save checkpoint

2026-02-14 09:11:48 +02:00
parent 9ca2de05df
commit e9aeadc040
1512 changed files with 30863 additions and 4728 deletions
--- a/docs/features/checked/scanner/runtime-static-sbom-reconciliation.md
+++ b/docs/features/checked/scanner/runtime-static-sbom-reconciliation.md
@@ -0,0 +1,39 @@
+# Runtime-Static SBOM Reconciliation
+
+## Module
+Scanner
+
+## Status
+VERIFIED
+
+## Description
+Reconciles runtime process snapshots (from /proc filesystem) against static SBOM analysis to identify discrepancies between declared and actually-loaded libraries. Detects ghost libraries (loaded at runtime but missing from SBOM) and phantom libraries (in SBOM but not loaded).
+
+## Implementation Details
+- **Runtime Reconciliation**:
+  - `src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace/Runtime/EntryTraceRuntimeReconciler.cs` - `EntryTraceRuntimeReconciler` reconciles runtime process snapshots against static SBOM analysis, detecting ghost libraries (runtime-only) and phantom libraries (SBOM-only)
+- **Process Snapshots**:
+  - `src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace/Runtime/ProcFileSystemSnapshot.cs` - Collects runtime process state from /proc filesystem
+  - `src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace/Runtime/ProcProcess.cs` - Model for runtime processes
+  - `src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace/Runtime/ProcGraph.cs` - Process dependency graph
+  - `src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace/Runtime/ProcGraphBuilder.cs` - Builds process graphs from snapshots
+- **Runtime-Static Merge**:
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Runtime/RuntimeStaticMerger.cs` - `RuntimeStaticMerger` merges runtime observations with static analysis for comprehensive views
+
+## E2E Test Plan
+- [ ] Reconcile runtime process snapshots against static SBOM and verify ghost libraries (loaded at runtime but missing from SBOM) are detected
+- [ ] Verify phantom libraries (declared in SBOM but not loaded at runtime) are identified
+- [ ] Verify matching libraries (present in both runtime and SBOM) are confirmed as consistent
+- [ ] Verify the reconciliation report includes library name, version, and source (runtime vs static) for each discrepancy
+- [ ] Verify runtime-static merge correctly augments static reachability analysis with runtime-confirmed paths
+
+---
+
+## Verification
+
+| Check | Result |
+|-------|--------|
+| Tier 0 - Source files exist | PASS |
+| Tier 1 - Build + code review | PASS |
+| Tier 2 - Integration tests | PASS |
+| Verified | 2026-02-13T18:10:00Z |