Add OpenSslLegacyShim to ensure OpenSSL 1.1 libraries are accessible on Linux

This commit introduces the OpenSslLegacyShim class, which sets the LD_LIBRARY_PATH environment variable to include the directory containing OpenSSL 1.1 native libraries. This is necessary for Mongo2Go to function correctly on Linux platforms that do not ship these libraries by default. The shim checks if the current operating system is Linux and whether the required directory exists before modifying the environment variable.
2025-11-02 21:41:03 +02:00
parent f98cea3bcf
commit 1d962ee6fc
71 changed files with 3675 additions and 1255 deletions
--- a/docs/modules/scanner/TASKS.md
+++ b/docs/modules/scanner/TASKS.md
@@ -1,9 +1,10 @@
-# Task board — Scanner
-
-> Local tasks should link back to ./AGENTS.md and mirror status updates into ../../TASKS.md when applicable.
-
-| ID | Status | Owner(s) | Description | Notes |
-|----|--------|----------|-------------|-------|
-| SCANNER-DOCS-0001 | DOING (2025-10-29) | Docs Guild | Validate that ./README.md aligns with the latest release notes. | See ./AGENTS.md |
-| SCANNER-OPS-0001 | TODO | Ops Guild | Review runbooks/observability assets after next sprint demo. | Sync outcomes back to ../../TASKS.md |
-| SCANNER-ENG-0001 | TODO | Module Team | Cross-check implementation plan milestones against ../../implplan/SPRINTS.md. | Update status via ./AGENTS.md workflow |
+# Task board — Scanner
+
+> Local tasks should link back to ./AGENTS.md and mirror status updates into ../../TASKS.md when applicable.
+
+| ID | Status | Owner(s) | Description | Notes |
+|----|--------|----------|-------------|-------|
+| SCANNER-DOCS-0001 | DOING (2025-10-29) | Docs Guild | Validate that ./README.md aligns with the latest release notes. | See ./AGENTS.md |
+| SCANNER-DOCS-0002 | DONE (2025-11-02) | Docs Guild | Keep scanner benchmark comparisons (Trivy/Grype/Snyk) and deep-dive matrix current with source references. | Coordinate with docs/benchmarks owners |
+| SCANNER-OPS-0001 | TODO | Ops Guild | Review runbooks/observability assets after next sprint demo. | Sync outcomes back to ../../TASKS.md |
+| SCANNER-ENG-0001 | TODO | Module Team | Cross-check implementation plan milestones against ../../implplan/SPRINTS.md. | Update status via ./AGENTS.md workflow |
--- a/docs/modules/scanner/operations/entrypoint-static-analysis.md
+++ b/docs/modules/scanner/operations/entrypoint-static-analysis.md
@@ -140,19 +140,18 @@ Compose the runtime argv as `Entrypoint ++ Cmd`, honouring shell-form vs exec-fo

 ## 4) Wrapper catalogue

-> _Roadmap note_: extended package/tool runners land with **SCANNER-ENTRYTRACE-18-508**; today the catalogue covers init/user-switch/environment/supervisor wrappers listed above.
+Collapse known wrappers before analysing the target command so the terminal reflects the real runtime binary. Sprint 130.A ships the extended catalogue from **SCANNER-ENTRYTRACE-18-508**, covering init/user-switch/environment/supervisor wrappers as well as package and language launchers such as `bundle exec`, `docker-php-entrypoint`, `npm exec`, `yarn node`, `pipenv run`, and `poetry run`.

-Collapse known wrappers before analysing the target command:
-
- Init shims: `tini`, `dumb-init`, `s6-svscan`, `runit`, `supervisord`.
- Privilege droppers: `gosu`, `su-exec`, `chpst`.
- Shells: `sh`, `bash`, `dash`, BusyBox variants.
- Package runners: `npm`, `yarn`, `pnpm`, `pip`, `pipenv`, `poetry`, `bundle`, `rake`.
+- Init shims: `tini`, `dumb-init`, `s6-svscan`, `runit`, `supervisord`.
+- Privilege droppers: `gosu`, `su-exec`, `chpst`.
+- Shells: `sh`, `bash`, `dash`, BusyBox variants.
+- Package runners: `npm`, `yarn`, `pnpm`, `pip`, `pipenv`, `poetry`, `bundle`, `rake`.

 Rules:
- If wrapper contains a `--` sentinel (`tini -- app …`) drop the wrapper and record a reduction edge.
- `gosu user cmd …` → collapse to `cmd …`.
- For shell wrappers, delegate to the ShellFlow analyser (see separate guide).
+- If wrapper contains a `--` sentinel (`tini -- app …`) drop the wrapper and record a reduction edge.
+- `gosu user cmd …` → collapse to `cmd …`.
+- For shell wrappers, delegate to the ShellFlow analyser (see separate guide).
+- When a wrapper delegates to an interpreter (`python`, `node`, `java -jar`), continue into the interpreter handlers so a terminal classification is still recorded even if the script/module cannot be resolved.

 ## 5) ShellFlow integration