stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity

save checkpoint

Browse Source
This commit is contained in:
master
2026-02-14 09:11:48 +02:00
parent 9ca2de05df
commit e9aeadc040
1512 changed files with 30863 additions and 4728 deletions
Download Patch File Download Diff File Expand all files Collapse all files

36
docs/features/checked/policy/sbom-presence-policy-gate.md Normal file
View File

@@ -0,0 +1,36 @@
# SBOM Presence Policy Gate (SbomPresenceGate)
## Module
Policy
## Status
IMPLEMENTED
## Description
Policy gate that blocks releases lacking a valid SBOM document, with configurable format requirements (CycloneDX/SPDX), minimum component count thresholds, and freshness checks.
## Implementation Details
- **PolicyGateEvaluator Evidence Completeness gate**: `src/Policy/StellaOps.Policy.Engine/Gates/PolicyGateEvaluator.cs`
- Evidence Completeness gate (first in 5-gate pipeline) checks for SBOM presence
- Missing SBOM triggers Block or Warn based on gate configuration
- Evaluates SBOM format, component count, and freshness as part of evidence checks
- **DriftGateEvaluator**: `src/Policy/StellaOps.Policy.Engine/Gates/DriftGateEvaluator.cs`
- Evaluates SBOM drift between baseline and target
- SBOM format validation (CycloneDX/SPDX) as part of drift analysis
- **DriftGateOptions**: `src/Policy/StellaOps.Policy.Engine/Gates/DriftGateOptions.cs` -- configurable SBOM requirements
- **EvidenceTtlEnforcer**: `src/Policy/__Libraries/StellaOps.Policy/Freshness/EvidenceTtlEnforcer.cs`
- SBOM/Provenance freshness: checks BuildTime against TTL
- Freshness statuses: Fresh, Warning, Stale
- **WhatIfSimulationService**: `src/Policy/StellaOps.Policy.Engine/WhatIfSimulation/WhatIfSimulationService.cs`
- SBOM diff operations verify SBOM presence before simulation
## E2E Test Plan
- [ ] Evaluate artifact without SBOM; verify Evidence Completeness gate blocks
- [ ] Evaluate artifact with valid CycloneDX SBOM; verify gate passes
- [ ] Evaluate artifact with valid SPDX SBOM; verify gate passes
- [ ] Configure minimum component count threshold=10; provide SBOM with 5 components; verify gate warns/blocks
- [ ] Configure minimum component count threshold=10; provide SBOM with 15 components; verify gate passes
- [ ] Evaluate artifact with stale SBOM (BuildTime exceeds TTL); verify freshness check warns
- [ ] Evaluate artifact with fresh SBOM (BuildTime within TTL); verify freshness check passes
- [ ] Verify gate result message indicates SBOM format and component count when present
- [ ] Verify DriftGateEvaluator detects missing SBOM in drift analysis