git.stella-ops.org/docs/product-advisories/16-Nov-2026 - spdx canonical persistence cyclonedx interchange.md
master 7b01c7d6ac
feat: Add comprehensive product advisories for improved scanner functionality
- Introduced a blueprint for explainable quiet alerts, detailing phases for SBOM, VEX readiness, and attestations.
- Developed a roadmap for deterministic diff-aware rescans, enhancing scanner speed and efficiency.
- Implemented a hash-based SBOM layer cache to optimize container scans by reusing previous results.
- Created a multi-runtime reachability corpus to validate function-level reachability across various programming languages.
- Proposed a stable SBOM model using SPDX 3.0.1 for persistence and CycloneDX 1.6 for interchange.
- Established a validation plan for quiet scans, focusing on provenance and CI integration.
- Documented guidelines for the Findings Ledger module, outlining roles, execution rules, and testing protocols.
2025-11-17 00:09:26 +02:00


Here's a quick, concrete proposal to lock in a stable SBOM model for StellaOps: use SPDX 3.0.1 as your canonical persistence schema and CycloneDX 1.6 as the interchange "view," bridged by a deterministic transform.

Why this pairing

  • SPDX 3.0.1 gives you a rigorous, profile-based data model (Core/Software/Security/AI/Build, etc.) with explicit Relationship elements whose relationshipType carries the edge semantics (dependsOn, contains, describes, affects, ...), which is ideal for long-lived storage and graph queries. (SPDX)
  • CycloneDX 1.6 excels at exchange: widely adopted, supports services/SaaSBOM, compliance attestations (CDXA), CBOM (cryptographic inventory), MLBOM, and more, which makes it the right format for portable BOMs handed to customers and regulators. (CycloneDX)

Target architecture (minimal)

  • Persistence: Store SBOMs as SPDX 3.0.1 (JSON-LD/RDF), normalized into your Mongo event-sourced graph; keep Relationship edges first-class rather than flattening them into component attributes. (SPDX)
  • Interchange: On export, render CycloneDX 1.6 (JSON/XML) including components, services, dependencies, vulnerabilities, and optional CBOM/CDXA blocks. (SBOM Observer)
  • Deterministic transform: Define a static mapping table (SPDX→CycloneDX) with sorted collections, stable identifiers (bom-refs and the BOM serialNumber derived as UUIDv5 from the SPDX element ids under one fixed namespace), normalized strings (Unicode NFC, collapsed whitespace), canonical JSON serialization (sorted keys, fixed separators), and no wall-clock values such as metadata.timestamp, to guarantee byte-for-byte reproducibility across offline sites. Any regenerated timestamp or random UUID in the output silently defeats the whole property.

Quick win mapping examples

  • SPDX Relationship elements with relationshipType dependsOn → CycloneDX dependencies graph (one entry per component: ref plus a sorted dependsOn list). (SPDX)
  • SPDX Security profile Vulnerability elements plus the VEX assessment relationships (VexAffected/VexNotAffected/VexFixed/VexUnderInvestigation) → CycloneDX vulnerabilities entries with affects refs and analysis.state. Note the granularity mismatch: SPDX assesses per (vulnerability, product) pair, while a CycloneDX entry carries a single analysis, so the transform must either split entries or reject conflicting states. (SPDX)
  • SPDX AI profile → CycloneDX MLBOM (machine-learning model component with modelCard); SPDX Build profile → CycloneDX formulation (manufacturing BOM) for build provenance, with compliance claims carried as CDXA attestations. (SPDX)
  • Crypto materials (keys/algorithms/policies) held in SPDX extensions or attributes → CycloneDX CBOM on export for policy checks (CNSA/NIST). (CycloneDX)
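The deterministic transform and the first two mappings above, worked as an added example (illustrative code written for this advisory, not the StellaOps code base or the planned .NET exporter). Element and property names follow the SPDX 3.0.1 JSON-LD serialization (SpdxDocument, software_Package, Relationship, security_Vulnerability, the security_Vex*VulnAssessmentRelationship classes); the namespace UUID seeding the bom-refs, the urn:example ids and the EXAMPLE-0001 advisory id are constructed placeholders. The sample graph is shuffled before export to show that element order on the source side does not change the output bytes.

```python
"""Illustrative deterministic SPDX 3.0.1 -> CycloneDX 1.6 exporter (not StellaOps code)."""
import hashlib
import json
import random
import unicodedata
import uuid

# Assumed, fixed namespace seed: pick it once per deployment and never rotate it, or bom-refs drift.
BOM_NS = uuid.UUID("7a0c6b2e-5d4f-4c1a-9e3b-2f8d1c0a5b77")  # constructed value

# Static mapping table: SPDX Security-profile VEX assessment class -> CycloneDX analysis.state
VEX_STATE = {
    "security_VexAffectedVulnAssessmentRelationship": "exploitable",
    "security_VexNotAffectedVulnAssessmentRelationship": "not_affected",
    "security_VexFixedVulnAssessmentRelationship": "resolved",
    "security_VexUnderInvestigationVulnAssessmentRelationship": "in_triage",
}


def norm(text):
    """Unicode NFC plus whitespace collapse, so equal names always serialize to equal bytes."""
    return " ".join(unicodedata.normalize("NFC", text).split())


def bom_ref(key):
    """Stable bom-ref: UUIDv5 of an SPDX element id (optionally '#qualifier') under the fixed namespace."""
    return str(uuid.uuid5(BOM_NS, key))


def vuln_id(vuln):
    """Prefer the CVE external identifier; fall back to the element name."""
    for ext in vuln.get("externalIdentifier", []):
        if ext.get("externalIdentifierType") == "cve":
            return ext["identifier"]
    return norm(vuln["name"])


def to_cyclonedx(spdx_doc):
    """Render a CycloneDX 1.6 BOM (as a dict) from an SPDX 3.0.1 JSON-LD @graph."""
    graph = spdx_doc["@graph"]
    by_id = {e["spdxId"]: e for e in graph}
    sdoc = next(e for e in graph if e["type"] == "SpdxDocument")
    root_id = sdoc["rootElement"][0]
    components, deps, vulns = [], {}, {}
    for e in graph:
        t = e["type"]
        if t == "software_Package":
            comp = {"type": "application" if e["spdxId"] == root_id else "library",
                    "bom-ref": bom_ref(e["spdxId"]), "name": norm(e["name"]),
                    "version": norm(e.get("software_packageVersion", ""))}
            if "software_packageUrl" in e:
                comp["purl"] = e["software_packageUrl"]
            components.append(comp)
            deps.setdefault(comp["bom-ref"], set())  # every component gets a dependencies node
        elif t == "Relationship" and e["relationshipType"] == "dependsOn":
            deps.setdefault(bom_ref(e["from"]), set()).update(bom_ref(x) for x in e["to"])
        elif t in VEX_STATE:
            # SPDX assesses per (vulnerability, product); a CycloneDX entry has one analysis,
            # so emit one entry per (vulnerability, state), with a bom-ref that is stable too.
            vulns.setdefault((e["from"], VEX_STATE[t]), set()).update(bom_ref(x) for x in e["to"])
    root = next(c for c in components if c["bom-ref"] == bom_ref(root_id))
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.6",
        "version": 1,
        # serialNumber derives from the SPDX document id; no metadata.timestamp, it would break reproducibility
        "serialNumber": "urn:uuid:" + bom_ref(sdoc["spdxId"]),
        "metadata": {"component": root},
        "components": sorted((c for c in components if c is not root),
                             key=lambda c: (c["name"], c["version"], c["bom-ref"])),
        "dependencies": [{"ref": r, "dependsOn": sorted(d)} for r, d in sorted(deps.items())],
        "vulnerabilities": [
            {"id": vuln_id(by_id[vid]), "bom-ref": bom_ref(f"{vid}#{state}"),
             "affects": [{"ref": r} for r in sorted(refs)], "analysis": {"state": state}}
            for (vid, state), refs in sorted(vulns.items(), key=lambda kv: (vuln_id(by_id[kv[0][0]]), kv[0][1]))
        ],
    }


def export_bytes(spdx_doc):
    """Canonical bytes: sorted keys, fixed separators, UTF-8, one trailing newline."""
    bom = to_cyclonedx(spdx_doc)
    return (json.dumps(bom, sort_keys=True, separators=(",", ":"), ensure_ascii=False) + "\n").encode("utf-8")


def export_digest(spdx_doc):
    return hashlib.sha256(export_bytes(spdx_doc)).hexdigest()


def shuffled(spdx_doc, seed):
    """Same graph, different element order, as it might arrive from another site."""
    graph = list(spdx_doc["@graph"])
    random.Random(seed).shuffle(graph)
    return {**spdx_doc, "@graph": graph}


# Constructed sample SPDX 3.0.1 JSON-LD graph; ids and the advisory id are placeholders.
SAMPLE = {
    "@context": "https://spdx.org/rdf/3.0.1/spdx-context.jsonld",
    "@graph": [
        {"type": "SpdxDocument", "spdxId": "urn:example:doc", "rootElement": ["urn:example:app"]},
        {"type": "software_Package", "spdxId": "urn:example:libz", "name": "libz",
         "software_packageVersion": "2.0.0", "software_packageUrl": "pkg:generic/libz@2.0.0"},
        {"type": "software_Package", "spdxId": "urn:example:app", "name": "  app ", "software_packageVersion": "1.0.0"},
        {"type": "software_Package", "spdxId": "urn:example:liba", "name": "liba",
         "software_packageVersion": "0.9.1", "software_packageUrl": "pkg:generic/liba@0.9.1"},
        {"type": "Relationship", "spdxId": "urn:example:r1", "relationshipType": "dependsOn",
         "from": "urn:example:app", "to": ["urn:example:libz", "urn:example:liba"]},
        {"type": "security_Vulnerability", "spdxId": "urn:example:v1", "name": "EXAMPLE-0001",
         "externalIdentifier": [{"type": "ExternalIdentifier", "externalIdentifierType": "securityOther",
                                 "identifier": "EXAMPLE-0001"}]},
        {"type": "security_VexNotAffectedVulnAssessmentRelationship", "spdxId": "urn:example:vex1",
         "relationshipType": "doesNotAffect", "from": "urn:example:v1", "to": ["urn:example:liba"]},
    ],
}

if __name__ == "__main__":
    print(export_bytes(SAMPLE).decode("utf-8"))
    print("reproducible:", export_digest(SAMPLE) == export_digest(shuffled(SAMPLE, 42)))
```

Two design points worth keeping when this is ported: the bom-ref of a vulnerability entry is seeded from the SPDX id plus the mapped state, so a product that is both fixed in one version and affected in another yields two stable entries instead of a conflict; and the root package lands in metadata.component rather than in components, which is the CycloneDX convention for the BOM's subject while still appearing in the dependencies graph.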

Governance & standards signal

  • SPDX 3.0.x is actively aligned with OMG/ISO submissions (good long-term bet for storage). (SPDX Lists)
  • CycloneDX 1.6 is the current, actively enhanced interchange standard used across vendors and tooling. (GitHub)

If you want, I'll draft the exact field-by-field mapping table (SPDX profile → CycloneDX section), plus a small .NET 10 library skeleton for the deterministic exporter.