save checkpoint

2026-02-14 09:11:48 +02:00
parent 9ca2de05df
commit e9aeadc040
1512 changed files with 30863 additions and 4728 deletions
--- a/docs/features/checked/attestor/high-fidelity-sbom-support.md
+++ b/docs/features/checked/attestor/high-fidelity-sbom-support.md
@@ -0,0 +1,42 @@
+# High-Fidelity SBOM Support (CycloneDX/SPDX)
+
+## Module
+Attestor
+
+## Status
+VERIFIED
+
+## Description
+Comprehensive SBOM support with dedicated service, full CycloneDX and SPDX 2.x/3.x parsers and writers, plus UI for SBOM browsing. Extensive coverage of components, vulnerabilities, licensing, relationships, and more.
+
+## Implementation Details
+- **CycloneDX Parser**: `src/Attestor/__Libraries/StellaOps.Attestor.StandardPredicates/Parsers/CycloneDxPredicateParser.cs` (with `.ExtractMetadata`, `.ExtractSbom`, `.SerialNumber`, `.Validation`) -- parses CycloneDX 1.6 BOMs into internal SBOM model.
+- **SPDX Parser**: `Parsers/SpdxPredicateParser.cs` (with `.ExtractMetadata`, `.ExtractSbom`, `.Validation`) -- parses SPDX 2.x/3.x documents into internal SBOM model.
+- **CycloneDX Writer**: `Writers/CycloneDxWriter.cs` (with 50+ partials: `.Components`, `.Vulnerabilities`, `.Dependencies`, `.Licensing`, `.Services`, `.Compositions`, `.Formulation`, `.Crypto`, `.Evidence`, `.Declarations`, `.ModelCard`, `.Pedigree`, `.ReleaseNotes`, `.Signature`, `.Metadata`, `.Validation`, etc.) -- comprehensive CycloneDX output.
+- **SPDX Writer**: `Writers/SpdxWriter.cs` (with 40+ partials: `.Packages`, `.Relationships`, `.Licensing`, `.Document`, `.Agents`, `.Builds`, `.Assessments`, `.Vulnerabilities`, `.Profiles`, `.Signatures`, `.Extensions`, `.Hashing`, etc.) -- comprehensive SPDX 3.0.1 output.
+- **SBOM Models**: `Models/SbomDocument.cs` (with `.Collections`) -- internal SBOM document model. `SbomService.cs` (with `.Collections`) -- service models.
+- **Licensing**: `Licensing/SpdxLicenseExpressionParser.cs` (with `.InnerTypes`, `.Token`, `.Validation`) -- full SPDX license expression parser. `SpdxLicenseExpressionRenderer.cs` -- renders license expressions back to string.
+- **SBOM Canonicalizer**: `Canonicalization/SbomCanonicalizer.Elements.cs` -- deterministic ordering for SBOM elements.
+- **SLSA Provenance Parser**: `Parsers/SlsaProvenancePredicateParser.cs` (with `.ExtractMetadata`, `.Validation`) -- parses SLSA provenance predicates.
+- **SPDX 3 Build Attestation**: `__Libraries/StellaOps.Attestor.Spdx3/BuildAttestationMapper.cs` (with `.MapFromSpdx3`, `.MapToSpdx3`) -- maps build attestations between SPDX 3 and internal models.
+- **Tests**: `__Tests/StellaOps.Attestor.StandardPredicates.Tests/`
+
+## E2E Test Plan
+- [ ] Parse a CycloneDX 1.6 BOM via `CycloneDxPredicateParser` and verify all components, vulnerabilities, and dependencies are extracted
+- [ ] Parse an SPDX 3.0.1 document via `SpdxPredicateParser` and verify packages, relationships, and licensing are extracted
+- [ ] Round-trip: parse a CycloneDX BOM, write it back via `CycloneDxWriter`, re-parse, and verify semantic equivalence
+- [ ] Round-trip: parse an SPDX document, write it back via `SpdxWriter`, re-parse, and verify semantic equivalence
+- [ ] Parse a complex SPDX license expression (e.g., `(MIT OR Apache-2.0) AND GPL-3.0-only`) via `SpdxLicenseExpressionParser` and verify the parsed tree structure
+- [ ] Verify `CycloneDxWriter` handles all CycloneDX 1.6 sections: crypto, formulation, declarations, model cards, attestation maps
+- [ ] Parse a SLSA provenance predicate via `SlsaProvenancePredicateParser` and verify build materials and builder info are extracted
+- [ ] Canonicalize an SBOM via `SbomCanonicalizer` and verify deterministic output regardless of input element ordering
+
+## Verification
+
+| Check | Result |
+|-------|--------|
+| Tier 0 - Source Verification | PASS |
+| Tier 1 - Build + Code Review | PASS |
+| Tier 2 - Behavioral Verification | PASS |
+| Verified Date | 2026-02-13 |
+| Run ID | run-001 |