stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 1 Releases Wiki Activity
Files
c72621c71afae3b0c74687dc0ff58b8438b45bc7
git.stella-ops.org/bench/Scanner.Analyzers/lang/README.md
master c72621c71a
Some checks failed
Docs CI / lint-and-preview (push) Has been cancelled
Details
feat: Enhance SBOM composition with policy findings and update CycloneDX package 
- Added `PolicyFindings` property to `SbomCompositionRequest` to include policy findings in SBOM.
- Implemented `NormalizePolicyFindings` method to process and validate policy findings.
- Updated `SbomCompositionRequest.Create` method to accept policy findings as an argument.
- Upgraded CycloneDX.Core package from version 5.1.0 to 10.0.1.
- Marked several tasks as DONE in TASKS.md, reflecting completion of SBOM-related features.
- Introduced telemetry metrics for Go analyzer to track heuristic fallbacks.
- Added performance benchmarks for .NET and Go analyzers.
- Created new test fixtures for .NET applications, including dependencies and runtime configurations.
- Added licenses and nuspec files for logging and toolkit packages used in tests.
- Implemented `SbomPolicyFinding` record to encapsulate policy finding details and normalization logic.
2025-10-23 07:57:27 +03:00

2.1 KiB
Raw Blame History

Scanner Language Analyzer Benchmarks

This directory will capture benchmark results for language analyzers (Node, Python, Go, .NET, Rust).

Pending tasks:

  • LA1: Node analyzer microbench CSV + flamegraph.
  • LA2: Python hash throughput CSV.
  • LA3: Go build info extraction benchmarks.
  • LA4: .NET RID dedupe performance matrix.
  • LA5: Rust heuristic coverage comparisons.

Results should be committed as deterministic CSV/JSON outputs with accompanying methodology notes.

Sprint LA3 — Go Analyzer Benchmark Notes (2025-10-22)

  • Scenario go_buildinfo_fixture captures our Go analyzer running against the basic build-info fixture. The Oct23baseline (baseline.csv) shows a mean duration of 35.03ms (p95136.55ms, max170.16ms) over 5 iterations on the current rig; earlier Oct21 measurement recorded 4.02ms mean when the analyzer was profiled on the warm perf runner.
  • Comparative run against Syft v1.29.1 on the same fixture (captured 2025-10-21) reported a mean of 5.18ms (p9518.64ms, max23.51ms); raw measurements live in go/syft-comparison-20251021.csv.
  • Bench command (from repo root):
    dotnet run --project bench/Scanner.Analyzers/StellaOps.Bench.ScannerAnalyzers/StellaOps.Bench.ScannerAnalyzers.csproj -- --config bench/Scanner.Analyzers/config.json --out bench/Scanner.Analyzers/baseline.csv

Sprint LA4 — .NET Analyzer Benchmark Notes (2025-10-23)

  • Scenario dotnet_multirid_fixture exercises the .NET analyzer against the multi-RID test fixture that merges two applications and four runtime identifiers. Latest baseline run (Release build, 5 iterations) records a mean duration of 29.19ms (p95106.62ms, max132.30ms) with a stable component count of 2.
  • Syft v1.29.1 scanning the same fixture (syft scan dir:…) averaged 1546ms (p95≈2100ms, max≈2100ms) while also reporting duplicate packages; raw numbers captured in dotnet/syft-comparison-20251023.csv.
  • The new scenario is declared in bench/Scanner.Analyzers/config.json; rerun the bench command above after rebuilding analyzers to refresh baselines and comparison data.