stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity
Files
cf5b72974f923126944f4dcd47e85864ebb31a3b
git.stella-ops.org/docs/features/unchecked/attestor/slsa-v1-provenance-predicate-with-validation-and-build-material-tracking.md

2.5 KiB
Raw Blame History

SLSA v1 Provenance Predicate with Validation and Build Material Tracking

Module

Attestor

Status

IMPLEMENTED

Description

Full SLSA v1 provenance predicates with parsing, schema validation (build definition, run details, level checks), and build material/metadata/invocation models.

Implementation Details

  • SLSA Provenance Parser: src/Attestor/__Libraries/StellaOps.Attestor.StandardPredicates/Parsers/SlsaProvenancePredicateParser.cs -- parses SLSA v1 provenance predicates.
    • .ExtractMetadata -- extracts builder, build type, and invocation metadata.
    • .Validation -- validates provenance structure and required fields.
  • SLSA Schema Validator: Validation/SlsaSchemaValidator.cs -- comprehensive SLSA schema validation:
    • .BuildDefinition -- validates build definition (build type, external parameters, internal parameters, resolved dependencies).
    • .RunDetails -- validates run details (builder, metadata, byproducts).
    • .Level -- validates SLSA level requirements (L1-L4 compliance checks).
    • .Helpers -- validation helper utilities.
  • SLSA Validation Result: Validation/SlsaValidationResult.cs -- result model with pass/fail and detailed errors.
  • SPDX3 Build Attestation: __Libraries/StellaOps.Attestor.Spdx3/BuildAttestationMapper.cs (with .MapFromSpdx3, .MapToSpdx3) -- maps SLSA provenance to/from SPDX3 build profiles.
  • Build Models: __Libraries/StellaOps.Attestor.Spdx3/BuildAttestationPayload.cs, BuildInvocation.cs, BuildMaterial.cs, BuildMetadata.cs -- build attestation models.
  • Tests: __Tests/StellaOps.Attestor.StandardPredicates.Tests/SlsaSchemaValidatorTests.cs

E2E Test Plan

  • Parse a SLSA v1 provenance JSON via SlsaProvenancePredicateParser and verify builder, build type, and materials are extracted
  • Validate provenance via SlsaSchemaValidator and verify it passes for a valid SLSA L2 provenance
  • Validate build definition via .BuildDefinition and verify build type, external parameters, and resolved dependencies
  • Validate run details via .RunDetails and verify builder identity and metadata
  • Check SLSA level via .Level and verify L1-L4 compliance (e.g., L3 requires hermetic build)
  • Validate invalid provenance (missing buildDefinition) and verify SlsaValidationResult contains specific errors
  • Map SLSA provenance to SPDX3 via BuildAttestationMapper.MapToSpdx3 and verify build material tracking
  • Verify BuildMaterial captures name, URI, and digest for each build input