consolidation of some of the modules, localization fixes, product advisories work, qa work
@@ -51,7 +51,13 @@ src/
└─ StellaOps.Scanner.Sbomer.DockerImage/ # CLI‑driven scanner container
```
Per-analyzer notes (language analyzers):
### 1.0 Cartographer Ownership (Sprint 201)
- Cartographer is owned by Scanner and implemented at `src/Scanner/StellaOps.Scanner.Cartographer/`.
- The service remains a separate deployable endpoint (`cartographer.stella-ops.local`, slot 21, ports 10210/10211) while living inside the Scanner domain.
- Legacy `src/Cartographer/` paths are retired; operational and build references now resolve through Scanner-owned solution/project paths.
Per-analyzer notes (language analyzers):
- `docs/modules/scanner/analyzers-java.md` — Java/Kotlin (Maven, Gradle, fat archives)
- `docs/modules/scanner/dotnet-analyzer.md` — .NET (deps.json, NuGet, packages.lock.json, declared-only)
- `docs/modules/scanner/analyzers-python.md` — Python (pip, Poetry, pipenv, conda, editables, vendored)
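Review bot: the new `### 1.0 Cartographer Ownership (Sprint 201)` section gives the reader nothing to follow up on: the endpoint bullet (`cartographer.stella-ops.local`, slot 21, ports 10210/10211) and the "Legacy `src/Cartographer/` paths are retired" bullet cite no document or project file, whereas the `Per-analyzer notes` list directly below links each analyzer to its `docs/modules/scanner/*.md` page. Link the Cartographer bullets to the module doc and to the Scanner-owned solution/project path they now resolve through, so the ownership claim can be verified from the architecture page itself.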
@@ -742,6 +748,31 @@ The user can expand to see the full call chain.
#### Source Snippet Integration
When source mappings are provided (keyed by `file:line`), the service attaches
`SourceSnippet` records to matching frames. This enables syntax-highlighted code
display in the UI without requiring the scanner to store full source files.
When source mappings are provided (keyed by `file:line`), the service attaches
`SourceSnippet` records to matching frames. This enables syntax-highlighted code
display in the UI without requiring the scanner to store full source files.
## Advisory Commitments (2026-02-26 Batch)
- `SPRINT_20260226_224_Scanner_oci_referrers_runtime_stack_and_replay_data` is the scanner execution contract for:
- OCI 1.1 referrer capability probing and fallback handling.
- DSSE verification during slice retrieval/publish paths.
- CAS-backed replay data resolution and deterministic command generation.
- persisted reachability stack and deterministic runtime collector fixture flows.
## Advisory Gap Status (2026-03-05 Update)
Gaps translated in the 2026-03-04 advisory batch are now implemented in Scanner:
- `SCN-001` closed: `DeltaCompareService` now computes deterministic snapshot deltas, persists by deterministic `comparisonId`, and supports retrieval.
- `SCN-002` closed: actionables are generated from actual delta findings/policy changes with deterministic ordering by priority then actionable ID.
- `SCN-003` closed: `ChangeTraceBuilder` no longer uses placeholder traces; subject digests are content-addressed and binary comparison uses real file bytes/hashes.
- `SCN-004` closed: runtime ingestion now indexes scan-to-trace relationships and returns deterministically ordered trace lists.
- `SCN-005` closed: exploitable/likely/possible stack verdicts emit `ReachabilityResult.Affected(PathWitness)` when witness context exists, with explicit unknown fallback when entrypoint evidence is absent.
- `SCN-006` closed: score replay contracts now expose `/api/v1/scans/{scanId}/score/*` as primary routes with `/api/v1/score/{scanId}/*` compatibility aliases.
- `SCN-007` closed: deterministic scoring now emits factorized vectors (`cvss`, `epss`, `reachability`, `provenance`) plus canonical input hash/payload metadata for replay verification.
Delivered in:
- `docs/implplan/SPRINT_20260304_302_Scanner_trace_delta_and_actionables_completion.md`
- `docs/implplan/SPRINT_20260304_303_Scanner_score_replay_contract_and_formula_alignment.md`
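Review bot: the `#### Source Snippet Integration` paragraph ("When source mappings are provided (keyed by `file:line`), the service attaches `SourceSnippet` records to matching frames ... without requiring the scanner to store full source files.") appears twice in this hunk; if the second copy is text this commit adds rather than the viewer showing old and new lines, drop it. Also, the 2026-02-26 batch refers to `SPRINT_20260226_224_Scanner_oci_referrers_runtime_stack_and_replay_data` by bare name, while the 2026-03-05 update cites `docs/implplan/SPRINT_20260304_302_Scanner_trace_delta_and_actionables_completion.md` and `docs/implplan/SPRINT_20260304_303_Scanner_score_replay_contract_and_formula_alignment.md` as full paths; use the same `docs/implplan/...md` form for the earlier sprint so the reference resolves. For `SCN-006`, state whether the `/api/v1/score/{scanId}/*` compatibility aliases are scheduled for removal, since the note introduces them without a lifecycle.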
@@ -355,7 +355,21 @@ diff trace1.json trace2.json # Should be empty
- [BinaryIndex Architecture](../../modules/binary-index/architecture.md)
- [VexLens Architecture](../../modules/vexlens/architecture.md)
## Implementation Status Note (2026-03-05)
The previously documented advisory-translation gaps are closed:
- `ChangeTraceBuilder` no longer uses placeholder trace generation in production flow.
- scan and binary traces now emit content-addressed subject digests (`sha256:*`) with deterministic ordering.
- binary comparison paths use real file bytes/hashes for symbol/byte delta generation.
- runtime trace ingestion now persists deterministic scan-to-trace indexes and returns deterministic trace lists for scan lookup.
- Scanner WebService delta/actionables APIs are backed by deterministic delta payloads instead of static sample records.
Closure sprints:
- `docs/implplan/SPRINT_20260304_302_Scanner_trace_delta_and_actionables_completion.md`
- `docs/implplan/SPRINT_20260304_303_Scanner_score_replay_contract_and_formula_alignment.md`
---
*Document Version: 1.0.0*
*Last Updated: 2026-01-12*
*Last Updated: 2026-03-05*
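Review bot: the five bullets under `## Implementation Status Note (2026-03-05)` restate the `SCN-001` to `SCN-007` closures this same commit writes into the other file's `## Advisory Gap Status (2026-03-05 Update)`, and both sections point at the same two sprint documents (`docs/implplan/SPRINT_20260304_302_Scanner_trace_delta_and_actionables_completion.md`, `docs/implplan/SPRINT_20260304_303_Scanner_score_replay_contract_and_formula_alignment.md`); keep the detailed list in one place and link to it from the other so the two copies cannot drift. Also, `*Document Version: 1.0.0*` is left unchanged while `*Last Updated*` moves from 2026-01-12 to 2026-03-05 and a new section is added; bump the version together with the date.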