Refactor code structure for improved readability and maintainability; optimize performance in key functions.

This commit is contained in:
master
2025-12-22 19:06:31 +02:00
parent dfaa2079aa
commit 4602ccc3a3
1444 changed files with 109919 additions and 8058 deletions


@@ -20,7 +20,7 @@ We ship containers. We need:
```mermaid
flowchart LR
A[Source / Image / Rootfs] --> B[SBOM Producer\nCycloneDX 1.6]
A[Source / Image / Rootfs] --> B[SBOM Producer\nCycloneDX 1.7]
B --> C[Signer\nintoto Attestation + DSSE]
C --> D[Transparency\nSigstore Rekor - optional but RECOMMENDED]
D --> E[Durable Storage\nSBOMs, Attestations, Proofs]
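Review bot: The commit title ("Refactor code structure for improved readability and maintainability; optimize performance in key functions") does not describe this hunk, which changes the pinned SBOM standard in the pipeline diagram from `CycloneDX 1.6` to `CycloneDX 1.7`; a standards-version bump is a compatibility-relevant change for every consumer of these SBOMs and should be named in the commit message so it is findable in the audit trail.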
@@ -32,7 +32,7 @@ flowchart LR
**Adopted standards (pinned for interoperability):**
* **SBOM:** CycloneDX **1.6** (JSON/XML)
* **SBOM:** CycloneDX **1.7** (JSON/XML; 1.6 accepted for ingest)
* **Attestation & signing:** **intoto Attestations** (Statement + Predicate) in **DSSE** envelopes
* **Transparency:** **Sigstore Rekor** (inclusion proofs, monitoring)
* **Exploitability:** **OpenVEX** (statuses & justifications)
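Review bot: The new line introduces a dual-version policy ("1.7 (JSON/XML; 1.6 accepted for ingest)") under a heading that says the standards are "pinned for interoperability"; state whether ingested 1.6 documents are stored as received or normalized to 1.7, since that decides which `specVersion` downstream attestations and policy checks must accept.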
@@ -120,7 +120,7 @@ flowchart TB
| Artifact | MUST Persist | Why |
| -------------------- | ------------------------------------ | ---------------------------- |
| SBOM (CycloneDX 1.6) | Raw file + DSSE attestation | Reproducibility, audit |
| SBOM (CycloneDX 1.7) | Raw file + DSSE attestation | Reproducibility, audit |
| intoto Statement | Full JSON | Traceability |
| Rekor entry | UUID + inclusion proof | Tamperevidence |
| Scanner output | SARIF + raw notes | Triage & tooling interop |
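Review bot: Relabelling the persistence row to "SBOM (CycloneDX 1.7)" leaves ingested 1.6 documents (accepted per the standards list in this same change) without a stated persistence requirement; consider "SBOM (CycloneDX 1.6/1.7)" or a sentence saying that ingested 1.6 files are persisted under the same raw-file + DSSE rule.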
@@ -193,7 +193,7 @@ violation[msg] {
| Domain | Standard | Stella Pin | Notes |
| ------------ | -------------- | ---------------- | ------------------------------------------------ |
| SBOM | CycloneDX | **1.6** | JSON or XML accepted; JSON preferred |
| SBOM | CycloneDX | **1.7** | JSON or XML accepted; 1.6 ingest supported |
| Attestation | intoto | **Statement v1** | Predicates per use case (e.g., sbom, provenance) |
| Envelope | DSSE | **v1** | Canonical JSON payloads |
| Transparency | Sigstore Rekor | **API stable** | Inclusion proof stored alongside artifacts |
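Review bot: The replacement Notes cell drops "JSON preferred", which the old row carried ("JSON or XML accepted; JSON preferred"); if JSON is still the preferred serialization, keep that statement alongside "1.6 ingest supported" so the table does not silently weaken the guidance.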
@@ -208,7 +208,7 @@ violation[msg] {
> Commands below are illustrative; wire them into CI with shortlived credentials.
```bash
# 1) Produce SBOM (CycloneDX 1.6) from image digest
# 1) Produce SBOM (CycloneDX 1.7) from image digest
syft registry:5000/myimg@sha256:... -o cyclonedx-json > sbom.cdx.json
# 2) Create intoto DSSE attestation bound to the image digest
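Review bot: Only the comment changed to "CycloneDX 1.7"; the `syft ... -o cyclonedx-json` invocation below it does not select a schema version, so the emitted `specVersion` depends on the syft release in CI rather than on this document. Either pin the output version in the producer invocation (where the tool supports it) or add a validation step that checks `specVersion` before the SBOM is attested.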
@@ -252,7 +252,7 @@ opa eval -i gate-input.json -d policy/ -f pretty "data.stella.policy.allow"
"predicateType": "https://stella-ops.org/attestations/sbom/1",
"predicate": {
"sbomFormat": "CycloneDX",
"sbomVersion": "1.6",
"sbomVersion": "1.7",
"mediaType": "application/vnd.cyclonedx+json",
"location": "sha256:SBOM_BLOB_SHA256"
}
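Review bot: The example predicate now hard-codes `"sbomVersion": "1.7"`, but this change also declares 1.6 accepted for ingest; any gate that compares `sbomVersion` against a single pinned value (the `data.stella.policy.allow` evaluation referenced in the hunk context) would reject ingested 1.6 SBOMs, so the predicate description and policy should state the accepted set rather than one value.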
@@ -349,7 +349,7 @@ opa eval -i gate-input.json -d policy/ -f pretty "data.stella.policy.allow"
## 15) Implementation Checklist
* [ ] SBOM producer emits CycloneDX 1.6; bound to image digest.
* [ ] SBOM producer emits CycloneDX 1.7; bound to image digest.
* [ ] intoto+DSSE signing wired in CI; Rekor logging enabled.
* [ ] Durable artifact store with WORM semantics.
* [ ] Scanner produces explainable findings; SARIF optional.
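Review bot: With 1.6 still accepted for ingest, the checklist has no item covering that path; add an entry such as "Ingest path validates CycloneDX 1.6 documents against the same digest-binding and attestation requirements" so the producer-side item ("emits CycloneDX 1.7; bound to image digest") is not the only version-related check.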