semi-implemented and features implemented save checkpoint

This commit is contained in:
master
2026-02-08 18:00:49 +02:00
parent 04360dff63
commit 1bf6bbf395
20895 changed files with 716795 additions and 64 deletions


@@ -0,0 +1,31 @@
# SBOM Linkage Statement (in-toto predicate)
## Module
Attestor
## Status
IMPLEMENTED
## Description
SBOM linkage statement model with SBOM descriptor (format, spec version, digest), generator info, incomplete subjects tracking, and tags for tenant/project/pipeline.
## Implementation Details
- **SBOM Linkage Statement**: `src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Statements/SbomLinkageStatement.cs` -- in-toto statement wrapping the SBOM linkage predicate.
- **SBOM Linkage Payload**: `Statements/SbomLinkagePayload.cs` -- payload containing SBOM descriptor, generator info, incomplete subjects, and tags.
- **SBOM Descriptor**: `Statements/SbomDescriptor.cs` -- descriptor with format (CycloneDX 1.6, SPDX 3.0.1), spec version, and content digest.
- **Generator Descriptor**: `Statements/GeneratorDescriptor.cs` -- metadata about the SBOM generation tool (name, version, timestamp).
- **Incomplete Subject**: `Statements/IncompleteSubject.cs` -- tracks subjects that could not be fully resolved during SBOM generation (missing digests, unresolved PURLs).
- **Statement Builder**: `Builders/StatementBuilder.cs` (with `.Extended`) -- builds SBOM linkage statements with proper subject bindings.
- **Proof Subject**: `Builders/ProofSubject.cs` -- subject with name and digest map for the SBOM linkage.
- **DSSE Signing**: `Signing/ProofChainSigner.cs` -- signs SBOM linkage statements.
- **Tests**: `__Tests/StellaOps.Attestor.ProofChain.Tests/SbomLinkageTests.cs`
## E2E Test Plan
- [ ] Create an `SbomLinkageStatement` with a CycloneDX SBOM descriptor and verify the statement structure
- [ ] Verify `SbomDescriptor` captures format="CycloneDX", specVersion="1.6", and the SHA-256 digest of the SBOM document
- [ ] Verify `GeneratorDescriptor` captures the tool name, version, and generation timestamp
- [ ] Add `IncompleteSubject` entries for unresolved components and verify they are tracked in the payload
- [ ] Build the statement via `StatementBuilder` with subject bindings and verify the in-toto subject list
- [ ] Sign the SBOM linkage statement into a DSSE envelope and verify the signature
- [ ] Add tags (tenant, project, pipeline) to the payload and verify they are present in the signed statement
- [ ] Create an SPDX linkage statement and verify the format field is "SPDX" with specVersion="3.0.1"
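Review bot: the "## Status" section declares IMPLEMENTED while every item in "## E2E Test Plan" is still unchecked, so the document contradicts itself on whether the SBOM linkage statement, DSSE signing and tag propagation have actually been verified; either tick the items that `SbomLinkageTests.cs` already covers or change the status to reflect that verification is pending. The plan also only lists positive cases: the `SbomDescriptor` item should pair "verify the SHA-256 digest" with a check that a statement whose digest does not match the SBOM content is rejected, and the DSSE item should add a tampered-payload case so "verify the signature" exercises failure as well as success. Minor: the file paths in "## Implementation Details" mix a full path (`src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Statements/SbomLinkageStatement.cs`) with bare relative ones (`Statements/SbomLinkagePayload.cs`, `Builders/StatementBuilder.cs`); state once that the relative paths are under the ProofChain library root.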