High-Fidelity SBOM Support (CycloneDX/SPDX)
Module: Attestor
Status: VERIFIED
Description
Comprehensive SBOM support with a dedicated service, full CycloneDX and SPDX 2.x/3.x parsers and writers, plus a UI for SBOM browsing. Extensive coverage of components, vulnerabilities, licensing, relationships, and more.
Implementation Details
- CycloneDX Parser: src/Attestor/__Libraries/StellaOps.Attestor.StandardPredicates/Parsers/CycloneDxPredicateParser.cs (with .ExtractMetadata, .ExtractSbom, .SerialNumber, .Validation) -- parses CycloneDX 1.6 BOMs into the internal SBOM model.
- SPDX Parser: Parsers/SpdxPredicateParser.cs (with .ExtractMetadata, .ExtractSbom, .Validation) -- parses SPDX 2.x/3.x documents into the internal SBOM model.
- CycloneDX Writer: Writers/CycloneDxWriter.cs (with 50+ partials: .Components, .Vulnerabilities, .Dependencies, .Licensing, .Services, .Compositions, .Formulation, .Crypto, .Evidence, .Declarations, .ModelCard, .Pedigree, .ReleaseNotes, .Signature, .Metadata, .Validation, etc.) -- comprehensive CycloneDX output.
- SPDX Writer: Writers/SpdxWriter.cs (with 40+ partials: .Packages, .Relationships, .Licensing, .Document, .Agents, .Builds, .Assessments, .Vulnerabilities, .Profiles, .Signatures, .Extensions, .Hashing, etc.) -- comprehensive SPDX 3.0.1 output.
- SBOM Models: Models/SbomDocument.cs (with .Collections) -- internal SBOM document model; SbomService.cs (with .Collections) -- service models.
- Licensing: Licensing/SpdxLicenseExpressionParser.cs (with .InnerTypes, .Token, .Validation) -- full SPDX license expression parser; SpdxLicenseExpressionRenderer.cs -- renders license expressions back to strings.
- SBOM Canonicalizer: Canonicalization/SbomCanonicalizer.Elements.cs -- deterministic ordering for SBOM elements.
- SLSA Provenance Parser: Parsers/SlsaProvenancePredicateParser.cs (with .ExtractMetadata, .Validation) -- parses SLSA provenance predicates.
- SPDX 3 Build Attestation: __Libraries/StellaOps.Attestor.Spdx3/BuildAttestationMapper.cs (with .MapFromSpdx3, .MapToSpdx3) -- maps build attestations between SPDX 3 and the internal models.
- Tests: __Tests/StellaOps.Attestor.StandardPredicates.Tests/
E2E Test Plan
- Parse a CycloneDX 1.6 BOM via CycloneDxPredicateParser and verify all components, vulnerabilities, and dependencies are extracted.
- Parse an SPDX 3.0.1 document via SpdxPredicateParser and verify packages, relationships, and licensing are extracted.
- Round-trip: parse a CycloneDX BOM, write it back via CycloneDxWriter, re-parse, and verify semantic equivalence (equivalent content, not byte equality).
- Round-trip: parse an SPDX document, write it back via SpdxWriter, re-parse, and verify semantic equivalence (equivalent content, not byte equality).
- Parse a complex SPDX license expression (e.g., (MIT OR Apache-2.0) AND GPL-3.0-only) via SpdxLicenseExpressionParser and verify the parsed tree structure; in particular that AND binds tighter than OR, so the parenthesised OR is the left operand of the AND and the same expression without parentheses yields a different tree.
- Verify CycloneDxWriter handles all CycloneDX 1.6 sections: crypto, formulation, declarations, model cards, attestation maps.
- Parse an SLSA provenance predicate via SlsaProvenancePredicateParser and verify build materials and builder info are extracted.
- Canonicalize an SBOM via SbomCanonicalizer and verify deterministic output regardless of input element ordering.
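Illustrative example for the Licensing entry above and the license-expression item in the test plan. This is added example code in Python, not the project's SpdxLicenseExpressionParser or SpdxLicenseExpressionRenderer (those are C#, and their internals are not described on this page). It shows the tree a precedence-aware parser must produce for (MIT OR Apache-2.0) AND GPL-3.0-only, a renderer that emits only the parentheses precedence requires, and an order-independent form usable for a semantic-equivalence round-trip check. Precedence follows the SPDX license expression grammar (WITH, then AND, then OR); accepting the operator keywords in any letter case is this example's own choice.

```python
import re
from dataclasses import dataclass
from typing import Optional
# Added example, not StellaOps code. Precedence follows the SPDX license expression grammar
# (WITH binds tightest, then AND, then OR; parentheses override). SPDX ids are case-insensitive,
# so normalize() lower-cases them; accepting operator keywords in any case is this example's choice.
_KEYWORDS = {"AND", "OR", "WITH"}
_PREC = {"OR": 1, "AND": 2}
_TOKEN_RE = re.compile(r"\(|\)|[A-Za-z0-9.\-:]+\+?")  # ( ) MIT GPL-2.0+ LicenseRef-x DocumentRef-a:LicenseRef-b

@dataclass(frozen=True)
class License:
    id: str
    exception: Optional[str] = None  # set by "<id> WITH <exception-id>"

@dataclass(frozen=True)
class Op:
    op: str  # "AND" or "OR"
    left: "License | Op"
    right: "License | Op"

def tokenize(text):
    tokens = _TOKEN_RE.findall(text)
    if "".join(tokens) != "".join(text.split()):  # anything left over is not a valid token
        raise ValueError(f"invalid characters in license expression: {text!r}")
    return tokens

def _is_id(tok):
    return tok is not None and tok not in ("(", ")") and tok.upper() not in _KEYWORDS

class _Parser:
    # Recursive descent, one method per precedence level: OR < AND < WITH < primary.
    def __init__(self, tokens):
        self.toks, self.i = tokens, 0
    def _peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None
    def _take(self):
        tok, self.i = self._peek(), self.i + 1
        return tok
    def _at(self, keyword):
        return self._peek() is not None and self._peek().upper() == keyword
    def parse(self):
        node = self._or()
        if self._peek() is not None:  # stray ")" or a doubled operator
            raise ValueError(f"unexpected token {self._peek()!r}")
        return node
    def _or(self):
        node = self._and()
        while self._at("OR"):
            self._take()
            node = Op("OR", node, self._and())
        return node
    def _and(self):
        node = self._with()
        while self._at("AND"):
            self._take()
            node = Op("AND", node, self._with())
        return node
    def _with(self):
        node = self._primary()
        if self._at("WITH"):  # attaches an exception to one license id, never to a compound expression
            self._take()
            exc = self._take()
            if not isinstance(node, License) or node.exception is not None or not _is_id(exc):
                raise ValueError("WITH must follow a single license id and name an exception id")
            node = License(node.id, exc)
        return node
    def _primary(self):
        tok = self._take()
        if tok == "(":
            node = self._or()
            if self._take() != ")":
                raise ValueError("missing closing parenthesis")
            return node
        if not _is_id(tok):
            raise ValueError(f"expected a license id, got {tok!r}")
        return License(tok)

def parse_expression(text):
    return _Parser(tokenize(text)).parse()

def render(expr):
    """Back to text with only the parentheses that precedence requires."""
    if isinstance(expr, License):
        return expr.id if expr.exception is None else f"{expr.id} WITH {expr.exception}"
    def side(child):
        text = render(child)
        return f"({text})" if isinstance(child, Op) and _PREC[child.op] < _PREC[expr.op] else text
    return f"{side(expr.left)} {expr.op} {side(expr.right)}"

def normalize(expr):
    """Order-independent form (flattened associative chains, lower-cased ids, sorted operands)."""
    if isinstance(expr, License):
        return ("LIC", expr.id.lower(), (expr.exception or "").lower())
    operands, stack = [], [expr.left, expr.right]
    while stack:
        node = stack.pop()
        if isinstance(node, Op) and node.op == expr.op:
            stack.extend((node.left, node.right))
        else:
            operands.append(normalize(node))
    return (expr.op, tuple(sorted(operands)))
```

The expression with parentheses and the same expression without them parse to different trees, which is exactly what the tree-structure check should assert; comparing rendered strings alone would not catch a parser that ignores precedence. normalize() is the right comparison for the round-trip check, since a renderer is free to drop redundant parentheses and reorder operands of an associative operator.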
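Illustrative example for the SBOM Canonicalizer entry above and the canonicalization and round-trip items in the test plan. This is added example code in Python, not the project's SbomCanonicalizer (its ordering rules are not described on this page). It canonicalizes a CycloneDX-style JSON BOM so that two encodings of the same content yield identical bytes and an identical digest, and uses that as the semantic-equivalence check. Its rules are the example's own choices: object keys sorted, every array treated as an unordered set and sorted by the canonical JSON of its elements, compact separators, and a small list of volatile fields (serialNumber, metadata.timestamp) stripped before hashing. The BOMs are constructed for the example.

```python
import copy
import hashlib
import json

# Added example, not the project's SbomCanonicalizer. Rules chosen here: object keys sorted;
# every array treated as an unordered set and sorted by the canonical JSON of its elements
# (CycloneDX attaches no meaning to the order of components, dependencies, hashes or dependsOn);
# compact separators; UTF-8 without ASCII escaping. Fields that legitimately change between
# two generations of the same SBOM are stripped before hashing; which ones is an assumption.
VOLATILE_PATHS = (("serialNumber",), ("metadata", "timestamp"))

def _dumps(value):
    return json.dumps(value, sort_keys=True, separators=(",", ":"), ensure_ascii=False)

def _canonical(value):
    if isinstance(value, dict):
        return {key: _canonical(value[key]) for key in sorted(value)}
    if isinstance(value, list):
        return sorted((_canonical(item) for item in value), key=_dumps)
    return value

def strip_volatile(bom):
    bom = copy.deepcopy(bom)
    for *parents, leaf in VOLATILE_PATHS:
        node = bom
        for key in parents:
            node = node.get(key) if isinstance(node, dict) else None
        if isinstance(node, dict):
            node.pop(leaf, None)
    return bom

def canonical_form(bom, ignore_volatile=False):
    """Canonical Python structure: the same result for any element or key order in the input."""
    return _canonical(strip_volatile(bom) if ignore_volatile else bom)

def canonical_json(bom, ignore_volatile=False):
    return _dumps(canonical_form(bom, ignore_volatile))

def content_digest(bom):
    """SHA-256 of the canonical form minus volatile fields: stable across re-generation."""
    return hashlib.sha256(canonical_json(bom, True).encode("utf-8")).hexdigest()

def semantically_equal(a, b):
    """The round-trip check (parse, write, re-parse) should pass this, not byte equality."""
    return canonical_json(a, True) == canonical_json(b, True)

# Constructed sample, not a real SBOM.
BOM_A = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.6",
    "serialNumber": "urn:uuid:11111111-1111-4111-8111-111111111111",
    "version": 1,
    "metadata": {
        "timestamp": "2026-02-13T10:00:00Z",
        "component": {"type": "application", "bom-ref": "app", "name": "demo-app", "version": "1.0.0"},
    },
    "components": [
        {"type": "library", "bom-ref": "pkg:npm/lodash@4.17.21", "name": "lodash", "version": "4.17.21",
         "purl": "pkg:npm/lodash@4.17.21",
         "hashes": [{"alg": "SHA-256", "content": "ab" * 32}, {"alg": "SHA-1", "content": "cd" * 20}]},
        {"type": "library", "bom-ref": "pkg:npm/express@4.19.2", "name": "express", "version": "4.19.2",
         "purl": "pkg:npm/express@4.19.2"},
    ],
    "dependencies": [
        {"ref": "app", "dependsOn": ["pkg:npm/lodash@4.17.21", "pkg:npm/express@4.19.2"]},
        {"ref": "pkg:npm/lodash@4.17.21", "dependsOn": []},
        {"ref": "pkg:npm/express@4.19.2", "dependsOn": []},
    ],
}

def reordered(value):
    """Same content, different encoding: every list reversed and every key order reversed."""
    if isinstance(value, dict):
        return {key: reordered(value[key]) for key in reversed(list(value))}
    if isinstance(value, list):
        return [reordered(item) for item in reversed(value)]
    return value

# A second generation of the same SBOM: different element order, new serial number and timestamp.
BOM_B = reordered(BOM_A)
BOM_B["serialNumber"] = "urn:uuid:22222222-2222-4222-8222-222222222222"
BOM_B["metadata"]["timestamp"] = "2026-02-14T09:30:00Z"

# A tampered copy with one hash changed: canonicalization must not mask that.
BOM_TAMPERED = copy.deepcopy(BOM_A)
BOM_TAMPERED["components"][0]["hashes"][0]["content"] = "ef" * 32

if __name__ == "__main__":
    print(canonical_json(BOM_A, ignore_volatile=True))
    print(content_digest(BOM_A) == content_digest(BOM_B), semantically_equal(BOM_A, BOM_TAMPERED))
```

Sorting every array by its elements' canonical JSON is a total order over JSON values, so the output is deterministic without a per-field key list; a production canonicalizer that must preserve the order of a specific array (for example a writer that emits an ordered list) would exempt that path. Treat the volatile-field list as policy: stripping a field from the digest means a change to it is no longer detected.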
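Illustrative example for the SLSA Provenance Parser entry above and the SLSA item in the test plan. This is added example code in Python, not the project's SlsaProvenancePredicateParser. It reads an in-toto Statement whose predicate is SLSA provenance v1 or v0.2, extracts the fields a verifier needs (subject digests, builder id, build type, build materials, which v1 calls resolvedDependencies), rejects statements with no builder id, and checks whether a given artifact digest is covered by the statement. Field names follow the published SLSA predicate schemas; the sample statements and all example.com identifiers are constructed for the example.

```python
import json

# Added example, not the project's SlsaProvenancePredicateParser. Field names follow the
# published SLSA v1 and v0.2 predicate schemas; the sample statements below are constructed.
SLSA_V1 = "https://slsa.dev/provenance/v1"
SLSA_V02 = "https://slsa.dev/provenance/v0.2"

class ProvenanceError(ValueError):
    pass

def _get(obj, *path):
    """Nested lookup that returns None instead of raising on missing or mistyped keys."""
    for key in path:
        obj = obj.get(key) if isinstance(obj, dict) else None
    return obj

def extract_provenance(statement):
    predicate = statement.get("predicate")
    subjects = statement.get("subject")
    if not isinstance(predicate, dict) or not isinstance(subjects, list) or not subjects:
        raise ProvenanceError("not an in-toto statement with a predicate and at least one subject")
    pred_type = statement.get("predicateType")
    if pred_type == SLSA_V1:
        builder = _get(predicate, "runDetails", "builder", "id")
        build_type = _get(predicate, "buildDefinition", "buildType")
        materials = _get(predicate, "buildDefinition", "resolvedDependencies") or []
    elif pred_type == SLSA_V02:
        builder = _get(predicate, "builder", "id")
        build_type = predicate.get("buildType")
        materials = predicate.get("materials") or []
    else:
        raise ProvenanceError(f"unsupported predicateType {pred_type!r}")
    if not builder:
        # Without a builder id the provenance cannot be tied to a trusted builder: reject, never default.
        raise ProvenanceError("provenance carries no builder id")
    return {
        "predicate_type": pred_type,
        "builder_id": builder,
        "build_type": build_type,
        "subjects": [{"name": s.get("name"), "digest": dict(s.get("digest") or {})} for s in subjects],
        "materials": [{"uri": m.get("uri"), "digest": dict(m.get("digest") or {})} for m in materials],
    }

def covers_artifact(info, sha256_hex):
    """True when one of the statement's subjects carries this sha256 digest (hex, any case)."""
    return any(s["digest"].get("sha256", "").lower() == sha256_hex.lower() for s in info["subjects"])

# Constructed sample statements (not real attestations).
ARTIFACT_SHA256 = "9f" * 32
STATEMENT_V1 = {
    "_type": "https://in-toto.io/Statement/v1",
    "subject": [{"name": "demo-app-1.0.0.tar.gz", "digest": {"sha256": ARTIFACT_SHA256}}],
    "predicateType": SLSA_V1,
    "predicate": {
        "buildDefinition": {
            "buildType": "https://example.com/buildtypes/container@v1",
            "externalParameters": {"source": "https://example.com/repo.git"},
            "resolvedDependencies": [
                {"uri": "git+https://example.com/repo.git@refs/heads/main", "digest": {"gitCommit": "a1" * 20}},
                {"uri": "pkg:npm/lodash@4.17.21", "digest": {"sha256": "ab" * 32}},
            ],
        },
        "runDetails": {"builder": {"id": "https://example.com/builders/ci@v1"}},
    },
}
STATEMENT_V02 = {
    "_type": "https://in-toto.io/Statement/v0.1",
    "subject": [{"name": "demo-app-1.0.0.tar.gz", "digest": {"sha256": ARTIFACT_SHA256}}],
    "predicateType": SLSA_V02,
    "predicate": {
        "builder": {"id": "https://example.com/builders/ci@v1"},
        "buildType": "https://example.com/buildtypes/container@v1",
        "materials": [{"uri": "git+https://example.com/repo.git", "digest": {"sha1": "a1" * 20}}],
    },
}

if __name__ == "__main__":
    print(json.dumps(extract_provenance(STATEMENT_V1), indent=2))
    print(covers_artifact(extract_provenance(STATEMENT_V02), ARTIFACT_SHA256))
```

The extraction deliberately runs before any policy decision: whether the builder id is trusted, and whether the artifact you hold matches a subject digest, are separate checks against the extracted record, and a statement that cannot name its builder is rejected outright rather than passed on with an empty field.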
Verification
| Check | Result |
|---|---|
| Tier 0 - Source Verification | PASS |
| Tier 1 - Build + Code Review | PASS |
| Tier 2 - Behavioral Verification | PASS |
| Verified Date | 2026-02-13 |
| Run ID | run-001 |