stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity
Files
cf5b72974f923126944f4dcd47e85864ebb31a3b
git.stella-ops.org/docs/features/unchecked/cli/offline-sbom-verification-cli.md

1.4 KiB
Raw Blame History

Offline SBOM Verification CLI

Module

Cli

Status

IMPLEMENTED

Description

CLI command stella sbom verify for offline SBOM verification including signature validation, canonical hash recomputation, and format compliance checks for CycloneDX/SPDX documents without network connectivity.

Implementation Details

  • Command Group: src/Cli/StellaOps.Cli/Commands/SbomCommandGroup.cs -- SbomCommandGroup for stella sbom commands
  • SBOM Client: src/Cli/StellaOps.Cli/Services/SbomClient.cs / ISbomClient.cs -- SBOM operations
  • SBOMer Client: src/Cli/StellaOps.Cli/Services/SbomerClient.cs / ISbomerClient.cs -- SBOM generation client
  • Tests: src/Cli/__Tests/StellaOps.Cli.Tests/SbomCommandTests.cs, src/Cli/__Tests/StellaOps.Cli.Tests/Integration/SbomCanonicalVerifyIntegrationTests.cs, SbomVerifyIntegrationTests.cs
  • Commands:
    • stella sbom verify <file> -- verify SBOM offline. Options: --format cdx|spdx, --check-signature, --recompute-hash

E2E Test Plan

  • Run stella sbom verify ./sbom.cdx.json and verify CycloneDX compliance check
  • Run stella sbom verify ./sbom.spdx.json and verify SPDX compliance check
  • Run with --check-signature and verify SBOM signature validation
  • Run with --recompute-hash and verify canonical hash matches
  • Verify offline operation (no network required)
  • Verify invalid SBOM produces clear error with specific violations