audit work, fixed StellaOps.sln warnings/errors, fixed tests, sprints work, new advisories

src/Scanner/StellaOps.Scanner.WebService/Contracts/PolicyPreviewContracts.cs

@@ -67,50 +67,65 @@ public sealed record PolicyPreviewFindingDto
 public sealed record PolicyPreviewVerdictDto
 {
     [JsonPropertyName("findingId")]
+    [JsonPropertyOrder(0)]
     public string? FindingId { get; init; }
 
+    [JsonPropertyName("reachability")]
+    [JsonPropertyOrder(1)]
+    public string? Reachability { get; init; }
+
+    [JsonPropertyName("score")]
+    [JsonPropertyOrder(2)]
+    public double? Score { get; init; }
+
+    [JsonPropertyName("sourceTrust")]
+    [JsonPropertyOrder(3)]
+    public string? SourceTrust { get; init; }
+
     [JsonPropertyName("status")]
+    [JsonPropertyOrder(4)]
     public string? Status { get; init; }
 
     [JsonPropertyName("ruleName")]
+    [JsonPropertyOrder(5)]
     public string? RuleName { get; init; }
 
     [JsonPropertyName("ruleAction")]
+    [JsonPropertyOrder(6)]
     public string? RuleAction { get; init; }
 
     [JsonPropertyName("notes")]
+    [JsonPropertyOrder(7)]
     public string? Notes { get; init; }
 
-    [JsonPropertyName("score")]
-    public double? Score { get; init; }
-
     [JsonPropertyName("configVersion")]
+    [JsonPropertyOrder(8)]
     public string? ConfigVersion { get; init; }
 
     [JsonPropertyName("inputs")]
+    [JsonPropertyOrder(9)]
     public IReadOnlyDictionary<string, double>? Inputs { get; init; }
 
     [JsonPropertyName("quietedBy")]
+    [JsonPropertyOrder(10)]
     public string? QuietedBy { get; init; }
 
     [JsonPropertyName("quiet")]
+    [JsonPropertyOrder(11)]
     public bool? Quiet { get; init; }
 
     [JsonPropertyName("unknownConfidence")]
+    [JsonPropertyOrder(12)]
     public double? UnknownConfidence { get; init; }
 
     [JsonPropertyName("confidenceBand")]
+    [JsonPropertyOrder(13)]
     public string? ConfidenceBand { get; init; }
 
     [JsonPropertyName("unknownAgeDays")]
+    [JsonPropertyOrder(14)]
     public double? UnknownAgeDays { get; init; }
 
-    [JsonPropertyName("sourceTrust")]
-    public string? SourceTrust { get; init; }
-
-    [JsonPropertyName("reachability")]
-    public string? Reachability { get; init; }
-
 }
 
 public sealed record PolicyPreviewPolicyDto

src/Scanner/StellaOps.Scanner.WebService/Endpoints/ScanEndpoints.cs

@@ -82,6 +82,7 @@ internal static class ScanEndpoints
         // Register additional scan-related endpoints
         scans.MapCallGraphEndpoints();
         scans.MapSbomEndpoints();
+        scans.MapLayerSbomEndpoints();
         scans.MapReachabilityEndpoints();
         scans.MapReachabilityDriftScanEndpoints();
         scans.MapExportEndpoints();

src/Scanner/StellaOps.Scanner.WebService/Program.cs

@@ -140,6 +140,7 @@ builder.Services.AddSingleton<IAttestationChainVerifier, AttestationChainVerifie
 builder.Services.AddSingleton<IHumanApprovalAttestationService, HumanApprovalAttestationService>();
 builder.Services.AddScoped<ICallGraphIngestionService, CallGraphIngestionService>();
 builder.Services.AddScoped<ISbomIngestionService, SbomIngestionService>();
+builder.Services.AddScoped<ILayerSbomService, LayerSbomService>();
 builder.Services.AddSingleton<ISbomUploadStore, InMemorySbomUploadStore>();
 builder.Services.AddScoped<ISbomByosUploadService, SbomByosUploadService>();
 builder.Services.AddSingleton<IPolicySnapshotRepository, InMemoryPolicySnapshotRepository>();

src/Scanner/StellaOps.Scanner.WebService/Services/DeterministicScoringService.cs

@@ -1,4 +1,5 @@
 using System.Buffers.Binary;
+using System.Globalization;
 using System.Security.Cryptography;
 using System.Text;
 using StellaOps.Policy.Scoring;
@@ -28,7 +29,7 @@ public sealed class DeterministicScoringService : IScoringService
             concelierSnapshotHash?.Trim() ?? string.Empty,
             excititorSnapshotHash?.Trim() ?? string.Empty,
             latticePolicyHash?.Trim() ?? string.Empty,
-            freezeTimestamp.ToUniversalTime().ToString("O"),
+            freezeTimestamp.ToUniversalTime().ToString("O", CultureInfo.InvariantCulture),
             Convert.ToHexStringLower(seed));
 
         var digest = SHA256.HashData(Encoding.UTF8.GetBytes(input));

src/Scanner/StellaOps.Scanner.WebService/Services/LayerSbomService.cs

@@ -1,5 +1,6 @@
 using System.Collections.Concurrent;
 using System.Collections.Immutable;
+using System.Globalization;
 using System.Text;
 using System.Text.Json;
 using StellaOps.Scanner.Emit.Composition;
@@ -165,7 +166,7 @@ public sealed class LayerSbomService : ILayerSbomService
         {
             ScanId = scanId,
             ImageDigest = imageDigest,
-            CreatedAt = DateTimeOffset.UtcNow.ToString("O"),
+            CreatedAt = DateTimeOffset.UtcNow.ToString("O", CultureInfo.InvariantCulture),
             Recipe = new CompositionRecipe
             {
                 Version = "1.0.0",

src/Scanner/StellaOps.Scanner.WebService/Services/MessagingPlatformEventPublisher.cs

@@ -1,3 +1,4 @@
+using System.Globalization;
 using Microsoft.Extensions.Logging;
 using Microsoft.Extensions.Options;
 using StellaOps.Messaging;
@@ -62,7 +63,7 @@ internal sealed class MessagingPlatformEventPublisher : IPlatformEventPublisher
             Headers = new Dictionary<string, string>
             {
                 ["kind"] = @event.Kind,
-                ["occurredAt"] = @event.OccurredAt.ToString("O")
+                ["occurredAt"] = @event.OccurredAt.ToString("O", CultureInfo.InvariantCulture)
             }
         };
 

src/Scanner/StellaOps.Scanner.WebService/Services/RedisPlatformEventPublisher.cs

@@ -1,4 +1,5 @@
 using System;
+using System.Globalization;
 using System.Threading;
 using System.Threading.Tasks;
 using Microsoft.Extensions.Logging;
@@ -62,7 +63,7 @@ internal sealed class RedisPlatformEventPublisher : IPlatformEventPublisher, IAs
             new("event", payload),
             new("kind", @event.Kind),
             new("tenant", @event.Tenant),
-            new("occurredAt", @event.OccurredAt.ToString("O")),
+            new("occurredAt", @event.OccurredAt.ToString("O", CultureInfo.InvariantCulture)),
             new("idempotencyKey", @event.IdempotencyKey)
         };
 

src/Scanner/StellaOps.Scanner.WebService/Services/UnifiedEvidenceService.cs

@@ -4,12 +4,13 @@
 // Description: Implementation of IUnifiedEvidenceService for assembling evidence.
 // -----------------------------------------------------------------------------
 
+using System.Globalization;
+using System.Security.Cryptography;
+using System.Text;
 using Microsoft.EntityFrameworkCore;
 using StellaOps.Scanner.Triage;
 using StellaOps.Scanner.Triage.Entities;
 using StellaOps.Scanner.WebService.Contracts;
-using System.Security.Cryptography;
-using System.Text;
 using System.Text.Json;
 
 namespace StellaOps.Scanner.WebService.Services;
@@ -252,7 +253,7 @@ public sealed class UnifiedEvidenceService : IUnifiedEvidenceService
         {
             ArtifactDigest = ComputeDigest(finding.Purl),
             ManifestHash = ComputeDigest(contentForHash),
-            FeedSnapshotHash = ComputeDigest(finding.LastSeenAt.ToString("O")),
+            FeedSnapshotHash = ComputeDigest(finding.LastSeenAt.ToString("O", CultureInfo.InvariantCulture)),
             PolicyHash = ComputeDigest("default-policy"),
             KnowledgeSnapshotId = finding.KnowledgeSnapshotId
         };

src/Scanner/StellaOps.Scanner.WebService/StellaOps.Scanner.WebService.csproj

@@ -7,6 +7,7 @@
     <ImplicitUsings>enable</ImplicitUsings>
     <TreatWarningsAsErrors>true</TreatWarningsAsErrors>
     <RootNamespace>StellaOps.Scanner.WebService</RootNamespace>
+    <PreserveCompilationContext>true</PreserveCompilationContext>
   </PropertyGroup>
   <ItemGroup>
     <PackageReference Include="CycloneDX.Core" />