git.stella-ops.org/docs/features/checked/attestor/cvss-v4-0-cyclonedx-1-7-slsa-v1-2-scanner-convergence.md
2026-02-14 09:11:48 +02:00


CVSS v4.0 + CycloneDX 1.7 + SLSA v1.2 Scanner Convergence

Module

Attestor

Status

VERIFIED

Description

The scanner stack supports CVSS v4.0 scoring, CycloneDX output (including crypto metadata), and SLSA provenance predicate types. The Signer module includes a statement builder for SLSA provenance together with integration tests.

Implementation Details

  • CycloneDX Writer: src/Attestor/__Libraries/StellaOps.Attestor.StandardPredicates/Writers/CycloneDxWriter.cs -- comprehensive CycloneDX writer with 40+ partial files covering all elements:
    • .Components, .Services, .Vulnerabilities -- core SBOM elements
    • .Crypto, .CryptoCertificates, .CryptoMaterial -- crypto metadata support
    • .Attestation Maps, .Claims, .Declarations -- attestation elements
    • .Formulation, .Evidence -- build provenance and evidence
    • .Validation -- output validation
  • CycloneDX Parser: Parsers/CycloneDxPredicateParser.cs (with .ExtractMetadata, .ExtractSbom, .Validation, .SerialNumber) -- parses CycloneDX predicates.
  • SLSA Provenance Parser: Parsers/SlsaProvenancePredicateParser.cs (with .ExtractMetadata, .Validation) -- parses SLSA v1.x provenance predicates.
  • SLSA Schema Validator: Validation/SlsaSchemaValidator.cs (with .BuildDefinition, .Helpers, .Level, .RunDetails) -- validates SLSA provenance against schema.
  • SPDX 3.0.1 Build Attestation: src/Attestor/__Libraries/StellaOps.Attestor.Spdx3/BuildAttestationMapper.cs -- maps build attestation to SPDX 3.0.1.
  • Standard Predicate Registry: StandardPredicateRegistry.cs -- registers all supported predicate types including SLSA.
  • Tests: __Tests/StellaOps.Attestor.StandardPredicates.Tests/ -- CycloneDX, SPDX, and SLSA tests, including Parsers/SlsaProvenancePredicateParserTests.cs and Validation/SlsaSchemaValidatorTests.cs.

E2E Test Plan

  • Write a CycloneDX SBOM with crypto metadata (algorithm properties, key material) and verify crypto elements are correctly serialized
  • Parse a CycloneDX SBOM with vulnerabilities containing CVSS v4.0 scores and verify score extraction
  • Parse an SLSA provenance predicate and verify build definition, run details, and materials are extracted
  • Validate an SLSA provenance predicate against SlsaSchemaValidator and verify it passes for a well-formed predicate
  • Validate an SLSA predicate missing required fields and verify schema validation reports specific errors
  • Map an SLSA provenance to SPDX 3.0.1 build attestation via BuildAttestationMapper and verify the mapping preserves build materials
  • Verify StandardPredicateRegistry returns correct parsers for CycloneDX, SPDX, and SLSA predicate types
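The following is an added, stand-alone illustration of two of the checks in the plan above (CVSS v4.0 score extraction from CycloneDX vulnerabilities, and SLSA v1 required-field validation that reports specific errors). It is not StellaOps code and does not call the Attestor library; field names follow the public SLSA v1 provenance and CycloneDX schemas, and every id, URI and digest in the samples is constructed for this example.

```python
"""Added example, not StellaOps code: SLSA v1 required-field validation and
CycloneDX CVSS v4.0 score extraction, run against constructed sample documents.
Field names follow the public SLSA v1 and CycloneDX schemas; sample values are fictitious."""
import json

SLSA_V1_PREDICATE_TYPE = "https://slsa.dev/provenance/v1"

# Fields the SLSA v1 provenance spec marks REQUIRED, as dotted paths into `predicate`.
SLSA_V1_REQUIRED = (
    "buildDefinition.buildType",
    "buildDefinition.externalParameters",
    "runDetails.builder.id",
)


def _lookup(obj, dotted):
    """Walk a dotted path through nested dicts; None if any hop is missing."""
    cur = obj
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def validate_slsa_v1(statement):
    """Return a list of specific error strings; an empty list means well-formed."""
    errors = []
    if statement.get("predicateType") != SLSA_V1_PREDICATE_TYPE:
        errors.append(f"predicateType must be {SLSA_V1_PREDICATE_TYPE}")
    pred = statement.get("predicate")
    if not isinstance(pred, dict):
        return errors + ["predicate is missing or not an object"]
    for path in SLSA_V1_REQUIRED:
        if _lookup(pred, path) is None:
            errors.append(f"missing required field predicate.{path}")
    # Materials: each resolved dependency must be identifiable by uri or digest.
    deps = _lookup(pred, "buildDefinition.resolvedDependencies") or []
    for i, dep in enumerate(deps):
        if not isinstance(dep, dict) or not (dep.get("uri") or dep.get("digest")):
            errors.append(f"resolvedDependencies[{i}] has neither uri nor digest")
    return errors


def extract_slsa_build(statement):
    """Return (buildType, builder id, [material uris]) from a well-formed statement."""
    pred = statement["predicate"]
    deps = _lookup(pred, "buildDefinition.resolvedDependencies") or []
    return (
        _lookup(pred, "buildDefinition.buildType"),
        _lookup(pred, "runDetails.builder.id"),
        [d.get("uri") for d in deps],
    )


def extract_cvss4_scores(bom):
    """Map vulnerability id -> CVSS v4.0 base score, ignoring other rating methods."""
    scores = {}
    for vuln in bom.get("vulnerabilities", []):
        for rating in vuln.get("ratings", []):
            if rating.get("method") == "CVSSv4" and "score" in rating:
                scores[vuln["id"]] = float(rating["score"])
    return scores


# Constructed sample: a well-formed SLSA v1 statement (all values fictitious).
GOOD_PROVENANCE = json.loads("""{
  "_type": "https://in-toto.io/Statement/v1",
  "predicateType": "https://slsa.dev/provenance/v1",
  "predicate": {
    "buildDefinition": {
      "buildType": "https://example.com/buildtypes/container/v1",
      "externalParameters": {"source": "https://example.com/repo.git"},
      "resolvedDependencies": [
        {"uri": "git+https://example.com/repo.git", "digest": {"gitCommit": "abc"}}
      ]
    },
    "runDetails": {"builder": {"id": "https://example.com/builders/ci/v1"}}
  }
}""")

# Constructed sample: the same statement with two REQUIRED fields removed and a bad material.
BAD_PROVENANCE = json.loads(json.dumps(GOOD_PROVENANCE))
del BAD_PROVENANCE["predicate"]["buildDefinition"]["externalParameters"]
del BAD_PROVENANCE["predicate"]["runDetails"]["builder"]["id"]
BAD_PROVENANCE["predicate"]["buildDefinition"]["resolvedDependencies"].append({"name": "x"})

# Constructed sample: a CycloneDX BOM fragment with CVSS v3.1 and v4.0 ratings on one entry.
SAMPLE_BOM = json.loads("""{
  "bomFormat": "CycloneDX", "specVersion": "1.7",
  "vulnerabilities": [
    {"id": "EXAMPLE-VULN-1", "ratings": [
      {"method": "CVSSv31", "score": 7.5},
      {"method": "CVSSv4", "score": 8.7, "severity": "high",
       "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"}]},
    {"id": "EXAMPLE-VULN-2", "ratings": [{"method": "other", "score": 5.0}]}
  ]
}""")

if __name__ == "__main__":
    print("good:", validate_slsa_v1(GOOD_PROVENANCE))
    print("bad:", validate_slsa_v1(BAD_PROVENANCE))
    print("build:", extract_slsa_build(GOOD_PROVENANCE))
    print("cvss4:", extract_cvss4_scores(SAMPLE_BOM))
```

The validator returns every problem it finds rather than stopping at the first, which is what the "reports specific errors" step in the plan needs from a schema check; the CVSS extractor deliberately keys on the rating method so that v3.1 and vendor-specific ratings on the same vulnerability are not mistaken for v4.0 scores.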

Verification

| Check | Result |
| --- | --- |
| Tier 0 - Source Verification | PASS |
| Tier 1 - Build + Code Review | PASS |
| Tier 2 - Behavioral Verification | PASS |
| Verified Date | 2026-02-13 |
| Run ID | run-001 |