Add tests for SBOM generation determinism across multiple formats
- Created `StellaOps.TestKit.Tests` project for unit tests related to determinism. - Implemented `DeterminismManifestTests` to validate deterministic output for canonical bytes and strings, file read/write operations, and error handling for invalid schema versions. - Added `SbomDeterminismTests` to ensure identical inputs produce consistent SBOMs across SPDX 3.0.1 and CycloneDX 1.6/1.7 formats, including parallel execution tests. - Updated project references in `StellaOps.Integration.Determinism` to include the new determinism testing library.
This commit is contained in:
master
30
docs2/security/evidence-locker-publishing.md
Normal file
30
docs2/security/evidence-locker-publishing.md
Normal file
@@ -0,0 +1,30 @@
|
||||
# Evidence locker publishing
|
||||
|
||||
Purpose
|
||||
- Publish deterministic evidence bundles to the Evidence Locker.
|
||||
|
||||
Required inputs
|
||||
- Evidence locker base URL (no trailing slash).
|
||||
- Bearer token with write scopes for required prefixes.
|
||||
- Signing key for final bundle signing (Cosign key or key file).
|
||||
|
||||
Publishing flow
|
||||
- Build deterministic tar bundles for each producer (signals, runtime, evidence packs).
|
||||
- Verify bundle hashes and inner SHA256 lists before upload.
|
||||
- Upload bundles to the Evidence Locker using the configured token.
|
||||
- Re-sign bundles with production keys when required.
|
||||
|
||||
Deterministic packaging rules
|
||||
- tar --sort=name
|
||||
- fixed mtime (UTC 1970-01-01)
|
||||
- owner and group set to 0
|
||||
- numeric-owner enabled
|
||||
|
||||
Offline posture
|
||||
- Transparency log upload may be disabled in sealed mode.
|
||||
- Trust derives from local keys and recorded hashes.
|
||||
- Upload scripts must fail on hash mismatch.
|
||||
|
||||
Related references
|
||||
- security/forensics-and-evidence-locker.md
|
||||
- provenance/attestation-workflow.md
|
||||
Reference in New Issue
Block a user