git.stella-ops.org/docs/features/unchecked/attestor/sbom-to-vex-proof-pipeline.md

# SBOM-to-VEX Proof Pipeline

**Module:** Attestor

**Status:** IMPLEMENTED

## Description

Full SBOM-to-VEX proof pipeline with pipeline request/result models, SBOM component extraction, VEX proof integration, and Rekor transparency log entries.

## Implementation Details

- Pipeline Request/Result: `src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Pipeline/ProofChainRequest.cs`, `ProofChainResult.cs` -- pipeline orchestration models.
- Pipeline Subject: `Pipeline/PipelineSubject.cs` -- subject being processed through the pipeline.
- Rekor Entry: `Pipeline/RekorEntry.cs` -- Rekor transparency log entry from pipeline output.
- Component Ref Extractor: `Linking/ComponentRefExtractor.cs` (with `.Resolution`, `.Spdx`) -- extracts SBOM component references for VEX linkage.
- SBOM Extraction Result: `Linking/SbomExtractionResult.cs` -- extracted components for VEX matching.
- VEX Proof Integrator: `Generators/VexProofIntegrator.cs` (with `.Helpers`, `.Metadata`) -- integrates extracted SBOM components with VEX decisions.
- VEX Verdict Proof Payload: `Generators/VexVerdictProofPayload.cs` -- combined SBOM-component-linked VEX proof.
- VEX Verdict Statement: `Statements/VexVerdictStatement.cs` -- in-toto VEX verdict statement.
- Proof Spine Assembly: `Assembly/ProofSpineRequest.cs`, `ProofSpineResult.cs` -- assembles pipeline outputs into a verifiable spine.
- DSSE Signing: `Signing/ProofChainSigner.cs` -- signs all pipeline outputs.
- Rekor Submission: `StellaOps.Attestor.Core/Rekor/RekorSubmissionService.cs` -- publishes to the transparency log.
- Tests: `__Tests/StellaOps.Attestor.ProofChain.Tests/SbomToVexPipelineTests.cs`

## E2E Test Plan

- Run the SBOM-to-VEX pipeline via `ProofChainRequest` with an SBOM input and VEX data; verify `ProofChainResult` contains linked attestations
- Verify `ComponentRefExtractor` extracts component references from the input SBOM
- Verify `VexProofIntegrator` matches SBOM components to VEX statements and produces `VexVerdictProofPayload`
- Verify the VEX verdict statement is signed into a DSSE envelope
- Verify the pipeline output includes a Rekor entry with the signed VEX verdict
- Assemble pipeline outputs into a proof spine and verify the Merkle root covers both SBOM and VEX attestations
- Verify the pipeline handles components with no VEX coverage and reports them as unassessed
- Verify bidirectional traceability: from VEX verdict to SBOM component and from SBOM component to VEX verdict
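The following Python is an added illustration of the checks in the test plan above, not the project's C# code: it models purl extraction from an SBOM, linking VEX statements to components with uncovered components reported as unassessed, a Merkle-rooted proof spine whose root can be checked to cover both the SBOM and every verdict, and bidirectional traceability maps. The SBOM, VEX statements and CVE ids are constructed placeholders, and the DSSE signing and Rekor submission stages are not modelled.

```python
import hashlib
import json

# Constructed sample input, not from the project: a minimal CycloneDX-style SBOM
# and two VEX statements. The CVE ids are placeholders.
SBOM = {"components": [{"purl": "pkg:npm/lodash@4.17.20"},
                       {"purl": "pkg:pypi/requests@2.31.0"},
                       {"purl": "pkg:deb/debian/openssl@3.0.11"}]}  # no VEX statement
VEX = [{"vuln": "CVE-0000-PLACEHOLDER1", "purl": "pkg:npm/lodash@4.17.20", "status": "not_affected"},
       {"vuln": "CVE-0000-PLACEHOLDER2", "purl": "pkg:pypi/requests@2.31.0", "status": "affected"}]

def digest(obj) -> str:
    # Leaf identity: sha256 over the canonical JSON of an attestation body.
    return hashlib.sha256(json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()).hexdigest()

def integrate_vex(sbom, vex):
    # Extractor + integrator stand-in: pull purl references from the SBOM, link each VEX
    # statement to its component, and report components with no statement as unassessed.
    purls = [c["purl"] for c in sbom["components"] if "purl" in c]
    verdicts = [{"component": s["purl"], "vuln": s["vuln"], "status": s["status"]}
                for s in vex if s["purl"] in purls]
    covered = {v["component"] for v in verdicts}
    return verdicts, [p for p in purls if p not in covered]

def merkle_root(leaves: list[str]) -> str:
    # Binary Merkle tree over hex digests; an odd-sized level duplicates its last node.
    level = list(leaves)
    while len(level) > 1:
        level += level[-1:] if len(level) % 2 else []
        level = [hashlib.sha256((level[i] + level[i + 1]).encode()).hexdigest()
                 for i in range(0, len(level), 2)]
    return level[0]

def assemble_spine(sbom, verdicts):
    # Proof spine: one root over the SBOM attestation digest plus every verdict digest.
    leaves = [digest(sbom)] + [digest(v) for v in verdicts]
    return {"root": merkle_root(leaves), "leaves": leaves}

def spine_covers(spine, obj) -> bool:
    # Membership plus root recomputation, so an edited leaf list is rejected.
    return digest(obj) in spine["leaves"] and merkle_root(spine["leaves"]) == spine["root"]

def traceability(verdicts):
    # Bidirectional maps: component -> vulns (forward) and vuln -> components (reverse).
    fwd, rev = {}, {}
    for v in verdicts:
        fwd.setdefault(v["component"], []).append(v["vuln"])
        rev.setdefault(v["vuln"], []).append(v["component"])
    return fwd, rev
```

Running `integrate_vex`, `assemble_spine` and `traceability` in sequence on the sample input yields two linked verdicts, one unassessed component, and a spine that covers the SBOM and both verdicts but rejects any object whose digest is not a leaf.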