git.stella-ops.org/docs/features/unchecked/attestor/sbom-interop-round-trip-testing.md

# SBOM Interop Round-Trip Testing

| Field  | Value       |
|--------|-------------|
| Module | Attestor    |
| Status | IMPLEMENTED |

## Description

SBOM round-trip testing with canonical verification, ensuring that CycloneDX and SPDX outputs can be parsed, re-serialized, and verified for format compliance.

## Implementation Details

- CycloneDX Parser: `src/Attestor/__Libraries/StellaOps.Attestor.StandardPredicates/Parsers/CycloneDxPredicateParser.cs` (with `.ExtractMetadata`, `.ExtractSbom`, `.SerialNumber`, `.Validation`) -- parses CycloneDX BOMs.
- CycloneDX Writer: `Writers/CycloneDxWriter.cs` (with 50+ partials) -- writes CycloneDX BOMs from the internal model.
- SPDX Parser: `Parsers/SpdxPredicateParser.cs` (with `.ExtractMetadata`, `.ExtractSbom`, `.Validation`) -- parses SPDX documents.
- SPDX Writer: `Writers/SpdxWriter.cs` (with 40+ partials) -- writes SPDX 3.0.1 documents from the internal model.
- SBOM Canonicalizer: `Canonicalization/SbomCanonicalizer.Elements.cs` -- deterministic element ordering for canonical comparison.
- SBOM Models: `Models/SbomDocument.cs` (with `.Collections`) -- internal SBOM document model bridging parse and write.
- CycloneDX Validation: `Writers/CycloneDxWriter.Validation.cs` -- validates written CycloneDX against the schema.
- SPDX Validation: `Parsers/SpdxPredicateParser.Validation.cs` -- validates SPDX compliance.
- Tests: `__Tests/StellaOps.Attestor.StandardPredicates.Tests/RoundTripTests.cs`

## E2E Test Plan

- Round-trip CycloneDX: parse a CycloneDX 1.6 BOM, write it back via `CycloneDxWriter`, re-parse, and verify semantic equivalence.
- Round-trip SPDX: parse an SPDX 3.0.1 document, write it back via `SpdxWriter`, re-parse, and verify semantic equivalence.
- Canonicalize both round-trip outputs via `SbomCanonicalizer` and verify that the canonical forms match.
- Round-trip complex CycloneDX features: crypto, formulation, declarations, attestation maps.
- Round-trip complex SPDX features: AI packages, dataset packages, build profiles, assessments.
- Validate the written CycloneDX output via `CycloneDxWriter.Validation` and verify schema compliance.
- Validate the written SPDX output via `SpdxPredicateParser.Validation` and verify format compliance.
- Cross-format interop: parse CycloneDX, convert to the internal model, write as SPDX, and verify that key data (components, licenses) is preserved.
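The CycloneDX round-trip, validation and canonical-comparison steps of the plan above, shown as an added Python example that is not part of the StellaOps Attestor code base (the real parser, writer and canonicalizer are C# partial classes in the files listed under Implementation Details). The internal model here carries only name, version, purl and SPDX license ids, the validation covers only a hand-picked subset of the CycloneDX 1.6 schema, the component sort key is an assumption, and the sample BOM is constructed for the example. Two copies of the sample with the components in different order are used to show why the plan compares canonical forms rather than raw JSON:

```python
"""Added example: CycloneDX 1.6 parse -> write -> validate -> re-parse -> canonical compare.
Hypothetical stand-ins for the Attestor parser, writer and canonicalizer; not project code."""
import json
from dataclasses import dataclass


@dataclass(frozen=True)
class Component:
    name: str
    version: str
    purl: str
    licenses: tuple  # sorted SPDX license ids, e.g. ("MIT",)


@dataclass
class SbomDocument:
    """Internal model bridging parse and write (assumption: only these fields)."""
    serial_number: str
    components: list


def validate_cyclonedx(data: dict) -> list:
    """Format checks standing in for schema validation; returns a list of error strings."""
    errors = []
    if data.get("bomFormat") != "CycloneDX":
        errors.append("bomFormat must be 'CycloneDX'")
    if data.get("specVersion") != "1.6":
        errors.append("specVersion must be '1.6'")
    for i, comp in enumerate(data.get("components", [])):
        for key in ("type", "name"):  # required per component in the CycloneDX schema
            if key not in comp:
                errors.append(f"components[{i}] is missing '{key}'")
    return errors


def parse_cyclonedx(text: str) -> SbomDocument:
    """Parse CycloneDX JSON into the internal model; reject non-compliant input."""
    data = json.loads(text)
    errors = validate_cyclonedx(data)
    if errors:
        raise ValueError("invalid CycloneDX BOM: " + "; ".join(errors))
    components = []
    for comp in data.get("components", []):
        ids = sorted(entry["license"]["id"] for entry in comp.get("licenses", [])
                     if "id" in entry.get("license", {}))
        components.append(Component(comp["name"], comp.get("version", ""),
                                    comp.get("purl", ""), tuple(ids)))
    return SbomDocument(data.get("serialNumber", ""), components)


def write_cyclonedx(doc: SbomDocument) -> str:
    """Serialize the internal model back to CycloneDX 1.6 JSON."""
    data = {"bomFormat": "CycloneDX", "specVersion": "1.6", "version": 1,
            "serialNumber": doc.serial_number,
            "components": [{"type": "library", "name": c.name, "version": c.version,
                            "purl": c.purl,
                            "licenses": [{"license": {"id": lic}} for lic in c.licenses]}
                           for c in doc.components]}
    return json.dumps(data, indent=2)


def canonicalize(doc: SbomDocument) -> str:
    """Canonical form: deterministic component order (assumed key: purl, name, version),
    sorted keys, no whitespace. Documents differing only in element order match."""
    ordered = sorted(doc.components, key=lambda c: (c.purl, c.name, c.version))
    canon = {"serialNumber": doc.serial_number,
             "components": [{"name": c.name, "version": c.version, "purl": c.purl,
                             "licenses": list(c.licenses)} for c in ordered]}
    return json.dumps(canon, sort_keys=True, separators=(",", ":"))


def round_trip_cyclonedx(text: str) -> bool:
    """Parse, write, validate the written BOM, re-parse, then compare canonical forms."""
    original = parse_cyclonedx(text)
    written = write_cyclonedx(original)
    if validate_cyclonedx(json.loads(written)):
        return False  # the writer emitted a non-compliant BOM
    return canonicalize(original) == canonicalize(parse_cyclonedx(written))


# Constructed sample BOM (not any real project's SBOM). SHUFFLED_BOM lists the same
# components in reverse order: raw JSON differs, canonical forms must not.
_COMPONENTS = [
    {"type": "library", "name": "zlib", "version": "1.3.1",
     "purl": "pkg:generic/zlib@1.3.1", "licenses": [{"license": {"id": "Zlib"}}]},
    {"type": "library", "name": "openssl", "version": "3.0.13",
     "purl": "pkg:generic/openssl@3.0.13", "licenses": [{"license": {"id": "Apache-2.0"}}]},
]
_SERIAL = "urn:uuid:00000000-0000-4000-8000-000000000001"  # constructed placeholder


def _bom(components):
    return json.dumps({"bomFormat": "CycloneDX", "specVersion": "1.6", "version": 1,
                       "serialNumber": _SERIAL, "components": components})


SAMPLE_BOM = _bom(_COMPONENTS)
SHUFFLED_BOM = _bom(list(reversed(_COMPONENTS)))

if __name__ == "__main__":
    print("round trip ok:", round_trip_cyclonedx(SAMPLE_BOM))
    print("canonical forms match:",
          canonicalize(parse_cyclonedx(SAMPLE_BOM)) == canonicalize(parse_cyclonedx(SHUFFLED_BOM)))
```

The check that matters is the last one: a byte-for-byte comparison of `SAMPLE_BOM` against `SHUFFLED_BOM` fails even though they describe the same software, while the canonical forms agree. That is the same reason the plan routes both round-trip outputs through `SbomCanonicalizer` before comparing them, and why a writer that reorders elements is acceptable as long as it does not drop or alter them.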