git.stella-ops.org/docs/features/unchecked/attestor/sbom-schema-validation-gating.md

SBOM Schema Validation/Gating

Module: Attestor

Status: IMPLEMENTED

Description

Schema validation for SBOM predicates (both CycloneDX and SPDX) that produces structured validation results: an overall pass/fail plus a list of errors, each carrying a JSON path, a human-readable message and a severity, so that downstream policy can use the result as a gating decision rather than a bare boolean.

Implementation Details

  • Predicate Schema Validator: src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Json/PredicateSchemaValidator.cs (with .Validators) -- validates SBOM predicates against registered schemas.
  • Schema Validation Result: Json/SchemaValidationResult.cs -- result with pass/fail and list of errors.
  • Schema Validation Error: Json/SchemaValidationError.cs -- individual error with JSON path, message, and severity.
  • CycloneDX Validation: __Libraries/StellaOps.Attestor.StandardPredicates/Writers/CycloneDxWriter.Validation.cs -- CycloneDX-specific schema validation rules.
  • CycloneDX Parser Validation: Parsers/CycloneDxPredicateParser.Validation.cs -- validates CycloneDX input during parsing.
  • SPDX Validation: Parsers/SpdxPredicateParser.Validation.cs -- validates SPDX input during parsing.
  • SLSA Validation: Validation/SlsaSchemaValidator.cs (with .BuildDefinition, .Helpers, .Level, .RunDetails) -- SLSA provenance schema validation.
  • Binary Diff Schema: BinaryDiff/BinaryDiffSchema.SchemaJson.cs -- embedded JSON schema for binary diff predicates.
  • Tests: __Tests/StellaOps.Attestor.StandardPredicates.Tests/ValidationTests.cs

E2E Test Plan

  • Validate a well-formed CycloneDX 1.6 BOM via CycloneDxWriter.Validation and verify it passes
  • Validate a malformed CycloneDX BOM (missing required fields) and verify SchemaValidationResult fails with specific errors
  • Validate a well-formed SPDX 3.0.1 document via SpdxPredicateParser.Validation and verify it passes
  • Validate a malformed SPDX document and verify validation errors include JSON paths
  • Validate a CycloneDX serial number via CycloneDxPredicateParser.SerialNumber and verify it conforms to the CycloneDX urn:uuid:<UUID> format
  • Use validation results as a gating decision: block a pipeline submission when SBOM validation fails
  • Validate a SLSA provenance predicate and verify build definition and run details are checked
  • Verify SchemaValidationError provides actionable details: JSON path, human-readable message, severity level
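The validator, result and gating pieces listed under Implementation Details and exercised by the E2E test plan, as an added Python illustration that is not the Attestor project's C# code: a result type with pass/fail and path/message/severity errors, simplified CycloneDX and SPDX 3.0.1 rule sets, fail-closed dispatch on the in-toto predicateType, and a gate that blocks on configurable severities. The rule sets (a small subset of the real schemas), the predicateType map, the sample documents and every name below are assumptions made for illustration.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field


# Illustrative stand-ins for the SchemaValidationError / SchemaValidationResult
# shapes this page describes; NOT the Attestor project's types.
@dataclass(frozen=True)
class SchemaValidationError:
    path: str       # JSON path of the offending node
    message: str    # human-readable explanation
    severity: str   # "error" fails the result, "warning" is advisory


@dataclass
class SchemaValidationResult:
    errors: list[SchemaValidationError] = field(default_factory=list)

    @property
    def passed(self) -> bool:
        return not any(e.severity == "error" for e in self.errors)

    def add(self, path: str, message: str, severity: str = "error") -> None:
        self.errors.append(SchemaValidationError(path, message, severity))


# Assumed rule subset of the CycloneDX JSON schema: bomFormat literal, known
# specVersion, URN-UUID serialNumber (optional, hence a warning), type+name per component.
CDX_SERIAL_RE = re.compile(
    r"^urn:uuid:[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$")
CDX_SPEC_VERSIONS = {"1.4", "1.5", "1.6"}


def validate_cyclonedx(doc: dict) -> SchemaValidationResult:
    r = SchemaValidationResult()
    if doc.get("bomFormat") != "CycloneDX":
        r.add("$.bomFormat", "must be the literal string 'CycloneDX'")
    spec = doc.get("specVersion")
    if spec is None:
        r.add("$.specVersion", "required field is missing")
    elif spec not in CDX_SPEC_VERSIONS:
        r.add("$.specVersion", f"unsupported specVersion {spec!r}")
    if "serialNumber" not in doc:
        r.add("$.serialNumber", "absent; BOM cannot be referenced by serial", "warning")
    elif not CDX_SERIAL_RE.match(str(doc["serialNumber"])):
        r.add("$.serialNumber", "must match urn:uuid:<lowercase RFC 4122 UUID>")
    comps = doc.get("components", [])
    if not isinstance(comps, list):
        r.add("$.components", "must be an array")
        return r
    for i, comp in enumerate(comps):
        for key in ("type", "name"):
            if not isinstance(comp, dict) or key not in comp:
                r.add(f"$.components[{i}].{key}", "required field is missing")
    return r


# Assumed rule subset of SPDX 3.0.1 JSON-LD: 3.0.1 context, non-empty @graph,
# and type + spdxId on every element.
def validate_spdx3(doc: dict) -> SchemaValidationResult:
    r = SchemaValidationResult()
    if "3.0.1" not in str(doc.get("@context", "")):
        r.add("$['@context']", "must reference the SPDX 3.0.1 JSON-LD context")
    graph = doc.get("@graph")
    if not isinstance(graph, list) or not graph:
        r.add("$['@graph']", "must be a non-empty array of elements")
        return r
    for i, el in enumerate(graph):
        for key in ("type", "spdxId"):
            if not isinstance(el, dict) or key not in el:
                r.add(f"$['@graph'][{i}].{key}", "required field is missing")
    return r


# in-toto predicateType URIs conventionally used for the two SBOM formats.
PREDICATE_VALIDATORS = {
    "https://cyclonedx.org/bom": validate_cyclonedx,
    "https://spdx.dev/Document": validate_spdx3,
}


def validate_sbom_predicate(predicate_type: str, predicate: dict) -> SchemaValidationResult:
    """Dispatch on predicateType; an unregistered type is an error, never a silent pass."""
    validator = PREDICATE_VALIDATORS.get(predicate_type)
    if validator is None:
        r = SchemaValidationResult()
        r.add("$.predicateType", f"no schema registered for {predicate_type!r}")
        return r
    return validator(predicate)


def gate(result: SchemaValidationResult, block_on=("error",)) -> tuple[bool, list[str]]:
    """Gating decision: (allowed, reasons). block_on=("error", "warning") is strict mode."""
    blocking = [e for e in result.errors if e.severity in block_on]
    return (not blocking, [f"{e.severity} at {e.path}: {e.message}" for e in blocking])


# Constructed sample inputs, not project fixtures.
GOOD_CDX = {"bomFormat": "CycloneDX", "specVersion": "1.6",
            "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79",
            "components": [{"type": "library", "name": "zlib", "version": "1.3.1"}]}
BAD_CDX = {"bomFormat": "CycloneDX",                                  # specVersion missing
           "serialNumber": "3e671687-395b-41f5-a30f-a58921a69b79",    # bare UUID, no urn:uuid:
           "components": [{"type": "library"}]}                        # name missing
WARN_CDX = {"bomFormat": "CycloneDX", "specVersion": "1.6", "components": []}
GOOD_SPDX = {"@context": "https://spdx.org/rdf/3.0.1/spdx-context.jsonld",
             "@graph": [{"type": "SpdxDocument", "spdxId": "https://example.invalid/doc-1"}]}
BAD_SPDX = {"@context": "https://spdx.org/rdf/3.0.1/spdx-context.jsonld",
            "@graph": [{"type": "software_Package"}]}                  # spdxId missing

if __name__ == "__main__":
    for label, ptype, doc in [("good cdx", "https://cyclonedx.org/bom", GOOD_CDX),
                              ("bad cdx", "https://cyclonedx.org/bom", BAD_CDX),
                              ("bad spdx", "https://spdx.dev/Document", BAD_SPDX)]:
        allowed, reasons = gate(validate_sbom_predicate(ptype, doc))
        print(label, "ALLOW" if allowed else "BLOCK", *reasons, sep="\n  ")
```

Two choices matter for gating: the dispatcher fails closed on an unknown predicateType, and the gate takes the blocking severities as a parameter, so a pipeline can run advisory (block on error only) and tighten to strict (block on warning too) without changing the validators.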