stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 3 Releases Wiki Activity
Files
7be4e855d69f59ea7837af96fef37fdac63a41fe
git.stella-ops.org/docs/features/checked/scanner/cyclonedx-1-7-native-evidence-field-population.md
master e9aeadc040 save checkpoint
2026-02-14 09:11:48 +02:00

42 lines
2.1 KiB
Markdown
Raw Blame History

# CycloneDX 1.7 Native Evidence Field Population
## Module
Scanner
## Status
VERIFIED
## Description
Replaces custom `stellaops:evidence[n]` properties with spec-compliant CycloneDX 1.7 `component.evidence.*` structures (Identity, Occurrences, Licenses, Copyright). Ensures SBOM evidence data uses standard fields instead of vendor extensions.
## Implementation Details
- **Evidence Builders**:
- `src/Scanner/__Libraries/StellaOps.Scanner.Emit/Evidence/IdentityEvidenceBuilder.cs` - Builds `component.evidence.identity` fields
- `src/Scanner/__Libraries/StellaOps.Scanner.Emit/Evidence/OccurrenceEvidenceBuilder.cs` - Builds `component.evidence.occurrences` fields
- `src/Scanner/__Libraries/StellaOps.Scanner.Emit/Evidence/LicenseEvidenceBuilder.cs` - Builds `component.evidence.licenses` fields
- `src/Scanner/__Libraries/StellaOps.Scanner.Emit/Evidence/CallstackEvidenceBuilder.cs` - Builds callstack evidence fields
- **Evidence Mapping**:
- `src/Scanner/__Libraries/StellaOps.Scanner.Emit/Evidence/CycloneDxEvidenceMapper.cs` - Maps internal evidence data to CycloneDX 1.7 evidence structures
- **Composition Integration**:
- `src/Scanner/__Libraries/StellaOps.Scanner.Emit/Composition/CycloneDxComposer.cs` - Composes evidence into CycloneDX output
- `src/Scanner/__Libraries/StellaOps.Scanner.Emit/Composition/CycloneDxLayerWriter.cs` - Per-layer CycloneDX writer with evidence fields
## E2E Test Plan
- [ ] Scan a container image and export as CycloneDX 1.7 JSON
- [ ] Verify `component.evidence.identity` fields are populated for components with identity evidence
- [ ] Verify `component.evidence.occurrences` fields contain file location evidence
- [ ] Verify `component.evidence.licenses` fields contain license evidence
- [ ] Verify no custom `stellaops:evidence[n]` properties remain in the output
- [ ] Validate the output against the CycloneDX 1.7 JSON schema
---
## Verification
| Check | Result |
|-------|--------|
| Tier 0 - Source files exist | PASS |
| Tier 1 - Build + code review | PASS |
| Tier 2 - Integration tests | PASS |
| Verified | 2026-02-13T18:10:00Z |
Reference in New Issue View Git Blame Copy Permalink