7040984215
- Introduced a new document outlining the inline DSSE provenance for SBOM, VEX, scan, and derived events. - Defined the Mongo schema for event patches, including key fields for provenance and trust verification. - Documented the write path for ingesting provenance metadata and backfilling historical events. - Created CI/CD snippets for uploading DSSE attestations and generating provenance metadata. - Established Mongo indexes for efficient provenance queries and provided query recipes for various use cases. - Outlined policy gates for managing VEX decisions based on provenance verification. - Included UI nudges for displaying provenance information and implementation tasks for future enhancements. --- Implement reachability lattice and scoring model - Developed a comprehensive document detailing the reachability lattice and scoring model. - Defined core types for reachability states, evidence, and mitigations with corresponding C# models. - Established a scoring policy with base score contributions from various evidence classes. - Mapped reachability states to VEX gates and provided a clear overview of evidence sources. - Documented the event graph schema for persisting reachability data in MongoDB. - Outlined the integration of runtime probes for evidence collection and defined a roadmap for future tasks. --- Introduce uncertainty states and entropy scoring - Created a draft document for tracking uncertainty states and their impact on risk scoring. - Defined core uncertainty states with associated entropy values and evidence requirements. - Established a schema for storing uncertainty states alongside findings. - Documented the risk score calculation incorporating uncertainty and its effect on final risk assessments. - Provided policy guidelines for handling uncertainty in decision-making processes. - Outlined UI guidelines for displaying uncertainty information and suggested remediation actions. --- Add Ruby package inventory management - Implemented Ruby package inventory management with corresponding data models and storage mechanisms. - Created C# records for Ruby package inventory, artifacts, provenance, and runtime details. - Developed a repository for managing Ruby package inventory documents in MongoDB. - Implemented a service for storing and retrieving Ruby package inventories. - Added unit tests for the Ruby package inventory store to ensure functionality and data integrity.
6.3 KiB
6.3 KiB
Sprint 138 - Scanner & Surface
Phase focus: Scanner.IX — Ruby analyzer parity & supporting readiness.
- Depends on: Sprint 137 · Scanner.VIII (gap designs locked) and Sprint 135 · Scanner.VI (EntryTrace foundations).
- Feeds: Sprint 139 and CLI releases once Ruby analyzer + policy/CLI/licensing tracks land.
| Task ID | State | Summary | Owner / Source | Depends On |
|---|---|---|---|---|
SCANNER-ENG-0008 |
TODO | Maintain EntryTrace heuristic cadence per docs/benchmarks/scanner/scanning-gaps-stella-misses-from-competitors.md, including quarterly pattern reviews + explain-trace updates. |
EntryTrace Guild, QA Guild (src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace) | — |
SCANNER-ENG-0009 |
DOING (2025-11-02) | Deliver Ruby analyzer parity and observation pipeline (lockfiles, runtime graph, policy signals) per the gap doc. | Ruby Analyzer Guild (src/Scanner/StellaOps.Scanner.Analyzers.Lang.Ruby) | SCANNER-ANALYZERS-RUBY-28-001..012 |
SCANNER-ENG-0010 |
TODO | Ship the PHP analyzer pipeline (composer lock, autoload graph, capability signals) to close comparison gaps. | PHP Analyzer Guild (src/Scanner/StellaOps.Scanner.Analyzers.Lang.Php) | SCANNER-ANALYZERS-PHP-27-001..012 |
SCANNER-ENG-0011 |
TODO | Scope the Deno runtime analyzer (lockfile resolver, import graphs) based on competitor techniques to extend beyond Sprint 130 coverage. | Language Analyzer Guild (src/Scanner/StellaOps.Scanner.Analyzers.Lang.Deno) | — |
SCANNER-ENG-0012 |
TODO | Evaluate Dart analyzer requirements (pubspec parsing, AOT artifacts) and split implementation tasks. | Language Analyzer Guild (src/Scanner/StellaOps.Scanner.Analyzers.Lang.Dart) | — |
SCANNER-ENG-0013 |
TODO | Plan Swift Package Manager coverage (Package.resolved, xcframeworks, runtime hints) with policy hooks. | Swift Analyzer Guild (src/Scanner/StellaOps.Scanner.Analyzers.Lang.Swift) | — |
SCANNER-ENG-0014 |
TODO | Align Kubernetes/VM target coverage between Scanner and Zastava per comparison findings; publish joint roadmap. | Runtime Guild, Zastava Guild (docs/modules/scanner) | — |
SCANNER-ENG-0015 |
DOING (2025-11-09) | Document DSSE/Rekor operator enablement guidance and rollout levers surfaced in the gap analysis. | Export Center Guild, Scanner Guild (docs/modules/scanner) | — |
SCANNER-ENG-0016 |
DONE (2025-11-10) | RubyLockCollector and vendor ingestion finalized: Bundler config overrides honoured, workspace lockfiles merged, vendor bundles normalised, and deterministic fixtures added. | Ruby Analyzer Guild (src/Scanner/StellaOps.Scanner.Analyzers.Lang.Ruby) | SCANNER-ENG-0009 |
SCANNER-ENG-0017 |
DONE (2025-11-09) | Build the runtime require/autoload graph builder with tree-sitter Ruby per design §4.4 and integrate EntryTrace hints. | Ruby Analyzer Guild (src/Scanner/StellaOps.Scanner.Analyzers.Lang.Ruby) | SCANNER-ENG-0016 |
SCANNER-ENG-0018 |
DONE (2025-11-09) | Emit Ruby capability + framework surface signals as defined in design §4.5 with policy predicate hooks. | Ruby Analyzer Guild (src/Scanner/StellaOps.Scanner.Analyzers.Lang.Ruby) | SCANNER-ENG-0017 |
SCANNER-ENG-0019 |
DOING (2025-11-10) | Ship Ruby CLI verbs (`stella ruby inspect | resolve`) and Offline Kit packaging per design §4.6. | Ruby Analyzer Guild, CLI Guild (src/Scanner/StellaOps.Scanner.Analyzers.Lang.Ruby) |
SCANNER-LIC-0001 |
DONE (2025-11-10) | Tree-sitter licensing captured, NOTICE.md updated, and Offline Kit now mirrors third-party-licenses/ with ruby artifacts. |
Scanner Guild, Legal Guild (docs/modules/scanner) | SCANNER-ENG-0016 |
SCANNER-POLICY-0001 |
DONE (2025-11-10) | Ruby predicates shipped: Policy Engine exposes sbom.any_component + ruby.*, tests updated, DSL/offline-kit docs refreshed. |
Policy Guild, Ruby Analyzer Guild (docs/modules/scanner) | SCANNER-ENG-0018 |
SCANNER-CLI-0001 |
DONE (2025-11-10) | Coordinate CLI UX/help text for new Ruby verbs and update CLI docs/golden outputs. | CLI Guild, Ruby Analyzer Guild (src/Cli/StellaOps.Cli) | SCANNER-ENG-0019 |
Updates — 2025-11-09
SCANNER-CLI-0001: Completed Spectre table wrapping fix for runtime/lockfile columns, expanded Ruby resolve JSON assertions, removed ad-hoc debug artifacts, and drafted CLI docs coveringstellaops-cli ruby inspect|resolve. Pending: final verification + handoff once docs/tests merge.SCANNER-CLI-0001: Wiredstellaops-cli ruby inspect|resolveintoCommandFactoryso the verbs are available viaSystem.CommandLinewith the expected--root,--image/--scan-id, and--formatoptions;dotnet test ... --filter Rubypasses.SCANNER-CLI-0001: Added CLI unit tests (CommandFactoryTests, Ruby inspect JSON assertions) to guard the new verbs and runtime metadata output;dotnet test src/Cli/__Tests/StellaOps.Cli.Tests/StellaOps.Cli.Tests.csproj --filter "CommandFactoryTests|Ruby"now covers the CLI surface.SCANNER-ENG-0016: 2025-11-10 — Completed Ruby lock collector and vendor ingestion work: honour.bundle/configoverrides, fold workspace lockfiles, emit bundler groups, add Ruby analyzer fixtures/goldens (including new git/path offline kit mirror), anddotnet test ... --filter Rubypasses.SCANNER-ENG-0009: Emitted observation payload +ruby-observationcomponent summarising packages, runtime edges, and capability flags for Policy/Surface exports; fixtures updated for determinism and Offline Kit now ships the observation JSON.SCANNER-ENG-0009: 2025-11-12 — Added bundler-version metadata to observation payloads, introduced thecomplex-appfixture to cover vendor caches/BUNDLE_PATH overrides, and taughtstellaops-cli ruby inspectto print the observation banner (bundler/runtime/capabilities) alongside JSONobservationblocks.SCANNER-ENG-0009: 2025-11-12 — Ruby package inventories now flow intoRubyPackageInventoryStore;SurfaceManifestStageExecutorbuilds the package list, persists it via Mongo, and Scanner.WebService exposes the data throughGET /api/scans/{scanId}/ruby-packagesfor CLI/Policy consumers.SCANNER-ENG-0009: 2025-11-12 — Ruby package inventory API now returns a typed envelope (scanId/imageDigest/generatedAt + packages) backed byruby.packages; Worker/WebService DI registers the real store when Mongo is enabled, CLIruby resolveconsumes the new payload/warns when inventories are still warming, and docs/OpenAPI references were refreshed.