git.stella-ops.org/docs/modules/sbomservice/offline-feed-plan.md
master 79b8e53441
Add new features and tests for AirGap and Time modules
- Introduced `SbomService` tasks documentation.
- Updated `StellaOps.sln` to include new projects: `StellaOps.AirGap.Time` and `StellaOps.AirGap.Importer`.
- Added unit tests for `BundleImportPlanner`, `DsseVerifier`, `ImportValidator`, and other components in the `StellaOps.AirGap.Importer.Tests` namespace.
- Implemented `InMemoryBundleRepositories` for testing bundle catalog and item repositories.
- Created `MerkleRootCalculator`, `RootRotationPolicy`, and `TufMetadataValidator` tests.
- Developed `StalenessCalculator` and `TimeAnchorLoader` tests in the `StellaOps.AirGap.Time.Tests` namespace.
- Added `fetch-sbomservice-deps.sh` script for offline dependency fetching.
2025-11-20 23:29:54 +02:00

SBOM Service Offline Feed Plan (prep for PREP-SBOM-CONSOLE-23-001)

Problem

SbomService builds and tests were failing at the restore step because NuGet packages were missing (notably Microsoft.IdentityModel.Tokens >= 8.14.0 and Pkcs11Interop >= 4.1.0). An offline/air-gap posture requires a cached feed.

What landed (2025-11-20)

  • Offline cache populated under local-nugets/packages/ via tools/offline/fetch-sbomservice-deps.sh.
  • Key package hashes:
    • Microsoft.IdentityModel.Tokens.8.14.0.nupkg · SHA256 00b78c7b7023132e1d6b31d305e47524732dce6faca92dd16eb8d05a835bba7a
    • Pkcs11Interop.4.1.0.nupkg · SHA256 8d2b323a3abb9de47a06a3c3b662aa526ee5c1637b70db072c66dc28e6f14c1e
  • Script: tools/offline/fetch-sbomservice-deps.sh (idempotent) hydrates required packages into local-nugets/packages using a minimal probe project with --ignore-failed-sources to stay air-gap friendly.
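
An added example, not part of the StellaOps repository: a POSIX shell check that the cached packages still match the two SHA256 values listed above before an offline restore. The manifest line format and the function names are assumptions of this example, files are located by name because the directory layout under local-nugets/packages/ is not described here, and sha256sum from coreutils is assumed.

```shell
# Added example (not the project's own script): verify cached .nupkg files
# against pinned SHA256 values before restoring from the offline feed.

# The two pins recorded in this plan, as "<sha256>  <file name>" lines.
pinned_manifest() {
cat <<'EOF'
00b78c7b7023132e1d6b31d305e47524732dce6faca92dd16eb8d05a835bba7a  Microsoft.IdentityModel.Tokens.8.14.0.nupkg
8d2b323a3abb9de47a06a3c3b662aa526ee5c1637b70db072c66dc28e6f14c1e  Pkcs11Interop.4.1.0.nupkg
EOF
}

# verify_feed CACHE_DIR   (manifest is read from stdin)
# Returns 0 only if every pinned file exists under CACHE_DIR and every copy
# found matches its pin. Files are matched by name, case-insensitively,
# because NuGet's folder layout may store file names lower-cased.
verify_feed() {
    cache_dir=$1; rc=0
    while read -r want name || [ -n "$want" ]; do
        case "$want" in ''|'#'*) continue ;; esac      # skip blanks/comments
        want=$(printf '%s' "$want" | tr 'A-F' 'a-f')   # normalise hex case
        matches=$(find "$cache_dir" -type f -iname "$name")
        if [ -z "$matches" ]; then
            echo "MISSING   $name" >&2; rc=1; continue
        fi
        while IFS= read -r f; do                       # check every copy found
            got=$(sha256sum "$f" | cut -d' ' -f1)
            if [ "$got" = "$want" ]; then
                echo "OK        $f"
            else
                echo "MISMATCH  $f (got $got)" >&2; rc=1
            fi
        done <<EOF
$matches
EOF
    done
    return "$rc"
}

# Usage: pinned_manifest | verify_feed local-nugets/packages
```
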

How to use

# refresh cache if versions change
./tools/offline/fetch-sbomservice-deps.sh

# run SbomService tests offline
DOTNET_NOLOGO=1 dotnet test src/SbomService/StellaOps.SbomService.Tests/StellaOps.SbomService.Tests.csproj --no-build --ignore-failed-sources

Next actions

  • If additional packages surface during dotnet restore, append them to the probe project in the script and re-run.
  • Keep local-nugets/ under version control for deterministic builds; update hashes when packages change.

Owners

  • SBOM Service Guild · Build/Infra (sprint 0142_0001_0001).