git.stella-ops.org/docs/modules/scanner/prep/2025-11-20-java-21-008-prep.md
master 79b8e53441
Add new features and tests for AirGap and Time modules
- Introduced `SbomService` tasks documentation.
- Updated `StellaOps.sln` to include new projects: `StellaOps.AirGap.Time` and `StellaOps.AirGap.Importer`.
- Added unit tests for `BundleImportPlanner`, `DsseVerifier`, `ImportValidator`, and other components in the `StellaOps.AirGap.Importer.Tests` namespace.
- Implemented `InMemoryBundleRepositories` for testing bundle catalog and item repositories.
- Created `MerkleRootCalculator`, `RootRotationPolicy`, and `TufMetadataValidator` tests.
- Developed `StalenessCalculator` and `TimeAnchorLoader` tests in the `StellaOps.AirGap.Time.Tests` namespace.
- Added `fetch-sbomservice-deps.sh` script for offline dependency fetching.
2025-11-20 23:29:54 +02:00
Java Analyzer Prep — SCANNER-ANALYZERS-JAVA-21-008

Status: Draft (2025-11-20)
Owners: Java Analyzer Guild
Scope: Resolver + AOC writer emitting entrypoints/components/edges with reason codes/confidence; depends on 21-007 outputs.

Dependencies

  • 21-007 manifest metadata collector outputs (signers, manifest attributes) required to seed resolver inputs.
  • CoreLinksets/Concelier build health to allow Java analyzer test runs.

Proposed resolver outputs

  • entrypoints[]: {id, path, manifest_main_class?, agent_class?, start_class?, module}.
  • components[]: modules/JARs with {purl?, sha256, module_name?, signed?, signer_ids[]}.
  • edges[]: {from_entrypoint, to_component, reason_code (jpms|cp|spi|reflect|jni|runtime), confidence, evidence}.
  • Deterministic ordering: sort edges by (from_entrypoint, to_component, reason_code).

Tests/fixtures

  • Place fixtures under src/Scanner/__Tests/Fixtures/java/21-008/* covering jpms, classpath, SPI, reflection, JNI cases.
  • Regression tests: ResolverOutputs_AreDeterministic and EdgesIncludeReasonAndConfidence.
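Added example (Python, not StellaOps code) modelling the proposed resolver output shape from the section above and the two regression checks named under Tests/fixtures. Field names follow the proposal; the 0-1 confidence scale is assumed pending the open decision; the JAR digests, purls, paths and ids are constructed sample data.

```python
"""Model of the proposed 21-008 resolver outputs with deterministic edge
ordering, plus the ResolverOutputs_AreDeterministic and
EdgesIncludeReasonAndConfidence checks run over the rendered document.
Illustration only: not StellaOps code; sample values are constructed.
"""
from __future__ import annotations

import hashlib
import json
from dataclasses import asdict, dataclass
from typing import Optional

# Reason codes exactly as listed in the edges[] proposal.
REASON_CODES = ("jpms", "cp", "spi", "reflect", "jni", "runtime")


@dataclass(frozen=True)
class Entrypoint:
    id: str
    path: str
    module: str
    manifest_main_class: Optional[str] = None
    agent_class: Optional[str] = None
    start_class: Optional[str] = None


@dataclass(frozen=True)
class Component:
    sha256: str
    purl: Optional[str] = None
    module_name: Optional[str] = None
    signed: bool = False
    signer_ids: tuple[str, ...] = ()


@dataclass(frozen=True)
class Edge:
    from_entrypoint: str
    to_component: str  # component sha256
    reason_code: str
    confidence: float  # assumes the 0-1 scale (open decision in the prep doc)
    evidence: str

    def __post_init__(self) -> None:
        # Reject edges that would not survive EdgesIncludeReasonAndConfidence.
        if self.reason_code not in REASON_CODES:
            raise ValueError(f"unknown reason_code {self.reason_code!r}")
        if not 0.0 <= self.confidence <= 1.0:
            raise ValueError(f"confidence out of range: {self.confidence}")


def sort_edges(edges: list[Edge]) -> list[Edge]:
    # Deterministic ordering from the proposal: (from_entrypoint, to_component, reason_code).
    return sorted(edges, key=lambda e: (e.from_entrypoint, e.to_component, e.reason_code))


def render(entrypoints: list[Entrypoint], components: list[Component], edges: list[Edge]) -> str:
    # Canonical JSON: stable element order and sorted keys, so equal facts give equal bytes.
    doc = {
        "entrypoints": [asdict(e) for e in sorted(entrypoints, key=lambda e: e.id)],
        "components": [asdict(c) for c in sorted(components, key=lambda c: c.sha256)],
        "edges": [asdict(e) for e in sort_edges(edges)],
    }
    return json.dumps(doc, sort_keys=True, separators=(",", ":"))


def resolver_outputs_are_deterministic(entrypoints, components, edges) -> bool:
    # Same facts fed in reverse order must produce a byte-identical document.
    first = render(entrypoints, components, edges)
    second = render(list(reversed(entrypoints)), list(reversed(components)), list(reversed(edges)))
    return hashlib.sha256(first.encode()).hexdigest() == hashlib.sha256(second.encode()).hexdigest()


def edges_include_reason_and_confidence(rendered: str) -> bool:
    # Checks the emitted artefact, not the in-memory objects, so it also covers serialisation.
    doc = json.loads(rendered)
    for edge in doc["edges"]:
        if edge.get("reason_code") not in REASON_CODES:
            return False
        conf = edge.get("confidence")
        if not isinstance(conf, (int, float)) or not 0.0 <= conf <= 1.0:
            return False
        if not edge.get("evidence"):
            return False
    return True


# Constructed sample: one launcher JAR resolving two dependencies by different mechanisms.
SAMPLE_ENTRYPOINTS = [
    Entrypoint(id="ep-app", path="app/launcher.jar", module="com.example.app",
               manifest_main_class="com.example.app.Main"),
]
SAMPLE_COMPONENTS = [
    Component(sha256="b" * 64, purl="pkg:maven/com.example/util@1.0.0", module_name="com.example.util"),
    Component(sha256="a" * 64, purl="pkg:maven/org.example/driver@2.3.1", signed=True, signer_ids=("signer-1",)),
]
SAMPLE_EDGES = [
    Edge("ep-app", "b" * 64, "cp", 0.95, "Class-Path: util-1.0.0.jar"),
    Edge("ep-app", "a" * 64, "spi", 0.70, "META-INF/services/java.sql.Driver"),
    Edge("ep-app", "a" * 64, "reflect", 0.40, 'Class.forName("org.example.Driver") in Main'),
]

if __name__ == "__main__":
    out = render(SAMPLE_ENTRYPOINTS, SAMPLE_COMPONENTS, SAMPLE_EDGES)
    print(out)
    print("deterministic:", resolver_outputs_are_deterministic(SAMPLE_ENTRYPOINTS, SAMPLE_COMPONENTS, SAMPLE_EDGES))
    print("edges valid:", edges_include_reason_and_confidence(out))
```

Running the module prints the canonical JSON and both check results; the edges come out ordered by component digest and then reason code (reflect, spi, cp for the sample), regardless of the order the resolver discovered them in.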

Open decisions

  • Exact confidence scale (numeric 0-1 vs categorical) to align with downstream Surface.
  • Whether to emit runtime edges in this task vs deferring to 21-010.

Handoff

Use this doc as the PREP artefact for 21-008; update once 21-007 outputs and confidence scale are finalized.