Skip to content

SBOM attach: ocx package push --sbom FILE (CycloneDX, cosign-attest envelope) #100

Description

@michael-herwig

Part of #199. Depends on #198 (attestation engine) and #106 (capability detection).

Why

SBOMs let downstream consumers answer "what's inside this binary" without rebuilding. CycloneDX is the de facto SBOM format on package registries in 2026. With the attestation engine in place (#198), this is a thin predicate slice: read a CycloneDX file, wrap, sign, attach.

What

Add --sbom FILE flag to ocx package push. Behavior:

  1. Read the SBOM file; accept CycloneDX JSON 1.5, 1.6, or 1.7 by reading the BOM's specVersion field. Reject anything else with a clear error.
  2. Wrap in an in-toto Statement (_type = https://in-toto.io/Statement/v1) with the versionless predicate type https://cyclonedx.org/bom — the in-toto registered type. The BOM's specVersion carries the version; no …/bom/1.5-style versioned URIs.
  3. Sign + attach via the DSSE path from Attestation engine: in-toto/DSSE attach + verify #198. Attestation path ONLY — no raw SBOM referrer: do not add versioned MEDIA_TYPE_SBOM_*;version= constants, and drop the deprecated raw "attach sbom" vocabulary.
  4. Media-type constants land in crates/ocx_lib/src/oci/referrer/media_types.rs (data-only constant table; media_type.rs does not exist).

Out of scope v1: SPDX — revisit on federal-compliance demand.

Acceptance criteria

  • ocx package push --sbom sbom.cdx.json my-pkg:1.0.0 succeeds against a referrers-capable registry; DSSE subject digest equals the pushed package manifest digest.
  • CycloneDX 1.5, 1.6, and 1.7 fixtures all accepted; non-CycloneDX input rejected with a clear error.
  • SBOM referrer discoverable via list-referrers.
  • Acceptance test test/tests/test_sbom_attach_discover.py (shared with SBOM discovery: ocx package sbom #101): push with --sbom, discover via ocx package sbom.
  • Docs generator guidance: cargo cyclonedx --format json; document that cargo-cyclonedx v0.5.9 emits only ≤1.5 — do not promise 1.6+ generation.

References

Metadata

Metadata

Assignees

No one assigned

    Labels

    area/cliSubsystem: cliarea/ociSubsystem: ocisecuritySecurity-relevant change or hardening

    Fields

    No fields configured for Feature.

    Projects

    No projects

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions