git.stella-ops.org/devops/services/scanner-java/release-plan.md

Java Analyzer Release Plan (DEVOPS-SCANNER-JAVA-21-011-REL)

Goal

Publish the Java analyzer plug-in with signed artifacts and offline-ready bundles for CLI/Offline Kit.

Inputs

• Analyzer JAR(s) + native helpers from dev task 21-011.
• SBOM (SPDX JSON) for plugin + native components.
• Test suite outputs (unit + integration).

Artifacts

• OCI image (optional) or zip bundle containing:
  • analyzer.jar
  • lib/ natives (if any)
  • LICENSE, NOTICE
  • SBOM (spdx.json)
  • SIGNATURES (cosign/PGP)
• Cosign attestations for OCI/zip (provenance + SBOM).
• Checksums: SHA256SUMS, SHA256SUMS.sig.
• Offline kit slice: tarball with bundle + attestations + SBOM.

Pipeline steps

1. Build: run gradle/mvn with --offline using vendored deps; produce JAR + natives.
2. SBOM: syft packages -o spdx-json over build output.
3. Package: zip bundle with fixed ordering (zip -X) and normalized timestamps (SOURCE_DATE_EPOCH).
4. Sign:
   • cosign sign blob (zip) and/or image.
   • generate in-toto provenance (SLSA level 1) referencing git commit + toolchain hashes.
5. Checksums: create SHA256SUMS and sign with cosign/PGP.
6. Verify stage: pipeline step runs cosign verify-blob, sha256sum --check, and syft validate spdx.
7. Publish:
   • Upload to artifact store (release bucket) with metadata (version, commit, digest).
   • Produce offline kit slice tarball (scanner-java-<ver>-offline.tgz) containing bundle, SBOM, attestations, checksums.

Security/hardening

• Non-root build container; disable gradle/mvn network (--offline).
• Strip debug info unless required; ensure reproducible JAR (sorted entries, normalized timestamps).
• Telemetry disabled.

Evidence to capture

• Bundle SHA256, cosign signatures, provenance statement.
• SBOM hash.
• Verification logs from pipeline.

Owners

• Build/pipeline: DevOps Guild
• Signing policy: Platform Security
• Consumer integration: CLI Guild / Offline Kit Guild