git.stella-ops.org/docs/features/checked/attestor/deterministic-sbom-canonicalization.md
2026-02-14 09:11:48 +02:00

Deterministic SBOM Canonicalization (RFC 8785 JCS)

Module: Attestor
Status: VERIFIED

Description

Deterministic SBOM canonicalization using the full RFC 8785 JSON Canonicalization Scheme (JCS): decimal point handling, ECMAScript-compatible number serialization, RFC 8785 string escaping, property ordering by UTF-16 code units, and reproducible transforms between SPDX and CycloneDX. Verified by property-based determinism tests.

Implementation Details

  • SBOM Canonicalizer: src/Attestor/__Libraries/StellaOps.Attestor.StandardPredicates/Canonicalization/SbomCanonicalizer.cs (with .Elements partial) -- implements ISbomCanonicalizer. Orders SBOM elements deterministically for stable hashing.
  • RFC 8785 Canonicalizer: src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Json/Rfc8785JsonCanonicalizer.cs -- implements IJsonCanonicalizer with partials:
    • .DecimalPoint -- handles decimal point normalization
    • .NumberSerialization -- IEEE 754 double serialization in the ECMAScript Number-to-string format that RFC 8785 requires (shortest round-trip digits, no trailing ".0", -0 emitted as 0, exponent form only outside the 1e-6 .. 1e21 range; NaN and Infinity are not representable)
    • .StringNormalization -- string escape normalization per RFC 8785: escapes in the input are decoded, and on output only `"`, `\` and the control characters U+0000..U+001F are escaped (shorthand forms where they exist, otherwise lowercase `\u00xx`); all other characters, including non-ASCII, are written as literal UTF-8. RFC 8785 prescribes escape canonicalization only, not Unicode NFC/NFD normalization of string content
    • .WriteMethods -- low-level write methods
  • JSON Canonicalizer (StandardPredicates): __Libraries/StellaOps.Attestor.StandardPredicates/JsonCanonicalizer.cs -- additional canonicalizer for standard predicates.
  • JSON Canonicalizer (TrustVerdict): __Libraries/StellaOps.Attestor.TrustVerdict/JsonCanonicalizer.cs -- canonicalizer for trust verdict payloads.
  • CycloneDX Determinism Tests: __Tests/StellaOps.Attestor.StandardPredicates.Tests/CycloneDxDeterminismTests.cs
  • SPDX Determinism Tests: SpdxDeterminismTests.cs
  • JSON Canonicalizer Tests: JsonCanonicalizerTests.cs (in both ProofChain and StandardPredicates test projects)

E2E Test Plan

  • Canonicalize a CycloneDX SBOM via SbomCanonicalizer, hash the output, canonicalize again, and verify identical hashes
  • Canonicalize an SPDX SBOM, hash, re-canonicalize, and verify identical hashes
  • Apply Rfc8785JsonCanonicalizer to JSON with unordered keys and verify that property names are ordered by UTF-16 code unit values as RFC 8785 requires (not locale collation, and not code-point or UTF-8 byte order, which differ for names containing characters outside the Basic Multilingual Plane)
  • Canonicalize JSON with floating-point edge cases (e.g., 1.0 -> 1, -0.0 -> 0, 1e10 -> 10000000000, 1e21 -> 1e+21, 1e-7 -> 1e-7) and verify ECMAScript-style serialization of the IEEE 754 value; NaN and Infinity must be rejected
  • Canonicalize JSON with Unicode escapes (e.g., \u0041) and verify they are decoded to literal characters in the UTF-8 output, with only `"`, `\` and U+0000..U+001F left escaped (lowercase hex for \u00xx)
  • Create two SBOMs with identical content but different component ordering, canonicalize both, and verify identical output (JCS itself preserves array order, so this exercises the SBOM-level element ordering in SbomCanonicalizer, not the JSON canonicalizer)
  • Verify CycloneDX and SPDX round-trip: parse -> write -> parse -> canonicalize yields byte-identical output
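The checks in the plan above (UTF-16 key order, ECMAScript number formatting, escape handling, and the need for a separate SBOM-level ordering pass because JCS never reorders arrays) can be exercised with a small pure-Python RFC 8785 canonicalizer. This is an added example, not code from the StellaOps Attestor (whose canonicalizers are C#): the two sample CycloneDX-style documents are constructed, and the (purl, name, version) component sort key is an assumption standing in for whatever rule SbomCanonicalizer applies.

```python
# Pure-Python RFC 8785 (JCS) canonicalizer plus an assumed SBOM ordering pass.
import hashlib
import json
import math
from decimal import Decimal
from typing import Any


def _es6_number(x: float) -> str:
    """Format an IEEE 754 double like ECMAScript Number::toString (RFC 8785 3.2.2.3)."""
    if math.isnan(x) or math.isinf(x):
        raise ValueError("NaN/Infinity are not representable in JSON")
    if x == 0.0:
        return "0"  # -0.0 collapses to 0
    sign = "-" if x < 0 else ""
    # repr() already picks the shortest digit string that round-trips, which is the
    # digit selection ECMAScript mandates; Decimal exposes those digits and exponent.
    t = Decimal(repr(abs(x))).normalize().as_tuple()
    digits = "".join(str(d) for d in t.digits)
    k = len(digits)
    n = t.exponent + k  # value == 0.<digits> * 10**n
    if k <= n <= 21:
        return sign + digits + "0" * (n - k)
    if 0 < n <= 21:
        return sign + digits[:n] + "." + digits[n:]
    if -6 < n <= 0:
        return sign + "0." + "0" * (-n) + digits
    e = n - 1
    exp = f"e{'+' if e >= 0 else '-'}{abs(e)}"
    return sign + (digits if k == 1 else digits[0] + "." + digits[1:]) + exp


_SHORT_ESCAPES = {'"': '\\"', "\\": "\\\\", "\b": "\\b", "\f": "\\f",
                  "\n": "\\n", "\r": "\\r", "\t": "\\t"}


def _es6_string(s: str) -> str:
    """Escape only '"', '\\' and U+0000..U+001F; everything else stays literal UTF-8."""
    out = ['"']
    for ch in s:
        if ch in _SHORT_ESCAPES:
            out.append(_SHORT_ESCAPES[ch])
        elif ord(ch) < 0x20:
            out.append(f"\\u{ord(ch):04x}")  # lowercase hex, per RFC 8785
        else:
            out.append(ch)
    out.append('"')
    return "".join(out)


def canonicalize(value: Any) -> str:
    """Serialize a parsed JSON value in RFC 8785 canonical form."""
    if value is None:
        return "null"
    if value is True:
        return "true"
    if value is False:
        return "false"
    if isinstance(value, (int, float)):
        return _es6_number(float(value))  # JCS numbers are doubles: 2**53+1 loses precision
    if isinstance(value, str):
        return _es6_string(value)
    if isinstance(value, list):
        return "[" + ",".join(canonicalize(v) for v in value) + "]"  # arrays keep their order
    if isinstance(value, dict):
        # Property names sort by UTF-16 code units; bytewise order of the UTF-16BE
        # encoding gives exactly that, whereas sorting str objects uses code points.
        items = sorted(value.items(), key=lambda kv: kv[0].encode("utf-16-be"))
        return "{" + ",".join(_es6_string(k) + ":" + canonicalize(v) for k, v in items) + "}"
    raise TypeError(f"unsupported JSON value: {type(value).__name__}")


def canonical_sha256(doc: str) -> str:
    """SHA-256 of the canonical UTF-8 bytes of a JSON text (JCS only)."""
    return hashlib.sha256(canonicalize(json.loads(doc)).encode("utf-8")).hexdigest()


def order_cyclonedx_components(sbom: dict) -> dict:
    """Assumed SBOM-level ordering pass (the sort key is this example's choice,
    not the project's rule): JCS leaves arrays alone, so a canonicalizer has to
    fix component order before hashing."""
    ordered = dict(sbom)
    ordered["components"] = sorted(
        sbom.get("components", []),
        key=lambda c: (c.get("purl", ""), c.get("name", ""), c.get("version", "")),
    )
    return ordered


def canonical_sbom_sha256(doc: str) -> str:
    """Hash a CycloneDX-style document after component ordering and JCS."""
    canon = canonicalize(order_cyclonedx_components(json.loads(doc)))
    return hashlib.sha256(canon.encode("utf-8")).hexdigest()


# Constructed sample: the same two components with shuffled key order, swapped
# component order, a needless \u escape, and "version":1.0 versus 1.
SBOM_A = r'{"bomFormat":"CycloneDX","specVersion":"1.5","version":1.0,"components":[{"type":"library","name":"zlib","version":"1.3.1","purl":"pkg:generic/zlib@1.3.1"},{"type":"library","name":"openssl","version":"3.0.13","purl":"pkg:generic/openssl@3.0.13"}]}'
SBOM_B = r'{"components":[{"purl":"pkg:generic/openssl@3.0.13","version":"3.0.13","name":"openssl","type":"library"},{"purl":"pkg:generic/zlib@1.3.1","name":"zlib","type":"library","version":"1.3.1"}],"version":1,"specVersion":"1.5","bomFormat":"\u0043ycloneDX"}'

if __name__ == "__main__":
    print(canonicalize(order_cyclonedx_components(json.loads(SBOM_A))))
    print(canonical_sbom_sha256(SBOM_A) == canonical_sbom_sha256(SBOM_B))  # True
    print(canonical_sha256(SBOM_A) == canonical_sha256(SBOM_B))  # False: JCS alone keeps array order
```

Two design points matter for an attestation pipeline. Sorting by `encode("utf-16-be")` rather than by `str` is what makes the output interoperable with other JCS implementations when a property name contains a character outside the BMP; a canonicalizer that sorts by code point will produce a different byte string and therefore a different hash. And because JCS deliberately preserves array order, the SBOM-level ordering step is not optional: the last print shows two semantically identical SBOMs hashing differently when only JCS is applied.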

Verification

| Check | Result |
| --- | --- |
| Tier 0 - Source Verification | PASS |
| Tier 1 - Build + Code Review | PASS |
| Tier 2 - Behavioral Verification | PASS |

Verified Date: 2026-02-13
Run ID: run-001