stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity

save checkpoint

Browse Source
This commit is contained in:
master
2026-02-14 09:11:48 +02:00
parent 9ca2de05df
commit e9aeadc040
1512 changed files with 30863 additions and 4728 deletions
Download Patch File Download Diff File Expand all files Collapse all files

41
docs/features/checked/attestor/sbom-oci-deterministic-publisher.md Normal file
View File

@@ -0,0 +1,41 @@
# SBOM OCI Deterministic Publisher
## Module
Attestor
## Status
VERIFIED
## Description
Deterministic SBOM publication to OCI registries with volatile field stripping (timestamps, tool versions, UUIDs) to ensure content-addressable reproducibility. Attaches SBOMs as OCI referrers with deterministic digests.
## Implementation Details
- **SBOM OCI Publisher**: `src/Attestor/__Libraries/StellaOps.Attestor.Oci/Services/SbomOciPublisher.cs` -- publishes SBOMs to OCI registries as referrer artifacts. Implements `ISbomOciPublisher.cs`.
- **OCI Registry Client**: `Services/IOciRegistryClient.cs` -- abstraction for OCI registry operations.
- **SBOM Canonicalizer**: `__Libraries/StellaOps.Attestor.StandardPredicates/Canonicalization/SbomCanonicalizer.Elements.cs` -- strips volatile fields (timestamps, tool versions, UUIDs) and orders elements deterministically for content-addressable digests.
- **RFC 8785 Canonicalizer**: `__Libraries/StellaOps.Attestor.ProofChain/Json/Rfc8785JsonCanonicalizer.cs` -- deterministic JSON serialization for SBOM payloads.
- **Content-Addressed ID**: `__Libraries/StellaOps.Attestor.ProofChain/Identifiers/ContentAddressedIdGenerator.cs` -- generates SHA-256 digests from canonicalized SBOM content.
- **ORAS Attestation Attacher**: `Services/OrasAttestationAttacher.cs` -- attaches SBOM artifacts to OCI image digests via ORAS.
- **CycloneDX Timestamp Extension**: `__Libraries/StellaOps.Attestor.StandardPredicates/Writers/CycloneDxTimestampExtension.cs` (with `.Extract`) -- handles timestamp extraction and stripping.
- **SPDX Timestamp Extension**: `Writers/SpdxTimestampExtension.cs` (with `.Extract`) -- handles SPDX timestamp extraction and stripping.
- **Tests**: `__Tests/StellaOps.Attestor.Oci.Tests/SbomOciPublisherTests.cs`
## E2E Test Plan
- [ ] Publish an SBOM via `SbomOciPublisher` and verify it is attached as an OCI referrer to the image digest
- [ ] Publish the same SBOM twice and verify the OCI artifact digest is identical (deterministic publishing)
- [ ] Verify `SbomCanonicalizer` strips timestamps, tool versions, and UUIDs from the SBOM before publishing
- [ ] Verify the canonicalized SBOM content-addressed digest matches between two independent canonical computations
- [ ] Publish a CycloneDX SBOM and verify timestamp stripping via `CycloneDxTimestampExtension`
- [ ] Publish an SPDX SBOM and verify timestamp stripping via `SpdxTimestampExtension`
- [ ] Fetch the published SBOM from the OCI registry and verify it can be parsed correctly
- [ ] Verify `IOciRegistryClient` handles authentication and registry connection errors
## Verification
| Check | Result |
|-------|--------|
| Tier 0 - Source Verification | PASS |
| Tier 1 - Build + Code Review | PASS |
| Tier 2 - Behavioral Verification | PASS |
| Verified Date | 2026-02-13 |
| Run ID | run-001 |