- Implemented PolicyPackSelectorComponent for selecting policy packs.
- Added unit tests for component behavior, including API success and error handling.
- Introduced monaco-workers type declarations for editor workers.
- Created acceptance tests for guardrails with stubs for AT1–AT10.
- Established SCA Failure Catalogue Fixtures for regression testing.
- Developed plugin determinism harness with stubs for PL1–PL10.
- Added scripts for evidence upload and verification processes.
26 lines
919 B
Markdown
# SBOM→VEX Chain Hash Recipe (Stub)

Use with sprint task 6 (SBOM-VEX-GAPS-300-013).

- Inputs: sorted SBOM documents, VEX statements, DSSE envelopes, Rekor bundle snapshot.
- Hashing: deterministic ordering (UTF-8, LF), SHA-256 over concatenated canonical JSON.
- Chain: derive cumulative hash for (SBOM → DSSE → Rekor → VEX) and store in proof manifest.
- Offline: no network; bundle Rekor root + snapshot; include `inputs.lock` with tool versions.
Example (stub):

```bash
#!/usr/bin/env bash
# Stub: canonicalise each input (sorted keys, compact, LF-terminated) and
# hash the concatenation in the fixed order SBOM → DSSE → Rekor → VEX.
set -euo pipefail

sbom_files=(sbom.json)
vex_files=(vex.json)
dsse=envelope.dsse
rekor=rekor-bundle.json

# jq -S sorts object keys; -c emits one compact line per document, so the
# bytes that get hashed do not depend on the producer's whitespace or key order.
jq -S -c . "${sbom_files[@]}" > /tmp/sbom.canon
jq -S -c . "${vex_files[@]}" > /tmp/vex.canon
jq -S -c . "$dsse" > /tmp/dsse.canon
jq -S -c . "$rekor" > /tmp/rekor.canon

# Order matters: swapping any two stages yields a different chain hash.
cat /tmp/sbom.canon /tmp/dsse.canon /tmp/rekor.canon /tmp/vex.canon \
  | sha256sum | awk '{print $1}' > proof.chainhash
echo "chain-hash: $(cat proof.chainhash)"
```
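The bash stub hashes one flat concatenation; the "Chain" bullet above asks for a cumulative hash with a per-stage record in the proof manifest. The following is an added example (not part of the recipe or the project's code) that does that: it canonicalises each document as sorted-key, compact, UTF-8, LF-terminated JSON (an assumed reading of "canonical JSON" matching `jq -S -c`), chains the stage digests in the fixed order, and verifies a manifest offline. The sample documents and the `inputs_lock` values are constructed placeholders.

```python
import hashlib
import json

STAGES = ("sbom", "dsse", "rekor", "vex")  # fixed chain order from the recipe

# Constructed sample inputs; real runs read the SBOM, DSSE envelope, Rekor bundle and VEX files.
SAMPLE_INPUTS = {
    "sbom": {"bomFormat": "CycloneDX", "components": [{"name": "libexample", "version": "1.2.3"}]},
    "dsse": {"payloadType": "application/vnd.in-toto+json", "payload": "e30=", "signatures": []},
    "rekor": {"logIndex": 0, "rootHash": "placeholder-root", "treeSize": 1},
    "vex": {"product": "pkg:generic/libexample@1.2.3", "vulnerability": "PLACEHOLDER-ID", "status": "not_affected"},
}

def canonical_bytes(doc) -> bytes:
    """Sorted keys, no insignificant whitespace, UTF-8, single trailing LF."""
    text = json.dumps(doc, sort_keys=True, separators=(",", ":"), ensure_ascii=False)
    return (text + "\n").encode("utf-8")

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def chain_hash(inputs: dict) -> dict:
    """Cumulative hash: each stage digest covers the previous digest plus this stage's bytes."""
    prev = b""  # the first stage chains from an empty prefix
    stages = []
    for name in STAGES:
        canon = canonical_bytes(inputs[name])
        digest = sha256_hex(prev + canon)
        stages.append({"stage": name, "input_sha256": sha256_hex(canon), "cumulative_sha256": digest})
        prev = bytes.fromhex(digest)
    return {
        "order": list(STAGES),
        "stages": stages,
        "chain_sha256": prev.hex(),
        # Placeholder for the recipe's inputs.lock: pin tool versions alongside the hashes.
        "inputs_lock": {"canonicalization": "json-sorted-keys-compact-utf8-lf", "hash": "sha256"},
    }

def verify_manifest(manifest: dict, inputs: dict) -> bool:
    """Recompute the chain offline; any tampered stage or reordered chain fails."""
    if manifest.get("order") != list(STAGES):
        return False
    recomputed = chain_hash(inputs)
    return (recomputed["stages"] == manifest.get("stages")
            and recomputed["chain_sha256"] == manifest.get("chain_sha256"))

if __name__ == "__main__":
    print(json.dumps(chain_hash(SAMPLE_INPUTS), indent=2))
```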