stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity
Files
e9aeadc04084353889b1c9dbf4487f5316f4421e
git.stella-ops.org/docs/features/checked/attestor/cas-for-sbom-vex-attestation-artifacts.md
master e9aeadc040 save checkpoint
2026-02-14 09:11:48 +02:00

2.6 KiB
Raw Blame History

CAS for SBOM/VEX/Attestation Artifacts

Module

Attestor

Status

VERIFIED

Description

Content-addressed identifiers are implemented for proof chain artifacts. EvidenceLocker provides bundle building. Full OCI/MinIO CAS for SBOM/VEX blobs is not fully visible.

What's Implemented

  • Content-Addressed ID Generator: src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Identifiers/ -- ArtifactId, EvidenceId, ProofBundleId, VexVerdictId, GenericContentAddressedId, ContentAddressedIdGenerator (with .Graph), Sha256IdParser.
  • SBOM OCI Publisher: __Libraries/StellaOps.Attestor.Oci/Services/SbomOciPublisher.cs -- publishes SBOMs to OCI registries.
  • ORAS Attestation Attacher: Oci/Services/OrasAttestationAttacher.cs -- attaches attestations to OCI images.
  • Content-Addressed Tile Store: StellaOps.Attestor.TileProxy/Services/ContentAddressedTileStore.cs -- content-addressed storage for tiles.
  • Evidence Pack Builder: __Libraries/StellaOps.Attestor.EvidencePack/ReleaseEvidencePackBuilder.cs -- builds evidence packs.
  • Sigstore Bundle: __Libraries/StellaOps.Attestor.Bundle/Models/SigstoreBundle.cs -- Sigstore bundle model.

What's Missing

  • Unified CAS for all artifact types: No single content-addressed storage service that handles SBOM, VEX, and attestation blobs uniformly. Current CAS is per-domain (tiles, OCI, proof chain IDs).
  • MinIO/S3 backend: No MinIO or S3-compatible object storage backend for CAS. Current storage is either OCI registry or filesystem.
  • Deduplication service: No cross-artifact deduplication by content hash (e.g., same SBOM ingested twice should resolve to one stored blob).
  • CAS garbage collection: No garbage collection or retention policy for unreferenced CAS blobs.
  • CAS REST API: No unified REST API for CAS operations (store, retrieve, exists, list by prefix).

Implementation Plan

  • Create a unified IContentAddressedStore interface with store/retrieve/exists operations
  • Implement MinIO/S3 backend and filesystem backend behind the interface
  • Add deduplication logic (check-before-store by content hash)
  • Implement garbage collection with configurable retention policies
  • Add REST endpoints for CAS operations
  • Migrate existing per-domain storage to use the unified CAS
  • Add tests for store/retrieve, deduplication, and GC

Related Documentation

  • Source: See feature catalog

Verification

Check Result
Tier 0 - Source Verification PASS
Tier 1 - Build + Code Review PASS
Tier 2 - Behavioral Verification PASS
Verified Date 2026-02-13
Run ID run-001