git.stella-ops.org/docs/features/unchecked/attestor/sbom-linkage-to-vex.md

SBOM Linkage to VEX

Module: Attestor

Status: IMPLEMENTED

Description

Links VEX statements to the SBOM components they describe by extracting component references from both CycloneDX (PURL plus bom-ref) and SPDX (PURL plus SPDXID) SBOMs. The PURL is the shared key, so a VEX verdict, override or micro-witness can be resolved to exactly one SBOM component, and an SBOM component can be resolved to every VEX statement that mentions it.

Implementation Details

  • Component Ref Extractor: src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Linking/ComponentRefExtractor.cs -- extracts component references from SBOMs for VEX cross-linking.
    • .Resolution -- resolves PURL-to-bom-ref mappings for CycloneDX components.
    • .Spdx -- extracts SPDXID references for SPDX components.
  • SBOM Extraction Result: Linking/SbomExtractionResult.cs -- result containing extracted component references with PURLs and bom-refs/SPDXIDs.
  • VEX Proof Integrator: __Libraries/StellaOps.Attestor.ProofChain/Generators/VexProofIntegrator.cs (with .Helpers, .Metadata) -- integrates SBOM component references into VEX decisions.
  • VEX Verdict Proof Payload: Generators/VexVerdictProofPayload.cs -- combined payload linking VEX verdict to SBOM components.
  • SBOM Reference: Predicates/SbomReference.cs -- reference to the source SBOM for linkage.
  • Micro-Witness SBOM Ref: Predicates/MicroWitnessSbomRef.cs -- links function-level witness evidence to SBOM components.
  • VEX Override: __Libraries/StellaOps.Attestor.StandardPredicates/VexOverride/VexOverridePredicate.cs -- VEX override linked to SBOM components.
  • Tests: __Tests/StellaOps.Attestor.ProofChain.Tests/ComponentRefExtractorTests.cs

E2E Test Plan

  • Extract component refs from a CycloneDX SBOM via ComponentRefExtractor.Resolution and verify PURL-to-bom-ref mappings
  • Extract component refs from an SPDX SBOM via ComponentRefExtractor.Spdx and verify SPDXID extraction
  • Link extracted SBOM components to a VEX decision via VexProofIntegrator and verify the VexVerdictProofPayload contains the component reference
  • Verify SbomExtractionResult contains all extracted components with PURLs
  • Link a micro-witness to an SBOM component via MicroWitnessSbomRef and verify bom-ref cross-reference
  • Create a VEX override via VexOverridePredicate linked to a specific SBOM component and verify the linkage
  • Verify bidirectional linking: given a VEX statement, resolve the SBOM component; given an SBOM component, find all VEX statements
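The extraction and linking steps above, as an added example that is not part of the StellaOps code base: a Python sketch of a component-ref extractor for CycloneDX and SPDX JSON plus a bidirectional VEX linker. The SBOM documents, the placeholder vulnerability names and the VEX statements (OpenVEX-shaped, with products identified by PURL in `@id`) are constructed for the example; falling back to the PURL when a CycloneDX component has no bom-ref is this example's choice, not a documented StellaOps behaviour.

```python
"""Added example: extract SBOM component references and cross-link them with VEX.

Illustrative Python, not the StellaOps ComponentRefExtractor. All SBOM and VEX
documents below are constructed samples with placeholder vulnerability names.
"""
import json
from dataclasses import dataclass, field


@dataclass(frozen=True)
class ComponentRef:
    purl: str          # shared cross-link key between SBOM and VEX
    local_ref: str     # CycloneDX bom-ref or SPDX SPDXID
    sbom_format: str   # "cyclonedx" or "spdx"


@dataclass
class SbomExtractionResult:
    sbom_format: str
    refs: list = field(default_factory=list)

    def by_purl(self) -> dict:
        return {r.purl: r for r in self.refs}

    def by_local_ref(self) -> dict:
        return {r.local_ref: r for r in self.refs}


def extract_cyclonedx(doc: dict) -> SbomExtractionResult:
    """Map each CycloneDX component's PURL to its bom-ref.

    Components without a PURL cannot be cross-linked and are skipped.
    bom-ref is optional in CycloneDX; this example (an assumption, not a
    StellaOps rule) falls back to the PURL so the component stays reachable.
    """
    result = SbomExtractionResult("cyclonedx")
    for comp in doc.get("components", []):
        purl = comp.get("purl")
        if not purl:
            continue
        result.refs.append(ComponentRef(purl, comp.get("bom-ref", purl), "cyclonedx"))
    return result


def extract_spdx(doc: dict) -> SbomExtractionResult:
    """Map each SPDX package's purl external reference to its SPDXID."""
    result = SbomExtractionResult("spdx")
    for pkg in doc.get("packages", []):
        for ref in pkg.get("externalRefs", []):
            if ref.get("referenceType") == "purl":
                result.refs.append(ComponentRef(ref["referenceLocator"], pkg["SPDXID"], "spdx"))
    return result


def extract(doc: dict) -> SbomExtractionResult:
    """Dispatch on the format marker each SBOM standard places at the top level."""
    if doc.get("bomFormat") == "CycloneDX":
        return extract_cyclonedx(doc)
    if str(doc.get("spdxVersion", "")).startswith("SPDX-"):
        return extract_spdx(doc)
    raise ValueError("unrecognised SBOM format")


def link_vex(result: SbomExtractionResult, statements: list):
    """Build both directions of the linkage.

    Returns (statement -> component, local_ref -> statements, unresolved), where
    unresolved lists VEX products that name no component in this SBOM; those
    must surface as an error rather than silently producing an empty verdict.
    """
    index = result.by_purl()
    stmt_to_comp, unresolved = {}, []
    comp_to_stmts = {r.local_ref: [] for r in result.refs}
    for stmt in statements:
        vuln = stmt["vulnerability"]["name"]
        for product in stmt["products"]:
            comp = index.get(product["@id"])
            if comp is None:
                unresolved.append((vuln, product["@id"]))
                continue
            stmt_to_comp[(vuln, product["@id"])] = comp
            comp_to_stmts[comp.local_ref].append(stmt)
    return stmt_to_comp, comp_to_stmts, unresolved


# Constructed sample inputs (not taken from any real project).
CYCLONEDX_SBOM = json.loads("""{
  "bomFormat": "CycloneDX", "specVersion": "1.5",
  "components": [
    {"type": "library", "bom-ref": "pkg:npm/lodash@4.17.20", "name": "lodash",
     "version": "4.17.20", "purl": "pkg:npm/lodash@4.17.20"},
    {"type": "library", "bom-ref": "comp-openssl", "name": "openssl",
     "version": "3.0.7", "purl": "pkg:generic/openssl@3.0.7"},
    {"type": "library", "name": "internal-lib", "version": "1.0"}
  ]}""")

SPDX_SBOM = json.loads("""{
  "spdxVersion": "SPDX-2.3", "SPDXID": "SPDXRef-DOCUMENT",
  "packages": [
    {"SPDXID": "SPDXRef-Package-lodash", "name": "lodash", "externalRefs": [
      {"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
       "referenceLocator": "pkg:npm/lodash@4.17.20"}]},
    {"SPDXID": "SPDXRef-Package-openssl", "name": "openssl", "externalRefs": [
      {"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
       "referenceLocator": "pkg:generic/openssl@3.0.7"}]}
  ]}""")

VEX_STATEMENTS = [  # OpenVEX-shaped; "EXAMPLE-VULN-*" are placeholders
    {"vulnerability": {"name": "EXAMPLE-VULN-1"}, "status": "not_affected",
     "products": [{"@id": "pkg:npm/lodash@4.17.20"}]},
    {"vulnerability": {"name": "EXAMPLE-VULN-2"}, "status": "affected",
     "products": [{"@id": "pkg:generic/openssl@3.0.7"},
                  {"@id": "pkg:generic/zlib@1.2.11"}]},
]

if __name__ == "__main__":
    for sbom in (CYCLONEDX_SBOM, SPDX_SBOM):
        res = extract(sbom)
        fwd, back, missing = link_vex(res, VEX_STATEMENTS)
        print(res.sbom_format, {k: v.local_ref for k, v in fwd.items()}, missing)
```

CycloneDX VEX keys its `affects[].ref` on the bom-ref while OpenVEX keys products on the PURL, which is why the extractor keeps both identifiers for every component instead of only the PURL. Each VEX product that resolves to nothing is reported in `unresolved` rather than dropped, so a verdict is never attached to a component that is not actually in the SBOM.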