git.stella-ops.org/docs/features/unchecked/attestor/sbom-ledger-lineage.md

# SBOM Ledger + Lineage (Moat Score 3)

**Module:** Attestor

**Status:** IMPLEMENTED

**Description:** Versioned SBOM storage with advisory and feed snapshot repositories, plus comprehensive SBOM parsing and writing for multiple formats.

## Implementation Details

- SBOM Persistence: src/Attestor/__Libraries/StellaOps.Attestor.Persistence/Entities/SbomEntryEntity.cs -- persisted SBOM entry with version, format, digest, and tenant_id for versioned storage.
- SBOM Linkage Statement: __Libraries/StellaOps.Attestor.ProofChain/Statements/SbomLinkageStatement.cs -- in-toto statement linking SBOM versions to evidence chains.
- SBOM Linkage Payload: Statements/SbomLinkagePayload.cs -- payload containing the SBOM descriptor, generator info, and linkage data.
- SBOM Descriptor: Statements/SbomDescriptor.cs -- descriptor with format (CycloneDX/SPDX), spec version, and content digest.
- Generator Descriptor: Statements/GeneratorDescriptor.cs -- metadata about the tool that generated the SBOM.
- CycloneDX Parser/Writer: __Libraries/StellaOps.Attestor.StandardPredicates/Parsers/CycloneDxPredicateParser.cs, Writers/CycloneDxWriter.cs -- full CycloneDX support.
- SPDX Parser/Writer: Parsers/SpdxPredicateParser.cs, Writers/SpdxWriter.cs -- full SPDX support.
- Verdict Ledger: __Libraries/StellaOps.Attestor.VerdictLedger/VerdictLedgerService.cs -- append-only ledger tracking SBOM-based verdicts over time.
- Repository: __Libraries/StellaOps.Attestor.Persistence/Repositories/IProofChainRepository.cs -- repository for SBOM entries.
- Tests: __Tests/StellaOps.Attestor.Persistence.Tests/SbomEntryTests.cs

## E2E Test Plan

- Persist an SBOM version via SbomEntryEntity and verify retrieval by digest and version
- Store multiple SBOM versions for the same image and verify version lineage (v1 -> v2 -> v3)
- Create an SbomLinkageStatement linking an SBOM version to its evidence chain and verify the linkage
- Verify SbomDescriptor correctly identifies format and spec version for both CycloneDX and SPDX
- Verify GeneratorDescriptor captures the tool name, version, and generation timestamp
- Record an SBOM-based verdict via VerdictLedgerService and verify the ledger entry links to the SBOM version
- Query SBOM entries by tenant_id and verify tenant isolation
- Verify SBOM lineage: given an image digest, retrieve all SBOM versions in chronological order
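The following is an added illustration of the behaviours the implementation list and test plan above describe (versioned, tenant-scoped, append-only SBOM entries and an in-toto statement linking one version to its predecessor). It is hypothetical Python written for this page, not the StellaOps C# code; the class names, the `sbom:<image>:v<n>` subject naming, and the `predicateType` URI are assumptions.

```python
import hashlib
from dataclasses import dataclass

# Hypothetical stand-in for the page's SbomEntryEntity (not StellaOps code).
@dataclass(frozen=True)
class SbomEntry:
    tenant_id: str
    image_digest: str    # digest of the image the SBOM describes
    version: int         # 1, 2, 3 ... per (tenant, image) lineage
    fmt: str             # "CycloneDX" or "SPDX"
    spec_version: str
    content_digest: str  # sha256 of the SBOM document bytes

class SbomLedger:
    """Append-only, tenant-scoped SBOM store; versions are numbered per image."""
    def __init__(self):
        self._entries = []

    def persist(self, tenant_id, image_digest, fmt, spec_version, sbom_bytes):
        version = len(self.lineage(tenant_id, image_digest)) + 1
        entry = SbomEntry(tenant_id, image_digest, version, fmt, spec_version,
                          hashlib.sha256(sbom_bytes).hexdigest())
        self._entries.append(entry)  # entries are appended, never rewritten
        return entry

    def lineage(self, tenant_id, image_digest):
        # Insertion order is chronological, so the result reads v1 -> v2 -> v3.
        return [e for e in self._entries
                if e.tenant_id == tenant_id and e.image_digest == image_digest]

    def by_digest(self, tenant_id, content_digest):
        # tenant_id is part of every lookup key, so tenants cannot see each other's entries.
        return next((e for e in self._entries
                     if e.tenant_id == tenant_id and e.content_digest == content_digest), None)

def linkage_statement(entry, predecessor, generator):
    """in-toto v1 Statement binding one SBOM version to its predecessor and generator.
    The predicateType URI is a placeholder, not the project's real predicate type."""
    return {
        "_type": "https://in-toto.io/Statement/v1",
        "subject": [{"name": f"sbom:{entry.image_digest}:v{entry.version}",
                     "digest": {"sha256": entry.content_digest}}],
        "predicateType": "https://example.invalid/sbom-linkage/v1",
        "predicate": {
            "sbom": {"format": entry.fmt, "specVersion": entry.spec_version, "digest": {"sha256": entry.content_digest}},
            "generator": generator,
            "predecessor": {"sha256": predecessor.content_digest} if predecessor else None,
        },
    }
```

A verifier that walks the statements checks that each `predecessor` digest equals the `subject` digest of the previous version, which is what makes the v1 -> v2 -> v3 chain tamper-evident rather than just ordered.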