git.stella-ops.org/docs/features/unchecked/attestor/sbom-linkage-statement.md


# SBOM Linkage Statement (in-toto predicate)

**Module:** Attestor

**Status:** IMPLEMENTED

## Description

SBOM linkage statement model with SBOM descriptor (format, spec version, digest), generator info, incomplete subjects tracking, and tags for tenant/project/pipeline.

## Implementation Details

- **SBOM Linkage Statement:** `src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Statements/SbomLinkageStatement.cs` -- in-toto statement wrapping the SBOM linkage predicate.
- **SBOM Linkage Payload:** `Statements/SbomLinkagePayload.cs` -- payload containing the SBOM descriptor, generator info, incomplete subjects, and tags.
- **SBOM Descriptor:** `Statements/SbomDescriptor.cs` -- descriptor with format (CycloneDX 1.6, SPDX 3.0.1), spec version, and content digest.
- **Generator Descriptor:** `Statements/GeneratorDescriptor.cs` -- metadata about the SBOM generation tool (name, version, timestamp).
- **Incomplete Subject:** `Statements/IncompleteSubject.cs` -- tracks subjects that could not be fully resolved during SBOM generation (missing digests, unresolved PURLs).
- **Statement Builder:** `Builders/StatementBuilder.cs` (with `.Extended`) -- builds SBOM linkage statements with proper subject bindings.
- **Proof Subject:** `Builders/ProofSubject.cs` -- subject with name and digest map for the SBOM linkage.
- **DSSE Signing:** `Signing/ProofChainSigner.cs` -- signs SBOM linkage statements.
- **Tests:** `__Tests/StellaOps.Attestor.ProofChain.Tests/SbomLinkageTests.cs`

## E2E Test Plan

- Create an `SbomLinkageStatement` with a CycloneDX SBOM descriptor and verify the statement structure
- Verify `SbomDescriptor` captures `format="CycloneDX"`, `specVersion="1.6"`, and the SHA-256 digest of the SBOM document
- Verify `GeneratorDescriptor` captures the tool name, version, and generation timestamp
- Add `IncompleteSubject` entries for unresolved components and verify they are tracked in the payload
- Build the statement via `StatementBuilder` with subject bindings and verify the in-toto subject list
- Sign the SBOM linkage statement into a DSSE envelope and verify the signature
- Add tags (tenant, project, pipeline) to the payload and verify they are present in the signed statement
- Create an SPDX linkage statement and verify the format field is `"SPDX"` with `specVersion="3.0.1"`
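The following is an added example that walks the implementation details and the test plan above end to end: it assembles an in-toto v1 statement carrying the linkage predicate (SBOM descriptor, generator, incomplete subjects, tags), wraps it in a DSSE envelope, and verifies the envelope before trusting its contents. It is not the StellaOps Attestor C# code; the predicate type URI, the JSON field names and the sample SBOM and digests are assumptions constructed for this illustration, and an HMAC-SHA256 stand-in replaces the project's asymmetric `ProofChainSigner` so the block runs with the Python standard library alone.

```python
"""Build, DSSE-sign and verify an SBOM linkage statement (added example,
not StellaOps code).  Field names, predicate type and sample data are
assumptions; HMAC-SHA256 stands in for an asymmetric DSSE signer."""
import base64
import hashlib
import hmac
import json

STATEMENT_TYPE = "https://in-toto.io/Statement/v1"
PAYLOAD_TYPE = "application/vnd.in-toto+json"
# Assumed predicate type URI; not taken from the project.
PREDICATE_TYPE = "https://example.invalid/sbom-linkage/v1"

# Constructed sample inputs (a minimal CycloneDX document and a fake image digest).
SBOM_BYTES = b'{"bomFormat":"CycloneDX","specVersion":"1.6","components":[]}'
IMAGE_DIGEST = hashlib.sha256(b"constructed-image-manifest").hexdigest()
SIGNING_KEY = b"constructed-demo-key-not-for-production"  # stand-in for a real key
KEY_ID = "demo-key-1"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_statement(sbom: bytes, fmt: str, spec_version: str, subject_name: str,
                    subject_digest: str, incomplete=None, tags=None, generator=None) -> dict:
    """Assemble the in-toto v1 statement whose predicate links a subject to its SBOM."""
    predicate = {
        # SBOM descriptor: format, spec version and digest of the SBOM document itself
        "sbom": {"format": fmt, "specVersion": spec_version,
                 "digest": {"sha256": sha256_hex(sbom)}},
        "generator": generator or {"name": "demo-sbom-tool", "version": "0.0.1",
                                   "timestamp": "2024-01-01T00:00:00Z"},
        # subjects the generator could not fully resolve (missing digest, unresolved PURL)
        "incompleteSubjects": list(incomplete or []),
        "tags": dict(tags or {}),
    }
    return {
        "_type": STATEMENT_TYPE,
        "subject": [{"name": subject_name, "digest": {"sha256": subject_digest}}],
        "predicateType": PREDICATE_TYPE,
        "predicate": predicate,
    }


def pae(payload_type: str, payload: bytes) -> bytes:
    """DSSE pre-authentication encoding: DSSEv1 <len> <type> <len> <body>."""
    t = payload_type.encode()
    return b" ".join([b"DSSEv1", str(len(t)).encode(), t,
                      str(len(payload)).encode(), payload])


def sign_envelope(statement: dict, key: bytes, keyid: str) -> dict:
    """Serialize the statement canonically and wrap it in a DSSE envelope."""
    body = json.dumps(statement, separators=(",", ":"), sort_keys=True).encode()
    sig = hmac.new(key, pae(PAYLOAD_TYPE, body), hashlib.sha256).digest()
    return {
        "payloadType": PAYLOAD_TYPE,
        "payload": base64.b64encode(body).decode(),
        "signatures": [{"keyid": keyid, "sig": base64.b64encode(sig).decode()}],
    }


def verify_envelope(envelope: dict, key: bytes, sbom: bytes) -> dict:
    """Check the signature over the PAE first, then check that the linkage really
    describes the SBOM bytes the verifier holds.  Returns the parsed statement;
    raises ValueError on any failure so callers cannot use an unverified payload."""
    body = base64.b64decode(envelope["payload"])
    expected = hmac.new(key, pae(envelope["payloadType"], body), hashlib.sha256).digest()
    if not any(hmac.compare_digest(base64.b64decode(s["sig"]), expected)
               for s in envelope["signatures"]):
        raise ValueError("no valid signature")
    statement = json.loads(body)
    if (statement.get("_type") != STATEMENT_TYPE
            or statement.get("predicateType") != PREDICATE_TYPE):
        raise ValueError("unexpected statement or predicate type")
    if statement["predicate"]["sbom"]["digest"]["sha256"] != sha256_hex(sbom):
        raise ValueError("SBOM digest does not match the SBOM presented")
    return statement


if __name__ == "__main__":
    st = build_statement(SBOM_BYTES, "CycloneDX", "1.6", "registry.invalid/app", IMAGE_DIGEST,
                         incomplete=[{"name": "pkg:npm/left-pad", "reason": "missing digest"}],
                         tags={"tenant": "t1", "project": "p1", "pipeline": "ci-42"})
    env = sign_envelope(st, SIGNING_KEY, KEY_ID)
    print(json.dumps(verify_envelope(env, SIGNING_KEY, SBOM_BYTES), indent=2))
```

The verifier deliberately binds two digests: the envelope signature covers the statement, and the statement's SBOM descriptor digest is recomputed over the SBOM the consumer actually holds, so a signed statement cannot be paired with a substituted SBOM. A non-empty `incompleteSubjects` list survives verification and is left for the policy layer to decide on, which mirrors the page's separate tracking of unresolved subjects.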