stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity
Files
e9aeadc04084353889b1c9dbf4487f5316f4421e
git.stella-ops.org/docs/features/checked/attestor/content-addressed-ids-for-sbom-components.md
master e9aeadc040 save checkpoint
2026-02-14 09:11:48 +02:00

2.4 KiB
Raw Blame History

Content-Addressed IDs for SBOM Components (bom-ref)

Module

Attestor

Status

VERIFIED

Description

Content-addressed ID generator with SBOM entry IDs and CycloneDX subject extraction for deterministic component referencing.

Implementation Details

  • SbomEntryId: src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Identifiers/SbomEntryId.cs -- content-addressed ID type for SBOM entries, ensuring deterministic bom-ref values.
  • Content-Addressed ID Generator: ContentAddressedIdGenerator.cs -- generates SHA-256 based IDs from canonical SBOM component content.
  • CycloneDX Subject Extractor: __Libraries/StellaOps.Attestor.ProofChain/Sbom/CycloneDxSubjectExtractor.cs -- implements ISbomSubjectExtractor. Extracts subjects from CycloneDX SBOM for attestation.
  • Component Ref Extractor: __Libraries/StellaOps.Attestor.ProofChain/Linking/ComponentRefExtractor.cs (with .Resolution, .Spdx partials) -- extracts component references from SBOMs for cross-linking. SbomExtractionResult.cs -- extraction result model.
  • SBOM Canonicalization: src/Attestor/__Libraries/StellaOps.Attestor.StandardPredicates/Canonicalization/SbomCanonicalizer.cs (with .Elements) -- deterministic element ordering for stable ID generation.
  • Tests: __Tests/StellaOps.Attestor.ProofChain.Tests/ContentAddressedIdTests.cs, ContentAddressedIdGeneratorTests.cs

E2E Test Plan

  • Generate SbomEntryId for a CycloneDX component with name, version, and PURL and verify deterministic ID
  • Generate IDs for two components with same content but different field ordering and verify IDs match (canonicalization)
  • Extract subjects from a CycloneDX SBOM via CycloneDxSubjectExtractor and verify each component has a content-addressed subject ID
  • Extract component references via ComponentRefExtractor and verify bom-ref values are content-addressed
  • Extract SPDX component references via ComponentRefExtractor.Spdx and verify deterministic SPDX IDs
  • Canonicalize an SBOM via SbomCanonicalizer, generate content-addressed IDs, and verify stability across invocations
  • Modify a single component field and verify the SbomEntryId changes

Verification

Check Result
Tier 0 - Source Verification PASS
Tier 1 - Build + Code Review PASS
Tier 2 - Behavioral Verification PASS
Verified Date 2026-02-13
Run ID run-001