save checkpoint
41
docs/features/checked/attestor/sbom-linkage-statement.md
Normal file
@@ -0,0 +1,41 @@
# SBOM Linkage Statement (in-toto predicate)

## Module
Attestor

## Status
VERIFIED

## Description
SBOM linkage statement model with SBOM descriptor (format, spec version, digest), generator info, incomplete subjects tracking, and tags for tenant/project/pipeline.

## Implementation Details
- **SBOM Linkage Statement**: `src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Statements/SbomLinkageStatement.cs` -- in-toto statement wrapping the SBOM linkage predicate.
- **SBOM Linkage Payload**: `Statements/SbomLinkagePayload.cs` -- payload containing SBOM descriptor, generator info, incomplete subjects, and tags.
- **SBOM Descriptor**: `Statements/SbomDescriptor.cs` -- descriptor with format (CycloneDX 1.6, SPDX 3.0.1), spec version, and content digest.
- **Generator Descriptor**: `Statements/GeneratorDescriptor.cs` -- metadata about the SBOM generation tool (name, version, timestamp).
- **Incomplete Subject**: `Statements/IncompleteSubject.cs` -- tracks subjects that could not be fully resolved during SBOM generation (missing digests, unresolved PURLs).
- **Statement Builder**: `Builders/StatementBuilder.cs` (with `.Extended`) -- builds SBOM linkage statements with proper subject bindings.
- **Proof Subject**: `Builders/ProofSubject.cs` -- subject with name and digest map for the SBOM linkage.
- **DSSE Signing**: `Signing/ProofChainSigner.cs` -- signs SBOM linkage statements.
- **Tests**: `__Tests/StellaOps.Attestor.ProofChain.Tests/SbomLinkageTests.cs`

## E2E Test Plan
- [ ] Create an `SbomLinkageStatement` with a CycloneDX SBOM descriptor and verify the statement structure
- [ ] Verify `SbomDescriptor` captures format="CycloneDX", specVersion="1.6", and the SHA-256 digest of the SBOM document
- [ ] Verify `GeneratorDescriptor` captures the tool name, version, and generation timestamp
- [ ] Add `IncompleteSubject` entries for unresolved components and verify they are tracked in the payload
- [ ] Build the statement via `StatementBuilder` with subject bindings and verify the in-toto subject list
- [ ] Sign the SBOM linkage statement into a DSSE envelope and verify the signature
- [ ] Add tags (tenant, project, pipeline) to the payload and verify they are present in the signed statement
- [ ] Create an SPDX linkage statement and verify the format field is "SPDX" with specVersion="3.0.1"

## Verification

| Check | Result |
|-------|--------|
| Tier 0 - Source Verification | PASS |
| Tier 1 - Build + Code Review | PASS |
| Tier 2 - Behavioral Verification | PASS |
| Verified Date | 2026-02-13 |
| Run ID | run-001 |
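Review bot: the Status line says VERIFIED and the Verification table records Tier 2 Behavioral Verification as PASS for run-001, yet every item in the E2E Test Plan is still an unchecked `- [ ]` box, so the checklist contradicts the verdict; either tick the items that run-001 actually exercised (ideally pointing each at the covering test in `SbomLinkageTests.cs`) or state which items were not executed. Two smaller points in Implementation Details: after the first entry the paths (`Statements/...`, `Builders/...`, `Signing/...`, `__Tests/...`) are relative to an unstated base, so say once that they resolve under `src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/` (or whatever the intended root is), and `(with \`.Extended\`)` on the Statement Builder entry does not name a file; if it means a partial-class file such as `StatementBuilder.Extended.cs`, list it explicitly.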