stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 16 Releases Wiki Activity
Files
6e45066e371667ef96fbd4cc99a05223f151f12c
git.stella-ops.org/docs/modules/scanner/language-analyzers-contract.md
StellaOps Bot 6e45066e37
Some checks failed
Concelier Attestation Tests / attestation-tests (push) Has been cancelled
Details
Policy Simulation / policy-simulate (push) Has been cancelled
Details
AOC Guard CI / aoc-guard (push) Has been cancelled
Details
AOC Guard CI / aoc-verify (push) Has been cancelled
Details
Signals CI & Image / signals-ci (push) Has been cancelled
Details
Signals Reachability Scoring & Events / reachability-smoke (push) Has been cancelled
Details
Signals Reachability Scoring & Events / sign-and-upload (push) Has been cancelled
Details
Docs CI / lint-and-preview (push) Has been cancelled
Details
Policy Lint & Smoke / policy-lint (push) Has been cancelled
Details
Scanner Analyzers / Discover Analyzers (push) Has been cancelled
Details
Scanner Analyzers / Build Analyzers (push) Has been cancelled
Details
Scanner Analyzers / Test Language Analyzers (push) Has been cancelled
Details
Scanner Analyzers / Validate Test Fixtures (push) Has been cancelled
Details
Scanner Analyzers / Verify Deterministic Output (push) Has been cancelled
Details
up
2025-12-13 09:37:15 +02:00

111 lines
6.3 KiB
Markdown
Raw Blame History

# Scanner Language Analyzer Contracts (Identity / Evidence / Container Layout)
This document freezes the cross-analyzer contracts that are shared by the language analyzers (Java, .NET, Python, Node, Bun). These rules exist to prevent false matches, keep outputs deterministic, and protect against host-path leakage.
## 1) Identity Safety Contract (PURL vs Explicit Key)
### 1.1 Goals
- **No fake versions**: never encode version ranges, tags, local paths, or git URLs as a versioned PURL.
- **No collisions**: explicit-key identities must not collide with concrete PURLs and must be deterministic across OS path separators.
- **Proof-first**: emit concrete PURLs only when the analyzer has concrete, replayable evidence for the version.
### 1.2 When to emit a concrete PURL
Emit a concrete (versioned) PURL only when **both** are true:
1) The analyzer can determine a **concrete version** (ecosystem-specific) for the component.
2) The version is backed by **replayable evidence** (e.g., installed artifact metadata or lockfile-resolved entry).
Typical sources that qualify:
- **Installed inventory** (e.g., `node_modules/**/package.json`, Python `*.dist-info/METADATA`, .NET `deps.json` entries).
- **Lockfile-resolved inventory** (e.g., `bun.lock` entry with `name@version` and integrity/resolved URL).
### 1.3 When to emit an explicit-key component (required)
Emit an explicit-key component when the dependency is **declared-only** or otherwise **non-concrete**:
- Version ranges / operators (`^`, `~`, `>=`, `<`, `*`, `x`, `latest`, etc.).
- Workspace/link/file dependencies (`workspace:*`, `link:`, `file:`, local path refs, editable installs).
- Git dependencies (git URL / commit / ref) when a concrete semantic version is not provable from local evidence.
- Unknown / missing version.
**Rule:** If the analyzer cannot prove a concrete version from local evidence, it must not emit a versioned PURL for that dependency.
### 1.4 Explicit-key format (canonical)
For declared-only / non-concrete identities, analyzers must emit:
- `componentKey`: `explicit::<analyzerId>::<ecosystem>::<name>::sha256:<digest>`
- `purl`: `null`
- `version`: `null`
Where `<digest>` is `sha256` of the canonical UTF-8 string:
```
<ecosystem>\n<normalizedName>\n<normalizedSpec>\n<originLocator>
```
Canonicalization rules:
- `<normalizedName>` uses ecosystem naming rules (e.g., npm scoped names keep `@scope/name`).
- `<normalizedSpec>` is the **original declared specifier** (range/tag/url/path), trimmed; for unknown, use `""`.
- `<originLocator>` is project-relative with `/` separators (e.g., `package.json#dependencies`, `requirements.txt`, `Directory.Packages.props#PackageVersion:Foo`).
- No absolute paths, drive letters, or host roots appear in any input to the digest.
### 1.5 Required metadata for explicit-key components
Explicit-key components must include (at minimum) these metadata keys:
- `declaredOnly=true`
- `declared.source=<file>` (e.g., `package.json`, `Directory.Packages.props`)
- `declared.locator=<originLocator>` (same string used in digest)
- `declared.versionSpec=<normalizedSpec>` (original specifier or empty)
- `declared.scope=<prod|dev|peer|optional|unknown>` when applicable
- `declared.sourceType=<range|tag|git|tarball|file|link|workspace|path|editable|unknown>`
## 2) Evidence Locator Contract
### 2.1 General rules
- Evidence locators are **external-facing** and must be stable and parseable.
- Every locator is **project-relative** with `/` separators (never absolute).
- Evidence content/hashing must be bounded; when bounds are exceeded, emit deterministic `skipped` markers in metadata instead of silently omitting.
### 2.2 Locator formats (canonical)
**File evidence**
- `locator`: `<relativePath>` (e.g., `packages/app/package.json`)
- `source`: a stable discriminator (e.g., `package.json`, `pom.xml`, `METADATA`)
**Lockfile entry evidence**
- `locator`: `<lockfileRelativePath>:<selector>`
- Examples:
- Node package-lock: `package-lock.json:packages/app/node_modules/foo`
- Bun lock: `bun.lock:packages[foo@1.2.3]`
- Maven/Gradle lock: `gradle.lockfile:com.example:foo:1.2.3`
**Nested artifact evidence**
- `locator`: `<outer>!<inner>!<path>`
- Example: `demo-jni.jar!META-INF/native-image/demo/jni-config.json`
**Derived evidence**
- `locator`: a stable synthetic name (e.g., `phase22.ndjson`)
- `source`: a stable synthetic source (e.g., `node.observation`)
### 2.3 Hashing rules (baseline)
- Hash only bounded inputs (default: 1 MiB per evidence value/file; analyzers may choose a tighter cap).
- Hash algorithm: `sha256` over UTF-8 bytes for textual evidence, raw bytes for file evidence.
- If hashing is skipped due to bounds or errors, emit deterministic metadata markers (e.g., `hashSkipped=true`, `hashSkipped.reason=sizeCap`).
## 3) Container Layout Discovery Contract
### 3.1 Layer root candidates
Language analyzers that support container-root discovery must treat these as **candidate roots** under the analysis root:
- `layers/*` (direct children)
- `.layers/*` (direct children; **must not be skipped**)
- `layer*` (direct children of the analysis root, e.g., `layer1/`, `layer2/`)
Each candidate root is scanned independently for projects.
### 3.2 Bounds and traversal safety (required)
- Deterministic traversal (sorted directory enumeration).
- Depth caps per candidate root; hard cap on total discovered project roots.
- Must never recurse into `node_modules/` (Node/Bun) or equivalent heavy dirs.
- Hidden directories may be skipped **except** `.layers` which is treated as a top-level candidate root.
- No symlink escape: if symlinks are followed, resolved targets must remain within the candidate root prefix and cycles must be prevented.
### 3.3 Overlay/whiteout semantics
- If an analyzer implements overlay semantics (notably Python container adapters), whiteouts and precedence rules must be explicit, deterministic, and fixture-tested.
- If an analyzer does **not** implement overlay semantics, it must still keep discovery bounded and must not silently drop projects; emit deterministic "skipped" markers when bounds prevent full traversal.
## Compliance
Sprints `docs/implplan/SPRINT_0403_0001_0001_scanner_java_detection_gaps.md` through `docs/implplan/SPRINT_0407_0001_0001_scanner_bun_detection_gaps.md` (and the program sprint `docs/implplan/SPRINT_0408_0001_0001_scanner_language_detection_gaps_program.md`) carry the per-analyzer implementation and test evidence required to enforce this contract.
Reference in New Issue View Git Blame Copy Permalink