stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity
Files
fa4823f46c4bc090294580a9136fb6b0e11e50f9
git.stella-ops.org/docs/features/unchecked/attestor/spdx-3-0-1-writer-with-build-attestation-and-canonical-persistence.md

3.0 KiB
Raw Blame History

SPDX 3.0.1 Writer with Build Attestation and Canonical Persistence

Module

Attestor

Status

IMPLEMENTED

Description

SPDX 3.0 writer with build profile support, dedicated SPDX3 library for bidirectional build attestation mapping, combined document building with attestation/profile support, and canonical persistence.

Implementation Details

  • SPDX Writer: src/Attestor/__Libraries/StellaOps.Attestor.StandardPredicates/Writers/SpdxWriter.cs (with 40+ partials: .Convert, .ConvertLite, .Document, .Packages, .PackageConvert, .Relationships, .RelationshipMap, .Licensing, .LicensingCollect, .LicenseConvert, .Hashing, .Signatures, .Profiles, .Agents, .Builds, .Assessments, .AiPackage, .DatasetPackage, .Vulnerabilities, .Extensions, .ExternalIds, .ExternalRefs, .FileElement, .Snippets, .Imports, .Helpers, .MapHelpers, .IdBuilders, .IdValidation, .NamespaceMap, .CollectIds, .CreationInfo) -- comprehensive SPDX 3.0.1 writer.
  • SPDX3 Build Attestation Mapper: __Libraries/StellaOps.Attestor.Spdx3/BuildAttestationMapper.cs (with .MapFromSpdx3, .MapToSpdx3) -- bidirectional mapping between SPDX3 build profiles and internal attestation models.
  • Build Models: BuildAttestationPayload.cs, BuildInvocation.cs, BuildMaterial.cs, BuildMetadata.cs, BuilderInfo.cs, ConfigSource.cs -- build attestation data models.
  • Combined Document Builder: CombinedDocumentBuilder.cs (with .Attestation, .Build, .Profiles) -- builds combined SPDX3 documents with attestation and profile support.
  • Combined Document Extensions: CombinedDocumentExtensions.cs -- extension methods for combined documents.
  • DSSE SPDX3 Signer: DsseSpdx3Signer.cs (with .Encoding, .SignAsync, .SignBuildProfile, .Verify) -- DSSE signing for SPDX3 documents.
  • Build Relationship Builder: BuildRelationshipBuilder.cs (with .Linking) -- builds SPDX3 build relationships.
  • SPDX3 Serializer: ISpdx3Serializer.cs -- serializer interface for canonical SPDX3 output.
  • Tests: __Tests/StellaOps.Attestor.Spdx3.Tests/, __Tests/StellaOps.Attestor.StandardPredicates.Tests/SpdxWriterTests.cs

E2E Test Plan

  • Write an SPDX 3.0.1 document via SpdxWriter with packages, relationships, and licensing; verify well-formed output
  • Map a build attestation to SPDX3 via BuildAttestationMapper.MapToSpdx3 and verify build profile data
  • Map an SPDX3 build profile back via .MapFromSpdx3 and verify round-trip fidelity
  • Build a combined document via CombinedDocumentBuilder with both SBOM and attestation profiles
  • Sign the SPDX3 document via DsseSpdx3Signer.SignBuildProfile and verify the DSSE envelope
  • Verify the signed document via DsseSpdx3Signer.Verify and confirm signature validity
  • Write SPDX3 with AI package and dataset package profiles and verify profile-specific data is included
  • Verify canonical persistence: serialize the same document twice and confirm byte-identical output