semi implemented and features implemented save checkpoint

2026-02-08 18:00:49 +02:00
parent 04360dff63
commit 1bf6bbf395
20895 changed files with 716795 additions and 64 deletions
--- a/docs/features/unchecked/scanner/third-party-scanner-output-ingestion.md
+++ b/docs/features/unchecked/scanner/third-party-scanner-output-ingestion.md
@@ -0,0 +1,36 @@
+# Third-Party Scanner Output Ingestion (Syft/Grype/Trivy/Clair/Xray Compatibility)
+
+## Module
+Scanner
+
+## Status
+IMPLEMENTED
+
+## Description
+CycloneDX, SPDX, and SLSA provenance parsers enable ingesting outputs from third-party scanners. VEX normalization and SBOM comparison/round-trip tests ensure compatibility with standard formats used by Syft, Grype, Trivy, and other tools.
+
+## Implementation Details
+- **CycloneDX Parser**:
+  - `src/Attestor/__Libraries/StellaOps.Attestor.StandardPredicates/Parsers/CycloneDxPredicateParser.cs` - `CycloneDxPredicateParser` parsing CycloneDX SBOM documents
+  - `src/Attestor/__Libraries/StellaOps.Attestor.StandardPredicates/Parsers/CycloneDxPredicateParser.ExtractSbom.cs` - SBOM extraction logic
+  - `src/Attestor/__Libraries/StellaOps.Attestor.StandardPredicates/Parsers/CycloneDxPredicateParser.ExtractMetadata.cs` - Metadata extraction
+- **SPDX Parser**:
+  - `src/Attestor/__Libraries/StellaOps.Attestor.StandardPredicates/Parsers/SpdxPredicateParser.cs` - `SpdxPredicateParser` parsing SPDX SBOM documents
+  - `src/Attestor/__Libraries/StellaOps.Attestor.StandardPredicates/Parsers/SpdxPredicateParser.ExtractSbom.cs` - SBOM extraction logic
+  - `src/Attestor/__Libraries/StellaOps.Attestor.StandardPredicates/Parsers/SpdxPredicateParser.ExtractMetadata.cs` - Metadata extraction
+  - `src/Attestor/__Libraries/StellaOps.Attestor.StandardPredicates/Parsers/SpdxPredicateParser.Validation.cs` - Validation logic
+- **SLSA Provenance Parser**:
+  - `src/Attestor/__Libraries/StellaOps.Attestor.StandardPredicates/Parsers/SlsaProvenancePredicateParser.cs` - `SlsaProvenancePredicateParser` parsing SLSA provenance attestations
+  - `src/Attestor/__Libraries/StellaOps.Attestor.StandardPredicates/Parsers/SlsaProvenancePredicateParser.ExtractMetadata.cs` - Metadata extraction
+  - `src/Attestor/__Libraries/StellaOps.Attestor.StandardPredicates/Parsers/SlsaProvenancePredicateParser.Validation.cs` - Validation logic
+- **CycloneDX/SPDX Writers** (for round-trip compatibility):
+  - `src/Attestor/__Libraries/StellaOps.Attestor.StandardPredicates/Writers/CycloneDxWriter.Convert.cs` - CycloneDX output writer
+  - `src/Attestor/__Libraries/StellaOps.Attestor.StandardPredicates/Writers/SpdxWriter.Convert.cs` - SPDX output writer
+
+## E2E Test Plan
+- [ ] Ingest a Syft-generated CycloneDX SBOM and verify all components are parsed with correct names, versions, and PURLs
+- [ ] Ingest a Trivy-generated SPDX SBOM and verify packages are extracted with correct metadata
+- [ ] Ingest a SLSA provenance attestation and verify build metadata (builder, source, materials) is correctly extracted
+- [ ] Verify round-trip compatibility: parse a CycloneDX SBOM, write it back, and verify the output validates against the CycloneDX schema
+- [ ] Verify VEX statements from third-party scanners are correctly normalized into the internal representation
+- [ ] Verify the parsers handle format variations across tool versions (e.g., CycloneDX 1.4 vs 1.5 vs 1.6)