stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity
Files
9ca2de05dff9c7db11eb49df6d4e47bbfe7a99f6
git.stella-ops.org/docs/features/checked/concelier/full-sbom-extraction-with-enriched-parsedsbom-model.md
master 9ca2de05df more features checks. setup improvements
2026-02-13 02:04:55 +02:00

2.7 KiB
Raw Blame History

Full SBOM Extraction with Enriched ParsedSbom Model

Module

Concelier

Status

VERIFIED

Description

Upgraded SBOM parser that extracts ALL fields from CycloneDX 1.7 and SPDX 3.0.1 (not just PURL/CPE). The enriched ParsedSbom model carries full SBOM data including services, crypto properties, ML model metadata, build/formulation info, compositions, vulnerabilities, and dependencies for downstream consumers (Scanner, Policy, etc.).

Implementation Details

  • Modules: src/Concelier/__Libraries/StellaOps.Concelier.SbomIntegration/
  • Key Classes:
    • ParsedSbomParser (src/Concelier/__Libraries/StellaOps.Concelier.SbomIntegration/Parsing/ParsedSbomParser.cs) - full SBOM extraction from CycloneDX 1.7 and SPDX 3.0.1 with enriched model
    • SbomAdvisoryMatcher (src/Concelier/__Libraries/StellaOps.Concelier.SbomIntegration/Matching/SbomAdvisoryMatcher.cs) - matches SBOM components against advisories
  • Interfaces: IParsedSbomParser, ISbomAdvisoryMatcher
  • Source: SPRINT_20260119_015_Concelier_sbom_full_extraction.md

E2E Test Plan

  • Parse a CycloneDX 1.7 SBOM and verify all fields are extracted (components, services, compositions, vulnerabilities, dependencies)
  • Parse an SPDX 3.0.1 SBOM and verify enriched model includes packages, relationships, and annotations
  • Verify crypto properties extraction: SBOM with crypto components has crypto metadata in the ParsedSbom model
  • Verify ML model metadata: SBOM with ML model components has model metadata extracted
  • Verify downstream consumption: pass ParsedSbom to SbomAdvisoryMatcher and verify advisory matching works with enriched fields

Verification

  • Run ID: run-002
  • Date: 2026-02-13
  • Tests: 130 passed, 0 failed (StellaOps.Concelier.SbomIntegration.Tests) - 120 existing + 10 new ParsedSbomParserEdgeCaseTests
  • New Tests Written: 10 ParsedSbomParserEdgeCaseTests covering constructor null guard, null content, unsupported format, invalid JSON, seekable stream reset, CycloneDX/SPDX minimal documents, component without name skipping, bom-ref deduplication, cancellation token
  • Verdict: PASS - CycloneDX 1.7 full extraction (metadata, components, services, compositions, vulnerabilities, dependencies, formulation, declarations, definitions, annotations, signature), SPDX 3.0.1 parsing (packages, relationships, annotations, namespace maps, @graph structure), component evidence extraction (identity confidence, occurrences, callstack), crypto properties (algorithm families, key sizes, primitives), model card extraction (ML metadata), advisory matching (PURL/CPE with 16+ ecosystems), VEX integration (consume, merge, conflict resolution), SPDX license expression validation, and error handling edge cases all verified with behavioral assertions.