CD/CD consolidation

devops/services/scanner-java/package-analyzer.sh

@@ -0,0 +1,89 @@
+#!/usr/bin/env bash
+# Package Java analyzer plugin for release/offline distribution
+# Usage: ./package-analyzer.sh [version] [output-dir]
+# Example: ./package-analyzer.sh 2025.10.0 ./dist
+
+set -euo pipefail
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+REPO_ROOT="$(cd "${SCRIPT_DIR}/../../.." && pwd)"
+
+VERSION="${1:-$(date +%Y.%m.%d)}"
+OUTPUT_DIR="${2:-${SCRIPT_DIR}/../artifacts/scanner-java}"
+PROJECT_PATH="src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Java/StellaOps.Scanner.Analyzers.Lang.Java.csproj"
+
+# Freeze timestamps for reproducibility
+export SOURCE_DATE_EPOCH=${SOURCE_DATE_EPOCH:-1704067200}
+
+echo "==> Packaging Java analyzer v${VERSION}"
+mkdir -p "${OUTPUT_DIR}"
+
+# Build for all target RIDs
+RIDS=("linux-x64" "linux-arm64" "osx-x64" "osx-arm64" "win-x64")
+
+for RID in "${RIDS[@]}"; do
+  echo "==> Building for ${RID}..."
+  dotnet publish "${REPO_ROOT}/${PROJECT_PATH}" \
+    --configuration Release \
+    --runtime "${RID}" \
+    --self-contained false \
+    --output "${OUTPUT_DIR}/java-analyzer-${VERSION}-${RID}" \
+    /p:Version="${VERSION}" \
+    /p:PublishTrimmed=false \
+    /p:DebugType=None
+done
+
+# Create combined archive
+ARCHIVE_NAME="scanner-java-analyzer-${VERSION}"
+echo "==> Creating archive ${ARCHIVE_NAME}.tar.gz..."
+cd "${OUTPUT_DIR}"
+tar -czf "${ARCHIVE_NAME}.tar.gz" java-analyzer-${VERSION}-*/
+
+# Generate checksums
+echo "==> Generating checksums..."
+sha256sum "${ARCHIVE_NAME}.tar.gz" > "${ARCHIVE_NAME}.tar.gz.sha256"
+for RID in "${RIDS[@]}"; do
+  (cd "java-analyzer-${VERSION}-${RID}" && sha256sum *.dll *.json 2>/dev/null > ../java-analyzer-${VERSION}-${RID}.sha256 || true)
+done
+
+# Generate SBOM if syft available
+if command -v syft &>/dev/null; then
+  echo "==> Generating SBOM..."
+  syft dir:"${OUTPUT_DIR}/java-analyzer-${VERSION}-linux-x64" -o spdx-json > "${OUTPUT_DIR}/${ARCHIVE_NAME}.spdx.json"
+  syft dir:"${OUTPUT_DIR}/java-analyzer-${VERSION}-linux-x64" -o cyclonedx-json > "${OUTPUT_DIR}/${ARCHIVE_NAME}.cdx.json"
+fi
+
+# Sign if cosign available
+if command -v cosign &>/dev/null && [[ -n "${COSIGN_KEY:-}" ]]; then
+  echo "==> Signing archive..."
+  cosign sign-blob --key "${COSIGN_KEY}" "${ARCHIVE_NAME}.tar.gz" > "${ARCHIVE_NAME}.tar.gz.sig"
+fi
+
+# Create manifest
+cat > "${OUTPUT_DIR}/manifest.json" <<EOF
+{
+  "analyzer": "scanner-java",
+  "version": "${VERSION}",
+  "archive": "${ARCHIVE_NAME}.tar.gz",
+  "checksumFile": "${ARCHIVE_NAME}.tar.gz.sha256",
+  "rids": $(printf '%s\n' "${RIDS[@]}" | jq -R . | jq -s .),
+  "sbom": {
+    "spdx": "${ARCHIVE_NAME}.spdx.json",
+    "cyclonedx": "${ARCHIVE_NAME}.cdx.json"
+  },
+  "createdAt": "$(date -u +%Y-%m-%dT%H:%M:%SZ)",
+  "sourceDateEpoch": "${SOURCE_DATE_EPOCH}",
+  "components": [
+    "Maven/Gradle parsing",
+    "JAR/WAR/EAR analysis",
+    "Java callgraph builder",
+    "JNI native bridge detection",
+    "Service provider scanning",
+    "Shaded JAR detection"
+  ]
+}
+EOF
+
+echo "==> Java analyzer packaged to ${OUTPUT_DIR}"
+echo "    Archive: ${ARCHIVE_NAME}.tar.gz"
+echo "    RIDs: ${RIDS[*]}"

devops/services/scanner-java/release-plan.md

@@ -0,0 +1,48 @@
+# Java Analyzer Release Plan (DEVOPS-SCANNER-JAVA-21-011-REL)
+
+## Goal
+Publish the Java analyzer plug-in with signed artifacts and offline-ready bundles for CLI/Offline Kit.
+
+## Inputs
+- Analyzer JAR(s) + native helpers from dev task 21-011.
+- SBOM (SPDX JSON) for plugin + native components.
+- Test suite outputs (unit + integration).
+
+## Artifacts
+- OCI image (optional) or zip bundle containing:
+  - `analyzer.jar`
+  - `lib/` natives (if any)
+  - `LICENSE`, `NOTICE`
+  - `SBOM` (spdx.json)
+  - `SIGNATURES` (cosign/PGP)
+- Cosign attestations for OCI/zip (provenance + SBOM).
+- Checksums: `SHA256SUMS`, `SHA256SUMS.sig`.
+- Offline kit slice: tarball with bundle + attestations + SBOM.
+
+## Pipeline steps
+1) **Build**: run gradle/mvn with `--offline` using vendored deps; produce JAR + natives.
+2) **SBOM**: `syft packages -o spdx-json` over build output.
+3) **Package**: zip bundle with fixed ordering (`zip -X`) and normalized timestamps (`SOURCE_DATE_EPOCH`).
+4) **Sign**:
+   - cosign sign blob (zip) and/or image.
+   - generate in-toto provenance (SLSA level 1) referencing git commit + toolchain hashes.
+5) **Checksums**: create `SHA256SUMS` and sign with cosign/PGP.
+6) **Verify stage**: pipeline step runs `cosign verify-blob`, `sha256sum --check`, and `syft validate spdx`.
+7) **Publish**:
+   - Upload to artifact store (release bucket) with metadata (version, commit, digest).
+   - Produce offline kit slice tarball (`scanner-java-<ver>-offline.tgz`) containing bundle, SBOM, attestations, checksums.
+
+## Security/hardening
+- Non-root build container; disable gradle/mvn network (`--offline`).
+- Strip debug info unless required; ensure reproducible JAR (sorted entries, normalized timestamps).
+- Telemetry disabled.
+
+## Evidence to capture
+- Bundle SHA256, cosign signatures, provenance statement.
+- SBOM hash.
+- Verification logs from pipeline.
+
+## Owners
+- Build/pipeline: DevOps Guild
+- Signing policy: Platform Security
+- Consumer integration: CLI Guild / Offline Kit Guild