semi implemented and features implemented save checkpoint

This commit is contained in:
master
2026-02-08 18:00:49 +02:00
parent 04360dff63
commit 1bf6bbf395
20895 changed files with 716795 additions and 64 deletions

@@ -0,0 +1,34 @@
# Verifiable SBOM-to-VEX Chain
## Module
Attestor
## Status
IMPLEMENTED
## Description
VEX proof integrator links VEX statements to SBOM components with component ref extraction, SBOM linkage statements, and VEX attestation predicates for chain verification.
## Implementation Details
- **VEX Proof Integrator**: `src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Generators/VexProofIntegrator.cs` (with `.Helpers`, `.Metadata`) -- integrates VEX proofs with SBOM component references, embedding proof metadata (proof_ref, proof_method, proof_confidence) into VEX verdicts.
- **VEX Verdict Proof Payload**: `Generators/VexVerdictProofPayload.cs` -- payload containing VEX verdict with proof references linking back to SBOM components.
- **Component Ref Extractor**: `Linking/ComponentRefExtractor.cs` (with `.Resolution`, `.Spdx`) -- extracts component references from SBOMs (CycloneDX bom-ref, SPDX SPDXID) for cross-linking with VEX statements.
- **SBOM Extraction Result**: `Linking/SbomExtractionResult.cs` -- result of extracting component references from an SBOM document.
- **SBOM Linkage Payload**: `Statements/SbomLinkagePayload.cs` -- payload for SBOM-to-VEX linkage statements, binding SBOM digest to VEX document reference.
- **VEX Attestation Predicate**: `Predicates/VexAttestationPredicate.cs` -- attestation predicate for VEX statements with proof chain references.
- **VEX Verdict Summary**: `Predicates/VexVerdictSummary.cs` -- summary of VEX verdicts per component/CVE.
- **VEX Document Reference**: `Predicates/VexDocumentReference.cs` -- reference to a VEX document by digest and URI.
- **VEX Status Counts**: `Predicates/VexStatusCounts.cs` -- counts of VEX statuses (affected, not_affected, fixed, under_investigation).
- **SBOM Reference**: `Predicates/SbomReference.cs` -- reference to an SBOM document for linkage.
- **VEX Verdict Statement**: `Statements/VexVerdictStatement.cs` -- in-toto statement wrapping the VEX verdict.
- **Tests**: `__Tests/StellaOps.Attestor.ProofChain.Tests/`
## E2E Test Plan
- [ ] Extract component refs from a CycloneDX SBOM via `ComponentRefExtractor` and verify bom-ref IDs are captured for all components
- [ ] Extract component refs from an SPDX SBOM via `.Spdx` and verify SPDXID references are captured
- [ ] Create an `SbomLinkagePayload` linking an SBOM digest to a VEX document reference and verify the chain is valid
- [ ] Integrate a VEX proof via `VexProofIntegrator` and verify the `VexVerdictProofPayload` contains proof_ref, proof_method, and proof_confidence
- [ ] Build a `VexAttestationPredicate` with multiple component verdicts and verify each references the correct SBOM component ref
- [ ] Verify SBOM-to-VEX chain: given an SBOM with 5 components and VEX with 3 affected, verify `VexStatusCounts` shows 3 affected and 2 not_assessed
- [ ] Create a VEX verdict statement and verify it is a valid in-toto statement with SBOM linkage metadata
- [ ] Attempt to link a VEX to an SBOM with mismatched component refs and verify the integrator detects the mismatch
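Review bot: the expected result in the chain-verification test item ("3 affected and 2 not_assessed") uses a status that `VexStatusCounts` does not list; the Implementation Details entry for `Predicates/VexStatusCounts.cs` enumerates only affected, not_affected, fixed and under_investigation. Either add a not_assessed (or equivalent "no statement") count to the class and its description, or rewrite the test expectation in terms of the four listed statuses, otherwise the test as written cannot pass against the documented type. Two smaller points on the same section: the Status is IMPLEMENTED while every E2E item is unchecked and the commit message itself says "semi implemented", so consider a status that distinguishes code-complete from verified; and since `SbomLinkagePayload` is described as binding the SBOM digest to the VEX document reference, the plan should include a negative case where the SBOM digest does not match the referenced document and verification is expected to fail, alongside the existing mismatched-component-ref case.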