885ce86af4
- Introduced a comprehensive CI job structure for VEX Lens, including build, test, linting, and load testing. - Defined load test parameters and SLOs for VEX Lens API and Issuer Directory. - Created Grafana dashboards and alerting mechanisms for monitoring API performance and error rates. - Established offline posture guidelines for CI jobs and load testing. feat: Implement deterministic projection verification script - Added `verify_projection.sh` script for verifying the integrity of projection exports against expected hashes. - Ensured robust error handling for missing files and hash mismatches. feat: Develop Vuln Explorer CI and Ops Plan - Created CI jobs for Vuln Explorer, including build, test, and replay verification. - Implemented backup and disaster recovery strategies for MongoDB and Redis. - Established Merkle anchoring verification and automation for ledger projector. feat: Introduce EventEnvelopeHasher for hashing event envelopes - Implemented `EventEnvelopeHasher` to compute SHA256 hashes for event envelopes. feat: Add Risk Store and Dashboard components - Developed `RiskStore` for managing risk data and state. - Created `RiskDashboardComponent` for displaying risk profiles with filtering capabilities. - Implemented unit tests for `RiskStore` and `RiskDashboardComponent`. feat: Enhance Vulnerability Detail Component - Developed `VulnerabilityDetailComponent` for displaying detailed information about vulnerabilities. - Implemented error handling for missing vulnerability IDs and loading failures.
21 KiB
21 KiB
Sprint 136 - Scanner & Surface
Implementation order remains sequential across Sprint 130–139. Complete each sprint in order before pulling tasks from the next file.
7. Scanner.VII — Scanner & Surface focus on Scanner (phase VII).
Dependency: Sprint 135 - 6. Scanner.VI — Scanner & Surface focus on Scanner (phase VI).
| Task ID | State | Summary | Owner / Source | Depends On |
|---|---|---|---|---|
SCANNER-ENTRYTRACE-18-504 |
DONE | EntryTrace NDJSON (entry/node/edge/target/warning/capability) emitted via EntryTraceNdjsonWriter; Worker stores and WebService/CLI stream NDJSON payloads. | EntryTrace Guild (src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace) | SCANNER-ENTRYTRACE-18-503 |
SCANNER-ENTRYTRACE-18-505 |
DONE | ProcGraph replay integrated: runtime snapshot reconciler matches terminals/wrappers, adjusts plan confidence, and emits diagnostics for agreements/mismatches. | EntryTrace Guild (src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace) | SCANNER-ENTRYTRACE-18-504 |
SCANNER-ENTRYTRACE-18-506 |
DONE | EntryTrace graph and confidence exposed via WebService /scans/{id}/entrytrace and CLI (stella scan entrytrace, NDJSON option) with target summaries. |
EntryTrace Guild, Scanner WebService Guild (src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace) | SCANNER-ENTRYTRACE-18-505 |
SCANNER-ENV-01 |
DONE (2025-11-18) | Worker already wired to AddSurfaceEnvironment/ISurfaceEnvironment for cache roots + CAS endpoints; no remaining ad-hoc env reads. |
Scanner Worker Guild (src/Scanner/StellaOps.Scanner.Worker) | — |
SCANNER-ENV-02 |
DONE (2025-11-27) | Wire Surface.Env helpers into WebService hosting (cache roots, feature flags) and document configuration. | Scanner WebService Guild, Ops Guild (src/Scanner/StellaOps.Scanner.WebService) | SCANNER-ENV-01 |
SCANNER-ENV-03 |
DONE (2025-11-27) | Surface.Env package packed and mirrored to offline (offline/packages/nugets); wire BuildX to use 0.1.0-alpha.20251123 and update restore feeds. |
BuildX Plugin Guild (src/Scanner/StellaOps.Scanner.Sbomer.BuildXPlugin) | SCANNER-ENV-02 |
SURFACE-ENV-01 |
DONE (2025-11-13) | Draft surface-env.md enumerating environment variables, defaults, and air-gap behaviour for Surface consumers. |
Scanner Guild, Zastava Guild (src/Scanner/__Libraries/StellaOps.Scanner.Surface.Env) | — |
SURFACE-ENV-02 |
DONE (2025-11-18) | Strongly-typed env accessors implemented; validation covers required endpoint, bounds, TLS cert path; regression tests passing. | Scanner Guild (src/Scanner/__Libraries/StellaOps.Scanner.Surface.Env) | SURFACE-ENV-01 |
SURFACE-ENV-03 |
DONE (2025-11-27) | Adopt the env helper across Scanner Worker/WebService/BuildX plug-ins. | Scanner Guild (src/Scanner/__Libraries/StellaOps.Scanner.Surface.Env) | SURFACE-ENV-02 |
SURFACE-ENV-04 |
DONE (2025-11-27) | Wire env helper into Zastava Observer/Webhook containers. | Zastava Guild (src/Scanner/__Libraries/StellaOps.Scanner.Surface.Env) | SURFACE-ENV-02 |
SURFACE-ENV-05 |
DONE | Update Helm/Compose/offline kit templates with new env knobs and documentation. | Ops Guild (src/Scanner/__Libraries/StellaOps.Scanner.Surface.Env) | SURFACE-ENV-03, SURFACE-ENV-04 |
SCANNER-EVENTS-16-301 |
BLOCKED (2025-10-26) | Emit orchestrator-compatible envelopes (scanner.event.*) and update integration tests to verify Notifier ingestion (no Redis queue coupling). |
Scanner WebService Guild (src/Scanner/StellaOps.Scanner.WebService) | — |
SCANNER-GRAPH-21-001 |
DONE (2025-11-27) | Provide webhook/REST endpoint for Cartographer to request policy overlays and runtime evidence for graph nodes, ensuring determinism and tenant scoping. | Scanner WebService Guild, Cartographer Guild (src/Scanner/StellaOps.Scanner.WebService) | — |
SCANNER-LNM-21-001 |
BLOCKED (2025-11-27) | Update /reports and /policy/runtime payloads to consume advisory/vex linksets, exposing source severity arrays and conflict summaries alongside effective verdicts. Blocked: requires Concelier HTTP client integration or shared library; no existing Concelier dependency in Scanner WebService. |
Scanner WebService Guild, Policy Guild (src/Scanner/StellaOps.Scanner.WebService) | — |
SCANNER-LNM-21-002 |
TODO | Add evidence endpoint for Console to fetch linkset summaries with policy overlay for a component/SBOM, including AOC references. | Scanner WebService Guild, UI Guild (src/Scanner/StellaOps.Scanner.WebService) | SCANNER-LNM-21-001 |
SCANNER-SECRETS-03 |
DONE (2025-11-27) | Use Surface.Secrets to retrieve registry credentials when interacting with CAS/referrers. | BuildX Plugin Guild, Security Guild (src/Scanner/StellaOps.Scanner.Sbomer.BuildXPlugin) | SCANNER-SECRETS-02 |
SURFACE-SECRETS-01 |
DONE (2025-11-23) | Security-approved schema published at docs/modules/scanner/design/surface-secrets-schema.md; proceed to provider wiring. |
Scanner Guild, Security Guild (src/Scanner/__Libraries/StellaOps.Scanner.Surface.Secrets) | — |
SURFACE-SECRETS-02 |
DONE (2025-11-23) | Provider chain implemented (primary + fallback) with DI wiring; tests updated (StellaOps.Scanner.Surface.Secrets.Tests). |
Scanner Guild (src/Scanner/__Libraries/StellaOps.Scanner.Surface.Secrets) | SURFACE-SECRETS-01 |
SURFACE-SECRETS-03 |
DONE (2025-11-27) | Add Kubernetes/File/Offline backends with deterministic caching and audit hooks. | Scanner Guild (src/Scanner/__Libraries/StellaOps.Scanner.Surface.Secrets) | SURFACE-SECRETS-02 |
SURFACE-SECRETS-04 |
DONE (2025-11-27) | Integrate Surface.Secrets into Scanner Worker/WebService/BuildX for registry + CAS creds. | Scanner Guild (src/Scanner/__Libraries/StellaOps.Scanner.Surface.Secrets) | SURFACE-SECRETS-02 |
SURFACE-SECRETS-05 |
DONE (2025-11-27) | Invoke Surface.Secrets from Zastava Observer/Webhook for CAS & attestation secrets. | Zastava Guild (src/Scanner/__Libraries/StellaOps.Scanner.Surface.Secrets) | SURFACE-SECRETS-02 |
SURFACE-SECRETS-06 |
BLOCKED (2025-11-27) | Update deployment manifests/offline kit bundles to provision secret references instead of raw values. Requires Ops Guild input on Helm/Compose patterns for Surface.Secrets provider configuration. | Ops Guild (src/Scanner/__Libraries/StellaOps.Scanner.Surface.Secrets) | SURFACE-SECRETS-03 |
SCANNER-ENG-0020 |
DONE (2025-11-28) | Implement Homebrew collector & fragment mapper per design/macos-analyzer.md §3.1. |
Scanner Guild (docs/modules/scanner) | — |
SCANNER-ENG-0021 |
DONE (2025-11-28) | Implement pkgutil receipt collector per design/macos-analyzer.md §3.2. |
Scanner Guild (docs/modules/scanner) | — |
SCANNER-ENG-0022 |
DONE (2025-11-28) | Implement macOS bundle inspector & capability overlays per design/macos-analyzer.md §3.3. |
Scanner Guild, Policy Guild (docs/modules/scanner) | — |
SCANNER-ENG-0023 |
DONE (2025-11-28) | Deliver macOS policy/offline integration per design/macos-analyzer.md §5–6. |
Scanner Guild, Offline Kit Guild, Policy Guild (docs/modules/scanner) | — |
SCANNER-ENG-0024 |
DONE (2025-11-28) | Implement Windows MSI collector per design/windows-analyzer.md §3.1. |
Scanner Guild (docs/modules/scanner) | — |
SCANNER-ENG-0025 |
DONE (2025-11-28) | Implement WinSxS manifest collector per design/windows-analyzer.md §3.2. |
Scanner Guild (docs/modules/scanner) | — |
SCANNER-ENG-0026 |
DONE (2025-11-28) | Implement Windows Chocolatey & registry collectors per design/windows-analyzer.md §3.3–3.4. |
Scanner Guild (docs/modules/scanner) | — |
SCANNER-ENG-0027 |
DONE (2025-11-28) | Deliver Windows policy/offline integration per design/windows-analyzer.md §5–6. |
Scanner Guild, Policy Guild, Offline Kit Guild (docs/modules/scanner) | — |
SCHED-SURFACE-02 |
TODO | Integrate Scheduler worker prefetch using Surface manifest reader and persist manifest pointers with rerun plans. | Scheduler Worker Guild (src/Scheduler/__Libraries/StellaOps.Scheduler.Worker) | SURFACE-FS-02, SCHED-SURFACE-01. Reference docs/modules/scanner/design/surface-fs-consumers.md §3 for implementation checklist |
ZASTAVA-SURFACE-02 |
DONE (2025-12-01) | Surface manifest CAS/sha resolver wired into Observer drift evidence with failure metrics. | Zastava Observer Guild (src/Zastava/StellaOps.Zastava.Observer) | SURFACE-FS-02, ZASTAVA-SURFACE-01. Reference docs/modules/scanner/design/surface-fs-consumers.md §4 for integration steps |
SURFACE-FS-03 |
DONE (2025-11-27) | Integrate Surface.FS writer into Scanner Worker analyzer pipeline to persist layer + entry-trace fragments. | Scanner Guild (src/Scanner/__Libraries/StellaOps.Scanner.Surface.FS) | SURFACE-FS-02 |
SURFACE-FS-04 |
DONE (2025-11-27) | Integrate Surface.FS reader into Zastava Observer runtime drift loop. | Zastava Guild (src/Scanner/__Libraries/StellaOps.Scanner.Surface.FS) | SURFACE-FS-02 |
SURFACE-FS-05 |
DONE (2025-11-27) | Expose Surface.FS pointers via Scanner WebService reports and coordinate rescan planning with Scheduler. | Scanner Guild, Scheduler Guild (src/Scanner/__Libraries/StellaOps.Scanner.Surface.FS) | SURFACE-FS-03 |
SURFACE-FS-06 |
DONE (2025-11-28) | Update scanner-engine guide and offline kit docs with Surface.FS workflow. | Docs Guild (src/Scanner/__Libraries/StellaOps.Scanner.Surface.FS) | SURFACE-FS-02..05 |
SCANNER-SURFACE-04 |
TODO | DSSE-sign every layer.fragments payload, emit _composition.json/composition.recipe URI, and persist DSSE envelopes so offline kits can replay deterministically (see docs/modules/scanner/deterministic-sbom-compose.md §2.1). |
Scanner Worker Guild (src/Scanner/StellaOps.Scanner.Worker) | SCANNER-SURFACE-01, SURFACE-FS-03 |
SURFACE-FS-07 |
TODO | Extend Surface.FS manifest schema with composition.recipe, fragment attestation metadata, and verification helpers per deterministic SBOM spec. |
Scanner Guild (src/Scanner/__Libraries/StellaOps.Scanner.Surface.FS) | SCANNER-SURFACE-04 |
SCANNER-EMIT-15-001 |
DOING (2025-12-01) | CycloneDX artifacts now carry content hash, merkle root (= recipe hash), composition recipe URI, and emit _composition.json + DSSE envelopes for recipe and layer fragments. DSSE signing is still deterministic-local; replace with real signing. |
Scanner Emit Guild (src/Scanner/__Libraries/StellaOps.Scanner.Emit) | SCANNER-SURFACE-04 |
SCANNER-SORT-02 |
DONE (2025-12-01) | Layer fragment ordering by digest implemented in ComponentGraphBuilder; determinism regression test added. | Scanner Core Guild (src/Scanner/__Libraries/StellaOps.Scanner.Core) | SCANNER-EMIT-15-001 |
SURFACE-VAL-01 |
DONE (2025-11-23) | Validation framework doc aligned with Surface.Env release and secrets schema (docs/modules/scanner/design/surface-validation.md v1.1). |
Scanner Guild, Security Guild (src/Scanner/__Libraries/StellaOps.Scanner.Surface.Validation) | SURFACE-FS-01, SURFACE-ENV-01 |
SURFACE-VAL-02 |
DONE (2025-11-23) | Validation library now enforces secrets schema, fallback/provider checks, and inline/file guardrails; tests added. | Scanner Guild (src/Scanner/__Libraries/StellaOps.Scanner.Surface.Validation) | SURFACE-VAL-01, SURFACE-ENV-02, SURFACE-FS-02 |
SURFACE-VAL-03 |
DONE (2025-11-23) | Validation runner wired into Worker/WebService startup and pre-analyzer paths (OS, language, EntryTrace). | Scanner Guild, Analyzer Guild (src/Scanner/__Libraries/StellaOps.Scanner.Surface.Validation) | SURFACE-VAL-02 |
SURFACE-VAL-04 |
DONE (2025-11-27) | Expose validation helpers to Zastava and other runtime consumers for preflight checks. | Scanner Guild, Zastava Guild (src/Scanner/__Libraries/StellaOps.Scanner.Surface.Validation) | SURFACE-VAL-02 |
SURFACE-VAL-05 |
DONE | Document validation extensibility, registration, and customization in scanner-engine guides. | Docs Guild (src/Scanner/__Libraries/StellaOps.Scanner.Surface.Validation) | SURFACE-VAL-02 |
Execution Log
| Date (UTC) | Update | Owner |
|---|---|---|
| 2025-11-27 | Added missing package references to BuildX plugin (Configuration.EnvironmentVariables, DependencyInjection, Logging); refactored to use public AddSurfaceEnvironment API instead of internal SurfaceEnvironmentFactory; build passes. SCANNER-ENV-03 DONE. | Implementer |
| 2025-11-27 | Created SurfaceFeatureFlagsConfigurator to merge Surface.Env feature flags into WebService FeatureFlagOptions.Experimental dictionary; registered configurator in Program.cs. Cache roots and feature flags now wired from Surface.Env. SCANNER-ENV-02 DONE. | Implementer |
| 2025-11-27 | Verified SURFACE-ENV-03: Scanner Worker (SCANNER-ENV-01), WebService (SCANNER-ENV-02), and BuildX (SCANNER-ENV-03) all wire Surface.Env helpers; task complete. SURFACE-ENV-03 DONE. | Implementer |
| 2025-11-27 | Added CachingSurfaceSecretProvider (deterministic TTL cache), AuditingSurfaceSecretProvider (structured audit logging), and OfflineSurfaceSecretProvider (integrity-verified offline kit support); wired into ServiceCollectionExtensions with configurable options. SURFACE-SECRETS-03 DONE. | Implementer |
| 2025-11-27 | Added Surface.Validation project references to Zastava Observer and Webhook; wired AddSurfaceValidation() in service extensions for preflight checks. SURFACE-VAL-04 DONE. | Implementer |
| 2025-11-27 | Verified Zastava Observer and Webhook already have AddSurfaceEnvironment() wired with ZASTAVA prefixes; SURFACE-ENV-04 DONE. | Implementer |
| 2025-11-27 | Added Surface.Secrets project reference to BuildX plugin; implemented TryResolveAttestationToken() to fetch attestation secrets from Surface.Secrets; Worker/WebService already had configurators for CAS/registry/attestation secrets. SURFACE-SECRETS-04 DONE. | Implementer |
| 2025-11-27 | Verified Zastava Observer/Webhook already have ObserverSurfaceSecrets/WebhookSurfaceSecrets classes using ISurfaceSecretProvider for CAS and attestation secrets. SURFACE-SECRETS-05 DONE. | Implementer |
| 2025-11-27 | SURFACE-SECRETS-06 marked BLOCKED: requires Ops Guild input on Helm/Compose patterns for Surface.Secrets provider configuration (kubernetes/file/inline). Added to Decisions & Risks. | Implementer |
| 2025-11-27 | Integrated ISurfaceManifestWriter into SurfaceManifestStageExecutor to persist manifest documents to file-system store for offline/air-gapped scenarios; build verified. SURFACE-FS-03 DONE. | Implementer |
| 2025-11-27 | Added IRuntimeSurfaceFsClient injection to RuntimePostureEvaluator, enriching drift evidence with manifest digest/artifacts/metadata; added zastava_surface_manifest_failures_total metric with reason labels. SURFACE-FS-04 DONE. |
Implementer |
| 2025-11-27 | Added TryResolveCasCredentials() to BuildX plugin using Surface.Secrets to fetch CAS access credentials; fixed attestation token resolution to use correct parser method. SCANNER-SECRETS-03 DONE. | Implementer |
| 2025-11-27 | Verified SurfacePointerService already exposes Surface.FS pointers (SurfaceManifestDocument, SurfaceManifestArtifact, manifest URI/digest) via reports endpoint. SURFACE-FS-05 DONE. | Implementer |
| 2025-11-27 | Added POST /policy/overlay endpoint for Cartographer integration: accepts graph nodes, returns deterministic overlays with sha256(tenant|nodeId|overlayKind) IDs, includes runtime evidence. Added PolicyOverlayRequestDto/ResponseDto contracts. SCANNER-GRAPH-21-001 DONE. | Implementer |
| 2025-11-27 | SCANNER-LNM-21-001 marked BLOCKED: Scanner WebService has no existing Concelier integration; requires HTTP client or shared library reference to Concelier.Core for linkset consumption. Added to Decisions & Risks. | Implementer |
| 2025-12-01 | EntryTrace NDJSON emission, runtime reconciliation, and WebService/CLI exposure completed (18-504/505/506). | EntryTrace Guild |
| 2025-12-01 | ZASTAVA-SURFACE-02: Observer resolves Surface manifest digests and cas:// URIs, enriches drift evidence with artifact metadata, and counts failures via zastava_surface_manifest_failures_total. |
Implementer |
| 2025-12-01 | SCANNER-SORT-02: ComponentGraphBuilder sorts layer fragments by digest; regression test added. | Implementer |
| 2025-12-01 | SCANNER-EMIT-15-001: CycloneDX artifacts now publish ContentHash, carry Merkle/recipe URIs, emit _composition.json + DSSE envelopes (recipe & layer.fragments), and Surface manifests reference those attestations. Real DSSE signing still pending. |
Implementer |
| 2025-12-01 | SCANNER-SORT-02 completed: ComponentGraphBuilder sorts layer fragments by digest with regression test Build_SortsLayersByDigest. | Implementer |
| 2025-12-01 | ZASTAVA-SURFACE-02: Observer now resolves Surface manifest digests and cas:// URIs, enriches drift evidence with artifact metadata, and counts failures via zastava_surface_manifest_failures_total. |
Implementer |
| 2025-11-23 | Published Security-approved Surface.Secrets schema (docs/modules/scanner/design/surface-secrets-schema.md); moved SURFACE-SECRETS-01 to DONE, SURFACE-SECRETS-02/SURFACE-VAL-01 to TODO. |
Security Guild |
| 2025-11-23 | Implemented Surface.Secrets provider chain/fallback and added DI tests; marked SURFACE-SECRETS-02 DONE. | Scanner Guild |
| 2025-11-23 | Pinned Surface.Env package version 0.1.0-alpha.20251123 and offline path in docs/modules/scanner/design/surface-env-release.md; SCANNER-ENV-03 moved to TODO. |
BuildX Plugin Guild |
| 2025-11-23 | Updated Surface.Validation doc to v1.1, binding to Surface.Env release and secrets schema; marked SURFACE-VAL-01 DONE. | Scanner Guild |
| 2025-11-23 | Strengthened Surface.Validation secrets checks (provider/fallback/inline/file root) and added unit tests; marked SURFACE-VAL-02 DONE. | Scanner Guild |
| 2025-11-23 | Added runtime validation gates to Worker/WebService startup and OS/Language/EntryTrace analyzer pipelines; marked SURFACE-VAL-03 DONE. | Scanner Guild |
| 2025-11-23 | Packed Surface.Env 0.1.0-alpha.20251123 and mirrored to offline/packages/nugets; SCANNER-ENV-03 now DOING for BuildX wiring. |
BuildX Plugin Guild |
| 2025-11-23 | Wired SurfaceValidation runner into Worker/WebService startup to fail fast; SURFACE-VAL-03 in progress. | Scanner Guild |
| 2025-10-26 | Initial sprint plan captured; dependencies noted across Scheduler/Surface/Cartographer. | Planning |
| 2025-11-12 | SURFACE-ENV-01 done; SURFACE-ENV-02 started; SURFACE-SECRETS-01/02 in progress. | Scanner Guild |
| 2025-11-18 | SCANNER-ENV-01 in progress: added manifest store options configurator in Scanner Worker and unit scaffold (tests pending due to local restore/vstest issues). | Implementer |
| 2025-11-18 | SCANNER-ENV-02 started: wired Surface manifest store options into Scanner WebService and unit scaffold added; tests pending (nuget.org restore cancelled locally). | Implementer |
| 2025-11-18 | Attempted dotnet test for Worker Surface manifest configurator; restore failed fetching StackExchange.Redis from nuget.org (network timeout); tests still pending CI. |
Implementer |
| 2025-11-18 | SCANNER-ENV-03 started: BuildX plugin now loads Surface.Env defaults (SCANNER/SURFACE prefixes) for cache root/bucket/tenant when args/env missing; tests not yet added. | Implementer |
| 2025-11-19 | Marked SCANNER-ENV-03, SURFACE-SECRETS-01/02, and SURFACE-VAL-01 BLOCKED pending Security/Surface schema approvals and published env/secrets artifacts; move back to TODO once upstream contracts land. | Implementer |
| 2025-11-28 | Created docs/modules/scanner/guides/surface-validation-extensibility.md covering custom validators, reporters, configuration, and testing; SURFACE-VAL-05 DONE. |
Implementer |
| 2025-11-28 | Created docs/modules/scanner/guides/surface-fs-workflow.md with end-to-end workflow including artefact generation, storage layout, consumption, and offline kit handling; SURFACE-FS-06 DONE. |
Implementer |
| 2025-11-28 | Created StellaOps.Scanner.Analyzers.OS.Homebrew library with HomebrewReceiptParser (INSTALL_RECEIPT.json parsing), HomebrewPackageAnalyzer (Cellar discovery for Intel/Apple Silicon), and HomebrewAnalyzerPlugin; added BuildHomebrew PURL builder, HomebrewCellar evidence source; 23 tests passing. SCANNER-ENG-0020 DONE. |
Implementer |
| 2025-11-28 | Created StellaOps.Scanner.Analyzers.OS.Pkgutil library with PkgutilReceiptParser (plist parsing), BomParser (BOM file enumeration), PkgutilPackageAnalyzer (receipt discovery from /var/db/receipts), and PkgutilAnalyzerPlugin; added BuildPkgutil PURL builder, PkgutilReceipt evidence source; 9 tests passing. SCANNER-ENG-0021 DONE. |
Implementer |
| 2025-11-28 | Created StellaOps.Scanner.Analyzers.OS.Windows.Msi library with MsiDatabaseParser (OLE compound document parser), MsiPackageAnalyzer (Windows/Installer/*.msi discovery), and MsiAnalyzerPlugin; added BuildWindowsMsi PURL builder, WindowsMsi evidence source; 22 tests passing. SCANNER-ENG-0024 DONE. |
Implementer |
| 2025-11-28 | Created StellaOps.Scanner.Analyzers.OS.Windows.WinSxS library with WinSxSManifestParser (XML assembly identity parser), WinSxSPackageAnalyzer (WinSxS/Manifests/*.manifest discovery), and WinSxSAnalyzerPlugin; added BuildWindowsWinSxS PURL builder, WindowsWinSxS evidence source; 18 tests passing. SCANNER-ENG-0025 DONE. |
Implementer |
| 2025-11-28 | Created StellaOps.Scanner.Analyzers.OS.Windows.Chocolatey library with NuspecParser (nuspec + directory name fallback), ChocolateyPackageAnalyzer (ProgramData/Chocolatey/lib discovery), and ChocolateyAnalyzerPlugin; added BuildChocolatey PURL builder, WindowsChocolatey evidence source; 44 tests passing. SCANNER-ENG-0026 DONE. |
Implementer |
| 2025-11-28 | Updated docs/modules/scanner/design/windows-analyzer.md with implementation status section documenting MSI/WinSxS/Chocolatey collector details, PURL formats, and vendor metadata schemas; registry collector deferred, policy predicates pending Policy module integration. SCANNER-ENG-0027 DONE. |
Implementer |