git.stella-ops.org/src/StellaOps.Feedser.Source.Vndr.Msrc
Vladimir Moushkov ea1106ce7c up
2025-10-15 10:03:56 +03:00

MSRC Security Updates Connector Notes

API endpoints

  • Vulnerability summaries: GET https://api.msrc.microsoft.com/sug/v2.0/<locale>/vulnerabilities (requires api-version=2024-08-01, client credential bearer token).
  • Vulnerability detail: GET https://api.msrc.microsoft.com/sug/v2.0/<locale>/vulnerability/{id} (same headers/scopes).
  • CVRF package: the detail payload contains a cvrfUrl pointing to a ZIP/JSON asset that is stable per revision. We surface the URL as a reference and capture it in metadata for future offline bundling.

Cursor behaviour

  • The connector keeps a lastModifiedCursor and replays the previous 10 minutes on every fetch to cover late revisions.
  • MSRC limits requests to ~60/minute; requestDelay defaults to 250ms and is configurable.
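
The replay window described above, as an added C# sketch that is not the connector's own code. The Summary and ReplayCursor types, the (id, revision) dedupe key, and the sample ids and timestamps are assumptions constructed for illustration; only lastModifiedCursor and the 10-minute overlap come from these notes.

```csharp
// Added example: hypothetical types, constructed sample data.
using System;
using System.Collections.Generic;
using System.Linq;

public sealed record Summary(string Id, int Revision, DateTimeOffset LastModified);

public sealed class ReplayCursor
{
    private static readonly TimeSpan Overlap = TimeSpan.FromMinutes(10); // replay window from the notes
    private readonly HashSet<(string, int)> _seen = new();               // assumed dedupe key: id + revision
    public DateTimeOffset LastModifiedCursor { get; private set; }
    public ReplayCursor(DateTimeOffset start) => LastModifiedCursor = start;

    // Lower bound for the next query: the cursor minus the overlap.
    public DateTimeOffset NextSince() => LastModifiedCursor - Overlap;

    // Returns only revisions not handled before, then advances the cursor.
    public IReadOnlyList<Summary> Accept(IEnumerable<Summary> page)
    {
        var since = NextSince();
        var fresh = page.Where(s => s.LastModified >= since)
                        .Where(s => _seen.Add((s.Id, s.Revision))) // false for replayed items
                        .OrderBy(s => s.LastModified)
                        .ToList();
        // The cursor never moves backwards, even if only late items arrived.
        if (fresh.Count > 0 && fresh[^1].LastModified > LastModifiedCursor)
            LastModifiedCursor = fresh[^1].LastModified;
        return fresh;
    }
}

public static class Demo
{
    public static void Main()
    {
        var t0 = new DateTimeOffset(2025, 1, 1, 12, 0, 0, TimeSpan.Zero); // constructed
        var cursor = new ReplayCursor(t0);
        var first = cursor.Accept(new[] { new Summary("ADV-A", 1, t0.AddMinutes(2)) });
        // Second fetch replays the overlap: ADV-A is seen again, and ADV-B
        // shows up late with a LastModified older than the cursor.
        var second = cursor.Accept(new[]
        {
            new Summary("ADV-A", 1, t0.AddMinutes(2)),
            new Summary("ADV-B", 1, t0.AddMinutes(-3)),
        });
        Console.WriteLine($"first={first.Count} second={string.Join(",", second.Select(s => s.Id))} cursor={cursor.LastModifiedCursor:o}");
    }
}
```

Without the overlap, ADV-B would fall below the cursor and never be ingested; without the dedupe key, ADV-A would be processed twice on every replay.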

Authentication

  • Uses Azure AD client credential flow against https://login.microsoftonline.com/{tenantId}/oauth2/v2.0/token with scope api://api.msrc.microsoft.com/.default.
  • The token is refreshed lazily and cached until 60 seconds before expiry.
  • Configuration values (tenantId, clientId, clientSecret) must be supplied via feedser:sources:vndr:msrc.

CVRF handling

  • Detail payload is persisted with the cvrfUrl in metadata (msrc.cvrfUrl).
  • Mapping stage emits the CVRF link as a reference so offline runs can fetch it later. When DownloadCvrf is enabled the connector also saves the ZIP artefact to the documents store (marked as msrc.cvrf=true) for Offline Kit staging.