stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity
Files
e9aeadc04084353889b1c9dbf4487f5316f4421e
git.stella-ops.org/docs/features/checked/attestor/cyclonedx-1-6-and-spdx-3-0-1-full-sbom-support.md
master e9aeadc040 save checkpoint
2026-02-14 09:11:48 +02:00

3.5 KiB
Raw Blame History

CycloneDX 1.6 and SPDX 3.0.1 Full SBOM Support (Parsers, Writers, Attestation)

Module

Attestor

Status

VERIFIED

Description

Comprehensive CycloneDX 1.6 and SPDX 3.0.1 parsers and writers supporting all major SBOM elements: components, services, vulnerabilities, crypto, attestation maps, declarations, evidence, formulation, and more. Includes predicate parsers with metadata extraction and validation, SPDX 3.0 build attestation mappers, and CycloneDX VEX normalizer. 40+ partial class files for CycloneDX alone.

Implementation Details

  • CycloneDX Writer: src/Attestor/__Libraries/StellaOps.Attestor.StandardPredicates/Writers/CycloneDxWriter.cs -- 40+ partial files:
    • Core: .Convert, .Validation, .Metadata, .SerialNumber
    • Components: .Components, .Dependencies, .Pedigree, .Swid
    • Services: .Services
    • Vulnerabilities: .Vulnerabilities
    • Crypto: .Crypto, .CryptoCertificates, .CryptoMaterial
    • Attestation: .AttestationMaps, .Claims, .Declarations, .DeclarationTargets, .Definitions
    • Evidence: .Evidence, .EvidenceOccurrences
    • Formulation: .Formulation, .InputsOutputs, .Tasks
    • Compliance: .Compositions, .Considerations, .Environmental
    • DTOs: .DtoBom, .DtoComponent, .DtoService, .DtoVulnerability, .DtoCrypto, etc.
  • SPDX Writer: SpdxWriter.cs -- 50+ partial files covering all SPDX 3.0.1 profiles: .Packages, .FileElement, .Snippets, .Relationships, .Licensing, .Vulnerabilities, .Builds, .Assessments, .AiPackage, .DatasetPackage, .Agents, .Signatures, etc.
  • CycloneDX Parser: Parsers/CycloneDxPredicateParser.cs (with .ExtractMetadata, .ExtractSbom, .Validation, .SerialNumber)
  • SPDX Parser: Parsers/SpdxPredicateParser.cs (with .ExtractMetadata, .ExtractSbom, .Validation)
  • SBOM Models: Models/ -- 106 model files: SbomComponent, SbomService, SbomVulnerability, SbomDocument, etc.
  • SBOM Canonicalizer: Canonicalization/SbomCanonicalizer.cs (with .Elements)
  • License Expression Parser: Licensing/SpdxLicenseExpressionParser.cs (with partials)
  • Tests: __Tests/StellaOps.Attestor.StandardPredicates.Tests/ -- 25+ test files including CycloneDx/SpdxDeterminismTests, SchemaValidationTests, ParserTests, WriterProfileTests

E2E Test Plan

  • Write a CycloneDX 1.6 SBOM with components, services, and vulnerabilities via CycloneDxWriter.Convert and verify all elements are present in the output
  • Write an SPDX 3.0.1 document with packages, files, snippets, and relationships via SpdxWriter.Convert and verify all profiles are populated
  • Parse a CycloneDX SBOM via CycloneDxPredicateParser and verify metadata extraction (serial number, version, timestamp)
  • Parse an SPDX SBOM via SpdxPredicateParser and verify package extraction with licensing info
  • Write a CycloneDX SBOM with crypto properties and verify crypto algorithm and certificate elements
  • Write an SPDX document with AI/ML profiles (AiPackage, DatasetPackage) and verify profile elements
  • Round-trip test: write CycloneDX -> parse -> write again and verify deterministic output
  • Round-trip test: write SPDX -> parse -> write again and verify deterministic output
  • Verify license expression parsing for complex SPDX expressions (e.g., (MIT OR Apache-2.0) AND BSD-3-Clause)

Verification

Check Result
Tier 0 - Source Verification PASS
Tier 1 - Build + Code Review PASS
Tier 2 - Behavioral Verification PASS
Verified Date 2026-02-13
Run ID run-001