git.stella-ops.org/docs/features/unchecked/policy/sbom-presence-policy-gate.md

SBOM Presence Policy Gate (SbomPresenceGate)

Module: Policy

Status: IMPLEMENTED

Description

Policy gate that blocks releases lacking a valid SBOM document, with configurable format requirements (CycloneDX/SPDX), minimum component count thresholds, and freshness checks.

Implementation Details

  • PolicyGateEvaluator Evidence Completeness gate: src/Policy/StellaOps.Policy.Engine/Gates/PolicyGateEvaluator.cs
    • Evidence Completeness gate (first in 5-gate pipeline) checks for SBOM presence
    • Missing SBOM triggers Block or Warn based on gate configuration
    • Evaluates SBOM format, component count, and freshness as part of evidence checks
  • DriftGateEvaluator: src/Policy/StellaOps.Policy.Engine/Gates/DriftGateEvaluator.cs
    • Evaluates SBOM drift between baseline and target
    • SBOM format validation (CycloneDX/SPDX) as part of drift analysis
  • DriftGateOptions: src/Policy/StellaOps.Policy.Engine/Gates/DriftGateOptions.cs -- configurable SBOM requirements
  • EvidenceTtlEnforcer: src/Policy/__Libraries/StellaOps.Policy/Freshness/EvidenceTtlEnforcer.cs
    • SBOM/Provenance freshness: checks BuildTime against TTL
    • Freshness statuses: Fresh, Warning, Stale
  • WhatIfSimulationService: src/Policy/StellaOps.Policy.Engine/WhatIfSimulation/WhatIfSimulationService.cs
    • SBOM diff operations verify SBOM presence before simulation

E2E Test Plan

  • Evaluate artifact without SBOM; verify Evidence Completeness gate blocks
  • Evaluate artifact with valid CycloneDX SBOM; verify gate passes
  • Evaluate artifact with valid SPDX SBOM; verify gate passes
  • Configure minimum component count threshold=10; provide SBOM with 5 components; verify gate warns/blocks
  • Configure minimum component count threshold=10; provide SBOM with 15 components; verify gate passes
  • Evaluate artifact with stale SBOM (BuildTime exceeds TTL); verify freshness check warns
  • Evaluate artifact with fresh SBOM (BuildTime within TTL); verify freshness check passes
  • Verify gate result message indicates SBOM format and component count when present
  • Verify DriftGateEvaluator detects missing SBOM in drift analysis
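The following is an added illustration of the Evidence Completeness / SBOM presence logic described under Implementation Details, arranged so that its sample inputs walk through the cases in the E2E Test Plan above. It is not StellaOps code (the real gate lives in the C# files listed above); the option names (allowed_formats, min_components, ttl, warning_fraction, block_on_missing, block_on_threshold), the top-level markers used to recognise CycloneDX and SPDX JSON, the 80%-of-TTL point at which freshness moves from Fresh to Warning, and the mapping of a Stale SBOM to a Warn verdict are all assumptions made for the example, and the SBOM documents are constructed, not real artifacts.

```python
import json
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Optional

# Added example, not StellaOps code. Option names, format markers and the
# Warning threshold below are assumptions modelled on the page's description.

class Verdict(str, Enum):
    PASS = "Pass"
    WARN = "Warn"
    BLOCK = "Block"

SEVERITY = {Verdict.PASS: 0, Verdict.WARN: 1, Verdict.BLOCK: 2}  # worst verdict wins

class Freshness(str, Enum):
    FRESH = "Fresh"
    WARNING = "Warning"
    STALE = "Stale"

@dataclass(frozen=True)
class GateOptions:
    allowed_formats: tuple = ("CycloneDX", "SPDX")
    min_components: int = 1
    ttl: timedelta = timedelta(days=30)
    warning_fraction: float = 0.8     # Warning once this share of the TTL has elapsed (assumed)
    block_on_missing: bool = True     # Block (else Warn) when no SBOM is attached
    block_on_threshold: bool = False  # Block (else Warn) when below min_components

@dataclass(frozen=True)
class GateResult:
    verdict: Verdict
    message: str
    sbom_format: Optional[str] = None
    component_count: int = 0
    freshness: Optional[Freshness] = None

def detect_format(doc: dict):
    """Recognise the SBOM format from its top-level markers; returns
    (format name, list of components/packages) or (None, []) if unrecognised."""
    if doc.get("bomFormat") == "CycloneDX" and isinstance(doc.get("components"), list):
        return "CycloneDX", doc["components"]
    spdx = doc.get("spdxVersion")
    if isinstance(spdx, str) and spdx.startswith("SPDX-") and isinstance(doc.get("packages"), list):
        return "SPDX", doc["packages"]
    return None, []

def classify_freshness(build_time: datetime, now: datetime, opts: GateOptions) -> Freshness:
    """Fresh / Warning / Stale from the SBOM's BuildTime measured against the TTL."""
    age = now - build_time
    if age > opts.ttl:
        return Freshness.STALE
    if age > opts.ttl * opts.warning_fraction:
        return Freshness.WARNING
    return Freshness.FRESH

def evaluate_sbom_presence(sbom_json: Optional[str], build_time: Optional[datetime],
                           opts: GateOptions, now: datetime) -> GateResult:
    """First gate in the pipeline: a missing or unusable SBOM short-circuits to
    Block/Warn; otherwise format, component count and freshness are all checked."""
    if not sbom_json:
        verdict = Verdict.BLOCK if opts.block_on_missing else Verdict.WARN
        return GateResult(verdict, "Evidence Completeness: no SBOM attached to artifact")
    try:
        doc = json.loads(sbom_json)
    except json.JSONDecodeError as exc:
        return GateResult(Verdict.BLOCK, f"Evidence Completeness: SBOM is not valid JSON ({exc.msg})")
    fmt, items = detect_format(doc if isinstance(doc, dict) else {})
    if fmt is None or fmt not in opts.allowed_formats:
        return GateResult(Verdict.BLOCK, "Evidence Completeness: SBOM format not recognised or not allowed")

    count, verdict, notes, freshness = len(items), Verdict.PASS, [], None
    if count < opts.min_components:
        verdict = Verdict.BLOCK if opts.block_on_threshold else Verdict.WARN
        notes.append(f"component count {count} below minimum {opts.min_components}")
    if build_time is None:
        verdict = max(verdict, Verdict.WARN, key=SEVERITY.get)
        notes.append("no BuildTime, freshness unknown")
    else:
        freshness = classify_freshness(build_time, now, opts)
        if freshness is Freshness.STALE:
            verdict = max(verdict, Verdict.WARN, key=SEVERITY.get)
            notes.append(f"BuildTime exceeds TTL of {opts.ttl.days} days")
        elif freshness is Freshness.WARNING:
            notes.append("SBOM approaching TTL")
    # Result message reports format and component count, as the test plan expects.
    message = (f"Evidence Completeness: SBOM format={fmt}, components={count}, "
               f"freshness={freshness.value if freshness else 'Unknown'}")
    if notes:
        message += "; " + "; ".join(notes)
    return GateResult(verdict, message, fmt, count, freshness)

# Constructed sample SBOMs and a fixed clock for the test-plan scenarios (not real artifacts).
NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)

def days_ago(n: int) -> datetime:
    return NOW - timedelta(days=n)

def make_cyclonedx(n: int) -> str:
    return json.dumps({"bomFormat": "CycloneDX", "specVersion": "1.5",
                       "components": [{"type": "library", "name": f"lib{i}", "version": "1.0"} for i in range(n)]})

def make_spdx(n: int) -> str:
    return json.dumps({"spdxVersion": "SPDX-2.3", "SPDXID": "SPDXRef-DOCUMENT",
                       "packages": [{"SPDXID": f"SPDXRef-pkg{i}", "name": f"pkg{i}"} for i in range(n)]})

if __name__ == "__main__":
    for label, sbom, built in [("missing", None, None),
                               ("cyclonedx-15-fresh", make_cyclonedx(15), days_ago(2)),
                               ("spdx-5-stale", make_spdx(5), days_ago(45))]:
        r = evaluate_sbom_presence(sbom, built, GateOptions(min_components=10), NOW)
        print(f"{label}: {r.verdict.value} - {r.message}")
```

The gate is deliberately fail-closed on anything it cannot interpret (unparseable JSON, an unknown document shape, a disallowed format), while the softer conditions (component count under the threshold, stale BuildTime) map to Warn unless the operator opts into Block, matching the Block-or-Warn configurability described above. Freshness is evaluated against an injected clock so the Fresh/Warning/Stale boundaries can be pinned down exactly in tests.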