Add MongoDB storage library and update acceptance tests with deterministic stubs

- Created StellaOps.Notify.Storage.Mongo project with initial configuration. - Added expected output files for acceptance tests (at1.txt to at10.txt). - Added fixture input files for acceptance tests (at1 to at10). - Created input and signature files for test cases fc1 to fc5.
2025-12-05 22:56:01 +02:00
parent 18d87c64c5
commit 579236bfce
136 changed files with 5409 additions and 3753 deletions
--- a/docs/scripts/sbom-vex/README.md
+++ b/docs/scripts/sbom-vex/README.md
@@ -0,0 +1,15 @@
+# SBOM→VEX Offline Kit (Stub)
+
+This kit supports sprint task 6 (SBOM-VEX-GAPS-300-013).
+
+Contents (stub):
+- `verify.sh` – chain hash stub for SBOM + DSSE + Rekor + VEX
+- `chain-hash-recipe.md` – canonicalisation steps
+- `inputs.lock` – pinned tool versions and snapshot
+- `proof-manifest.json` – chain hash placeholder
+- `sbom-vex-blueprint.svg` – diagram placeholder
+
+Next steps:
+- Add real SBOM/VEX samples and Rekor bundle snapshot.
+- Produce DSSE signatures for proof manifest and scripts.
+- Include time-anchor and backpressure/error policy notes per BP1–BP10.
--- a/docs/scripts/sbom-vex/envelope.dsse
+++ b/docs/scripts/sbom-vex/envelope.dsse
@@ -0,0 +1,10 @@
+{
+  "payloadType": "application/vnd.cyclonedx+json",
+  "payload": "ewogICJib21Gb3JtYXQiOiAiQ3ljbG9uZURYIiwKICAic3BlY1ZlcnNpb24iOiAiMS41IiwKICAidmVyc2lvbiI6IDEsCiAgImNvbXBvbmVudHMiOiBbCiAgICB7InR5cGUiOiAiY29udGFpbmVyIiwgIm5hbWUiOiAiZXhhbXBsZSIsICJ2ZXJzaW9uIjogIjEuMC4wIn0KICBdCn0K",
+  "signatures": [
+    {
+      "keyid": "stub-key-id",
+      "sig": "stub-signature"
+    }
+  ]
+}
--- a/docs/scripts/sbom-vex/inputs.lock
+++ b/docs/scripts/sbom-vex/inputs.lock
@@ -0,0 +1,7 @@
+sbom_tool: "syft 1.1.0"
+vex_tool: "stella-vex 0.4.2"
+dsse_tool: "cosign 2.2.1"
+rekor_snapshot: "rekor-snapshot-2025-11-30.json"
+chain_hash_alg: "sha256"
+tz: "UTC"
+notes: "Offline kit; no live Rekor calls"
--- a/docs/scripts/sbom-vex/proof-manifest.json
+++ b/docs/scripts/sbom-vex/proof-manifest.json
@@ -0,0 +1,11 @@
+{
+  "version": "0.1.0-stub",
+  "chain_hash": "7d72ed74065e8e359af34c5bb1805fa62629e2444dbe77b89efbebe5c4ddb932",
+  "inputs": {
+    "sbom": "sbom.json",
+    "vex": "vex.json",
+    "dsse": "envelope.dsse",
+    "rekor_bundle": "rekor-bundle.json"
+  },
+  "lockfile": "inputs.lock"
+}
--- a/docs/scripts/sbom-vex/rekor-bundle.json
+++ b/docs/scripts/sbom-vex/rekor-bundle.json
@@ -0,0 +1,6 @@
+{
+  "kind": "rekor.bundle",
+  "apiVersion": "0.1.0",
+  "logIndex": 123456,
+  "payloadHash": "stub"
+}
--- a/docs/scripts/sbom-vex/sbom.json
+++ b/docs/scripts/sbom-vex/sbom.json
@@ -0,0 +1,8 @@
+{
+  "bomFormat": "CycloneDX",
+  "specVersion": "1.5",
+  "version": 1,
+  "components": [
+    {"type": "container", "name": "example", "version": "1.0.0"}
+  ]
+}
--- a/docs/scripts/sbom-vex/vex.json
+++ b/docs/scripts/sbom-vex/vex.json
@@ -0,0 +1,11 @@
+{
+  "@context": "https://openvex.dev/ns/v0.2.0",
+  "statements": [
+    {
+      "vulnerability": "CVE-2025-0001",
+      "products": ["pkg:container/example@1.0.0"],
+      "status": "not_affected",
+      "justification": "vulnerable_code_not_present"
+    }
+  ]
+}