git.stella-ops.org/docs/features/checked/scanner/byos-ingestion-workflow.md
2026-02-12 21:02:43 +02:00


BYOS (Bring Your Own SBOM) Ingestion Workflow

Module: Scanner

Status: VERIFIED

Description

Allows users to upload externally generated SBOMs (CycloneDX 1.4 to 1.6, SPDX 2.3 and 3.0) through the REST API. The ingestion path performs automatic format detection, schema validation, component normalization, quality scoring (PURL, version and license coverage, weighted 40/30/30), SHA-256 digest computation over the uploaded bytes, and automatic scan/analysis triggering. Both inline JSON and base64-encoded payloads are accepted, optionally carrying CI context metadata.
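The following is an added reference model of that pipeline, written for this page and not taken from the Scanner code base: it decodes an inline or base64 payload, hashes the raw bytes before parsing, detects CycloneDX vs SPDX, applies a minimal structural check standing in for full schema validation, normalizes both formats to one component shape, and scores PURL/version/license coverage with the 40/30/30 weights. The sample SBOMs are constructed for the example; the function names, the result dictionary, and the choice to model only the SPDX 2.3 JSON shape (SPDX 3.0 JSON-LD has a different top-level layout) are assumptions, not the project's contracts.

```python
import base64
import hashlib
import json

# Constructed sample SBOMs for this example; not from the project's test data.
CYCLONEDX_INLINE = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.6",
    "components": [
        {"name": "lodash", "version": "4.17.21", "purl": "pkg:npm/lodash@4.17.21",
         "licenses": [{"license": {"id": "MIT"}}]},
        {"name": "left-pad", "version": "1.3.0"},   # no purl, no license
        {"name": "mystery-lib"},                     # no version either
    ],
})
CYCLONEDX_BASE64 = base64.b64encode(CYCLONEDX_INLINE.encode()).decode()
SPDX_BASE64 = base64.b64encode(json.dumps({
    "spdxVersion": "SPDX-2.3", "SPDXID": "SPDXRef-DOCUMENT", "name": "example",
    "packages": [
        {"name": "openssl", "versionInfo": "3.0.13", "licenseConcluded": "Apache-2.0",
         "externalRefs": [{"referenceType": "purl",
                           "referenceLocator": "pkg:generic/openssl@3.0.13"}]},
        {"name": "zlib", "versionInfo": "1.3.1", "licenseConcluded": "NOASSERTION"},
    ],
}).encode()).decode()

WEIGHTS = {"purl": 0.4, "version": 0.3, "license": 0.3}   # 40/30/30 from the page
CYCLONEDX_VERSIONS = {"1.4", "1.5", "1.6"}
SPDX_VERSIONS = {"SPDX-2.3"}   # assumption: SPDX 3.0 JSON-LD is not modelled here


def decode_payload(payload: str, encoding: str) -> bytes:
    """Return the raw bytes of an inline-JSON or base64 payload; these are what get hashed."""
    if encoding == "inline":
        return payload.encode("utf-8")
    if encoding == "base64":
        return base64.b64decode(payload, validate=True)   # strict: rejects non-alphabet chars
    raise ValueError(f"unsupported payload encoding: {encoding}")


def detect_format(doc: dict):
    """Return (format, version); raise ValueError for unknown or unsupported documents."""
    if doc.get("bomFormat") == "CycloneDX":
        version = str(doc.get("specVersion", ""))
        if version not in CYCLONEDX_VERSIONS:
            raise ValueError(f"unsupported CycloneDX specVersion {version!r}")
        return "cyclonedx", version
    version = doc.get("spdxVersion")
    if isinstance(version, str):
        if version not in SPDX_VERSIONS:
            raise ValueError(f"unsupported spdxVersion {version!r}")
        return "spdx", version
    raise ValueError("unknown SBOM format: neither bomFormat nor spdxVersion present")


def validate(fmt: str, doc: dict) -> list:
    """Minimal structural checks standing in for full JSON-schema validation."""
    errors = []
    key = "components" if fmt == "cyclonedx" else "packages"
    if not isinstance(doc.get(key, []), list):
        errors.append(f"{key} must be an array")
    if fmt == "spdx" and doc.get("SPDXID") != "SPDXRef-DOCUMENT":
        errors.append("SPDXID must be SPDXRef-DOCUMENT")
    return errors


def normalize(fmt: str, doc: dict) -> list:
    """Map both formats onto one shape: name / version / purl / licenses."""
    out = []
    if fmt == "cyclonedx":
        for c in doc.get("components", []):
            lics = [l.get("license", {}).get("id") or l.get("license", {}).get("name")
                    or l.get("expression") for l in c.get("licenses", [])]
            out.append({"name": c.get("name"), "version": c.get("version"),
                        "purl": c.get("purl"), "licenses": [x for x in lics if x]})
    else:
        for p in doc.get("packages", []):
            purl = next((r.get("referenceLocator") for r in p.get("externalRefs", [])
                         if r.get("referenceType") == "purl"), None)
            lic = p.get("licenseConcluded") or p.get("licenseDeclared")
            out.append({"name": p.get("name"), "version": p.get("versionInfo"), "purl": purl,
                        "licenses": [lic] if lic and lic not in ("NOASSERTION", "NONE") else []})
    return out


def quality_score(components: list) -> dict:
    """Per-field coverage fractions plus the weighted total."""
    n = len(components)
    cov = {"purl": 0.0, "version": 0.0, "license": 0.0}
    if n:
        cov["purl"] = sum(1 for c in components if c["purl"]) / n
        cov["version"] = sum(1 for c in components if c["version"]) / n
        cov["license"] = sum(1 for c in components if c["licenses"]) / n
    cov["score"] = sum(WEIGHTS[k] * cov[k] for k in WEIGHTS)
    return cov


def ingest(payload: str, encoding: str = "inline") -> dict:
    """decode -> digest -> parse -> detect -> validate -> normalize -> score."""
    try:
        raw = decode_payload(payload, encoding)
    except ValueError as exc:   # binascii.Error (bad base64) is a ValueError
        return {"accepted": False, "errors": [str(exc)]}
    digest = "sha256:" + hashlib.sha256(raw).hexdigest()   # digest of bytes as uploaded
    try:
        doc = json.loads(raw)   # JSONDecodeError is a ValueError
        fmt, version = detect_format(doc)
    except ValueError as exc:
        return {"accepted": False, "digest": digest, "errors": [str(exc)]}
    errors = validate(fmt, doc)
    if errors:
        return {"accepted": False, "digest": digest, "format": fmt, "errors": errors}
    components = normalize(fmt, doc)
    return {"accepted": True, "digest": digest, "format": fmt, "version": version,
            "components": len(components), "quality": quality_score(components)}


if __name__ == "__main__":
    print(json.dumps(ingest(CYCLONEDX_INLINE), indent=2))
    print(json.dumps(ingest(SPDX_BASE64, "base64"), indent=2))
```

Hashing happens before parsing so that the digest identifies exactly the bytes the client sent, which is what a later reviewer or a signed attestation needs to compare against; the same document delivered inline and base64-encoded therefore yields the same digest, and a document that fails detection or validation still returns one so the rejection can be correlated with the upload.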

Implementation Details

  • Upload Endpoints:
    • src/Scanner/StellaOps.Scanner.WebService/Endpoints/SbomUploadEndpoints.cs - SbomUploadEndpoints for REST upload API
    • src/Scanner/StellaOps.Scanner.WebService/Endpoints/SbomEndpoints.cs - Additional SBOM query endpoints
  • Contracts:
    • src/Scanner/StellaOps.Scanner.WebService/Contracts/SbomContracts.cs - SbomUploadRequestDto, SbomUploadResponseDto, SbomValidationSummaryDto, SbomFormats, SbomAncestryDto, SbomUploadSourceDto, SbomUploadCiContextDto
  • Ingestion Service:
    • src/Scanner/StellaOps.Scanner.WebService/Services/ISbomIngestionService.cs - ISbomIngestionService, SbomIngestionResult, SbomValidationResult
    • src/Scanner/StellaOps.Scanner.WebService/Services/SbomIngestionService.cs - Format detection, schema validation, component normalization, quality scoring, digest computation
  • BYOS Upload Service:
    • src/Scanner/StellaOps.Scanner.WebService/Services/SbomByosUploadService.cs - ISbomByosUploadService / SbomByosUploadService for external SBOM ingestion
  • Upload Store:
    • src/Scanner/StellaOps.Scanner.WebService/Services/SbomUploadStore.cs - ISbomUploadStore, InMemorySbomUploadStore, SbomUploadRecord

E2E Test Plan

  • Upload a CycloneDX 1.6 JSON SBOM via POST /api/v1/sbom/upload with inline JSON payload and verify acceptance
  • Upload an SPDX 2.3 SBOM via base64-encoded payload with CI context metadata and verify ingestion
  • Verify automatic format detection correctly identifies CycloneDX vs SPDX format
  • Verify schema validation rejects an invalid SBOM with appropriate error details
  • Verify quality scoring returns PURL/version/license coverage percentages (40/30/30 weighted)
  • Verify SHA-256 digest is computed and returned in the response
  • Verify automatic scan/analysis is triggered after successful ingestion
  • Query the uploaded SBOM status via GET /api/v1/sbom/uploads/{id} and verify metadata

Verification

  • Verified in run-001 on 2026-02-12 with Tier 0/1/2 evidence in docs/qa/feature-checks/runs/scanner/byos-ingestion-workflow/run-001/.
  • Tier 2 API checks validated CycloneDX inline upload, SPDX base64 upload, upload record retrieval, and unknown-format rejection paths.