Add PHP Analyzer Plugin and Composer Lock Data Handling
Some checks failed
Docs CI / lint-and-preview (push) Has been cancelled
- Implemented the PhpAnalyzerPlugin to analyze PHP projects.
- Created ComposerLockData class to represent data from composer.lock files.
- Developed ComposerLockReader to load and parse composer.lock files asynchronously.
- Introduced ComposerPackage class to encapsulate package details.
- Added PhpPackage class to represent PHP packages with metadata and evidence.
- Implemented PhpPackageCollector to gather packages from ComposerLockData.
- Created PhpLanguageAnalyzer to perform analysis and emit results.
- Added capability signals for known PHP frameworks and CMS.
- Developed unit tests for the PHP language analyzer and its components.
- Included sample composer.lock and expected output for testing.
- Updated project files for the new PHP analyzer library and tests.
31
docs/modules/sbomservice/runbooks/airgap-parity-review.md
Normal file
@@ -0,0 +1,31 @@
# AirGap Parity Review — SBOM Service runtime/signals (Sprint 0140/0142)
Status: Template published (2025-11-22)
Owners: Observability Guild · SBOM Service Guild · Cartographer Guild · Runtime & Signals coordination (0140) · Concelier Core (schema fidelity)
## Purpose
Document a repeatable AirGap parity review for `/sbom/paths`, `/sbom/versions`, and SBOM event streams so SBOM-SERVICE-21-001..004 can move from BLOCKED to DOING once fixtures land.
## Prerequisites
- Link-Not-Merge v1 fixtures available under `docs/modules/sbomservice/fixtures/lnm-v1/` with `SHA256SUMS`.
- Projection schema frozen (record SHA/commit).
- Mock surface bundle hash and real scanner cache ETA published in sprint 0140 tracker.
- CAS/provenance appendices (signals) frozen: `docs/signals/cas-promotion-24-002.md`, `docs/signals/provenance-24-003.md`.
- Test environment with offline toggle enabled; mirrored packages only.
## Checklist
- Verify fixture integrity: run `sha256sum -c SHA256SUMS` in `fixtures/lnm-v1`.
- Replay fixtures in offline mode; capture latency/p95/p99 for `/sbom/paths` and `/sbom/versions` with deterministic seeds.
- Confirm tenant scoping and add-only evolution (no in-place updates) using two-tenant replay script.
- Validate event envelopes (`sbom.version.created`) against CAS/provenance requirements; ensure DSSE fields present or `skip_reason: offline`.
- Check orchestrator backpressure behavior with AirGap throttling; record SLO thresholds.
- Capture logs/traces snapshots (if enabled) and redact secrets before attaching.
## Outputs
- Minutes + decisions appended to this file (Execution Notes section) with timestamps and owners.
- Metrics table with p50/p95/p99 latency, error rate, and cache hit ratio.
- Actions list with owners and due dates; blockers mirrored to sprint 0140/0142 Decisions & Risks.
## Execution Notes
- 2025-11-22: Template published; awaiting fixtures and review scheduling.
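Review bot: The commit message does not describe this diff. The only file touched is `docs/modules/sbomservice/runbooks/airgap-parity-review.md` (31 added lines), while the message lists PhpAnalyzerPlugin, ComposerLockData, ComposerLockReader, ComposerPackage, PhpPackage, PhpPackageCollector, PhpLanguageAnalyzer, capability signals, unit tests, and a sample composer.lock, none of which appear here. Either the PHP analyzer files were left out of the commit or the message was carried over from another change; please amend the message to describe the runbook, or add the missing files, so the history matches the content. Within the runbook itself, the checklist item "ensure DSSE fields present or `skip_reason: offline`" would be easier to execute if it named which DSSE fields the CAS/provenance appendices (`docs/signals/cas-promotion-24-002.md`, `docs/signals/provenance-24-003.md`) require, and the "Projection schema frozen (record SHA/commit)" prerequisite should say where that SHA/commit is recorded so reviewers can verify it.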