Add PHP Analyzer Plugin and Composer Lock Data Handling
Some checks failed
Docs CI / lint-and-preview (push) Has been cancelled
- Implemented the PhpAnalyzerPlugin to analyze PHP projects.
- Created ComposerLockData class to represent data from composer.lock files.
- Developed ComposerLockReader to load and parse composer.lock files asynchronously.
- Introduced ComposerPackage class to encapsulate package details.
- Added PhpPackage class to represent PHP packages with metadata and evidence.
- Implemented PhpPackageCollector to gather packages from ComposerLockData.
- Created PhpLanguageAnalyzer to perform analysis and emit results.
- Added capability signals for known PHP frameworks and CMS.
- Developed unit tests for the PHP language analyzer and its components.
- Included sample composer.lock and expected output for testing.
- Updated project files for the new PHP analyzer library and tests.
21
docs/modules/sbomservice/fixtures/lnm-v1/README.md
Normal file
@@ -0,0 +1,21 @@
# Link-Not-Merge v1 Fixtures
Status: Awaiting drop (2025-11-22)
Expected contents (all JSON, canonicalized, UTF-8):
- `projections.json` — canonical SBOM projection payloads keyed by snapshot ID.
- `assets.json` — asset metadata overlays (tenant-scoped, append-only).
- `paths.json` — ordered dependency paths with runtime flags and blast-radius hints.
- `events.json` — `sbom.version.created` envelopes aligned to CAS/provenance fields.
- `schema-version.txt` — git SHA / semantic version of the frozen projection schema.
- `SHA256SUMS` — checksums for all files above.
Drop instructions:
- Place files in this directory and update `SHA256SUMS` via `sha256sum *.json *.txt > SHA256SUMS`.
- Keep ordering stable; prefer NDJSON converted to JSON arrays only if deterministic sorting is applied.
- Record drop commit in sprint 0140/0142 Execution Logs and link here.
Consumers:
- SBOM-SERVICE-21-001..004 implementation and tests.
- Advisory AI and Console replay suites.
- AirGap parity review (`docs/modules/sbomservice/runbooks/airgap-parity-review.md`).
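Review bot: the drop instruction `sha256sum *.json *.txt > SHA256SUMS` regenerates the checksum file from the very files it is meant to protect, so the runbook's `sha256sum -c SHA256SUMS` step only catches accidental corruption unless the sums are anchored somewhere the fixture author cannot rewrite in the same change. Suggest the "Record drop commit" item also capture the SHA-256 of `SHA256SUMS` itself (or the drop commit SHA) in the sprint 0140/0142 Execution Log entry, and that the glob be run under a fixed collation (`LC_ALL=C sha256sum *.json *.txt > SHA256SUMS`) so the file order in `SHA256SUMS` is deterministic across machines, consistent with the "Keep ordering stable" guidance.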
@@ -0,0 +1,31 @@
# SBOM Service Prep — PREP-SBOM-SERVICE-GUILD-CARTOGRAPHER-GUILD-OB
Status: Published (2025-11-22)
Owners: SBOM Service Guild · Cartographer Guild · Observability Guild · Zastava Observer/Webhook Guilds · Security Guild
Scope: Capture a single readiness note for Runtime & Signals wave (0140) so SBOM-SERVICE-21-001..004 and SBOM-AIAI-31-001/002 can start once fixtures and AirGap approvals land.
## Current inputs (as of 2025-11-22)
- Link-Not-Merge v1 projection schema frozen on 2025-11-17 (per Sprint 0140 decisions); JSON fixtures have not been published.
- Mock surface bundle v1 exists; real scanner cache ETA is still outstanding, so Graph/Zastava cannot validate parity yet.
- CAS/provenance decisions are tracked under `docs/signals/cas-promotion-24-002.md` and `docs/signals/provenance-24-003.md`; SBOM events must align with these provenance fields.
## Outstanding blockers to flip SBOM wave to DOING
- Publish LNM v1 JSON fixtures with hash list to `docs/modules/sbomservice/fixtures/lnm-v1/` plus `SHA256SUMS`. Owners: Concelier Core · Cartographer Guild.
- Run AirGap parity review for `/sbom/paths`, `/sbom/versions`, and `/sbom/events`; template and minutes location published at `docs/modules/sbomservice/runbooks/airgap-parity-review.md`. Owner: Observability Guild with SBOM Service Guild.
- Confirm scanner cache drop timeline and hash for the real surface cache; mirror in sprint 0140 tracker once published. Owner: Scanner Guild.
## Ready-to-start checklist for SBOM-SERVICE-21-001..004
- Verify fixtures landed at the path above and match the frozen field list; add deterministic fixture IDs to tests.
- Emit projection change events with schema version and fixture set hash; expose counters and optional OTEL traces behind config.
- Provide observability baselines (dashboards/alerts) for path/timeline endpoints with latency and error-rate SLOs.
- Document tenant scoping and add-only evolution in API reference before exposing to Console and Advisory AI consumers.
## Evidence
- This prep note: `docs/modules/sbomservice/prep/2025-11-22-prep-sbom-service-guild-cartographer-ob.md`.
- Blocker detail mirrored in `docs/implplan/SPRINT_0140_0001_0001_runtime_signals.md` Delivery Tracker and Decisions & Risks.
## Exit criteria
- LNM v1 fixtures and AirGap review minutes committed and linked in sprints 0140 and 0142.
- Sprint 0140 SBOM wave can move from BLOCKED to DOING with cache ETA recorded.
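Review bot: "Current inputs" states the Link-Not-Merge v1 projection schema was frozen on 2025-11-17 but records no commit or SHA for it, while the ready-to-start checklist asks implementers to verify that fixtures "match the frozen field list"; without a recorded identifier that check cannot be reproduced by anyone reading this note. Suggest adding the schema commit/SHA (the value the fixture README expects in `schema-version.txt`) to that bullet. The first blocker also refers to both a "hash list" and `SHA256SUMS` without saying whether they are the same artefact; naming one file, and the owner who confirms it matches the published fixtures, would close that gap.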
31
docs/modules/sbomservice/runbooks/airgap-parity-review.md
Normal file
@@ -0,0 +1,31 @@
# AirGap Parity Review — SBOM Service runtime/signals (Sprint 0140/0142)
Status: Template published (2025-11-22)
Owners: Observability Guild · SBOM Service Guild · Cartographer Guild · Runtime & Signals coordination (0140) · Concelier Core (schema fidelity)
## Purpose
Document a repeatable AirGap parity review for `/sbom/paths`, `/sbom/versions`, and SBOM event streams so SBOM-SERVICE-21-001..004 can move from BLOCKED to DOING once fixtures land.
## Prerequisites
- Link-Not-Merge v1 fixtures available under `docs/modules/sbomservice/fixtures/lnm-v1/` with `SHA256SUMS`.
- Projection schema frozen (record SHA/commit).
- Mock surface bundle hash and real scanner cache ETA published in sprint 0140 tracker.
- CAS/provenance appendices (signals) frozen: `docs/signals/cas-promotion-24-002.md`, `docs/signals/provenance-24-003.md`.
- Test environment with offline toggle enabled; mirrored packages only.
## Checklist
- Verify fixture integrity: run `sha256sum -c SHA256SUMS` in `fixtures/lnm-v1`.
- Replay fixtures in offline mode; capture latency/p95/p99 for `/sbom/paths` and `/sbom/versions` with deterministic seeds.
- Confirm tenant scoping and add-only evolution (no in-place updates) using two-tenant replay script.
- Validate event envelopes (`sbom.version.created`) against CAS/provenance requirements; ensure DSSE fields present or `skip_reason: offline`.
- Check orchestrator backpressure behavior with AirGap throttling; record SLO thresholds.
- Capture logs/traces snapshots (if enabled) and redact secrets before attaching.
## Outputs
- Minutes + decisions appended to this file (Execution Notes section) with timestamps and owners.
- Metrics table with p50/p95/p99 latency, error rate, and cache hit ratio.
- Actions list with owners and due dates; blockers mirrored to sprint 0140/0142 Decisions & Risks.
## Execution Notes
- 2025-11-22: Template published; awaiting fixtures and review scheduling.
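Review bot: the event-envelope item in the Checklist accepts either DSSE fields present or `skip_reason: offline`, so an envelope with no signature material passes the parity review as long as it declares itself offline, and nothing in "Outputs" records how many envelopes took that branch. Suggest the metrics table also count envelopes accepted via `skip_reason: offline`, and that the Actions list carry a follow-up to re-validate those envelopes against the CAS/provenance appendices once signing material is reachable. The "redact secrets before attaching" step would likewise benefit from naming who verifies the redaction before minutes are appended to this file.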