- Added `PolicyFindings` property to `SbomCompositionRequest` to include policy findings in SBOM.
- Implemented `NormalizePolicyFindings` method to process and validate policy findings.
- Updated `SbomCompositionRequest.Create` method to accept policy findings as an argument.
- Upgraded CycloneDX.Core package from version 5.1.0 to 10.0.1.
- Marked several tasks as DONE in TASKS.md, reflecting completion of SBOM-related features.
- Introduced telemetry metrics for Go analyzer to track heuristic fallbacks.
- Added performance benchmarks for .NET and Go analyzers.
- Created new test fixtures for .NET applications, including dependencies and runtime configurations.
- Added licenses and nuspec files for logging and toolkit packages used in tests.
- Implemented `SbomPolicyFinding` record to encapsulate policy finding details and normalization logic.
Scanner Analyzer Microbench Harness
The bench harness exercises the language analyzers against representative filesystem layouts so that regressions are caught before they ship.
Layout
- StellaOps.Bench.ScannerAnalyzers/ – .NET 10 console harness that executes the real language analyzers (and fallback metadata walks for ecosystems that are still underway).
- config.json – Declarative list of scenarios the harness executes. Each scenario points at a directory in samples/.
- baseline.csv – Reference numbers captured on the 4 vCPU warm rig described in docs/12_PERFORMANCE_WORKBOOK.md. CI publishes fresh CSVs so perf trends stay visible.
Current scenarios
- node_monorepo_walk → runs the Node analyzer across samples/runtime/npm-monorepo.
- java_demo_archive → runs the Java analyzer against samples/runtime/java-demo/libs/demo.jar.
- python_site_packages_walk → temporary metadata walk over samples/runtime/python-venv until the Python analyzer lands.
Running locally
dotnet run \
  --project bench/Scanner.Analyzers/StellaOps.Bench.ScannerAnalyzers/StellaOps.Bench.ScannerAnalyzers.csproj \
  -- \
  --repo-root . \
  --out bench/Scanner.Analyzers/baseline.csv
The harness prints a table to stdout and writes the CSV (if --out is specified) with the following headers:
scenario,iterations,sample_count,mean_ms,p95_ms,max_ms
Use --iterations to override the default (5 passes per scenario) and --threshold-ms to customize the failure budget. Budgets default to 5 000 ms (or per-scenario overrides in config.json), aligned with the SBOM compose objective.
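One way a CI step could compare a freshly published CSV against baseline.csv, as an added example that is not part of the StellaOps harness. The 20% p95 tolerance, the choice to check the budget against max_ms, and all sample rows are assumptions made for illustration.

```python
import csv
import io

BUDGET_MS = 5000.0       # default budget stated in the README
REGRESSION_RATIO = 1.20  # assumption: flag p95 growth above 20% of baseline

# Constructed sample data using the harness's CSV headers (values are invented).
BASELINE_CSV = """scenario,iterations,sample_count,mean_ms,p95_ms,max_ms
node_monorepo_walk,5,4,10.0,12.0,14.0
java_demo_archive,5,1,4.0,5.0,6.0
python_site_packages_walk,5,3,20.0,25.0,30.0
"""
FRESH_CSV = """scenario,iterations,sample_count,mean_ms,p95_ms,max_ms
node_monorepo_walk,5,4,10.5,12.5,15.0
java_demo_archive,5,1,7.0,9.0,5200.0
"""

def load(text):
    """Parse harness CSV text into {scenario: row}, with timings as floats."""
    rows = {}
    for row in csv.DictReader(io.StringIO(text)):
        for key in ("mean_ms", "p95_ms", "max_ms"):
            row[key] = float(row[key])
        rows[row["scenario"]] = row
    return rows

def compare(baseline_text, fresh_text, budget_ms=BUDGET_MS, ratio=REGRESSION_RATIO):
    """Return sorted (scenario, reason) findings; an empty list means pass."""
    baseline, fresh = load(baseline_text), load(fresh_text)
    findings = []
    for name, base in baseline.items():
        cur = fresh.get(name)
        if cur is None:
            # A scenario that silently disappears would hide a regression.
            findings.append((name, "missing from fresh run"))
            continue
        # Assumption: the budget is checked against the slowest sample.
        if cur["max_ms"] > budget_ms:
            findings.append((name, "max_ms over budget"))
        if base["p95_ms"] > 0 and cur["p95_ms"] > base["p95_ms"] * ratio:
            findings.append((name, "p95_ms regressed vs baseline"))
    for name in fresh.keys() - baseline.keys():
        findings.append((name, "no baseline recorded"))
    return sorted(findings)

if __name__ == "__main__":
    for scenario, reason in compare(BASELINE_CSV, FRESH_CSV):
        print(f"{scenario}: {reason}")
```

Treating a missing scenario as a finding keeps a dropped fixture or renamed id from passing the gate unnoticed.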
Adding scenarios
- Drop the fixture tree under samples/<area>/....
- Append a new scenario entry to config.json describing:
  - id – snake_case scenario name (also used in CSV).
  - label – human-friendly description shown in logs.
  - root – path to the directory that will be scanned.
  - For analyzer-backed scenarios, set analyzers to the list of language analyzer ids (for example, ["node"]).
  - For temporary metadata walks (used until the analyzer ships), provide parser (node or python) and the matcher glob describing files to parse.
- Re-run the harness (dotnet run … --out baseline.csv).
- Commit both the fixture and updated baseline.