semi-implemented and features implemented save checkpoint

This commit is contained in: master
2026-02-08 18:00:49 +02:00
parent 04360dff63
commit 1bf6bbf395
20895 changed files with 716795 additions and 64 deletions


@@ -0,0 +1,32 @@
# SBOM Spine (Image to SBOM to DSSE to Transparency Log)
## Module
Attestor
## Status
IMPLEMENTED
## Description
The full SBOM spine (SBOM generation in CycloneDX/SPDX, DSSE signing, Rekor transparency log integration) is implemented.
## Implementation Details
- **SBOM Linkage Statement**: `src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Statements/SbomLinkageStatement.cs` -- in-toto statement linking image digest to SBOM. `SbomLinkagePayload.cs` -- linkage payload.
- **SBOM Descriptor**: `Statements/SbomDescriptor.cs` -- SBOM format, spec version, and content digest.
- **CycloneDX Writer**: `__Libraries/StellaOps.Attestor.StandardPredicates/Writers/CycloneDxWriter.cs` (with partials) -- generates CycloneDX SBOMs.
- **SPDX Writer**: `Writers/SpdxWriter.cs` (with partials) -- generates SPDX SBOMs.
- **DSSE Signing**: `__Libraries/StellaOps.Attestor.ProofChain/Signing/ProofChainSigner.cs` -- signs SBOM linkage statements into DSSE envelopes.
- **Rekor Submission**: `StellaOps.Attestor.Core/Rekor/RekorSubmissionService.cs` -- submits signed SBOM attestations to Rekor.
- **Proof Spine**: `Assembly/ProofSpineRequest.cs`, `ProofSpineResult.cs` -- assembles SBOM attestation into proof spine with Merkle root.
- **OCI Attachment**: `__Libraries/StellaOps.Attestor.Oci/Services/SbomOciPublisher.cs` -- publishes SBOM as OCI referrer.
- **Persistence**: `__Libraries/StellaOps.Attestor.Persistence/Entities/SbomEntryEntity.cs` -- persists SBOM entries. `RekorEntryEntity.cs` -- persists Rekor entries.
- **Tests**: `__Tests/StellaOps.Attestor.ProofChain.Tests/SbomSpineTests.cs`
## E2E Test Plan
- [ ] Generate a CycloneDX SBOM from an image scan, create an `SbomLinkageStatement` with the image digest as subject, and verify the linkage
- [ ] Sign the SBOM linkage statement into a DSSE envelope via `ProofChainSigner` and verify the envelope
- [ ] Submit the signed SBOM attestation to Rekor and verify a log entry is created with log index
- [ ] Assemble the SBOM attestation into a proof spine via `ProofSpineRequest` and verify the Merkle root
- [ ] Publish the SBOM to OCI via `SbomOciPublisher` and verify it is discoverable as a referrer
- [ ] Persist the SBOM entry and Rekor entry and verify retrieval
- [ ] Verify the full spine: Image -> SBOM -> DSSE Envelope -> Rekor Entry, each step linked and verifiable
- [ ] Generate an SPDX SBOM and repeat the spine verification to confirm format-agnostic support
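Review bot: the "Status: IMPLEMENTED" line and the Description ("The full SBOM spine ... is implemented") are not backed by the E2E Test Plan, where every item is still unchecked, and the commit message itself says "semi-implemented". Either record the status as implemented but unverified until the E2E items are ticked, or tick the items that `SbomSpineTests.cs` already covers and say which ones remain. Two of the plan items are also too weak to prove the spine is "linked and verifiable" as the last item requires: "verify a log entry is created with log index" only shows Rekor accepted the submission, so add verification of the returned inclusion proof against the log checkpoint; and "verify the envelope" should state what is checked (signature over the DSSE pre-authentication encoding with the expected key, the payload type, and that the `SbomDescriptor` content digest matches the SBOM actually attached via `SbomOciPublisher`), otherwise a tampered SBOM with a valid linkage statement would pass the plan as written.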