git.stella-ops.org/docs/features/checked/attestor/sbom-first-pipeline.md
2026-02-14 09:11:48 +02:00

SBOM-First Pipeline (Scanner -> Sbomer -> Authority -> Graphs)

Module: Attestor
Status: VERIFIED

Description

End-to-end SBOM-first pipeline: the Scanner produces SBOMs, the Attestor parses the CycloneDX/SPDX predicates and links each SBOM to its pipeline subject, and the Graph module ingests the extracted components for indexing.

Implementation Details

  • CycloneDX Parser: src/Attestor/__Libraries/StellaOps.Attestor.StandardPredicates/Parsers/CycloneDxPredicateParser.cs (with .ExtractMetadata, .ExtractSbom, .SerialNumber, .Validation) -- parses CycloneDX SBOMs from scanner output.
  • SPDX Parser: Parsers/SpdxPredicateParser.cs (with .ExtractMetadata, .ExtractSbom, .Validation) -- parses SPDX documents from scanner output.
  • SBOM Models: Models/SbomDocument.cs (with .Collections) -- internal SBOM document model. SbomService.cs (with .Collections) -- service layer models.
  • SBOM Linkage: __Libraries/StellaOps.Attestor.ProofChain/Statements/SbomLinkagePayload.cs -- payload linking SBOM to evidence. SbomLinkageStatement.cs -- in-toto statement.
  • SBOM Descriptor: Statements/SbomDescriptor.cs -- descriptor with format, spec version, and digest.
  • Component Ref Extractor: __Libraries/StellaOps.Attestor.ProofChain/Linking/ComponentRefExtractor.cs (with .Resolution, .Spdx) -- extracts component references for cross-linking.
  • SBOM Extraction Result: Linking/SbomExtractionResult.cs -- result of SBOM extraction with components and relationships.
  • Pipeline Models: Pipeline/ProofChainRequest.cs, ProofChainResult.cs, PipelineSubject.cs -- pipeline orchestration.
  • Persistence: __Libraries/StellaOps.Attestor.Persistence/Entities/SbomEntryEntity.cs -- persists SBOM entries.
  • Tests: __Tests/StellaOps.Attestor.StandardPredicates.Tests/CycloneDxParserTests.cs, SpdxParserTests.cs
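The two parsers and the component-ref extractor listed above reduce to one job: read the vendor format, keep the identifier that other statements will reference (bom-ref for CycloneDX, SPDXID for SPDX), keep the PURL for indexing, and notice when a relationship points at nothing. The following is an added example written in Python for this page, not the project's C# code: it normalises a CycloneDX 1.6 BOM and an SPDX 2.3 JSON document into one model and reports dangling dependency references, which a cross-linking step should surface as a validation failure rather than silently drop. The sample documents are constructed, and the choice of the SPDX 2.3 JSON shape (rather than the 3.0.1 JSON-LD shape named in the test plan) is this example's own assumption.

```python
# Added example (not the project's code): normalise CycloneDX 1.6 and SPDX 2.3
# JSON into one model and extract bom-ref / SPDXID references for cross-linking.
from __future__ import annotations
import json
import re
from dataclasses import dataclass, field

# Constructed CycloneDX 1.6 BOM; one dependency names a bom-ref no component declares.
CYCLONEDX_BOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.6", "version": 1,
    "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79",
    "metadata": {"component": {"type": "container", "bom-ref": "app", "name": "app"}},
    "components": [
        {"type": "library", "bom-ref": "pkg:npm/lodash@4.17.21", "name": "lodash",
         "version": "4.17.21", "purl": "pkg:npm/lodash@4.17.21"},
        {"type": "library", "bom-ref": "pkg:npm/express@4.19.2", "name": "express",
         "version": "4.19.2", "purl": "pkg:npm/express@4.19.2"}],
    "dependencies": [
        {"ref": "app", "dependsOn": ["pkg:npm/express@4.19.2"]},
        {"ref": "pkg:npm/express@4.19.2",
         "dependsOn": ["pkg:npm/lodash@4.17.21", "pkg:npm/missing@0.0.0"]}]})

# Constructed SPDX 2.3 document (SPDX 3.x JSON-LD has a different shape and is rejected).
SPDX_DOC = json.dumps({
    "spdxVersion": "SPDX-2.3", "dataLicense": "CC0-1.0", "SPDXID": "SPDXRef-DOCUMENT",
    "name": "app-1.0", "documentNamespace": "https://example.invalid/spdx/app-1.0",
    "packages": [
        {"SPDXID": "SPDXRef-Package-requests", "name": "requests", "versionInfo": "2.32.3",
         "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                           "referenceLocator": "pkg:pypi/requests@2.32.3"}]},
        {"SPDXID": "SPDXRef-Package-urllib3", "name": "urllib3", "versionInfo": "2.2.2",
         "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                           "referenceLocator": "pkg:pypi/urllib3@2.2.2"}]}],
    "relationships": [
        {"spdxElementId": "SPDXRef-DOCUMENT", "relationshipType": "DESCRIBES",
         "relatedSpdxElement": "SPDXRef-Package-requests"},
        {"spdxElementId": "SPDXRef-Package-requests", "relationshipType": "DEPENDS_ON",
         "relatedSpdxElement": "SPDXRef-Package-urllib3"}]})

@dataclass(frozen=True)
class Component:
    ref: str             # bom-ref (CycloneDX) or SPDXID (SPDX)
    name: str
    version: str | None
    purl: str | None     # what downstream indexing keys on

@dataclass
class SbomExtraction:
    format: str          # "CycloneDX" or "SPDX"
    spec_version: str
    components: list[Component] = field(default_factory=list)
    relationships: list[tuple[str, str, str]] = field(default_factory=list)  # (from, type, to)
    root_refs: set[str] = field(default_factory=set)  # document/subject refs that are legal targets

    def dangling_refs(self) -> list[str]:
        """Refs used by relationships that resolve to nothing in this document."""
        known = {c.ref for c in self.components} | self.root_refs
        return sorted({r for f, _, t in self.relationships for r in (f, t) if r not in known})

    def purls(self) -> list[str]:
        return sorted(c.purl for c in self.components if c.purl)

_SERIAL_RE = re.compile(r"^urn:uuid:[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")

def parse_cyclonedx(raw: str) -> SbomExtraction:
    doc = json.loads(raw)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    serial = doc.get("serialNumber")
    if serial is not None and not _SERIAL_RE.match(serial):
        raise ValueError(f"malformed serialNumber: {serial!r}")
    out = SbomExtraction("CycloneDX", str(doc["specVersion"]))
    subject = doc.get("metadata", {}).get("component") or {}
    if subject.get("bom-ref"):
        out.root_refs.add(subject["bom-ref"])
    for c in doc.get("components", []):
        ref = c.get("bom-ref") or c.get("purl") or c["name"]  # bom-ref is optional in the schema
        out.components.append(Component(ref, c["name"], c.get("version"), c.get("purl")))
    for d in doc.get("dependencies", []):
        out.relationships.extend((d["ref"], "dependsOn", dep) for dep in d.get("dependsOn", []))
    return out

def parse_spdx(raw: str) -> SbomExtraction:
    doc = json.loads(raw)
    ver = doc.get("spdxVersion", "")
    if not isinstance(ver, str) or not ver.startswith("SPDX-2."):
        raise ValueError(f"unsupported spdxVersion: {ver!r}")
    out = SbomExtraction("SPDX", ver.removeprefix("SPDX-"))
    out.root_refs.add(doc["SPDXID"])
    for p in doc.get("packages", []):
        purl = next((r["referenceLocator"] for r in p.get("externalRefs", [])
                     if r.get("referenceType") == "purl"), None)
        out.components.append(Component(p["SPDXID"], p["name"], p.get("versionInfo"), purl))
    for r in doc.get("relationships", []):
        out.relationships.append((r["spdxElementId"], r["relationshipType"], r["relatedSpdxElement"]))
    return out

if __name__ == "__main__":
    for sbom in (parse_cyclonedx(CYCLONEDX_BOM), parse_spdx(SPDX_DOC)):
        print(sbom.format, sbom.spec_version, sbom.purls(), "dangling:", sbom.dangling_refs())
```

One detail worth carrying into any real extractor: in CycloneDX the `metadata.component` bom-ref is a legal dependency target even though it does not appear in `components`, so resolve references against it as well, or every root-level dependency is reported as dangling.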

E2E Test Plan

  • Parse a CycloneDX 1.6 BOM via CycloneDxPredicateParser and verify all components are extracted into internal model
  • Parse an SPDX 3.0.1 document via SpdxPredicateParser and verify packages and relationships are extracted
  • Build an SbomLinkageStatement linking the parsed SBOM to its pipeline subject and verify the linkage
  • Extract component references via ComponentRefExtractor from CycloneDX (bom-ref) and SPDX (SPDXID) and verify cross-linking
  • Run the pipeline from SBOM input through linkage to proof chain output via ProofChainRequest/ProofChainResult
  • Persist the SBOM entry via SbomEntryEntity and verify retrieval by digest
  • Verify SbomDescriptor captures format (CycloneDX/SPDX), spec version, and document digest
  • Verify SbomExtractionResult captures all components with PURLs for downstream indexing
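The descriptor, linkage-statement and persist-by-digest steps in the plan above share one invariant: the digest recorded in the statement must be computed over the exact SBOM bytes that are stored and later retrieved. The following is an added Python example written for this page, not the project's code: it builds a descriptor (format, spec version, sha256), wraps it in an in-toto v1 Statement whose subject is the artefact the SBOM describes, and verifies the linkage by recomputing the digest. The predicate type URI and the `predicate.sbom` layout are illustrative assumptions, and the SBOM bytes and image digest are constructed.

```python
# Added example (not the project's code): describe an SBOM by format, spec
# version and digest, wrap it in an in-toto v1 Statement bound to the pipeline
# subject, and verify the linkage. PREDICATE_TYPE and the predicate layout are
# illustrative assumptions, not the project's schema.
import hashlib
import hmac
import json

PREDICATE_TYPE = "https://example.invalid/attestation/sbom-linkage/v1"  # assumed
STATEMENT_TYPE = "https://in-toto.io/Statement/v1"

# Constructed inputs: the exact bytes the scanner emitted, and the image they describe.
SBOM_BYTES = (b'{"bomFormat":"CycloneDX","specVersion":"1.6",'
              b'"serialNumber":"urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79",'
              b'"version":1,"components":[]}')
SUBJECT_NAME = "registry.example.invalid/app"
SUBJECT_DIGEST = "sha256:" + "ab" * 32

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def describe_sbom(raw: bytes) -> dict:
    """Descriptor over the bytes as received. Digesting a re-serialised copy
    would bind the statement to something nobody ever stored."""
    doc = json.loads(raw)
    if doc.get("bomFormat") == "CycloneDX":
        fmt, ver = "CycloneDX", str(doc["specVersion"])
    elif isinstance(doc.get("spdxVersion"), str):
        fmt, ver = "SPDX", doc["spdxVersion"].removeprefix("SPDX-")
    else:
        raise ValueError("unrecognised SBOM format")
    return {"format": fmt, "specVersion": ver, "digest": {"sha256": sha256_hex(raw)}}

def build_linkage_statement(descriptor: dict, subject_name: str, subject_digest: str) -> dict:
    """in-toto v1 Statement: the subject is the artefact the SBOM describes and
    the predicate carries the descriptor. This dict is the DSSE payload
    (payloadType application/vnd.in-toto+json) that would then be signed."""
    algo, _, value = subject_digest.partition(":")
    return {
        "_type": STATEMENT_TYPE,
        "subject": [{"name": subject_name, "digest": {algo: value}}],
        "predicateType": PREDICATE_TYPE,
        "predicate": {"sbom": descriptor},
    }

def verify_linkage(statement: dict, sbom_bytes: bytes, expected_subject_digest: str) -> bool:
    """Recompute the SBOM digest from the bytes actually retrieved and check
    that the statement is about the expected subject and predicate type."""
    if statement.get("_type") != STATEMENT_TYPE or statement.get("predicateType") != PREDICATE_TYPE:
        return False
    algo, _, value = expected_subject_digest.partition(":")
    if not any(s.get("digest", {}).get(algo) == value for s in statement.get("subject", [])):
        return False
    recorded = statement.get("predicate", {}).get("sbom", {}).get("digest", {}).get("sha256", "")
    return hmac.compare_digest(recorded, sha256_hex(sbom_bytes))

if __name__ == "__main__":
    stmt = build_linkage_statement(describe_sbom(SBOM_BYTES), SUBJECT_NAME, SUBJECT_DIGEST)
    print(json.dumps(stmt, indent=2))
    print("verifies against stored bytes:", verify_linkage(stmt, SBOM_BYTES, SUBJECT_DIGEST))
    # Pretty-printing the SBOM and digesting that instead silently breaks the link.
    reserialised = json.dumps(json.loads(SBOM_BYTES), indent=2).encode()
    print("verifies against re-serialised copy:", verify_linkage(stmt, reserialised, SUBJECT_DIGEST))
```

The last two lines of the `__main__` block show the failure mode the retrieve-by-digest step guards against: re-serialising or pretty-printing the SBOM before digesting produces a different digest, so a verifier holding the original bytes can no longer match them to the statement. The statement would be signed as a DSSE envelope over exactly these payload bytes; the example stops before signing.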

Verification

| Check | Result |
|---|---|
| Tier 0 - Source Verification | PASS |
| Tier 1 - Build + Code Review | PASS |
| Tier 2 - Behavioral Verification | PASS |

Verified Date: 2026-02-13
Run ID: run-001