feat: Add new projects to solution and implement contract testing documentation
- Added "StellaOps.Policy.Engine", "StellaOps.Cartographer", and "StellaOps.SbomService" projects to the StellaOps solution.
- Created AGENTS.md to outline the Contract Testing Guild Charter, detailing mission, scope, and definition of done.
- Established TASKS.md for the Contract Testing Task Board, outlining tasks for Sprint 62 and Sprint 63 related to mock servers and replay testing.
@@ -18,7 +18,7 @@ All sprints below assume prerequisites from SP10-G2 (core scaffolding + Java ana
- All symlink targets canonicalized; path traversal guarded.
- **Gate Artifacts:**
- `Fixtures/lang/node/**` golden outputs.
- Analyzer benchmark CSV + flamegraph (commit under `bench/Scanner.Analyzers`).
- Analyzer benchmark CSV + flamegraph (commit under `src/StellaOps.Bench/Scanner.Analyzers`).
- Worker integration sample enabling Node analyzer via manifest.
- **Progress (2025-10-21):** Module walker with package-lock/yarn/pnpm resolution, workspace attribution, integrity metadata, and deterministic fixture harness committed; Node tasks 10-302A/B remain green. Shared component mapper + canonical result harness landed, closing tasks 10-307/308. Script metadata & telemetry (10-302C) emit policy hints, hashed evidence, and feed `scanner_analyzer_node_scripts_total` into Worker OpenTelemetry pipeline. Restart-time packaging closed (10-309): manifest added, Worker language catalog loads the Node analyzer, integration tests cover dispatch + layer fragments, and Offline Kit docs call out bundled language plug-ins.
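Review bot: the commit message does not cover this hunk. The only change here is the relocation of the benchmark output path from `bench/Scanner.Analyzers` to `src/StellaOps.Bench/Scanner.Analyzers`, while the message lists new solution projects and contract-testing docs; add a line to the message such as `- Move the Scanner.Analyzers bench harness under src/StellaOps.Bench and update plan references` so the history explains why this plan file changed.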
@@ -52,7 +52,7 @@ All sprints below assume prerequisites from SP10-G2 (core scaffolding + Java ana
- **Gate Artifacts:**
- Benchmarks vs competitor open-source tool (Trivy or Syft) demonstrating faster metadata extraction.
- Documentation snippet explaining VCS metadata fields for Policy team.
- **Progress (2025-10-22):** Build-info decoder shipped with DWARF-string fallback for `vcs.*` markers, plus cached metadata keyed by binary length/timestamp. Added Go test fixtures covering build-info and DWARF-only binaries with deterministic goldens; analyzer now emits `go.dwarf` evidence alongside `go.buildinfo` metadata to feed downstream provenance rules. Completed stripped-binary heuristics with deterministic `golang::bin::sha256` components and a new `stripped` fixture to guard quiet-provenance behaviour. Heuristic fallbacks now emit `scanner_analyzer_golang_heuristic_total{indicator,version_hint}` counters, and shared buffer pooling (`ArrayPool<byte>`) keeps concurrent scans allocation-lite. Bench harness (`bench/Scanner.Analyzers/config.json`) gained a dedicated Go scenario with baseline mean 4.02 ms; comparison against Syft v1.29.1 on the same fixture shows a 22 % speed advantage (see `bench/Scanner.Analyzers/lang/go/syft-comparison-20251021.csv`).
- **Progress (2025-10-22):** Build-info decoder shipped with DWARF-string fallback for `vcs.*` markers, plus cached metadata keyed by binary length/timestamp. Added Go test fixtures covering build-info and DWARF-only binaries with deterministic goldens; analyzer now emits `go.dwarf` evidence alongside `go.buildinfo` metadata to feed downstream provenance rules. Completed stripped-binary heuristics with deterministic `golang::bin::sha256` components and a new `stripped` fixture to guard quiet-provenance behaviour. Heuristic fallbacks now emit `scanner_analyzer_golang_heuristic_total{indicator,version_hint}` counters, and shared buffer pooling (`ArrayPool<byte>`) keeps concurrent scans allocation-lite. Bench harness (`src/StellaOps.Bench/Scanner.Analyzers/config.json`) gained a dedicated Go scenario with baseline mean 4.02 ms; comparison against Syft v1.29.1 on the same fixture shows a 22 % speed advantage (see `src/StellaOps.Bench/Scanner.Analyzers/lang/go/syft-comparison-20251021.csv`).
## Sprint LA4 — .NET Analyzer & RID Variants (Tasks 10-305, 10-307, 10-308, 10-309 subset)
- **Scope:** Parse `*.deps.json`, `runtimeconfig.json`, assembly metadata, and RID-specific assets; correlate with native dependencies.
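Review bot: the `syft-comparison-20251021.csv` reference on the rewritten progress line now points at `src/StellaOps.Bench/Scanner.Analyzers/lang/go/`, which only holds if that dated artifact was moved together with `config.json`; nothing in this diff shows the bench directory itself moving, so confirm the CSV exists at the new path (or keep the dated evidence path stable), otherwise the 22 % Syft comparison claim loses its traceable evidence.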
@@ -97,7 +97,7 @@ All sprints below assume prerequisites from SP10-G2 (core scaffolding + Java ana
- Telemetry coverage: each analyzer emits timing + component counters.
- **Gate Artifacts:**
- `SPRINTS_LANG_IMPLEMENTATION_PLAN.md` progress log updated (this file).
- `bench/Scanner.Analyzers/lang-matrix.csv` recorded + referenced in docs.
- `src/StellaOps.Bench/Scanner.Analyzers/lang-matrix.csv` recorded + referenced in docs.
- Ops notes for packaging plug-ins into Offline Kit.
---
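Review bot: `lang-matrix.csv` is described as "recorded + referenced in docs", but only this plan file is updated in the hunk; renaming the bench root usually leaves stale `bench/Scanner.Analyzers` links in the other docs that reference the matrix. Grep the docs tree for the old prefix and update those references in the same commit so the gate artifact stays reachable from everywhere it is cited.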
@@ -106,7 +106,7 @@ All sprints below assume prerequisites from SP10-G2 (core scaffolding + Java ana
- **Security:** All analyzers must enforce path canonicalization, guard against zip-slip, and expose provenance classifications (`observed`, `heuristic`, `attested`).
- **Offline-first:** No network calls; rely on cached metadata and optional offline bundles (license texts, signature roots).
- **Determinism:** Normalise timestamps to `0001-01-01T00:00:00Z` when persisting synthetic data; sort collections by stable keys.
- **Benchmarking:** Extend `bench/Scanner.Analyzers` to compare against open-source scanners (Syft/Trivy) and document performance wins.
- **Benchmarking:** Extend `src/StellaOps.Bench/Scanner.Analyzers` to compare against open-source scanners (Syft/Trivy) and document performance wins.
- **Hand-offs:** Emit guild requires consistent component schemas; Policy needs license + provenance metadata; Scheduler depends on usage flags for ImpactIndex.
## Tracking & Reporting
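Review bot: this is the fourth identical `bench/Scanner.Analyzers` to `src/StellaOps.Bench/Scanner.Analyzers` substitution in the file, all in prose; the Benchmarking directive tells contributors to extend the harness at the new location, so the harness configuration and any scripts or CI invocations that hard-code the old path need the same update, or the directive points at a location the tooling does not use. Consider naming the harness entry point (`config.json` under the new root) on this line so the instruction is unambiguous.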