stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity

Add tests for SBOM generation determinism across multiple formats

Browse Source 
- Created `StellaOps.TestKit.Tests` project for unit tests related to determinism.
- Implemented `DeterminismManifestTests` to validate deterministic output for canonical bytes and strings, file read/write operations, and error handling for invalid schema versions.
- Added `SbomDeterminismTests` to ensure identical inputs produce consistent SBOMs across SPDX 3.0.1 and CycloneDX 1.6/1.7 formats, including parallel execution tests.
- Updated project references in `StellaOps.Integration.Determinism` to include the new determinism testing library.
This commit is contained in:
master
2025-12-23 18:56:12 +02:00
committed by StellaOps Bot
parent 7ac70ece71
commit 491e883653
409 changed files with 23797 additions and 17779 deletions
Download Patch File Download Diff File Expand all files Collapse all files

297
docs/product-advisories/IMPLEMENTATION_STATUS.md
View File

@@ -1,297 +0,0 @@
# Implementation Status: Competitor Gap Closure
> **Date:** 2025-12-23
> **Status:** Phase 1 In Progress
> **Sprint:** SPRINT_3000_0100_0001 (Signed Delta-Verdicts)
---
## ✅ Completed Artifacts
### Documentation (100% Complete)
| Document | Status | Location |
|----------|--------|----------|
| **Sprint Plans** | ✅ Complete (5 sprints) | `docs/implplan/SPRINT_*.md` |
| **JSON Schemas** | ✅ Complete (2 schemas) | `docs/schemas/` |
| **Verdict Attestations Guide** | ✅ Complete | `docs/policy/verdict-attestations.md` |
| **Evidence Pack Schema Guide** | ✅ Complete | `docs/evidence-locker/evidence-pack-schema.md` |
| **Implementation Summary** | ✅ Complete | `docs/product-advisories/23-Dec-2026 - Implementation Summary - Competitor Gap Closure.md` |
### Code Implementation (Phase 1: 40% Complete)
#### Policy Engine - Verdict Attestation (✅ 60% Complete)
| Component | Status | File |
|-----------|--------|------|
| **VerdictPredicate Models** | ✅ Complete | `src/Policy/StellaOps.Policy.Engine/Attestation/VerdictPredicate.cs` |
| **VerdictPredicateBuilder** | ✅ Complete | `src/Policy/StellaOps.Policy.Engine/Attestation/VerdictPredicateBuilder.cs` |
| **IVerdictAttestationService** | ✅ Complete | `src/Policy/StellaOps.Policy.Engine/Attestation/IVerdictAttestationService.cs` |
| **VerdictAttestationService** | ✅ Complete | `src/Policy/StellaOps.Policy.Engine/Attestation/VerdictAttestationService.cs` |
| **HttpAttestorClient** | ✅ Complete | `src/Policy/StellaOps.Policy.Engine/Attestation/HttpAttestorClient.cs` |
| Integration with Policy Run | ⏳ Pending | Policy execution workflow |
| DI Registration | ⏳ Pending | `DependencyInjection/` |
| Unit Tests | ⏳ Pending | `__Tests/StellaOps.Policy.Engine.Tests/` |
---
## 🚧 In Progress
### SPRINT_3000_0100_0001: Signed Delta-Verdicts
**Overall Progress:** 40%
| Task | Status | Owner | Notes |
|------|--------|-------|-------|
| ✅ Define verdict attestation predicate schema | Complete | Policy Guild | JSON schema validated |
| ✅ Design Policy Engine → Attestor integration contract | Complete | Both guilds | HTTP API contract defined |
| ⏳ Define storage schema for verdict attestations | In Progress | Evidence Locker | PostgreSQL schema needed |
| ✅ Create JSON schema for verdict predicate | Complete | Policy Guild | `stellaops-policy-verdict.v1.schema.json` |
| ✅ Implement `VerdictAttestationRequest` DTO | Complete | Policy Guild | Done in `IVerdictAttestationService.cs` |
| ✅ Implement `VerdictPredicateBuilder` | Complete | Policy Guild | Done |
| ⏳ Wire Policy Engine to emit attestation requests | Pending | Policy Guild | Post-evaluation hook needed |
| ⏳ Implement verdict attestation handler in Attestor | Pending | Attestor Guild | Handler + DSSE signing |
| ⏳ Implement Evidence Locker storage for verdicts | Pending | Evidence Locker Guild | PostgreSQL + object store |
| ⏳ Create API endpoint `GET /api/v1/verdicts/{verdictId}` | Pending | Evidence Locker | Return DSSE envelope |
| ⏳ Create API endpoint `GET /api/v1/runs/{runId}/verdicts` | Pending | Evidence Locker | List verdicts |
| ⏳ Unit tests for predicate builder | Pending | Policy Guild | Schema validation, determinism |
| ⏳ Integration test: Policy Run → Verdict Attestation | Pending | Policy Guild | End-to-end flow |
| ⏳ CLI verification test | Pending | CLI Guild | `stella verdict verify` |
| ⏳ Document verdict attestation schema | Complete | Policy Guild | `docs/policy/verdict-attestations.md` |
| ⏳ Document API endpoints | Pending | Locker Guild | OpenAPI spec updates |
---
## 📦 Files Created (This Session)
### Policy Engine Attestation Components
```
src/Policy/StellaOps.Policy.Engine/Attestation/
├── VerdictPredicate.cs # Core predicate models
├── VerdictPredicateBuilder.cs # Builder service (trace → predicate)
├── IVerdictAttestationService.cs # Service interface
├── VerdictAttestationService.cs # Service implementation
└── HttpAttestorClient.cs # HTTP client for Attestor API
```
### Documentation & Schemas
```
docs/
├── implplan/
│ ├── SPRINT_3000_0100_0001_signed_verdicts.md # HIGH priority
│ ├── SPRINT_3000_0100_0002_evidence_packs.md # HIGH priority
│ ├── SPRINT_4000_0100_0001_proof_panels.md # MEDIUM priority
│ ├── SPRINT_4000_0100_0002_vuln_annotation.md # MEDIUM priority
│ └── SPRINT_3000_0100_0003_base_image.md # MEDIUM priority
├── schemas/
│ ├── stellaops-policy-verdict.v1.schema.json # Verdict predicate schema
│ └── stellaops-evidence-pack.v1.schema.json # Evidence pack schema
├── policy/
│ └── verdict-attestations.md # Comprehensive guide
├── evidence-locker/
│ └── evidence-pack-schema.md # Pack format guide
└── product-advisories/
├── 23-Dec-2026 - Implementation Summary - Competitor Gap Closure.md
└── IMPLEMENTATION_STATUS.md (this file)
```
---
## ⏳ Next Steps (Priority Order)
### Immediate (This Week)
1. **Create Evidence Locker Module Structure**
- Directory: `src/EvidenceLocker/StellaOps.EvidenceLocker/`
- PostgreSQL migrations for `verdict_attestations` table
- API endpoints: `GET /api/v1/verdicts/{verdictId}`, `GET /api/v1/runs/{runId}/verdicts`
2. **Implement Attestor Handler**
- Directory: `src/Attestor/`
- `VerdictAttestationHandler.cs` - Accept, validate, sign, store
- DSSE envelope creation
- Optional Rekor anchoring
3. **Wire Policy Engine Integration**
- Modify `src/Policy/StellaOps.Policy.Engine/` policy execution workflow
- Call `VerdictAttestationService.AttestVerdictAsync()` after each finding evaluation
- Feature flag: `PolicyEngineOptions.VerdictAttestationsEnabled`
4. **Create Unit Tests**
- `src/Policy/__Tests/StellaOps.Policy.Engine.Tests/Attestation/`
- Test `VerdictPredicateBuilder.Build()` with sample `PolicyExplainTrace`
- Test JSON schema validation
- Test determinism hash computation
### Week 2
5. **Integration Tests**
- End-to-end: Policy Run → Verdict Attestation → Storage → Retrieval
- Test with Testcontainers (PostgreSQL)
- Verify DSSE envelope structure
6. **CLI Commands**
- `src/Cli/StellaOps.Cli/Commands/`
- `stella verdict get <verdictId>`
- `stella verdict verify <verdict.json> --public-key <key>`
- `stella verdict list --run <runId> --status blocked`
7. **Database Migration Scripts**
- PostgreSQL schema for `verdict_attestations`
- Indexes on `run_id`, `finding_id`, `tenant_id`, `evaluated_at`
---
## 🏗️ Module Structure (To Be Created)
### Evidence Locker Module
```
src/EvidenceLocker/
├── StellaOps.EvidenceLocker/
│ ├── Storage/
│ │ ├── VerdictRepository.cs
│ │ └── IVerdictRepository.cs
│ ├── Api/
│ │ ├── VerdictEndpoints.cs
│ │ └── VerdictContracts.cs
│ ├── Migrations/
│ │ └── 001_CreateVerdictAttestations.sql
│ └── StellaOps.EvidenceLocker.csproj
├── __Tests/
│ └── StellaOps.EvidenceLocker.Tests/
│ ├── VerdictRepositoryTests.cs
│ └── VerdictEndpointsTests.cs
└── AGENTS.md
```
### Attestor Module Enhancements
```
src/Attestor/
├── Handlers/
│ └── VerdictAttestationHandler.cs
├── DSSE/
│ └── DsseEnvelopeService.cs
└── Rekor/
└── RekorClient.cs
```
---
## 📊 Progress Metrics
### Overall Implementation Progress
| Sprint | Priority | Progress | Status |
|--------|----------|----------|--------|
| **SPRINT_3000_0100_0001** - Signed Verdicts | HIGH | 40% | 🟡 In Progress |
| **SPRINT_3000_0100_0002** - Evidence Packs | HIGH | 0% | ⚪ Not Started |
| **SPRINT_4000_0100_0001** - Proof Panels UI | MEDIUM | 0% | ⚪ Not Started |
| **SPRINT_4000_0100_0002** - Vuln Annotation UI | MEDIUM | 0% | ⚪ Not Started |
| **SPRINT_3000_0100_0003** - Base Image Detection | MEDIUM | 0% | ⚪ Not Started |
### Code Completion by Module
| Module | Files Created | Files Pending | Completion % |
|--------|---------------|---------------|--------------|
| **Policy.Engine (Attestation)** | 5/8 | 3 | 62% |
| **Attestor (Handler)** | 0/3 | 3 | 0% |
| **Evidence Locker** | 0/5 | 5 | 0% |
| **CLI (Verdict Commands)** | 0/4 | 4 | 0% |
| **Tests** | 0/6 | 6 | 0% |
---
## 🎯 Success Criteria (SPRINT_3000_0100_0001)
### Must Have (MVP)
- [ ] Every policy run produces signed verdict attestations
- [ ] Verdicts stored in Evidence Locker with DSSE envelopes
- [ ] API endpoints return verdict attestations with valid signatures
- [ ] CLI can verify verdict signatures offline
- [ ] Integration test: full flow from policy run → signed verdict → retrieval → verification
### Should Have
- [ ] Rekor anchoring integration (optional)
- [ ] Batch verdict signing optimization
- [ ] Comprehensive error handling and retry logic
- [ ] Metrics and observability
### Nice to Have
- [ ] Verdict attestation caching
- [ ] Webhook notifications on verdict creation
- [ ] Verdict comparison/diff tooling
---
## 🔧 Technical Debt & Known Gaps
### Current Limitations
1. **Evidence Locker Module Missing**
- Need to scaffold entire module structure
- PostgreSQL schema not yet defined
- API endpoints not implemented
2. **Attestor Handler Not Implemented**
- DSSE signing logic needed
- Rekor integration pending
- Validation logic incomplete
3. **Policy Engine Integration Incomplete**
- Policy execution workflow not modified to call attestation service
- Feature flags not wired
- DI registration incomplete
4. **No Tests Yet**
- Unit tests for VerdictPredicateBuilder needed
- Integration tests for end-to-end flow needed
- Schema validation tests needed
### Required Dependencies
1. **DSSE Library** - For envelope creation and signing
2. **Rekor Client** - For transparency log anchoring
3. **PostgreSQL** - For verdict storage
4. **HTTP Client** - Already using `HttpClient` for Attestor communication
---
## 📈 Velocity Estimate
Based on current sprint scope:
| Week | Focus | Deliverables |
|------|-------|--------------|
| **Week 1** | Backend Core | Evidence Locker, Attestor Handler, Integration |
| **Week 2** | CLI & Tests | CLI commands, unit tests, integration tests |
| **Week 3** | Polish & Docs | Error handling, observability, documentation updates |
| **Week 4** | SPRINT_3000_0100_0002 | Evidence Pack assembly (next sprint) |
**Estimated Completion for SPRINT_3000_0100_0001:** End of Week 3
---
## 📝 Notes
- All C# code follows .NET 10 conventions with latest C# preview features
- Determinism is enforced via canonical JSON serialization and sorted collections
- Offline-first design: no hard-coded external dependencies
- Air-gap support: signatures verifiable without network
- Feature-flagged: `VerdictAttestationsEnabled` defaults to `false` for safety
---
## 🔗 References
- **Gap Analysis:** `docs/product-advisories/23-Dec-2026 - Competitor Scanner UI Breakdown.md`
- **Implementation Plan:** `docs/product-advisories/23-Dec-2026 - Implementation Summary - Competitor Gap Closure.md`
- **Sprint Details:** `docs/implplan/SPRINT_3000_0100_0001_signed_verdicts.md`
- **Schema:** `docs/schemas/stellaops-policy-verdict.v1.schema.json`
- **API Docs:** `docs/policy/verdict-attestations.md`

0
docs/product-advisories/22-Dec-2026 - Better testing strategy.md → docs/product-advisories/archived/22-Dec-2026 - Better testing strategy.md
View File