CycloneDX 1.7 Native Evidence Field Population

Module

Scanner

Status

IMPLEMENTED

Description

Replaces custom stellaops:evidence[n] properties with spec-compliant CycloneDX 1.7 component.evidence.* structures (Identity, Occurrences, Licenses, Copyright). Ensures SBOM evidence data uses standard fields instead of vendor extensions.

Implementation Details

Evidence Builders:
- src/Scanner/__Libraries/StellaOps.Scanner.Emit/Evidence/IdentityEvidenceBuilder.cs - Builds component.evidence.identity fields
- src/Scanner/__Libraries/StellaOps.Scanner.Emit/Evidence/OccurrenceEvidenceBuilder.cs - Builds component.evidence.occurrences fields
- src/Scanner/__Libraries/StellaOps.Scanner.Emit/Evidence/LicenseEvidenceBuilder.cs - Builds component.evidence.licenses fields
- src/Scanner/__Libraries/StellaOps.Scanner.Emit/Evidence/CallstackEvidenceBuilder.cs - Builds callstack evidence fields
Evidence Mapping:
- src/Scanner/__Libraries/StellaOps.Scanner.Emit/Evidence/CycloneDxEvidenceMapper.cs - Maps internal evidence data to CycloneDX 1.7 evidence structures
Composition Integration:
- src/Scanner/__Libraries/StellaOps.Scanner.Emit/Composition/CycloneDxComposer.cs - Composes evidence into CycloneDX output
- src/Scanner/__Libraries/StellaOps.Scanner.Emit/Composition/CycloneDxLayerWriter.cs - Per-layer CycloneDX writer with evidence fields

E2E Test Plan

Scan a container image and export as CycloneDX 1.7 JSON
Verify component.evidence.identity fields are populated for components with identity evidence
Verify component.evidence.occurrences fields contain file location evidence
Verify component.evidence.licenses fields contain license evidence
Verify no custom stellaops:evidence[n] properties remain in the output
Validate the output against the CycloneDX 1.7 JSON schema

1.9 KiB Raw Blame History