stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity

save checkpoint

Browse Source
This commit is contained in:
master
2026-02-14 09:11:48 +02:00
parent 9ca2de05df
commit e9aeadc040
1512 changed files with 30863 additions and 4728 deletions
Download Patch File Download Diff File Expand all files Collapse all files

41
docs/features/checked/attestor/sbom-interop-round-trip-testing.md Normal file
View File

@@ -0,0 +1,41 @@
# SBOM Interop Round-Trip Testing
## Module
Attestor
## Status
VERIFIED
## Description
SBOM round-trip testing with canonical verification ensuring CycloneDX and SPDX outputs can be parsed, re-serialized, and verified for format compliance.
## Implementation Details
- **CycloneDX Parser**: `src/Attestor/__Libraries/StellaOps.Attestor.StandardPredicates/Parsers/CycloneDxPredicateParser.cs` (with `.ExtractMetadata`, `.ExtractSbom`, `.SerialNumber`, `.Validation`) -- parses CycloneDX BOMs.
- **CycloneDX Writer**: `Writers/CycloneDxWriter.cs` (with 50+ partials) -- writes CycloneDX BOMs from internal model.
- **SPDX Parser**: `Parsers/SpdxPredicateParser.cs` (with `.ExtractMetadata`, `.ExtractSbom`, `.Validation`) -- parses SPDX documents.
- **SPDX Writer**: `Writers/SpdxWriter.cs` (with 40+ partials) -- writes SPDX 3.0.1 documents from internal model.
- **SBOM Canonicalizer**: `Canonicalization/SbomCanonicalizer.Elements.cs` -- deterministic element ordering for canonical comparison.
- **SBOM Models**: `Models/SbomDocument.cs` (with `.Collections`) -- internal SBOM document model bridging parse/write.
- **CycloneDX Validation**: `Writers/CycloneDxWriter.Validation.cs` -- validates written CycloneDX against schema.
- **SPDX Validation**: `Parsers/SpdxPredicateParser.Validation.cs` -- validates SPDX compliance.
- **Tests**: `__Tests/StellaOps.Attestor.StandardPredicates.Tests/RoundTripTests.cs`
## E2E Test Plan
- [ ] Round-trip CycloneDX: parse a CycloneDX 1.6 BOM, write it back via `CycloneDxWriter`, re-parse, and verify semantic equivalence
- [ ] Round-trip SPDX: parse an SPDX 3.0.1 document, write it back via `SpdxWriter`, re-parse, and verify semantic equivalence
- [ ] Canonicalize both round-trip outputs via `SbomCanonicalizer` and verify canonical forms match
- [ ] Round-trip complex CycloneDX features: crypto, formulation, declarations, attestation maps
- [ ] Round-trip complex SPDX features: AI packages, dataset packages, build profiles, assessments
- [ ] Validate the written CycloneDX output via `CycloneDxWriter.Validation` and verify schema compliance
- [ ] Validate the written SPDX output via `SpdxPredicateParser.Validation` and verify format compliance
- [ ] Cross-format interop: parse CycloneDX, convert to internal model, write as SPDX, and verify key data (components, licenses) is preserved
## Verification
| Check | Result |
|-------|--------|
| Tier 0 - Source Verification | PASS |
| Tier 1 - Build + Code Review | PASS |
| Tier 2 - Behavioral Verification | PASS |
| Verified Date | 2026-02-13 |
| Run ID | run-001 |