audit work, fixed StellaOps.sln warnings/errors, fixed tests, sprints work, new advisories

2026-01-07 18:49:59 +02:00
parent 04ec098046
commit 608a7f85c0
866 changed files with 56323 additions and 6231 deletions
--- a/docs/modules/attestor/samples/sbom-vex/verify.sh
+++ b/docs/modules/attestor/samples/sbom-vex/verify.sh
@@ -0,0 +1,33 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+# Offline verifier stub for SBOM -> VEX proof bundles.
+# Expected inputs: path to DSSE envelope, Rekor log snapshot, and bundled trust roots.
+
+if [ "$#" -lt 4 ]; then
+  echo "usage: $0 <sbom.json> <vex.json> <dsse.envelope> <rekor-bundle.json>" >&2
+  exit 1
+fi
+
+SBOM="$1"
+VEX="$2"
+DSSE="$3"
+REKOR="$4"
+
+if ! command -v jq >/dev/null; then
+  echo "jq is required (offline-capable)." >&2
+  exit 2
+fi
+
+echo "[stub] canonicalising inputs..." >&2
+tmpdir=$(mktemp -d)
+trap 'rm -rf "$tmpdir"' EXIT
+
+jq -S . "$SBOM" > "$tmpdir/sbom.canon"
+jq -S . "$VEX" > "$tmpdir/vex.canon"
+jq -S . "$DSSE" > "$tmpdir/dsse.canon"
+jq -S . "$REKOR" > "$tmpdir/rekor.canon"
+
+cat "$tmpdir/sbom.canon" "$tmpdir/dsse.canon" "$tmpdir/rekor.canon" "$tmpdir/vex.canon" | sha256sum | awk '{print $1}' > "$tmpdir/proof.hash"
+echo "chain-hash (sbom+dsse+rekor+vex): $(cat "$tmpdir/proof.hash")"
+echo "[stub] verify DSSE signatures and Rekor inclusion separately; add manifests to DSSE envelope for full proof"