# Runtime-Static SBOM Reconciliation

## Module

Scanner

## Status

IMPLEMENTED

## Description

Reconciles runtime process snapshots (taken from the /proc filesystem) against static SBOM analysis to identify discrepancies between declared and actually-loaded libraries. Detects ghost libraries (loaded at runtime but missing from the SBOM) and phantom libraries (present in the SBOM but never loaded).

## Implementation Details

- **Runtime Reconciliation**:
  - `src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace/Runtime/EntryTraceRuntimeReconciler.cs` - `EntryTraceRuntimeReconciler` reconciles runtime process snapshots against static SBOM analysis, detecting ghost libraries (runtime-only) and phantom libraries (SBOM-only)
- **Process Snapshots**:
  - `src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace/Runtime/ProcFileSystemSnapshot.cs` - Collects runtime process state from the /proc filesystem
  - `src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace/Runtime/ProcProcess.cs` - Model for runtime processes
  - `src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace/Runtime/ProcGraph.cs` - Process dependency graph
  - `src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace/Runtime/ProcGraphBuilder.cs` - Builds process graphs from snapshots
- **Runtime-Static Merge**:
  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Runtime/RuntimeStaticMerger.cs` - `RuntimeStaticMerger` merges runtime observations with static analysis into a single combined view

## E2E Test Plan

- [ ] Reconcile runtime process snapshots against the static SBOM and verify ghost libraries (loaded at runtime but missing from the SBOM) are detected
- [ ] Verify phantom libraries (declared in the SBOM but not loaded at runtime) are identified
- [ ] Verify matching libraries (present in both runtime and SBOM) are confirmed as consistent
- [ ] Verify the reconciliation report includes library name, version, and source (runtime vs static) for each discrepancy
- [ ] Verify the runtime-static merge correctly augments static reachability analysis with runtime-confirmed paths