- Added a `PolicyFindings` property to `SbomCompositionRequest` so that policy findings can be included in the SBOM.
- Implemented a `NormalizePolicyFindings` method to process and validate policy findings.
- Updated `SbomCompositionRequest.Create` to accept policy findings as an argument.
- Upgraded the CycloneDX.Core package from version 5.1.0 to 10.0.1.
- Marked several tasks as DONE in TASKS.md, reflecting completion of SBOM-related features.
- Introduced telemetry metrics for the Go analyzer to track heuristic fallbacks.
- Added performance benchmarks for the .NET and Go analyzers.
- Created new test fixtures for .NET applications, including dependencies and runtime configurations.
- Added licenses and nuspec files for the logging and toolkit packages used in tests.
- Implemented an `SbomPolicyFinding` record to encapsulate policy-finding details and normalization logic.
{
"report": {
"reportId": "report-3def5f362aa475ef14b6",
"imageDigest": "sha256:deadbeef",
"generatedAt": "2025-10-19T08:28:09.3699267+00:00",
"verdict": "blocked",
"policy": {
"revisionId": "rev-1",
"digest": "27d2ec2b34feedc304fc564d252ecee1c8fa14ea581a5ff5c1ea8963313d5c8d"
},
"summary": {
"total": 1,
"blocked": 1,
"warned": 0,
"ignored": 0,
"quieted": 1
},
"verdicts": [
{
"findingId": "finding-1",
"status": "Blocked",
"ruleName": "Block Critical",
"ruleAction": "Block",
"score": 40.5,
"configVersion": "1.0",
"inputs": {
"reachabilityWeight": 0.45,
"baseScore": 40.5,
"severityWeight": 90,
"trustWeight": 1,
"trustWeight.NVD": 1,
"reachability.runtime": 0.45,
"unknownConfidence": 0.52,
"unknownAgeDays": 4
},
"quietedBy": "policy/quiet-critical-runtime",
"quiet": true,
"unknownConfidence": 0.52,
"confidenceBand": "medium",
"unknownAgeDays": 4,
"sourceTrust": "NVD",
"reachability": "runtime"
}
],
"issues": []
},
"dsse": {
"payloadType": "application/vnd.stellaops.report+json",
"payload": "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",
"signatures": [
{
"keyId": "scanner-report-signing",
"algorithm": "hs256",
"signature": "s3qnWeRsYs+QA/nO84Us8G2xjZcvphc2P7KnOdTVwQs="
}
]
}
}