git.stella-ops.org/docs/features/unchecked/attestor/sbom-delta-system.md

# SBOM Delta System (Component Diffing, Predicates, Signed Evidence)

**Module:** Attestor

**Status:** IMPLEMENTED

## Description

Complete SBOM delta system: component-level diff tracking (added/removed/version changes), a formal JSON schema for delta predicates, a structured taxonomy, DSSE-signed delta evidence objects, and dedicated UI visualization. SBOM diffs are first-class signed evidence objects: the attestation service produces DSSE-signed delta predicates, so a consumer can verify who produced a given diff and that it has not been altered.

## Implementation Details

- **SBOM Delta Predicate:** `src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Predicates/SbomDeltaPredicate.cs` -- predicate containing the full SBOM delta (added, removed, changed components).
- **SBOM Delta Component:** `Predicates/SbomDeltaComponent.cs` -- individual component in the delta (name, version, purl, change type).
- **SBOM Delta Summary:** `Predicates/SbomDeltaSummary.cs` -- summary statistics (added count, removed count, version change count).
- **SBOM Delta Version Change:** `Predicates/SbomDeltaVersionChange.cs` -- version change detail (`from_version`, `to_version`, component).
- **SBOM Reference:** `Predicates/SbomReference.cs` -- reference to the baseline and current SBOM documents.
- **Predicate Schema Validator:** `Json/PredicateSchemaValidator.DeltaValidators.cs` -- schema validation for SBOM delta predicates.
- **DSSE Signing:** `Signing/ProofChainSigner.cs` -- signs SBOM delta predicates into DSSE envelopes.
- **Content-Addressed ID:** `Identifiers/ContentAddressedIdGenerator.cs` -- generates deterministic IDs for delta predicates.
- **Change Trace:** `ChangeTrace/ChangeTraceAttestationService.cs` -- creates change trace attestations that can include SBOM delta data.
- **Tests:** `__Tests/StellaOps.Attestor.ProofChain.Tests/SbomDeltaTests.cs`

## E2E Test Plan

- Create an `SbomDeltaPredicate` with 3 added components, 2 removed, and 1 version change; verify all entries are captured
- Verify `SbomDeltaComponent` correctly identifies component name, version, purl, and change type (Added/Removed/Modified)
- Verify `SbomDeltaSummary` counts: 3 added, 2 removed, 1 version changed
- Verify `SbomDeltaVersionChange` captures `from_version="1.0"` to `to_version="2.0"` for a specific component
- Sign the SBOM delta predicate into a DSSE envelope and verify the signature
- Validate the delta predicate via `PredicateSchemaValidator.DeltaValidators` and verify schema compliance
- Generate a content-addressed ID for the delta and verify determinism (same delta = same ID)
- Create an SBOM delta between two `SbomReference` documents and verify cross-reference integrity
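The diffing and content-addressing described under Implementation Details, worked through on the 3-added / 2-removed / 1-version-change case from the test plan above. This is an added illustration in Python, not the project's C# code; the sample SBOMs, the field names and the purl-based identity rule are assumptions, and DSSE signing is left out.

```python
import hashlib
import json

# Constructed sample SBOMs (not from the project): component lists with
# name, version and purl, mirroring the fields of SbomDeltaComponent.
BASELINE = [
    {"name": "openssl", "version": "1.0", "purl": "pkg:generic/openssl@1.0"},
    {"name": "zlib", "version": "1.2.13", "purl": "pkg:generic/zlib@1.2.13"},
    {"name": "libxml2", "version": "2.9.10", "purl": "pkg:generic/libxml2@2.9.10"},
    {"name": "pcre", "version": "8.45", "purl": "pkg:generic/pcre@8.45"},
]
CURRENT = [
    {"name": "sqlite", "version": "3.45.0", "purl": "pkg:generic/sqlite@3.45.0"},
    {"name": "zlib", "version": "1.2.13", "purl": "pkg:generic/zlib@1.2.13"},
    {"name": "curl", "version": "8.6.0", "purl": "pkg:generic/curl@8.6.0"},
    {"name": "openssl", "version": "2.0", "purl": "pkg:generic/openssl@2.0"},
    {"name": "jq", "version": "1.7", "purl": "pkg:generic/jq@1.7"},
]


def identity(component):
    """Version-independent identity (assumed rule): the purl minus its '@version'."""
    return component["purl"].split("@", 1)[0]


def compute_delta(baseline, current):
    """Diff two component lists into added / removed / changed, in canonical order."""
    base = {identity(c): c for c in baseline}
    cur = {identity(c): c for c in current}
    added = [dict(cur[k], changeType="Added") for k in sorted(cur.keys() - base.keys())]
    removed = [dict(base[k], changeType="Removed") for k in sorted(base.keys() - cur.keys())]
    changed = [
        {"component": base[k]["name"], "purl": k,
         "from_version": base[k]["version"], "to_version": cur[k]["version"]}
        for k in sorted(base.keys() & cur.keys())
        if base[k]["version"] != cur[k]["version"]
    ]
    return {
        "added": added,
        "removed": removed,
        "changed": changed,
        "summary": {"added": len(added), "removed": len(removed), "versionChanged": len(changed)},
    }


def content_addressed_id(delta):
    """Deterministic ID: SHA-256 over canonical JSON (sorted keys, no whitespace).
    Because compute_delta sorts its lists, the same delta yields the same ID
    whatever order the components appeared in within the input SBOMs."""
    canonical = json.dumps(delta, sort_keys=True, separators=(",", ":"), ensure_ascii=True)
    return "sha256:" + hashlib.sha256(canonical.encode("utf-8")).hexdigest()
```

The predicate dict is what would then be wrapped and signed as a DSSE envelope; the ID is computed over the predicate, not the envelope, so re-signing does not change it.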