feat(audit): Apply TreatWarningsAsErrors=true to 160+ production csproj files
Sprint: SPRINT_20251229_049_BE_csproj_audit_maint_tests Tasks: AUDIT-0001 through AUDIT-0147 APPLY tasks (approved decisions 1-9) Changes: - Set TreatWarningsAsErrors=true for all production .NET projects - Fixed nullable warnings in Scanner.EntryTrace, Scanner.Evidence, Scheduler.Worker, Concelier connectors, and other modules - Injected TimeProvider/IGuidProvider for deterministic time/ID generation - Added path traversal validation in AirGap.Bundle - Fixed NULL handling in various cursor classes - Third-party GostCryptography retains TreatWarningsAsErrors=false (preserves original) - Test projects excluded per user decision (rejected decision 10) Note: All 17 ACSC connector tests pass after snapshot fixture sync
This commit is contained in:
StellaOps Bot
31
CLAUDE.md
31
CLAUDE.md
@@ -4,7 +4,7 @@ This file provides guidance to Claude Code (claude.ai/code) when working with co
|
||||
|
||||
## Project Overview
|
||||
|
||||
StellaOps is a self-hostable, sovereign container-security platform released under AGPL-3.0-or-later. It provides reproducible vulnerability scanning with VEX-first decisioning, SBOM generation (SPDX 3.0.1 and CycloneDX 1.6), in-toto/DSSE attestations, and optional Sigstore Rekor transparency. The platform is designed for offline/air-gapped operation with regional crypto support (eIDAS/FIPS/GOST/SM).
|
||||
StellaOps is a self-hostable, sovereign container-security platform released under AGPL-3.0-or-later. It provides reproducible vulnerability scanning with VEX-first decisioning, SBOM generation (SPDX 3.0.1 and CycloneDX 1.7), in-toto/DSSE attestations, and optional Sigstore Rekor transparency. The platform is designed for offline/air-gapped operation with regional crypto support (eIDAS/FIPS/GOST/SM).
|
||||
|
||||
## Build Commands
|
||||
|
||||
@@ -227,6 +227,35 @@ public class GoodService(TimeProvider timeProvider, IGuidGenerator guidGenerator
|
||||
}
|
||||
```
|
||||
|
||||
### 8.2.1) Resolver Version Tracking
|
||||
|
||||
| Rule | Guidance |
|
||||
|------|----------|
|
||||
| **Include resolver/engine version in snapshots** | For strict reproducibility verification, include the resolver or engine version digest in `KnowledgeSnapshot` and similar input manifests. This ensures that identical inputs processed by different engine versions can be detected and flagged. |
|
||||
|
||||
```csharp
|
||||
// BAD - snapshot missing engine version
|
||||
public sealed record KnowledgeSnapshot
|
||||
{
|
||||
public required ImmutableArray<SbomRef> Sboms { get; init; }
|
||||
public required ImmutableArray<VexDocRef> VexDocuments { get; init; }
|
||||
// Missing: engine version that produced the verdict
|
||||
}
|
||||
|
||||
// GOOD - includes engine version for reproducibility verification
|
||||
public sealed record KnowledgeSnapshot
|
||||
{
|
||||
public required ImmutableArray<SbomRef> Sboms { get; init; }
|
||||
public required ImmutableArray<VexDocRef> VexDocuments { get; init; }
|
||||
public required EngineVersionRef EngineVersion { get; init; }
|
||||
}
|
||||
|
||||
public sealed record EngineVersionRef(
|
||||
string EngineName, // e.g., "VexConsensusEngine"
|
||||
string Version, // e.g., "2.1.0"
|
||||
string SourceDigest); // SHA-256 of engine source or build artifact
|
||||
```
|
||||
|
||||
### 8.3) ASCII-Only Output
|
||||
|
||||
| Rule | Guidance |
|
||||
|
||||
Reference in New Issue
Block a user