git.stella-ops.org/src/StellaOps.Scanner.Emit/TASKS.md
2025-10-19 00:28:48 +03:00

# Scanner Emit Task Board (Sprint 10)

| ID | Status | Owner(s) | Depends on | Description | Exit Criteria |
|----|--------|----------|------------|-------------|---------------|
| SCANNER-EMIT-10-601 | TODO | Emit Guild | SCANNER-CACHE-10-101 | Compose inventory SBOM (CycloneDX JSON/Protobuf) from layer fragments with deterministic ordering. | Inventory SBOM validated against schema; fixtures confirm deterministic output. |
| SCANNER-EMIT-10-602 | TODO | Emit Guild | SCANNER-EMIT-10-601 | Compose usage SBOM leveraging EntryTrace to flag actual usage; ensure separate view toggles. | Usage SBOM tests confirm correct subset; API contract documented. |
| SCANNER-EMIT-10-603 | TODO | Emit Guild | SCANNER-EMIT-10-601 | Generate BOM index sidecar (purl table + roaring bitmap + usedByEntrypoint flag). | Index format validated; query helpers proven; stored artifacts hashed deterministically. |
| SCANNER-EMIT-10-604 | TODO | Emit Guild | SCANNER-EMIT-10-602 | Package artifacts for export + attestation (naming, compression, manifests). | Export pipeline produces deterministic file paths/hashes; integration test with storage passes. |
| SCANNER-EMIT-10-605 | TODO | Emit Guild | SCANNER-EMIT-10-603 | Emit BOM-Index sidecar schema/fixtures (bom-index@1) and note CRITICAL PATH for Scheduler. | Schema + fixtures in docs/artifacts/bom-index; tests BOMIndexGoldenIsStable green. |
| SCANNER-EMIT-10-606 | TODO | Emit Guild | SCANNER-EMIT-10-605 | Integrate EntryTrace usage flags into BOM-Index; document semantics. | Usage bits present in sidecar; integration tests with EntryTrace fixtures pass. |
| SCANNER-EMIT-17-701 | TODO | Emit Guild, Native Analyzer Guild | SCANNER-EMIT-10-602 | Record GNU build-id for ELF components and surface it in inventory/usage SBOM plus diff payloads with deterministic ordering. | Native analyzer emits buildId for every ELF executable/library; SBOM/diff fixtures updated with canonical buildId field; regression tests prove stability; docs call out debug-symbol lookup flow. |
| SCANNER-EMIT-10-607 | TODO | Emit Guild | SCANNER-EMIT-10-604, POLICY-CORE-09-005 | Embed scoring inputs, confidence band, and quietedBy provenance into CycloneDX 1.6 and DSSE predicates; verify deterministic serialization. | SBOM/attestation fixtures include score, inputs, configVersion, quiet metadata; golden tests confirm canonical output. |