stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity
Files
cf5b72974f923126944f4dcd47e85864ebb31a3b
git.stella-ops.org/docs/features/unchecked/attestor/sbom-vex-bom-ref-cross-linking.md

2.2 KiB
Raw Blame History

SBOM-VEX bom-ref Cross-Linking (ComponentRefExtractor)

Module

Attestor

Status

IMPLEMENTED

Description

Bidirectional linking between VEX statements and SBOM components via CycloneDX bom-ref and SPDX SPDXID extraction, with PURL-to-bom-ref resolution service.

Implementation Details

  • Component Ref Extractor: src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Linking/ComponentRefExtractor.cs -- core extractor for SBOM component references.
    • .Resolution -- resolves PURL-to-bom-ref mappings for CycloneDX components, enabling VEX statements to reference components by PURL and resolve to bom-ref.
    • .Spdx -- extracts SPDXID references from SPDX documents for cross-linking.
  • SBOM Extraction Result: Linking/SbomExtractionResult.cs -- result containing all extracted component references with PURLs, bom-refs, and SPDXIDs.
  • SBOM Reference: __Libraries/StellaOps.Attestor.ProofChain/Predicates/SbomReference.cs -- reference model linking to a specific SBOM for cross-referencing.
  • Micro-Witness SBOM Ref: Predicates/MicroWitnessSbomRef.cs -- links function-level witness evidence to specific SBOM components by bom-ref.
  • VEX Override Evidence Reference: __Libraries/StellaOps.Attestor.StandardPredicates/VexOverride/EvidenceReference.cs -- links VEX override decisions to SBOM component evidence.
  • Tests: __Tests/StellaOps.Attestor.ProofChain.Tests/ComponentRefExtractorTests.cs

E2E Test Plan

  • Extract bom-refs from a CycloneDX SBOM via ComponentRefExtractor and verify each component has a unique bom-ref
  • Resolve PURLs to bom-refs via .Resolution and verify bidirectional mapping (PURL -> bom-ref and bom-ref -> PURL)
  • Extract SPDXIDs from an SPDX document via .Spdx and verify each package has a unique SPDXID
  • Verify SbomExtractionResult contains all components with PURLs, bom-refs, and/or SPDXIDs
  • Link a VEX statement to an SBOM component by bom-ref and verify the cross-reference
  • Link a MicroWitnessSbomRef to a specific bom-ref and verify the function evidence is linked to the correct component
  • Verify cross-linking works for components with multiple identifiers (PURL + bom-ref + CPE)