docs consolidation work
This commit is contained in:
StellaOps Bot
48
docs/modules/sbomservice/README.md
Normal file
48
docs/modules/sbomservice/README.md
Normal file
@@ -0,0 +1,48 @@
|
||||
# SbomService
|
||||
|
||||
**Status:** Implemented
|
||||
**Source:** `src/SbomService/`
|
||||
**Owner:** Scanner Guild
|
||||
|
||||
## Purpose
|
||||
|
||||
SbomService provides SBOM storage, versioning, and lineage tracking. Maintains the canonical SBOM repository with support for SPDX 3.0.1 and CycloneDX 1.6 formats, including temporal queries and dependency graph analysis.
|
||||
|
||||
## Components
|
||||
|
||||
**Services:**
|
||||
- `StellaOps.SbomService` - Main SBOM service with API and business logic
|
||||
|
||||
**Libraries:**
|
||||
- `StellaOps.SbomService.Storage.Postgres` - PostgreSQL storage adapter for SBOM persistence
|
||||
- `StellaOps.SbomService.Storage.Postgres.Tests` - Storage layer integration tests
|
||||
|
||||
## Configuration
|
||||
|
||||
Configuration is embedded in the service module settings.
|
||||
|
||||
Key settings:
|
||||
- PostgreSQL connection (schema: `sbom_service`)
|
||||
- Authority integration
|
||||
- SBOM format support (SPDX, CycloneDX)
|
||||
- Versioning and lineage policies
|
||||
- Retention settings
|
||||
|
||||
## Dependencies
|
||||
|
||||
- PostgreSQL (schema: `sbom_service`)
|
||||
- Authority (authentication)
|
||||
- Scanner (SBOM generation source)
|
||||
- Attestor (SBOM attestation integration)
|
||||
- ExportCenter (SBOM export and distribution)
|
||||
|
||||
## Related Documentation
|
||||
|
||||
- Architecture: `./architecture.md`
|
||||
- Scanner: `../scanner/`
|
||||
- Attestor: `../attestor/`
|
||||
- Data Schemas: `../../11_DATA_SCHEMAS.md`
|
||||
|
||||
## Current Status
|
||||
|
||||
Implemented with PostgreSQL storage backend. Supports SBOM ingestion, versioning, and lineage tracking. Provides API for SBOM queries and temporal analysis.
|
||||
@@ -44,7 +44,7 @@ Operational rules:
|
||||
## 3) APIs (first wave)
|
||||
- `GET /sbom/paths?purl=...&artifact=...&scope=...&env=...` — returns ordered paths with runtime_flag/blast_radius and nearest-safe-version hint; supports `cursor` pagination.
|
||||
- `GET /sbom/versions?artifact=...` – time-ordered SBOM version timeline for Advisory AI; include provenance and source bundle hash.
|
||||
- `POST /sbom/upload` – BYOS upload endpoint; validates/normalizes SPDX 2.3/3.0 or CycloneDX 1.4–1.7 and registers a ledger version.
|
||||
- `POST /sbom/upload` – BYOS upload endpoint; validates/normalizes SPDX 2.3/3.0.1 or CycloneDX 1.4–1.7 and registers a ledger version.
|
||||
- `GET /sbom/ledger/history` – list version history for an artifact (cursor pagination).
|
||||
- `GET /sbom/ledger/point` – resolve the SBOM version at a specific timestamp.
|
||||
- `GET /sbom/ledger/range` – query versions within a time range.
|
||||
@@ -77,7 +77,7 @@ Operational rules:
|
||||
- See `docs/modules/sbomservice/byos-ingestion.md` for supported formats and troubleshooting.
|
||||
|
||||
## 4) Ingestion & orchestrator integration
|
||||
- Ingest sources: Scanner pipeline (preferred) or uploaded SPDX 2.3/3.0 and CycloneDX 1.4–1.6 bundles.
|
||||
- Ingest sources: Scanner pipeline (preferred) or uploaded SPDX 2.3/3.0.1 and CycloneDX 1.4–1.7 bundles.
|
||||
- Orchestrator: register SBOM ingest/index jobs; worker SDK emits artifact hash + job metadata; honor pause/throttle; report backpressure metrics; support watermark-based backfill for idempotent replays.
|
||||
- Idempotency: combine `(tenant, artifactDigest, sbomVersion)` as primary key; duplicate ingests short-circuit.
|
||||
|
||||
|
||||
Reference in New Issue
Block a user