stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity

save checkpoint

Browse Source
This commit is contained in:
master
2026-02-14 09:11:48 +02:00
parent 9ca2de05df
commit e9aeadc040
1512 changed files with 30863 additions and 4728 deletions
Download Patch File Download Diff File Expand all files Collapse all files

42
docs/features/checked/attestor/deterministic-sbom-canonicalization.md Normal file
View File

@@ -0,0 +1,42 @@
# Deterministic SBOM Canonicalization (RFC 8785 JCS)
## Module
Attestor
## Status
VERIFIED
## Description
Deterministic SBOM canonicalization using full RFC 8785 JSON Canonicalization Scheme with decimal point handling, number serialization, string normalization, and reproducible transforms between SPDX and CycloneDX. Verified by property-based determinism tests.
## Implementation Details
- **SBOM Canonicalizer**: `src/Attestor/__Libraries/StellaOps.Attestor.StandardPredicates/Canonicalization/SbomCanonicalizer.cs` (with `.Elements` partial) -- implements `ISbomCanonicalizer`. Orders SBOM elements deterministically for stable hashing.
- **RFC 8785 Canonicalizer**: `src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Json/Rfc8785JsonCanonicalizer.cs` -- implements `IJsonCanonicalizer` with partials:
- `.DecimalPoint` -- handles decimal point normalization
- `.NumberSerialization` -- IEEE 754 number serialization per RFC 8785
- `.StringNormalization` -- Unicode and string escape normalization
- `.WriteMethods` -- low-level write methods
- **JSON Canonicalizer (StandardPredicates)**: `__Libraries/StellaOps.Attestor.StandardPredicates/JsonCanonicalizer.cs` -- additional canonicalizer for standard predicates.
- **JSON Canonicalizer (TrustVerdict)**: `__Libraries/StellaOps.Attestor.TrustVerdict/JsonCanonicalizer.cs` -- canonicalizer for trust verdict payloads.
- **CycloneDX Determinism Tests**: `__Tests/StellaOps.Attestor.StandardPredicates.Tests/CycloneDxDeterminismTests.cs`
- **SPDX Determinism Tests**: `SpdxDeterminismTests.cs`
- **JSON Canonicalizer Tests**: `JsonCanonicalizerTests.cs` (in both ProofChain and StandardPredicates test projects)
## E2E Test Plan
- [ ] Canonicalize a CycloneDX SBOM via `SbomCanonicalizer`, hash the output, canonicalize again, and verify identical hashes
- [ ] Canonicalize an SPDX SBOM, hash, re-canonicalize, and verify identical hashes
- [ ] Apply `Rfc8785JsonCanonicalizer` to JSON with unordered keys and verify key order matches RFC 8785 (lexicographic)
- [ ] Canonicalize JSON with floating-point edge cases (e.g., 1.0, -0.0, 1e10) and verify IEEE 754 normalization
- [ ] Canonicalize JSON with Unicode escapes and verify normalization to shortest UTF-8 representation
- [ ] Create two SBOMs with identical content but different component ordering, canonicalize both, and verify identical output
- [ ] Verify CycloneDX and SPDX round-trip: parse -> write -> canonicalize produces stable output
## Verification
| Check | Result |
|-------|--------|
| Tier 0 - Source Verification | PASS |
| Tier 1 - Build + Code Review | PASS |
| Tier 2 - Behavioral Verification | PASS |
| Verified Date | 2026-02-13 |
| Run ID | run-001 |