stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity
Files
310e9f84fe09fa2fc71e2f91b6153cc904cd2df4
git.stella-ops.org/docs/features/checked/policy/sbom-presence-policy-gate.md
master e9aeadc040 save checkpoint
2026-02-14 09:11:48 +02:00

37 lines
2.1 KiB
Markdown
Raw Blame History

# SBOM Presence Policy Gate (SbomPresenceGate)
## Module
Policy
## Status
IMPLEMENTED
## Description
Policy gate that blocks releases lacking a valid SBOM document, with configurable format requirements (CycloneDX/SPDX), minimum component count thresholds, and freshness checks.
## Implementation Details
- **PolicyGateEvaluator Evidence Completeness gate**: `src/Policy/StellaOps.Policy.Engine/Gates/PolicyGateEvaluator.cs`
- Evidence Completeness gate (first in 5-gate pipeline) checks for SBOM presence
- Missing SBOM triggers Block or Warn based on gate configuration
- Evaluates SBOM format, component count, and freshness as part of evidence checks
- **DriftGateEvaluator**: `src/Policy/StellaOps.Policy.Engine/Gates/DriftGateEvaluator.cs`
- Evaluates SBOM drift between baseline and target
- SBOM format validation (CycloneDX/SPDX) as part of drift analysis
- **DriftGateOptions**: `src/Policy/StellaOps.Policy.Engine/Gates/DriftGateOptions.cs` -- configurable SBOM requirements
- **EvidenceTtlEnforcer**: `src/Policy/__Libraries/StellaOps.Policy/Freshness/EvidenceTtlEnforcer.cs`
- SBOM/Provenance freshness: checks BuildTime against TTL
- Freshness statuses: Fresh, Warning, Stale
- **WhatIfSimulationService**: `src/Policy/StellaOps.Policy.Engine/WhatIfSimulation/WhatIfSimulationService.cs`
- SBOM diff operations verify SBOM presence before simulation
## E2E Test Plan
- [ ] Evaluate artifact without SBOM; verify Evidence Completeness gate blocks
- [ ] Evaluate artifact with valid CycloneDX SBOM; verify gate passes
- [ ] Evaluate artifact with valid SPDX SBOM; verify gate passes
- [ ] Configure minimum component count threshold=10; provide SBOM with 5 components; verify gate warns/blocks
- [ ] Configure minimum component count threshold=10; provide SBOM with 15 components; verify gate passes
- [ ] Evaluate artifact with stale SBOM (BuildTime exceeds TTL); verify freshness check warns
- [ ] Evaluate artifact with fresh SBOM (BuildTime within TTL); verify freshness check passes
- [ ] Verify gate result message indicates SBOM format and component count when present
- [ ] Verify DriftGateEvaluator detects missing SBOM in drift analysis
Reference in New Issue View Git Blame Copy Permalink