stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity
Files
cf5b72974f923126944f4dcd47e85864ebb31a3b
git.stella-ops.org/docs/features/unchecked/attestor/sbom-spine.md

2.4 KiB
Raw Blame History

SBOM Spine (Image to SBOM to DSSE to Transparency Log)

Module

Attestor

Status

IMPLEMENTED

Description

The full SBOM spine (SBOM generation in CycloneDX/SPDX, DSSE signing, Rekor transparency log integration) is implemented.

Implementation Details

  • SBOM Linkage Statement: src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Statements/SbomLinkageStatement.cs -- in-toto statement linking image digest to SBOM. SbomLinkagePayload.cs -- linkage payload.
  • SBOM Descriptor: Statements/SbomDescriptor.cs -- SBOM format, spec version, and content digest.
  • CycloneDX Writer: __Libraries/StellaOps.Attestor.StandardPredicates/Writers/CycloneDxWriter.cs (with partials) -- generates CycloneDX SBOMs.
  • SPDX Writer: Writers/SpdxWriter.cs (with partials) -- generates SPDX SBOMs.
  • DSSE Signing: __Libraries/StellaOps.Attestor.ProofChain/Signing/ProofChainSigner.cs -- signs SBOM linkage statements into DSSE envelopes.
  • Rekor Submission: StellaOps.Attestor.Core/Rekor/RekorSubmissionService.cs -- submits signed SBOM attestations to Rekor.
  • Proof Spine: Assembly/ProofSpineRequest.cs, ProofSpineResult.cs -- assembles SBOM attestation into proof spine with Merkle root.
  • OCI Attachment: __Libraries/StellaOps.Attestor.Oci/Services/SbomOciPublisher.cs -- publishes SBOM as OCI referrer.
  • Persistence: __Libraries/StellaOps.Attestor.Persistence/Entities/SbomEntryEntity.cs -- persists SBOM entries. RekorEntryEntity.cs -- persists Rekor entries.
  • Tests: __Tests/StellaOps.Attestor.ProofChain.Tests/SbomSpineTests.cs

E2E Test Plan

  • Generate a CycloneDX SBOM from an image scan, create an SbomLinkageStatement with the image digest as subject, and verify the linkage
  • Sign the SBOM linkage statement into a DSSE envelope via ProofChainSigner and verify the envelope
  • Submit the signed SBOM attestation to Rekor and verify a log entry is created with log index
  • Assemble the SBOM attestation into a proof spine via ProofSpineRequest and verify the Merkle root
  • Publish the SBOM to OCI via SbomOciPublisher and verify it is discoverable as a referrer
  • Persist the SBOM entry and Rekor entry and verify retrieval
  • Verify the full spine: Image -> SBOM -> DSSE Envelope -> Rekor Entry, each step linked and verifiable
  • Generate an SPDX SBOM and repeat the spine verification to confirm format-agnostic support