git.stella-ops.org/docs/modules/scanner/design/dotnet-analyzer-11-001.md
StellaOps Bot 108d1c64b3
2025-12-09 09:38:09 +02:00

.NET Analyzer Design · 11-001 Entrypoint Resolver (2025-12-09)

Goals

  • Resolve .NET entrypoints deterministically from project/publish artefacts and emit normalized identities (assembly name, MVID, TFM, RID, host kind, publish mode).
  • Capture environment profiles (single-file, trimmed, self-contained vs framework-dependent, ALC hints) without executing payloads.
  • Produce deterministic evidence aligned to dotnet-il-metadata.schema.json for downstream analyzers 11-002..005.

Inputs

  • *.csproj/*.fsproj metadata (TargetFrameworks, RuntimeIdentifiers, PublishSingleFile/Trim options).
  • Publish outputs: apphost (*.exe), *.dll, *.deps.json, *.runtimeconfig.json, *.targets cache.
  • RID graph from SDK (offline snapshot in repo), deterministic time provider.

Outputs

  • entrypoints[] records: assembly, mvid, tfm, rid, hostKind (apphost/framework-dependent/self-contained), publishMode (single-file/trimmed), alcHints (AssemblyLoadContext names), probingPaths, nativeDeps (apphost bundles).
  • Evidence: LanguageComponentEvidence entries per entrypoint with locator = publish path, hash over file bytes for determinism.
  • Diagnostics: missing deps/runtimeconfig, mixed RID publish, single-file without extractor support.

Algorithm (deterministic)

  1. Parse project: target frameworks, RIDs, publish flags; normalize to ordered sets.
  2. Discover publish artefacts under bin/<Configuration>/<TFM>/... and publish/ folders; prefer *.runtimeconfig.json when present.
  3. Read *.deps.json to extract runtime targets and resolve primary entry assembly; fall back to apphost name.
  4. Read the MVID from the CLI metadata of the entry assembly (Module table, #GUID heap), not from the PE headers; compute SHA-256 over *.dll/*.exe bytes; capture file size.
  5. Classify host:
    • apphost present -> hostKind = apphost; detect a single-file bundle via the bundle marker embedded in the apphost (8-byte header offset followed by the bundle signature). A plain apphost carries the same signature with a zero offset, so the signature alone does not prove a bundle.
    • runtimeconfig lists includedFrameworks -> hostKind = self-contained; runtimeconfig lists framework/frameworks and no apphost is present -> hostKind = framework-dependent; in both cases use runtimeconfig probing paths.
  6. Infer ALC hints statically: collect additionalProbingPaths from *.runtimeconfig.json and *.runtimeconfig.dev.json, add known SDK probing locations. No AssemblyLoadContext is created, so hints reflect declared paths only, not contexts an app builds at run time.
  7. Emit entrypoint with deterministic ordering: sort by assembly name, then RID, then TFM.
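
As an added illustration (not StellaOps code and not the analyzer's implementation), the seven steps above as one self-contained C# resolver over a single publish directory. It assumes .NET 6 or later with System.Reflection.Metadata, the apphost bundle-marker layout from dotnet/runtime (header offset followed by SHA-256 of ".net core bundle"), and the runtimeconfig/deps.json field names shown in the comments; the Entrypoint record and helper names are illustrative rather than the project's schema.

```csharp
// Added example, not StellaOps code: a minimal resolver that walks the seven steps above over one
// publish directory. The Entrypoint record and helper names are illustrative, not the project's schema.
using System;
using System.Buffers.Binary;
using System.Collections.Generic;
using System.IO;
using System.Linq;
using System.Reflection.Metadata;
using System.Reflection.PortableExecutable;
using System.Security.Cryptography;
using System.Text;
using System.Text.Json;

public sealed record Entrypoint(string Assembly, string Mvid, string Tfm, string Rid, string HostKind, string PublishMode, string Sha256, long Size, IReadOnlyList<string> ProbingPaths);

public static class EntrypointResolver
{
    // Every apphost carries a bundle marker: an 8-byte header offset followed by SHA-256(".net core bundle").
    // The offset is zero in a plain apphost and non-zero once the SDK bundler has appended a single-file
    // bundle (assumption taken from the dotnet/runtime apphost sources; verify against your SDK version).
    private static readonly byte[] BundleSignature = SHA256.HashData(Encoding.ASCII.GetBytes(".net core bundle"));

    public static (List<Entrypoint> Entrypoints, List<string> Diagnostics) Resolve(string publishDir)
    {
        var result = new List<Entrypoint>();
        var diags = new List<string>();
        var configs = Directory.EnumerateFiles(publishDir, "*.runtimeconfig.json")
            .Where(p => !p.EndsWith(".runtimeconfig.dev.json", StringComparison.OrdinalIgnoreCase))
            .OrderBy(p => p, StringComparer.Ordinal).ToList();
        if (configs.Count == 0)   // Step 2 fallback: a single-file publish bundles runtimeconfig/deps, leaving only the apphost
        {
            foreach (var f in Directory.EnumerateFiles(publishDir).OrderBy(p => p, StringComparer.Ordinal))
                if (IsSingleFileBundle(f)) diags.Add($"{Path.GetFileName(f)}: single-file bundle; managed metadata needs extraction");
            if (diags.Count == 0) diags.Add("no *.runtimeconfig.json in publish directory");
            return (result, diags);
        }
        foreach (var rc in configs)
        {
            var app = Path.GetFileName(rc)[..^".runtimeconfig.json".Length];
            var apphost = new[] { app + ".exe", app }.Select(n => Path.Combine(publishDir, n)).FirstOrDefault(File.Exists);
            // Step 3: tfm, the self-contained flag and declared probing paths come from runtimeconfig(.dev).json.
            using var rcDoc = JsonDocument.Parse(File.ReadAllBytes(rc));
            var opts = rcDoc.RootElement.GetProperty("runtimeOptions");
            var tfm = opts.TryGetProperty("tfm", out var t) ? t.GetString() ?? "" : "";
            var selfContained = opts.TryGetProperty("includedFrameworks", out _);   // framework-dependent apps list "framework(s)" instead
            var probing = ProbingPaths(opts);
            var dev = Path.Combine(publishDir, app + ".runtimeconfig.dev.json");
            if (File.Exists(dev)) using (var devDoc = JsonDocument.Parse(File.ReadAllBytes(dev)))
                probing.AddRange(ProbingPaths(devDoc.RootElement.GetProperty("runtimeOptions")));

            // Step 3: RID and the entry assembly come from deps.json; fall back to the app/apphost name.
            string rid = "", entry = app + ".dll";
            var depsPath = Path.Combine(publishDir, app + ".deps.json");
            if (File.Exists(depsPath))
            {
                using var deps = JsonDocument.Parse(File.ReadAllBytes(depsPath));
                var target = deps.RootElement.GetProperty("runtimeTarget").GetProperty("name").GetString() ?? "";
                var slash = target.IndexOf('/');                 // ".NETCoreApp,Version=v8.0/linux-x64"
                rid = slash >= 0 ? target[(slash + 1)..] : "";   // empty for a portable (RID-less) publish
                foreach (var lib in deps.RootElement.GetProperty("libraries").EnumerateObject())
                    if (lib.Value.TryGetProperty("type", out var ty) && ty.GetString() == "project")
                        entry = lib.Name.Split('/')[0] + ".dll";   // "MyApp/1.0.0" -> MyApp.dll
            }
            else diags.Add($"{app}: missing deps.json; entry assembly assumed from app name");
            var dll = Path.Combine(publishDir, entry);
            if (!File.Exists(dll)) { diags.Add($"{app}: entry assembly {entry} not found"); continue; }

            // Step 4: the MVID lives in the CLI metadata Module table, not the PE header; hash the raw file bytes.
            var bytes = File.ReadAllBytes(dll);
            using var pe = new PEReader(new MemoryStream(bytes));
            var md = pe.GetMetadataReader();
            var mvid = md.GetGuid(md.GetModuleDefinition().Mvid).ToString("D");
            var sha = Convert.ToHexString(SHA256.HashData(bytes)).ToLowerInvariant();
            // Step 5: host kind and publish mode from what is actually on disk, not from project flags.
            var hostKind = selfContained ? "self-contained" : apphost != null ? "apphost" : "framework-dependent";
            var mode = apphost != null && IsSingleFileBundle(apphost) ? "single-file" : "default";
            if (selfContained && rid.Length == 0) diags.Add($"{app}: self-contained publish without a RID in deps.json");
            result.Add(new Entrypoint(entry, mvid, tfm, rid, hostKind, mode, sha, bytes.LongLength,
                probing.Distinct(StringComparer.Ordinal).OrderBy(p => p, StringComparer.Ordinal).ToList()));
        }
        // Step 7: ordinal tuple order (assembly, rid, tfm); "\0" sorts below every other char, so the join preserves it.
        result.Sort((a, b) => string.CompareOrdinal($"{a.Assembly}\0{a.Rid}\0{a.Tfm}", $"{b.Assembly}\0{b.Rid}\0{b.Tfm}"));
        return (result, diags);
    }

    // Step 6: declared probing paths only; no AssemblyLoadContext is created and nothing from the publish runs.
    private static List<string> ProbingPaths(JsonElement runtimeOptions) =>
        runtimeOptions.TryGetProperty("additionalProbingPaths", out var arr) && arr.ValueKind == JsonValueKind.Array
            ? arr.EnumerateArray().Select(e => e.GetString() ?? "").Where(s => s.Length > 0).ToList()
            : new List<string>();

    private static bool IsSingleFileBundle(string path)
    {
        var span = File.ReadAllBytes(path).AsSpan();
        var at = span.IndexOf(BundleSignature);   // present in every apphost; only the preceding offset says "bundle"
        return at >= 8 && BinaryPrimitives.ReadInt64LittleEndian(span.Slice(at - 8, 8)) != 0;
    }
}
```

Call EntrypointResolver.Resolve with the publish directory; the returned list is already in the ordinal order step 7 requires, and the diagnostics list carries the missing deps/runtimeconfig and single-file-without-extraction cases from the Outputs section. Trimmed-publish detection needs the project's PublishTrimmed flag from step 1, which this example does not parse, and a self-contained single-file publish is reported only through the diagnostic because its runtimeconfig and deps.json are inside the bundle.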

Determinism & Offline

  • No network access; relies solely on on-disk project/publish artefacts.
  • Stable ordering and casing (Ordinal sort), UTC time provider.
  • Hashes: SHA-256 over file bytes; no timestamps.

Test & Fixture Plan

  • Existing suite: src/Scanner/__Tests/StellaOps.Scanner.Analyzers.Lang.DotNet.Tests (now green; TRX at TestResults/dotnet/dotnet-tests.trx).
  • Fixtures to maintain:
    • Framework-dependent app with deps/runtimeconfig.
    • Self-contained single-file publish (bundle) with apphost.
    • Trimmed publish with ALC hints.
    • Multi-RID publish verifying RID selection and deterministic ordering.
  • Add new fixtures under ...DotNet.Tests/Fixtures/ when new host kinds are supported; keep hashes stable.

Next Steps

  • Wire readiness checkpoints to mark 11-001 design+tests complete; keep CI runner validation optional (DEVOPS-SCANNER-CI-11-001) for reproducibility.
  • Feed outputs into 11-002..005 analyzers once entrypoint metadata is consumed by downstream IL/reflection pipelines.