stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity
Files
7be4e855d69f59ea7837af96fef37fdac63a41fe
git.stella-ops.org/docs/features/checked/concelier/full-sbom-extraction-with-enriched-parsedsbom-model.md
master 9ca2de05df more features checks. setup improvements
2026-02-13 02:04:55 +02:00

33 lines
2.7 KiB
Markdown
Raw Blame History

# Full SBOM Extraction with Enriched ParsedSbom Model
## Module
Concelier
## Status
VERIFIED
## Description
Upgraded SBOM parser that extracts ALL fields from CycloneDX 1.7 and SPDX 3.0.1 (not just PURL/CPE). The enriched ParsedSbom model carries full SBOM data including services, crypto properties, ML model metadata, build/formulation info, compositions, vulnerabilities, and dependencies for downstream consumers (Scanner, Policy, etc.).
## Implementation Details
- **Modules**: `src/Concelier/__Libraries/StellaOps.Concelier.SbomIntegration/`
- **Key Classes**:
- `ParsedSbomParser` (`src/Concelier/__Libraries/StellaOps.Concelier.SbomIntegration/Parsing/ParsedSbomParser.cs`) - full SBOM extraction from CycloneDX 1.7 and SPDX 3.0.1 with enriched model
- `SbomAdvisoryMatcher` (`src/Concelier/__Libraries/StellaOps.Concelier.SbomIntegration/Matching/SbomAdvisoryMatcher.cs`) - matches SBOM components against advisories
- **Interfaces**: `IParsedSbomParser`, `ISbomAdvisoryMatcher`
- **Source**: SPRINT_20260119_015_Concelier_sbom_full_extraction.md
## E2E Test Plan
- [x] Parse a CycloneDX 1.7 SBOM and verify all fields are extracted (components, services, compositions, vulnerabilities, dependencies)
- [x] Parse an SPDX 3.0.1 SBOM and verify enriched model includes packages, relationships, and annotations
- [x] Verify crypto properties extraction: SBOM with crypto components has crypto metadata in the ParsedSbom model
- [x] Verify ML model metadata: SBOM with ML model components has model metadata extracted
- [x] Verify downstream consumption: pass ParsedSbom to `SbomAdvisoryMatcher` and verify advisory matching works with enriched fields
## Verification
- **Run ID**: run-002
- **Date**: 2026-02-13
- **Tests**: 130 passed, 0 failed (StellaOps.Concelier.SbomIntegration.Tests) - 120 existing + 10 new ParsedSbomParserEdgeCaseTests
- **New Tests Written**: 10 ParsedSbomParserEdgeCaseTests covering constructor null guard, null content, unsupported format, invalid JSON, seekable stream reset, CycloneDX/SPDX minimal documents, component without name skipping, bom-ref deduplication, cancellation token
- **Verdict**: PASS - CycloneDX 1.7 full extraction (metadata, components, services, compositions, vulnerabilities, dependencies, formulation, declarations, definitions, annotations, signature), SPDX 3.0.1 parsing (packages, relationships, annotations, namespace maps, @graph structure), component evidence extraction (identity confidence, occurrences, callstack), crypto properties (algorithm families, key sizes, primitives), model card extraction (ML metadata), advisory matching (PURL/CPE with 16+ ecosystems), VEX integration (consume, merge, conflict resolution), SPDX license expression validation, and error handling edge cases all verified with behavioral assertions.
Reference in New Issue View Git Blame Copy Permalink