Runtime Parity Plan (Java / .NET / PHP) — Scanner · Signals Alignment (2025-12-09)
Objectives
- Close runtime parity gaps by pairing static analyzer hooks with runtime evidence for Java, .NET, and PHP.
- Produce deterministic artefacts (TRX/binlogs + NDJSON) that Signals can ingest for runtime reconciliation.
Scope & Hooks
- Java (21-005..011): jar/classpath resolution, Main-Class, module-info, shaded jars. Runtime hook: capture resolved classpath + main entry via proc snapshot or launcher args.
- .NET (11-001..005): .deps.json, RID graph, single-file/trimmed detection, runtimeconfig.json. Runtime hook: capture host command line + loaded assembly list via Signals proc trace.
- PHP (27-001): composer autoload graph (vendor/composer/autoload_*.php), package metadata, runtime entry (fpm/cli). Runtime hook: map autoloaded files to the runtime include graph when a proc snapshot is present.
Evidence Plan
- Static: ensure analyzers emit deterministically ordered inventories + edges with layer attribution (already enforced across analyzers).
- Runtime capture (requires Signals):
- Provide proc snapshot schema to Scanner (cmdline, env, cwd, loaded modules/files).
- Export runtime observations as NDJSON with stable ordering (path, module, hash).
- Reconciliation:
- Join static entries to runtime observations on normalized path + hash.
  - Emit runtime.match/runtime.miss diagnostics with counts per analyzer.
- Artefacts:
- CI: TRX/binlog per analyzer suite.
  - NDJSON samples: runtime reconciliation outputs for each language (hosted under src/Scanner/__Tests/.../Fixtures/RuntimeParity).
Task Backlog
- T1: Wire proc snapshot ingestion for Java/.NET/PHP analyzers (Signals contract).
- T2: Add runtime reconciliation step with deterministic ordering and diagnostics.
- T3: Author runtime fixtures (one per language) and goldens for reconciliation output.
- T4: Document runtime parity expectations in readiness checkpoints and surfaces guides.
Constraints
- Offline-friendly: no network calls during reconciliation; rely solely on provided proc snapshot.
- Deterministic: stable sort (layer, path, name), UTC timestamps, no random seeds.
- Security: avoid executing payloads; treat proc snapshot as data only.
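A sketch of the reconciliation step from the Evidence Plan written to satisfy the Constraints above (stable (layer, path, name) ordering, caller-supplied UTC timestamp, no I/O, proc snapshot treated as data only). This is an added Python example written for this page, not Scanner or Signals code. The proc snapshot field names (cmdline, env, cwd, loaded), the inventory field names, the runtime.miss reason codes, the extra runtime-only list and the Java launcher-argument parser are all assumptions about shapes the plan leaves to the Signals contract; the inputs are constructed.

```python
# Added illustrative example, not Scanner/Signals project code. The snapshot
# fields (cmdline, env, cwd, loaded), inventory fields and reason codes are assumptions.
import json
import posixpath
from collections import defaultdict

# Constructed proc snapshot. Treated strictly as data: nothing in cmdline or
# env is executed, resolved or looked up on the host.
PROC_SNAPSHOT = {
    "cmdline": ["java", "-Xmx512m", "-cp", "app.jar:lib/util-1.2.jar",
                "com.example.Main", "--port", "8080"],
    "env": {"JAVA_HOME": "/opt/jdk-21"},
    "cwd": "/srv/app",
    "loaded": [
        {"path": "/srv/app/lib/util-1.2.jar", "hash": "sha256:bbbb"},
        {"path": "/srv/app/app.jar", "hash": "sha256:aaaa"},
        {"path": "/srv/app/lib/extra-9.9.jar", "hash": "sha256:ffff"},
        {"path": "/srv/app/lib/dyn-plugin.jar", "hash": "sha256:9999"},
    ],
}

# Constructed static inventory with layer attribution, deliberately unsorted
# and with mixed path spellings so the normalisation step has work to do.
STATIC_INVENTORY = [
    {"analyzer": "java", "layer": "sha256:L2", "path": "lib/util-1.2.jar", "name": "util", "hash": "sha256:bbbb"},
    {"analyzer": "java", "layer": "sha256:L1", "path": "lib\\stale.jar", "name": "stale", "hash": "sha256:dddd"},
    {"analyzer": "java", "layer": "sha256:L2", "path": "./app.jar", "name": "app", "hash": "sha256:aaaa"},
    {"analyzer": "java", "layer": "sha256:L2", "path": "lib/extra-9.9.jar", "name": "extra", "hash": "sha256:eeee"},
    {"analyzer": "java", "layer": "sha256:L1", "path": "lib/legacy-0.1.jar", "name": "legacy", "hash": "sha256:cccc"},
]


def normalize_path(path, cwd):
    """Canonical join key: '\\' to '/', relative paths anchored at the snapshot
    cwd, './' and '../' collapsed lexically (no filesystem access)."""
    p = path.replace("\\", "/")
    return posixpath.normpath(p if p.startswith("/") else posixpath.join(cwd, p))


def reconcile(static_entries, snapshot, observed_at):
    """Join static entries to runtime observations on (normalized path, hash).

    observed_at is a caller-supplied UTC ISO-8601 string, so the result is a
    pure function of its inputs: no clock reads, no randomness, no I/O.
    Returns (events, counts_per_analyzer, runtime_only_paths).
    """
    cwd = snapshot["cwd"]
    runtime = {normalize_path(o["path"], cwd): o["hash"] for o in snapshot["loaded"]}
    events, seen = [], set()
    counts = defaultdict(lambda: {"runtime.match": 0, "runtime.miss": 0})
    # Stable (layer, path, name) order, independent of analyzer emission order.
    for entry in sorted(static_entries, key=lambda e: (e["layer"], normalize_path(e["path"], cwd), e["name"])):
        path = normalize_path(entry["path"], cwd)
        seen.add(path)
        runtime_hash = runtime.get(path)
        if runtime_hash == entry["hash"]:
            kind, reason = "runtime.match", None
        elif runtime_hash is None:
            kind, reason = "runtime.miss", "not-loaded"
        else:
            kind, reason = "runtime.miss", "hash-mismatch"
        counts[entry["analyzer"]][kind] += 1
        event = {"event": kind, "analyzer": entry["analyzer"], "layer": entry["layer"],
                 "path": path, "name": entry["name"], "hash": entry["hash"],
                 "observed_at": observed_at}
        if reason:
            event.update(reason=reason, runtime_hash=runtime_hash)
        events.append(event)
    # Loaded at runtime but absent from the static scan: the gap a reviewer most
    # wants surfaced (an assumed extension beyond the plan's match/miss pair).
    return events, dict(counts), sorted(p for p in runtime if p not in seen)


def to_ndjson(events):
    """One object per line, sorted keys, no whitespace variance: two runs over
    the same inputs are byte-identical, so the file can be diffed and signed."""
    return "".join(json.dumps(e, sort_keys=True, separators=(",", ":")) + "\n" for e in events)


def java_launch_facts(cmdline, cwd):
    """Recover classpath entries and the main entry from a captured java launcher
    line by parsing only. Handles -cp/-classpath/--class-path and -jar; other
    JVM options are skipped and program arguments after the entry are ignored."""
    facts = {"classpath": [], "main_class": None, "jar": None}
    i = 1
    while i < len(cmdline):
        arg = cmdline[i]
        if arg in ("-cp", "-classpath", "--class-path") and i + 1 < len(cmdline):
            facts["classpath"] = [normalize_path(p, cwd) for p in cmdline[i + 1].split(":") if p]
            i += 2
        elif arg == "-jar" and i + 1 < len(cmdline):
            facts["jar"] = normalize_path(cmdline[i + 1], cwd)
            break
        elif arg.startswith("-"):
            i += 1
        else:
            facts["main_class"] = arg
            break
    return facts
```

Calling reconcile(STATIC_INVENTORY, PROC_SNAPSHOT, "2025-12-09T00:00:00Z") yields five events in (layer, path, name) order: two runtime.match entries, two runtime.miss with reason not-loaded, and one runtime.miss with reason hash-mismatch for lib/extra-9.9.jar, whose on-disk content differs from what the static scan hashed. The hash-mismatch and runtime-only cases are the ones worth keeping distinct in the diagnostics: both mean the image that was scanned is not the code that ran. Feeding the input in reverse order produces the identical NDJSON, which is the property a golden fixture under Fixtures/RuntimeParity should assert.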
Dependencies
- Signals to confirm proc snapshot schema and DSSE/NDJSON event shape for runtime observations.
- Dedicated CI runner (DEVOPS-SCANNER-CI-11-001) to record TRX/binlogs for Java/.NET suites.