2.0 KiB
2.0 KiB
Runtime-Static SBOM Reconciliation
Module
Scanner
Status
IMPLEMENTED
Description
Reconciles runtime process snapshots (from /proc filesystem) against static SBOM analysis to identify discrepancies between declared and actually-loaded libraries. Detects ghost libraries (loaded at runtime but missing from SBOM) and phantom libraries (in SBOM but not loaded).
Implementation Details
- Runtime Reconciliation:
src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace/Runtime/EntryTraceRuntimeReconciler.cs-EntryTraceRuntimeReconcilerreconciles runtime process snapshots against static SBOM analysis, detecting ghost libraries (runtime-only) and phantom libraries (SBOM-only)
- Process Snapshots:
src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace/Runtime/ProcFileSystemSnapshot.cs- Collects runtime process state from /proc filesystemsrc/Scanner/__Libraries/StellaOps.Scanner.EntryTrace/Runtime/ProcProcess.cs- Model for runtime processessrc/Scanner/__Libraries/StellaOps.Scanner.EntryTrace/Runtime/ProcGraph.cs- Process dependency graphsrc/Scanner/__Libraries/StellaOps.Scanner.EntryTrace/Runtime/ProcGraphBuilder.cs- Builds process graphs from snapshots
- Runtime-Static Merge:
src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Runtime/RuntimeStaticMerger.cs-RuntimeStaticMergermerges runtime observations with static analysis for comprehensive views
E2E Test Plan
- Reconcile runtime process snapshots against static SBOM and verify ghost libraries (loaded at runtime but missing from SBOM) are detected
- Verify phantom libraries (declared in SBOM but not loaded at runtime) are identified
- Verify matching libraries (present in both runtime and SBOM) are confirmed as consistent
- Verify the reconciliation report includes library name, version, and source (runtime vs static) for each discrepancy
- Verify runtime-static merge correctly augments static reachability analysis with runtime-confirmed paths