- Introduced `SbomService` tasks documentation.
- Updated `StellaOps.sln` to include new projects: `StellaOps.AirGap.Time` and `StellaOps.AirGap.Importer`.
- Added unit tests for `BundleImportPlanner`, `DsseVerifier`, `ImportValidator`, and other components in the `StellaOps.AirGap.Importer.Tests` namespace.
- Implemented `InMemoryBundleRepositories` for testing bundle catalog and item repositories.
- Created `MerkleRootCalculator`, `RootRotationPolicy`, and `TufMetadataValidator` tests.
- Developed `StalenessCalculator` and `TimeAnchorLoader` tests in the `StellaOps.AirGap.Time.Tests` namespace.
- Added `fetch-sbomservice-deps.sh` script for offline dependency fetching.
# Scanner Analyzers PREP Notes — 2025-11-20

Owner: Scanner EPDR Guild · Signals Guild · SBOM Service Guild · Native Analyzer Guild

Scope: Prep deliverables for PREP-SCANNER-ANALYZERS-LANG-11-003-DEPENDS-ON, PREP-SCANNER-ANALYZERS-LANG-11-004-DEPENDS-ON, and PREP-SCANNER-ANALYZERS-NATIVE-20-002-AWAIT-DE.
## 1) LANG-11-003 runtime evidence ingest (dependent on 11-002)

- Required upstream: static analyzer outputs from 11-002 (AssemblyRef/ModuleRef/PInvoke/reflection edges with reason codes and confidence).
- Runtime harness spec (draft):
  - Listener surfaces: `AssemblyLoad`, `Resolving`, `FirstChanceException` events; optional OS-specific providers gated by the feature flag `scanner:analyzers:dotnet:runtime-capture` (default off).
  - Output shape fed into the merger: `runtime_edges[]` with fields `{from_entrypoint, to_identity, reason_code, confidence, evidence}`; `evidence` captures event type, payload fragment, timestamp (UTC ISO-8601), and source provider.
  - Merge rules: prefer static edges; runtime edges only add new edges or upgrade confidence; no removals.
- Test plan stub: targeted harness tests under `StellaOps.Scanner.Analyzers.Lang.DotNet.Tests` using recorded ETW/EventListener traces; determinism enforced via sorted edges and normalized timestamps.
## 2) LANG-11-004 normalized observation export (dependent on 11-003)

- Export contract (AOC compliant) to Scanner writer:
  - `entrypoints[]` with `{id, assembly_name, mvid, tfm, rid, kind}`.
  - `dependency_edges[]` with `{from_entrypoint, to_component, reason_code, confidence, source={static|runtime|declared}, evidence_ref}`.
  - `environment_profiles[]` capturing loader configuration (search paths, probing settings) without host-specific absolute paths; deterministic ordering.
- Integration expectations:
  - Writer API endpoint path: `scanner/writer/analyzers/dotnet/runtime-static-fusion` (to be aligned with the writer team).
  - SBOM tagging: entrypoints annotated with export IDs; avoid adding derived severity.
- Testing hook: golden JSON exports under `src/Scanner/__Tests/Fixtures/lang11/export/*.json`, referenced by `ObservationExportTests` once 11-003 is ready.
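The merge rules in section 1 (static wins, runtime only adds or upgrades, nothing removed) and the deterministic `dependency_edges[]` export in section 2 are easy to get subtly wrong: a merger that iterates a hash map, or an exporter that serialises evidence timestamps as captured, breaks golden-fixture comparison. The following is an added example, not StellaOps code; it is written in Python rather than C# so it can be run here without the solution. Field names follow this note; the sample edges, the `runtime_confirmation` field, and the `sha256:` scheme for `evidence_ref` are assumptions.

```python
"""Added example (not project code) for the LANG-11-003 merge rules and the
LANG-11-004 export shape. Field names follow the prep note; the sample edges,
the evidence_ref derivation and the runtime_confirmation field are assumptions."""
import hashlib
import json
from datetime import datetime, timezone


def normalize_timestamp(ts):
    """Canonicalise an evidence timestamp to UTC ISO-8601 ('Z' suffix) so the
    same event captured in different zones serialises identically."""
    dt = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    if dt.tzinfo is None:            # assumption: naive timestamps are already UTC
        dt = dt.replace(tzinfo=timezone.utc)
    return dt.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def merge_edges(static_edges, runtime_edges):
    """Merge rules from the note: static edges win, a runtime edge may only add a
    new (from, to) pair or raise confidence on an existing one, nothing is removed."""
    merged = {}
    for e in static_edges:
        merged[(e["from_entrypoint"], e["to_identity"])] = dict(e, source="static")
    for e in runtime_edges:
        key = (e["from_entrypoint"], e["to_identity"])
        ev = dict(e["evidence"], timestamp=normalize_timestamp(e["evidence"]["timestamp"]))
        if key not in merged:
            merged[key] = dict(e, evidence=ev, source="runtime")
        elif e["confidence"] > merged[key]["confidence"]:
            # static reason_code/evidence are kept; only confidence moves up,
            # and the runtime observation is attached as corroboration
            merged[key]["confidence"] = e["confidence"]
            merged[key]["runtime_confirmation"] = ev
    static_keys = {(e["from_entrypoint"], e["to_identity"]) for e in static_edges}
    assert static_keys <= set(merged), "merge must never drop a static edge"
    # deterministic ordering: sort on a stable key, never on dict insertion order
    return sorted(merged.values(),
                  key=lambda x: (x["from_entrypoint"], x["to_identity"], x["reason_code"]))


def evidence_ref(evidence):
    """Content-addressed reference so the export carries no raw payloads (assumed scheme)."""
    blob = json.dumps(evidence, sort_keys=True, separators=(",", ":")).encode()
    return "sha256:" + hashlib.sha256(blob).hexdigest()


def export_edges(merged):
    """LANG-11-004 dependency_edges[] rows, emitted as canonical JSON so golden
    fixtures diff byte-for-byte between runs."""
    rows = [{
        "from_entrypoint": e["from_entrypoint"],
        "to_component": e["to_identity"],
        "reason_code": e["reason_code"],
        "confidence": e["confidence"],
        "source": e["source"],
        "evidence_ref": evidence_ref(e["evidence"]) if e.get("evidence") else None,
    } for e in merged]
    return json.dumps({"dependency_edges": rows}, sort_keys=True, separators=(",", ":"))


# Constructed sample: one entrypoint, two static edges, three runtime observations.
STATIC = [
    {"from_entrypoint": "app.dll", "to_identity": "System.Runtime",
     "reason_code": "assemblyref", "confidence": 0.9},
    {"from_entrypoint": "app.dll", "to_identity": "Plugin.Core",
     "reason_code": "reflection", "confidence": 0.4},
]
RUNTIME = [
    {"from_entrypoint": "app.dll", "to_identity": "Plugin.Core",
     "reason_code": "assemblyload", "confidence": 0.95,
     "evidence": {"event": "AssemblyLoad", "provider": "EventListener",
                  "timestamp": "2025-11-20T11:00:00+01:00", "payload": "Plugin.Core, Version=1.0.0.0"}},
    {"from_entrypoint": "app.dll", "to_identity": "libnative.so",
     "reason_code": "pinvoke", "confidence": 0.8,
     "evidence": {"event": "Resolving", "provider": "EventListener",
                  "timestamp": "2025-11-20T10:00:00Z", "payload": "DllImport(\"libnative\")"}},
    {"from_entrypoint": "app.dll", "to_identity": "System.Runtime",
     "reason_code": "assemblyload", "confidence": 0.5,   # lower than static: no downgrade
     "evidence": {"event": "AssemblyLoad", "provider": "EventListener",
                  "timestamp": "2025-11-20T10:00:01Z", "payload": "System.Runtime"}},
]

if __name__ == "__main__":
    print(export_edges(merge_edges(STATIC, RUNTIME)))
```

Running the sample yields three edges in sorted order: `Plugin.Core` keeps its static `reflection` reason code but carries confidence 0.95, `System.Runtime` stays at 0.9 because the weaker runtime observation is ignored, and `libnative.so` is added as a runtime-only edge. Feeding the runtime list in reverse produces byte-identical JSON, which is the property `ObservationExportTests` needs from the golden fixtures.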
## 3) NATIVE-20-002 declared-dependency writer (await declared-dependency contract)

- Scope: emit declared dependencies from ELF dynamic sections with `reason_code=elf-dtneeded`; include `rpath`/`runpath` and symbol version needs when present.
- Contract expectations:
  - Writer record fields: `{binary_id, needed_soname, search_path_hint[], runpath[], build_id, interpreter, version_need[]}`; all ordered deterministically.
  - Input parser must normalize duplicate `DT_NEEDED` entries and preserve order of appearance.
- Dependencies: needs the finalized declared-dependency writer interface from the Scanner writer team; the block remains until the contract lands, but this prep defines the expected payload shape and ordering.
- Test stub guidance: place fixtures under `src/Scanner/__Tests/Fixtures/native/elf-dtneeded/*` with baseline YAML/JSON; benchmark target <25 ms per binary on baseline fixtures.
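The parser requirement above (walk the ELF dynamic section, emit `DT_NEEDED` in order of appearance with duplicates collapsed, carry `rpath`/`runpath` when present) is shown below as an added example; it is not the project's native analyzer and is in Python so it runs here without the solution. It locates `.dynamic` through the section headers and resolves strings through the section's `sh_link`, and only the subset of the writer fields that the dynamic section itself provides is emitted; `build_sample_elf()` fabricates a minimal ELF64 fixture so the example runs offline.

```python
"""Added example for the NATIVE-20-002 parser: extract DT_NEEDED / DT_RPATH /
DT_RUNPATH from an ELF64 dynamic section, dropping duplicate DT_NEEDED entries
while keeping first-appearance order. The record is a subset of the note's writer
fields; build_sample_elf() fabricates a minimal ELF purely for offline use."""
import struct

DT_NULL, DT_NEEDED, DT_RPATH, DT_RUNPATH = 0, 1, 15, 29
SHT_STRTAB, SHT_DYNAMIC = 3, 6
SHDR_FMT = "IIQQQQIIQQ"   # Elf64_Shdr: name type flags addr offset size link info align entsize


def _cstr(table, off):
    """NUL-terminated string at `off` inside a string table; malformed offsets raise."""
    if off >= len(table):
        raise ValueError("string offset outside .dynstr")
    return table[off:table.index(b"\x00", off)].decode("utf-8", "replace")


def parse_elf64_dynamic(data):
    """Return {"reason_code", "needed_soname", "rpath", "runpath"} for one binary.
    Section headers are used to find .dynamic and its string table (sh_link)."""
    if data[:4] != b"\x7fELF" or data[4] != 2:
        raise ValueError("not an ELF64 image")
    e = "<" if data[5] == 1 else ">"                     # EI_DATA selects endianness
    (e_shoff,) = struct.unpack_from(e + "Q", data, 0x28)
    e_shentsize, e_shnum = struct.unpack_from(e + "HH", data, 0x3A)
    sections = [struct.unpack_from(e + SHDR_FMT, data, e_shoff + i * e_shentsize)
                for i in range(e_shnum)]
    record = {"reason_code": "elf-dtneeded", "needed_soname": [], "rpath": [], "runpath": []}
    dyn = next((s for s in sections if s[1] == SHT_DYNAMIC), None)
    if dyn is None:
        return record   # statically linked (or section headers stripped): nothing declared
    strtab_hdr = sections[dyn[6]]
    if strtab_hdr[1] != SHT_STRTAB:
        raise ValueError(".dynamic sh_link does not point at a string table")
    strtab = data[strtab_hdr[4]:strtab_hdr[4] + strtab_hdr[5]]
    for off in range(dyn[4], dyn[4] + dyn[5], 16):        # Elf64_Dyn is 16 bytes
        tag, val = struct.unpack_from(e + "qQ", data, off)
        if tag == DT_NULL:
            break
        if tag == DT_NEEDED:
            name = _cstr(strtab, val)
            if name not in record["needed_soname"]:      # normalise duplicates, keep order
                record["needed_soname"].append(name)
        elif tag in (DT_RPATH, DT_RUNPATH):
            key = "rpath" if tag == DT_RPATH else "runpath"
            record[key] = [p for p in _cstr(strtab, val).split(":") if p]
    return record


def build_sample_elf():
    """Constructed fixture: ET_DYN ELF64 with .dynstr (section 1) and .dynamic
    (section 2) and no program headers. libc.so.6 appears twice on purpose."""
    names = [b"", b"libc.so.6", b"libssl.so.3", b"/opt/app/lib:$ORIGIN/../lib"]
    dynstr, offs = b"", []
    for n in names:
        offs.append(len(dynstr))
        dynstr += n + b"\x00"
    entries = [(DT_NEEDED, offs[1]), (DT_NEEDED, offs[2]), (DT_NEEDED, offs[1]),
               (DT_RUNPATH, offs[3]), (DT_NULL, 0)]
    dynamic = b"".join(struct.pack("<qQ", t, v) for t, v in entries)
    dynstr_off = 64                                  # straight after the 64-byte header
    dynamic_off = dynstr_off + len(dynstr)
    shoff = dynamic_off + len(dynamic)
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8   # ELFCLASS64, LSB, EV_CURRENT
    # e_type=ET_DYN e_machine=x86-64 e_version e_entry e_phoff e_shoff e_flags
    # e_ehsize e_phentsize e_phnum e_shentsize e_shnum e_shstrndx
    ehdr = ident + struct.pack("<HHIQQQIHHHHHH", 3, 62, 1, 0, 0, shoff, 0, 64, 56, 0, 64, 3, 0)
    shdrs = struct.pack("<" + SHDR_FMT, *([0] * 10))                       # SHN_UNDEF
    shdrs += struct.pack("<" + SHDR_FMT, 0, SHT_STRTAB, 0, 0, dynstr_off, len(dynstr), 0, 0, 1, 0)
    shdrs += struct.pack("<" + SHDR_FMT, 0, SHT_DYNAMIC, 0, 0, dynamic_off, len(dynamic), 1, 0, 8, 16)
    return ehdr + dynstr + dynamic + shdrs


if __name__ == "__main__":
    print(parse_elf64_dynamic(build_sample_elf()))
```

Two caveats for the real writer. First, section headers are optional at load time, so a binary passed through `sstrip` still runs but yields no `.dynamic` here; production code should fall back to the `PT_DYNAMIC` program header and map `DT_STRTAB` through `PT_LOAD` segments. Second, `DT_RPATH` and `DT_RUNPATH` are not interchangeable: the loader consults `DT_RPATH` before `LD_LIBRARY_PATH` and ignores it when `DT_RUNPATH` is present, and either may contain `$ORIGIN`, so keeping them as separate fields (as above) preserves what a reviewer needs to judge hijackable search paths. `build_id`, `interpreter` and `version_need[]` come from other parts of the image (`.note.gnu.build-id`, `PT_INTERP`, `DT_VERNEED`) and are left to the finalized writer.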
## Handoff

- This document is the published prep artefact requested by the above PREP tasks. Implementation tasks should cite this file until upstream contracts arrive.