stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 3 Releases Wiki Activity

audit work, fixed StellaOps.sln warnings/errors, fixed tests, sprints work, new advisories

Browse Source
This commit is contained in:
master
2026-01-07 18:49:59 +02:00
parent 04ec098046
commit 608a7f85c0
866 changed files with 56323 additions and 6231 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Java/Internal/Runtime/JavaRuntimeIngestor.cs
View File

@@ -1,4 +1,5 @@
using System.Collections.Immutable;
using System.Globalization;
using StellaOps.Scanner.Analyzers.Lang.Java.Internal.Resolver;
namespace StellaOps.Scanner.Analyzers.Lang.Java.Internal.Runtime;
@@ -187,7 +188,7 @@ internal static class JavaRuntimeIngestor
ResolutionPath: ImmutableArray.Create("runtime-trace"),
Metadata: ImmutableDictionary<string, string>.Empty
.Add("runtime.invocation_count", entry.InvocationCount.ToString())
.Add("runtime.first_seen", entry.FirstSeen.ToString("O")));
.Add("runtime.first_seen", entry.FirstSeen.ToString("O", CultureInfo.InvariantCulture)));
}
private static JavaResolutionStatistics RecalculateStatistics(

3
src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Python/Internal/RuntimeEvidence/PythonRuntimeEvidenceCollector.cs
View File

@@ -1,4 +1,5 @@
using System.Collections.Immutable;
using System.Globalization;
using System.Text.Json;
using StellaOps.Scanner.Analyzers.Lang.Python.Internal.Observations;
@@ -391,6 +392,6 @@ internal sealed class PythonRuntimeEvidenceCollector
private static string GetUtcTimestamp()
{
return DateTime.UtcNow.ToString("O");
return DateTime.UtcNow.ToString("O", CultureInfo.InvariantCulture);
}
}

6
src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Native/Internal/Graph/NativeGraphDsseWriter.cs
View File

@@ -1,3 +1,5 @@
using System.Globalization;
namespace StellaOps.Scanner.Analyzers.Native.Internal.Graph;
/// <summary>
@@ -26,7 +28,7 @@ internal static class NativeGraphDsseWriter
Version: "1.0.0",
LayerDigest: graph.LayerDigest,
ContentHash: graph.ContentHash,
GeneratedAt: graph.Metadata.GeneratedAt.ToString("O"),
GeneratedAt: graph.Metadata.GeneratedAt.ToString("O", CultureInfo.InvariantCulture),
GeneratorVersion: graph.Metadata.GeneratorVersion,
BinaryCount: graph.Metadata.BinaryCount,
FunctionCount: graph.Metadata.FunctionCount,
@@ -126,7 +128,7 @@ internal static class NativeGraphDsseWriter
LayerDigest: graph.LayerDigest,
ContentHash: graph.ContentHash,
Metadata: new NdjsonMetadataPayload(
GeneratedAt: graph.Metadata.GeneratedAt.ToString("O"),
GeneratedAt: graph.Metadata.GeneratedAt.ToString("O", CultureInfo.InvariantCulture),
GeneratorVersion: graph.Metadata.GeneratorVersion,
BinaryCount: graph.Metadata.BinaryCount,
FunctionCount: graph.Metadata.FunctionCount,

56
src/Scanner/__Libraries/StellaOps.Scanner.Emit/Composition/SpdxComposer.cs
View File

@@ -40,7 +40,29 @@ public sealed record SpdxCompositionOptions
public SpdxLicenseListVersion LicenseListVersion { get; init; } = SpdxLicenseListVersion.V3_21;
public ImmutableArray<string> ProfileConformance { get; init; } = ImmutableArray.Create("core", "software");
/// <summary>
/// Gets or sets the SPDX 3.0.1 profile type. Defaults to Software.
/// </summary>
public Spdx3ProfileType ProfileType { get; init; } = Spdx3ProfileType.Software;
/// <summary>
/// Gets or sets an explicit profile conformance override.
/// If not set (default or empty), the conformance is derived from ProfileType.
/// </summary>
public ImmutableArray<string> ProfileConformance { get; init; } = ImmutableArray<string>.Empty;
/// <summary>
/// Gets the effective profile conformance based on ProfileType if ProfileConformance is not explicitly set.
/// </summary>
public ImmutableArray<string> GetEffectiveProfileConformance()
{
if (!ProfileConformance.IsDefaultOrEmpty && ProfileConformance.Length > 0)
{
return ProfileConformance;
}
return ProfileType.GetProfileConformance().ToImmutableArray();
}
}
public sealed class SpdxComposer : ISpdxComposer
@@ -139,12 +161,12 @@ public sealed class SpdxComposer : ISpdxComposer
var packages = new List<SpdxPackage>();
var packageIdMap = new Dictionary<string, string>(StringComparer.Ordinal);
var rootPackage = BuildRootPackage(request.Image, idBuilder);
var rootPackage = BuildRootPackage(request.Image, idBuilder, options);
packages.Add(rootPackage);
foreach (var component in graph.Components)
{
var package = BuildComponentPackage(component, idBuilder, licenseList);
var package = BuildComponentPackage(component, idBuilder, licenseList, options);
packages.Add(package);
packageIdMap[component.Identity.Key] = package.SpdxId;
}
@@ -175,7 +197,7 @@ public sealed class SpdxComposer : ISpdxComposer
Sbom = sbom,
Elements = packages.Cast<SpdxElement>().ToImmutableArray(),
Relationships = relationships,
ProfileConformance = options.ProfileConformance
ProfileConformance = options.GetEffectiveProfileConformance()
};
}
@@ -261,17 +283,23 @@ public sealed class SpdxComposer : ISpdxComposer
.ToImmutableArray();
}
private static SpdxPackage BuildRootPackage(ImageArtifactDescriptor image, SpdxIdBuilder idBuilder)
private static SpdxPackage BuildRootPackage(
ImageArtifactDescriptor image,
SpdxIdBuilder idBuilder,
SpdxCompositionOptions options)
{
var digest = image.ImageDigest;
var digestParts = digest.Split(':', 2, StringSplitOptions.TrimEntries);
var digestValue = digestParts.Length == 2 ? digestParts[1] : digest;
var checksums = ImmutableArray.Create(new SpdxChecksum
{
Algorithm = digestParts.Length == 2 ? digestParts[0].ToUpperInvariant() : "SHA256",
Value = digestValue
});
// Lite profile omits checksums
var checksums = options.ProfileType.IncludeChecksums()
? ImmutableArray.Create(new SpdxChecksum
{
Algorithm = digestParts.Length == 2 ? digestParts[0].ToUpperInvariant() : "SHA256",
Value = digestValue
})
: ImmutableArray<SpdxChecksum>.Empty;
return new SpdxPackage
{
@@ -288,13 +316,17 @@ public sealed class SpdxComposer : ISpdxComposer
private static SpdxPackage BuildComponentPackage(
AggregatedComponent component,
SpdxIdBuilder idBuilder,
SpdxLicenseList licenseList)
SpdxLicenseList licenseList,
SpdxCompositionOptions options)
{
var packageUrl = !string.IsNullOrWhiteSpace(component.Identity.Purl)
? component.Identity.Purl
: (component.Identity.Key.StartsWith("pkg:", StringComparison.Ordinal) ? component.Identity.Key : null);
var declared = BuildLicenseExpression(component.Metadata?.Licenses, licenseList);
// Lite profile omits detailed licensing
var declared = options.ProfileType.IncludeDetailedLicensing()
? BuildLicenseExpression(component.Metadata?.Licenses, licenseList)
: null;
return new SpdxPackage
{

78
src/Scanner/__Libraries/StellaOps.Scanner.Emit/Spdx/Spdx3ProfileType.cs Normal file
View File

@@ -0,0 +1,78 @@
// <copyright file="Spdx3ProfileType.cs" company="StellaOps">
// Copyright (c) StellaOps. Licensed under the AGPL-3.0-or-later.
// </copyright>
namespace StellaOps.Scanner.Emit.Spdx;
/// <summary>
/// SPDX 3.0.1 profile types for SBOM generation.
/// </summary>
public enum Spdx3ProfileType
{
/// <summary>
/// Full Software profile with all available fields.
/// Includes detailed licensing, checksums, external refs, etc.
/// </summary>
Software,
/// <summary>
/// Lite profile with minimal required fields.
/// Optimized for CI/CD and performance-sensitive use cases.
/// Includes: spdxId, name, packageVersion, packageUrl or downloadLocation.
/// </summary>
Lite,
/// <summary>
/// Build profile with provenance and build environment data.
/// Suitable for attestation integration.
/// </summary>
Build,
/// <summary>
/// Security profile with vulnerability and VEX data.
/// Suitable for security analysis and VexLens integration.
/// </summary>
Security
}
/// <summary>
/// Extension methods for <see cref="Spdx3ProfileType"/>.
/// </summary>
public static class Spdx3ProfileTypeExtensions
{
/// <summary>
/// Gets the profile conformance URIs for this profile type.
/// </summary>
public static string[] GetProfileConformance(this Spdx3ProfileType profileType) => profileType switch
{
Spdx3ProfileType.Software => ["core", "software"],
Spdx3ProfileType.Lite => ["core", "software", "lite"],
Spdx3ProfileType.Build => ["core", "software", "build"],
Spdx3ProfileType.Security => ["core", "software", "security"],
_ => ["core", "software"]
};
/// <summary>
/// Returns true if this profile should include detailed licensing.
/// </summary>
public static bool IncludeDetailedLicensing(this Spdx3ProfileType profileType) =>
profileType is Spdx3ProfileType.Software;
/// <summary>
/// Returns true if this profile should include checksums.
/// </summary>
public static bool IncludeChecksums(this Spdx3ProfileType profileType) =>
profileType is Spdx3ProfileType.Software or Spdx3ProfileType.Build or Spdx3ProfileType.Security;
/// <summary>
/// Returns true if this profile should include external references.
/// </summary>
public static bool IncludeExternalRefs(this Spdx3ProfileType profileType) =>
profileType is not Spdx3ProfileType.Lite;
/// <summary>
/// Returns true if this profile should include annotations and comments.
/// </summary>
public static bool IncludeAnnotations(this Spdx3ProfileType profileType) =>
profileType is Spdx3ProfileType.Software;
}

3
src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace/Mesh/DockerComposeParser.cs
View File

@@ -1,4 +1,5 @@
using System.Collections.Immutable;
using System.Globalization;
using System.Text.RegularExpressions;
using StellaOps.Scanner.EntryTrace.Semantic;
using YamlDotNet.RepresentationModel;
@@ -98,7 +99,7 @@ public sealed partial class DockerComposeParser : IManifestParser
Services = services.ToImmutableArray(),
Edges = edges.ToImmutableArray(),
IngressPaths = ingressPaths,
AnalyzedAt = DateTime.UtcNow.ToString("O")
AnalyzedAt = DateTime.UtcNow.ToString("O", CultureInfo.InvariantCulture)
};
return Task.FromResult(graph);

3
src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace/Mesh/KubernetesManifestParser.cs
View File

@@ -1,4 +1,5 @@
using System.Collections.Immutable;
using System.Globalization;
using System.Text.RegularExpressions;
using StellaOps.Scanner.EntryTrace.Semantic;
using YamlDotNet.RepresentationModel;
@@ -87,7 +88,7 @@ public sealed partial class KubernetesManifestParser : IManifestParser
Services = services.ToImmutableArray(),
Edges = edges.ToImmutableArray(),
IngressPaths = ingressPaths.ToImmutableArray(),
AnalyzedAt = DateTime.UtcNow.ToString("O")
AnalyzedAt = DateTime.UtcNow.ToString("O", CultureInfo.InvariantCulture)
};
return Task.FromResult(graph);

5
src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace/Mesh/MeshEntrypointAnalyzer.cs
View File

@@ -1,4 +1,5 @@
using System.Collections.Immutable;
using System.Globalization;
using StellaOps.Scanner.EntryTrace.Semantic;
namespace StellaOps.Scanner.EntryTrace.Mesh;
@@ -260,7 +261,7 @@ public sealed class MeshEntrypointAnalyzer
Services = ImmutableArray<ServiceNode>.Empty,
Edges = ImmutableArray<CrossContainerEdge>.Empty,
IngressPaths = ImmutableArray<IngressPath>.Empty,
AnalyzedAt = DateTime.UtcNow.ToString("O")
AnalyzedAt = DateTime.UtcNow.ToString("O", CultureInfo.InvariantCulture)
};
}
@@ -303,7 +304,7 @@ public sealed class MeshEntrypointAnalyzer
Services = uniqueServices,
Edges = uniqueEdges,
IngressPaths = uniqueIngress,
AnalyzedAt = DateTime.UtcNow.ToString("O")
AnalyzedAt = DateTime.UtcNow.ToString("O", CultureInfo.InvariantCulture)
};
}

3
src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace/Mesh/MeshEntrypointGraph.cs
View File

@@ -1,4 +1,5 @@
using System.Collections.Immutable;
using System.Globalization;
using StellaOps.Scanner.EntryTrace.Semantic;
namespace StellaOps.Scanner.EntryTrace.Mesh;
@@ -423,7 +424,7 @@ public sealed class MeshEntrypointGraphBuilder
Services = _services.ToImmutableArray(),
Edges = _edges.ToImmutableArray(),
IngressPaths = _ingressPaths.ToImmutableArray(),
AnalyzedAt = DateTime.UtcNow.ToString("O"),
AnalyzedAt = DateTime.UtcNow.ToString("O", CultureInfo.InvariantCulture),
Metadata = _metadata.Count > 0
? _metadata.ToImmutableDictionary()
: null

3
src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace/Semantic/SemanticEntrypoint.cs
View File

@@ -1,4 +1,5 @@
using System.Collections.Immutable;
using System.Globalization;
namespace StellaOps.Scanner.EntryTrace.Semantic;
@@ -202,7 +203,7 @@ public sealed class SemanticEntrypointBuilder
FrameworkVersion = _frameworkVersion,
RuntimeVersion = _runtimeVersion,
Metadata = _metadata.Count > 0 ? _metadata.ToImmutableDictionary() : null,
AnalyzedAt = DateTime.UtcNow.ToString("O")
AnalyzedAt = DateTime.UtcNow.ToString("O", CultureInfo.InvariantCulture)
};
}
}

3
src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace/Semantic/SemanticEntrypointOrchestrator.cs
View File

@@ -1,4 +1,5 @@
using System.Collections.Immutable;
using System.Globalization;
using StellaOps.Scanner.EntryTrace.FileSystem;
using StellaOps.Scanner.EntryTrace.Semantic.Adapters;
using StellaOps.Scanner.EntryTrace.Semantic.Analysis;
@@ -226,7 +227,7 @@ public sealed class SemanticEntrypointOrchestrator
FrameworkVersion = adapterResult.FrameworkVersion,
RuntimeVersion = adapterResult.RuntimeVersion,
Metadata = metadata.ToImmutableDictionary(),
AnalyzedAt = DateTime.UtcNow.ToString("O")
AnalyzedAt = DateTime.UtcNow.ToString("O", CultureInfo.InvariantCulture)
};
}

3
src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace/Serialization/EntryTraceNdjsonWriter.cs
View File

@@ -2,6 +2,7 @@ using System;
using System.Buffers;
using System.Collections.Generic;
using System.Collections.Immutable;
using System.Globalization;
using System.IO;
using System.Linq;
using System.Text;
@@ -83,7 +84,7 @@ public static class EntryTraceNdjsonWriter
writer.WriteNumber("edges", graph.Edges.Length);
writer.WriteNumber("targets", graph.Plans.Length);
writer.WriteNumber("warnings", graph.Diagnostics.Length);
writer.WriteString("generated_at", metadata.GeneratedAtUtc.UtcDateTime.ToString("O"));
writer.WriteString("generated_at", metadata.GeneratedAtUtc.UtcDateTime.ToString("O", CultureInfo.InvariantCulture));
if (!string.IsNullOrWhiteSpace(metadata.Source))
{
writer.WriteString("source", metadata.Source);

7
src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace/Temporal/InMemoryTemporalEntrypointStore.cs
View File

@@ -1,5 +1,6 @@
using System.Collections.Concurrent;
using System.Collections.Immutable;
using System.Globalization;
using System.Security.Cryptography;
using System.Text;
using System.Text.Json;
@@ -101,7 +102,7 @@ public sealed class InMemoryTemporalEntrypointStore : ITemporalEntrypointStore
var prunedGraph = graph with
{
Snapshots = prunedSnapshots,
UpdatedAt = DateTime.UtcNow.ToString("O")
UpdatedAt = DateTime.UtcNow.ToString("O", CultureInfo.InvariantCulture)
};
_graphs[serviceId] = prunedGraph;
@@ -117,7 +118,7 @@ public sealed class InMemoryTemporalEntrypointStore : ITemporalEntrypointStore
CurrentVersion = snapshot.Version,
PreviousVersion = null,
Delta = null,
UpdatedAt = DateTime.UtcNow.ToString("O")
UpdatedAt = DateTime.UtcNow.ToString("O", CultureInfo.InvariantCulture)
};
}
@@ -164,7 +165,7 @@ public sealed class InMemoryTemporalEntrypointStore : ITemporalEntrypointStore
CurrentVersion = newSnapshot.Version,
PreviousVersion = previousSnapshot?.Version,
Delta = delta,
UpdatedAt = DateTime.UtcNow.ToString("O")
UpdatedAt = DateTime.UtcNow.ToString("O", CultureInfo.InvariantCulture)
};
}

3
src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace/Temporal/TemporalEntrypointGraph.cs
View File

@@ -1,4 +1,5 @@
using System.Collections.Immutable;
using System.Globalization;
using StellaOps.Scanner.EntryTrace.Semantic;
namespace StellaOps.Scanner.EntryTrace.Temporal;
@@ -231,7 +232,7 @@ public sealed class TemporalEntrypointGraphBuilder
CurrentVersion = _currentVersion,
PreviousVersion = _previousVersion,
Delta = _delta,
UpdatedAt = DateTime.UtcNow.ToString("O"),
UpdatedAt = DateTime.UtcNow.ToString("O", CultureInfo.InvariantCulture),
Metadata = _metadata.Count > 0
? _metadata.ToImmutableDictionary()
: null

3
src/Scanner/__Libraries/StellaOps.Scanner.Evidence/FuncProofTransparencyService.cs
View File

@@ -1,3 +1,4 @@
using System.Globalization;
using System.Net.Http.Json;
using System.Text.Json;
using Microsoft.Extensions.Logging;
@@ -227,7 +228,7 @@ public sealed class FuncProofTransparencyService : IFuncProofTransparencyService
EntryLocation = entry.EntryLocation,
LogIndex = entry.LogIndex,
InclusionProofUrl = entry.InclusionProofUrl,
RecordedAt = _timeProvider.GetUtcNow().ToString("O")
RecordedAt = _timeProvider.GetUtcNow().ToString("O", CultureInfo.InvariantCulture)
};
}
catch (HttpRequestException ex) when (opts.AllowOffline)

26
src/Scanner/__Libraries/StellaOps.Scanner.Gate/AGENTS.md Normal file
View File

@@ -0,0 +1,26 @@
# AGENTS - Scanner Gate Library
## Roles
- Backend engineer: .NET 10 gate policy, DI wiring, configuration, and determinism.
- QA / bench engineer: tests for policy evaluation, caching, audit logging, and config validation.
## Required Reading
- docs/README.md
- docs/07_HIGH_LEVEL_ARCHITECTURE.md
- docs/modules/platform/architecture-overview.md
- docs/modules/scanner/architecture.md
- src/Scanner/AGENTS.md
- Current sprint file under docs/implplan/SPRINT_*.md
## Working Directory & Boundaries
- Primary scope: src/Scanner/__Libraries/StellaOps.Scanner.Gate
- Test scope: src/Scanner/__Tests/StellaOps.Scanner.Gate.Tests (create if missing)
- Avoid cross-module edits unless explicitly allowed in the sprint file.
## Determinism and Safety
- Inject TimeProvider and IGuidGenerator; no DateTime.UtcNow or Guid.NewGuid in production code.
- Use InvariantCulture for parsing/formatting and stable ordering for rule evaluation.
## Testing
- Cover policy evaluation, options validation, caching behavior, and audit logging.
- Use deterministic fixtures and fixed time providers in tests.

25
src/Scanner/__Libraries/StellaOps.Scanner.MaterialChanges/AGENTS.md Normal file
View File

@@ -0,0 +1,25 @@
# AGENTS - Scanner.MaterialChanges Library
## Roles
- Backend engineer: maintain material change orchestration and card generation.
- QA / test engineer: validate deterministic report outputs and ordering.
## Required Reading
- docs/README.md
- docs/07_HIGH_LEVEL_ARCHITECTURE.md
- docs/modules/platform/architecture-overview.md
- docs/modules/scanner/architecture.md
- src/Scanner/AGENTS.md
- Current sprint file under docs/implplan/SPRINT_*.md
## Working Directory & Boundaries
- Primary scope: src/Scanner/__Libraries/StellaOps.Scanner.MaterialChanges
- Related tests: src/Scanner/__Tests/StellaOps.Scanner.MaterialChanges.Tests
- Avoid cross-module edits unless explicitly noted in the sprint file.
## Determinism and Safety
- Ensure report ordering and hashes are deterministic (stable sort, canonical inputs).
- Avoid culture-sensitive comparisons when mapping severity or kinds.
## Testing
- Cover report ID determinism, summary aggregation, and option handling.

630
src/Scanner/__Libraries/StellaOps.Scanner.MaterialChanges/CardGenerators.cs Normal file
View File

@@ -0,0 +1,630 @@
// -----------------------------------------------------------------------------
// CardGenerators.cs
// Sprint: SPRINT_20260106_001_004_LB_material_changes_orchestrator
// Tasks: MCO-006 to MCO-010 - Card generator interfaces and implementations
// Description: Generates material change cards from various diff sources
// -----------------------------------------------------------------------------
using System.Globalization;
using System.Security.Cryptography;
using System.Text;
using Microsoft.Extensions.Logging;
namespace StellaOps.Scanner.MaterialChanges;
/// <summary>
/// Generates security-related change cards from SmartDiff.
/// </summary>
public interface ISecurityCardGenerator
{
Task<IReadOnlyList<MaterialChangeCard>> GenerateCardsAsync(
SnapshotInfo baseSnapshot,
SnapshotInfo targetSnapshot,
CancellationToken ct);
}
/// <summary>
/// Generates ABI-related change cards from SymbolDiff.
/// </summary>
public interface IAbiCardGenerator
{
Task<IReadOnlyList<MaterialChangeCard>> GenerateCardsAsync(
SnapshotInfo baseSnapshot,
SnapshotInfo targetSnapshot,
CancellationToken ct);
}
/// <summary>
/// Generates package-related change cards from ComponentDiff.
/// </summary>
public interface IPackageCardGenerator
{
Task<IReadOnlyList<MaterialChangeCard>> GenerateCardsAsync(
SnapshotInfo baseSnapshot,
SnapshotInfo targetSnapshot,
CancellationToken ct);
}
/// <summary>
/// Generates unknown-related change cards from Unknowns module.
/// </summary>
public interface IUnknownsCardGenerator
{
Task<(IReadOnlyList<MaterialChangeCard>, UnknownsSummary)> GenerateCardsAsync(
SnapshotInfo baseSnapshot,
SnapshotInfo targetSnapshot,
CancellationToken ct);
}
/// <summary>
/// Generates security cards from SmartDiff material risk changes.
/// </summary>
public sealed class SecurityCardGenerator : ISecurityCardGenerator
{
private readonly IMaterialRiskChangeProvider _smartDiff;
private readonly ILogger<SecurityCardGenerator> _logger;
public SecurityCardGenerator(
IMaterialRiskChangeProvider smartDiff,
ILogger<SecurityCardGenerator> logger)
{
_smartDiff = smartDiff;
_logger = logger;
}
public async Task<IReadOnlyList<MaterialChangeCard>> GenerateCardsAsync(
SnapshotInfo baseSnapshot,
SnapshotInfo targetSnapshot,
CancellationToken ct)
{
var changes = await _smartDiff.GetMaterialChangesAsync(
baseSnapshot.SnapshotId,
targetSnapshot.SnapshotId,
ct);
var cards = new List<MaterialChangeCard>();
foreach (var change in changes)
{
var priority = ComputeSecurityPriority(change);
var card = new MaterialChangeCard
{
CardId = ComputeCardId("sec", change.ChangeId),
Category = ChangeCategory.Security,
Scope = MapToScope(change.Scope),
Priority = priority,
What = new WhatChanged
{
Subject = change.Subject,
SubjectDisplay = change.SubjectDisplay,
ChangeType = change.RuleId,
Before = change.Before,
After = change.After,
Text = $"{change.SubjectDisplay}: {change.ChangeDescription}"
},
Why = new WhyItMatters
{
Impact = change.Impact,
Severity = change.Severity,
Context = change.CveId,
Text = FormatWhyText(change)
},
Action = new NextAction
{
Type = DetermineActionType(change),
ActionText = change.RecommendedAction ?? "Review change",
Link = change.CveId is not null ? $"https://nvd.nist.gov/vuln/detail/{change.CveId}" : null,
Text = change.RecommendedAction ?? "Review and assess impact"
},
Sources = [new ChangeSource { Module = "SmartDiff", SourceId = change.ChangeId }],
Cves = change.CveId is not null ? [change.CveId] : null
};
cards.Add(card);
}
_logger.LogDebug("Generated {Count} security cards", cards.Count);
return cards;
}
private static int ComputeSecurityPriority(MaterialRiskChange change)
{
// Base priority on severity and KEV status
var basePriority = change.Severity switch
{
"critical" => 95,
"high" => 80,
"medium" => 60,
"low" => 40,
_ => 30
};
// Boost if in KEV
if (change.IsInKev) basePriority = Math.Min(100, basePriority + 10);
// Boost if reachable
if (change.IsReachable) basePriority = Math.Min(100, basePriority + 5);
return basePriority;
}
private static ChangeScope MapToScope(string? scope) => scope switch
{
"package" => ChangeScope.Package,
"file" => ChangeScope.File,
"symbol" => ChangeScope.Symbol,
"layer" => ChangeScope.Layer,
_ => ChangeScope.Package
};
private static string FormatWhyText(MaterialRiskChange change)
{
var parts = new List<string> { $"Severity: {change.Severity}" };
if (change.IsInKev)
parts.Add("actively exploited (KEV)");
if (change.IsReachable)
parts.Add("reachable from entry points");
if (change.CveId is not null)
parts.Add(change.CveId);
return string.Join("; ", parts);
}
private static string DetermineActionType(MaterialRiskChange change) => change.Severity switch
{
"critical" => "urgent-upgrade",
"high" => "upgrade",
_ => "review"
};
private static string ComputeCardId(string prefix, string sourceId)
{
var hash = SHA256.HashData(Encoding.UTF8.GetBytes($"{prefix}:{sourceId}"));
return $"{prefix}-{Convert.ToHexString(hash[..8]).ToLowerInvariant()}";
}
}
/// <summary>
/// Material risk change from SmartDiff.
/// </summary>
public sealed record MaterialRiskChange
{
public required string ChangeId { get; init; }
public required string RuleId { get; init; }
public required string Subject { get; init; }
public required string SubjectDisplay { get; init; }
public string? Scope { get; init; }
public required string ChangeDescription { get; init; }
public string? Before { get; init; }
public string? After { get; init; }
public required string Impact { get; init; }
public required string Severity { get; init; }
public string? CveId { get; init; }
public bool IsInKev { get; init; }
public bool IsReachable { get; init; }
public string? RecommendedAction { get; init; }
}
/// <summary>
/// Provides material risk changes from SmartDiff.
/// </summary>
public interface IMaterialRiskChangeProvider
{
Task<IReadOnlyList<MaterialRiskChange>> GetMaterialChangesAsync(
string baseSnapshotId,
string targetSnapshotId,
CancellationToken ct);
}
/// <summary>
/// Generates ABI cards from symbol table diff.
/// </summary>
public sealed class AbiCardGenerator : IAbiCardGenerator
{
private readonly ISymbolDiffProvider _symbolDiff;
private readonly ILogger<AbiCardGenerator> _logger;
public AbiCardGenerator(
ISymbolDiffProvider symbolDiff,
ILogger<AbiCardGenerator> logger)
{
_symbolDiff = symbolDiff;
_logger = logger;
}
public async Task<IReadOnlyList<MaterialChangeCard>> GenerateCardsAsync(
SnapshotInfo baseSnapshot,
SnapshotInfo targetSnapshot,
CancellationToken ct)
{
var diff = await _symbolDiff.GetSymbolDiffAsync(
baseSnapshot.SnapshotId,
targetSnapshot.SnapshotId,
ct);
if (diff is null) return [];
var cards = new List<MaterialChangeCard>();
// Breaking changes get highest priority
foreach (var breaking in diff.BreakingChanges)
{
var card = new MaterialChangeCard
{
CardId = ComputeCardId("abi", breaking.SymbolName),
Category = ChangeCategory.Abi,
Scope = ChangeScope.Symbol,
Priority = 85,
What = new WhatChanged
{
Subject = breaking.SymbolName,
SubjectDisplay = breaking.DemangledName ?? breaking.SymbolName,
ChangeType = breaking.ChangeType,
Before = breaking.OldSignature,
After = breaking.NewSignature,
Text = $"{breaking.DemangledName ?? breaking.SymbolName}: {breaking.ChangeType}"
},
Why = new WhyItMatters
{
Impact = "ABI breaking change",
Severity = "high",
Context = breaking.BinaryPath,
Text = $"ABI breaking change in {breaking.BinaryPath}; may cause runtime failures"
},
Action = new NextAction
{
Type = "investigate",
ActionText = "Review callers and update if needed",
Text = "Check all callers of this symbol for compatibility"
},
Sources = [new ChangeSource { Module = "SymbolDiff", SourceId = diff.DiffId }]
};
cards.Add(card);
}
// Add removed exports as medium priority
foreach (var removed in diff.RemovedExports)
{
var card = new MaterialChangeCard
{
CardId = ComputeCardId("abi", $"removed:{removed.SymbolName}"),
Category = ChangeCategory.Abi,
Scope = ChangeScope.Symbol,
Priority = 75,
What = new WhatChanged
{
Subject = removed.SymbolName,
SubjectDisplay = removed.DemangledName ?? removed.SymbolName,
ChangeType = "removed",
Before = removed.SymbolName,
After = null,
Text = $"{removed.DemangledName ?? removed.SymbolName}: removed export"
},
Why = new WhyItMatters
{
Impact = "Export removed",
Severity = "high",
Context = removed.BinaryPath,
Text = $"Export removed from {removed.BinaryPath}; callers will fail"
},
Action = new NextAction
{
Type = "investigate",
ActionText = "Find replacement or update callers",
Text = "Check if symbol was renamed or removed intentionally"
},
Sources = [new ChangeSource { Module = "SymbolDiff", SourceId = diff.DiffId }]
};
cards.Add(card);
}
_logger.LogDebug("Generated {Count} ABI cards", cards.Count);
return cards;
}
private static string ComputeCardId(string prefix, string sourceId)
{
var hash = SHA256.HashData(Encoding.UTF8.GetBytes($"{prefix}:{sourceId}"));
return $"{prefix}-{Convert.ToHexString(hash[..8]).ToLowerInvariant()}";
}
}
/// <summary>
/// Symbol diff result.
/// </summary>
public sealed record SymbolDiffResult
{
public required string DiffId { get; init; }
public required IReadOnlyList<BreakingSymbolChange> BreakingChanges { get; init; }
public required IReadOnlyList<SymbolInfo> RemovedExports { get; init; }
public required IReadOnlyList<SymbolInfo> AddedExports { get; init; }
}
public sealed record BreakingSymbolChange
{
public required string SymbolName { get; init; }
public string? DemangledName { get; init; }
public required string ChangeType { get; init; }
public string? OldSignature { get; init; }
public string? NewSignature { get; init; }
public required string BinaryPath { get; init; }
}
public sealed record SymbolInfo
{
public required string SymbolName { get; init; }
public string? DemangledName { get; init; }
public required string BinaryPath { get; init; }
}
/// <summary>
/// Provides symbol diff from BinaryIndex.
/// </summary>
public interface ISymbolDiffProvider
{
Task<SymbolDiffResult?> GetSymbolDiffAsync(
string baseSnapshotId,
string targetSnapshotId,
CancellationToken ct);
}
/// <summary>
/// Generates package cards from component diff.
/// </summary>
public sealed class PackageCardGenerator : IPackageCardGenerator
{
private readonly IComponentDiffProvider _componentDiff;
private readonly ILogger<PackageCardGenerator> _logger;
public PackageCardGenerator(
IComponentDiffProvider componentDiff,
ILogger<PackageCardGenerator> logger)
{
_componentDiff = componentDiff;
_logger = logger;
}
public async Task<IReadOnlyList<MaterialChangeCard>> GenerateCardsAsync(
SnapshotInfo baseSnapshot,
SnapshotInfo targetSnapshot,
CancellationToken ct)
{
var diff = await _componentDiff.GetComponentDiffAsync(
baseSnapshot.SnapshotId,
targetSnapshot.SnapshotId,
ct);
var cards = new List<MaterialChangeCard>();
foreach (var change in diff.Changes)
{
var priority = change.ChangeType switch
{
"major-upgrade" => 55,
"downgrade" => 60,
"added" => 45,
"removed" => 50,
"minor-upgrade" => 30,
"patch-upgrade" => 20,
_ => 25
};
var card = new MaterialChangeCard
{
CardId = ComputeCardId("pkg", change.Purl),
Category = ChangeCategory.Package,
Scope = ChangeScope.Package,
Priority = priority,
What = new WhatChanged
{
Subject = change.Purl,
SubjectDisplay = change.PackageName,
ChangeType = change.ChangeType,
Before = change.OldVersion,
After = change.NewVersion,
Text = $"{change.PackageName}: {change.OldVersion ?? "(none)"} -> {change.NewVersion ?? "(removed)"}"
},
Why = new WhyItMatters
{
Impact = change.Impact ?? "Dependency change",
Severity = priority >= 50 ? "medium" : "low",
Text = change.ImpactDescription ?? $"Package {change.ChangeType}"
},
Action = new NextAction
{
Type = "review",
ActionText = "Review changelog for breaking changes",
Text = "Check release notes and update tests if needed"
},
Sources = [new ChangeSource { Module = "ComponentDiff", SourceId = diff.DiffId }]
};
cards.Add(card);
}
_logger.LogDebug("Generated {Count} package cards", cards.Count);
return cards;
}
private static string ComputeCardId(string prefix, string sourceId)
{
var hash = SHA256.HashData(Encoding.UTF8.GetBytes($"{prefix}:{sourceId}"));
return $"{prefix}-{Convert.ToHexString(hash[..8]).ToLowerInvariant()}";
}
}
/// <summary>
/// Component diff result.
/// </summary>
public sealed record ComponentDiffResult
{
public required string DiffId { get; init; }
public required IReadOnlyList<ComponentChange> Changes { get; init; }
}
public sealed record ComponentChange
{
public required string Purl { get; init; }
public required string PackageName { get; init; }
public required string ChangeType { get; init; }
public string? OldVersion { get; init; }
public string? NewVersion { get; init; }
public string? Impact { get; init; }
public string? ImpactDescription { get; init; }
}
/// <summary>
/// Provides component diff from Scanner.Diff.
/// </summary>
public interface IComponentDiffProvider
{
Task<ComponentDiffResult> GetComponentDiffAsync(
string baseSnapshotId,
string targetSnapshotId,
CancellationToken ct);
}
/// <summary>
/// Generates unknown cards from Unknowns module.
/// </summary>
public sealed class UnknownsCardGenerator : IUnknownsCardGenerator
{
private readonly IUnknownsDiffProvider _unknownsDiff;
private readonly ILogger<UnknownsCardGenerator> _logger;
public UnknownsCardGenerator(
IUnknownsDiffProvider unknownsDiff,
ILogger<UnknownsCardGenerator> logger)
{
_unknownsDiff = unknownsDiff;
_logger = logger;
}
public async Task<(IReadOnlyList<MaterialChangeCard>, UnknownsSummary)> GenerateCardsAsync(
SnapshotInfo baseSnapshot,
SnapshotInfo targetSnapshot,
CancellationToken ct)
{
var diff = await _unknownsDiff.GetUnknownsDiffAsync(
baseSnapshot.SnapshotId,
targetSnapshot.SnapshotId,
ct);
var cards = new List<MaterialChangeCard>();
foreach (var unknown in diff.NewUnknowns)
{
var priority = unknown.RiskLevel switch
{
"high" => 65,
"medium" => 45,
_ => 25
};
var card = new MaterialChangeCard
{
CardId = ComputeCardId("unk", unknown.UnknownId),
Category = ChangeCategory.Unknown,
Scope = MapScope(unknown.Kind),
Priority = priority,
What = new WhatChanged
{
Subject = unknown.Subject,
SubjectDisplay = unknown.SubjectDisplay,
ChangeType = "new-unknown",
Text = $"New unknown {unknown.Kind}: {unknown.SubjectDisplay}"
},
Why = new WhyItMatters
{
Impact = "Unknown component",
Severity = unknown.RiskLevel ?? "medium",
Context = unknown.ProvenanceHint,
Text = $"Unknown {unknown.Kind} discovered; {unknown.ProvenanceHint ?? "no provenance hints"}"
},
Action = new NextAction
{
Type = "investigate",
ActionText = unknown.SuggestedAction ?? "Investigate origin and purpose",
Text = unknown.SuggestedAction ?? "Determine if this component is expected"
},
Sources = [new ChangeSource { Module = "Unknowns", SourceId = unknown.UnknownId }],
RelatedUnknowns = [new RelatedUnknown
{
UnknownId = unknown.UnknownId,
Kind = unknown.Kind,
Hint = unknown.ProvenanceHint
}]
};
cards.Add(card);
}
var summary = new UnknownsSummary
{
Total = diff.TotalUnknowns,
New = diff.NewUnknowns.Count,
Resolved = diff.ResolvedUnknowns.Count,
ByKind = diff.NewUnknowns
.GroupBy(u => u.Kind)
.ToDictionary(g => g.Key, g => g.Count())
};
_logger.LogDebug("Generated {Count} unknown cards", cards.Count);
return (cards, summary);
}
private static ChangeScope MapScope(string kind) => kind switch
{
"binary" => ChangeScope.File,
"package" => ChangeScope.Package,
"symbol" => ChangeScope.Symbol,
_ => ChangeScope.File
};
private static string ComputeCardId(string prefix, string sourceId)
{
var hash = SHA256.HashData(Encoding.UTF8.GetBytes($"{prefix}:{sourceId}"));
return $"{prefix}-{Convert.ToHexString(hash[..8]).ToLowerInvariant()}";
}
}
/// <summary>
/// Unknown item from Unknowns module.
/// </summary>
public sealed record UnknownItem
{
public required string UnknownId { get; init; }
public required string Kind { get; init; }
public required string Subject { get; init; }
public required string SubjectDisplay { get; init; }
public string? RiskLevel { get; init; }
public string? ProvenanceHint { get; init; }
public string? SuggestedAction { get; init; }
}
/// <summary>
/// Unknowns diff result.
/// </summary>
public sealed record UnknownsDiffResult
{
public required int TotalUnknowns { get; init; }
public required IReadOnlyList<UnknownItem> NewUnknowns { get; init; }
public required IReadOnlyList<UnknownItem> ResolvedUnknowns { get; init; }
}
/// <summary>
/// Provides unknowns diff from Unknowns module.
/// </summary>
public interface IUnknownsDiffProvider
{
Task<UnknownsDiffResult> GetUnknownsDiffAsync(
string baseSnapshotId,
string targetSnapshotId,
CancellationToken ct);
}

68
src/Scanner/__Libraries/StellaOps.Scanner.MaterialChanges/IMaterialChangesOrchestrator.cs Normal file
View File

@@ -0,0 +1,68 @@
// -----------------------------------------------------------------------------
// IMaterialChangesOrchestrator.cs
// Sprint: SPRINT_20260106_001_004_LB_material_changes_orchestrator
// Task: MCO-005 - Define IMaterialChangesOrchestrator interface
// Description: Interface for orchestrating material changes from multiple sources
// -----------------------------------------------------------------------------
namespace StellaOps.Scanner.MaterialChanges;
/// <summary>
/// Orchestrates material changes from multiple diff sources.
/// </summary>
public interface IMaterialChangesOrchestrator
{
/// <summary>
/// Generate a unified material changes report.
/// </summary>
Task<MaterialChangesReport> GenerateReportAsync(
string baseSnapshotId,
string targetSnapshotId,
MaterialChangesOptions? options = null,
CancellationToken ct = default);
/// <summary>
/// Get a single change card by ID.
/// </summary>
Task<MaterialChangeCard?> GetCardAsync(
string reportId,
string cardId,
CancellationToken ct = default);
/// <summary>
/// Filter cards by category and scope.
/// </summary>
Task<IReadOnlyList<MaterialChangeCard>> FilterCardsAsync(
string reportId,
ChangeCategory? category = null,
ChangeScope? scope = null,
int? minPriority = null,
CancellationToken ct = default);
}
/// <summary>
/// Options for material changes generation.
/// </summary>
public sealed record MaterialChangesOptions
{
/// <summary>Include security changes (default: true).</summary>
public bool IncludeSecurity { get; init; } = true;
/// <summary>Include ABI changes (default: true).</summary>
public bool IncludeAbi { get; init; } = true;
/// <summary>Include package changes (default: true).</summary>
public bool IncludePackage { get; init; } = true;
/// <summary>Include file changes (default: true).</summary>
public bool IncludeFile { get; init; } = true;
/// <summary>Include unknowns (default: true).</summary>
public bool IncludeUnknowns { get; init; } = true;
/// <summary>Minimum priority to include (0-100, default: 0).</summary>
public int MinPriority { get; init; } = 0;
/// <summary>Maximum number of cards to return (default: 100).</summary>
public int MaxCards { get; init; } = 100;
}

263
src/Scanner/__Libraries/StellaOps.Scanner.MaterialChanges/MaterialChangesOrchestrator.cs Normal file
View File

@@ -0,0 +1,263 @@
// -----------------------------------------------------------------------------
// MaterialChangesOrchestrator.cs
// Sprint: SPRINT_20260106_001_004_LB_material_changes_orchestrator
// Tasks: MCO-006 to MCO-013 - Implement MaterialChangesOrchestrator
// Description: Orchestrates material changes from multiple diff sources
// -----------------------------------------------------------------------------
using System.Globalization;
using System.Security.Cryptography;
using System.Text;
using System.Text.Json;
using Microsoft.Extensions.Logging;
namespace StellaOps.Scanner.MaterialChanges;
/// <summary>
/// Orchestrates material changes from multiple diff sources.
/// </summary>
public sealed class MaterialChangesOrchestrator : IMaterialChangesOrchestrator
{
private readonly ISecurityCardGenerator _securityGenerator;
private readonly IAbiCardGenerator _abiGenerator;
private readonly IPackageCardGenerator _packageGenerator;
private readonly IUnknownsCardGenerator _unknownsGenerator;
private readonly ISnapshotProvider _snapshotProvider;
private readonly IReportCache _reportCache;
private readonly TimeProvider _timeProvider;
private readonly ILogger<MaterialChangesOrchestrator> _logger;
public MaterialChangesOrchestrator(
ISecurityCardGenerator securityGenerator,
IAbiCardGenerator abiGenerator,
IPackageCardGenerator packageGenerator,
IUnknownsCardGenerator unknownsGenerator,
ISnapshotProvider snapshotProvider,
IReportCache reportCache,
TimeProvider timeProvider,
ILogger<MaterialChangesOrchestrator> logger)
{
_securityGenerator = securityGenerator;
_abiGenerator = abiGenerator;
_packageGenerator = packageGenerator;
_unknownsGenerator = unknownsGenerator;
_snapshotProvider = snapshotProvider;
_reportCache = reportCache;
_timeProvider = timeProvider;
_logger = logger;
}
/// <inheritdoc />
public async Task<MaterialChangesReport> GenerateReportAsync(
string baseSnapshotId,
string targetSnapshotId,
MaterialChangesOptions? options = null,
CancellationToken ct = default)
{
options ??= new MaterialChangesOptions();
_logger.LogInformation(
"Generating material changes report: {Base} -> {Target}",
baseSnapshotId, targetSnapshotId);
var baseSnapshot = await _snapshotProvider.GetSnapshotAsync(baseSnapshotId, ct)
?? throw new ArgumentException($"Base snapshot not found: {baseSnapshotId}");
var targetSnapshot = await _snapshotProvider.GetSnapshotAsync(targetSnapshotId, ct)
?? throw new ArgumentException($"Target snapshot not found: {targetSnapshotId}");
var allCards = new List<MaterialChangeCard>();
var inputDigests = new ReportInputDigests
{
BaseSbomDigest = baseSnapshot.SbomDigest,
TargetSbomDigest = targetSnapshot.SbomDigest
};
// Generate cards from each source in parallel
var securityTask = options.IncludeSecurity
? _securityGenerator.GenerateCardsAsync(baseSnapshot, targetSnapshot, ct)
: Task.FromResult<IReadOnlyList<MaterialChangeCard>>([]);
var abiTask = options.IncludeAbi
? _abiGenerator.GenerateCardsAsync(baseSnapshot, targetSnapshot, ct)
: Task.FromResult<IReadOnlyList<MaterialChangeCard>>([]);
var packageTask = options.IncludePackage
? _packageGenerator.GenerateCardsAsync(baseSnapshot, targetSnapshot, ct)
: Task.FromResult<IReadOnlyList<MaterialChangeCard>>([]);
var unknownsTask = options.IncludeUnknowns
? _unknownsGenerator.GenerateCardsAsync(baseSnapshot, targetSnapshot, ct)
: Task.FromResult<(IReadOnlyList<MaterialChangeCard>, UnknownsSummary)>(
([], new UnknownsSummary { Total = 0, New = 0, Resolved = 0 }));
await Task.WhenAll(securityTask, abiTask, packageTask, unknownsTask);
allCards.AddRange(await securityTask);
allCards.AddRange(await abiTask);
allCards.AddRange(await packageTask);
var (unknownCards, unknownsSummary) = await unknownsTask;
allCards.AddRange(unknownCards);
// Filter by priority
var filteredCards = allCards
.Where(c => c.Priority >= options.MinPriority)
.OrderByDescending(c => c.Priority)
.ThenBy(c => c.Category)
.Take(options.MaxCards)
.ToList();
// Compute summary
var summary = ComputeSummary(filteredCards);
// Compute content-addressed report ID
var reportId = ComputeReportId(baseSnapshotId, targetSnapshotId, filteredCards);
var report = new MaterialChangesReport
{
ReportId = reportId,
Base = ToSnapshotReference(baseSnapshot),
Target = ToSnapshotReference(targetSnapshot),
Changes = filteredCards,
Summary = summary,
Unknowns = unknownsSummary,
GeneratedAt = _timeProvider.GetUtcNow(),
InputDigests = inputDigests
};
// Cache the report
await _reportCache.StoreAsync(report, ct);
_logger.LogInformation(
"Generated material changes report {ReportId}: {CardCount} cards",
reportId, filteredCards.Count);
return report;
}
/// <inheritdoc />
public async Task<MaterialChangeCard?> GetCardAsync(
string reportId,
string cardId,
CancellationToken ct = default)
{
var report = await _reportCache.GetAsync(reportId, ct);
if (report is null) return null;
return report.Changes.FirstOrDefault(c => c.CardId == cardId);
}
/// <inheritdoc />
public async Task<IReadOnlyList<MaterialChangeCard>> FilterCardsAsync(
string reportId,
ChangeCategory? category = null,
ChangeScope? scope = null,
int? minPriority = null,
CancellationToken ct = default)
{
var report = await _reportCache.GetAsync(reportId, ct);
if (report is null) return [];
IEnumerable<MaterialChangeCard> cards = report.Changes;
if (category.HasValue)
cards = cards.Where(c => c.Category == category.Value);
if (scope.HasValue)
cards = cards.Where(c => c.Scope == scope.Value);
if (minPriority.HasValue)
cards = cards.Where(c => c.Priority >= minPriority.Value);
return cards.ToList();
}
private static ChangesSummary ComputeSummary(IReadOnlyList<MaterialChangeCard> cards)
{
var byCategory = cards
.GroupBy(c => c.Category)
.ToDictionary(g => g.Key, g => g.Count());
var byScope = cards
.GroupBy(c => c.Scope)
.ToDictionary(g => g.Key, g => g.Count());
var byPriority = new PrioritySummary
{
Critical = cards.Count(c => c.Priority >= 90),
High = cards.Count(c => c.Priority >= 70 && c.Priority < 90),
Medium = cards.Count(c => c.Priority >= 40 && c.Priority < 70),
Low = cards.Count(c => c.Priority < 40)
};
return new ChangesSummary
{
Total = cards.Count,
ByCategory = byCategory,
ByScope = byScope,
ByPriority = byPriority
};
}
private static string ComputeReportId(
string baseSnapshotId,
string targetSnapshotId,
IReadOnlyList<MaterialChangeCard> cards)
{
var sb = new StringBuilder();
sb.Append(baseSnapshotId);
sb.Append('|');
sb.Append(targetSnapshotId);
sb.Append('|');
foreach (var card in cards.OrderBy(c => c.CardId))
{
sb.Append(card.CardId);
sb.Append(';');
}
var hash = SHA256.HashData(Encoding.UTF8.GetBytes(sb.ToString()));
return Convert.ToHexString(hash).ToLowerInvariant();
}
private static SnapshotReference ToSnapshotReference(SnapshotInfo snapshot)
{
return new SnapshotReference
{
SnapshotId = snapshot.SnapshotId,
ArtifactDigest = snapshot.ArtifactDigest,
ArtifactName = snapshot.ArtifactName,
ScannedAt = snapshot.ScannedAt
};
}
}
/// <summary>
/// Snapshot information for the orchestrator.
/// </summary>
public sealed record SnapshotInfo
{
public required string SnapshotId { get; init; }
public required string ArtifactDigest { get; init; }
public string? ArtifactName { get; init; }
public required DateTimeOffset ScannedAt { get; init; }
public required string SbomDigest { get; init; }
}
/// <summary>
/// Provides snapshot information.
/// </summary>
public interface ISnapshotProvider
{
Task<SnapshotInfo?> GetSnapshotAsync(string snapshotId, CancellationToken ct);
}
/// <summary>
/// Cache for material changes reports.
/// </summary>
public interface IReportCache
{
Task StoreAsync(MaterialChangesReport report, CancellationToken ct);
Task<MaterialChangesReport?> GetAsync(string reportId, CancellationToken ct);
}

306
src/Scanner/__Libraries/StellaOps.Scanner.MaterialChanges/MaterialChangesReport.cs Normal file
View File

@@ -0,0 +1,306 @@
// -----------------------------------------------------------------------------
// MaterialChangesReport.cs
// Sprint: SPRINT_20260106_001_004_LB_material_changes_orchestrator
// Tasks: MCO-002, MCO-003, MCO-004 - Define MaterialChangesReport and related records
// Description: Unified material changes report combining all diff sources
// -----------------------------------------------------------------------------
using System.Text.Json.Serialization;
namespace StellaOps.Scanner.MaterialChanges;
/// <summary>
/// Unified material changes report combining all diff sources.
/// </summary>
public sealed record MaterialChangesReport
{
/// <summary>Content-addressed report ID.</summary>
[JsonPropertyName("report_id")]
public required string ReportId { get; init; }
/// <summary>Report schema version.</summary>
[JsonPropertyName("schema_version")]
public string SchemaVersion { get; init; } = "1.0";
/// <summary>Base snapshot reference.</summary>
[JsonPropertyName("base")]
public required SnapshotReference Base { get; init; }
/// <summary>Target snapshot reference.</summary>
[JsonPropertyName("target")]
public required SnapshotReference Target { get; init; }
/// <summary>All material changes as compact cards.</summary>
[JsonPropertyName("changes")]
public required IReadOnlyList<MaterialChangeCard> Changes { get; init; }
/// <summary>Summary counts by category.</summary>
[JsonPropertyName("summary")]
public required ChangesSummary Summary { get; init; }
/// <summary>Unknowns encountered during analysis.</summary>
[JsonPropertyName("unknowns")]
public required UnknownsSummary Unknowns { get; init; }
/// <summary>When this report was generated (UTC).</summary>
[JsonPropertyName("generated_at")]
public required DateTimeOffset GeneratedAt { get; init; }
/// <summary>Input digests for reproducibility.</summary>
[JsonPropertyName("input_digests")]
public required ReportInputDigests InputDigests { get; init; }
}
/// <summary>Reference to a scan snapshot.</summary>
public sealed record SnapshotReference
{
[JsonPropertyName("snapshot_id")]
public required string SnapshotId { get; init; }
[JsonPropertyName("artifact_digest")]
public required string ArtifactDigest { get; init; }
[JsonPropertyName("artifact_name")]
public string? ArtifactName { get; init; }
[JsonPropertyName("scanned_at")]
public required DateTimeOffset ScannedAt { get; init; }
}
/// <summary>
/// A compact card representing a single material change.
/// Format: what changed -> why it matters -> next action
/// </summary>
public sealed record MaterialChangeCard
{
/// <summary>Unique card ID within the report.</summary>
[JsonPropertyName("card_id")]
public required string CardId { get; init; }
/// <summary>Category of change.</summary>
[JsonPropertyName("category")]
public required ChangeCategory Category { get; init; }
/// <summary>Scope: package, file, symbol, or layer.</summary>
[JsonPropertyName("scope")]
public required ChangeScope Scope { get; init; }
/// <summary>Priority score (0-100, higher = more urgent).</summary>
[JsonPropertyName("priority")]
public required int Priority { get; init; }
/// <summary>What changed (first line).</summary>
[JsonPropertyName("what")]
public required WhatChanged What { get; init; }
/// <summary>Why it matters (second line).</summary>
[JsonPropertyName("why")]
public required WhyItMatters Why { get; init; }
/// <summary>Recommended next action (third line).</summary>
[JsonPropertyName("action")]
public required NextAction Action { get; init; }
/// <summary>Source modules that contributed to this card.</summary>
[JsonPropertyName("sources")]
public required IReadOnlyList<ChangeSource> Sources { get; init; }
/// <summary>Related CVEs (if applicable).</summary>
[JsonPropertyName("cves")]
public IReadOnlyList<string>? Cves { get; init; }
/// <summary>Unknown items related to this change.</summary>
[JsonPropertyName("related_unknowns")]
public IReadOnlyList<RelatedUnknown>? RelatedUnknowns { get; init; }
}
/// <summary>Category of change.</summary>
[JsonConverter(typeof(JsonStringEnumConverter))]
public enum ChangeCategory
{
/// <summary>Security-relevant change (CVE, VEX, reachability).</summary>
Security,
/// <summary>ABI/symbol change that may affect compatibility.</summary>
Abi,
/// <summary>Package version or dependency change.</summary>
Package,
/// <summary>File content change.</summary>
File,
/// <summary>Unknown or ambiguous change.</summary>
Unknown
}
/// <summary>Scope of change.</summary>
[JsonConverter(typeof(JsonStringEnumConverter))]
public enum ChangeScope
{
Package,
File,
Symbol,
Layer
}
/// <summary>What changed (the subject of the change).</summary>
public sealed record WhatChanged
{
/// <summary>Subject identifier (PURL, path, symbol name).</summary>
[JsonPropertyName("subject")]
public required string Subject { get; init; }
/// <summary>Human-readable subject name.</summary>
[JsonPropertyName("subject_display")]
public required string SubjectDisplay { get; init; }
/// <summary>Type of change.</summary>
[JsonPropertyName("change_type")]
public required string ChangeType { get; init; }
/// <summary>Before value (if applicable).</summary>
[JsonPropertyName("before")]
public string? Before { get; init; }
/// <summary>After value (if applicable).</summary>
[JsonPropertyName("after")]
public string? After { get; init; }
/// <summary>Rendered text for display.</summary>
[JsonPropertyName("text")]
public required string Text { get; init; }
}
/// <summary>Why this change matters.</summary>
public sealed record WhyItMatters
{
/// <summary>Impact category.</summary>
[JsonPropertyName("impact")]
public required string Impact { get; init; }
/// <summary>Severity level.</summary>
[JsonPropertyName("severity")]
public required string Severity { get; init; }
/// <summary>Additional context (CVE link, ABI breaking, etc.).</summary>
[JsonPropertyName("context")]
public string? Context { get; init; }
/// <summary>Rendered text for display.</summary>
[JsonPropertyName("text")]
public required string Text { get; init; }
}
/// <summary>Recommended next action.</summary>
public sealed record NextAction
{
/// <summary>Action type: review, upgrade, investigate, accept, etc.</summary>
[JsonPropertyName("type")]
public required string Type { get; init; }
/// <summary>Specific action to take.</summary>
[JsonPropertyName("action")]
public required string ActionText { get; init; }
/// <summary>Link to more information (KB article, advisory, etc.).</summary>
[JsonPropertyName("link")]
public string? Link { get; init; }
/// <summary>Rendered text for display.</summary>
[JsonPropertyName("text")]
public required string Text { get; init; }
}
/// <summary>Source module that contributed to the change.</summary>
public sealed record ChangeSource
{
[JsonPropertyName("module")]
public required string Module { get; init; }
[JsonPropertyName("source_id")]
public required string SourceId { get; init; }
[JsonPropertyName("confidence")]
public double? Confidence { get; init; }
}
/// <summary>Related unknown item.</summary>
public sealed record RelatedUnknown
{
[JsonPropertyName("unknown_id")]
public required string UnknownId { get; init; }
[JsonPropertyName("kind")]
public required string Kind { get; init; }
[JsonPropertyName("hint")]
public string? Hint { get; init; }
}
/// <summary>Summary of changes by category.</summary>
public sealed record ChangesSummary
{
[JsonPropertyName("total")]
public int Total { get; init; }
[JsonPropertyName("by_category")]
public required IReadOnlyDictionary<ChangeCategory, int> ByCategory { get; init; }
[JsonPropertyName("by_scope")]
public required IReadOnlyDictionary<ChangeScope, int> ByScope { get; init; }
[JsonPropertyName("by_priority")]
public required PrioritySummary ByPriority { get; init; }
}
/// <summary>Priority breakdown.</summary>
public sealed record PrioritySummary
{
[JsonPropertyName("critical")]
public int Critical { get; init; }
[JsonPropertyName("high")]
public int High { get; init; }
[JsonPropertyName("medium")]
public int Medium { get; init; }
[JsonPropertyName("low")]
public int Low { get; init; }
}
/// <summary>Unknowns summary for the report.</summary>
public sealed record UnknownsSummary
{
[JsonPropertyName("total")]
public int Total { get; init; }
[JsonPropertyName("new")]
public int New { get; init; }
[JsonPropertyName("resolved")]
public int Resolved { get; init; }
[JsonPropertyName("by_kind")]
public IReadOnlyDictionary<string, int>? ByKind { get; init; }
}
/// <summary>Input digests for reproducibility.</summary>
public sealed record ReportInputDigests
{
[JsonPropertyName("base_sbom_digest")]
public required string BaseSbomDigest { get; init; }
[JsonPropertyName("target_sbom_digest")]
public required string TargetSbomDigest { get; init; }
[JsonPropertyName("smart_diff_digest")]
public string? SmartDiffDigest { get; init; }
[JsonPropertyName("symbol_diff_digest")]
public string? SymbolDiffDigest { get; init; }
[JsonPropertyName("unknowns_digest")]
public string? UnknownsDigest { get; init; }
}

82
src/Scanner/__Libraries/StellaOps.Scanner.MaterialChanges/MaterialChangesServiceExtensions.cs Normal file
View File

@@ -0,0 +1,82 @@
// -----------------------------------------------------------------------------
// MaterialChangesServiceExtensions.cs
// Sprint: SPRINT_20260106_001_004_LB_material_changes_orchestrator
// Task: MCO-015 - Add service registration extensions
// Description: DI registration for material changes orchestrator
// -----------------------------------------------------------------------------
using Microsoft.Extensions.DependencyInjection;
namespace StellaOps.Scanner.MaterialChanges;
/// <summary>
/// Service collection extensions for material changes orchestrator.
/// </summary>
public static class MaterialChangesServiceExtensions
{
/// <summary>
/// Adds material changes orchestrator and related services.
/// </summary>
public static IServiceCollection AddMaterialChangesOrchestrator(this IServiceCollection services)
{
// Core orchestrator
services.AddSingleton<IMaterialChangesOrchestrator, MaterialChangesOrchestrator>();
// Card generators
services.AddSingleton<ISecurityCardGenerator, SecurityCardGenerator>();
services.AddSingleton<IAbiCardGenerator, AbiCardGenerator>();
services.AddSingleton<IPackageCardGenerator, PackageCardGenerator>();
services.AddSingleton<IUnknownsCardGenerator, UnknownsCardGenerator>();
// Cache
services.AddSingleton<IReportCache, InMemoryReportCache>();
return services;
}
/// <summary>
/// Adds custom snapshot provider.
/// </summary>
public static IServiceCollection AddSnapshotProvider<TProvider>(this IServiceCollection services)
where TProvider : class, ISnapshotProvider
{
services.AddSingleton<ISnapshotProvider, TProvider>();
return services;
}
/// <summary>
/// Adds custom report cache.
/// </summary>
public static IServiceCollection AddReportCache<TCache>(this IServiceCollection services)
where TCache : class, IReportCache
{
services.AddSingleton<IReportCache, TCache>();
return services;
}
}
/// <summary>
/// In-memory report cache for development and testing.
/// </summary>
public sealed class InMemoryReportCache : IReportCache
{
private readonly Dictionary<string, MaterialChangesReport> _cache = new();
private readonly object _lock = new();
public Task StoreAsync(MaterialChangesReport report, CancellationToken ct)
{
lock (_lock)
{
_cache[report.ReportId] = report;
}
return Task.CompletedTask;
}
public Task<MaterialChangesReport?> GetAsync(string reportId, CancellationToken ct)
{
lock (_lock)
{
return Task.FromResult(_cache.GetValueOrDefault(reportId));
}
}
}

24
src/Scanner/__Libraries/StellaOps.Scanner.MaterialChanges/StellaOps.Scanner.MaterialChanges.csproj Normal file
View File

@@ -0,0 +1,24 @@
<Project Sdk="Microsoft.NET.Sdk">
<PropertyGroup>
<TargetFramework>net10.0</TargetFramework>
<LangVersion>preview</LangVersion>
<ImplicitUsings>enable</ImplicitUsings>
<Nullable>enable</Nullable>
<TreatWarningsAsErrors>true</TreatWarningsAsErrors>
<RootNamespace>StellaOps.Scanner.MaterialChanges</RootNamespace>
</PropertyGroup>
<ItemGroup>
<PackageReference Include="Microsoft.Extensions.DependencyInjection.Abstractions" />
<PackageReference Include="Microsoft.Extensions.Logging.Abstractions" />
</ItemGroup>
<ItemGroup>
<ProjectReference Include="..\StellaOps.Scanner.SmartDiff\StellaOps.Scanner.SmartDiff.csproj" />
<ProjectReference Include="..\StellaOps.Scanner.Diff\StellaOps.Scanner.Diff.csproj" />
<ProjectReference Include="..\..\..\..\BinaryIndex\__Libraries\StellaOps.BinaryIndex.Builders\StellaOps.BinaryIndex.Builders.csproj" />
<ProjectReference Include="..\..\..\..\Unknowns\StellaOps.Unknowns.Core\StellaOps.Unknowns.Core.csproj" />
</ItemGroup>
</Project>

3
src/Scanner/__Libraries/StellaOps.Scanner.Reachability/EdgeBundlePublisher.cs
View File

@@ -1,4 +1,5 @@
using System;
using System.Globalization;
using System.IO;
using System.Security.Cryptography;
using System.Text;
@@ -147,7 +148,7 @@ public sealed class EdgeBundlePublisher : IEdgeBundlePublisher
graphHash = bundle.GraphHash,
bundleReason = bundle.BundleReason.ToString(),
customReason = bundle.CustomReason,
generatedAt = bundle.GeneratedAt.ToString("O"),
generatedAt = bundle.GeneratedAt.ToString("O", CultureInfo.InvariantCulture),
edges = bundle.Edges.Select(e => new
{
from = e.From,

7
src/Scanner/__Libraries/StellaOps.Scanner.Reachability/ReachabilityUnionWriter.cs
View File

@@ -1,6 +1,7 @@
using System;
using System.Collections.Generic;
using System.Collections.Immutable;
using System.Globalization;
using System.IO;
using System.Linq;
using System.Security.Cryptography;
@@ -289,11 +290,11 @@ public sealed class ReachabilityUnionWriter
jw.WriteNumber("call_count", fact.Samples?.CallCount ?? 0);
if (fact.Samples?.FirstSeenUtc is not null)
{
jw.WriteString("first_seen_utc", fact.Samples.FirstSeenUtc.Value.ToUniversalTime().ToString("O"));
jw.WriteString("first_seen_utc", fact.Samples.FirstSeenUtc.Value.ToUniversalTime().ToString("O", CultureInfo.InvariantCulture));
}
if (fact.Samples?.LastSeenUtc is not null)
{
jw.WriteString("last_seen_utc", fact.Samples.LastSeenUtc.Value.ToUniversalTime().ToString("O"));
jw.WriteString("last_seen_utc", fact.Samples.LastSeenUtc.Value.ToUniversalTime().ToString("O", CultureInfo.InvariantCulture));
}
jw.WriteEndObject();
@@ -402,7 +403,7 @@ public sealed class ReachabilityUnionWriter
writer.WriteStartObject();
writer.WriteString("schema", "reachability-union@0.1");
writer.WriteString("generated_at", timeProvider.GetUtcNow().ToString("O"));
writer.WriteString("generated_at", timeProvider.GetUtcNow().ToString("O", CultureInfo.InvariantCulture));
writer.WritePropertyName("files");
writer.WriteStartArray();
WriteMetaFile(writer, nodes);

5
src/Scanner/__Libraries/StellaOps.Scanner.Storage.Oci/OciArtifactPusher.cs
View File

@@ -1,4 +1,5 @@
using System.Net;
using System.Globalization;
using System.Net;
using System.Net.Http.Headers;
using System.Text.Json;
using Microsoft.Extensions.Logging;
@@ -122,7 +123,7 @@ public sealed class OciArtifactPusher
annotations = new SortedDictionary<string, string>(StringComparer.Ordinal);
}
annotations["org.opencontainers.image.created"] = _timeProvider.GetUtcNow().ToString("O");
annotations["org.opencontainers.image.created"] = _timeProvider.GetUtcNow().ToString("O", CultureInfo.InvariantCulture);
annotations["org.opencontainers.image.title"] = request.ArtifactType;
return new OciArtifactManifest

3
src/Scanner/__Libraries/StellaOps.Scanner.Storage.Oci/VerdictOciPublisher.cs
View File

@@ -6,6 +6,7 @@
// -----------------------------------------------------------------------------
using System.Diagnostics;
using System.Globalization;
using StellaOps.Scanner.Storage.Oci.Diagnostics;
namespace StellaOps.Scanner.Storage.Oci;
@@ -152,7 +153,7 @@ public sealed class VerdictOciPublisher
if (request.VerdictTimestamp.HasValue)
{
annotations[OciAnnotations.StellaVerdictTimestamp] = request.VerdictTimestamp.Value.ToString("O");
annotations[OciAnnotations.StellaVerdictTimestamp] = request.VerdictTimestamp.Value.ToString("O", CultureInfo.InvariantCulture);
}
// Sprint: SPRINT_4300_0002_0002 - Unknowns Attestation Predicates