# Layer-Aware SBOM Diff Engine

## Module

Scanner

## Status

IMPLEMENTED

## Description

Extension of the SBOM diff engine with layer attribution, tracking which container layer (by diffID) introduced each component change. Enables "blame" queries to identify which layer introduced a specific vulnerability. While "SBOM Delta / Component Diffing" exists in known features, layer-attributed diffing with per-layer blame is a distinct capability.

## Implementation Details

- **SBOM Diff Engine**:
  - `src/Scanner/__Libraries/StellaOps.Scanner.Emit/Lineage/SbomDiffEngine.cs` - `SbomDiffEngine` performs SBOM-level diffing with layer attribution, tracking which container layer (by diffID) introduced each component change
  - `src/Scanner/__Libraries/StellaOps.Scanner.Emit/Lineage/SbomDiff.cs` - `SbomDiff` model representing component changes with layer attribution
- **Lineage Infrastructure**:
  - `src/Scanner/__Libraries/StellaOps.Scanner.Emit/Lineage/SbomLineage.cs` - `SbomLineage` tracks the history of SBOMs across image versions for lineage-based diff
  - `src/Scanner/__Libraries/StellaOps.Scanner.Emit/Lineage/ISbomStore.cs` - `ISbomStore` interface for SBOM storage used by lineage tracking
  - `src/Scanner/__Libraries/StellaOps.Scanner.Emit/Lineage/RebuildProof.cs` - `RebuildProof` for reproducible rebuild verification
- **Component Diffing**:
  - `src/Scanner/__Libraries/StellaOps.Scanner.Diff/ComponentDiffer.cs` - `ComponentDiffer` performs component-level diff analysis
  - `src/Scanner/__Libraries/StellaOps.Scanner.Diff/ComponentDiffModels.cs` - Models for component diff results
- **Delta Layer Integration**:
  - `src/Scanner/__Libraries/StellaOps.Scanner.Delta/DeltaLayerScanner.cs` - `DeltaLayerScanner` scans individual layers for delta analysis

## E2E Test Plan

- [ ] Scan two versions of a container image and verify the SBOM diff engine produces a layer-attributed diff showing which layer introduced each change
- [ ] Verify added components are attributed to the specific layer (by diffID) that introduced them
- [ ] Verify removed components are attributed to the layer where they were present in the previous image
- [ ] Run a "blame" query for a specific vulnerable component and verify it returns the layer that introduced it
- [ ] Verify lineage tracking correctly associates multiple image versions for historical diff analysis
- [ ] Verify the diff engine handles base image layer changes separately from application layer changes
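The following is an added illustration of the layer-attributed diff and blame behaviour that the Description and the E2E Test Plan above describe. It is not StellaOps code and does not reproduce `SbomDiffEngine`; it is a small Python model written for this page. The data model (`Component`, `Layer`, `Change`), the function names, the `base_depth` parameter (assumed to come from build metadata that says how many leading layers belong to the base image) and the two sample images with their `sha256:` diffIDs are all constructed for the example. It covers the three attribution cases from the test plan (added, removed, version change), a per-image blame query, and the base-versus-application split.

```python
"""Layer-attributed SBOM diff with per-layer blame (added example, not StellaOps code).

Model: an image is an ordered list of layers; each layer carries the components whose
files first appear in that layer. Applying layers in order gives the image's resolved
component set, and every resolved component remembers the diffID that last set it.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Component:
    purl: str        # package URL without the version qualifier, e.g. "pkg:deb/debian/openssl"
    version: str


@dataclass(frozen=True)
class Layer:
    diff_id: str               # digest of the uncompressed layer tarball (OCI diffID)
    components: frozenset      # Components first observed in this layer's filesystem delta


@dataclass(frozen=True)
class Change:
    kind: str                  # "added" | "removed" | "changed"
    purl: str
    old_version: Optional[str]
    new_version: Optional[str]
    blame_diff_id: str         # layer that explains the change (new image for added/changed, old image for removed)
    scope: str                 # "base" if the blamed layer lies inside the base image, else "app"


def resolve(layers: List[Layer]) -> Dict[str, Tuple[str, str]]:
    """Apply layers in order; a later layer overrides an earlier one for the same purl.
    Returns purl -> (version, diffID of the layer that last set it)."""
    state: Dict[str, Tuple[str, str]] = {}
    for layer in layers:
        for comp in layer.components:
            state[comp.purl] = (comp.version, layer.diff_id)
    return state


def blame_layer(layers: List[Layer], purl: str) -> Optional[str]:
    """Blame query inside one image: which diffID introduced the resolved version of purl?"""
    entry = resolve(layers).get(purl)
    return entry[1] if entry else None


def diff_sboms(old_layers: List[Layer], new_layers: List[Layer], base_depth: int = 0) -> List[Change]:
    """Layer-attributed diff of two images. base_depth = number of leading layers that
    belong to the base image (assumed known from build metadata)."""
    old, new = resolve(old_layers), resolve(new_layers)
    old_index = {layer.diff_id: i for i, layer in enumerate(old_layers)}
    new_index = {layer.diff_id: i for i, layer in enumerate(new_layers)}

    def scope(diff_id: str, index: Dict[str, int]) -> str:
        return "base" if index[diff_id] < base_depth else "app"

    changes: List[Change] = []
    for purl in sorted(set(old) | set(new)):       # deterministic output order
        if purl not in old:                         # added: blame the new-image layer that set it
            ver, lid = new[purl]
            changes.append(Change("added", purl, None, ver, lid, scope(lid, new_index)))
        elif purl not in new:                       # removed: blame the old-image layer that held it
            ver, lid = old[purl]
            changes.append(Change("removed", purl, ver, None, lid, scope(lid, old_index)))
        else:                                       # present in both: report only version changes
            (old_ver, _), (new_ver, new_lid) = old[purl], new[purl]
            if old_ver != new_ver:
                changes.append(Change("changed", purl, old_ver, new_ver, new_lid, scope(new_lid, new_index)))
    return changes


# Constructed sample images (diffIDs are placeholders, not real digests).
BASE_V1 = Layer("sha256:base-v1-placeholder", frozenset({
    Component("pkg:deb/debian/openssl", "3.0.11"), Component("pkg:deb/debian/libc6", "2.36")}))
APP_V1 = Layer("sha256:app-v1-placeholder", frozenset({
    Component("pkg:pypi/requests", "2.31.0"), Component("pkg:pypi/urllib3", "1.26.18")}))
BASE_V2 = Layer("sha256:base-v2-placeholder", frozenset({
    Component("pkg:deb/debian/openssl", "3.0.13"), Component("pkg:deb/debian/libc6", "2.36")}))
APP_V2 = Layer("sha256:app-v2-placeholder", frozenset({
    Component("pkg:pypi/requests", "2.32.3"), Component("pkg:pypi/certifi", "2024.7.4")}))

OLD_IMAGE = [BASE_V1, APP_V1]   # one base layer followed by one application layer
NEW_IMAGE = [BASE_V2, APP_V2]


if __name__ == "__main__":
    for change in diff_sboms(OLD_IMAGE, NEW_IMAGE, base_depth=1):
        print(f"{change.kind:8} {change.purl:28} {change.old_version} -> {change.new_version}"
              f"  blame={change.blame_diff_id} ({change.scope})")
    print("openssl in new image introduced by:", blame_layer(NEW_IMAGE, "pkg:deb/debian/openssl"))
```

With the sample images, the openssl upgrade is blamed on the new base layer and tagged `base`, the `certifi` addition and `requests` upgrade on the new application layer, and the `urllib3` removal on the old application layer where it last existed; `libc6` is unchanged and produces no record. Keying components by version-less purl is what makes an upgrade show up as one `changed` record rather than an unrelated add plus remove.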