- Created project for StellaOps.Scanner.Analyzers.Native.Tests with necessary dependencies.
- Documented roles and guidelines in AGENTS.md for Scheduler module.
- Implemented IResolverJobService interface and InMemoryResolverJobService for handling resolver jobs.
- Added ResolverBacklogNotifier and ResolverBacklogService for monitoring job metrics.
- Developed API endpoints for managing resolver jobs and retrieving metrics.
- Defined models for resolver job requests and responses.
- Integrated dependency injection for resolver job services.
- Implemented ImpactIndexSnapshot for persisting impact index data.
- Introduced SignalsScoringOptions for configurable scoring weights in reachability scoring.
- Added unit tests for ReachabilityScoringService and RuntimeFactsIngestionService.
- Created dotnet-filter.sh script to handle command-line arguments for dotnet.
- Established nuget-prime project for managing package downloads.
Here’s a quick, concrete proposal to lock in a stable SBOM model for Stella Ops: use SPDX 3.0.1 as your canonical persistence schema and CycloneDX 1.6 as the interchange “view,” bridged by a deterministic transform.
Why this pairing
- SPDX 3.0.1 gives you a rigorous, profile-based data model (Core, Software, Security, AI, Build, etc.) with explicit Relationship elements and typed RelationshipType values, ideal for long-lived storage and graph queries. (SPDX)
- CycloneDX 1.6 excels at exchange: widely adopted, supports services/SaaSBOM, attestations (CDXA), CBOM (crypto inventory), MLBOM, and more—perfect for producing portable BOMs for customers and regulators. (CycloneDX)
Target architecture (minimal)
- Persistence: Store SBOMs as SPDX 3.0.1 (JSON‑LD/RDF), normalized into your Mongo event‑sourced graph; keep Relationship edges first‑class. (SPDX)
- Interchange: On export, render CycloneDX 1.6 (JSON/XML) including components, services, dependencies, vulnerabilities, and optional CBOM/CDXA blocks. (SBOM Observer)
- Deterministic transform: Define a static mapping table (SPDX→CycloneDX) with sorted collections, UUIDs derived from content (UUIDv5 over a fixed namespace plus the SPDX element id, never random), and normalized strings (Unicode NFC, trimmed whitespace). Pin the serializer as well (key order, whitespace, number and escape formatting) and keep wall-clock timestamps out of the body; otherwise the same graph will not reproduce byte-for-byte across offline sites.
Quick win mapping examples
- SPDX Element + RelationshipType (e.g. dependsOn) → CycloneDX dependencies graph (bom-ref + dependsOn). (SPDX)
- SPDX Security profile findings (Vulnerability + VulnAssessmentRelationship subclasses such as CvssV3VulnAssessmentRelationship) → CycloneDX vulnerabilities entries with ratings and affects. (SPDX)
- SPDX AI/Build profiles → CycloneDX MLBOM + CDXA attestations (build/provenance). (SPDX)
- Crypto materials (keys/algos/policies) held in SPDX extensions or attributes → CycloneDX CBOM on export for policy checks (CNSA/NIST). (CycloneDX)
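What the deterministic transform and the first two mappings (Relationship → dependencies, Security profile → vulnerabilities) look like end to end, as an added Python sketch; it is illustrative code, not Stella Ops' exporter. It assumes a hand-reduced SPDX 3.0.1 JSON-LD @graph as input, with type and property names (software_Package, Relationship, security_Vulnerability, security_CvssV3VulnAssessmentRelationship, security_score, security_vectorString) spelled as I understand the 3.0.1 vocabulary, an arbitrary project-chosen UUIDv5 namespace, and a constructed three-package sample whose CVE id is a placeholder:

```python
"""Deterministic SPDX 3 -> CycloneDX 1.6 export for the mappings above (illustrative,
not Stella Ops code). Input is a hand-reduced SPDX 3.0.1 JSON-LD '@graph'; type and
property spellings follow the 3.0.1 vocabulary as I know it: check against the spec."""
import json
import unicodedata
import uuid

# Assumption: an arbitrary, project-fixed namespace. Same SPDX id -> same bom-ref on
# every site, with no shared state and no random UUIDs.
BOM_NAMESPACE = uuid.UUID("a7f4b0c2-3d1e-4f6a-9b8c-5e2d1c0f9a8b")

def norm(text):
    """NFC-normalise and collapse whitespace so equal strings give equal bytes."""
    return " ".join(unicodedata.normalize("NFC", text).split())

def bom_ref(spdx_id):
    """UUIDv5 of the normalised SPDX element id: the stable CycloneDX bom-ref."""
    return str(uuid.uuid5(BOM_NAMESPACE, norm(spdx_id)))

def canonical_bytes(obj):
    """Sorted keys, no insignificant whitespace, UTF-8: one graph, one byte string."""
    return (json.dumps(obj, sort_keys=True, separators=(",", ":"),
                       ensure_ascii=False) + "\n").encode("utf-8")

def spdx_to_cyclonedx(spdx_doc):
    by_type = {}
    for el in spdx_doc["@graph"]:
        by_type.setdefault(el["type"], []).append(el)

    # software_Package -> components, ordered by (name, version, bom-ref)
    components = sorted(({"type": "library", "bom-ref": bom_ref(p["spdxId"]),
                          "name": norm(p["name"]),
                          "version": norm(p.get("software_packageVersion", ""))}
                         for p in by_type.get("software_Package", [])),
                        key=lambda c: (c["name"], c["version"], c["bom-ref"]))
    known = {c["bom-ref"] for c in components}

    # Relationship(dependsOn) -> dependencies; other relationship types are not edges here
    edges = {ref: set() for ref in known}
    for rel in by_type.get("Relationship", []):
        src = bom_ref(rel["from"])
        if rel["relationshipType"] == "dependsOn" and src in known:
            edges[src].update(bom_ref(t) for t in rel["to"] if bom_ref(t) in known)
    dependencies = [{"ref": c["bom-ref"], "dependsOn": sorted(edges[c["bom-ref"]])}
                    for c in components]

    # Security profile: Vulnerability + CvssV3VulnAssessmentRelationship -> vulnerabilities
    vuln_id = {}
    for v in by_type.get("security_Vulnerability", []):
        cves = [e["identifier"] for e in v.get("externalIdentifier", [])
                if e.get("externalIdentifierType") == "cve"]
        vuln_id[v["spdxId"]] = norm(cves[0] if cves else v["spdxId"])
    vulns = {}
    for a in by_type.get("security_CvssV3VulnAssessmentRelationship", []):
        vid = vuln_id[a["from"]]
        entry = vulns.setdefault(vid, {"id": vid, "ratings": [], "affects": set()})
        entry["ratings"].append({"method": "CVSSv31", "score": a["security_score"],
                                 "severity": a["security_severity"],
                                 "vector": norm(a["security_vectorString"])})
        entry["affects"].update(bom_ref(t) for t in a["to"] if bom_ref(t) in known)
    for entry in vulns.values():
        entry["ratings"].sort(key=lambda r: (r["vector"], r["score"]))
        entry["affects"] = [{"ref": r} for r in sorted(entry["affects"])]

    bom = {"bomFormat": "CycloneDX", "specVersion": "1.6", "version": 1,
           "components": components, "dependencies": dependencies,
           "vulnerabilities": [vulns[k] for k in sorted(vulns)]}
    # serialNumber is a function of the content, so equal graphs get equal URNs
    bom["serialNumber"] = "urn:uuid:" + str(
        uuid.uuid5(BOM_NAMESPACE, canonical_bytes(bom).decode("utf-8")))
    return bom

def export_bytes(spdx_doc):
    """The bytes an offline site would write to disk or sign."""
    return canonical_bytes(spdx_to_cyclonedx(spdx_doc))

# Constructed sample (not a real SBOM; CVE-0000-00001 is a placeholder, not a real CVE).
P = "urn:example:pkg:"
SAMPLE_SPDX = {"@context": "https://spdx.org/rdf/3.0.1/spdx-context.jsonld", "@graph": [
    {"type": "software_Package", "spdxId": P + "app", "name": "app", "software_packageVersion": "1.0.0"},
    {"type": "software_Package", "spdxId": P + "liba", "name": "  libA ", "software_packageVersion": "2.3.1"},
    {"type": "software_Package", "spdxId": P + "libb", "name": "libb", "software_packageVersion": "0.9"},
    {"type": "Relationship", "relationshipType": "dependsOn", "from": P + "app", "to": [P + "libb", P + "liba"]},
    {"type": "Relationship", "relationshipType": "dependsOn", "from": P + "liba", "to": [P + "libb"]},
    {"type": "Relationship", "relationshipType": "contains", "from": P + "app", "to": [P + "liba"]},
    {"type": "security_Vulnerability", "spdxId": "urn:example:vuln:1", "externalIdentifier": [
        {"type": "ExternalIdentifier", "externalIdentifierType": "cve", "identifier": "CVE-0000-00001"}]},
    {"type": "security_CvssV3VulnAssessmentRelationship", "relationshipType": "hasAssessmentFor",
     "from": "urn:example:vuln:1", "to": [P + "libb"], "security_score": 7.5, "security_severity": "high",
     "security_vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}]}

def reordered(doc):
    """Same graph, elements and 'to' lists reversed: must export to identical bytes."""
    graph = [dict(e) for e in reversed(doc["@graph"])]
    for e in graph:
        if "to" in e:
            e["to"] = list(reversed(e["to"]))
    return {"@context": doc["@context"], "@graph": graph}
```

Calling export_bytes(SAMPLE_SPDX) and export_bytes(reordered(SAMPLE_SPDX)) yields identical bytes; the reversed element order and reversed "to" lists are exactly the input drift that breaks a naive exporter. The "contains" relationship is deliberately not emitted as a dependency edge, the "  libA " name collapses to "libA" before sorting, and serialNumber is derived from the canonical body so it is stable as well. In a real exporter the metadata.timestamp must likewise come from the source data (the SPDX CreationInfo value) rather than the wall clock, or two sites will disagree on the last few bytes.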
Governance & standards signal
- SPDX 2.2.1 is already ISO/IEC 5962:2021, and SPDX 3.0.x is being taken through the same OMG/ISO submission path (a good long-term bet for storage). (SPDX Lists)
- CycloneDX 1.6 is the current, actively enhanced interchange standard used across vendors and tooling. (GitHub)
If you want, I’ll draft the exact field‑by‑field mapping table (SPDX profile → CycloneDX section), plus a small .NET 10 library skeleton for the deterministic exporter.