git.stella-ops.org/docs/features/unchecked/scanner/byos-ingestion-workflow.md

BYOS (Bring Your Own SBOM) Ingestion Workflow

Module

Scanner

Status

IMPLEMENTED

Description

Allows users to upload externally-generated SBOMs (CycloneDX 1.4-1.6, SPDX 2.3/3.0) via REST API. Includes automatic format detection, schema validation, component normalization, quality scoring (PURL/version/license coverage weighted 40/30/30), SHA-256 digest computation, and automatic scan/analysis triggering. Supports both inline JSON and base64-encoded payloads with CI context metadata.

Implementation Details

  • Upload Endpoints:
    • src/Scanner/StellaOps.Scanner.WebService/Endpoints/SbomUploadEndpoints.cs - SbomUploadEndpoints for REST upload API
    • src/Scanner/StellaOps.Scanner.WebService/Endpoints/SbomEndpoints.cs - Additional SBOM query endpoints
  • Contracts:
    • src/Scanner/StellaOps.Scanner.WebService/Contracts/SbomContracts.cs - SbomUploadRequestDto, SbomUploadResponseDto, SbomValidationSummaryDto, SbomFormats, SbomAncestryDto, SbomUploadSourceDto, SbomUploadCiContextDto
  • Ingestion Service:
    • src/Scanner/StellaOps.Scanner.WebService/Services/ISbomIngestionService.cs - ISbomIngestionService, SbomIngestionResult, SbomValidationResult
    • src/Scanner/StellaOps.Scanner.WebService/Services/SbomIngestionService.cs - Format detection, schema validation, component normalization, quality scoring, digest computation
  • BYOS Upload Service:
    • src/Scanner/StellaOps.Scanner.WebService/Services/SbomByosUploadService.cs - ISbomByosUploadService / SbomByosUploadService for external SBOM ingestion
  • Upload Store:
    • src/Scanner/StellaOps.Scanner.WebService/Services/SbomUploadStore.cs - ISbomUploadStore, InMemorySbomUploadStore, SbomUploadRecord

E2E Test Plan

  • Upload a CycloneDX 1.6 JSON SBOM via POST /api/v1/sbom/upload with inline JSON payload and verify acceptance
  • Upload an SPDX 2.3 SBOM via base64-encoded payload with CI context metadata and verify ingestion
  • Verify automatic format detection correctly identifies CycloneDX vs SPDX format
  • Verify schema validation rejects an invalid SBOM with appropriate error details
  • Verify quality scoring returns PURL/version/license coverage percentages (40/30/30 weighted)
  • Verify SHA-256 digest is computed and returned in the response
  • Verify automatic scan/analysis is triggered after successful ingestion
  • Query the uploaded SBOM status via GET /api/v1/sbom/uploads/{id} and verify metadata
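The description above names the ingestion pipeline (format detection, validation, normalization, 40/30/30 quality scoring, SHA-256 digest) and the test plan asks a tester to verify each of those stages from the outside. The following added example is a client-side pre-flight that a tester can run against a candidate SBOM before uploading it, so that the coverage percentages, the score and the digest returned by the service can be checked against independently computed values. It is not code from StellaOps; the exact scoring arithmetic (per-field coverage as a fraction of components, combined as 0.4/0.3/0.3 and scaled to 100), the minimal structural checks standing in for full schema validation, and the assumption that the digest covers the decoded SBOM bytes rather than the request wrapper are all assumptions of this example. SPDX 3.0 JSON-LD is only detected here, not flattened for scoring, and the sample documents are constructed.

```python
"""Client-side pre-flight for a BYOS upload (added illustration, not StellaOps code)."""
import base64
import hashlib
import json

WEIGHTS = {"purl": 0.40, "version": 0.30, "license": 0.30}  # weighting stated on the page
SUPPORTED = {"cyclonedx": {"1.4", "1.5", "1.6"}, "spdx": {"2.3", "3.0"}}
NO_LICENSE = {"", "NOASSERTION", "NONE"}  # SPDX placeholders count as "no license"


def detect_format(doc):
    """Return 'cyclonedx-<ver>' or 'spdx-<ver>' from the document's own markers, else None."""
    if doc.get("bomFormat") == "CycloneDX" and isinstance(doc.get("specVersion"), str):
        return "cyclonedx-" + doc["specVersion"]
    if isinstance(doc.get("spdxVersion"), str) and doc["spdxVersion"].startswith("SPDX-"):
        return "spdx-" + doc["spdxVersion"][len("SPDX-"):]
    ctx = doc.get("@context")  # SPDX 3.x JSON-LD identifies itself through its context URL
    if isinstance(ctx, str) and "spdx.org/rdf/3." in ctx:
        return "spdx-3.0"
    return None


def validate(doc):
    """Minimal structural checks (assumed stand-in for schema validation); returns (fmt, errors)."""
    fmt = detect_format(doc)
    if fmt is None:
        return None, ["unrecognized SBOM: no CycloneDX bomFormat/specVersion or SPDX spdxVersion/@context"]
    family, version = fmt.split("-", 1)
    errors = []
    if version not in SUPPORTED[family]:
        errors.append(f"unsupported {family} version {version}")
    if family == "cyclonedx" and not isinstance(doc.get("components"), list):
        errors.append("CycloneDX document must carry a 'components' array")
    if family == "spdx" and version.startswith("2") and not isinstance(doc.get("packages"), list):
        errors.append("SPDX 2.x document must carry a 'packages' array")
    return fmt, errors


def normalize(doc, fmt):
    """Flatten components of either format to {purl, version, license} so scoring is format-neutral."""
    out = []
    if fmt.startswith("cyclonedx"):
        for c in doc.get("components", []):
            lic = ""
            for entry in c.get("licenses", []):  # either {"expression": ...} or {"license": {id|name}}
                lic = entry.get("expression") or entry.get("license", {}).get("id") \
                    or entry.get("license", {}).get("name") or ""
                if lic:
                    break
            out.append({"purl": c.get("purl", ""), "version": c.get("version", ""), "license": lic})
    elif fmt.startswith("spdx-2"):
        for p in doc.get("packages", []):
            purl = next((r.get("referenceLocator", "") for r in p.get("externalRefs", [])
                         if r.get("referenceType") == "purl"), "")
            lic = p.get("licenseConcluded") or p.get("licenseDeclared") or ""
            out.append({"purl": purl, "version": p.get("versionInfo", ""),
                        "license": "" if lic in NO_LICENSE else lic})
    return out  # SPDX 3.0 graphs are detected but not flattened in this example


def coverage(components):
    """Fraction of components carrying each field; an empty SBOM scores zero everywhere."""
    n = len(components)
    return {k: (sum(1 for c in components if c[k]) / n if n else 0.0) for k in WEIGHTS}


def quality_score(cov):
    """Assumed formula: 100 * (0.4*purl + 0.3*version + 0.3*license), rounded to 0.1."""
    return round(100 * sum(WEIGHTS[k] * cov[k] for k in WEIGHTS), 1)


def encode_base64(raw):
    """Base64 text for the base64-payload upload path."""
    return base64.b64encode(raw).decode("ascii")


def payload_digest(content, encoding):
    """SHA-256 over the decoded SBOM bytes, whether sent inline ('json') or as base64 text."""
    raw = base64.b64decode(content, validate=True) if encoding == "base64" else content
    return "sha256:" + hashlib.sha256(raw).hexdigest()


def preflight(raw_bytes):
    """Everything a tester should know before POST /api/v1/sbom/upload and can compare afterwards."""
    try:
        doc = json.loads(raw_bytes)
    except json.JSONDecodeError as exc:
        return {"format": None, "errors": [f"not JSON: {exc.msg}"], "coverage": None, "score": None,
                "digest": payload_digest(raw_bytes, "json")}
    if not isinstance(doc, dict):
        return {"format": None, "errors": ["top-level JSON value must be an object"], "coverage": None,
                "score": None, "digest": payload_digest(raw_bytes, "json")}
    fmt, errors = validate(doc)
    ok = fmt is not None and not errors
    cov = coverage(normalize(doc, fmt)) if ok else None
    return {"format": fmt, "errors": errors, "coverage": cov,
            "score": quality_score(cov) if ok else None, "digest": payload_digest(raw_bytes, "json")}


# Constructed samples (not real SBOMs): deliberately uneven PURL/version/license coverage.
CDX_SAMPLE = json.dumps({"bomFormat": "CycloneDX", "specVersion": "1.6", "version": 1, "components": [
    {"type": "library", "name": "a", "version": "1.0.0", "purl": "pkg:npm/a@1.0.0",
     "licenses": [{"license": {"id": "MIT"}}]},
    {"type": "library", "name": "b", "version": "2.1.0", "purl": "pkg:npm/b@2.1.0"},
    {"type": "library", "name": "c", "version": "0.3.0", "licenses": [{"expression": "Apache-2.0 OR MIT"}]},
    {"type": "library", "name": "d"}]}).encode()
SPDX_SAMPLE = json.dumps({"spdxVersion": "SPDX-2.3", "SPDXID": "SPDXRef-DOCUMENT", "name": "sample", "packages": [
    {"SPDXID": "SPDXRef-x", "name": "x", "versionInfo": "1.2.3", "licenseConcluded": "MIT",
     "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                       "referenceLocator": "pkg:pypi/x@1.2.3"}]},
    {"SPDXID": "SPDXRef-y", "name": "y", "versionInfo": "4.5", "licenseConcluded": "NOASSERTION"}]}).encode()

if __name__ == "__main__":
    for raw in (CDX_SAMPLE, SPDX_SAMPLE, b'{"hello": "world"}'):
        print(json.dumps(preflight(raw)))
```

Run it before an upload and keep the output: the `format`, `coverage`, `score` and `digest` fields are the values to compare with the upload response, and the third sample shows the error path a rejected document should take. If the service's response disagrees on the digest for a base64 upload, the first thing to check is whether it hashed the decoded bytes (as this example assumes) or the base64 text.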