# Dart & Swift Analyzer Scope Note (2025-12-09)

## Goals

- Define the initial analyzer scope for Dart (pub) and Swift (SwiftPM) with deterministic, offline-friendly behavior.
- Provide fixture/backlog list to unblock readiness tracking and align with Signals/Zastava expectations.

## Dart (pub)

- Inputs: `pubspec.yaml`, `pubspec.lock`, `.dart_tool/package_config.json`, and downloaded packages under `.dart_tool/pub`.
- Outputs:
  - Inventory of `pkg:pub/<name>@<version>` with resolved source (hosted/path/git) and sha256 when present in lockfile.
  - Dependency edges from `pubspec.lock`; dev dependencies emitted only when `include_dev=true`.
  - Analyzer metadata: sdk constraint, null-safety flag, source type per package.
- Determinism:
  - Sort packages and edges lexicographically.
  - Normalize paths to POSIX; no network calls; rely only on lockfile/package_config on disk.
- Out of scope (v1):
  - Flutter build graph, transitive runtime surface, and hosted index downloads.
  - Git/path overrides beyond what is listed in lock/package_config.
- Fixtures/backlog:
  - Hosted app with `pubspec.lock` and `.dart_tool/package_config.json` (dev deps included).
  - Path dependency sample (relative and absolute).
  - Git dependency sample with locked commit.
  - Missing lockfile case (expect finding + no inventory).

## Swift (SwiftPM)

- Inputs: `Package.swift`, `Package.resolved` (v1/v2), `.build/` manifest cache when present.
- Outputs:
  - Inventory of `pkg:swiftpm/<name>@<version>` with checksum from `Package.resolved` when available.
  - Dependency edges from `Package.resolved` target graph; emit platforms/arch only when declared.
  - Analyzer metadata: Swift tools version, resolution format, mirrors when specified.
- Determinism:
  - Do not execute `swift package`; parse manifests/resolved files only.
  - Stable ordering by package then target; normalize paths to POSIX.
- Out of scope (v1):
  - Xcodeproj resolution, binary target downloads, and build artifacts hashing.
  - Conditional target resolution beyond what `Package.resolved` records.
- Fixtures/backlog:
  - Single-package app with `Package.resolved` v2 (checksum present).
  - Nested target graph with products/targets/flexible platforms.
  - Binary target entry (no download; expect metadata-only inventory).
  - Missing `Package.resolved` case (emit finding, no inventory).

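An added sketch of the SwiftPM rules above (not StellaOps code): it parses `Package.resolved` in format 1 or 2 without running `swift package`, orders the inventory stably, and returns a finding with no inventory when the file is missing. The function names, the finding id, the revision fallback for branch pins and the sample pins are assumptions made for illustration; only the pinned revision is recorded.

```python
import json
from pathlib import Path

def parse_resolved(text):
    """Map Package.resolved JSON (format 1 or 2) to a sorted inventory list."""
    doc = json.loads(text)
    fmt = doc.get("version")
    if fmt == 1:
        pins, name_key, loc_key = doc["object"]["pins"], "package", "repositoryURL"
    elif fmt == 2:
        pins, name_key, loc_key = doc["pins"], "identity", "location"
    else:
        raise ValueError(f"unsupported Package.resolved format: {fmt!r}")
    items = []
    for pin in pins:
        state = pin.get("state") or {}
        # Assumption: branch pins carry no version, so fall back to the revision.
        version = state.get("version") or state.get("revision") or "unknown"
        items.append({
            "purl": f"pkg:swiftpm/{pin[name_key]}@{version}",
            "location": pin.get(loc_key),
            "revision": state.get("revision"),
            "resolution_format": fmt,
        })
    # Stable ordering: the same pins always produce the same output order.
    return sorted(items, key=lambda item: item["purl"])

def scan(project_dir):
    """Return (inventory, findings); reads files only, never runs `swift package`."""
    path = Path(project_dir) / "Package.resolved"
    if not path.is_file():
        # Missing lockfile: emit a finding (hypothetical id) and no inventory.
        return [], [{"id": "swiftpm-missing-resolved", "path": "Package.resolved"}]
    return parse_resolved(path.read_text(encoding="utf-8")), []

# Constructed sample inputs (not taken from a real project).
SAMPLE_V2 = json.dumps({"version": 2, "pins": [
    {"identity": "zlib-kit", "kind": "remoteSourceControl",
     "location": "https://example.invalid/zlib-kit.git",
     "state": {"revision": "bbbb2222", "version": "1.4.0"}},
    {"identity": "alpha-log", "kind": "remoteSourceControl",
     "location": "https://example.invalid/alpha-log.git",
     "state": {"branch": "main", "revision": "aaaa1111"}},
]})
SAMPLE_V1 = json.dumps({"version": 1, "object": {"pins": [
    {"package": "AlphaLog", "repositoryURL": "https://example.invalid/alpha-log.git",
     "state": {"branch": None, "revision": "aaaa1111", "version": "0.9.1"}},
]}})

if __name__ == "__main__":
    print(json.dumps(parse_resolved(SAMPLE_V2), indent=2, sort_keys=True))
```
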
## Alignment & Next Steps

- Signals/Zastava: confirm package ID naming (`pkg:pub`, `pkg:swiftpm`) and dependency edge semantics for reachability ingestion.
- Add goldens/fixtures under `src/Scanner/__Tests/StellaOps.Scanner.Analyzers.Lang.DartSwift.Tests/Fixtures/**`.
- Update readiness checkpoints once fixtures and parsers land; current scope note unblocks backlog creation only.