# Java Analyzer Release Plan (DEVOPS-SCANNER-JAVA-21-011-REL)

## Goal

Publish the Java analyzer plug-in with signed artifacts and offline-ready bundles for the CLI and the Offline Kit.

## Inputs

- Analyzer JAR(s) + native helpers from dev task 21-011.
- SBOM (SPDX JSON) for the plugin + native components.
- Test suite outputs (unit + integration).

## Artifacts

- OCI image (optional) or zip bundle containing:
  - `analyzer.jar`
  - `lib/` natives (if any)
  - `LICENSE`, `NOTICE`
  - `SBOM` (spdx.json)
  - `SIGNATURES` (cosign/PGP)
- Cosign attestations for OCI/zip (provenance + SBOM).
- Checksums: `SHA256SUMS`, `SHA256SUMS.sig`.
- Offline kit slice: tarball with bundle + attestations + SBOM.

## Pipeline steps

1) **Build**: run gradle/mvn with `--offline` using vendored deps; produce JAR + natives.
2) **SBOM**: `syft packages -o spdx-json` over the build output.
3) **Package**: zip bundle with fixed entry ordering (`zip -X`) and normalized timestamps (`SOURCE_DATE_EPOCH`).
4) **Sign**:
   - `cosign sign-blob` on the zip and/or `cosign sign` on the image.
   - Generate in-toto provenance (SLSA level 1) referencing the git commit + toolchain hashes.
5) **Checksums**: create `SHA256SUMS` and sign it with cosign/PGP.
6) **Verify stage**: a pipeline step runs `cosign verify-blob`, `sha256sum --check`, and `syft validate spdx`.
7) **Publish**:
   - Upload to the artifact store (release bucket) with metadata (version, commit, digest).
   - Produce the offline kit slice tarball (`scanner-java--offline.tgz`) containing bundle, SBOM, attestations, checksums.

## Security/hardening

- Non-root build container; disable gradle/mvn network access (`--offline`).
- Strip debug info unless required; ensure a reproducible JAR (sorted entries, normalized timestamps).
- Telemetry disabled.

## Evidence to capture

- Bundle SHA256, cosign signatures, provenance statement.
- SBOM hash.
- Verification logs from the pipeline.

## Owners

- Build/pipeline: DevOps Guild
- Signing policy: Platform Security
- Consumer integration: CLI Guild / Offline Kit Guild
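The following is an added example (not the project's pipeline code) showing what the Package, Checksums and Verify steps above have to guarantee: the bundle bytes depend only on the input files and `SOURCE_DATE_EPOCH`, so two builds from the same inputs produce the same digest, and the `SHA256SUMS` file is checked the same way `sha256sum --check` does. The directory layout follows the Artifacts section; the file contents, the `SOURCE_DATE_EPOCH` value and the bundle file name are constructed placeholders.

```python
"""Reproducible bundle packaging and checksum verification (added example).

Mirrors pipeline steps 3, 5 and 6 of the release plan: the zip is written
with sorted entries, constant permissions and a timestamp taken from
SOURCE_DATE_EPOCH (the effect of `zip -X` plus a normalized clock), then a
SHA256SUMS file is produced and verified like `sha256sum --check`.
"""
import hashlib
import io
import os
import time
import zipfile

# Constructed stand-in for the build output tree; not real analyzer bytes.
SAMPLE_TREE = {
    "analyzer.jar": b"PK\x03\x04 constructed placeholder jar bytes",
    "lib/libhelper.so": b"\x7fELF constructed placeholder native",
    "LICENSE": b"Apache-2.0 placeholder\n",
    "NOTICE": b"notice placeholder\n",
    "SBOM": b'{"spdxVersion": "SPDX-2.3", "name": "placeholder"}\n',
}

# Zip (DOS) timestamps cannot express dates before 1980-01-01T00:00:00Z.
ZIP_EPOCH_FLOOR = 315532800


def source_date_epoch(env=os.environ):
    """Timestamp applied to every entry; 0 if the variable is unset."""
    return int(env.get("SOURCE_DATE_EPOCH", "0"))


def build_bundle(tree, epoch):
    """Return zip bytes that depend only on `tree` contents and `epoch`.

    Entries are written in sorted name order with one fixed mtime, fixed
    mode bits and a fixed creator system, so the archive does not leak the
    build host's clock, umask or directory iteration order.
    """
    date_time = time.gmtime(max(epoch, ZIP_EPOCH_FLOOR))[:6]
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in sorted(tree):
            info = zipfile.ZipInfo(name, date_time=date_time)
            info.compress_type = zipfile.ZIP_DEFLATED
            info.external_attr = 0o644 << 16   # regular file, rw-r--r--
            info.create_system = 3             # "Unix", whatever the host is
            zf.writestr(info, tree[name])
    return buf.getvalue()


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def write_sha256sums(files):
    """Render SHA256SUMS in `sha256sum` text format: "<hex>  <name>"."""
    return "".join(f"{sha256_hex(data)}  {name}\n"
                   for name, data in sorted(files.items()))


def check_sha256sums(sums_text, files):
    """Replicate `sha256sum --check`: {name: "OK" | "FAILED" | "MISSING"}."""
    results = {}
    for line in sums_text.splitlines():
        if not line.strip():
            continue
        expected, name = line.split("  ", 1)
        data = files.get(name)
        if data is None:
            results[name] = "MISSING"
        elif sha256_hex(data) == expected:
            results[name] = "OK"
        else:
            results[name] = "FAILED"
    return results


def demo():
    """Build twice (different input order), checksum, then detect tampering."""
    epoch = source_date_epoch({"SOURCE_DATE_EPOCH": "1700000000"})  # constructed
    first = build_bundle(SAMPLE_TREE, epoch)
    second = build_bundle(dict(reversed(list(SAMPLE_TREE.items()))), epoch)
    reproducible = first == second

    release = {"scanner-java-bundle.zip": first, "SBOM": SAMPLE_TREE["SBOM"]}
    sums = write_sha256sums(release)
    clean = check_sha256sums(sums, release)

    tampered = dict(release, **{"scanner-java-bundle.zip": first + b"\x00"})
    modified = check_sha256sums(sums, tampered)
    return reproducible, clean, modified


if __name__ == "__main__":
    ok, clean, modified = demo()
    print("reproducible:", ok)
    print("clean:", clean)
    print("after tamper:", modified)
```

The verify stage should fail the job on any result other than `OK`, and the reproducibility check (build twice, compare digests) is cheap enough to run on every release rather than only when a consumer disputes a hash.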
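As a second added example (again not the project's own signing code), this builds the in-toto statement that the Sign step's SLSA provenance requires, carrying the git commit and toolchain digests, and shows the check the Verify stage should perform before trusting any attestation: the subject digest recorded in the statement must equal the digest of the artifact actually on disk. Signing the serialized statement (`cosign attest` or `cosign sign-blob`) is left to the pipeline; the build type URI, builder id, commit id and toolchain digests are placeholders.

```python
"""In-toto / SLSA v1 provenance statement for the bundle (added example).

Builds the statement referenced in pipeline step 4 and performs the
subject-digest check that the verify stage (step 6) should run alongside
`cosign verify-blob`: a valid signature over a statement that names a
different artifact must not count as provenance for this one.
"""
import hashlib
import json

STATEMENT_TYPE = "https://in-toto.io/Statement/v1"
SLSA_PREDICATE = "https://slsa.dev/provenance/v1"

# Placeholders; the real pipeline fills these from the build environment.
PLACEHOLDER_BUILD_TYPE = "https://example.invalid/gradle-offline-build/v1"
PLACEHOLDER_BUILDER_ID = "https://example.invalid/ci/java-analyzer-release"
PLACEHOLDER_COMMIT = "0" * 40
PLACEHOLDER_TOOLCHAIN = {           # name -> sha256 of the pinned tool
    "jdk": "11" * 32,
    "gradle": "22" * 32,
}


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def provenance_statement(artifact_name, artifact_bytes, git_commit,
                         toolchain, builder_id, build_type):
    """Return the in-toto Statement (as a dict) for one built artifact."""
    return {
        "_type": STATEMENT_TYPE,
        "subject": [
            {"name": artifact_name,
             "digest": {"sha256": sha256_hex(artifact_bytes)}},
        ],
        "predicateType": SLSA_PREDICATE,
        "predicate": {
            "buildDefinition": {
                "buildType": build_type,
                "externalParameters": {"gitCommit": git_commit},
                # Toolchain hashes, sorted so the serialized bytes are stable.
                "resolvedDependencies": [
                    {"name": name, "digest": {"sha256": digest}}
                    for name, digest in sorted(toolchain.items())
                ],
            },
            "runDetails": {"builder": {"id": builder_id}},
        },
    }


def serialize(statement):
    """Sorted keys, no whitespace: the same statement always signs the same bytes."""
    return json.dumps(statement, sort_keys=True, separators=(",", ":")).encode()


def check_subject(statement_bytes, artifact_name, artifact_bytes):
    """Verify stage: accept only if the statement describes exactly this artifact."""
    try:
        stmt = json.loads(statement_bytes)
    except ValueError:
        return False
    if stmt.get("_type") != STATEMENT_TYPE:
        return False
    if stmt.get("predicateType") != SLSA_PREDICATE:
        return False
    actual = sha256_hex(artifact_bytes)
    return any(
        s.get("name") == artifact_name
        and s.get("digest", {}).get("sha256") == actual
        for s in stmt.get("subject", [])
    )


def demo(bundle_bytes=b"constructed placeholder bundle bytes"):
    """Attest a (constructed) bundle, then check it and a modified copy."""
    stmt = provenance_statement("scanner-java-bundle.zip", bundle_bytes,
                                PLACEHOLDER_COMMIT, PLACEHOLDER_TOOLCHAIN,
                                PLACEHOLDER_BUILDER_ID, PLACEHOLDER_BUILD_TYPE)
    raw = serialize(stmt)
    genuine = check_subject(raw, "scanner-java-bundle.zip", bundle_bytes)
    swapped = check_subject(raw, "scanner-java-bundle.zip", bundle_bytes + b"\x00")
    renamed = check_subject(raw, "other-bundle.zip", bundle_bytes)
    return raw, genuine, swapped, renamed


if __name__ == "__main__":
    raw, genuine, swapped, renamed = demo()
    print(raw.decode())
    print("genuine:", genuine, "swapped:", swapped, "renamed:", renamed)
```

Keeping the serialized statement deterministic matters for the evidence list: the provenance statement captured from the build and the one attached to the offline kit slice can then be compared byte for byte, and the subject check is what ties the signed statement to the specific `SHA256SUMS` entry the consumer verifies.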