git.stella-ops.org/docs/features/unchecked/attestor/cyclonedx-1-6-and-spdx-3-0-1-full-sbom-support.md

CycloneDX 1.6 and SPDX 3.0.1 Full SBOM Support (Parsers, Writers, Attestation)

Module: Attestor

Status: IMPLEMENTED

Description

Comprehensive CycloneDX 1.6 and SPDX 3.0.1 parsers and writers supporting all major SBOM elements: components, services, vulnerabilities, crypto, attestation maps, declarations, evidence, formulation, and more. Includes predicate parsers with metadata extraction and validation, SPDX 3.0 build attestation mappers, and CycloneDX VEX normalizer. 40+ partial class files for CycloneDX alone.

Implementation Details

  • CycloneDX Writer: src/Attestor/__Libraries/StellaOps.Attestor.StandardPredicates/Writers/CycloneDxWriter.cs -- 40+ partial files:
    • Core: .Convert, .Validation, .Metadata, .SerialNumber
    • Components: .Components, .Dependencies, .Pedigree, .Swid
    • Services: .Services
    • Vulnerabilities: .Vulnerabilities
    • Crypto: .Crypto, .CryptoCertificates, .CryptoMaterial
    • Attestation: .AttestationMaps, .Claims, .Declarations, .DeclarationTargets, .Definitions
    • Evidence: .Evidence, .EvidenceOccurrences
    • Formulation: .Formulation, .InputsOutputs, .Tasks
    • Compliance: .Compositions, .Considerations, .Environmental
    • DTOs: .DtoBom, .DtoComponent, .DtoService, .DtoVulnerability, .DtoCrypto, etc.
  • SPDX Writer: SpdxWriter.cs -- 50+ partial files covering all SPDX 3.0.1 profiles: .Packages, .FileElement, .Snippets, .Relationships, .Licensing, .Vulnerabilities, .Builds, .Assessments, .AiPackage, .DatasetPackage, .Agents, .Signatures, etc.
  • CycloneDX Parser: Parsers/CycloneDxPredicateParser.cs (with .ExtractMetadata, .ExtractSbom, .Validation, .SerialNumber)
  • SPDX Parser: Parsers/SpdxPredicateParser.cs (with .ExtractMetadata, .ExtractSbom, .Validation)
  • SBOM Models: Models/ -- 106 model files: SbomComponent, SbomService, SbomVulnerability, SbomDocument, etc.
  • SBOM Canonicalizer: Canonicalization/SbomCanonicalizer.cs (with .Elements)
  • License Expression Parser: Licensing/SpdxLicenseExpressionParser.cs (with partials)
  • Tests: __Tests/StellaOps.Attestor.StandardPredicates.Tests/ -- 25+ test files including CycloneDx/SpdxDeterminismTests, SchemaValidationTests, ParserTests, WriterProfileTests
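The license expression parser listed above has to cope with the nested, mixed-operator expressions that the E2E test plan exercises (e.g. `(MIT OR Apache-2.0) AND BSD-3-Clause`). The following Python block is an added illustration of that technique, written for this page; it is not the StellaOps SpdxLicenseExpressionParser and makes no claims about that class. It tokenizes an SPDX expression, parses it by recursive descent with the SPDX precedence WITH > AND > OR, rejects malformed input instead of guessing, flags identifiers outside an allow-list, and renders a canonical form (operands of the commutative operators sorted) so that two equivalent expressions serialize identically. Assumptions: `KNOWN_LICENSES` and `KNOWN_EXCEPTIONS` are a constructed stand-in for the SPDX license and exception lists, operator keywords are accepted case-insensitively, and license identifiers are compared case-sensitively.

```python
"""SPDX license expression parsing with precedence, validation and a canonical
rendering. Added illustration; not the StellaOps SpdxLicenseExpressionParser."""
import re
from dataclasses import dataclass
from typing import List, Optional, Union

# Constructed allow-lists standing in for the SPDX license/exception lists.
KNOWN_LICENSES = {"MIT", "Apache-2.0", "BSD-3-Clause", "GPL-2.0-only",
                  "GPL-2.0-or-later", "LGPL-2.1-only"}
KNOWN_EXCEPTIONS = {"Classpath-exception-2.0", "LLVM-exception"}

_OPERATORS = {"AND", "OR", "WITH"}
_TOKEN_RE = re.compile(r"\(|\)|[A-Za-z0-9.+\-]+")
# SPDX idstring: letters, digits, '.', '-', optional trailing '+'; or LicenseRef-*
_ID_RE = re.compile(r"^(LicenseRef-[A-Za-z0-9.\-]+|[A-Za-z0-9.\-]+\+?)$")


class LicenseExpressionError(ValueError):
    """Syntactically invalid expression: reject the SBOM field, do not repair it."""


@dataclass(frozen=True)
class License:
    id: str
    exception: Optional[str] = None   # set for "<id> WITH <exception>"


@dataclass(frozen=True)
class Compound:
    op: str          # "AND" or "OR"
    left: "Expr"
    right: "Expr"


Expr = Union[License, Compound]


def tokenize(text: str) -> List[str]:
    """Split into '(', ')' and identifier/operator words; anything else is an error."""
    tokens, pos = [], 0
    while pos < len(text):
        if text[pos].isspace():
            pos += 1
            continue
        m = _TOKEN_RE.match(text, pos)
        if not m:
            raise LicenseExpressionError(f"unexpected character at {pos}: {text[pos]!r}")
        tokens.append(m.group(0))
        pos = m.end()
    return tokens


class _Parser:
    """Recursive descent; precedence WITH > AND > OR, left-associative."""

    def __init__(self, tokens: List[str]):
        self._toks, self._i = tokens, 0

    def _peek(self) -> Optional[str]:
        return self._toks[self._i] if self._i < len(self._toks) else None

    def _take(self) -> Optional[str]:
        tok = self._peek()
        self._i += 1
        return tok

    def _at_op(self, op: str) -> bool:
        tok = self._peek()   # operators matched case-insensitively (assumption)
        return tok is not None and tok.upper() == op

    def parse(self) -> Expr:
        expr = self._or()
        if self._peek() is not None:
            raise LicenseExpressionError(f"unexpected token {self._peek()!r}")
        return expr

    def _or(self) -> Expr:
        left = self._and()
        while self._at_op("OR"):
            self._take()
            left = Compound("OR", left, self._and())
        return left

    def _and(self) -> Expr:
        left = self._with()
        while self._at_op("AND"):
            self._take()
            left = Compound("AND", left, self._with())
        return left

    def _with(self) -> Expr:
        tok = self._take()
        if tok == "(":
            inner = self._or()
            if self._take() != ")":
                raise LicenseExpressionError("missing ')'")
            return inner   # WITH may not follow a parenthesised group
        lic = self._ident(tok)
        if self._at_op("WITH"):
            self._take()
            return License(lic, self._ident(self._take()))
        return License(lic)

    @staticmethod
    def _ident(tok: Optional[str]) -> str:
        if (tok is None or tok in ("(", ")") or tok.upper() in _OPERATORS
                or not _ID_RE.match(tok)):
            raise LicenseExpressionError(f"expected license identifier, got {tok!r}")
        return tok


def parse_license_expression(text: str) -> Expr:
    return _Parser(tokenize(text)).parse()


def is_valid_license_expression(text: str) -> bool:
    try:
        parse_license_expression(text)
        return True
    except LicenseExpressionError:
        return False


def unknown_identifiers(expr: Expr) -> List[str]:
    """Identifiers outside the allow-list; LicenseRef-* are caller-defined and skipped."""
    if isinstance(expr, License):
        out = []
        if not expr.id.startswith("LicenseRef-") and expr.id not in KNOWN_LICENSES:
            out.append(expr.id)
        if expr.exception is not None and expr.exception not in KNOWN_EXCEPTIONS:
            out.append(expr.exception)
        return out
    return unknown_identifiers(expr.left) + unknown_identifiers(expr.right)


def _operands(expr: Expr, op: str) -> List[Expr]:
    """Flatten a chain of the same associative operator into its leaves."""
    if isinstance(expr, Compound) and expr.op == op:
        return _operands(expr.left, op) + _operands(expr.right, op)
    return [expr]


def render(expr: Expr, parent_op: Optional[str] = None) -> str:
    """Canonical text: uppercase operators, sorted operands, parentheses only
    where an OR sits under an AND (AND binds tighter in SPDX)."""
    if isinstance(expr, License):
        return expr.id if expr.exception is None else f"{expr.id} WITH {expr.exception}"
    parts = sorted(render(child, expr.op) for child in _operands(expr, expr.op))
    text = f" {expr.op} ".join(parts)
    return f"({text})" if parent_op == "AND" and expr.op == "OR" else text


def canonical_license_expression(text: str) -> str:
    return render(parse_license_expression(text))
```

The canonical renderer is what makes a determinism test meaningful for license fields: `C AND (B AND A)` and `A AND B AND C` both come out as `A AND B AND C`, so a writer that feeds the rendered form into the document produces byte-identical output regardless of how the upstream tool ordered its operands. Rejecting rather than repairing malformed expressions matters for attestation, since a repaired field would be signed over content the producer never asserted.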

E2E Test Plan

  • Write a CycloneDX 1.6 SBOM with components, services, and vulnerabilities via CycloneDxWriter.Convert and verify all elements are present in the output
  • Write an SPDX 3.0.1 document with packages, files, snippets, and relationships via SpdxWriter.Convert and verify all profiles are populated
  • Parse a CycloneDX SBOM via CycloneDxPredicateParser and verify metadata extraction (serial number, version, timestamp)
  • Parse an SPDX SBOM via SpdxPredicateParser and verify package extraction with licensing info
  • Write a CycloneDX SBOM with crypto properties and verify crypto algorithm and certificate elements
  • Write an SPDX document with AI/ML profiles (AiPackage, DatasetPackage) and verify profile elements
  • Round-trip test: write CycloneDX -> parse -> write again and verify deterministic output
  • Round-trip test: write SPDX -> parse -> write again and verify deterministic output
  • Verify license expression parsing for complex SPDX expressions (e.g., (MIT OR Apache-2.0) AND BSD-3-Clause)
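The round-trip items in the plan above (write, parse, write again, compare) only pass if the writer imposes a canonical order on everything whose order carries no meaning, and the parser refuses documents whose references do not resolve. The Python block below is an added illustration of that write -> parse -> write determinism check for a CycloneDX 1.6-shaped document, written for this page; it is not the StellaOps CycloneDxWriter, CycloneDxPredicateParser or SbomCanonicalizer. `SAMPLE_BOM` is a constructed document (the serial number, `bom-ref` values and the vulnerability id `EXAMPLE-0001` are placeholders), the canonical JSON form is JCS-like but does not attempt RFC 8785 number formatting, and only the top-level component list is walked for `bom-ref` uniqueness.

```python
"""Deterministic CycloneDX 1.6 write -> parse -> write round trip with
referential-integrity checks. Added illustration; not the StellaOps code."""
import copy
import hashlib
import json
import re

_SERIAL_RE = re.compile(
    r"^urn:uuid:[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I)

# Constructed sample; serial number, refs and the vulnerability id are placeholders.
SAMPLE_BOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.6",
    "serialNumber": "urn:uuid:00000000-0000-4000-8000-000000000001",
    "version": 1,
    "metadata": {
        "timestamp": "2024-01-01T00:00:00Z",
        "component": {"type": "application", "bom-ref": "app",
                      "name": "example-app", "version": "1.0.0"},
    },
    "components": [
        {"type": "library", "bom-ref": "pkg:npm/lodash@4.17.21", "name": "lodash",
         "version": "4.17.21", "purl": "pkg:npm/lodash@4.17.21"},
        {"type": "library", "bom-ref": "pkg:npm/express@4.19.2", "name": "express",
         "version": "4.19.2", "purl": "pkg:npm/express@4.19.2"},
    ],
    "dependencies": [
        {"ref": "app", "dependsOn": ["pkg:npm/lodash@4.17.21", "pkg:npm/express@4.19.2"]},
        {"ref": "pkg:npm/express@4.19.2", "dependsOn": ["pkg:npm/lodash@4.17.21"]},
    ],
    "vulnerabilities": [
        {"id": "EXAMPLE-0001", "affects": [{"ref": "pkg:npm/lodash@4.17.21"}]},
    ],
}


class SbomError(ValueError):
    """Structural problem in a BOM; a verifier rejects rather than repairs."""


def canonicalize(bom: dict) -> dict:
    """Sort every list whose order carries no meaning; key order is left to the
    serializer. Nested components are not walked (simplification)."""
    out = copy.deepcopy(bom)
    if "components" in out:
        out["components"].sort(key=lambda c: c["bom-ref"])
    if "dependencies" in out:
        for dep in out["dependencies"]:
            dep["dependsOn"] = sorted(dep.get("dependsOn", []))
        out["dependencies"].sort(key=lambda d: d["ref"])
    if "vulnerabilities" in out:
        for vuln in out["vulnerabilities"]:
            vuln["affects"] = sorted(vuln.get("affects", []), key=lambda a: a["ref"])
        out["vulnerabilities"].sort(key=lambda v: v["id"])
    return out


def write_bom(bom: dict) -> bytes:
    """Canonical JSON: sorted keys, no insignificant whitespace, UTF-8 (JCS-like)."""
    return json.dumps(canonicalize(bom), sort_keys=True, separators=(",", ":"),
                      ensure_ascii=False).encode("utf-8")


def parse_bom(data: bytes) -> dict:
    """Parse and validate format/version, serial number shape, bom-ref
    uniqueness, and that every dependency/affects ref resolves."""
    bom = json.loads(data.decode("utf-8"))
    if not isinstance(bom, dict):
        raise SbomError("top-level value is not an object")
    if bom.get("bomFormat") != "CycloneDX" or bom.get("specVersion") != "1.6":
        raise SbomError("not a CycloneDX 1.6 document")
    if "serialNumber" in bom and not _SERIAL_RE.match(bom["serialNumber"]):
        raise SbomError("malformed serialNumber")
    refs = set()
    root = bom.get("metadata", {}).get("component")
    for comp in ([root] if root else []) + bom.get("components", []):
        ref = comp.get("bom-ref")
        if ref in refs:
            raise SbomError(f"duplicate bom-ref {ref!r}")
        if ref is not None:
            refs.add(ref)
    for dep in bom.get("dependencies", []):
        for ref in [dep["ref"], *dep.get("dependsOn", [])]:
            if ref not in refs:
                raise SbomError(f"dangling dependency ref {ref!r}")
    for vuln in bom.get("vulnerabilities", []):
        for affected in vuln.get("affects", []):
            if affected["ref"] not in refs:
                raise SbomError(f"vulnerability {vuln.get('id')!r} affects unknown ref")
    return bom


def sha256_hex(data: bytes) -> str:
    """Digest a signer would place in the attestation subject/predicate."""
    return hashlib.sha256(data).hexdigest()


def is_valid_bom(data: bytes) -> bool:
    try:
        parse_bom(data)
        return True
    except (ValueError, KeyError, TypeError):   # SbomError is a ValueError
        return False


def round_trip_is_deterministic(bom: dict) -> bool:
    first = write_bom(bom)
    return write_bom(parse_bom(first)) == first


def reordered_sample() -> dict:
    """Same facts as SAMPLE_BOM with every list reversed (constructed input)."""
    bom = copy.deepcopy(SAMPLE_BOM)
    bom["components"].reverse()
    bom["dependencies"].reverse()
    for dep in bom["dependencies"]:
        dep["dependsOn"].reverse()
    return bom


def tampered_sample() -> dict:
    """SAMPLE_BOM with a dependency on a component that is not in the BOM."""
    bom = copy.deepcopy(SAMPLE_BOM)
    bom["dependencies"][0]["dependsOn"].append("pkg:npm/not-in-bom@0.0.0")
    return bom
```

The point of `reordered_sample` is the check a determinism test should actually make: two producers that emit the same facts in a different list order must yield the same canonical bytes and therefore the same `sha256_hex`, otherwise every re-export would invalidate a previously signed attestation. The dangling-reference check in `parse_bom` is the companion caveat: a dependency graph or VEX statement pointing at a `bom-ref` that is not in the document is a structural error and should fail parsing, not be carried through the round trip.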