git.stella-ops.org/docs/features/unchecked/attestor/cross-attestation-chain-linking.md

# Cross-Attestation Chain Linking (SBOM -> VEX -> Policy)

**Module:** Attestor

**Status:** IMPLEMENTED

## Description

Cross-attestation linking via in-toto layout references with link types (DependsOn/Supersedes/Aggregates), DAG validation with cycle detection, chain query API (GET /attestations?chain=true, upstream/downstream traversal with depth limit), and chain visualization endpoint supporting Mermaid/DOT/JSON formats.

## Implementation Details

- Attestation Chain Builder: src/Attestor/StellaOps.Attestor/StellaOps.Attestor.Core/Chain/AttestationChainBuilder.cs -- builds attestation chains from link references.
- Attestation Chain Validator: Chain/AttestationChainValidator.cs -- validates chain integrity, including DAG validation and cycle detection.
- Attestation Link: Chain/AttestationLink.cs -- represents a link between two attestations together with its link type.
- Attestation Link Resolver: Chain/AttestationLinkResolver.cs -- implements IAttestationLinkResolver; resolves upstream/downstream links with depth limits.
- In-Memory Link Store: Chain/InMemoryAttestationLinkStore.cs -- in-memory storage for attestation links.
- Chain Model: Chain/AttestationChain.cs -- full chain model for traversal.
- In-Toto Materials: Chain/InTotoStatementMaterials.cs -- material references in in-toto statements used for cross-linking.
- Chain Query Service: StellaOps.Attestor.WebService/Services/ChainQueryService.cs, IChainQueryService.cs -- API service for chain queries.
- Chain API: WebService/Controllers/ChainController.cs -- REST endpoints for chain traversal and visualization; WebService/Models/ChainApiModels.cs -- API models.
- Tests: StellaOps.Attestor.Core.Tests/Chain/AttestationChainBuilderTests.cs, AttestationChainValidatorTests.cs, AttestationLinkResolverTests.cs, ChainResolverDirectionalTests.cs, InMemoryAttestationLinkStoreTests.cs

## E2E Test Plan

- Build an attestation chain SBOM -> VEX -> Policy via AttestationChainBuilder with DependsOn links and verify the chain connects all three
- Validate the chain via AttestationChainValidator and verify DAG validation passes (no cycles)
- Create a circular chain (A -> B -> C -> A) and verify AttestationChainValidator detects the cycle
- Resolve upstream links from a Policy attestation via AttestationLinkResolver with depth limit 2 and verify VEX and SBOM are returned
- Resolve downstream links from an SBOM attestation and verify VEX and Policy are returned
- Query the chain via the ChainController GET endpoint with chain=true and verify the response contains the full chain
- Request chain visualization in Mermaid format and verify valid Mermaid diagram output
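The following is an added, self-contained C# example that walks through the mechanics the Description and the E2E Test Plan above rely on: typed DependsOn links, DAG validation with cycle detection, upstream/downstream resolution under a depth limit, and Mermaid rendering. It is illustration code written for this page, not the StellaOps.Attestor implementation; the `AttestationLink` record, `LinkType` enum and `ChainDemo` methods are hypothetical stand-ins for the project's `AttestationLink`, `AttestationChainValidator`, `AttestationLinkResolver` and visualization endpoint, and the SBOM/VEX/Policy and A/B/C chains are constructed sample data.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;

// Hypothetical link types mirroring the ones named on the page.
enum LinkType { DependsOn, Supersedes, Aggregates }

// A directed edge Source -> Target, e.g. "VEX DependsOn SBOM" (constructed type, not the project's).
record AttestationLink(string Source, string Target, LinkType Type);

static class ChainDemo
{
    // DFS with three-colour marking: a back edge to a node still on the stack means a cycle.
    static bool HasCycle(IReadOnlyList<AttestationLink> links)
    {
        var adj = links.ToLookup(l => l.Source, l => l.Target);
        var state = new Dictionary<string, int>(); // 0 = unvisited, 1 = on stack, 2 = finished
        bool Visit(string n)
        {
            if (state.TryGetValue(n, out var s)) return s == 1;
            state[n] = 1;
            foreach (var m in adj[n]) if (Visit(m)) return true;
            state[n] = 2;
            return false;
        }
        var nodes = links.SelectMany(l => new[] { l.Source, l.Target }).Distinct();
        return nodes.Any(Visit);
    }

    // Breadth-first traversal bounded by maxDepth hops.
    // upstream = follow what `start` depends on (Source -> Target);
    // downstream = follow who depends on `start` (Target -> Source).
    // The `seen` set makes the walk terminate even if the graph is cyclic.
    static IReadOnlyList<string> Resolve(IReadOnlyList<AttestationLink> links, string start, bool upstream, int maxDepth)
    {
        var next = upstream
            ? links.ToLookup(l => l.Source, l => l.Target)
            : links.ToLookup(l => l.Target, l => l.Source);
        var seen = new HashSet<string> { start };
        var result = new List<string>();
        var frontier = new Queue<(string Node, int Depth)>();
        frontier.Enqueue((start, 0));
        while (frontier.Count > 0)
        {
            var (node, depth) = frontier.Dequeue();
            if (depth == maxDepth) continue; // do not expand beyond the depth limit
            foreach (var n in next[node])
                if (seen.Add(n)) { result.Add(n); frontier.Enqueue((n, depth + 1)); }
        }
        return result;
    }

    // Render the link set as a Mermaid flowchart, labelling each edge with its link type.
    static string ToMermaid(IReadOnlyList<AttestationLink> links)
    {
        var sb = new StringBuilder("graph LR\n");
        foreach (var l in links)
            sb.Append("  ").Append(l.Source).Append(" -->|").Append(l.Type).Append("| ").Append(l.Target).Append('\n');
        return sb.ToString();
    }

    static void Main()
    {
        // Constructed sample chain: Policy depends on VEX, VEX depends on SBOM.
        var chain = new List<AttestationLink>
        {
            new("VEX", "SBOM", LinkType.DependsOn),
            new("Policy", "VEX", LinkType.DependsOn),
        };
        Console.WriteLine($"cycle in SBOM->VEX->Policy chain: {HasCycle(chain)}");
        Console.WriteLine("upstream of Policy (depth 2): " +
            string.Join(", ", Resolve(chain, "Policy", upstream: true, maxDepth: 2)));
        Console.WriteLine("downstream of SBOM: " +
            string.Join(", ", Resolve(chain, "SBOM", upstream: false, maxDepth: 10)));
        Console.Write(ToMermaid(chain));

        // Constructed circular chain A -> B -> C -> A, which validation must reject.
        var cyclic = new List<AttestationLink>
        {
            new("A", "B", LinkType.DependsOn),
            new("B", "C", LinkType.DependsOn),
            new("C", "A", LinkType.DependsOn),
        };
        Console.WriteLine($"cycle in A->B->C->A: {HasCycle(cyclic)}");
    }
}
```

Two design points carry over to any real link resolver: cycle detection and traversal are separate concerns, so the resolver keeps its own visited set and never relies on the validator having run first, and the depth limit is applied when a node is dequeued rather than when it is discovered, so a node exactly at the limit is still returned but its own links are not followed.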