news advisories
@@ -0,0 +1,108 @@
Here’s a compact, diagram-first blueprint that shows how to turn a CycloneDX SBOM into signed, replay-safe proofs across DSSE/in-toto, Rekor v2 (tile-backed) receipts, and VEX—plus how to run this with the public instance or fully offline.

---

## 1) Mental model (one line per hop)

```
[SBOM: CycloneDX JSON]
└─(wrap as DSSE payload; predicate = CycloneDX)
└─(optional: in-toto statement for context)
└─(sign → cosign/fulcio or your own CA)
└─(log entry → Rekor v2 / tiles)
└─(checkpoint + inclusion proof + receipt)
└─(VEX attestation references SBOM/log)
└─(Authority anchors/keys + policies)
```

* **CycloneDX SBOM** is your canonical inventory. ([cyclonedx.org][1])
* **DSSE** provides a minimal, standard signing envelope; in-toto statements add supply-chain context. ([JFrog][2])
* **Rekor v2** stores a hash of your attestation in a **tile-backed transparency log** and returns **checkpoint + inclusion proof** (small, verifiable). ([Sigstore Blog][3])
* **VEX** conveys exploitability (e.g., “not affected”) and should reference the SBOM and, ideally, the Rekor receipt. ([cyclonedx.org][4])

---

## 2) Exact capture points (what to store)

* **SBOM artifact**: `sbom.cdx.json` (canonicalized bytes + SHA256). ([cyclonedx.org][1])
* **DSSE envelope** over SBOM (or in-toto statement whose predicate is CycloneDX): keep the full JSON + signature. ([JFrog][2])
* **Rekor v2 receipt**:

* **Checkpoint** (signed tree head)
* **Inclusion proof** (audit path)
* **Entry leaf hash / UUID**
Persist these with your build to enable offline verification. ([Sigstore Blog][3])
* **VEX attestation** (CycloneDX VEX): include references (by digest/URI) to the **SBOM** and the **Rekor entry/receipt** used for the SBOM attestation. ([cyclonedx.org][4])
* **Authority anchors**: publish the verifying keys (or TUF-root if using Sigstore public good), plus your policy describing accepted issuers and algorithms. ([Sigstore][5])

---

## 3) Field-level linkage (IDs you’ll wire together)

* **`subject.digest`** in DSSE/in-toto ↔ **SBOM SHA256**. ([OpenSSF][6])
* **Rekor entry** ↔ **DSSE envelope digest** (leaf/UUID recorded in receipt). ([GitHub][7])
* **VEX `affects` / `analysis`** entries ↔ **components in SBOM** (use purl/coordinates) and include **`evidence`/`justification`** with **Rekor proof URI**. ([cyclonedx.org][4])

---

## 4) Verification flow (online or air-gapped)

**Online (public good):**

1. Verify DSSE signature against accepted keys/issuers. ([Sigstore][5])
2. Verify Rekor **checkpoint signature** and **inclusion proof** for the logged DSSE digest. ([Go Packages][8])
3. Validate VEX against the same SBOM digest (and optionally that its own attestation is also logged). ([cyclonedx.org][4])

**Air-gapped / sovereign:**

* Mirror/export **Rekor tiles + checkpoints** on a courier medium; keep receipts small by shipping only tiles covering the ranges you need.
* Run **self-hosted Rekor v2** or a **local tile cache**; verifiers check **checkpoint signatures** and **consistency proofs** exactly the same way. ([Sigstore Blog][3])

---

## 5) Public instance vs self-hosted (decision notes)

* **Public**: zero-ops, audited community infra; you still archive receipts with your releases. ([Sigstore][5])
* **Self-hosted Rekor v2 (tiles)**: cheaper/simpler than v1, tile export makes **offline kits** practical; publish your **root keys** as organization anchors. ([Sigstore Blog][3])

---

## 6) Minimal CLI recipe (illustrative)

* Generate SBOM → wrap → attest → log → emit receipt:

* Create CycloneDX JSON; compute digest. ([cyclonedx.org][1])
* Create **DSSE** or **in-toto** attestation for the SBOM; sign (cosign or your CA). ([JFrog][2])
* Submit to **Rekor v2**; store **checkpoint + inclusion proof + UUID** with the build. ([Sigstore Blog][3])
* Emit **VEX** referencing the SBOM digest **and** the Rekor entry (URI/UUID). ([cyclonedx.org][4])

---

## 7) Developer guardrails (to keep proofs replay-safe)

* **Canonical bytes only** (stable JSON ordering/whitespace) before hashing/signing. ([JFrog][2])
* **Pin algorithms** (e.g., SHA-256 + key types) in policy; reject drift. ([Sigstore][5])
* **Always persist**: SBOM, DSSE envelope, Rekor receipt, VEX, and your **accepted-keys manifest** with version. ([Sigstore Blog][3])
* **Test offline**: verification must pass using only tiles + receipts you ship. ([Go Packages][9])

---

## 8) Optional niceties

* Gate deployments on “image must have **signed SBOM** (attestation)”. Sigstore Policy Controller example exists. ([Stackable Documentation][10])
* Track CVE status via **CycloneDX VEX** in your UI (“affected/not affected” with evidence links to Rekor). ([cyclonedx.org][4])

---

If you want, I can turn this into a **Stella Ops** diagram + drop-in `docs/blueprints/sbom-to-vex-rekor.md` with exact JSON stubs for: DSSE envelope, in-toto statement, Rekor receipt example, and a CycloneDX VEX snippet wired to the receipt.

[1]: https://cyclonedx.org/specification/overview/?utm_source=chatgpt.com "Specification Overview"
[2]: https://jfrog.com/blog/introducing-dsse-attestation-online-decoder/?utm_source=chatgpt.com "Introducing the DSSE Attestation Online Decoder"
[3]: https://blog.sigstore.dev/rekor-v2-ga/?utm_source=chatgpt.com "Rekor v2 GA - Cheaper to run, simpler to maintain"
[4]: https://cyclonedx.org/capabilities/vex/?utm_source=chatgpt.com "Vulnerability Exploitability eXchange (VEX)"
[5]: https://docs.sigstore.dev/logging/overview/?utm_source=chatgpt.com "Rekor"
[6]: https://openssf.org/blog/2024/06/26/a-deep-dive-into-sbomit-and-attestations/?utm_source=chatgpt.com "A Deep Dive into SBOMit and Attestations"
[7]: https://github.com/sigstore/rekor?utm_source=chatgpt.com "sigstore/rekor: Software Supply Chain Transparency Log"
[8]: https://pkg.go.dev/github.com/sigstore/rekor-tiles/v2/pkg/verify?utm_source=chatgpt.com "verify package - github.com/sigstore/rekor-tiles/v2/pkg/verify"
[9]: https://pkg.go.dev/github.com/sigstore/rekor-tiles?utm_source=chatgpt.com "rekor-tiles module - github.com/sigstore/rekor-tiles"
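Review bot: Section 3 ("`subject.digest` in DSSE/in-toto ↔ SBOM SHA256") conflates the DSSE envelope with the in-toto statement: `subject.digest` lives in the in-toto statement that is carried as the DSSE payload, while the envelope itself only carries the payload type, payload and signatures, so this linkage only exists when the in-toto wrapping that section 1 marks "optional" is actually used; either make the in-toto statement mandatory for the SBOM attestation or state that a bare DSSE-over-CycloneDX binds the SBOM through the payload bytes instead. Related, the "replay-safe" guardrails in section 7 and step 2 of section 4 should say explicitly that the verifier recomputes the leaf hash from the DSSE envelope it holds and compares it with the receipt's leaf hash/UUID before checking the inclusion proof against a checkpoint signed by a key from the section 2 authority anchors; as written, a receipt could be accepted alongside an envelope it does not actually cover. Two housekeeping items before this lands in `docs/`: the closing paragraph ("If you want, I can turn this into a **Stella Ops** diagram ...") is a chat-style offer rather than documentation and should be dropped, and the `?utm_source=chatgpt.com` suffixes on all ten reference URLs should be stripped.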