
Third-Party Scanner Output Ingestion (Syft/Grype/Trivy/Clair/Xray Compatibility)

Module: Scanner

Status: IMPLEMENTED

Description

CycloneDX, SPDX, and SLSA provenance parsers enable ingesting outputs from third-party scanners. VEX normalization and SBOM comparison/round-trip tests ensure compatibility with standard formats used by Syft, Grype, Trivy, and other tools.
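The following is an added illustration of the ingestion path the description outlines, written for this page and not taken from the StellaOps parsers. It normalizes a constructed Syft-style CycloneDX 1.5 document (including a nested component, which CycloneDX permits) and a constructed Trivy-style SPDX 2.3 document into one component model, rejects CycloneDX spec versions it does not know, and performs the parse/write/re-parse round trip the test plan calls for. All sample documents, package names, PURLs and the `Component` model are constructed for the example.

```python
import json
from dataclasses import dataclass
from typing import List, Optional

# Constructed example, not StellaOps code: normalize CycloneDX 1.x and SPDX 2.x
# JSON SBOMs into one component model and check a CycloneDX round trip.

SUPPORTED_CDX_VERSIONS = {"1.4", "1.5", "1.6"}


@dataclass(frozen=True)
class Component:
    name: str
    version: str
    purl: Optional[str]


def _walk_cdx_components(components: list) -> List[Component]:
    """CycloneDX allows components to nest under a parent component; flatten them."""
    out = []
    for c in components:
        if "name" not in c:
            raise ValueError("CycloneDX component without a name")
        out.append(Component(c["name"], c.get("version", ""), c.get("purl")))
        out.extend(_walk_cdx_components(c.get("components", [])))
    return out


def parse_cyclonedx(doc: dict) -> List[Component]:
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("bomFormat is not CycloneDX")
    spec = str(doc.get("specVersion", ""))
    if spec not in SUPPORTED_CDX_VERSIONS:
        # Fail closed on versions the parser was never tested against.
        raise ValueError(f"unsupported CycloneDX specVersion {spec!r}")
    return _walk_cdx_components(doc.get("components", []))


def parse_spdx(doc: dict) -> List[Component]:
    if not str(doc.get("spdxVersion", "")).startswith("SPDX-2."):
        raise ValueError("not an SPDX 2.x document")
    out = []
    for p in doc.get("packages", []):
        # SPDX carries the PURL as an external reference, not a top-level field.
        purl = next((r.get("referenceLocator") for r in p.get("externalRefs", [])
                     if r.get("referenceType") == "purl"), None)
        out.append(Component(p["name"], p.get("versionInfo", ""), purl))
    return out


def write_cyclonedx(components: List[Component], spec_version: str = "1.5") -> dict:
    cdx = []
    for c in components:
        entry = {"type": "library", "name": c.name, "version": c.version}
        if c.purl:
            entry["purl"] = c.purl
        cdx.append(entry)
    return {"bomFormat": "CycloneDX", "specVersion": spec_version,
            "version": 1, "components": cdx}


def round_trips(doc: dict) -> bool:
    """Parse, write back, serialize, re-parse: the component list must be unchanged."""
    parsed = parse_cyclonedx(doc)
    again = json.loads(json.dumps(write_cyclonedx(parsed, doc["specVersion"])))
    return parse_cyclonedx(again) == parsed


# Constructed Syft-style CycloneDX 1.5 document with one nested component.
SYFT_CDX = {
    "bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1,
    "components": [
        {"type": "library", "name": "openssl", "version": "3.0.13",
         "purl": "pkg:deb/debian/openssl@3.0.13?arch=amd64",
         "components": [{"type": "library", "name": "libssl3", "version": "3.0.13",
                         "purl": "pkg:deb/debian/libssl3@3.0.13?arch=amd64"}]},
        {"type": "library", "name": "zlib1g", "version": "1:1.2.13.dfsg-1"},
    ],
}

# Constructed Trivy-style SPDX 2.3 document.
TRIVY_SPDX = {
    "spdxVersion": "SPDX-2.3", "SPDXID": "SPDXRef-DOCUMENT", "name": "example-image",
    "packages": [
        {"name": "curl", "SPDXID": "SPDXRef-Package-curl", "versionInfo": "8.5.0-2",
         "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                           "referenceLocator": "pkg:deb/debian/curl@8.5.0-2?arch=amd64"}]},
    ],
}

if __name__ == "__main__":
    print(parse_cyclonedx(SYFT_CDX))
    print(parse_spdx(TRIVY_SPDX))
    print("round trip ok:", round_trips(SYFT_CDX))
```

The round trip deliberately flattens the nested component: the check is that the set of (name, version, purl) triples survives the write, not that the document is byte-identical, which is the property the test plan's "validates against the schema" bullet is really after.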

Implementation Details

  • CycloneDX Parser:
    • src/Attestor/__Libraries/StellaOps.Attestor.StandardPredicates/Parsers/CycloneDxPredicateParser.cs - CycloneDxPredicateParser parsing CycloneDX SBOM documents
    • src/Attestor/__Libraries/StellaOps.Attestor.StandardPredicates/Parsers/CycloneDxPredicateParser.ExtractSbom.cs - SBOM extraction logic
    • src/Attestor/__Libraries/StellaOps.Attestor.StandardPredicates/Parsers/CycloneDxPredicateParser.ExtractMetadata.cs - Metadata extraction
  • SPDX Parser:
    • src/Attestor/__Libraries/StellaOps.Attestor.StandardPredicates/Parsers/SpdxPredicateParser.cs - SpdxPredicateParser parsing SPDX SBOM documents
    • src/Attestor/__Libraries/StellaOps.Attestor.StandardPredicates/Parsers/SpdxPredicateParser.ExtractSbom.cs - SBOM extraction logic
    • src/Attestor/__Libraries/StellaOps.Attestor.StandardPredicates/Parsers/SpdxPredicateParser.ExtractMetadata.cs - Metadata extraction
    • src/Attestor/__Libraries/StellaOps.Attestor.StandardPredicates/Parsers/SpdxPredicateParser.Validation.cs - Validation logic
  • SLSA Provenance Parser:
    • src/Attestor/__Libraries/StellaOps.Attestor.StandardPredicates/Parsers/SlsaProvenancePredicateParser.cs - SlsaProvenancePredicateParser parsing SLSA provenance attestations
    • src/Attestor/__Libraries/StellaOps.Attestor.StandardPredicates/Parsers/SlsaProvenancePredicateParser.ExtractMetadata.cs - Metadata extraction
    • src/Attestor/__Libraries/StellaOps.Attestor.StandardPredicates/Parsers/SlsaProvenancePredicateParser.Validation.cs - Validation logic
  • CycloneDX/SPDX Writers (for round-trip compatibility):
    • src/Attestor/__Libraries/StellaOps.Attestor.StandardPredicates/Writers/CycloneDxWriter.Convert.cs - CycloneDX output writer
    • src/Attestor/__Libraries/StellaOps.Attestor.StandardPredicates/Writers/SpdxWriter.Convert.cs - SPDX output writer

E2E Test Plan

  • Ingest a Syft-generated CycloneDX SBOM and verify all components are parsed with correct names, versions, and PURLs
  • Ingest a Trivy-generated SPDX SBOM and verify packages are extracted with correct metadata
  • Ingest a SLSA provenance attestation and verify build metadata (builder, source, materials) is correctly extracted
  • Verify round-trip compatibility: parse a CycloneDX SBOM, write it back, and verify the output validates against the CycloneDX schema
  • Verify VEX statements from third-party scanners are correctly normalized into the internal representation
  • Verify the parsers handle format variations across tool versions (e.g., CycloneDX 1.4 vs 1.5 vs 1.6)
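As an added example covering the SLSA and VEX bullets of the test plan (written for this page, not code from the StellaOps parsers), the block below extracts builder, source and materials from both the SLSA v0.2 and the SLSA v1 predicate layouts, so that two provenance documents describing the same build normalize to the same record, and maps CycloneDX `analysis.state` values onto the four OpenVEX statuses. The statements, URIs, digests and CVE identifiers are constructed placeholders; the `source.uri` key under SLSA v1 `externalParameters` is an assumption of this example, since that section is builder-defined.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed example, not StellaOps code: extract build metadata from SLSA
# provenance (v0.2 and v1 layouts) and normalize CycloneDX VEX analysis states.
SLSA_V02 = "https://slsa.dev/provenance/v0.2"
SLSA_V1 = "https://slsa.dev/provenance/v1"


@dataclass(frozen=True)
class BuildMetadata:
    builder_id: str
    build_type: str
    source: Optional[str]
    materials: Tuple[str, ...]


def extract_slsa(statement: dict) -> BuildMetadata:
    """Accept an in-toto statement whose predicate is SLSA v0.2 or v1."""
    ptype = statement.get("predicateType")
    pred = statement.get("predicate", {})
    if ptype == SLSA_V1:
        bd = pred.get("buildDefinition", {})
        # externalParameters is builder-defined; a {"source": {"uri": ...}} layout
        # is assumed here for the example.
        src = bd.get("externalParameters", {}).get("source")
        source = src.get("uri") if isinstance(src, dict) else None
        materials = tuple(d["uri"] for d in bd.get("resolvedDependencies", []) if "uri" in d)
        return BuildMetadata(pred["runDetails"]["builder"]["id"], bd.get("buildType", ""), source, materials)
    if ptype == SLSA_V02:
        cfg = pred.get("invocation", {}).get("configSource", {})
        materials = tuple(m["uri"] for m in pred.get("materials", []) if "uri" in m)
        return BuildMetadata(pred["builder"]["id"], pred.get("buildType", ""), cfg.get("uri"), materials)
    raise ValueError(f"unsupported predicateType {ptype!r}")


# CycloneDX impact-analysis states mapped onto the four OpenVEX statuses.
CDX_STATE_TO_STATUS = {
    "resolved": "fixed", "resolved_with_pedigree": "fixed",
    "exploitable": "affected", "in_triage": "under_investigation",
    "false_positive": "not_affected", "not_affected": "not_affected",
}


@dataclass(frozen=True)
class VexStatement:
    vuln_id: str
    product: str
    status: str
    justification: Optional[str]


def normalize_cyclonedx_vex(doc: dict) -> List[VexStatement]:
    out = []
    for v in doc.get("vulnerabilities", []):
        analysis = v.get("analysis") or {}
        # A missing or unrecognised state stays open (under_investigation); an
        # unknown state must never silently become not_affected.
        status = CDX_STATE_TO_STATUS.get(analysis.get("state"), "under_investigation")
        # A justification only has meaning for not_affected; drop it otherwise.
        just = analysis.get("justification") if status == "not_affected" else None
        for ref in v.get("affects", []):
            out.append(VexStatement(v["id"], ref["ref"], status, just))
    return out


# Constructed SLSA v1 statement (placeholder URIs, digests and ids).
SLSA_V1_STATEMENT = {
    "subject": [{"name": "registry.example/app:1.0", "digest": {"sha256": "ab" * 32}}],
    "predicateType": SLSA_V1,
    "predicate": {
        "buildDefinition": {
            "buildType": "https://builder.example/build/v1",
            "externalParameters": {"source": {"uri": "git+https://scm.example/org/app@refs/tags/v1.0"}},
            "resolvedDependencies": [{"uri": "git+https://scm.example/org/app", "digest": {"gitCommit": "0" * 40}}],
        },
        "runDetails": {"builder": {"id": "https://builder.example/runner/v1"}},
    },
}

# Constructed SLSA v0.2 statement describing the same build.
SLSA_V02_STATEMENT = {
    "subject": SLSA_V1_STATEMENT["subject"],
    "predicateType": SLSA_V02,
    "predicate": {
        "builder": {"id": "https://builder.example/runner/v1"},
        "buildType": "https://builder.example/build/v1",
        "invocation": {"configSource": {"uri": "git+https://scm.example/org/app@refs/tags/v1.0"}},
        "materials": [{"uri": "git+https://scm.example/org/app", "digest": {"sha1": "0" * 40}}],
    },
}

# Constructed CycloneDX VEX document; the CVE ids are placeholders, not real advisories.
CDX_VEX = {
    "bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1,
    "vulnerabilities": [
        {"id": "CVE-0000-00001", "affects": [{"ref": "pkg:deb/debian/openssl@3.0.13"}],
         "analysis": {"state": "not_affected", "justification": "code_not_reachable"}},
        {"id": "CVE-0000-00002", "affects": [{"ref": "pkg:deb/debian/curl@8.5.0-2"}],
         "analysis": {"state": "exploitable", "justification": "code_not_reachable"}},
        {"id": "CVE-0000-00003", "affects": [{"ref": "pkg:deb/debian/zlib1g@1.2.13"}]},
    ],
}
```

Two choices matter for a defender: the unknown-state default keeps a finding open rather than suppressing it, and a justification is only carried through for `not_affected`, which is the one status where OpenVEX expects one, so a stray justification on an `affected` finding cannot be misread downstream.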