semi-implemented and features implemented save checkpoint

This commit is contained in:
master
2026-02-08 18:00:49 +02:00
parent 04360dff63
commit 1bf6bbf395
20895 changed files with 716795 additions and 64 deletions


@@ -0,0 +1,25 @@
# Signed SBOM Archive Format (SignedSbomArchiveBuilder)
## Module
Scanner
## Status
IMPLEMENTED
## Description
Service for building signed SBOM archive bundles (tar.gz with DSSE envelope, SBOM document, and Rekor receipt) suitable for offline transfer and air-gapped verification.
## Implementation Details
- **Archive Builder**:
- `src/Scanner/StellaOps.Scanner.WebService/Services/SignedSbomArchiveBuilder.cs` - `SignedSbomArchiveBuilder` building tar.gz archives containing the SBOM document, DSSE envelope with signature, and Rekor transparency log receipt for offline verification
- **Export Endpoint**:
- `src/Scanner/StellaOps.Scanner.WebService/Endpoints/ExportEndpoints.cs` - Export endpoints providing download of signed SBOM archives
- **Tests**:
- `src/Scanner/__Tests/StellaOps.Scanner.WebService.Tests/SignedSbomArchiveBuilderTests.cs` - Unit tests for archive building and content verification
## E2E Test Plan
- [ ] Build a signed SBOM archive for a scan result and verify the tar.gz contains the SBOM document, DSSE envelope, and Rekor receipt
- [ ] Extract the archive and verify the DSSE envelope signature validates against the signing key
- [ ] Verify the Rekor receipt in the archive matches the transparency log entry
- [ ] Transfer the archive to an air-gapped environment and verify offline verification succeeds using only the archive contents
- [ ] Verify the archive format is deterministic (same inputs produce byte-identical archives excluding timestamps)
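Review bot: the determinism item (last entry in the E2E Test Plan) cannot yield byte-identical archives while "excluding timestamps", because tar entry mtimes and the gzip header mtime are part of the bytes being compared; state instead that the builder normalizes them (fixed mtime, fixed uid/gid and mode, sorted entry order, zeroed gzip header timestamp) and then compare full archive digests. The air-gapped item should also say where the verifier obtains the signing public key and the Rekor log public key, since "using only the archive contents" implies they are either bundled in the archive or pre-provisioned on the offline host, and the doc's Description does not list them among the bundle contents. Finally, "Status: IMPLEMENTED" sits oddly above five unchecked E2E items; either tick the ones that have run or mark the status as implemented-unverified.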