# Runtime Parity Plan (Java / .NET / PHP) — Scanner · Signals Alignment (2025-12-09)

## Objectives
- Close runtime parity gaps by pairing static analyzer hooks with runtime evidence for Java, .NET, and PHP.
- Produce deterministic artefacts (TRX/binlogs + NDJSON) that Signals can ingest for runtime reconciliation.

## Scope & Hooks
- **Java (21-005..011)**: jar/classpath resolution, `Main-Class`, module-info, shaded jars. Runtime hook: capture resolved classpath + main entry via proc snapshot or launcher args.
- **.NET (11-001..005)**: `.deps.json`, RID-graph, single-file/trimmed detection, `runtimeconfig.json`. Runtime hook: capture host command line + loaded assembly list via Signals proc trace.
- **PHP (27-001)**: composer autoload graph (`vendor/composer/autoload_*.php`), package metadata, runtime entry (fpm/cli). Runtime hook: map autoloaded files to runtime include graph when proc snapshot present.

## Evidence Plan
1) **Static**: ensure analyzers emit deterministically ordered inventories + edges with layer attribution (already enforced across analyzers).
2) **Runtime capture** (requires Signals):
   - Provide proc snapshot schema to Scanner (cmdline, env, cwd, loaded modules/files).
   - Export runtime observations as NDJSON with stable ordering (path, module, hash).
3) **Reconciliation**:
   - Join static entries to runtime observations on normalized path + hash.
   - Emit `runtime.match` / `runtime.miss` diagnostics with counts per analyzer.
4) **Artefacts**:
   - CI: TRX/binlog per analyzer suite.
   - NDJSON samples: runtime reconciliation outputs for each language (hosted under `src/Scanner/__Tests/.../Fixtures/RuntimeParity`).
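
The reconciliation step (item 3), combined with the determinism and data-only constraints this plan sets, as an added sketch in Python rather than the Scanner's own code. Field names, the sample records and the normalization rule (collapse `.`/`..` segments lexically, lowercase the digest) are assumptions, since the proc snapshot schema is still to be confirmed by Signals.

```python
import json
import posixpath
from collections import Counter

# Constructed sample data; field names are assumptions, not the Signals schema.
STATIC = [
    {"analyzer": "java", "layer": 1, "path": "/app/lib/core.jar", "name": "core", "hash": "sha256:AA11"},
    {"analyzer": "java", "layer": 0, "path": "/app/lib/unused.jar", "name": "unused", "hash": "sha256:bb22"},
    {"analyzer": "php", "layer": 2, "path": "/srv/vendor/composer/autoload_real.php",
     "name": "autoload_real", "hash": "sha256:cc33"},
    {"analyzer": "dotnet", "layer": 1, "path": "/opt/svc/App.dll", "name": "App", "hash": "sha256:dd44"},
]
RUNTIME_NDJSON = "\n".join([
    '{"path": "/app/lib/./core.jar", "module": "core", "hash": "sha256:aa11"}',
    '{"path": "/srv/vendor/composer/../composer/autoload_real.php", "module": "autoload_real", "hash": "sha256:cc33"}',
    '{"path": "/opt/svc/App.dll", "module": "App", "hash": "sha256:ee55"}',  # same path, different bytes
])

def join_key(path, digest):
    # Assumed normalization: purely lexical, so the filesystem is never touched.
    return (posixpath.normpath(path), digest.lower())

def reconcile(static_entries, runtime_ndjson):
    # Snapshot lines are parsed as JSON data only; nothing in them is opened or executed.
    observed = {join_key(o["path"], o["hash"])
                for o in (json.loads(line) for line in runtime_ndjson.splitlines() if line.strip())}
    diagnostics, counts = [], Counter()
    # Stable sort (layer, path, name) so output does not depend on input order.
    ordered = sorted(static_entries,
                     key=lambda e: (e["layer"], posixpath.normpath(e["path"]), e["name"]))
    for e in ordered:
        path, digest = join_key(e["path"], e["hash"])
        code = "runtime.match" if (path, digest) in observed else "runtime.miss"
        counts[(e["analyzer"], code)] += 1
        diagnostics.append({"analyzer": e["analyzer"], "code": code,
                            "layer": e["layer"], "path": path, "name": e["name"]})
    return diagnostics, counts

def to_ndjson(diagnostics):
    # sort_keys plus fixed separators give byte-identical lines across runs.
    return "\n".join(json.dumps(d, sort_keys=True, separators=(",", ":")) for d in diagnostics)

if __name__ == "__main__":
    diags, counts = reconcile(STATIC, RUNTIME_NDJSON)
    print(to_ndjson(diags))
    for (analyzer, code), n in sorted(counts.items()):
        print(analyzer, code, n)
```

Because the join key includes the hash, the constructed `App.dll` record reports `runtime.miss` even though its path was observed: the bytes that ran differ from the bytes that were scanned.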

## Task Backlog
- T1: Wire proc snapshot ingestion for Java/.NET/PHP analyzers (Signals contract).
- T2: Add runtime reconciliation step with deterministic ordering and diagnostics.
- T3: Author runtime fixtures (one per language) and goldens for reconciliation output.
- T4: Document runtime parity expectations in readiness checkpoints and surfaces guides.

## Constraints
- Offline-friendly: no network calls during reconciliation; rely solely on provided proc snapshot.
- Deterministic: stable sort (layer, path, name), UTC timestamps, no random seeds.
- Security: avoid executing payloads; treat proc snapshot as data only.

## Dependencies
- Signals to confirm proc snapshot schema and DSSE/NDJSON event shape for runtime observations.
- Dedicated CI runner (DEVOPS-SCANNER-CI-11-001) to record TRX/binlogs for Java/.NET suites.