Signed SBOM Archive Format (SignedSbomArchiveBuilder)
Module
Scanner
Status
IMPLEMENTED
Description
Service that builds signed SBOM archive bundles (a tar.gz containing the SBOM document, its DSSE envelope with signature, and the Rekor transparency log receipt) for offline transfer and verification in air-gapped environments using only the archive contents.
Implementation Details
- Archive Builder:
src/Scanner/StellaOps.Scanner.WebService/Services/SignedSbomArchiveBuilder.cs - SignedSbomArchiveBuilder builds tar.gz archives containing the SBOM document, the DSSE envelope with its signature, and the Rekor transparency log receipt for offline verification
- Export Endpoint:
src/Scanner/StellaOps.Scanner.WebService/Endpoints/ExportEndpoints.cs - Export endpoints providing download of signed SBOM archives
- Tests:
src/Scanner/__Tests/StellaOps.Scanner.WebService.Tests/SignedSbomArchiveBuilderTests.cs - Unit tests for archive building and content verification
E2E Test Plan
- Build a signed SBOM archive for a scan result and verify the tar.gz contains the SBOM document, the DSSE envelope, and the Rekor receipt
- Extract the archive and verify the DSSE envelope signature validates against the signer's public key, and that the SBOM document in the archive is byte-for-byte the envelope's signed payload
- Verify the Rekor receipt in the archive matches the transparency log entry for that envelope
- Transfer the archive to an air-gapped environment and verify offline verification succeeds using only the archive contents and the pinned verification keys
- Verify the archive format is deterministic (same inputs produce byte-identical archives; tar member metadata and the gzip header timestamp must be fixed values rather than taken from the clock)
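The archive layout and offline check described above, as an added Python example that is not StellaOps code and does not reflect the real SignedSbomArchiveBuilder implementation: it packs the three members into a byte-reproducible tar.gz, signs the SBOM as a DSSE envelope, and verifies everything from the archive bytes alone. HMAC-SHA256 stands in for the asymmetric signature a real signer would produce (the Python standard library has no Ed25519/ECDSA), the Rekor receipt is a constructed, simplified stand-in that only binds to the envelope digest, and the member names, CycloneDX media type, and receipt fields are assumptions.

```python
"""Deterministic signed-SBOM archive: build and offline verification.

Added illustration only, not StellaOps code.  HMAC-SHA256 stands in for
the asymmetric DSSE signature a real signer would produce, and the Rekor
receipt is a constructed, simplified stand-in (a real entry also carries
an inclusion proof and signed entry timestamp that must be checked against
the log's public key).  Member names and receipt fields are assumptions.
"""
import base64
import gzip
import hashlib
import hmac
import io
import json
import tarfile

PAYLOAD_TYPE = "application/vnd.cyclonedx+json"                   # assumed SBOM media type
MEMBERS = ("sbom.json", "sbom.dsse.json", "rekor-receipt.json")   # assumed member names


def canon(obj) -> bytes:
    """Canonical JSON so identical inputs always give identical bytes."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def pae(payload_type: str, payload: bytes) -> bytes:
    """DSSE pre-authentication encoding: the bytes that are actually signed."""
    t = payload_type.encode()
    return b"DSSEv1 %d %s %d " % (len(t), t, len(payload)) + payload


def dsse_sign(payload: bytes, key: bytes, keyid: str) -> dict:
    """DSSE envelope; HMAC is a stand-in for the real asymmetric signature."""
    sig = hmac.new(key, pae(PAYLOAD_TYPE, payload), hashlib.sha256).digest()
    return {"payloadType": PAYLOAD_TYPE,
            "payload": base64.b64encode(payload).decode(),
            "signatures": [{"keyid": keyid, "sig": base64.b64encode(sig).decode()}]}


def constructed_receipt(envelope: bytes) -> dict:
    """Constructed stand-in for the Rekor entry, bound to the envelope bytes."""
    return {"logIndex": 0, "integratedTime": 0, "logID": "constructed",
            "envelopeSha256": hashlib.sha256(envelope).hexdigest()}


def pack_archive(members: dict) -> bytes:
    """tar.gz with every clock-derived field pinned, so output is byte-identical."""
    tar_buf = io.BytesIO()
    with tarfile.open(fileobj=tar_buf, mode="w", format=tarfile.PAX_FORMAT) as tar:
        for name in sorted(members):            # fixed member order
            data = members[name]
            info = tarfile.TarInfo(name)
            info.size = len(data)
            info.mtime = 0                      # not the wall clock
            info.uid = info.gid = 0
            info.uname = info.gname = ""
            info.mode = 0o644
            tar.addfile(info, io.BytesIO(data))
    out = io.BytesIO()
    # The gzip header carries its own timestamp; pin it to 0 as well.
    with gzip.GzipFile(fileobj=out, mode="wb", mtime=0) as gz:
        gz.write(tar_buf.getvalue())
    return out.getvalue()


def read_members(archive: bytes) -> dict:
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r:gz") as tar:
        return {m.name: tar.extractfile(m).read() for m in tar if m.isfile()}


def build_signed_archive(sbom: dict, key: bytes, keyid: str) -> bytes:
    payload = canon(sbom)
    envelope = canon(dsse_sign(payload, key, keyid))
    receipt = canon(constructed_receipt(envelope))
    return pack_archive(dict(zip(MEMBERS, (payload, envelope, receipt))))


def verify_archive(archive: bytes, key: bytes) -> dict:
    """Offline check using only the archive contents plus the verifier's key."""
    m = read_members(archive)
    env = json.loads(m["sbom.dsse.json"])
    payload = base64.b64decode(env["payload"])
    # The signature covers the envelope payload, not the loose file: make sure
    # the SBOM a reader would open is exactly what was signed.
    if payload != m["sbom.json"]:
        raise ValueError("sbom.json does not match the signed payload")
    expected = hmac.new(key, pae(env["payloadType"], payload), hashlib.sha256).digest()
    given = base64.b64decode(env["signatures"][0]["sig"])
    if not hmac.compare_digest(given, expected):
        raise ValueError("DSSE signature does not verify")
    receipt = json.loads(m["rekor-receipt.json"])
    if receipt["envelopeSha256"] != hashlib.sha256(m["sbom.dsse.json"]).hexdigest():
        raise ValueError("Rekor receipt does not match the envelope in the archive")
    return json.loads(payload)


def is_valid(archive: bytes, key: bytes) -> bool:
    try:
        verify_archive(archive, key)
        return True
    except (ValueError, KeyError):
        return False
```

Two points this makes concrete: the DSSE signature is computed over the PAE string, not over the raw SBOM file, so a verifier must both recompute the PAE and confirm the loose SBOM member equals the envelope payload; and byte-identical output requires pinning the tar member metadata and the gzip header time, which is why the gzip layer is written separately here rather than through tarfile's combined "w:gz" mode.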