stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity
Files
b851aa8300b7febfb2e661443c8e39df13fa4e22
git.stella-ops.org/docs/features/checked/scanner/runtime-static-sbom-reconciliation.md
master e9aeadc040 save checkpoint
2026-02-14 09:11:48 +02:00

2.2 KiB
Raw Blame History

Runtime-Static SBOM Reconciliation

Module

Scanner

Status

VERIFIED

Description

Reconciles runtime process snapshots (from /proc filesystem) against static SBOM analysis to identify discrepancies between declared and actually-loaded libraries. Detects ghost libraries (loaded at runtime but missing from SBOM) and phantom libraries (in SBOM but not loaded).

Implementation Details

  • Runtime Reconciliation:
    • src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace/Runtime/EntryTraceRuntimeReconciler.cs - EntryTraceRuntimeReconciler reconciles runtime process snapshots against static SBOM analysis, detecting ghost libraries (runtime-only) and phantom libraries (SBOM-only)
  • Process Snapshots:
    • src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace/Runtime/ProcFileSystemSnapshot.cs - Collects runtime process state from /proc filesystem
    • src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace/Runtime/ProcProcess.cs - Model for runtime processes
    • src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace/Runtime/ProcGraph.cs - Process dependency graph
    • src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace/Runtime/ProcGraphBuilder.cs - Builds process graphs from snapshots
  • Runtime-Static Merge:
    • src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Runtime/RuntimeStaticMerger.cs - RuntimeStaticMerger merges runtime observations with static analysis for comprehensive views

E2E Test Plan

  • Reconcile runtime process snapshots against static SBOM and verify ghost libraries (loaded at runtime but missing from SBOM) are detected
  • Verify phantom libraries (declared in SBOM but not loaded at runtime) are identified
  • Verify matching libraries (present in both runtime and SBOM) are confirmed as consistent
  • Verify the reconciliation report includes library name, version, and source (runtime vs static) for each discrepancy
  • Verify runtime-static merge correctly augments static reachability analysis with runtime-confirmed paths

Verification

Check Result
Tier 0 - Source files exist PASS
Tier 1 - Build + code review PASS
Tier 2 - Integration tests PASS
Verified 2026-02-13T18:10:00Z