stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity
Files
fa4823f46c4bc090294580a9136fb6b0e11e50f9
git.stella-ops.org/docs/features/unchecked/attestor/build-attestation-mapping.md

2.7 KiB
Raw Blame History

Build Attestation Mapping (SPDX 3.0.1 Build Profile)

Module

Attestor

Status

IMPLEMENTED

Description

Build attestation mapping to/from SPDX 3.0.1 is implemented with bidirectional mappers, build material, metadata, and invocation models.

Implementation Details

  • BuildAttestationMapper: src/Attestor/__Libraries/StellaOps.Attestor.Spdx3/BuildAttestationMapper.cs -- orchestrates bidirectional mapping. IBuildAttestationMapper.cs -- interface.
    • BuildAttestationMapper.MapToSpdx3.cs -- maps internal build attestation to SPDX 3.0.1 build profile format
    • BuildAttestationMapper.MapFromSpdx3.cs -- maps SPDX 3.0.1 build profile to internal format
  • Build Attestation Payload: BuildAttestationPayload.cs -- internal build attestation model.
  • Build Material: BuildMaterial.cs -- input materials (source code, dependencies, config files) with digests.
  • Build Metadata: BuildMetadata.cs -- build timestamp, build ID, reproducibility info.
  • Build Invocation: BuildInvocation.cs -- build command, parameters, environment.
  • Builder Info: BuilderInfo.cs -- builder identity (CI system, version).
  • Config Source: ConfigSource.cs -- build configuration source references.
  • Build Relationships: BuildRelationshipBuilder.cs (with .Linking partial) -- builds SPDX 3.0.1 relationships between build elements.
  • DSSE Signing: DsseSpdx3Signer.cs (with .SignBuildProfile partial) -- signs build profiles as DSSE envelopes.
  • Combined Document: CombinedDocumentBuilder.cs (with .Build, .Attestation, .Profiles partials) -- builds combined SPDX documents with build attestation profiles.
  • Tests: __Libraries/__Tests/StellaOps.Attestor.Spdx3.Tests/BuildAttestationMapperTests.cs, BuildProfileValidatorTests.cs, CombinedDocumentBuilderTests.cs

E2E Test Plan

  • Create a BuildAttestationPayload with materials, metadata, and invocation, map to SPDX 3.0.1 via MapToSpdx3, and verify the output contains correct build profile elements
  • Map an SPDX 3.0.1 document with build profile back to internal format via MapFromSpdx3 and verify round-trip fidelity
  • Create build materials with SHA-256 digests and verify they appear as SPDX 3.0.1 build inputs with correct hash references
  • Create BuildInvocation with build command and parameters and verify they map to SPDX 3.0.1 build invocation fields
  • Use BuildRelationshipBuilder to link build elements and verify SPDX relationships are correctly typed
  • Sign a build profile via DsseSpdx3Signer.SignBuildProfile and verify the DSSE envelope is valid
  • Build a combined SPDX document with SBOM + build attestation profile via CombinedDocumentBuilder and verify both profiles are present