git.stella-ops.org/docs/modules/sbomservice/prep/2025-11-22-prep-sbom-service-guild-cartographer-ob.md
StellaOps Bot b6b9ffc050
Add PHP Analyzer Plugin and Composer Lock Data Handling
- Implemented the PhpAnalyzerPlugin to analyze PHP projects.
- Created ComposerLockData class to represent data from composer.lock files.
- Developed ComposerLockReader to load and parse composer.lock files asynchronously.
- Introduced ComposerPackage class to encapsulate package details.
- Added PhpPackage class to represent PHP packages with metadata and evidence.
- Implemented PhpPackageCollector to gather packages from ComposerLockData.
- Created PhpLanguageAnalyzer to perform analysis and emit results.
- Added capability signals for known PHP frameworks and CMS.
- Developed unit tests for the PHP language analyzer and its components.
- Included sample composer.lock and expected output for testing.
- Updated project files for the new PHP analyzer library and tests.
2025-11-22 14:02:49 +02:00


SBOM Service Prep — PREP-SBOM-SERVICE-GUILD-CARTOGRAPHER-GUILD-OB

Status: Published (2025-11-22)

Owners: SBOM Service Guild · Cartographer Guild · Observability Guild · Zastava Observer/Webhook Guilds · Security Guild

Scope: Capture a single readiness note for the Runtime & Signals wave (0140) so SBOM-SERVICE-21-001..004 and SBOM-AIAI-31-001/002 can start once fixtures and AirGap approvals land.

Current inputs (as of 2025-11-22)

  • Link-Not-Merge v1 projection schema frozen on 2025-11-17 (per Sprint 0140 decisions); JSON fixtures have not been published.
  • Mock surface bundle v1 exists; real scanner cache ETA is still outstanding, so Graph/Zastava cannot validate parity yet.
  • CAS/provenance decisions are tracked under docs/signals/cas-promotion-24-002.md and docs/signals/provenance-24-003.md; SBOM events must align with these provenance fields.

Outstanding blockers to flip SBOM wave to DOING

  • Publish LNM v1 JSON fixtures with hash list to docs/modules/sbomservice/fixtures/lnm-v1/ plus SHA256SUMS. Owners: Concelier Core · Cartographer Guild.
  • Run AirGap parity review for /sbom/paths, /sbom/versions, and /sbom/events; template and minutes location published at docs/modules/sbomservice/runbooks/airgap-parity-review.md. Owner: Observability Guild with SBOM Service Guild.
  • Confirm scanner cache drop timeline and hash for the real surface cache; mirror in sprint 0140 tracker once published. Owner: Scanner Guild.

Ready-to-start checklist for SBOM-SERVICE-21-001..004

  • Verify fixtures landed at the path above and match the frozen field list; add deterministic fixture IDs to tests.
  • Emit projection change events with schema version and fixture set hash; expose counters and optional OTEL traces behind config.
  • Provide observability baselines (dashboards/alerts) for path/timeline endpoints with latency and error-rate SLOs.
  • Document tenant scoping and add-only evolution in API reference before exposing to Console and Advisory AI consumers.
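
The fixture verification step and the fixture set hash from the checklist above, sketched as an added example (not StellaOps code): it checks a fixture directory against its SHA256SUMS manifest, flags missing, unlisted and altered files, and derives a set hash. The set-hash construction, the function names and the two sample files are assumptions made for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

def parse_sha256sums(text):
    # Accepts sha256sum lines: "<hex>  <name>" (text) or "<hex> *<name>" (binary).
    entries = {}
    for line in filter(str.strip, text.splitlines()):
        digest, name = line.split(maxsplit=1)
        entries[name.lstrip("*")] = digest.lower()
    return entries

def verify_fixtures(fixture_dir, manifest="SHA256SUMS"):
    root = Path(fixture_dir)
    expected = parse_sha256sums((root / manifest).read_text())
    actual = {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
              for p in root.rglob("*") if p.is_file() and p.name != manifest}
    problems = []
    for name in sorted(expected.keys() | actual.keys()):
        if name not in actual:
            problems.append(f"missing: {name}")
        elif name not in expected:
            problems.append(f"unlisted: {name}")  # present on disk, absent from manifest
        elif expected[name] != actual[name]:
            problems.append(f"mismatch: {name}")
    # Assumed set-hash definition: SHA-256 over sorted "<digest>  <name>\n" lines.
    canon = "".join(f"{actual[n]}  {n}\n" for n in sorted(actual))
    return problems, hashlib.sha256(canon.encode()).hexdigest()

def demo():
    # Constructed two-file fixture set; file names and contents are made up.
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        files = {"paths.json": b'{"schema":"lnm-v1"}\n', "versions.json": b"[]\n"}
        for name, data in files.items():
            (root / name).write_bytes(data)
        (root / "SHA256SUMS").write_text("".join(
            f"{hashlib.sha256(d).hexdigest()}  {n}\n" for n, d in files.items()))
        clean, before = verify_fixtures(root)
        (root / "versions.json").write_bytes(b"[1]\n")  # drift after publication
        (root / "extra.json").write_bytes(b"{}\n")      # file never listed
        dirty, after = verify_fixtures(root)
        return clean, dirty, before != after

if __name__ == "__main__":
    print(demo())
```

Treating unlisted files as failures, not only digest mismatches, keeps a test run from silently picking up a fixture that was never part of the published set.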

Evidence

  • This prep note: docs/modules/sbomservice/prep/2025-11-22-prep-sbom-service-guild-cartographer-ob.md.
  • Blocker detail mirrored in docs/implplan/SPRINT_0140_0001_0001_runtime_signals.md Delivery Tracker and Decisions & Risks.

Exit criteria

  • LNM v1 fixtures and AirGap review minutes committed and linked in sprints 0140 and 0142.
  • Sprint 0140 SBOM wave can move from BLOCKED to DOING with cache ETA recorded.