feat(rust): Implement RustCargoLockParser and RustFingerprintScanner
Some checks failed
Docs CI / lint-and-preview (push) Has been cancelled
- Added RustCargoLockParser to parse Cargo.lock files and extract package information.
- Introduced RustFingerprintScanner to scan for Rust fingerprint records in JSON files.
- Created test fixtures for Rust language analysis, including Cargo.lock and fingerprint JSON files.
- Developed tests for RustLanguageAnalyzer to ensure deterministic output based on provided fixtures.
- Added expected output files for both simple and signed Rust applications.
		| @@ -1,7 +1,7 @@ | ||||
| # EXCITITOR-ATTEST-01-003 - Verification & Observability Plan | ||||
|  | ||||
| - **Date:** 2025-10-19 | ||||
| - **Status:** Draft | ||||
| - **Status:** In progress (2025-10-22) | ||||
| - **Owner:** Team Excititor Attestation | ||||
| - **Related tasks:** EXCITITOR-ATTEST-01-003 (Wave 0), EXCITITOR-WEB-01-003/004, EXCITITOR-WORKER-01-003 | ||||
| - **Prerequisites satisfied:** EXCITITOR-ATTEST-01-002 (Rekor v2 client integration) | ||||
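Review bot: The `Status` change from `Draft` to `In progress (2025-10-22)` edits the EXCITITOR-ATTEST-01-003 plan, but the commit title and message describe only the Rust Cargo.lock parser and fingerprint scanner work. Suggest moving this documentation update into its own commit, or at least naming it in the commit message, so the attestation plan's history can be followed. The `Date` field still reads 2025-10-19 next to a status dated 2025-10-22; if it is the creation date, labelling it as such would avoid confusion.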
| @@ -141,9 +141,17 @@ Metrics must register via static helper using `Meter` and support offline operat | ||||
| - Do we need cross-module eventing when verification fails (e.g., notify Export module) or is logging sufficient in Wave 0? (Proposed: log + metrics now, escalate in later wave.) | ||||
| - Confirm whether Worker re-verification writes to Mongo or triggers Export module to re-sign artifacts automatically; placeholder: record status + timestamp only. | ||||
|  | ||||
| ## 10. Acceptance Criteria | ||||
| ## 10. Acceptance Criteria | ||||
|  | ||||
| - Plan approved by Attestation + WebService + Worker leads. | ||||
| - Metrics/logging names peer-reviewed to avoid collisions. | ||||
| - Test backlog items entered into respective `TASKS.md` once implementation starts. | ||||
| - Documentation (this plan) linked from `TASKS.md` notes for discoverability. | ||||
| - Documentation (this plan) linked from `TASKS.md` notes for discoverability. | ||||
|  | ||||
| ## 11. 2025-10-22 Progress Notes | ||||
|  | ||||
| - Implemented `IVexAttestationVerifier`/`VexAttestationVerifier` with structural validation (subject/predicate checks, digest comparison, Rekor probes) and diagnostics map. | ||||
| - Added `VexAttestationVerificationOptions` (RequireTransparencyLog, AllowOfflineTransparency, MaxClockSkew) and wired configuration through WebService DI. | ||||
| - Created `VexAttestationMetrics` (`excititor.attestation.verify_total`, `excititor.attestation.verify_duration_seconds`) and hooked into verification flow with component/rekor tags. | ||||
| - `VexAttestationClient.VerifyAsync` now delegates to the verifier; DI registers metrics + verifier via `AddVexAttestation`. | ||||
| - Added unit coverage in `VexAttestationVerifierTests` (happy path, digest mismatch, offline Rekor) and updated client/export/webservice stubs to new verification signature. | ||||
|   | ||||
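Review bot: The new section 11 bullet for `VexAttestationVerificationOptions` names `RequireTransparencyLog`, `AllowOfflineTransparency` and `MaxClockSkew` without their defaults or how they combine. The notes should state the verification result when `AllowOfflineTransparency` is enabled and Rekor cannot be reached while `RequireTransparencyLog` is also set, since that decides whether an attestation without a log proof is accepted. The test bullet lists happy path, digest mismatch and offline Rekor; a case for an exceeded `MaxClockSkew` is not listed and should be added or recorded as pending. The `## 10. Acceptance Criteria` heading and the last criteria bullet also show as changed with identical visible text, which looks like a whitespace-only edit that could be dropped from the patch.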