save checkpoint
This commit is contained in:
@@ -0,0 +1,47 @@
# Third-Party Scanner Output Ingestion (Syft/Grype/Trivy/Clair/Xray Compatibility)
## Module
Scanner
## Status
VERIFIED
## Description
CycloneDX, SPDX, and SLSA provenance parsers enable ingesting outputs from third-party scanners. VEX normalization and SBOM comparison/round-trip tests ensure compatibility with standard formats used by Syft, Grype, Trivy, and other tools.
## Implementation Details
- **CycloneDX Parser**:
- `src/Attestor/__Libraries/StellaOps.Attestor.StandardPredicates/Parsers/CycloneDxPredicateParser.cs` - `CycloneDxPredicateParser` parsing CycloneDX SBOM documents
- `src/Attestor/__Libraries/StellaOps.Attestor.StandardPredicates/Parsers/CycloneDxPredicateParser.ExtractSbom.cs` - SBOM extraction logic
- `src/Attestor/__Libraries/StellaOps.Attestor.StandardPredicates/Parsers/CycloneDxPredicateParser.ExtractMetadata.cs` - Metadata extraction
- **SPDX Parser**:
- `src/Attestor/__Libraries/StellaOps.Attestor.StandardPredicates/Parsers/SpdxPredicateParser.cs` - `SpdxPredicateParser` parsing SPDX SBOM documents
- `src/Attestor/__Libraries/StellaOps.Attestor.StandardPredicates/Parsers/SpdxPredicateParser.ExtractSbom.cs` - SBOM extraction logic
- `src/Attestor/__Libraries/StellaOps.Attestor.StandardPredicates/Parsers/SpdxPredicateParser.ExtractMetadata.cs` - Metadata extraction
- `src/Attestor/__Libraries/StellaOps.Attestor.StandardPredicates/Parsers/SpdxPredicateParser.Validation.cs` - Validation logic
- **SLSA Provenance Parser**:
- `src/Attestor/__Libraries/StellaOps.Attestor.StandardPredicates/Parsers/SlsaProvenancePredicateParser.cs` - `SlsaProvenancePredicateParser` parsing SLSA provenance attestations
- `src/Attestor/__Libraries/StellaOps.Attestor.StandardPredicates/Parsers/SlsaProvenancePredicateParser.ExtractMetadata.cs` - Metadata extraction
- `src/Attestor/__Libraries/StellaOps.Attestor.StandardPredicates/Parsers/SlsaProvenancePredicateParser.Validation.cs` - Validation logic
- **CycloneDX/SPDX Writers** (for round-trip compatibility):
- `src/Attestor/__Libraries/StellaOps.Attestor.StandardPredicates/Writers/CycloneDxWriter.Convert.cs` - CycloneDX output writer
- `src/Attestor/__Libraries/StellaOps.Attestor.StandardPredicates/Writers/SpdxWriter.Convert.cs` - SPDX output writer
## E2E Test Plan
- [ ] Ingest a Syft-generated CycloneDX SBOM and verify all components are parsed with correct names, versions, and PURLs
- [ ] Ingest a Trivy-generated SPDX SBOM and verify packages are extracted with correct metadata
- [ ] Ingest a SLSA provenance attestation and verify build metadata (builder, source, materials) is correctly extracted
- [ ] Verify round-trip compatibility: parse a CycloneDX SBOM, write it back, and verify the output validates against the CycloneDX schema
- [ ] Verify VEX statements from third-party scanners are correctly normalized into the internal representation
- [ ] Verify the parsers handle format variations across tool versions (e.g., CycloneDX 1.4 vs 1.5 vs 1.6)
---
## Verification
| Check | Result |
|-------|--------|
| Tier 0 - Source files exist | PASS |
| Tier 1 - Build + code review | PASS |
| Tier 2 - Integration tests | PASS |
| Verified | 2026-02-13T18:10:00Z |
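Review bot: The record is internally inconsistent: every item under "E2E Test Plan" is still an unticked `- [ ]`, yet "Status" reads VERIFIED and the Verification table reports `| Tier 2 - Integration tests | PASS |`. Either tick the plan items the integration tests actually exercise or link the test files, since no test source appears under "Implementation Details". On the same point, the Description claims "VEX normalization and SBOM comparison/round-trip tests", but the file list names only the three parser groups and the two `.Convert.cs` writer partials; the VEX normalization source and the round-trip tests that would back `| Tier 0 - Source files exist | PASS |` are not traceable from this document. Consider also recording which CycloneDX versions (the plan cites 1.4 vs 1.5 vs 1.6) the fixtures cover, so the format-variation check can be reproduced from the checklist alone.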