Skip to content

feat: SPDX 3.0.1 export, VLA rule reduction, XELO-005 + inline scan+plugin#16

Open
rangoel-nu wants to merge 6 commits intomainfrom
ranjan/feature-rel-8
Open

feat: SPDX 3.0.1 export, VLA rule reduction, XELO-005 + inline scan+plugin#16
rangoel-nu wants to merge 6 commits intomainfrom
ranjan/feature-rel-8

Conversation

@rangoel-nu
Copy link
Contributor

@rangoel-nu rangoel-nu commented Mar 18, 2026

Summary

This PR delivers four related improvements:

1. SPDX 3.0.1 JSON-LD export (--format spdx)

  • New xelo scan --format spdx output format generating spec-compliant SPDX 3.0.1 JSON-LD
  • spdx_export toolbox plugin with optional SHACL validation (--config validate=true, requires xelo[spdx])
  • CLI reference and getting-started docs updated

2. Vulnerability scanner — rules reduced to XELO-001–004

  • Trimmed 21 structural rules to the 4 highest-signal rules, renumbered sequentially
  • Old XELO-002/006/012/021 → new XELO-001/002/003/004
  • Stale helper functions removed; module docstring, registry, and all docs updated
  • Atlas annotator test fixture updated to match new rule IDs

3. New structural rule XELO-005 (LOW) — AI workloads without resource limits

  • Triggers on no_resource_limits security finding or per-node DEPLOYMENT metadata flag
  • Remediation guidance covers K8s resource specs and LLM max_tokens limits
  • Rule catalogue, worked example, and CLI reference updated

4. 34 unit tests for XELO-001–005

  • True positive / negative coverage for all 5 rules
  • Registry tests: correct order, all rules return list, required finding keys

5. Inline scan + plugin (--output optional when --plugin is set)

  • xelo scan <target> --plugin vulnerability --plugin-config format=markdown --plugin-output findings.md
  • No intermediate SBOM file required; --output defaults to /dev/null when --plugin is active
  • Docs updated with single-command examples

Tests

626 passed, 23 deselected

Docs updated

  • docs/vulnerability-scanning.md
  • docs/cli-reference.md
  • docs/getting-started.md (SPDX format)

@rangoel-nu
feat: add SPDX 3.0.1 JSON-LD export format
c4f7b3f 
- Add SpdxExporter toolbox plugin (spdx_exporter.py) producing SPDX 3.0.1
  JSON-LD aligned with the NuGuardAI validator-hardened reference format:
  SPDXRef- identifiers, SoftwareAgent creator, simplelicensing_LicenseExpression
  data license element, software_packageVersion / releaseTime / suppliedBy on
  every package, Relationship elements with completeness=complete, xelo:
  extension namespace for AI-security metadata
- Add --format spdx to xelo scan CLI (local and remote scan)
- Rename --format unified to --format cyclonedx-ext; add note that
  --format cyclonedx outputs package deps only (no AI SBOM node details)
- software_downloadLocation set to the scanned repo URL / local path
- Fix generated_at microseconds (models.py)
- Add 79 tests for SpdxExporter covering all format invariants
- Update docs: cli-reference.md, developer-guide.md, getting-started.md
@rangoel-nu
feat: reduce structural VLA rules to XELO-001–004
add657c 
- Keep only 4 rules: PHI/PII to external LLM (001), models no output
  validation (002), secrets in env vars (003), containers as root (004)
- Renumber from old XELO-002/006/012/021 to sequential 001-004
- Remove stale helpers _gha_nodes, _iam_nodes_list, _has_wildcard_perm
- Update module docstring and _RULES registry
- Update tests/test_atlas_annotator.py fixture to new XELO-001
- Update .github/copilot-instructions.md next rule ID to XELO-005
- Update docs/vulnerability-scanning.md rule catalogue + worked example
- Update docs/cli-reference.md plugin table
@rangoel-nu
feat: add XELO-005 AI workloads without resource limits (LOW)
cbea754 
- Rule triggers on no_resource_limits security finding or deployment
  node metadata flag
- Update module docstring, _RULES registry
- Update docs/vulnerability-scanning.md catalogue, worked example
- Update docs/cli-reference.md plugin table to XELO-001-005
- Bump next available rule ID to XELO-006
@rangoel-nu
test: add unit tests for XELO-001 through XELO-005 VLA rules
41dc580 
- True positive and negative cases for all 5 structural rules
- Edge cases: multiple models, both secret issues, per-node vs summary flags
- Registry tests: correct order, all rules return list, required finding keys
@rangoel-nu
feat: make --output optional when --plugin is set (defaults to /dev/n…
de101a6 
…ull)

When --plugin is used without --output, the SBOM is silently discarded
so no intermediate file is needed. Explicit --output still works as before.

- cli.py: scan --output default changed to None; resolved to /dev/null
  when --plugin active, stdout otherwise
- cli-reference.md: --output row updated to No/optional in both scan tables;
  Scan+Plugin example simplified to omit --output
- vulnerability-scanning.md: Step 1 updated to single --plugin command
@rangoel-nu
style: auto-formatter line-length fixes in vulnerability plugin and t…
1dc9018 
…ests
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@rangoel-nu