stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity
Files
fa4823f46c4bc090294580a9136fb6b0e11e50f9
git.stella-ops.org/docs/features/unchecked/attestor/verifiable-sbom-to-vex-chain.md

3.0 KiB
Raw Blame History

Verifiable SBOM-to-VEX Chain

Module

Attestor

Status

IMPLEMENTED

Description

VEX proof integrator links VEX statements to SBOM components with component ref extraction, SBOM linkage statements, and VEX attestation predicates for chain verification.

Implementation Details

  • VEX Proof Integrator: src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Generators/VexProofIntegrator.cs (with .Helpers, .Metadata) -- integrates VEX proofs with SBOM component references, embedding proof metadata (proof_ref, proof_method, proof_confidence) into VEX verdicts.
  • VEX Verdict Proof Payload: Generators/VexVerdictProofPayload.cs -- payload containing VEX verdict with proof references linking back to SBOM components.
  • Component Ref Extractor: Linking/ComponentRefExtractor.cs (with .Resolution, .Spdx) -- extracts component references from SBOMs (CycloneDX bom-ref, SPDX SPDXID) for cross-linking with VEX statements.
  • SBOM Extraction Result: Linking/SbomExtractionResult.cs -- result of extracting component references from an SBOM document.
  • SBOM Linkage Payload: Statements/SbomLinkagePayload.cs -- payload for SBOM-to-VEX linkage statements, binding SBOM digest to VEX document reference.
  • VEX Attestation Predicate: Predicates/VexAttestationPredicate.cs -- attestation predicate for VEX statements with proof chain references.
  • VEX Verdict Summary: Predicates/VexVerdictSummary.cs -- summary of VEX verdicts per component/CVE.
  • VEX Document Reference: Predicates/VexDocumentReference.cs -- reference to a VEX document by digest and URI.
  • VEX Status Counts: Predicates/VexStatusCounts.cs -- counts of VEX statuses (affected, not_affected, fixed, under_investigation).
  • SBOM Reference: Predicates/SbomReference.cs -- reference to an SBOM document for linkage.
  • VEX Verdict Statement: Statements/VexVerdictStatement.cs -- in-toto statement wrapping the VEX verdict.
  • Tests: __Tests/StellaOps.Attestor.ProofChain.Tests/

E2E Test Plan

  • Extract component refs from a CycloneDX SBOM via ComponentRefExtractor and verify bom-ref IDs are captured for all components
  • Extract component refs from an SPDX SBOM via .Spdx and verify SPDXID references are captured
  • Create an SbomLinkagePayload linking an SBOM digest to a VEX document reference and verify the chain is valid
  • Integrate a VEX proof via VexProofIntegrator and verify the VexVerdictProofPayload contains proof_ref, proof_method, and proof_confidence
  • Build a VexAttestationPredicate with multiple component verdicts and verify each references the correct SBOM component ref
  • Verify SBOM-to-VEX chain: given an SBOM with 5 components and VEX with 3 affected, verify VexStatusCounts shows 3 affected and 2 not_assessed
  • Create a VEX verdict statement and verify it is a valid in-toto statement with SBOM linkage metadata
  • Attempt to link a VEX to an SBOM with mismatched component refs and verify the integrator detects the mismatch