semi-implemented and features implemented save checkpoint

This commit is contained in:
master
2026-02-08 18:00:49 +02:00
parent 04360dff63
commit 1bf6bbf395
20895 changed files with 716795 additions and 64 deletions

@@ -0,0 +1,34 @@
# SBOM-to-VEX Proof Pipeline
## Module
Attestor
## Status
IMPLEMENTED
## Description
Full SBOM-to-VEX proof pipeline with pipeline request/result models, SBOM component extraction, VEX proof integration, and Rekor transparency log entries.
## Implementation Details
- **Pipeline Request/Result**: `src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Pipeline/ProofChainRequest.cs`, `ProofChainResult.cs` -- pipeline orchestration models.
- **Pipeline Subject**: `Pipeline/PipelineSubject.cs` -- subject being processed through the pipeline.
- **Rekor Entry**: `Pipeline/RekorEntry.cs` -- Rekor transparency log entry from pipeline output.
- **Component Ref Extractor**: `Linking/ComponentRefExtractor.cs` (with `.Resolution`, `.Spdx`) -- extracts SBOM component references for VEX linkage.
- **SBOM Extraction Result**: `Linking/SbomExtractionResult.cs` -- extracted components for VEX matching.
- **VEX Proof Integrator**: `Generators/VexProofIntegrator.cs` (with `.Helpers`, `.Metadata`) -- integrates extracted SBOM components with VEX decisions.
- **VEX Verdict Proof Payload**: `Generators/VexVerdictProofPayload.cs` -- combined SBOM-component-linked VEX proof.
- **VEX Verdict Statement**: `Statements/VexVerdictStatement.cs` -- in-toto VEX verdict statement.
- **Proof Spine Assembly**: `Assembly/ProofSpineRequest.cs`, `ProofSpineResult.cs` -- assembles pipeline outputs into a verifiable spine.
- **DSSE Signing**: `Signing/ProofChainSigner.cs` -- signs all pipeline outputs.
- **Rekor Submission**: `StellaOps.Attestor.Core/Rekor/RekorSubmissionService.cs` -- publishes to transparency log.
- **Tests**: `__Tests/StellaOps.Attestor.ProofChain.Tests/SbomToVexPipelineTests.cs`
## E2E Test Plan
- [ ] Run the SBOM-to-VEX pipeline via `ProofChainRequest` with an SBOM input and VEX data; verify `ProofChainResult` contains linked attestations
- [ ] Verify `ComponentRefExtractor` extracts component references from the input SBOM
- [ ] Verify `VexProofIntegrator` matches SBOM components to VEX statements and produces `VexVerdictProofPayload`
- [ ] Verify the VEX verdict statement is signed into a DSSE envelope
- [ ] Verify the pipeline output includes a Rekor entry with the signed VEX verdict
- [ ] Assemble pipeline outputs into a proof spine and verify the Merkle root covers both SBOM and VEX attestations
- [ ] Verify the pipeline handles components with no VEX coverage and reports them as unassessed
- [ ] Verify bidirectional traceability: from VEX verdict to SBOM component and from SBOM component to VEX verdict
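Review bot: the Status line says IMPLEMENTED while every item in the E2E Test Plan is still unchecked, and the only test reference is `SbomToVexPipelineTests.cs`; either tick the items that file already covers or mark the status as implemented with E2E verification pending, so the document does not overstate what has been validated. Two plan items also stop short of the check that matters: "Verify the VEX verdict statement is signed into a DSSE envelope" should also verify the envelope signature against the expected key (a malformed or wrongly keyed envelope is still "signed into" one), and "Verify the pipeline output includes a Rekor entry with the signed VEX verdict" should verify the entry's inclusion proof rather than only its presence, since the `RekorSubmissionService.cs` path is what gives the pipeline its transparency guarantee.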