
SBOM OCI Deterministic Publisher

Module

Attestor

Status

IMPLEMENTED

Description

Deterministic SBOM publication to OCI registries with volatile field stripping (timestamps, tool versions, UUIDs) to ensure content-addressable reproducibility. Attaches SBOMs as OCI referrers with deterministic digests.

Implementation Details

  • SBOM OCI Publisher: src/Attestor/__Libraries/StellaOps.Attestor.Oci/Services/SbomOciPublisher.cs -- publishes SBOMs to OCI registries as referrer artifacts. Implements the ISbomOciPublisher interface (ISbomOciPublisher.cs).
  • OCI Registry Client: Services/IOciRegistryClient.cs -- abstraction for OCI registry operations.
  • SBOM Canonicalizer: __Libraries/StellaOps.Attestor.StandardPredicates/Canonicalization/SbomCanonicalizer.Elements.cs -- strips volatile fields (timestamps, tool versions, UUIDs) and orders elements deterministically for content-addressable digests.
  • RFC 8785 Canonicalizer: __Libraries/StellaOps.Attestor.ProofChain/Json/Rfc8785JsonCanonicalizer.cs -- deterministic JSON serialization for SBOM payloads.
  • Content-Addressed ID: __Libraries/StellaOps.Attestor.ProofChain/Identifiers/ContentAddressedIdGenerator.cs -- generates SHA-256 digests from canonicalized SBOM content.
  • ORAS Attestation Attacher: Services/OrasAttestationAttacher.cs -- attaches SBOM artifacts to OCI image digests via ORAS.
  • CycloneDX Timestamp Extension: __Libraries/StellaOps.Attestor.StandardPredicates/Writers/CycloneDxTimestampExtension.cs (with .Extract) -- handles timestamp extraction and stripping.
  • SPDX Timestamp Extension: Writers/SpdxTimestampExtension.cs (with .Extract) -- handles SPDX timestamp extraction and stripping.
  • Tests: __Tests/StellaOps.Attestor.Oci.Tests/SbomOciPublisherTests.cs
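As an added illustration of the pipeline the components above describe (volatile-field stripping, deterministic element ordering, RFC 8785 serialization, SHA-256 content address), the following Python is not StellaOps code; the set of stripped fields, the sort key and the two sample CycloneDX documents are assumptions chosen for the demo.

```python
import hashlib
import json

# Added example (not StellaOps code): strip volatile CycloneDX fields, order
# components deterministically, serialize RFC 8785 style, hash with SHA-256.
VOLATILE_METADATA_KEYS = ("timestamp", "tools")  # assumed list of fields to strip

def canonicalize_cyclonedx(sbom: dict) -> dict:
    """Copy of the SBOM with volatile fields removed and components sorted."""
    doc = json.loads(json.dumps(sbom))  # deep copy, never mutate the input
    doc.pop("serialNumber", None)       # urn:uuid:... is regenerated per run
    for key in VOLATILE_METADATA_KEYS:  # generation time, producing tool versions
        doc.get("metadata", {}).pop(key, None)
    # Emission order is not inventory content: sort on stable identity fields.
    doc.get("components", []).sort(
        key=lambda c: (c.get("purl", ""), c.get("name", ""), c.get("version", "")))
    return doc

def jcs_serialize(obj) -> bytes:
    """RFC 8785 style bytes: sorted keys, no whitespace, UTF-8, minimal escapes.
    Caveat: json.dumps orders keys by code point and formats floats its own way;
    full JCS orders by UTF-16 units and uses ES6 number formatting."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":"),
                      ensure_ascii=False).encode("utf-8")

def content_digest(sbom: dict) -> str:
    """Content-addressed SBOM identifier, e.g. 'sha256:3f1a...'."""
    canonical = jcs_serialize(canonicalize_cyclonedx(sbom))
    return "sha256:" + hashlib.sha256(canonical).hexdigest()

# Constructed sample: one inventory emitted twice by different scanner builds.
RUN_A = {
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "serialNumber": "urn:uuid:11111111-1111-4111-8111-111111111111",
    "metadata": {"timestamp": "2024-01-01T00:00:00Z",
                 "tools": [{"name": "scanner", "version": "1.0.0"}]},
    "components": [
        {"type": "library", "name": "zlib", "version": "1.3", "purl": "pkg:generic/zlib@1.3"},
        {"type": "library", "name": "openssl", "version": "3.2.0",
         "purl": "pkg:generic/openssl@3.2.0"},
    ],
}
RUN_B = json.loads(json.dumps(RUN_A))
RUN_B["serialNumber"] = "urn:uuid:22222222-2222-4222-8222-222222222222"
RUN_B["metadata"] = {"timestamp": "2024-06-30T12:34:56Z",
                     "tools": [{"name": "scanner", "version": "1.1.0"}]}
RUN_B["components"].reverse()  # different emission order, same inventory
```

Both runs yield the same `content_digest`, so an OCI referrer built from the canonical bytes gets the same digest on re-publication, while any change to the actual inventory (a component version, for instance) changes it.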

E2E Test Plan

  • Publish an SBOM via SbomOciPublisher and verify it is attached as an OCI referrer to the image digest
  • Publish the same SBOM twice and verify the OCI artifact digest is identical (deterministic publishing)
  • Verify SbomCanonicalizer strips timestamps, tool versions, and UUIDs from the SBOM before publishing
  • Verify the canonicalized SBOM content-addressed digest matches between two independent canonical computations
  • Publish a CycloneDX SBOM and verify timestamp stripping via CycloneDxTimestampExtension
  • Publish an SPDX SBOM and verify timestamp stripping via SpdxTimestampExtension
  • Fetch the published SBOM from the OCI registry and verify it can be parsed correctly
  • Verify IOciRegistryClient handles authentication and registry connection errors