stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 16 Releases Wiki Activity

feat: add PolicyPackSelectorComponent with tests and integration

Browse Source 
- Implemented PolicyPackSelectorComponent for selecting policy packs.
- Added unit tests for component behavior, including API success and error handling.
- Introduced monaco-workers type declarations for editor workers.
- Created acceptance tests for guardrails with stubs for AT1–AT10.
- Established SCA Failure Catalogue Fixtures for regression testing.
- Developed plugin determinism harness with stubs for PL1–PL10.
- Added scripts for evidence upload and verification processes.
This commit is contained in:
StellaOps Bot
2025-12-05 21:24:34 +02:00
parent 347c88342c
commit 18d87c64c5
220 changed files with 7700 additions and 518 deletions
Download Patch File Download Diff File Expand all files Collapse all files

25
docs/scripts/sbom-vex/chain-hash-recipe.md Normal file
View File

@@ -0,0 +1,25 @@
# SBOM→VEX Chain Hash Recipe (Stub)
Use with sprint task 6 (SBOM-VEX-GAPS-300-013).
- Inputs: sorted SBOM documents, VEX statements, DSSE envelopes, Rekor bundle snapshot.
- Hashing: deterministic ordering (UTF-8, LF), SHA-256 over concatenated canonical JSON.
- Chain: derive cumulative hash for (SBOM → DSSE → Rekor → VEX) and store in proof manifest.
- Offline: no network; bundle Rekor root + snapshot; include `inputs.lock` with tool versions.
Example (stub):
```bash
sbom_files=(sbom.json)
vex_files=(vex.json)
dsse=envelope.dsse
rekor=rekor-bundle.json
cat "${sbom_files[@]}" | jq -S . > /tmp/sbom.canon
cat "${vex_files[@]}" | jq -S . > /tmp/vex.canon
cat "$dsse" | jq -S . > /tmp/dsse.canon
cat "$rekor" | jq -S . > /tmp/rekor.canon
cat /tmp/sbom.canon /tmp/dsse.canon /tmp/rekor.canon /tmp/vex.canon | sha256sum | awk '{print $1}' > proof.chainhash
echo "chain-hash: $(cat proof.chainhash)"
```

33
docs/scripts/sbom-vex/verify.sh Normal file
View File

@@ -0,0 +1,33 @@
#!/usr/bin/env bash
set -euo pipefail
# Offline verifier stub for SBOM -> VEX proof bundles.
# Expected inputs: path to DSSE envelope, Rekor log snapshot, and bundled trust roots.
if [ "$#" -lt 4 ]; then
echo "usage: $0 <sbom.json> <vex.json> <dsse.envelope> <rekor-bundle.json>" >&2
exit 1
fi
SBOM="$1"
VEX="$2"
DSSE="$3"
REKOR="$4"
if ! command -v jq >/dev/null; then
echo "jq is required (offline-capable)." >&2
exit 2
fi
echo "[stub] canonicalising inputs..." >&2
tmpdir=$(mktemp -d)
trap 'rm -rf "$tmpdir"' EXIT
jq -S . "$SBOM" > "$tmpdir/sbom.canon"
jq -S . "$VEX" > "$tmpdir/vex.canon"
jq -S . "$DSSE" > "$tmpdir/dsse.canon"
jq -S . "$REKOR" > "$tmpdir/rekor.canon"
cat "$tmpdir/sbom.canon" "$tmpdir/dsse.canon" "$tmpdir/rekor.canon" "$tmpdir/vex.canon" | sha256sum | awk '{print $1}' > "$tmpdir/proof.hash"
echo "chain-hash (sbom+dsse+rekor+vex): $(cat "$tmpdir/proof.hash")"
echo "[stub] verify DSSE signatures and Rekor inclusion separately; add manifests to DSSE envelope for full proof"