- Implemented EntropyPolicyBannerComponent with configuration for entropy policies, including thresholds, current scores, and mitigation steps.
- Created PolicyGateIndicatorComponent to display the status of policy gates, including passed, failed, and warning gates, with detailed views for determinism and entropy gates.
- Added HTML and SCSS for both components to ensure proper styling and layout.
- Introduced computed properties and signals for reactive state management in Angular.
- Included remediation hints and actions for user interaction within the policy gate indicator.
5.7 KiB
# Product Advisory Index

This index consolidates the November 2025 product advisories, identifying canonical documents and duplicates.

## Canonical Advisories (Active)

These are the authoritative advisories to reference for implementation:
### CVSS v4.0

- Canonical: `25-Nov-2025 - Add CVSS v4.0 Score Receipts for Transparency.md`
- Sprint: `SPRINT_0190_0001_0001_cvss_v4_receipts.md`
- Status: New sprint created
### SBOM/VEX Pipeline

- Canonical: `27-Nov-2025 - Deep Architecture Brief - SBOM‑First, VEX‑Ready Spine.md`
- Sprint: `SPRINT_0186_0001_0001_record_deterministic_execution.md` (tasks 15a-15f)
- Supersedes:
  - `24-Nov-2025 - Bridging OpenVEX and CycloneDX for .NET.md` → archive
  - `25-Nov-2025 - Revisiting Determinism in SBOM→VEX Pipeline.md` → archive
  - `26-Nov-2025 - From SBOM to VEX - Building a Transparent Chain.md` → archive
### Rekor/DSSE Batch Sizing

- Canonical: `26-Nov-2025 - Handling Rekor v2 and DSSE Air‑Gap Limits.md`
- Sprint: `SPRINT_0401_0001_0001_reachability_evidence_chain.md` (DSSE tasks)
- Supersedes:
  - `27-Nov-2025 - Rekor Envelope Size Heuristic.md` → archive (duplicate)
  - `27-Nov-2025 - DSSE and Rekor Envelope Size Heuristic.md` → archive (duplicate)
  - `27-Nov-2025 - Optimizing DSSE Batch Sizes for Reliable Logging.md` → archive (duplicate)
### Graph Revision IDs

- Canonical: `26-Nov-2025 - Use Graph Revision IDs as Public Trust Anchors.md`
- Sprint: `SPRINT_0401_0001_0001_reachability_evidence_chain.md` (existing tasks)
- Supersedes:
  - `25-Nov-2025 - Hash‑Stable Graph Revisions Across Systems.md` → archive (earlier version)
### Reachability Benchmark (Public)

- Canonical: `24-Nov-2025 - Designing a Deterministic Reachability Benchmark.md`
- Sprint: `SPRINT_0513_0001_0001_public_reachability_benchmark.md`
- Related:
  - `26-Nov-2025 - Opening Up a Reachability Dataset.md` → complementary (dataset focus)
### Unknowns Registry

- Canonical: `27-Nov-2025 - Managing Ambiguity Through an Unknowns Registry.md`
- Sprint: `SPRINT_0140_0001_0001_runtime_signals.md` (existing implementation)
- Extends: `archived/18-Nov-2025 - Unknowns-Registry.md`
- Status: Already implemented in Signals module; advisory validates design
### Explainability

- Canonical (Graphs): `27-Nov-2025 - Making Graphs Understandable to Humans.md`
- Canonical (Verdicts): `27-Nov-2025 - Explainability Layer for Vulnerability Verdicts.md`
- Sprint: `SPRINT_0401_0001_0001_reachability_evidence_chain.md` (UI-CLI tasks)
- Status: Complementary advisories; graphs cover edge reasons, verdicts cover audit trails
### VEX Proofs

- Canonical: `25-Nov-2025 - Define Safe VEX 'Not Affected' Claims with Proofs.md`
- Sprint: `SPRINT_0401_0001_0001_reachability_evidence_chain.md` (POLICY-VEX tasks)
### Binary Reachability

- Canonical: `27-Nov-2025 - Verifying Binary Reachability via DSSE Envelopes.md`
- Sprint: `SPRINT_0401_0001_0001_reachability_evidence_chain.md` (GRAPH-HYBRID tasks)
### Scanner Roadmap

- Canonical: `27-Nov-2025 - Blueprint for a 2026‑Ready Scanner.md`
- Sprint: Multiple sprints (0186, 0401, 0512)
- Status: High-level roadmap document
## Files to Archive

The following files should be moved to `archived/` as they are superseded:

```
# Duplicates/superseded
24-Nov-2025 - Bridging OpenVEX and CycloneDX for .NET.md
25-Nov-2025 - Revisiting Determinism in SBOM→VEX Pipeline.md
25-Nov-2025 - Hash‑Stable Graph Revisions Across Systems.md
26-Nov-2025 - From SBOM to VEX - Building a Transparent Chain.md
27-Nov-2025 - Rekor Envelope Size Heuristic.md
27-Nov-2025 - DSSE and Rekor Envelope Size Heuristic.md
27-Nov-2025 - Optimizing DSSE Batch Sizes for Reliable Logging.md

# Junk/malformed files
24-Nov-2025 - 1 copy 2.md
24-Nov-2025 - Designing a Deterministic Reachability Benchmarkmd (missing dot)
25-Nov-2025 - Half‑Life Confidence Decay for Unknownsmd (missing dot)
```
## Sprint Cross-Reference

| Advisory Topic | Sprint ID | Status |
|---|---|---|
| CVSS v4.0 | SPRINT_0190_0001_0001 | NEW |
| SPDX 3.0.1 / SBOM | SPRINT_0186_0001_0001 | AUGMENTED |
| Reachability Benchmark | SPRINT_0513_0001_0001 | NEW |
| Reachability Evidence | SPRINT_0401_0001_0001 | EXISTING |
| Unknowns Registry | SPRINT_0140_0001_0001 | EXISTING (implemented) |
| Graph Revision IDs | SPRINT_0401_0001_0001 | EXISTING |
| DSSE/Rekor Batching | SPRINT_0401_0001_0001 | EXISTING |
## Implementation Priority

Based on gap analysis:

- P0: CVSS v4.0 (Sprint 0190), industry moving to v4.0, genuine gap
- P1: SPDX 3.0.1 (Sprint 0186 tasks 15a-15f), standards compliance
- P1: Public Benchmark (Sprint 0513), differentiation/marketing value
- P2: Explainability (Sprint 0401), UX enhancement, existing tasks
- P3: Already implemented (Unknowns, Graph IDs, DSSE batching)
## Implementer Quick Reference

For each topic, the implementer should read:

- Sprint file: contains task definitions, dependencies, working directories
- Documentation prerequisites: listed in each sprint file
- Canonical advisory: full product context and rationale
- Module `AGENTS.md`: if it exists, contains module-specific coding guidance
## Key Module Docs to Read Before Implementation

| Module | Architecture Doc | AGENTS.md |
|---|---|---|
| Policy | `docs/modules/policy/architecture.md` | `src/Policy/*/AGENTS.md` |
| Scanner | `docs/modules/scanner/architecture.md` | `src/Scanner/*/AGENTS.md` |
| Sbomer | `docs/modules/sbomer/architecture.md` | `src/Sbomer/*/AGENTS.md` |
| Signals | `docs/modules/signals/architecture.md` | `src/Signals/*/AGENTS.md` |
| Attestor | `docs/modules/attestor/architecture.md` | `src/Attestor/*/AGENTS.md` |
Index created: 2025-11-27
Last updated: 2025-11-27