save checkpoint
42
docs/features/checked/attestor/sbom-spine.md
Normal file
@@ -0,0 +1,42 @@
# SBOM Spine (Image to SBOM to DSSE to Transparency Log)
## Module
Attestor
## Status
VERIFIED
## Description
The full SBOM spine (SBOM generation in CycloneDX/SPDX, DSSE signing, Rekor transparency log integration) is implemented.
## Implementation Details
- **SBOM Linkage Statement**: `src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Statements/SbomLinkageStatement.cs` -- in-toto statement linking image digest to SBOM. `SbomLinkagePayload.cs` -- linkage payload.
- **SBOM Descriptor**: `Statements/SbomDescriptor.cs` -- SBOM format, spec version, and content digest.
- **CycloneDX Writer**: `__Libraries/StellaOps.Attestor.StandardPredicates/Writers/CycloneDxWriter.cs` (with partials) -- generates CycloneDX SBOMs.
- **SPDX Writer**: `Writers/SpdxWriter.cs` (with partials) -- generates SPDX SBOMs.
- **DSSE Signing**: `__Libraries/StellaOps.Attestor.ProofChain/Signing/ProofChainSigner.cs` -- signs SBOM linkage statements into DSSE envelopes.
- **Rekor Submission**: `StellaOps.Attestor.Core/Rekor/RekorSubmissionService.cs` -- submits signed SBOM attestations to Rekor.
- **Proof Spine**: `Assembly/ProofSpineRequest.cs`, `ProofSpineResult.cs` -- assembles SBOM attestation into proof spine with Merkle root.
- **OCI Attachment**: `__Libraries/StellaOps.Attestor.Oci/Services/SbomOciPublisher.cs` -- publishes SBOM as OCI referrer.
- **Persistence**: `__Libraries/StellaOps.Attestor.Persistence/Entities/SbomEntryEntity.cs` -- persists SBOM entries. `RekorEntryEntity.cs` -- persists Rekor entries.
- **Tests**: `__Tests/StellaOps.Attestor.ProofChain.Tests/SbomSpineTests.cs`
## E2E Test Plan
- [ ] Generate a CycloneDX SBOM from an image scan, create an `SbomLinkageStatement` with the image digest as subject, and verify the linkage
- [ ] Sign the SBOM linkage statement into a DSSE envelope via `ProofChainSigner` and verify the envelope
- [ ] Submit the signed SBOM attestation to Rekor and verify a log entry is created with log index
- [ ] Assemble the SBOM attestation into a proof spine via `ProofSpineRequest` and verify the Merkle root
- [ ] Publish the SBOM to OCI via `SbomOciPublisher` and verify it is discoverable as a referrer
- [ ] Persist the SBOM entry and Rekor entry and verify retrieval
- [ ] Verify the full spine: Image -> SBOM -> DSSE Envelope -> Rekor Entry, each step linked and verifiable
- [ ] Generate an SPDX SBOM and repeat the spine verification to confirm format-agnostic support
## Verification
| Check | Result |
|-------|--------|
| Tier 0 - Source Verification | PASS |
| Tier 1 - Build + Code Review | PASS |
| Tier 2 - Behavioral Verification | PASS |
| Verified Date | 2026-02-13 |
| Run ID | run-001 |
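Review bot: the Status section says VERIFIED and the Verification table records Tier 2 Behavioral Verification as PASS, yet every item in the E2E Test Plan is still an unchecked `- [ ]` box, so the document does not show which behavioral evidence the PASS rests on; either tick the items that were actually exercised or add a line under Verification pointing at the concrete evidence (for example the `SbomSpineTests.cs` run that the Tests bullet names, and the `run-001` artefacts). On the Rekor step, "verify a log entry is created with log index" is a weaker check than the spine's goal of "each step linked and verifiable": a log index alone only shows that something was submitted, so the plan item should also require verifying the inclusion proof for that entry against the log's signed checkpoint, and checking that the entry's recorded DSSE payload digest matches the envelope produced by `ProofChainSigner`. Similarly, "verify the envelope" in the DSSE item should state the verification key or trust root it is verified against, since an envelope that verifies under an arbitrary key proves nothing about provenance. A smaller point: the paths in Implementation Details mix fully qualified ones (`src/Attestor/__Libraries/...`) with bare relative ones (`Statements/SbomDescriptor.cs`, `Writers/SpdxWriter.cs`, `Assembly/ProofSpineRequest.cs`) whose parent directory is only implied by the preceding bullet; spelling them out from the same root would make the list usable on its own.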