stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity

save checkpoint

Browse Source
This commit is contained in:
master
2026-02-14 09:11:48 +02:00
parent 9ca2de05df
commit e9aeadc040
1512 changed files with 30863 additions and 4728 deletions
Download Patch File Download Diff File Expand all files Collapse all files

37
docs/features/checked/attestor/content-addressed-ids-for-sbom-components.md Normal file
View File

@@ -0,0 +1,37 @@
# Content-Addressed IDs for SBOM Components (bom-ref)
## Module
Attestor
## Status
VERIFIED
## Description
Content-addressed ID generator with SBOM entry IDs and CycloneDX subject extraction for deterministic component referencing.
## Implementation Details
- **SbomEntryId**: `src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Identifiers/SbomEntryId.cs` -- content-addressed ID type for SBOM entries, ensuring deterministic bom-ref values.
- **Content-Addressed ID Generator**: `ContentAddressedIdGenerator.cs` -- generates SHA-256 based IDs from canonical SBOM component content.
- **CycloneDX Subject Extractor**: `__Libraries/StellaOps.Attestor.ProofChain/Sbom/CycloneDxSubjectExtractor.cs` -- implements `ISbomSubjectExtractor`. Extracts subjects from CycloneDX SBOM for attestation.
- **Component Ref Extractor**: `__Libraries/StellaOps.Attestor.ProofChain/Linking/ComponentRefExtractor.cs` (with `.Resolution`, `.Spdx` partials) -- extracts component references from SBOMs for cross-linking. `SbomExtractionResult.cs` -- extraction result model.
- **SBOM Canonicalization**: `src/Attestor/__Libraries/StellaOps.Attestor.StandardPredicates/Canonicalization/SbomCanonicalizer.cs` (with `.Elements`) -- deterministic element ordering for stable ID generation.
- **Tests**: `__Tests/StellaOps.Attestor.ProofChain.Tests/ContentAddressedIdTests.cs`, `ContentAddressedIdGeneratorTests.cs`
## E2E Test Plan
- [ ] Generate `SbomEntryId` for a CycloneDX component with name, version, and PURL and verify deterministic ID
- [ ] Generate IDs for two components with same content but different field ordering and verify IDs match (canonicalization)
- [ ] Extract subjects from a CycloneDX SBOM via `CycloneDxSubjectExtractor` and verify each component has a content-addressed subject ID
- [ ] Extract component references via `ComponentRefExtractor` and verify bom-ref values are content-addressed
- [ ] Extract SPDX component references via `ComponentRefExtractor.Spdx` and verify deterministic SPDX IDs
- [ ] Canonicalize an SBOM via `SbomCanonicalizer`, generate content-addressed IDs, and verify stability across invocations
- [ ] Modify a single component field and verify the `SbomEntryId` changes
## Verification
| Check | Result |
|-------|--------|
| Tier 0 - Source Verification | PASS |
| Tier 1 - Build + Code Review | PASS |
| Tier 2 - Behavioral Verification | PASS |
| Verified Date | 2026-02-13 |
| Run ID | run-001 |