git.stella-ops.org/docs/features/checked/attestor/in-toto-statement-and-provenance-system.md
2026-02-14 09:11:48 +02:00

In-toto Statement and Provenance System (SBOM, Evidence, Reasoning, VEX, SLSA)

Module

Attestor

Status

VERIFIED

Description

Full in-toto statement builder framework generating Evidence, Reasoning, VexVerdict, ProofSpine, and SbomLinkage statements with snapshot-based golden testing. In-toto/DSSE provenance attestation with SLSA provenance parsing, schema validation, layout verification, and SPDX3 build attestation mapping.

Implementation Details

  • Statement Builder: src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Builders/StatementBuilder.cs (with .Extended) -- fluent builder creating in-toto statements for all predicate types. IStatementBuilder.cs -- interface.
  • Proof Subject: Builders/ProofSubject.cs -- subject model with name and digest map for in-toto statements.
  • Core In-toto Link: StellaOps.Attestor.Core/InToto/InTotoLink.cs -- in-toto link with materials, products, and predicate. LinkBuilder.cs -- builds links with material/product specs. InTotoLinkPredicate.cs -- link predicate model.
  • Layout Verification: StellaOps.Attestor.Core/InToto/Layout/ -- in-toto layout verification for supply chain steps.
  • Link Recording: StellaOps.Attestor.Core/InToto/LinkRecorder.cs -- records links during build. ILinkRecorder.cs -- interface.
  • SLSA Provenance Parser: __Libraries/StellaOps.Attestor.StandardPredicates/Parsers/SlsaProvenancePredicateParser.cs (with .ExtractMetadata, .Validation) -- parses SLSA v1 provenance predicates.
  • SLSA Schema Validator: __Libraries/StellaOps.Attestor.StandardPredicates/Validation/SlsaSchemaValidator.cs (with .BuildDefinition, .Helpers, .Level, .RunDetails) -- validates SLSA provenance against schema. SlsaValidationResult.cs -- result model.
  • SPDX3 Build Attestation: __Libraries/StellaOps.Attestor.Spdx3/BuildAttestationMapper.cs (with .MapFromSpdx3, .MapToSpdx3) -- maps between SPDX3 build profiles and internal attestation models. BuildAttestationPayload.cs, BuildInvocation.cs, BuildMaterial.cs, BuildMetadata.cs -- build attestation models.
  • DSSE SPDX3 Signer: __Libraries/StellaOps.Attestor.Spdx3/DsseSpdx3Signer.cs (with .Encoding, .SignAsync, .SignBuildProfile, .Verify) -- signs SPDX3 build attestations.
  • Statement Types: 46 statement files in Statements/ -- Evidence, Reasoning, VexVerdict, ProofSpine, SbomLinkage, DeltaVerdict, ChangeTrace, Uncertainty, ReachabilityWitness, etc.
  • Tests: __Tests/StellaOps.Attestor.ProofChain.Tests/StatementBuilderTests.cs, __Tests/StellaOps.Attestor.StandardPredicates.Tests/SlsaSchemaValidatorTests.cs

E2E Test Plan

  • Build an Evidence statement via StatementBuilder with subject digests and verify the in-toto statement structure
  • Build a VexVerdict statement and verify it wraps the VEX predicate with correct predicate type URI
  • Build a ProofSpine statement and verify it contains the Merkle root and linked evidence IDs
  • Parse a SLSA v1 provenance JSON via SlsaProvenancePredicateParser and verify builder, build definition, and run details are extracted
  • Validate SLSA provenance via SlsaSchemaValidator and verify it passes for valid provenance and fails for invalid (e.g., missing buildDefinition)
  • Map a build attestation to SPDX3 via BuildAttestationMapper.MapToSpdx3 and back via .MapFromSpdx3; verify round-trip fidelity
  • Sign an SPDX3 build attestation via DsseSpdx3Signer.SignBuildProfile and verify the DSSE envelope
  • Record an in-toto link via LinkRecorder with materials and products, then verify the link digest matches
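
The structural checks behind the SLSA validation and DSSE envelope steps above, as an added example (Python, not StellaOps code, and it does not use the C# classes listed on this page). Field names follow the public in-toto Statement v1, SLSA v1 provenance, and DSSE specifications; the function names, the `example` URLs, and the HMAC used in place of a real signing key are assumptions made for the illustration.

```python
import base64, hashlib, hmac, json  # hmac: stand-in for a real DSSE signer

STATEMENT_V1 = "https://in-toto.io/Statement/v1"
SLSA_V1 = "https://slsa.dev/provenance/v1"
PAYLOAD_TYPE = "application/vnd.in-toto+json"
GOOD = {"buildDefinition": {"buildType": "https://example.com/build/v1",
                            "externalParameters": {"ref": "refs/heads/main"}},
        "runDetails": {"builder": {"id": "https://builder.example/ci"}}}  # constructed
REQUIRED = ("buildDefinition.buildType", "buildDefinition.externalParameters",
            "runDetails.builder.id")

def make_statement(name, artifact, predicate):
    """in-toto v1 Statement binding the predicate to the artifact's SHA-256."""
    digest = hashlib.sha256(artifact).hexdigest()
    return {"_type": STATEMENT_V1, "predicateType": SLSA_V1,
            "subject": [{"name": name, "digest": {"sha256": digest}}],
            "predicate": predicate}

def validate(stmt):
    """Names of missing or wrong required fields; an empty list means valid."""
    errs = [] if stmt.get("_type") == STATEMENT_V1 else ["_type"]
    if not all(s.get("digest") for s in stmt.get("subject") or [{}]):
        errs.append("subject")
    for path in REQUIRED:
        node = stmt.get("predicate")
        for key in path.split("."):
            node = node.get(key) if isinstance(node, dict) else None
        if node is None:
            errs.append(path)
    return errs

def pae(payload_type, payload):
    """DSSE pre-authentication encoding: the exact bytes that get signed."""
    t = payload_type.encode()
    return b"DSSEv1 %d %b %d %b" % (len(t), t, len(payload), payload)

def sign(stmt, key):
    payload = json.dumps(stmt, sort_keys=True, separators=(",", ":")).encode()
    sig = hmac.new(key, pae(PAYLOAD_TYPE, payload), hashlib.sha256).digest()
    return {"payloadType": PAYLOAD_TYPE,
            "payload": base64.b64encode(payload).decode(),
            "signatures": [{"sig": base64.b64encode(sig).decode()}]}

def verify(env, key):
    """Check the signature over PAE(type, raw payload) before parsing the payload."""
    payload = base64.b64decode(env["payload"])
    want = hmac.new(key, pae(env["payloadType"], payload), hashlib.sha256).digest()
    ok = any(hmac.compare_digest(want, base64.b64decode(s["sig"]))
             for s in env["signatures"])
    return json.loads(payload) if ok else None
```

Because the signature covers the payload type as well as the raw payload bytes, an envelope whose `payloadType` has been rewritten fails verification even when the payload is untouched.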

Verification

| Check | Result |
|---|---|
| Tier 0 - Source Verification | PASS |
| Tier 1 - Build + Code Review | PASS |
| Tier 2 - Behavioral Verification | PASS |
| Verified Date | 2026-02-13 |
| Run ID | run-001 |