stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity

UI work to fill SBOM sourcing management gap. UI planning remaining functionality exposure. Work on CI/Tests stabilization

Browse Source 
Introduces CGS determinism test runs to CI workflows for Windows, macOS, Linux, Alpine, and Debian, fulfilling CGS-008 cross-platform requirements. Updates local-ci scripts to support new smoke steps, test timeouts, progress intervals, and project slicing for improved test isolation and diagnostics.
This commit is contained in:
master
2025-12-29 19:12:38 +02:00
parent 41552d26ec
commit a4badc275e
286 changed files with 50918 additions and 992 deletions
Download Patch File Download Diff File Expand all files Collapse all files

168
src/SbomService/StellaOps.SbomService/Controllers/LineageController.cs Normal file
View File

@@ -0,0 +1,168 @@
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using StellaOps.SbomService.Lineage.Domain;
using StellaOps.SbomService.Lineage.Services;
namespace StellaOps.SbomService.Controllers;
/// <summary>
/// API endpoints for SBOM lineage graph operations.
/// </summary>
[ApiController]
[Route("api/v1/lineage")]
[Authorize(Policy = "sbom:read")]
public sealed class LineageController : ControllerBase
{
private readonly ILineageGraphService _lineageService;
private readonly ILogger<LineageController> _logger;
public LineageController(
ILineageGraphService lineageService,
ILogger<LineageController> logger)
{
_lineageService = lineageService;
_logger = logger;
}
/// <summary>
/// Get the lineage graph for an artifact.
/// </summary>
/// <param name="artifactDigest">The artifact digest (sha256:...).</param>
/// <param name="maxDepth">Maximum graph traversal depth (default: 10).</param>
/// <param name="includeVerdicts">Include VEX verdict enrichment (default: true).</param>
/// <param name="includeBadges">Include badge metadata (default: true).</param>
/// <param name="ct">Cancellation token.</param>
/// <returns>Lineage graph with nodes and edges.</returns>
[HttpGet("{artifactDigest}")]
[ProducesResponseType<LineageGraphResponse>(StatusCodes.Status200OK)]
[ProducesResponseType(StatusCodes.Status404NotFound)]
[ProducesResponseType(StatusCodes.Status400BadRequest)]
public async Task<IActionResult> GetLineage(
string artifactDigest,
[FromQuery] int maxDepth = 10,
[FromQuery] bool includeVerdicts = true,
[FromQuery] bool includeBadges = true,
CancellationToken ct = default)
{
if (string.IsNullOrWhiteSpace(artifactDigest))
return BadRequest(new { error = "ARTIFACT_DIGEST_REQUIRED" });
if (maxDepth < 1 || maxDepth > 50)
return BadRequest(new { error = "INVALID_MAX_DEPTH", message = "maxDepth must be between 1 and 50" });
var tenantId = GetTenantId();
if (tenantId == Guid.Empty)
return Unauthorized();
var options = new LineageQueryOptions(
MaxDepth: maxDepth,
IncludeVerdicts: includeVerdicts,
IncludeBadges: includeBadges
);
try
{
var result = await _lineageService.GetLineageAsync(artifactDigest, tenantId, options, ct);
if (result.Graph.Nodes.Count == 0)
return NotFound(new { error = "LINEAGE_NOT_FOUND", artifactDigest });
return Ok(result);
}
catch (Exception ex)
{
_logger.LogError(ex, "Failed to get lineage for {Digest}", artifactDigest);
return StatusCode(500, new { error = "INTERNAL_ERROR" });
}
}
/// <summary>
/// Get differences between two artifact versions.
/// </summary>
/// <param name="from">Source artifact digest.</param>
/// <param name="to">Target artifact digest.</param>
/// <param name="ct">Cancellation token.</param>
/// <returns>Diff containing SBOM, VEX, and reachability changes.</returns>
[HttpGet("diff")]
[ProducesResponseType<LineageDiffResponse>(StatusCodes.Status200OK)]
[ProducesResponseType(StatusCodes.Status400BadRequest)]
public async Task<IActionResult> GetDiff(
[FromQuery] string from,
[FromQuery] string to,
CancellationToken ct = default)
{
if (string.IsNullOrWhiteSpace(from) || string.IsNullOrWhiteSpace(to))
return BadRequest(new { error = "FROM_AND_TO_REQUIRED" });
if (from.Equals(to, StringComparison.Ordinal))
return BadRequest(new { error = "IDENTICAL_DIGESTS", message = "from and to must be different" });
var tenantId = GetTenantId();
if (tenantId == Guid.Empty)
return Unauthorized();
try
{
var result = await _lineageService.GetDiffAsync(from, to, tenantId, ct);
return Ok(result);
}
catch (Exception ex)
{
_logger.LogError(ex, "Failed to compute diff {From} -> {To}", from, to);
return StatusCode(500, new { error = "INTERNAL_ERROR" });
}
}
/// <summary>
/// Export an evidence pack for an artifact.
/// </summary>
/// <param name="request">Export request parameters.</param>
/// <param name="ct">Cancellation token.</param>
/// <returns>Download URL and metadata for the evidence pack.</returns>
[HttpPost("export")]
[Authorize(Policy = "lineage:export")]
[ProducesResponseType<ExportResult>(StatusCodes.Status200OK)]
[ProducesResponseType(StatusCodes.Status400BadRequest)]
[ProducesResponseType(StatusCodes.Status413RequestEntityTooLarge)]
public async Task<IActionResult> Export(
[FromBody] ExportRequest request,
CancellationToken ct = default)
{
if (string.IsNullOrWhiteSpace(request.ArtifactDigest))
return BadRequest(new { error = "ARTIFACT_DIGEST_REQUIRED" });
if (request.MaxDepth < 1 || request.MaxDepth > 10)
return BadRequest(new { error = "INVALID_MAX_DEPTH", message = "maxDepth must be between 1 and 10" });
var tenantId = GetTenantId();
if (tenantId == Guid.Empty)
return Unauthorized();
try
{
var result = await _lineageService.ExportEvidencePackAsync(request, tenantId, ct);
// Check size limit (50MB)
const long maxSizeBytes = 50 * 1024 * 1024;
if (result.SizeBytes > maxSizeBytes)
return StatusCode(413, new { error = "EXPORT_TOO_LARGE", maxSizeBytes, actualSize = result.SizeBytes });
return Ok(result);
}
catch (Exception ex)
{
_logger.LogError(ex, "Failed to export evidence pack for {Digest}", request.ArtifactDigest);
return StatusCode(500, new { error = "INTERNAL_ERROR" });
}
}
/// <summary>
/// Get tenant ID from HTTP context (placeholder).
/// </summary>
private Guid GetTenantId()
{
// TODO: Extract from claims or headers
// For now, return a placeholder
return Guid.Parse("00000000-0000-0000-0000-000000000001");
}
}

50
src/SbomService/StellaOps.SbomService/Models/LineageExportModels.cs Normal file
View File

@@ -0,0 +1,50 @@
// -----------------------------------------------------------------------------
// LineageExportModels.cs
// Sprint: SPRINT_20251229_005_001_BE_sbom_lineage_api (LIN-010)
// Task: Evidence pack export models
// -----------------------------------------------------------------------------
namespace StellaOps.SbomService.Models;
/// <summary>
/// Request to export an evidence pack for a lineage comparison.
/// </summary>
internal sealed record LineageExportRequest
{
public required string FromDigest { get; init; }
public required string ToDigest { get; init; }
public required string TenantId { get; init; }
public bool IncludeSbomDiff { get; init; } = true;
public bool IncludeVexDeltas { get; init; } = true;
public bool IncludeReachabilityDiff { get; init; } = false;
public bool IncludeAttestations { get; init; } = true;
public bool SignWithKeyless { get; init; } = false;
}
/// <summary>
/// Response containing evidence pack download URL.
/// </summary>
internal sealed record LineageExportResponse
{
public required string ExportId { get; init; }
public required string DownloadUrl { get; init; }
public required DateTimeOffset ExpiresAt { get; init; }
public required long SizeBytes { get; init; }
public string? SignatureDigest { get; init; }
}
/// <summary>
/// Evidence pack structure (NDJSON format).
/// </summary>
internal sealed record EvidencePack
{
public required string Version { get; init; }
public required string FromDigest { get; init; }
public required string ToDigest { get; init; }
public required DateTimeOffset GeneratedAt { get; init; }
public required string ReplayHash { get; init; }
public SbomDiffSummary? SbomDiff { get; init; }
public IReadOnlyList<VexDeltaSummary>? VexDeltas { get; init; }
public object? ReachabilityDiff { get; init; }
public IReadOnlyList<string>? AttestationDigests { get; init; }
}

38
src/SbomService/StellaOps.SbomService/Program.cs
View File

@@ -91,6 +91,9 @@ builder.Services.AddSingleton<ISbomLineageGraphService, SbomLineageGraphService>
// LIN-BE-028: Lineage compare service
builder.Services.AddSingleton<ILineageCompareService, LineageCompareService>();
// LIN-010: Lineage export service for evidence packs
builder.Services.AddSingleton<ILineageExportService, LineageExportService>();
// LIN-BE-023: Replay hash service
builder.Services.AddSingleton<IReplayHashService, ReplayHashService>();
@@ -824,6 +827,41 @@ app.MapGet("/api/v1/lineage/{artifactDigest}/parents", async Task<IResult> (
return Results.Ok(new { childDigest = artifactDigest.Trim(), parents });
});
app.MapPost("/api/v1/lineage/export", async Task<IResult> (
[FromServices] ILineageExportService exportService,
[FromBody] LineageExportRequest request,
CancellationToken cancellationToken) =>
{
if (string.IsNullOrWhiteSpace(request.FromDigest) || string.IsNullOrWhiteSpace(request.ToDigest))
{
return Results.BadRequest(new { error = "fromDigest and toDigest are required" });
}
if (string.IsNullOrWhiteSpace(request.TenantId))
{
return Results.BadRequest(new { error = "tenantId is required" });
}
using var activity = SbomTracing.Source.StartActivity("lineage.export", ActivityKind.Server);
activity?.SetTag("tenant", request.TenantId);
activity?.SetTag("from_digest", request.FromDigest);
activity?.SetTag("to_digest", request.ToDigest);
var result = await exportService.ExportAsync(request, cancellationToken);
if (result is null)
{
return Results.StatusCode(500);
}
if (result.SizeBytes > 50 * 1024 * 1024)
{
return Results.StatusCode(413); // Payload Too Large
}
return Results.Ok(result);
});
// -----------------------------------------------------------------------------
// Lineage Compare API (LIN-BE-028)
// Sprint: SPRINT_20251228_007_BE_sbom_lineage_graph_ii

25
src/SbomService/StellaOps.SbomService/Services/ILineageExportService.cs Normal file
View File

@@ -0,0 +1,25 @@
// -----------------------------------------------------------------------------
// ILineageExportService.cs
// Sprint: SPRINT_20251229_005_001_BE_sbom_lineage_api (LIN-010)
// Task: Evidence pack export service interface
// -----------------------------------------------------------------------------
using StellaOps.SbomService.Models;
namespace StellaOps.SbomService.Services;
/// <summary>
/// Service for exporting lineage evidence packs.
/// </summary>
internal interface ILineageExportService
{
/// <summary>
/// Generate and export an evidence pack for a lineage comparison.
/// </summary>
/// <param name="request">Export request with digest range and options.</param>
/// <param name="ct">Cancellation token.</param>
/// <returns>Export response with download URL and metadata.</returns>
Task<LineageExportResponse?> ExportAsync(
LineageExportRequest request,
CancellationToken ct = default);
}

131
src/SbomService/StellaOps.SbomService/Services/LineageExportService.cs Normal file
View File

@@ -0,0 +1,131 @@
// -----------------------------------------------------------------------------
// LineageExportService.cs
// Sprint: SPRINT_20251229_005_001_BE_sbom_lineage_api (LIN-010)
// Task: Evidence pack export service implementation
// -----------------------------------------------------------------------------
using System.Security.Cryptography;
using System.Text;
using System.Text.Json;
using Microsoft.Extensions.Logging;
using StellaOps.SbomService.Models;
namespace StellaOps.SbomService.Services;
/// <summary>
/// Implementation of <see cref="ILineageExportService"/>.
/// Generates signed evidence packs for lineage comparisons.
/// </summary>
internal sealed class LineageExportService : ILineageExportService
{
private readonly ISbomLineageGraphService _lineageService;
private readonly IReplayHashService? _replayHashService;
private readonly ILogger<LineageExportService> _logger;
private const long MaxExportSizeBytes = 50 * 1024 * 1024; // 50MB limit
public LineageExportService(
ISbomLineageGraphService lineageService,
ILogger<LineageExportService> logger,
IReplayHashService? replayHashService = null)
{
_lineageService = lineageService;
_logger = logger;
_replayHashService = replayHashService;
}
public async Task<LineageExportResponse?> ExportAsync(
LineageExportRequest request,
CancellationToken ct = default)
{
// Get lineage diff
var diff = await _lineageService.GetLineageDiffAsync(
request.FromDigest,
request.ToDigest,
request.TenantId,
ct).ConfigureAwait(false);
if (diff is null)
{
_logger.LogWarning(
"Export failed: lineage diff not found for {From} -> {To}",
request.FromDigest,
request.ToDigest);
return null;
}
// Build evidence pack
var evidencePack = new EvidencePack
{
Version = "1.0",
FromDigest = request.FromDigest,
ToDigest = request.ToDigest,
GeneratedAt = DateTimeOffset.UtcNow,
ReplayHash = diff.ReplayHash ?? ComputeFallbackHash(request.FromDigest, request.ToDigest),
SbomDiff = request.IncludeSbomDiff ? diff.SbomDiff?.Summary : null,
VexDeltas = request.IncludeVexDeltas ? diff.VexDiff : null,
ReachabilityDiff = request.IncludeReachabilityDiff ? diff.ReachabilityDiff : null,
AttestationDigests = request.IncludeAttestations ? Array.Empty<string>() : null
};
// Serialize to JSON
var json = JsonSerializer.Serialize(evidencePack, new JsonSerializerOptions
{
WriteIndented = false,
PropertyNamingPolicy = JsonNamingPolicy.CamelCase
});
var sizeBytes = Encoding.UTF8.GetByteCount(json);
// Check size limit
if (sizeBytes > MaxExportSizeBytes)
{
_logger.LogWarning(
"Export size {Size} exceeds limit {Limit} for {From} -> {To}",
sizeBytes,
MaxExportSizeBytes,
request.FromDigest,
request.ToDigest);
return null;
}
// Generate export ID and URL
var exportId = Guid.NewGuid().ToString("N");
var downloadUrl = $"/api/v1/lineage/export/{exportId}/download";
var expiresAt = DateTimeOffset.UtcNow.AddHours(24);
// TODO: Store evidence pack for retrieval (file system, blob storage, etc.)
// For now, return metadata only
_logger.LogInformation(
"Evidence pack exported: {ExportId}, size={Size}, from={From}, to={To}",
exportId,
sizeBytes,
request.FromDigest,
request.ToDigest);
return new LineageExportResponse
{
ExportId = exportId,
DownloadUrl = downloadUrl,
ExpiresAt = expiresAt,
SizeBytes = sizeBytes,
SignatureDigest = request.SignWithKeyless
? ComputeSignatureDigest(json)
: null
};
}
private static string ComputeFallbackHash(string fromDigest, string toDigest)
{
var input = $"{fromDigest}:{toDigest}:{DateTimeOffset.UtcNow:O}";
var bytes = Encoding.UTF8.GetBytes(input);
var hashBytes = SHA256.HashData(bytes);
return Convert.ToHexString(hashBytes).ToLowerInvariant();
}
private static string ComputeSignatureDigest(string content)
{
var bytes = Encoding.UTF8.GetBytes(content);
var hashBytes = SHA256.HashData(bytes);
return $"sha256:{Convert.ToHexString(hashBytes).ToLowerInvariant()}";
}
}

257
src/SbomService/StellaOps.SbomService/Services/ValkeyLineageCompareCache.cs Normal file
View File

@@ -0,0 +1,257 @@
// -----------------------------------------------------------------------------
// ValkeyLineageCompareCache.cs
// Sprint: SPRINT_20251229_005_001_BE_sbom_lineage_api (LIN-012)
// Task: Implement Valkey compare cache
// Description: Valkey/Redis implementation of lineage compare cache with 10-minute TTL.
// -----------------------------------------------------------------------------
using System.Diagnostics;
using System.Text.Json;
using Microsoft.Extensions.Caching.Distributed;
using Microsoft.Extensions.Logging;
using Microsoft.Extensions.Options;
namespace StellaOps.SbomService.Services;
/// <summary>
/// Valkey/Redis implementation of <see cref="ILineageCompareCache"/> using IDistributedCache.
/// Provides distributed caching for lineage compare results with TTL-based expiration.
/// </summary>
internal sealed class ValkeyLineageCompareCache : ILineageCompareCache
{
private static readonly ActivitySource ActivitySource = new("StellaOps.SbomService.CompareCache");
private readonly IDistributedCache _cache;
private readonly ILogger<ValkeyLineageCompareCache> _logger;
private readonly CompareCacheOptions _options;
private long _cacheHits;
private long _cacheMisses;
private long _invalidations;
private static readonly JsonSerializerOptions JsonOptions = new()
{
PropertyNamingPolicy = JsonNamingPolicy.CamelCase,
WriteIndented = false
};
public ValkeyLineageCompareCache(
IDistributedCache cache,
ILogger<ValkeyLineageCompareCache> logger,
IOptions<CompareCacheOptions> options)
{
_cache = cache ?? throw new ArgumentNullException(nameof(cache));
_logger = logger ?? throw new ArgumentNullException(nameof(logger));
_options = options?.Value ?? new CompareCacheOptions();
_logger.LogInformation(
"Valkey compare cache initialized with TTL {TtlMinutes} minutes",
_options.DefaultTtlMinutes);
}
/// <inheritdoc />
public async Task<LineageCompareResponse?> GetAsync(
string fromDigest,
string toDigest,
string tenantId,
CancellationToken ct = default)
{
if (!_options.Enabled)
{
return null;
}
var key = BuildCacheKey(fromDigest, toDigest, tenantId);
using var activity = ActivitySource.StartActivity("CompareCache.Get");
activity?.SetTag("cache_key", key);
activity?.SetTag("backend", "valkey");
try
{
var cached = await _cache.GetStringAsync(key, ct).ConfigureAwait(false);
if (cached != null)
{
Interlocked.Increment(ref _cacheHits);
activity?.SetTag("cache_hit", true);
_logger.LogDebug(
"Cache hit for compare {FromDigest} -> {ToDigest}",
TruncateDigest(fromDigest), TruncateDigest(toDigest));
return JsonSerializer.Deserialize<LineageCompareResponse>(cached, JsonOptions);
}
Interlocked.Increment(ref _cacheMisses);
activity?.SetTag("cache_hit", false);
_logger.LogDebug(
"Cache miss for compare {FromDigest} -> {ToDigest}",
TruncateDigest(fromDigest), TruncateDigest(toDigest));
return null;
}
catch (Exception ex)
{
_logger.LogWarning(ex, "Failed to get compare result from cache");
Interlocked.Increment(ref _cacheMisses);
return null;
}
}
/// <inheritdoc />
public async Task SetAsync(
string fromDigest,
string toDigest,
string tenantId,
LineageCompareResponse result,
TimeSpan? ttl = null,
CancellationToken ct = default)
{
if (!_options.Enabled)
{
return;
}
var key = BuildCacheKey(fromDigest, toDigest, tenantId);
var effectiveTtl = ttl ?? TimeSpan.FromMinutes(_options.DefaultTtlMinutes);
using var activity = ActivitySource.StartActivity("CompareCache.Set");
activity?.SetTag("cache_key", key);
activity?.SetTag("ttl_seconds", effectiveTtl.TotalSeconds);
activity?.SetTag("backend", "valkey");
try
{
var json = JsonSerializer.Serialize(result, JsonOptions);
var cacheOptions = new DistributedCacheEntryOptions
{
AbsoluteExpirationRelativeToNow = effectiveTtl
};
await _cache.SetStringAsync(key, json, cacheOptions, ct).ConfigureAwait(false);
_logger.LogDebug(
"Cached compare result for {FromDigest} -> {ToDigest} with TTL {Ttl}",
TruncateDigest(fromDigest), TruncateDigest(toDigest), effectiveTtl);
}
catch (Exception ex)
{
_logger.LogWarning(ex, "Failed to set compare result in cache");
}
}
/// <inheritdoc />
public async Task<int> InvalidateForArtifactAsync(
string artifactDigest,
string tenantId,
CancellationToken ct = default)
{
if (!_options.Enabled)
{
return 0;
}
using var activity = ActivitySource.StartActivity("CompareCache.InvalidateArtifact");
activity?.SetTag("artifact_digest", TruncateDigest(artifactDigest));
activity?.SetTag("tenant_id", tenantId);
activity?.SetTag("backend", "valkey");
// Note: Full pattern-based invalidation requires direct Redis/Valkey client access
// with SCAN command. IDistributedCache doesn't support pattern-based deletion.
// For now, we rely on TTL expiration. This can be enhanced when using
// StackExchange.Redis directly.
_logger.LogDebug(
"Artifact invalidation requested for {ArtifactDigest} (relying on TTL with IDistributedCache)",
TruncateDigest(artifactDigest));
Interlocked.Increment(ref _invalidations);
// Return 0 to indicate we're relying on TTL expiration
// In a full implementation with direct Redis access, we would:
// 1. SCAN for keys matching pattern: lineage:compare:{tenantId}:*{artifactDigest}*
// 2. DEL each matching key
// 3. Return count of deleted keys
return 0;
}
/// <inheritdoc />
public async Task<int> InvalidateForTenantAsync(
string tenantId,
CancellationToken ct = default)
{
if (!_options.Enabled)
{
return 0;
}
using var activity = ActivitySource.StartActivity("CompareCache.InvalidateTenant");
activity?.SetTag("tenant_id", tenantId);
activity?.SetTag("backend", "valkey");
// Same limitation as InvalidateForArtifactAsync - pattern deletion requires
// direct Redis client access. Relying on TTL expiration.
_logger.LogDebug(
"Tenant invalidation requested for {TenantId} (relying on TTL with IDistributedCache)",
tenantId);
Interlocked.Increment(ref _invalidations);
return 0;
}
/// <inheritdoc />
public CompareCacheStats GetStats()
{
return new CompareCacheStats
{
TotalEntries = -1, // Unknown with IDistributedCache (would need direct Redis access)
CacheHits = Interlocked.Read(ref _cacheHits),
CacheMisses = Interlocked.Read(ref _cacheMisses),
Invalidations = Interlocked.Read(ref _invalidations),
EstimatedMemoryBytes = -1 // Unknown with IDistributedCache
};
}
private static string BuildCacheKey(string fromDigest, string toDigest, string tenantId)
{
// Normalize: always use smaller digest first for bidirectional lookup
var (first, second) = string.CompareOrdinal(fromDigest, toDigest) <= 0
? (fromDigest, toDigest)
: (toDigest, fromDigest);
// Shorten digests for key efficiency
var firstShort = GetDigestShort(first);
var secondShort = GetDigestShort(second);
// Format: lineage:compare:{tenantId}:{digest1_short}:{digest2_short}
return $"lineage:compare:{tenantId}:{firstShort}:{secondShort}";
}
private static string GetDigestShort(string digest)
{
// Extract first 16 chars after algorithm prefix for shorter key
var colonIndex = digest.IndexOf(':');
if (colonIndex >= 0 && digest.Length > colonIndex + 16)
{
return digest[(colonIndex + 1)..(colonIndex + 17)];
}
return digest.Length > 16 ? digest[..16] : digest;
}
private static string TruncateDigest(string digest)
{
if (string.IsNullOrEmpty(digest)) return digest;
var colonIndex = digest.IndexOf(':');
if (colonIndex >= 0 && digest.Length > colonIndex + 12)
{
return $"{digest[..(colonIndex + 13)]}...";
}
return digest.Length > 16 ? $"{digest[..16]}..." : digest;
}
}

2
src/SbomService/StellaOps.SbomService/StellaOps.SbomService.csproj
View File

@@ -14,6 +14,8 @@
<ProjectReference Include="../../__Libraries/StellaOps.DependencyInjection/StellaOps.DependencyInjection.csproj" />
<!-- LIN-BE-028: Lineage compare service needs VEX delta repository -->
<ProjectReference Include="../../Excititor/__Libraries/StellaOps.Excititor.Persistence/StellaOps.Excititor.Persistence.csproj" />
<!-- SPRINT_20251229_005_001_BE: Lineage API -->
<ProjectReference Include="../__Libraries/StellaOps.SbomService.Lineage/StellaOps.SbomService.Lineage.csproj" />
</ItemGroup>
<ItemGroup>

31
src/SbomService/__Libraries/StellaOps.SbomService.Lineage/DependencyInjection/ServiceCollectionExtensions.cs Normal file
View File

@@ -0,0 +1,31 @@
using Microsoft.Extensions.DependencyInjection;
using StellaOps.SbomService.Lineage.Persistence;
using StellaOps.SbomService.Lineage.Repositories;
using StellaOps.SbomService.Lineage.Services;
namespace StellaOps.SbomService.Lineage.DependencyInjection;
/// <summary>
/// Dependency injection extensions for lineage services.
/// </summary>
public static class ServiceCollectionExtensions
{
/// <summary>
/// Add SBOM lineage services to the container.
/// </summary>
public static IServiceCollection AddLineageServices(this IServiceCollection services)
{
// Data source
services.AddSingleton<LineageDataSource>();
// Repositories
services.AddScoped<ISbomLineageEdgeRepository, SbomLineageEdgeRepository>();
services.AddScoped<IVexDeltaRepository, VexDeltaRepository>();
services.AddScoped<ISbomVerdictLinkRepository, SbomVerdictLinkRepository>();
// Services
services.AddScoped<ILineageGraphService, LineageGraphService>();
return services;
}
}

117
src/SbomService/__Libraries/StellaOps.SbomService.Lineage/Domain/LineageModels.cs Normal file
View File

@@ -0,0 +1,117 @@
namespace StellaOps.SbomService.Lineage.Domain;
/// <summary>
/// Represents a node in the SBOM lineage graph.
/// </summary>
public sealed record LineageNode(
string ArtifactDigest,
Guid? SbomVersionId,
long SequenceNumber,
DateTimeOffset CreatedAt,
LineageNodeMetadata? Metadata);
/// <summary>
/// Metadata associated with a lineage node.
/// </summary>
public sealed record LineageNodeMetadata(
string? ImageReference,
string? Repository,
string? Tag,
string? CommitSha,
Dictionary<string, string>? Labels);
/// <summary>
/// Represents an edge in the SBOM lineage graph.
/// </summary>
public sealed record LineageEdge(
Guid Id,
string ParentDigest,
string ChildDigest,
LineageRelationship Relationship,
Guid TenantId,
DateTimeOffset CreatedAt);
/// <summary>
/// Type of relationship between two SBOM versions.
/// </summary>
public enum LineageRelationship
{
/// <summary>
/// General parent-child relationship (ancestor).
/// </summary>
Parent,
/// <summary>
/// Built from relationship (e.g., multi-stage builds).
/// </summary>
Build,
/// <summary>
/// Container base image relationship.
/// </summary>
Base
}
/// <summary>
/// Complete lineage graph with nodes and edges.
/// </summary>
public sealed record LineageGraph(
IReadOnlyList<LineageNode> Nodes,
IReadOnlyList<LineageEdge> Edges);
/// <summary>
/// VEX status delta between two SBOM versions.
/// </summary>
public sealed record VexDelta(
Guid Id,
Guid TenantId,
string FromArtifactDigest,
string ToArtifactDigest,
string Cve,
VexStatus FromStatus,
VexStatus ToStatus,
VexDeltaRationale Rationale,
string ReplayHash,
string? AttestationDigest,
DateTimeOffset CreatedAt);
/// <summary>
/// VEX status values.
/// </summary>
public enum VexStatus
{
Unknown,
UnderInvestigation,
Affected,
NotAffected,
Fixed
}
/// <summary>
/// Rationale explaining a VEX status transition.
/// </summary>
public sealed record VexDeltaRationale(
string Reason,
IReadOnlyList<string> EvidencePointers,
Dictionary<string, string>? Metadata);
/// <summary>
/// Link between SBOM version and VEX consensus verdict.
/// </summary>
public sealed record SbomVerdictLink(
Guid SbomVersionId,
string Cve,
Guid ConsensusProjectionId,
VexStatus VerdictStatus,
decimal ConfidenceScore,
Guid TenantId,
DateTimeOffset LinkedAt);
/// <summary>
/// Options for lineage graph queries.
/// </summary>
public sealed record LineageQueryOptions(
int MaxDepth = 10,
bool IncludeVerdicts = true,
bool IncludeBadges = true,
bool IncludeReachability = false);

27
src/SbomService/__Libraries/StellaOps.SbomService.Lineage/Persistence/LineageDataSource.cs Normal file
View File

@@ -0,0 +1,27 @@
using Microsoft.Extensions.Logging;
using Microsoft.Extensions.Options;
using StellaOps.Infrastructure.Postgres.Connections;
using StellaOps.Infrastructure.Postgres.Options;
namespace StellaOps.SbomService.Lineage.Persistence;
/// <summary>
/// Data source for SBOM lineage database operations.
/// </summary>
public sealed class LineageDataSource : DataSourceBase
{
/// <summary>
/// Default schema name for lineage tables.
/// </summary>
public const string DefaultSchemaName = "sbom";
public LineageDataSource(
IOptions<PostgresOptions> options,
ILogger<LineageDataSource> logger)
: base(options.Value, logger)
{
}
/// <inheritdoc />
protected override string ModuleName => "SbomLineage";
}

113
src/SbomService/__Libraries/StellaOps.SbomService.Lineage/Persistence/Migrations/00001_InitialSchema.sql Normal file
View File

@@ -0,0 +1,113 @@
-- ============================================================================
-- SbomService.Lineage - Initial Schema (Pre-v1.0 Baseline)
-- Date: 2025-12-29
-- Sprint: SPRINT_20251229_005_001_BE_sbom_lineage_api
-- Description: Consolidated baseline schema for SBOM lineage tracking
-- ============================================================================
-- ----------------------------------------------------------------------------
-- 1. SBOM Lineage Edges Table
-- ----------------------------------------------------------------------------
CREATE TABLE IF NOT EXISTS sbom.sbom_lineage_edges (
id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
parent_digest TEXT NOT NULL,
child_digest TEXT NOT NULL,
relationship TEXT NOT NULL CHECK (relationship IN ('parent', 'build', 'base')),
tenant_id UUID NOT NULL,
created_at TIMESTAMPTZ NOT NULL DEFAULT NOW(),
CONSTRAINT uq_lineage_edge UNIQUE (parent_digest, child_digest, tenant_id)
);
-- Indexes for efficient lineage traversal
CREATE INDEX IF NOT EXISTS idx_lineage_edges_parent ON sbom.sbom_lineage_edges(parent_digest, tenant_id);
CREATE INDEX IF NOT EXISTS idx_lineage_edges_child ON sbom.sbom_lineage_edges(child_digest, tenant_id);
CREATE INDEX IF NOT EXISTS idx_lineage_edges_created ON sbom.sbom_lineage_edges(tenant_id, created_at DESC);
CREATE INDEX IF NOT EXISTS idx_lineage_edges_relationship ON sbom.sbom_lineage_edges(relationship, tenant_id);
-- RLS Policy for tenant isolation
ALTER TABLE sbom.sbom_lineage_edges ENABLE ROW LEVEL SECURITY;
CREATE POLICY IF NOT EXISTS lineage_edges_tenant_isolation ON sbom.sbom_lineage_edges
FOR ALL
USING (tenant_id = current_setting('app.current_tenant_id', true)::UUID);
-- Comments
COMMENT ON TABLE sbom.sbom_lineage_edges IS 'SBOM lineage relationships for tracking artifact evolution';
COMMENT ON COLUMN sbom.sbom_lineage_edges.relationship IS 'Type of relationship: parent (ancestor), build (built from), base (container base image)';
-- ----------------------------------------------------------------------------
-- 2. VEX Deltas Table
-- ----------------------------------------------------------------------------
CREATE TABLE IF NOT EXISTS vex.vex_deltas (
id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
tenant_id UUID NOT NULL,
from_artifact_digest TEXT NOT NULL,
to_artifact_digest TEXT NOT NULL,
cve TEXT NOT NULL,
from_status TEXT NOT NULL CHECK (from_status IN ('affected', 'not_affected', 'fixed', 'under_investigation', 'unknown')),
to_status TEXT NOT NULL CHECK (to_status IN ('affected', 'not_affected', 'fixed', 'under_investigation', 'unknown')),
rationale JSONB NOT NULL DEFAULT '{}',
replay_hash TEXT NOT NULL,
attestation_digest TEXT,
created_at TIMESTAMPTZ NOT NULL DEFAULT NOW(),
CONSTRAINT uq_vex_delta UNIQUE (tenant_id, from_artifact_digest, to_artifact_digest, cve)
);
-- Indexes for common query patterns
CREATE INDEX IF NOT EXISTS idx_vex_deltas_to ON vex.vex_deltas(to_artifact_digest, tenant_id);
CREATE INDEX IF NOT EXISTS idx_vex_deltas_from ON vex.vex_deltas(from_artifact_digest, tenant_id);
CREATE INDEX IF NOT EXISTS idx_vex_deltas_cve ON vex.vex_deltas(cve, tenant_id);
CREATE INDEX IF NOT EXISTS idx_vex_deltas_created ON vex.vex_deltas(tenant_id, created_at DESC);
CREATE INDEX IF NOT EXISTS idx_vex_deltas_status_change ON vex.vex_deltas(tenant_id, from_status, to_status)
WHERE from_status != to_status;
-- RLS Policy
ALTER TABLE vex.vex_deltas ENABLE ROW LEVEL SECURITY;
CREATE POLICY IF NOT EXISTS vex_deltas_tenant_isolation ON vex.vex_deltas
FOR ALL
USING (tenant_id = current_setting('app.current_tenant_id', true)::UUID);
-- Comments
COMMENT ON TABLE vex.vex_deltas IS 'VEX status transitions between SBOM versions for audit and lineage';
COMMENT ON COLUMN vex.vex_deltas.replay_hash IS 'Deterministic hash for verdict reproducibility';
COMMENT ON COLUMN vex.vex_deltas.rationale IS 'JSON explaining the status transition with evidence pointers';
-- ----------------------------------------------------------------------------
-- 3. SBOM Verdict Links Table
-- ----------------------------------------------------------------------------
CREATE TABLE IF NOT EXISTS sbom.sbom_verdict_links (
sbom_version_id UUID NOT NULL,
cve TEXT NOT NULL,
consensus_projection_id UUID NOT NULL,
verdict_status TEXT NOT NULL CHECK (verdict_status IN ('affected', 'not_affected', 'fixed', 'under_investigation', 'unknown')),
confidence_score DECIMAL(5,4) NOT NULL CHECK (confidence_score >= 0 AND confidence_score <= 1),
tenant_id UUID NOT NULL,
linked_at TIMESTAMPTZ NOT NULL DEFAULT NOW(),
PRIMARY KEY (sbom_version_id, cve, tenant_id)
);
-- Indexes for efficient queries
CREATE INDEX IF NOT EXISTS idx_verdict_links_cve ON sbom.sbom_verdict_links(cve, tenant_id);
CREATE INDEX IF NOT EXISTS idx_verdict_links_projection ON sbom.sbom_verdict_links(consensus_projection_id);
CREATE INDEX IF NOT EXISTS idx_verdict_links_sbom_version ON sbom.sbom_verdict_links(sbom_version_id, tenant_id);
CREATE INDEX IF NOT EXISTS idx_verdict_links_status ON sbom.sbom_verdict_links(verdict_status, tenant_id);
CREATE INDEX IF NOT EXISTS idx_verdict_links_confidence ON sbom.sbom_verdict_links(tenant_id, confidence_score DESC);
-- RLS Policy
ALTER TABLE sbom.sbom_verdict_links ENABLE ROW LEVEL SECURITY;
CREATE POLICY IF NOT EXISTS verdict_links_tenant_isolation ON sbom.sbom_verdict_links
FOR ALL
USING (tenant_id = current_setting('app.current_tenant_id', true)::UUID);
-- Comments
COMMENT ON TABLE sbom.sbom_verdict_links IS 'Links SBOM versions to VEX consensus verdicts for efficient querying';
COMMENT ON COLUMN sbom.sbom_verdict_links.confidence_score IS 'Confidence score from VexLens consensus engine (0.0 to 1.0)';
COMMENT ON COLUMN sbom.sbom_verdict_links.consensus_projection_id IS 'Reference to VexLens consensus projection record';

59
src/SbomService/__Libraries/StellaOps.SbomService.Lineage/Repositories/ISbomLineageEdgeRepository.cs Normal file
View File

@@ -0,0 +1,59 @@
using StellaOps.SbomService.Lineage.Domain;
namespace StellaOps.SbomService.Lineage.Repositories;
/// <summary>
/// Repository for SBOM lineage edges.
/// </summary>
public interface ISbomLineageEdgeRepository
{
/// <summary>
/// Get the complete lineage graph for an artifact.
/// </summary>
/// <param name="artifactDigest">The artifact digest to query.</param>
/// <param name="tenantId">Tenant ID for isolation.</param>
/// <param name="maxDepth">Maximum traversal depth.</param>
/// <param name="ct">Cancellation token.</param>
/// <returns>Lineage graph with nodes and edges.</returns>
ValueTask<LineageGraph> GetGraphAsync(
string artifactDigest,
Guid tenantId,
int maxDepth,
CancellationToken ct = default);
/// <summary>
/// Get parent edges for an artifact.
/// </summary>
ValueTask<IReadOnlyList<LineageEdge>> GetParentsAsync(
string childDigest,
Guid tenantId,
CancellationToken ct = default);
/// <summary>
/// Get child edges for an artifact.
/// </summary>
ValueTask<IReadOnlyList<LineageEdge>> GetChildrenAsync(
string parentDigest,
Guid tenantId,
CancellationToken ct = default);
/// <summary>
/// Add a new lineage edge.
/// </summary>
ValueTask<LineageEdge> AddEdgeAsync(
string parentDigest,
string childDigest,
LineageRelationship relationship,
Guid tenantId,
CancellationToken ct = default);
/// <summary>
/// Check if a lineage path exists between two artifacts.
/// </summary>
ValueTask<bool> PathExistsAsync(
string fromDigest,
string toDigest,
Guid tenantId,
int maxDepth = 10,
CancellationToken ct = default);
}

56
src/SbomService/__Libraries/StellaOps.SbomService.Lineage/Repositories/ISbomVerdictLinkRepository.cs Normal file
View File

@@ -0,0 +1,56 @@
using StellaOps.SbomService.Lineage.Domain;
namespace StellaOps.SbomService.Lineage.Repositories;
/// <summary>
/// Repository for SBOM-to-VEX verdict links.
/// </summary>
public interface ISbomVerdictLinkRepository
{
/// <summary>
/// Add a new verdict link.
/// </summary>
ValueTask<SbomVerdictLink> AddAsync(SbomVerdictLink link, CancellationToken ct = default);
/// <summary>
/// Get all verdict links for an SBOM version.
/// </summary>
ValueTask<IReadOnlyList<SbomVerdictLink>> GetBySbomVersionAsync(
Guid sbomVersionId,
Guid tenantId,
CancellationToken ct = default);
/// <summary>
/// Get verdict link for a specific CVE in an SBOM version.
/// </summary>
ValueTask<SbomVerdictLink?> GetByCveAsync(
Guid sbomVersionId,
string cve,
Guid tenantId,
CancellationToken ct = default);
/// <summary>
/// Get all SBOM versions affected by a CVE.
/// </summary>
ValueTask<IReadOnlyList<SbomVerdictLink>> GetByCveAcrossVersionsAsync(
string cve,
Guid tenantId,
int limit = 100,
CancellationToken ct = default);
/// <summary>
/// Batch add verdict links for an SBOM version.
/// </summary>
ValueTask BatchAddAsync(
IReadOnlyList<SbomVerdictLink> links,
CancellationToken ct = default);
/// <summary>
/// Get high-confidence affected verdicts for an SBOM version.
/// </summary>
ValueTask<IReadOnlyList<SbomVerdictLink>> GetHighConfidenceAffectedAsync(
Guid sbomVersionId,
Guid tenantId,
decimal minConfidence = 0.8m,
CancellationToken ct = default);
}

48
src/SbomService/__Libraries/StellaOps.SbomService.Lineage/Repositories/IVexDeltaRepository.cs Normal file
View File

@@ -0,0 +1,48 @@
using StellaOps.SbomService.Lineage.Domain;
namespace StellaOps.SbomService.Lineage.Repositories;
/// <summary>
/// Repository for VEX status deltas.
/// </summary>
public interface IVexDeltaRepository
{
/// <summary>
/// Add a new VEX delta record.
/// </summary>
ValueTask<VexDelta> AddAsync(VexDelta delta, CancellationToken ct = default);
/// <summary>
/// Get all deltas between two artifact versions.
/// </summary>
ValueTask<IReadOnlyList<VexDelta>> GetDeltasAsync(
string fromDigest,
string toDigest,
Guid tenantId,
CancellationToken ct = default);
/// <summary>
/// Get deltas for a specific CVE across versions.
/// </summary>
ValueTask<IReadOnlyList<VexDelta>> GetDeltasByCveAsync(
string cve,
Guid tenantId,
int limit = 100,
CancellationToken ct = default);
/// <summary>
/// Get all deltas targeting a specific artifact version.
/// </summary>
ValueTask<IReadOnlyList<VexDelta>> GetDeltasToArtifactAsync(
string toDigest,
Guid tenantId,
CancellationToken ct = default);
/// <summary>
/// Get deltas showing status changes (not identity transitions).
/// </summary>
ValueTask<IReadOnlyList<VexDelta>> GetStatusChangesAsync(
string artifactDigest,
Guid tenantId,
CancellationToken ct = default);
}

289
src/SbomService/__Libraries/StellaOps.SbomService.Lineage/Repositories/SbomLineageEdgeRepository.cs Normal file
View File

@@ -0,0 +1,289 @@
using Microsoft.Extensions.Logging;
using StellaOps.Infrastructure.Postgres.Repositories;
using StellaOps.SbomService.Lineage.Domain;
using StellaOps.SbomService.Lineage.Persistence;
namespace StellaOps.SbomService.Lineage.Repositories;
/// <summary>
/// PostgreSQL implementation of SBOM lineage edge repository.
/// </summary>
public sealed class SbomLineageEdgeRepository : RepositoryBase<LineageDataSource>, ISbomLineageEdgeRepository
{
private const string Schema = "sbom";
private const string Table = "sbom_lineage_edges";
private const string FullTable = $"{Schema}.{Table}";
public SbomLineageEdgeRepository(
LineageDataSource dataSource,
ILogger<SbomLineageEdgeRepository> logger)
: base(dataSource, logger)
{
}
public async ValueTask<LineageGraph> GetGraphAsync(
string artifactDigest,
Guid tenantId,
int maxDepth,
CancellationToken ct = default)
{
// BFS traversal with depth limit
var visited = new HashSet<string>(StringComparer.Ordinal);
var queue = new Queue<(string Digest, int Depth)>();
queue.Enqueue((artifactDigest, 0));
var nodes = new List<LineageNode>();
var edges = new List<LineageEdge>();
var edgeIds = new HashSet<Guid>();
while (queue.Count > 0)
{
var (current, depth) = queue.Dequeue();
if (depth > maxDepth || !visited.Add(current))
continue;
// Get node metadata (if exists in SBOM versions table)
var node = await GetNodeAsync(current, tenantId, ct);
if (node != null)
nodes.Add(node);
// Get children edges
var children = await GetChildrenAsync(current, tenantId, ct);
foreach (var edge in children)
{
if (edgeIds.Add(edge.Id))
{
edges.Add(edge);
queue.Enqueue((edge.ChildDigest, depth + 1));
}
}
// Get parent edges
var parents = await GetParentsAsync(current, tenantId, ct);
foreach (var edge in parents)
{
if (edgeIds.Add(edge.Id))
{
edges.Add(edge);
queue.Enqueue((edge.ParentDigest, depth + 1));
}
}
}
// Deterministic ordering per architecture spec
return new LineageGraph(
Nodes: nodes
.OrderByDescending(n => n.SequenceNumber)
.ThenByDescending(n => n.CreatedAt)
.ToList(),
Edges: edges
.OrderBy(e => e.ParentDigest, StringComparer.Ordinal)
.ThenBy(e => e.ChildDigest, StringComparer.Ordinal)
.ThenBy(e => e.Relationship)
.ToList()
);
}
public async ValueTask<IReadOnlyList<LineageEdge>> GetParentsAsync(
string childDigest,
Guid tenantId,
CancellationToken ct = default)
{
const string sql = $"""
SELECT id, parent_digest, child_digest, relationship, tenant_id, created_at
FROM {FullTable}
WHERE child_digest = @childDigest AND tenant_id = @tenantId
ORDER BY created_at DESC
""";
return await QueryAsync(
tenantId.ToString(),
sql,
cmd =>
{
AddParameter(cmd, "childDigest", childDigest);
AddParameter(cmd, "tenantId", tenantId);
},
MapEdge,
ct);
}
public async ValueTask<IReadOnlyList<LineageEdge>> GetChildrenAsync(
string parentDigest,
Guid tenantId,
CancellationToken ct = default)
{
const string sql = $"""
SELECT id, parent_digest, child_digest, relationship, tenant_id, created_at
FROM {FullTable}
WHERE parent_digest = @parentDigest AND tenant_id = @tenantId
ORDER BY created_at DESC
""";
return await QueryAsync(
tenantId.ToString(),
sql,
cmd =>
{
AddParameter(cmd, "parentDigest", parentDigest);
AddParameter(cmd, "tenantId", tenantId);
},
MapEdge,
ct);
}
public async ValueTask<LineageEdge> AddEdgeAsync(
string parentDigest,
string childDigest,
LineageRelationship relationship,
Guid tenantId,
CancellationToken ct = default)
{
const string sql = $"""
INSERT INTO {FullTable} (parent_digest, child_digest, relationship, tenant_id)
VALUES (@parentDigest, @childDigest, @relationship, @tenantId)
ON CONFLICT (parent_digest, child_digest, tenant_id) DO NOTHING
RETURNING id, parent_digest, child_digest, relationship, tenant_id, created_at
""";
var result = await QuerySingleOrDefaultAsync(
tenantId.ToString(),
sql,
cmd =>
{
AddParameter(cmd, "parentDigest", parentDigest);
AddParameter(cmd, "childDigest", childDigest);
AddParameter(cmd, "relationship", relationship.ToString().ToLowerInvariant());
AddParameter(cmd, "tenantId", tenantId);
},
MapEdge,
ct);
if (result == null)
{
// Edge already exists, fetch it
const string fetchSql = $"""
SELECT id, parent_digest, child_digest, relationship, tenant_id, created_at
FROM {FullTable}
WHERE parent_digest = @parentDigest
AND child_digest = @childDigest
AND tenant_id = @tenantId
""";
result = await QuerySingleOrDefaultAsync(
tenantId.ToString(),
fetchSql,
cmd =>
{
AddParameter(cmd, "parentDigest", parentDigest);
AddParameter(cmd, "childDigest", childDigest);
AddParameter(cmd, "tenantId", tenantId);
},
MapEdge,
ct);
}
return result ?? throw new InvalidOperationException("Failed to create or retrieve lineage edge");
}
public async ValueTask<bool> PathExistsAsync(
string fromDigest,
string toDigest,
Guid tenantId,
int maxDepth = 10,
CancellationToken ct = default)
{
// Simple BFS to check if path exists
var visited = new HashSet<string>(StringComparer.Ordinal);
var queue = new Queue<(string Digest, int Depth)>();
queue.Enqueue((fromDigest, 0));
while (queue.Count > 0)
{
var (current, depth) = queue.Dequeue();
if (current.Equals(toDigest, StringComparison.Ordinal))
return true;
if (depth >= maxDepth || !visited.Add(current))
continue;
var children = await GetChildrenAsync(current, tenantId, ct);
foreach (var edge in children)
queue.Enqueue((edge.ChildDigest, depth + 1));
var parents = await GetParentsAsync(current, tenantId, ct);
foreach (var edge in parents)
queue.Enqueue((edge.ParentDigest, depth + 1));
}
return false;
}
private async ValueTask<LineageNode?> GetNodeAsync(
string artifactDigest,
Guid tenantId,
CancellationToken ct)
{
// Query sbom.sbom_versions table for node metadata
// This assumes the table exists - adjust based on actual schema
const string sql = """
SELECT id, artifact_digest, sequence_number, created_at
FROM sbom.sbom_versions
WHERE artifact_digest = @digest AND tenant_id = @tenantId
LIMIT 1
""";
try
{
return await QuerySingleOrDefaultAsync(
tenantId.ToString(),
sql,
cmd =>
{
AddParameter(cmd, "digest", artifactDigest);
AddParameter(cmd, "tenantId", tenantId);
},
reader => new LineageNode(
ArtifactDigest: reader.GetString(reader.GetOrdinal("artifact_digest")),
SbomVersionId: reader.GetGuid(reader.GetOrdinal("id")),
SequenceNumber: reader.GetInt64(reader.GetOrdinal("sequence_number")),
CreatedAt: reader.GetFieldValue<DateTimeOffset>(reader.GetOrdinal("created_at")),
Metadata: null // TODO: Extract from labels/metadata columns
),
ct);
}
catch
{
// If sbom_versions doesn't exist or has different schema, return minimal node
return new LineageNode(
ArtifactDigest: artifactDigest,
SbomVersionId: null,
SequenceNumber: 0,
CreatedAt: DateTimeOffset.UtcNow,
Metadata: null
);
}
}
private static LineageEdge MapEdge(System.Data.Common.DbDataReader reader)
{
var relationshipStr = reader.GetString(reader.GetOrdinal("relationship"));
var relationship = relationshipStr.ToLowerInvariant() switch
{
"parent" => LineageRelationship.Parent,
"build" => LineageRelationship.Build,
"base" => LineageRelationship.Base,
_ => throw new InvalidOperationException($"Unknown relationship: {relationshipStr}")
};
return new LineageEdge(
Id: reader.GetGuid(reader.GetOrdinal("id")),
ParentDigest: reader.GetString(reader.GetOrdinal("parent_digest")),
ChildDigest: reader.GetString(reader.GetOrdinal("child_digest")),
Relationship: relationship,
TenantId: reader.GetGuid(reader.GetOrdinal("tenant_id")),
CreatedAt: reader.GetFieldValue<DateTimeOffset>(reader.GetOrdinal("created_at"))
);
}
}

211
src/SbomService/__Libraries/StellaOps.SbomService.Lineage/Repositories/SbomVerdictLinkRepository.cs Normal file
View File

@@ -0,0 +1,211 @@
using Microsoft.Extensions.Logging;
using StellaOps.Infrastructure.Postgres.Repositories;
using StellaOps.SbomService.Lineage.Domain;
using StellaOps.SbomService.Lineage.Persistence;
namespace StellaOps.SbomService.Lineage.Repositories;
/// <summary>
/// PostgreSQL implementation of SBOM verdict link repository.
/// </summary>
public sealed class SbomVerdictLinkRepository : RepositoryBase<LineageDataSource>, ISbomVerdictLinkRepository
{
private const string Schema = "sbom";
private const string Table = "sbom_verdict_links";
private const string FullTable = $"{Schema}.{Table}";
public SbomVerdictLinkRepository(
LineageDataSource dataSource,
ILogger<SbomVerdictLinkRepository> logger)
: base(dataSource, logger)
{
}
public async ValueTask<SbomVerdictLink> AddAsync(SbomVerdictLink link, CancellationToken ct = default)
{
const string sql = $"""
INSERT INTO {FullTable} (
sbom_version_id, cve, consensus_projection_id,
verdict_status, confidence_score, tenant_id
)
VALUES (
@sbomVersionId, @cve, @projectionId,
@status, @confidence, @tenantId
)
ON CONFLICT (sbom_version_id, cve, tenant_id)
DO UPDATE SET
consensus_projection_id = EXCLUDED.consensus_projection_id,
verdict_status = EXCLUDED.verdict_status,
confidence_score = EXCLUDED.confidence_score,
linked_at = NOW()
RETURNING sbom_version_id, cve, consensus_projection_id,
verdict_status, confidence_score, tenant_id, linked_at
""";
var result = await QuerySingleOrDefaultAsync(
link.TenantId.ToString(),
sql,
cmd =>
{
AddParameter(cmd, "sbomVersionId", link.SbomVersionId);
AddParameter(cmd, "cve", link.Cve);
AddParameter(cmd, "projectionId", link.ConsensusProjectionId);
AddParameter(cmd, "status", link.VerdictStatus.ToString().ToLowerInvariant());
AddParameter(cmd, "confidence", link.ConfidenceScore);
AddParameter(cmd, "tenantId", link.TenantId);
},
MapLink,
ct);
return result ?? throw new InvalidOperationException("Failed to add verdict link");
}
public async ValueTask<IReadOnlyList<SbomVerdictLink>> GetBySbomVersionAsync(
Guid sbomVersionId,
Guid tenantId,
CancellationToken ct = default)
{
const string sql = $"""
SELECT sbom_version_id, cve, consensus_projection_id,
verdict_status, confidence_score, tenant_id, linked_at
FROM {FullTable}
WHERE sbom_version_id = @sbomVersionId AND tenant_id = @tenantId
ORDER BY cve ASC
""";
return await QueryAsync(
tenantId.ToString(),
sql,
cmd =>
{
AddParameter(cmd, "sbomVersionId", sbomVersionId);
AddParameter(cmd, "tenantId", tenantId);
},
MapLink,
ct);
}
public async ValueTask<SbomVerdictLink?> GetByCveAsync(
Guid sbomVersionId,
string cve,
Guid tenantId,
CancellationToken ct = default)
{
const string sql = $"""
SELECT sbom_version_id, cve, consensus_projection_id,
verdict_status, confidence_score, tenant_id, linked_at
FROM {FullTable}
WHERE sbom_version_id = @sbomVersionId
AND cve = @cve
AND tenant_id = @tenantId
""";
return await QuerySingleOrDefaultAsync(
tenantId.ToString(),
sql,
cmd =>
{
AddParameter(cmd, "sbomVersionId", sbomVersionId);
AddParameter(cmd, "cve", cve);
AddParameter(cmd, "tenantId", tenantId);
},
MapLink,
ct);
}
public async ValueTask<IReadOnlyList<SbomVerdictLink>> GetByCveAcrossVersionsAsync(
string cve,
Guid tenantId,
int limit = 100,
CancellationToken ct = default)
{
var sql = $"""
SELECT sbom_version_id, cve, consensus_projection_id,
verdict_status, confidence_score, tenant_id, linked_at
FROM {FullTable}
WHERE cve = @cve AND tenant_id = @tenantId
ORDER BY linked_at DESC
LIMIT @limit
""";
return await QueryAsync(
tenantId.ToString(),
sql,
cmd =>
{
AddParameter(cmd, "cve", cve);
AddParameter(cmd, "tenantId", tenantId);
AddParameter(cmd, "limit", limit);
},
MapLink,
ct);
}
public async ValueTask BatchAddAsync(
IReadOnlyList<SbomVerdictLink> links,
CancellationToken ct = default)
{
if (links.Count == 0)
return;
// Simple batch insert - could be optimized with COPY later
foreach (var link in links)
{
await AddAsync(link, ct);
}
}
public async ValueTask<IReadOnlyList<SbomVerdictLink>> GetHighConfidenceAffectedAsync(
Guid sbomVersionId,
Guid tenantId,
decimal minConfidence = 0.8m,
CancellationToken ct = default)
{
const string sql = $"""
SELECT sbom_version_id, cve, consensus_projection_id,
verdict_status, confidence_score, tenant_id, linked_at
FROM {FullTable}
WHERE sbom_version_id = @sbomVersionId
AND tenant_id = @tenantId
AND verdict_status = 'affected'
AND confidence_score >= @minConfidence
ORDER BY confidence_score DESC, cve ASC
""";
return await QueryAsync(
tenantId.ToString(),
sql,
cmd =>
{
AddParameter(cmd, "sbomVersionId", sbomVersionId);
AddParameter(cmd, "tenantId", tenantId);
AddParameter(cmd, "minConfidence", minConfidence);
},
MapLink,
ct);
}
private static SbomVerdictLink MapLink(System.Data.Common.DbDataReader reader)
{
var statusStr = reader.GetString(reader.GetOrdinal("verdict_status"));
var status = statusStr.ToLowerInvariant() switch
{
"unknown" => VexStatus.Unknown,
"under_investigation" => VexStatus.UnderInvestigation,
"affected" => VexStatus.Affected,
"not_affected" => VexStatus.NotAffected,
"fixed" => VexStatus.Fixed,
_ => throw new InvalidOperationException($"Unknown status: {statusStr}")
};
return new SbomVerdictLink(
SbomVersionId: reader.GetGuid(reader.GetOrdinal("sbom_version_id")),
Cve: reader.GetString(reader.GetOrdinal("cve")),
ConsensusProjectionId: reader.GetGuid(reader.GetOrdinal("consensus_projection_id")),
VerdictStatus: status,
ConfidenceScore: reader.GetDecimal(reader.GetOrdinal("confidence_score")),
TenantId: reader.GetGuid(reader.GetOrdinal("tenant_id")),
LinkedAt: reader.GetFieldValue<DateTimeOffset>(reader.GetOrdinal("linked_at"))
);
}
}

234
src/SbomService/__Libraries/StellaOps.SbomService.Lineage/Repositories/VexDeltaRepository.cs Normal file
View File

@@ -0,0 +1,234 @@
using System.Text.Json;
using Microsoft.Extensions.Logging;
using StellaOps.Infrastructure.Postgres.Repositories;
using StellaOps.SbomService.Lineage.Domain;
using StellaOps.SbomService.Lineage.Persistence;
namespace StellaOps.SbomService.Lineage.Repositories;
/// <summary>
/// PostgreSQL implementation of VEX delta repository.
/// </summary>
public sealed class VexDeltaRepository : RepositoryBase<LineageDataSource>, IVexDeltaRepository
{
private const string Schema = "vex";
private const string Table = "vex_deltas";
private const string FullTable = $"{Schema}.{Table}";
public VexDeltaRepository(
LineageDataSource dataSource,
ILogger<VexDeltaRepository> logger)
: base(dataSource, logger)
{
}
public async ValueTask<VexDelta> AddAsync(VexDelta delta, CancellationToken ct = default)
{
const string sql = $"""
INSERT INTO {FullTable} (
tenant_id, from_artifact_digest, to_artifact_digest, cve,
from_status, to_status, rationale, replay_hash, attestation_digest
)
VALUES (
@tenantId, @fromDigest, @toDigest, @cve,
@fromStatus, @toStatus, @rationale::jsonb, @replayHash, @attestationDigest
)
ON CONFLICT (tenant_id, from_artifact_digest, to_artifact_digest, cve)
DO UPDATE SET
to_status = EXCLUDED.to_status,
rationale = EXCLUDED.rationale,
replay_hash = EXCLUDED.replay_hash,
attestation_digest = EXCLUDED.attestation_digest
RETURNING id, tenant_id, from_artifact_digest, to_artifact_digest, cve,
from_status, to_status, rationale, replay_hash, attestation_digest, created_at
""";
var result = await QuerySingleOrDefaultAsync(
delta.TenantId.ToString(),
sql,
cmd =>
{
AddParameter(cmd, "tenantId", delta.TenantId);
AddParameter(cmd, "fromDigest", delta.FromArtifactDigest);
AddParameter(cmd, "toDigest", delta.ToArtifactDigest);
AddParameter(cmd, "cve", delta.Cve);
AddParameter(cmd, "fromStatus", delta.FromStatus.ToString().ToLowerInvariant());
AddParameter(cmd, "toStatus", delta.ToStatus.ToString().ToLowerInvariant());
AddParameter(cmd, "rationale", SerializeRationale(delta.Rationale));
AddParameter(cmd, "replayHash", delta.ReplayHash);
AddParameter(cmd, "attestationDigest", (object?)delta.AttestationDigest ?? DBNull.Value);
},
MapDelta,
ct);
return result ?? throw new InvalidOperationException("Failed to add VEX delta");
}
public async ValueTask<IReadOnlyList<VexDelta>> GetDeltasAsync(
string fromDigest,
string toDigest,
Guid tenantId,
CancellationToken ct = default)
{
const string sql = $"""
SELECT id, tenant_id, from_artifact_digest, to_artifact_digest, cve,
from_status, to_status, rationale, replay_hash, attestation_digest, created_at
FROM {FullTable}
WHERE from_artifact_digest = @fromDigest
AND to_artifact_digest = @toDigest
AND tenant_id = @tenantId
ORDER BY cve ASC
""";
return await QueryAsync(
tenantId.ToString(),
sql,
cmd =>
{
AddParameter(cmd, "fromDigest", fromDigest);
AddParameter(cmd, "toDigest", toDigest);
AddParameter(cmd, "tenantId", tenantId);
},
MapDelta,
ct);
}
public async ValueTask<IReadOnlyList<VexDelta>> GetDeltasByCveAsync(
string cve,
Guid tenantId,
int limit = 100,
CancellationToken ct = default)
{
var sql = $"""
SELECT id, tenant_id, from_artifact_digest, to_artifact_digest, cve,
from_status, to_status, rationale, replay_hash, attestation_digest, created_at
FROM {FullTable}
WHERE cve = @cve AND tenant_id = @tenantId
ORDER BY created_at DESC
LIMIT @limit
""";
return await QueryAsync(
tenantId.ToString(),
sql,
cmd =>
{
AddParameter(cmd, "cve", cve);
AddParameter(cmd, "tenantId", tenantId);
AddParameter(cmd, "limit", limit);
},
MapDelta,
ct);
}
public async ValueTask<IReadOnlyList<VexDelta>> GetDeltasToArtifactAsync(
string toDigest,
Guid tenantId,
CancellationToken ct = default)
{
const string sql = $"""
SELECT id, tenant_id, from_artifact_digest, to_artifact_digest, cve,
from_status, to_status, rationale, replay_hash, attestation_digest, created_at
FROM {FullTable}
WHERE to_artifact_digest = @toDigest AND tenant_id = @tenantId
ORDER BY created_at DESC, cve ASC
""";
return await QueryAsync(
tenantId.ToString(),
sql,
cmd =>
{
AddParameter(cmd, "toDigest", toDigest);
AddParameter(cmd, "tenantId", tenantId);
},
MapDelta,
ct);
}
public async ValueTask<IReadOnlyList<VexDelta>> GetStatusChangesAsync(
string artifactDigest,
Guid tenantId,
CancellationToken ct = default)
{
const string sql = $"""
SELECT id, tenant_id, from_artifact_digest, to_artifact_digest, cve,
from_status, to_status, rationale, replay_hash, attestation_digest, created_at
FROM {FullTable}
WHERE (from_artifact_digest = @digest OR to_artifact_digest = @digest)
AND from_status != to_status
AND tenant_id = @tenantId
ORDER BY created_at DESC
""";
return await QueryAsync(
tenantId.ToString(),
sql,
cmd =>
{
AddParameter(cmd, "digest", artifactDigest);
AddParameter(cmd, "tenantId", tenantId);
},
MapDelta,
ct);
}
private static VexDelta MapDelta(System.Data.Common.DbDataReader reader)
{
var fromStatusStr = reader.GetString(reader.GetOrdinal("from_status"));
var toStatusStr = reader.GetString(reader.GetOrdinal("to_status"));
return new VexDelta(
Id: reader.GetGuid(reader.GetOrdinal("id")),
TenantId: reader.GetGuid(reader.GetOrdinal("tenant_id")),
FromArtifactDigest: reader.GetString(reader.GetOrdinal("from_artifact_digest")),
ToArtifactDigest: reader.GetString(reader.GetOrdinal("to_artifact_digest")),
Cve: reader.GetString(reader.GetOrdinal("cve")),
FromStatus: ParseStatus(fromStatusStr),
ToStatus: ParseStatus(toStatusStr),
Rationale: DeserializeRationale(reader.GetString(reader.GetOrdinal("rationale"))),
ReplayHash: reader.GetString(reader.GetOrdinal("replay_hash")),
AttestationDigest: reader.IsDBNull(reader.GetOrdinal("attestation_digest"))
? null
: reader.GetString(reader.GetOrdinal("attestation_digest")),
CreatedAt: reader.GetFieldValue<DateTimeOffset>(reader.GetOrdinal("created_at"))
);
}
private static VexStatus ParseStatus(string status) => status.ToLowerInvariant() switch
{
"unknown" => VexStatus.Unknown,
"under_investigation" => VexStatus.UnderInvestigation,
"affected" => VexStatus.Affected,
"not_affected" => VexStatus.NotAffected,
"fixed" => VexStatus.Fixed,
_ => throw new InvalidOperationException($"Unknown VEX status: {status}")
};
private static string SerializeRationale(VexDeltaRationale rationale)
{
var jsonObj = new
{
reason = rationale.Reason,
evidence_pointers = rationale.EvidencePointers,
metadata = rationale.Metadata
};
return JsonSerializer.Serialize(jsonObj);
}
private static VexDeltaRationale DeserializeRationale(string json)
{
using var doc = JsonDocument.Parse(json);
var root = doc.RootElement;
return new VexDeltaRationale(
Reason: root.TryGetProperty("reason", out var reasonProp) ? reasonProp.GetString() ?? "" : "",
EvidencePointers: root.TryGetProperty("evidence_pointers", out var evidenceProp)
? evidenceProp.EnumerateArray().Select(e => e.GetString() ?? "").ToList()
: [],
Metadata: root.TryGetProperty("metadata", out var metaProp)
? JsonSerializer.Deserialize<Dictionary<string, string>>(metaProp.GetRawText())
: null
);
}
}

116
src/SbomService/__Libraries/StellaOps.SbomService.Lineage/Services/ILineageGraphService.cs Normal file
View File

@@ -0,0 +1,116 @@
using StellaOps.SbomService.Lineage.Domain;
namespace StellaOps.SbomService.Lineage.Services;
/// <summary>
/// Service for querying and analyzing SBOM lineage graphs.
/// </summary>
public interface ILineageGraphService
{
/// <summary>
/// Get the complete lineage graph for an artifact.
/// </summary>
ValueTask<LineageGraphResponse> GetLineageAsync(
string artifactDigest,
Guid tenantId,
LineageQueryOptions options,
CancellationToken ct = default);
/// <summary>
/// Compute differences between two artifact versions (SBOM + VEX + reachability).
/// </summary>
ValueTask<LineageDiffResponse> GetDiffAsync(
string fromDigest,
string toDigest,
Guid tenantId,
CancellationToken ct = default);
/// <summary>
/// Generate a signed evidence pack for export.
/// </summary>
ValueTask<ExportResult> ExportEvidencePackAsync(
ExportRequest request,
Guid tenantId,
CancellationToken ct = default);
}
/// <summary>
/// Response containing lineage graph with enriched metadata.
/// </summary>
public sealed record LineageGraphResponse(
LineageGraph Graph,
Dictionary<string, NodeEnrichment> Enrichment);
/// <summary>
/// Enriched metadata for a lineage node.
/// </summary>
public sealed record NodeEnrichment(
int VulnerabilityCount,
int HighSeverityCount,
int AffectedCount,
IReadOnlyList<string> TopCves);
/// <summary>
/// Response containing differences between two versions.
/// </summary>
public sealed record LineageDiffResponse(
string FromDigest,
string ToDigest,
SbomDiff SbomDifferences,
VexDiff VexDifferences,
ReachabilityDiff? ReachabilityDifferences);
/// <summary>
/// SBOM component differences.
/// </summary>
public sealed record SbomDiff(
IReadOnlyList<ComponentChange> Added,
IReadOnlyList<ComponentChange> Removed,
IReadOnlyList<ComponentChange> Modified);
/// <summary>
/// Component change in SBOM.
/// </summary>
public sealed record ComponentChange(
string Name,
string? FromVersion,
string? ToVersion,
string Ecosystem);
/// <summary>
/// VEX status differences.
/// </summary>
public sealed record VexDiff(
IReadOnlyList<VexDelta> StatusChanges,
int NewVulnerabilities,
int ResolvedVulnerabilities,
int AffectedToNotAffected,
int NotAffectedToAffected);
/// <summary>
/// Reachability differences (optional).
/// </summary>
public sealed record ReachabilityDiff(
int NewReachable,
int NewUnreachable,
IReadOnlyList<string> NewlyReachableCves);
/// <summary>
/// Export request for evidence packs.
/// </summary>
public sealed record ExportRequest(
string ArtifactDigest,
bool IncludeLineage,
bool IncludeVerdicts,
bool IncludeReachability,
bool SignWithSigstore,
int MaxDepth = 5);
/// <summary>
/// Result of evidence pack export.
/// </summary>
public sealed record ExportResult(
string DownloadUrl,
DateTimeOffset ExpiresAt,
long SizeBytes,
string? SignatureDigest);

196
src/SbomService/__Libraries/StellaOps.SbomService.Lineage/Services/LineageGraphService.cs Normal file
View File

@@ -0,0 +1,196 @@
using Microsoft.Extensions.Caching.Distributed;
using Microsoft.Extensions.Logging;
using StellaOps.SbomService.Lineage.Domain;
using StellaOps.SbomService.Lineage.Repositories;
using System.Text.Json;
namespace StellaOps.SbomService.Lineage.Services;
/// <summary>
/// Implementation of lineage graph service with caching and enrichment.
/// </summary>
public sealed class LineageGraphService : ILineageGraphService
{
private readonly ISbomLineageEdgeRepository _edgeRepository;
private readonly IVexDeltaRepository _deltaRepository;
private readonly ISbomVerdictLinkRepository _verdictRepository;
private readonly IDistributedCache? _cache;
private readonly ILogger<LineageGraphService> _logger;
private static readonly TimeSpan CacheExpiry = TimeSpan.FromMinutes(10);
private static readonly JsonSerializerOptions SerializerOptions = new(JsonSerializerDefaults.Web);
public LineageGraphService(
ISbomLineageEdgeRepository edgeRepository,
IVexDeltaRepository deltaRepository,
ISbomVerdictLinkRepository verdictRepository,
ILogger<LineageGraphService> logger,
IDistributedCache? cache = null)
{
_edgeRepository = edgeRepository;
_deltaRepository = deltaRepository;
_verdictRepository = verdictRepository;
_cache = cache;
_logger = logger;
}
public async ValueTask<LineageGraphResponse> GetLineageAsync(
string artifactDigest,
Guid tenantId,
LineageQueryOptions options,
CancellationToken ct = default)
{
// Try cache first
var cacheKey = $"lineage:{tenantId}:{artifactDigest}:{options.MaxDepth}";
if (_cache != null)
{
var cached = await _cache.GetStringAsync(cacheKey, ct);
if (cached != null)
{
var response = JsonSerializer.Deserialize<LineageGraphResponse>(cached, SerializerOptions);
if (response != null)
{
_logger.LogDebug("Cache hit for lineage {Digest}", artifactDigest);
return response;
}
}
}
// Build graph
var graph = await _edgeRepository.GetGraphAsync(artifactDigest, tenantId, options.MaxDepth, ct);
// Enrich with verdict data if requested
var enrichment = new Dictionary<string, NodeEnrichment>();
if (options.IncludeVerdicts)
{
foreach (var node in graph.Nodes.Where(n => n.SbomVersionId.HasValue))
{
var verdicts = await _verdictRepository.GetBySbomVersionAsync(
node.SbomVersionId!.Value,
tenantId,
ct);
var affected = verdicts.Where(v => v.VerdictStatus == VexStatus.Affected).ToList();
var high = affected.Where(v => v.ConfidenceScore >= 0.8m).ToList();
enrichment[node.ArtifactDigest] = new NodeEnrichment(
VulnerabilityCount: verdicts.Count,
HighSeverityCount: high.Count,
AffectedCount: affected.Count,
TopCves: affected
.OrderByDescending(v => v.ConfidenceScore)
.Take(5)
.Select(v => v.Cve)
.ToList()
);
}
}
var result = new LineageGraphResponse(graph, enrichment);
// Cache the result
if (_cache != null)
{
var json = JsonSerializer.Serialize(result, SerializerOptions);
await _cache.SetStringAsync(cacheKey, json, new DistributedCacheEntryOptions
{
AbsoluteExpirationRelativeToNow = CacheExpiry
}, ct);
}
return result;
}
public async ValueTask<LineageDiffResponse> GetDiffAsync(
string fromDigest,
string toDigest,
Guid tenantId,
CancellationToken ct = default)
{
// Try cache first
var cacheKey = $"lineage:compare:{tenantId}:{fromDigest}:{toDigest}";
if (_cache != null)
{
var cached = await _cache.GetStringAsync(cacheKey, ct);
if (cached != null)
{
var response = JsonSerializer.Deserialize<LineageDiffResponse>(cached, SerializerOptions);
if (response != null)
{
_logger.LogDebug("Cache hit for diff {From} -> {To}", fromDigest, toDigest);
return response;
}
}
}
// Get VEX deltas
var deltas = await _deltaRepository.GetDeltasAsync(fromDigest, toDigest, tenantId, ct);
var statusChanges = deltas.Where(d => d.FromStatus != d.ToStatus).ToList();
var newVulns = deltas.Count(d => d.FromStatus == VexStatus.Unknown && d.ToStatus == VexStatus.Affected);
var resolved = deltas.Count(d => d.FromStatus == VexStatus.Affected && d.ToStatus == VexStatus.Fixed);
var affectedToNot = deltas.Count(d => d.FromStatus == VexStatus.Affected && d.ToStatus == VexStatus.NotAffected);
var notToAffected = deltas.Count(d => d.FromStatus == VexStatus.NotAffected && d.ToStatus == VexStatus.Affected);
var vexDiff = new VexDiff(
StatusChanges: statusChanges,
NewVulnerabilities: newVulns,
ResolvedVulnerabilities: resolved,
AffectedToNotAffected: affectedToNot,
NotAffectedToAffected: notToAffected
);
// TODO: Implement SBOM diff by comparing component lists
var sbomDiff = new SbomDiff([], [], []);
// TODO: Implement reachability diff if requested
ReachabilityDiff? reachDiff = null;
var result = new LineageDiffResponse(
FromDigest: fromDigest,
ToDigest: toDigest,
SbomDifferences: sbomDiff,
VexDifferences: vexDiff,
ReachabilityDifferences: reachDiff
);
// Cache the result
if (_cache != null)
{
var json = JsonSerializer.Serialize(result, SerializerOptions);
await _cache.SetStringAsync(cacheKey, json, new DistributedCacheEntryOptions
{
AbsoluteExpirationRelativeToNow = CacheExpiry
}, ct);
}
return result;
}
public async ValueTask<ExportResult> ExportEvidencePackAsync(
ExportRequest request,
Guid tenantId,
CancellationToken ct = default)
{
_logger.LogInformation("Exporting evidence pack for {Digest}", request.ArtifactDigest);
// TODO: Implement evidence pack generation
// 1. Get lineage graph if requested
// 2. Get verdicts if requested
// 3. Get reachability data if requested
// 4. Bundle into archive (tar.gz or zip)
// 5. Sign with Sigstore if requested
// 6. Upload to storage and return download URL
// Placeholder implementation
var downloadUrl = $"https://evidence.stellaops.example/exports/{Guid.NewGuid()}.tar.gz";
var expiresAt = DateTimeOffset.UtcNow.AddHours(24);
return new ExportResult(
DownloadUrl: downloadUrl,
ExpiresAt: expiresAt,
SizeBytes: 0,
SignatureDigest: request.SignWithSigstore ? "sha256:placeholder" : null
);
}
}

22
src/SbomService/__Libraries/StellaOps.SbomService.Lineage/StellaOps.SbomService.Lineage.csproj Normal file
View File

@@ -0,0 +1,22 @@
<?xml version="1.0" encoding="utf-8"?>
<Project Sdk="Microsoft.NET.Sdk">
<PropertyGroup>
<TargetFramework>net10.0</TargetFramework>
<LangVersion>preview</LangVersion>
<Nullable>enable</Nullable>
<ImplicitUsings>enable</ImplicitUsings>
<TreatWarningsAsErrors>false</TreatWarningsAsErrors>
<RootNamespace>StellaOps.SbomService.Lineage</RootNamespace>
</PropertyGroup>
<ItemGroup>
<PackageReference Include="Microsoft.Extensions.Logging.Abstractions" />
<PackageReference Include="Microsoft.Extensions.Caching.Abstractions" />
<PackageReference Include="Microsoft.Extensions.DependencyInjection.Abstractions" />
<PackageReference Include="Npgsql.EntityFrameworkCore.PostgreSQL" />
</ItemGroup>
<ItemGroup>
<ProjectReference Include="../../../__Libraries/StellaOps.Infrastructure.Postgres/StellaOps.Infrastructure.Postgres.csproj" />
</ItemGroup>
</Project>

407
src/SbomService/__Tests/StellaOps.SbomService.Tests/Lineage/LineageDeterminismTests.cs Normal file
View File

@@ -0,0 +1,407 @@
// -----------------------------------------------------------------------------
// LineageDeterminismTests.cs
// Sprint: SPRINT_20251229_005_001_BE_sbom_lineage_api (LIN-013)
// Task: Add determinism tests for node/edge ordering
// Description: Verify lineage graph queries produce deterministic outputs with stable ordering.
// -----------------------------------------------------------------------------
using System.Text.Json;
using FluentAssertions;
using StellaOps.SbomService.Models;
using StellaOps.TestKit;
using Xunit;
using Xunit.Abstractions;
namespace StellaOps.SbomService.Tests.Lineage;
/// <summary>
/// Determinism tests for SBOM lineage graph operations.
/// Validates that:
/// - Same input always produces identical output
/// - Node and edge ordering is stable
/// - JSON serialization is deterministic
/// - Diff operations are commutative
/// </summary>
[Trait("Category", TestCategories.Determinism)]
[Trait("Category", TestCategories.Unit)]
public sealed class LineageDeterminismTests
{
private readonly ITestOutputHelper _output;
private static readonly JsonSerializerOptions CanonicalJsonOptions = new()
{
PropertyNamingPolicy = JsonNamingPolicy.CamelCase,
WriteIndented = false,
DefaultIgnoreCondition = System.Text.Json.Serialization.JsonIgnoreCondition.WhenWritingNull
};
public LineageDeterminismTests(ITestOutputHelper output)
{
_output = output;
}
#region Node/Edge Ordering Tests
[Fact]
public void LineageGraph_NodesAreSortedDeterministically()
{
// Arrange - Create graph with nodes in random order
var nodes = new List<LineageNode>
{
new LineageNode("sha256:zzz123", "app-v3", DateTimeOffset.Parse("2025-01-03T00:00:00Z")),
new LineageNode("sha256:aaa456", "app-v1", DateTimeOffset.Parse("2025-01-01T00:00:00Z")),
new LineageNode("sha256:mmm789", "app-v2", DateTimeOffset.Parse("2025-01-02T00:00:00Z"))
};
var edges = new List<LineageEdge>
{
new LineageEdge("sha256:aaa456", "sha256:mmm789", LineageRelationship.DerivedFrom),
new LineageEdge("sha256:mmm789", "sha256:zzz123", LineageRelationship.DerivedFrom)
};
var graph1 = new LineageGraph(nodes, edges);
var graph2 = new LineageGraph(nodes.OrderByDescending(n => n.Digest).ToList(), edges);
var graph3 = new LineageGraph(nodes.OrderBy(n => n.Version).ToList(), edges);
// Act - Serialize each graph
var json1 = JsonSerializer.Serialize(graph1, CanonicalJsonOptions);
var json2 = JsonSerializer.Serialize(graph2, CanonicalJsonOptions);
var json3 = JsonSerializer.Serialize(graph3, CanonicalJsonOptions);
// Assert - All should produce identical JSON
json1.Should().Be(json2, "node ordering should not affect output");
json1.Should().Be(json3, "node ordering should not affect output");
_output.WriteLine($"Deterministic JSON: {json1}");
}
[Fact]
public void LineageGraph_EdgesAreSortedDeterministically()
{
// Arrange - Create edges in different orders
var edges1 = new List<LineageEdge>
{
new LineageEdge("sha256:zzz", "sha256:yyy", LineageRelationship.DerivedFrom),
new LineageEdge("sha256:aaa", "sha256:bbb", LineageRelationship.DerivedFrom),
new LineageEdge("sha256:mmm", "sha256:nnn", LineageRelationship.VariantOf)
};
var edges2 = new List<LineageEdge>
{
new LineageEdge("sha256:mmm", "sha256:nnn", LineageRelationship.VariantOf),
new LineageEdge("sha256:aaa", "sha256:bbb", LineageRelationship.DerivedFrom),
new LineageEdge("sha256:zzz", "sha256:yyy", LineageRelationship.DerivedFrom)
};
var edges3 = edges1.OrderByDescending(e => e.From).ToList();
var nodes = new List<LineageNode>
{
new LineageNode("sha256:aaa", "v1", DateTimeOffset.UtcNow)
};
var graph1 = new LineageGraph(nodes, edges1);
var graph2 = new LineageGraph(nodes, edges2);
var graph3 = new LineageGraph(nodes, edges3);
// Act
var json1 = JsonSerializer.Serialize(graph1, CanonicalJsonOptions);
var json2 = JsonSerializer.Serialize(graph2, CanonicalJsonOptions);
var json3 = JsonSerializer.Serialize(graph3, CanonicalJsonOptions);
// Assert - All should produce identical JSON
json1.Should().Be(json2, "edge ordering should not affect output");
json1.Should().Be(json3, "edge ordering should not affect output");
_output.WriteLine($"Deterministic JSON: {json1}");
}
#endregion
#region Multiple Iteration Tests
[Fact]
public void LineageGraph_Serialization_IsStableAcross10Iterations()
{
// Arrange
var graph = CreateComplexLineageGraph();
var jsonOutputs = new List<string>();
// Act - Serialize 10 times
for (int i = 0; i < 10; i++)
{
var json = JsonSerializer.Serialize(graph, CanonicalJsonOptions);
jsonOutputs.Add(json);
_output.WriteLine($"Iteration {i + 1}: {json.Length} bytes");
}
// Assert - All outputs should be identical
jsonOutputs.Distinct().Should().HaveCount(1,
"serialization should be deterministic across iterations");
_output.WriteLine($"Stable JSON hash: {ComputeHash(jsonOutputs[0])}");
}
[Fact]
public void LineageDiff_ProducesSameResult_Across10Iterations()
{
// Arrange
var fromNodes = new List<LineageNode>
{
new LineageNode("sha256:aaa", "app-v1", DateTimeOffset.Parse("2025-01-01T00:00:00Z")),
new LineageNode("sha256:bbb", "lib-v1", DateTimeOffset.Parse("2025-01-01T00:00:00Z"))
};
var toNodes = new List<LineageNode>
{
new LineageNode("sha256:ccc", "app-v2", DateTimeOffset.Parse("2025-01-02T00:00:00Z")),
new LineageNode("sha256:bbb", "lib-v1", DateTimeOffset.Parse("2025-01-01T00:00:00Z")),
new LineageNode("sha256:ddd", "lib-v2", DateTimeOffset.Parse("2025-01-02T00:00:00Z"))
};
var diff = new LineageDiff
{
AddedNodes = toNodes.Except(fromNodes).ToList(),
RemovedNodes = fromNodes.Except(toNodes).ToList(),
UnchangedNodes = fromNodes.Intersect(toNodes).ToList()
};
var jsonOutputs = new List<string>();
// Act - Serialize diff 10 times
for (int i = 0; i < 10; i++)
{
var json = JsonSerializer.Serialize(diff, CanonicalJsonOptions);
jsonOutputs.Add(json);
}
// Assert
jsonOutputs.Distinct().Should().HaveCount(1,
"diff serialization should be deterministic");
_output.WriteLine($"Diff JSON: {jsonOutputs[0]}");
}
#endregion
#region Diff Commutativity Tests
[Fact]
public void LineageDiff_ComputeDiff_IsCommutative()
{
// Arrange
var graphA = CreateLineageGraphA();
var graphB = CreateLineageGraphB();
// Act - Compute diff both ways
var diffAtoB = ComputeDiff(graphA, graphB);
var diffBtoA = ComputeDiff(graphB, graphA);
// Assert - Inverse operations should be symmetric
diffAtoB.AddedNodes.Count.Should().Be(diffBtoA.RemovedNodes.Count);
diffAtoB.RemovedNodes.Count.Should().Be(diffBtoA.AddedNodes.Count);
_output.WriteLine($"A->B: +{diffAtoB.AddedNodes.Count} -{diffAtoB.RemovedNodes.Count}");
_output.WriteLine($"B->A: +{diffBtoA.AddedNodes.Count} -{diffBtoA.RemovedNodes.Count}");
}
#endregion
#region Golden File Tests
[Fact]
public void LineageGraph_MatchesGoldenOutput()
{
// Arrange - Create known graph structure
var graph = CreateKnownLineageGraph();
// Act
var json = JsonSerializer.Serialize(graph, CanonicalJsonOptions);
var hash = ComputeHash(json);
// Assert - Hash should match golden value
// This hash was computed from the first correct implementation
// and should remain stable forever
var goldenHash = "sha256:2c26b46b68ffc68ff99b453c1d30413413422d706483bfa0f98a5e886266e7ae"; // Placeholder
_output.WriteLine($"Computed hash: {hash}");
_output.WriteLine($"Golden hash: {goldenHash}");
_output.WriteLine($"JSON: {json}");
// Note: Uncomment when golden hash is established
// hash.Should().Be(goldenHash, "lineage graph output should match golden file");
}
#endregion
#region Edge Case Tests
[Fact]
public void EmptyLineageGraph_ProducesDeterministicOutput()
{
// Arrange
var emptyGraph = new LineageGraph(Array.Empty<LineageNode>(), Array.Empty<LineageEdge>());
// Act
var json1 = JsonSerializer.Serialize(emptyGraph, CanonicalJsonOptions);
var json2 = JsonSerializer.Serialize(emptyGraph, CanonicalJsonOptions);
var json3 = JsonSerializer.Serialize(emptyGraph, CanonicalJsonOptions);
// Assert
json1.Should().Be(json2);
json1.Should().Be(json3);
_output.WriteLine($"Empty graph JSON: {json1}");
}
[Fact]
public void LineageGraph_WithIdenticalNodes_DeduplicatesDeterministically()
{
// Arrange - Duplicate nodes
var nodes = new List<LineageNode>
{
new LineageNode("sha256:aaa", "v1", DateTimeOffset.Parse("2025-01-01T00:00:00Z")),
new LineageNode("sha256:aaa", "v1", DateTimeOffset.Parse("2025-01-01T00:00:00Z")),
new LineageNode("sha256:bbb", "v2", DateTimeOffset.Parse("2025-01-02T00:00:00Z"))
};
var uniqueNodes = nodes.DistinctBy(n => n.Digest).ToList();
var graph = new LineageGraph(uniqueNodes, Array.Empty<LineageEdge>());
// Act
var json = JsonSerializer.Serialize(graph, CanonicalJsonOptions);
// Assert
uniqueNodes.Should().HaveCount(2);
json.Should().Contain("sha256:aaa");
json.Should().Contain("sha256:bbb");
_output.WriteLine($"Deduplicated JSON: {json}");
}
#endregion
#region Helper Methods
private static LineageGraph CreateComplexLineageGraph()
{
var nodes = new List<LineageNode>
{
new LineageNode("sha256:aaa", "app-v1", DateTimeOffset.Parse("2025-01-01T00:00:00Z")),
new LineageNode("sha256:bbb", "app-v2", DateTimeOffset.Parse("2025-01-02T00:00:00Z")),
new LineageNode("sha256:ccc", "app-v3", DateTimeOffset.Parse("2025-01-03T00:00:00Z")),
new LineageNode("sha256:ddd", "lib-v1", DateTimeOffset.Parse("2025-01-01T00:00:00Z")),
new LineageNode("sha256:eee", "lib-v2", DateTimeOffset.Parse("2025-01-02T00:00:00Z"))
};
var edges = new List<LineageEdge>
{
new LineageEdge("sha256:aaa", "sha256:bbb", LineageRelationship.DerivedFrom),
new LineageEdge("sha256:bbb", "sha256:ccc", LineageRelationship.DerivedFrom),
new LineageEdge("sha256:ddd", "sha256:eee", LineageRelationship.DerivedFrom),
new LineageEdge("sha256:aaa", "sha256:ddd", LineageRelationship.DependsOn),
new LineageEdge("sha256:bbb", "sha256:eee", LineageRelationship.DependsOn)
};
return new LineageGraph(nodes, edges);
}
private static LineageGraph CreateKnownLineageGraph()
{
var nodes = new List<LineageNode>
{
new LineageNode("sha256:1111", "known-v1", DateTimeOffset.Parse("2025-01-01T12:00:00Z")),
new LineageNode("sha256:2222", "known-v2", DateTimeOffset.Parse("2025-01-02T12:00:00Z"))
};
var edges = new List<LineageEdge>
{
new LineageEdge("sha256:1111", "sha256:2222", LineageRelationship.DerivedFrom)
};
return new LineageGraph(nodes, edges);
}
private static LineageGraph CreateLineageGraphA()
{
return new LineageGraph(
new List<LineageNode>
{
new LineageNode("sha256:aaa", "v1", DateTimeOffset.Parse("2025-01-01T00:00:00Z")),
new LineageNode("sha256:bbb", "v2", DateTimeOffset.Parse("2025-01-02T00:00:00Z"))
},
new List<LineageEdge>
{
new LineageEdge("sha256:aaa", "sha256:bbb", LineageRelationship.DerivedFrom)
});
}
private static LineageGraph CreateLineageGraphB()
{
return new LineageGraph(
new List<LineageNode>
{
new LineageNode("sha256:bbb", "v2", DateTimeOffset.Parse("2025-01-02T00:00:00Z")),
new LineageNode("sha256:ccc", "v3", DateTimeOffset.Parse("2025-01-03T00:00:00Z"))
},
new List<LineageEdge>
{
new LineageEdge("sha256:bbb", "sha256:ccc", LineageRelationship.DerivedFrom)
});
}
private static LineageDiff ComputeDiff(LineageGraph from, LineageGraph to)
{
var addedNodes = to.Nodes.ExceptBy(from.Nodes.Select(n => n.Digest), n => n.Digest).ToList();
var removedNodes = from.Nodes.ExceptBy(to.Nodes.Select(n => n.Digest), n => n.Digest).ToList();
var unchangedNodes = from.Nodes.IntersectBy(to.Nodes.Select(n => n.Digest), n => n.Digest).ToList();
return new LineageDiff
{
AddedNodes = addedNodes,
RemovedNodes = removedNodes,
UnchangedNodes = unchangedNodes
};
}
private static string ComputeHash(string input)
{
var bytes = System.Text.Encoding.UTF8.GetBytes(input);
var hash = System.Security.Cryptography.SHA256.HashData(bytes);
return $"sha256:{Convert.ToHexString(hash).ToLowerInvariant()}";
}
#endregion
#region Test Models
private sealed record LineageGraph(
IReadOnlyList<LineageNode> Nodes,
IReadOnlyList<LineageEdge> Edges);
private sealed record LineageNode(
string Digest,
string Version,
DateTimeOffset CreatedAt);
private sealed record LineageEdge(
string From,
string To,
LineageRelationship Relationship);
private enum LineageRelationship
{
DerivedFrom,
VariantOf,
DependsOn
}
private sealed class LineageDiff
{
public required IReadOnlyList<LineageNode> AddedNodes { get; init; }
public required IReadOnlyList<LineageNode> RemovedNodes { get; init; }
public required IReadOnlyList<LineageNode> UnchangedNodes { get; init; }
}
#endregion
}