# Scanner Cache Key & DSSE Validation Contract

Scope: unblocks SCAN-CACHE-186-013 by defining the cache key inputs, the validation performed on a hit, and the storage layout.

## Cache key

- Key components (concatenate in this order with `|`, then SHA256 the result):
  1. `subject_digest` (image digest)
  2. `manifest_hash` (canonical hash of the replay manifest)
  3. `tool.id` + `tool.version` (encoded as one component)
  4. `policy.hash`
  5. feed hashes (sorted, joined with `;`)
  6. determinism toggles (clock seed, rng seed, max_parallel)
- Every component must be canonically encoded before concatenation (lowercase hex digests, a fixed order for the toggles); otherwise two workers can derive different keys for the same scan and the cache never hits.
- The resulting cache key is the lowercase hex SHA256 and is used as the folder name under the CAS: `cache/{tenant}/{cache_key}/`.

## Stored entries

- `sbom.cdx.json`, `vex.json`, `findings.ndjson`, `entropy.report.json` (each only when present).
- `cache-manifest.json`: summary containing all key components, the SHA256 of every artifact, and `created_at` (UTC).
- `checksums.txt`: SHA256 for every other file in the folder.
- Optional `cache-manifest.json.dsse`: DSSE envelope over `cache-manifest.json`, signed with the replay signer profile; payload type `application/vnd.stellaops.cache-manifest+json`.

## Validation on hit

1. Recompute the cache key from the incoming request; it must match the folder name.
2. Recompute SHA256 over the stored files and compare with `checksums.txt` (every listed file present, no extra files, every digest equal).
3. If the DSSE envelope is present, verify its signature against the replay trust root and confirm that its payload type and payload match `cache-manifest.json`.
4. Compare `manifest_hash` in `cache-manifest.json` with the current scan manifest.
5. Reject (treat as a miss) on any mismatch and log the reason for the determinism audit.

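The following is an added example, not code from the StellaOps project, that walks the contract above end to end in Python: key derivation from the six components, the folder layout (`cache-manifest.json`, `checksums.txt`, optional `.dsse`), and the five validation steps returning the miss reason for the audit log. The payload type and file names are taken from this page; the helper names, the `key=value` encoding of the determinism toggles, the direct concatenation of `tool.id` and `tool.version`, the HMAC-SHA256 stand-in for the replay signer's real asymmetric key (used so the example runs with the standard library only) and the sample digests are all assumptions.

```python
import base64
import hashlib
import hmac
import json
from datetime import datetime, timezone

# From the contract: payload type and file names. Assumed: everything else,
# including the HMAC-SHA256 stand-in for the replay signer's real (asymmetric) key.
PAYLOAD_TYPE = "application/vnd.stellaops.cache-manifest+json"
KEY_FIELDS = ("subject_digest", "manifest_hash", "tool.id", "tool.version",
              "policy.hash", "feed_hashes", "determinism")

# Constructed sample request and artifacts (not real digests or scan output).
REQUEST = {
    "subject_digest": "sha256:" + "11" * 32,
    "manifest_hash": "22" * 32,
    "tool.id": "stellaops-scanner", "tool.version": "1.4.0",
    "policy.hash": "33" * 32,
    "feed_hashes": ["bb" * 32, "aa" * 32],          # deliberately unsorted
    "determinism": {"clock_seed": 0, "rng_seed": 42, "max_parallel": 4},
}
ARTIFACTS = {"sbom.cdx.json": b'{"bomFormat":"CycloneDX"}', "findings.ndjson": b'{"id":"F-1"}\n'}
SIGNER_KEY = b"replay-signer-stand-in-key"

def sha256hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def canonical_json(obj) -> bytes:
    # Sorted keys, no whitespace: the manifest must hash identically on every worker.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()

def cache_key(c: dict) -> str:
    """SHA256 over the six contract components joined with '|' (toggle encoding assumed)."""
    toggles = ",".join(f"{k}={c['determinism'][k]}" for k in sorted(c["determinism"]))
    parts = [c["subject_digest"], c["manifest_hash"], c["tool.id"] + c["tool.version"],
             c["policy.hash"], ";".join(sorted(c["feed_hashes"])), toggles]
    return sha256hex("|".join(parts).encode())

def _pae(payload_type: str, payload: bytes) -> bytes:
    # DSSE pre-authentication encoding: the signature covers the type and the payload.
    t = payload_type.encode()
    return b"DSSEv1 %d %s %d %s" % (len(t), t, len(payload), payload)

def dsse_sign(payload: bytes, key: bytes) -> bytes:
    sig = hmac.new(key, _pae(PAYLOAD_TYPE, payload), "sha256").digest()
    return canonical_json({"payloadType": PAYLOAD_TYPE,
                           "payload": base64.b64encode(payload).decode(),
                           "signatures": [{"keyid": "replay-signer",
                                           "sig": base64.b64encode(sig).decode()}]})

def dsse_verify(envelope: bytes, key: bytes, expected_payload: bytes) -> bool:
    env = json.loads(envelope)
    payload = base64.b64decode(env["payload"])
    if env["payloadType"] != PAYLOAD_TYPE or payload != expected_payload:
        return False                                  # envelope must bind THIS manifest
    want = hmac.new(key, _pae(PAYLOAD_TYPE, payload), "sha256").digest()
    return any(hmac.compare_digest(base64.b64decode(s["sig"]), want) for s in env["signatures"])

def build_entry(artifacts: dict, components: dict, signing_key=None) -> dict:
    """Lay out one cache folder as {filename: bytes}."""
    files = dict(artifacts)
    manifest = {f: components[f] for f in KEY_FIELDS}
    manifest["files"] = {n: sha256hex(b) for n, b in artifacts.items()}
    manifest["created_at"] = datetime.now(timezone.utc).isoformat()
    files["cache-manifest.json"] = canonical_json(manifest)
    if signing_key:
        files["cache-manifest.json.dsse"] = dsse_sign(files["cache-manifest.json"], signing_key)
    # checksums.txt lists every other file in the folder (it cannot cover itself).
    files["checksums.txt"] = "".join(f"{sha256hex(files[n])}  {n}\n" for n in sorted(files)).encode()
    return files

def validate_hit(folder: str, files: dict, request: dict, trust_key: bytes) -> tuple:
    """Contract steps 1-5; returns (hit, reason) so the reason can be logged on a miss."""
    if cache_key(request) != folder:
        return False, "cache_key mismatch"
    listed = {}
    for line in files["checksums.txt"].decode().splitlines():
        digest, name = line.split("  ", 1)
        listed[name] = digest
    stored = {n: d for n, d in files.items() if n != "checksums.txt"}
    if set(listed) != set(stored):
        return False, "checksums.txt file set mismatch"
    for name, data in stored.items():
        if sha256hex(data) != listed[name]:
            return False, f"checksum mismatch: {name}"
    if "cache-manifest.json.dsse" in files and not dsse_verify(
            files["cache-manifest.json.dsse"], trust_key, files["cache-manifest.json"]):
        return False, "dsse verification failed"
    if json.loads(files["cache-manifest.json"])["manifest_hash"] != request["manifest_hash"]:
        return False, "manifest_hash mismatch"
    return True, "ok"

if __name__ == "__main__":
    print(validate_hit(cache_key(REQUEST), build_entry(ARTIFACTS, REQUEST, SIGNER_KEY), REQUEST, SIGNER_KEY))
```

Two details matter in practice: `checksums.txt` is computed after the DSSE envelope is written so that the envelope is itself covered, and `dsse_verify` refuses an envelope whose payload bytes differ from the stored `cache-manifest.json`, so a valid signature over some other manifest cannot be dropped into the folder.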
## Idempotency & TTL

- Cache entries are immutable: if the folder already exists, compare its `cache-manifest.json` with the incoming one and return the existing entry rather than overwriting it.
- TTL is controlled by policy (default 30 days); the purge job removes expired entries based on `created_at`.

## API notes

- Worker -> WebService: `POST /api/v1/cache/{subjectDigest}` with the bundle metadata; returns the cache URI on a hit or 404 on a miss.
- WebService -> Worker: `GET /api/v1/cache/{subjectDigest}?cacheKey=...` returns `cache-manifest.json` followed by the artifact stream.