stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 3 Releases Wiki Activity

save checkpoint

Browse Source
This commit is contained in:
master
2026-02-12 21:02:43 +02:00
parent 5bca406787
commit 9911b7d73c
593 changed files with 174390 additions and 1376 deletions
Download Patch File Download Diff File Expand all files Collapse all files

38
docs/features/checked/scanner/byos-ingestion-workflow.md Normal file
View File

@@ -0,0 +1,38 @@
# BYOS (Bring Your Own SBOM) Ingestion Workflow
## Module
Scanner
## Status
VERIFIED
## Description
Allows users to upload externally-generated SBOMs (CycloneDX 1.4-1.6, SPDX 2.3/3.0) via REST API. Includes automatic format detection, schema validation, component normalization, quality scoring (PURL/version/license coverage weighted 40/30/30), SHA-256 digest computation, and automatic scan/analysis triggering. Supports both inline JSON and base64-encoded payloads with CI context metadata.
## Implementation Details
- **Upload Endpoints**:
- `src/Scanner/StellaOps.Scanner.WebService/Endpoints/SbomUploadEndpoints.cs` - `SbomUploadEndpoints` for REST upload API
- `src/Scanner/StellaOps.Scanner.WebService/Endpoints/SbomEndpoints.cs` - Additional SBOM query endpoints
- **Contracts**:
- `src/Scanner/StellaOps.Scanner.WebService/Contracts/SbomContracts.cs` - `SbomUploadRequestDto`, `SbomUploadResponseDto`, `SbomValidationSummaryDto`, `SbomFormats`, `SbomAncestryDto`, `SbomUploadSourceDto`, `SbomUploadCiContextDto`
- **Ingestion Service**:
- `src/Scanner/StellaOps.Scanner.WebService/Services/ISbomIngestionService.cs` - `ISbomIngestionService`, `SbomIngestionResult`, `SbomValidationResult`
- `src/Scanner/StellaOps.Scanner.WebService/Services/SbomIngestionService.cs` - Format detection, schema validation, component normalization, quality scoring, digest computation
- **BYOS Upload Service**:
- `src/Scanner/StellaOps.Scanner.WebService/Services/SbomByosUploadService.cs` - `ISbomByosUploadService` / `SbomByosUploadService` for external SBOM ingestion
- **Upload Store**:
- `src/Scanner/StellaOps.Scanner.WebService/Services/SbomUploadStore.cs` - `ISbomUploadStore`, `InMemorySbomUploadStore`, `SbomUploadRecord`
## E2E Test Plan
- [ ] Upload a CycloneDX 1.6 JSON SBOM via `POST /api/v1/sbom/upload` with inline JSON payload and verify acceptance
- [ ] Upload an SPDX 2.3 SBOM via base64-encoded payload with CI context metadata and verify ingestion
- [ ] Verify automatic format detection correctly identifies CycloneDX vs SPDX format
- [ ] Verify schema validation rejects an invalid SBOM with appropriate error details
- [ ] Verify quality scoring returns PURL/version/license coverage percentages (40/30/30 weighted)
- [ ] Verify SHA-256 digest is computed and returned in the response
- [ ] Verify automatic scan/analysis is triggered after successful ingestion
- [ ] Query the uploaded SBOM status via `GET /api/v1/sbom/uploads/{id}` and verify metadata
## Verification
- Verified in `run-001` on 2026-02-12 with Tier 0/1/2 evidence in `docs/qa/feature-checks/runs/scanner/byos-ingestion-workflow/run-001/`.
- Tier 2 API checks validated CycloneDX inline upload, SPDX base64 upload, upload record retrieval, and unknown-format rejection paths.