git.stella-ops.org/docs/features/unchecked/concelier/full-sbom-extraction-with-enriched-parsedsbom-model.md
# Full SBOM Extraction with Enriched ParsedSbom Model

**Module:** Concelier

**Status:** IMPLEMENTED

## Description

Upgraded SBOM parser that extracts ALL fields from CycloneDX 1.7 and SPDX 3.0.1 (not just PURL/CPE). The enriched `ParsedSbom` model carries full SBOM data, including services, crypto properties, ML model metadata, build/formulation info, compositions, vulnerabilities, and dependencies, for downstream consumers (Scanner, Policy, etc.).

## Implementation Details

- Modules: `src/Concelier/__Libraries/StellaOps.Concelier.SbomIntegration/`
- Key Classes:
  - `ParsedSbomParser` (`src/Concelier/__Libraries/StellaOps.Concelier.SbomIntegration/Parsing/ParsedSbomParser.cs`): full SBOM extraction from CycloneDX 1.7 and SPDX 3.0.1 into the enriched model
  - `SbomAdvisoryMatcher` (`src/Concelier/__Libraries/StellaOps.Concelier.SbomIntegration/Matching/SbomAdvisoryMatcher.cs`): matches SBOM components against advisories
- Interfaces: `IParsedSbomParser`, `ISbomAdvisoryMatcher`
- Source: `SPRINT_20260119_015_Concelier_sbom_full_extraction.md`

## E2E Test Plan

- Parse a CycloneDX 1.7 SBOM and verify all fields are extracted (components, services, compositions, vulnerabilities, dependencies)
- Parse an SPDX 3.0.1 SBOM and verify the enriched model includes packages, relationships, and annotations
- Verify crypto properties extraction: an SBOM with crypto components has crypto metadata in the `ParsedSbom` model
- Verify ML model metadata: an SBOM with ML model components has model metadata extracted
- Verify downstream consumption: pass a `ParsedSbom` to `SbomAdvisoryMatcher` and verify advisory matching works with the enriched fields
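As an added illustration of the extraction the description and test plan call for (not the project's `ParsedSbomParser`, which is C#), the following Python parser pulls the enriched CycloneDX fields out of a constructed 1.7 document; field names follow the CycloneDX JSON schema, and the cross-check for undeclared `bom-ref`s is an assumption about what a downstream matcher would want to know before trusting `affects` and `dependsOn`.

```python
from dataclasses import dataclass

@dataclass
class ParsedSbom:
    components: dict       # bom-ref -> name/purl/cpe/cryptoProperties/modelCard
    services: list         # service names
    compositions: list     # raw compositions (aggregate completeness claims)
    vulnerabilities: list  # {id, affects: [bom-ref]}
    dependencies: dict     # bom-ref -> [bom-ref]
    dangling_refs: list    # bom-refs used by deps/vulns but never declared

def parse_cyclonedx(doc: dict) -> ParsedSbom:
    # Pull the enriched fields, not only purl/cpe, out of a CycloneDX JSON dict.
    comps = {}
    for c in doc.get("components", []):
        comps[c.get("bom-ref", c["name"])] = {
            "name": c["name"], "purl": c.get("purl"), "cpe": c.get("cpe"),
            "crypto": c.get("cryptoProperties"),  # cryptographic-asset components
            "model": c.get("modelCard"),          # machine-learning-model components
        }
    services = [s["name"] for s in doc.get("services", [])]
    deps = {d["ref"]: list(d.get("dependsOn", [])) for d in doc.get("dependencies", [])}
    vulns = [{"id": v["id"], "affects": [a["ref"] for a in v.get("affects", [])]}
             for v in doc.get("vulnerabilities", [])]
    # Cross-check (assumed policy): every ref used by the graph or a vulnerability
    # must be declared as a component, service, or the metadata root component.
    declared = set(comps) | {s.get("bom-ref") for s in doc.get("services", [])}
    declared.add(doc.get("metadata", {}).get("component", {}).get("bom-ref"))
    used = set(deps) | {r for lst in deps.values() for r in lst}
    used |= {r for v in vulns for r in v["affects"]}
    return ParsedSbom(comps, services, doc.get("compositions", []), vulns, deps,
                      sorted(used - declared))

# Constructed sample (not a real project SBOM); the vulnerability id is a placeholder.
SAMPLE = {
    "bomFormat": "CycloneDX", "specVersion": "1.7",
    "metadata": {"component": {"bom-ref": "app", "type": "application", "name": "app"}},
    "components": [
        {"bom-ref": "lodash", "type": "library", "name": "lodash",
         "purl": "pkg:npm/lodash@4.17.21"},
        {"bom-ref": "aes", "type": "cryptographic-asset", "name": "AES-256-GCM",
         "cryptoProperties": {"assetType": "algorithm"}},
        {"bom-ref": "clf", "type": "machine-learning-model", "name": "classifier",
         "modelCard": {"modelParameters": {"task": "classification"}}},
    ],
    "services": [{"bom-ref": "svc-auth", "name": "auth-api"}],
    "dependencies": [{"ref": "app", "dependsOn": ["lodash", "aes"]}],
    "compositions": [{"aggregate": "incomplete", "dependencies": ["app"]}],
    "vulnerabilities": [{"id": "PLACEHOLDER-0001",
                         "affects": [{"ref": "lodash"}, {"ref": "left-pad"}]}],
}
```

On the sample, `parse_cyclonedx(SAMPLE).dangling_refs` reports `left-pad`, the advisory target that no component declares, and `compositions[0]["aggregate"]` is `incomplete`, which a consumer should treat as "the dependency graph may be missing nodes" rather than as proof of absence.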