audit work, fixed StellaOps.sln warnings/errors, fixed tests, sprints work, new advisories

2026-01-07 18:49:59 +02:00
parent 04ec098046
commit 608a7f85c0
866 changed files with 56323 additions and 6231 deletions
--- a/docs/modules/attestor/samples/sbom-vex/README.md
+++ b/docs/modules/attestor/samples/sbom-vex/README.md
@@ -0,0 +1,15 @@
+# SBOM→VEX Offline Kit (Stub)
+
+This kit supports sprint task 6 (SBOM-VEX-GAPS-300-013).
+
+Contents (stub):
+- `verify.sh` – chain hash stub for SBOM + DSSE + Rekor + VEX
+- `chain-hash-recipe.md` – canonicalisation steps
+- `inputs.lock` – pinned tool versions and snapshot
+- `proof-manifest.json` – chain hash placeholder
+- ~~`sbom-vex-blueprint.svg`~~ – archived (empty placeholder)
+
+Next steps:
+- Add real SBOM/VEX samples and Rekor bundle snapshot.
+- Produce DSSE signatures for proof manifest and scripts.
+- Include time-anchor and backpressure/error policy notes per BP1–BP10.
--- a/docs/modules/attestor/samples/sbom-vex/chain-hash-recipe.md
+++ b/docs/modules/attestor/samples/sbom-vex/chain-hash-recipe.md
@@ -0,0 +1,25 @@
+# SBOM→VEX Chain Hash Recipe (Stub)
+
+Use with sprint task 6 (SBOM-VEX-GAPS-300-013).
+
+- Inputs: sorted SBOM documents, VEX statements, DSSE envelopes, Rekor bundle snapshot.
+- Hashing: deterministic ordering (UTF-8, LF), SHA-256 over concatenated canonical JSON.
+- Chain: derive cumulative hash for (SBOM → DSSE → Rekor → VEX) and store in proof manifest.
+- Offline: no network; bundle Rekor root + snapshot; include `inputs.lock` with tool versions.
+
+Example (stub):
+
+```bash
+sbom_files=(sbom.json)
+vex_files=(vex.json)
+dsse=envelope.dsse
+rekor=rekor-bundle.json
+
+cat "${sbom_files[@]}" | jq -S . > /tmp/sbom.canon
+cat "${vex_files[@]}" | jq -S . > /tmp/vex.canon
+cat "$dsse" | jq -S . > /tmp/dsse.canon
+cat "$rekor" | jq -S . > /tmp/rekor.canon
+
+cat /tmp/sbom.canon /tmp/dsse.canon /tmp/rekor.canon /tmp/vex.canon | sha256sum | awk '{print $1}' > proof.chainhash
+echo "chain-hash: $(cat proof.chainhash)"
+```
--- a/docs/modules/attestor/samples/sbom-vex/envelope.dsse
+++ b/docs/modules/attestor/samples/sbom-vex/envelope.dsse
@@ -0,0 +1,10 @@
+{
+  "payloadType": "application/vnd.cyclonedx+json",
+  "payload": "ewogICJib21Gb3JtYXQiOiAiQ3ljbG9uZURYIiwKICAic3BlY1ZlcnNpb24iOiAiMS41IiwKICAidmVyc2lvbiI6IDEsCiAgImNvbXBvbmVudHMiOiBbCiAgICB7InR5cGUiOiAiY29udGFpbmVyIiwgIm5hbWUiOiAiZXhhbXBsZSIsICJ2ZXJzaW9uIjogIjEuMC4wIn0KICBdCn0K",
+  "signatures": [
+    {
+      "keyid": "stub-key-id",
+      "sig": "stub-signature"
+    }
+  ]
+}
--- a/docs/modules/attestor/samples/sbom-vex/inputs.lock
+++ b/docs/modules/attestor/samples/sbom-vex/inputs.lock
@@ -0,0 +1,7 @@
+sbom_tool: "syft 1.1.0"
+vex_tool: "stella-vex 0.4.2"
+dsse_tool: "cosign 2.2.1"
+rekor_snapshot: "rekor-snapshot-2025-11-30.json"
+chain_hash_alg: "sha256"
+tz: "UTC"
+notes: "Offline kit; no live Rekor calls"
--- a/docs/modules/attestor/samples/sbom-vex/proof-manifest.json
+++ b/docs/modules/attestor/samples/sbom-vex/proof-manifest.json
@@ -0,0 +1,11 @@
+{
+  "version": "0.1.0-stub",
+  "chain_hash": "7d72ed74065e8e359af34c5bb1805fa62629e2444dbe77b89efbebe5c4ddb932",
+  "inputs": {
+    "sbom": "sbom.json",
+    "vex": "vex.json",
+    "dsse": "envelope.dsse",
+    "rekor_bundle": "rekor-bundle.json"
+  },
+  "lockfile": "inputs.lock"
+}
--- a/docs/modules/attestor/samples/sbom-vex/rekor-bundle.json
+++ b/docs/modules/attestor/samples/sbom-vex/rekor-bundle.json
@@ -0,0 +1,6 @@
+{
+  "kind": "rekor.bundle",
+  "apiVersion": "0.1.0",
+  "logIndex": 123456,
+  "payloadHash": "stub"
+}
--- a/docs/modules/attestor/samples/sbom-vex/sbom.json
+++ b/docs/modules/attestor/samples/sbom-vex/sbom.json
@@ -0,0 +1,8 @@
+{
+  "bomFormat": "CycloneDX",
+  "specVersion": "1.5",
+  "version": 1,
+  "components": [
+    {"type": "container", "name": "example", "version": "1.0.0"}
+  ]
+}
--- a/docs/modules/attestor/samples/sbom-vex/verify.sh
+++ b/docs/modules/attestor/samples/sbom-vex/verify.sh
@@ -0,0 +1,33 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+# Offline verifier stub for SBOM -> VEX proof bundles.
+# Expected inputs: path to DSSE envelope, Rekor log snapshot, and bundled trust roots.
+
+if [ "$#" -lt 4 ]; then
+  echo "usage: $0 <sbom.json> <vex.json> <dsse.envelope> <rekor-bundle.json>" >&2
+  exit 1
+fi
+
+SBOM="$1"
+VEX="$2"
+DSSE="$3"
+REKOR="$4"
+
+if ! command -v jq >/dev/null; then
+  echo "jq is required (offline-capable)." >&2
+  exit 2
+fi
+
+echo "[stub] canonicalising inputs..." >&2
+tmpdir=$(mktemp -d)
+trap 'rm -rf "$tmpdir"' EXIT
+
+jq -S . "$SBOM" > "$tmpdir/sbom.canon"
+jq -S . "$VEX" > "$tmpdir/vex.canon"
+jq -S . "$DSSE" > "$tmpdir/dsse.canon"
+jq -S . "$REKOR" > "$tmpdir/rekor.canon"
+
+cat "$tmpdir/sbom.canon" "$tmpdir/dsse.canon" "$tmpdir/rekor.canon" "$tmpdir/vex.canon" | sha256sum | awk '{print $1}' > "$tmpdir/proof.hash"
+echo "chain-hash (sbom+dsse+rekor+vex): $(cat "$tmpdir/proof.hash")"
+echo "[stub] verify DSSE signatures and Rekor inclusion separately; add manifests to DSSE envelope for full proof"
--- a/docs/modules/attestor/samples/sbom-vex/vex.json
+++ b/docs/modules/attestor/samples/sbom-vex/vex.json
@@ -0,0 +1,11 @@
+{
+  "@context": "https://openvex.dev/ns/v0.2.0",
+  "statements": [
+    {
+      "vulnerability": "CVE-2025-0001",
+      "products": ["pkg:container/example@1.0.0"],
+      "status": "not_affected",
+      "justification": "vulnerable_code_not_present"
+    }
+  ]
+}