git.stella-ops.org/ops/devops/scanner-java/release-plan.md
StellaOps Bot 44171930ff
feat: Add UI benchmark driver and scenarios for graph interactions
- Introduced `ui_bench_driver.mjs` to read scenarios and fixture manifest, generating a deterministic run plan.
- Created `ui_bench_plan.md` outlining the purpose, scope, and next steps for the benchmark.
- Added `ui_bench_scenarios.json` containing various scenarios for graph UI interactions.
- Implemented tests for CLI commands, ensuring bundle verification and telemetry defaults.
- Developed schemas for orchestrator components, including replay manifests and event envelopes.
- Added mock API for risk management, including listing and statistics functionalities.
- Implemented models for risk profiles and query options to support the new API.
2025-12-02 01:28:17 +02:00


Java Analyzer Release Plan (DEVOPS-SCANNER-JAVA-21-011-REL)

Goal

Publish the Java analyzer plug-in with signed artifacts and offline-ready bundles for CLI/Offline Kit.

Inputs

  • Analyzer JAR(s) + native helpers from dev task 21-011.
  • SBOM (SPDX JSON) for plugin + native components.
  • Test suite outputs (unit + integration).

Artifacts

  • OCI image (optional) or zip bundle containing:
    • analyzer.jar
    • lib/ natives (if any)
    • LICENSE, NOTICE
    • SBOM (spdx.json)
    • SIGNATURES (cosign/PGP)
  • Cosign attestations for OCI/zip (provenance + SBOM).
  • Checksums: SHA256SUMS, SHA256SUMS.sig.
  • Offline kit slice: tarball with bundle + attestations + SBOM.

Pipeline steps

  1. Build: run gradle/mvn with --offline using vendored deps; produce JAR + natives.
  2. SBOM: syft packages -o spdx-json over build output.
  3. Package: zip bundle with fixed ordering (zip -X) and normalized timestamps (SOURCE_DATE_EPOCH).
  4. Sign:
    • cosign sign-blob (zip) and/or cosign sign (image).
    • generate in-toto provenance (SLSA level 1) referencing git commit + toolchain hashes.
  5. Checksums: create SHA256SUMS and sign with cosign/PGP.
  6. Verify stage: pipeline step runs cosign verify-blob, sha256sum --check, and syft validate spdx.
  7. Publish:
    • Upload to artifact store (release bucket) with metadata (version, commit, digest).
    • Produce offline kit slice tarball (scanner-java-<ver>-offline.tgz) containing bundle, SBOM, attestations, checksums.
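Steps 3, 5 and 6 worked through as an added Python example (not code from the StellaOps repository): the bundle is packed with sorted entries and SOURCE_DATE_EPOCH timestamps so identical inputs give a byte-identical zip, then SHA256SUMS is rendered and checked the way sha256sum --check does. Cosign signing and verification are left to the real tool; the file names and contents are constructed.

```python
"""Reproducible bundle + SHA256SUMS helpers (added example, not StellaOps code)."""
from __future__ import annotations

import hashlib
import io
import os
import time
import zipfile

# Zip stores DOS timestamps, which cannot precede 1980-01-01; SOURCE_DATE_EPOCH=0 clamps there.
_ZIP_MIN_EPOCH = 315532800


def build_bundle(files: dict[str, bytes], source_date_epoch: int | None = None) -> bytes:
    """Step 3: pack files into a zip with sorted entry order and normalized timestamps.
    Ordering ignores how the files were collected, every entry gets the same
    SOURCE_DATE_EPOCH time and a fixed mode, so identical inputs give identical bytes."""
    if source_date_epoch is None:
        source_date_epoch = int(os.environ.get("SOURCE_DATE_EPOCH", "0"))
    date_time = tuple(time.gmtime(max(source_date_epoch, _ZIP_MIN_EPOCH))[:6])
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in sorted(files):  # fixed ordering, like feeding zip a sorted file list
            info = zipfile.ZipInfo(name, date_time=date_time)
            info.compress_type = zipfile.ZIP_DEFLATED
            info.external_attr = 0o644 << 16  # fixed permissions, no uid/gid or extra fields
            zf.writestr(info, files[name])
    return buf.getvalue()


def sha256sums(blobs: dict[str, bytes]) -> str:
    """Step 5: render sha256sum-compatible lines ('<hex>  <name>') in sorted name order."""
    return "".join(f"{hashlib.sha256(data).hexdigest()}  {name}\n"
                   for name, data in sorted(blobs.items()))


def verify_sha256sums(manifest: str, blobs: dict[str, bytes]) -> list[str]:
    """Step 6 equivalent of `sha256sum --check`: return names that FAILED.
    A listed file that is missing counts as a failure; an empty list means all verified."""
    failed = []
    for line in manifest.splitlines():
        if not line.strip():
            continue
        expected, _, rest = line.partition(" ")
        name = rest[1:] if rest[:1] in (" ", "*") else rest  # text ("  ") or binary (" *") marker
        if name not in blobs or hashlib.sha256(blobs[name]).hexdigest() != expected:
            failed.append(name)
    return failed
```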

Security/hardening

  • Non-root build container; disable gradle/mvn network (--offline).
  • Strip debug info unless required; ensure reproducible JAR (sorted entries, normalized timestamps).
  • Telemetry disabled.

Evidence to capture

  • Bundle SHA256, cosign signatures, provenance statement.
  • SBOM hash.
  • Verification logs from pipeline.

Owners

  • Build/pipeline: DevOps Guild
  • Signing policy: Platform Security
  • Consumer integration: CLI Guild / Offline Kit Guild