git.stella-ops.org/docs/features/checked/cli/sbom-deterministic-generation-cli.md
2026-02-14 09:11:48 +02:00

SBOM Deterministic Generation CLI

Module

Cli

Status

VERIFIED

Description

Deterministic SBOM generation from container images or directories in CycloneDX, SPDX, or both formats. Includes hash computation and verification for SBOM determinism validation.

Implementation Details

  • Command Group: src/Cli/StellaOps.Cli/Commands/SbomCommandGroup.cs -- SBOM generation commands
  • SBOM Client: src/Cli/StellaOps.Cli/Services/SbomClient.cs / ISbomClient.cs
  • SBOMer Client: src/Cli/StellaOps.Cli/Services/SbomerClient.cs / ISbomerClient.cs
  • Commands:
    • stella sbom generate <image|dir> -- generate deterministic SBOM. Options: --format cdx|spdx|both, --output <path>, --verify-determinism
  • Determinism: Same input produces byte-identical SBOM output

E2E Test Plan

  • Run stella sbom generate myregistry/app:v1.0 --format cdx and verify CycloneDX SBOM
  • Run with --format spdx and verify SPDX SBOM
  • Run with --format both and verify both formats generated
  • Run with --verify-determinism and verify hash matches across runs
  • Verify deterministic output (same image produces identical SBOM)
  • Verify directory-based SBOM generation
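An independent cross-check for the determinism steps above, added here as an example (not part of the StellaOps code base): it runs a generator several times, hashes each output with SHA-256, and reports the first run whose bytes differ. It assumes that --output <path> names a single output file when one format is selected; check_determinism, stable_gen and unstable_gen are hypothetical names, and the two stub generators are constructed stand-ins for the real CLI.

```shell
#!/usr/bin/env bash
# Added example: verify that repeated SBOM generation is byte-identical.
# Usage: check_determinism <runs> <generator command...>
# The output path is appended as the generator's last argument (assumption), e.g.
#   check_determinism 3 stella sbom generate myregistry/app:v1.0 --format cdx --output
# Returns 0 = all runs identical, 1 = outputs differ, 2 = generator failed.
check_determinism() {
    local runs=$1; shift
    local workdir first="" digest out i=1
    workdir=$(mktemp -d) || return 2
    while [ "$i" -le "$runs" ]; do
        out="$workdir/sbom-$i.json"
        # A failed or empty run must not be mistaken for a "matching" one.
        if ! "$@" "$out" >/dev/null 2>&1 || [ ! -s "$out" ]; then
            echo "run $i: generator failed or wrote no output" >&2
            rm -rf "$workdir"; return 2
        fi
        digest=$(sha256sum "$out" | cut -d' ' -f1)
        echo "run $i: sha256=$digest"
        if [ -z "$first" ]; then
            first=$digest
        elif [ "$digest" != "$first" ]; then
            echo "run $i differs from run 1:" >&2
            # cmp prints the first differing byte offset, a starting point
            # for finding the non-deterministic field (timestamp, UUID, ordering).
            cmp "$workdir/sbom-1.json" "$out" >&2 || true
            rm -rf "$workdir"; return 1
        fi
        i=$((i + 1))
    done
    rm -rf "$workdir"
    return 0
}

# Constructed stand-ins for the real CLI, so the check can be tried offline.
stable_gen() {
    printf '{"bomFormat":"CycloneDX","components":[]}\n' > "$1"
}
counter=0
unstable_gen() {
    # Simulates a per-run value (such as a serial number) leaking into the output.
    counter=$((counter + 1))
    printf '{"bomFormat":"CycloneDX","serial":"%s"}\n' "$counter" > "$1"
}
```

Treat exit code 2 separately from 1 in CI: a generator that fails on every run produces no differing hashes, so it must not be reported as deterministic.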

Verification

  • Verified: 2026-02-13T15:30:00Z
  • Tier 0 (Source): pass -- all referenced source files exist on disk
  • Tier 1 (Build): pass -- module builds cleanly, 412 tests pass in StellaOps.Cli.Commands.Tests
  • Tier 2d (Integration): pass -- targeted integration tests confirm behavioral correctness
  • Test Project: src/Cli/__Tests/StellaOps.Cli.Commands.Tests/StellaOps.Cli.Commands.Tests.csproj
  • Evidence: docs/qa/feature-checks/runs/cli/sbom-deterministic-generation-cli/run-001/tier2-integration-check.json