You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Part of #199. Depends on #198 (attestation engine) and #106 (capability detection).
Why
SBOMs let downstream consumers answer "what's inside this binary" without rebuilding. CycloneDX is the de facto SBOM format on package registries in 2026. With the attestation engine in place (#198), this is a thin predicate slice: read a CycloneDX file, wrap, sign, attach.
What
Add --sbom FILE flag to ocx package push. Behavior:
Read the SBOM file; accept CycloneDX JSON 1.5, 1.6, or 1.7 by reading the BOM's specVersion field. Reject anything else with a clear error.
Wrap in an in-toto Statement (_type = https://in-toto.io/Statement/v1) with the versionless predicate type https://cyclonedx.org/bom — the in-toto registered type. The BOM's specVersion carries the version; no …/bom/1.5-style versioned URIs.
Sign + attach via the DSSE path from Attestation engine: in-toto/DSSE attach + verify #198. Attestation path ONLY — no raw SBOM referrer: do not add versioned MEDIA_TYPE_SBOM_*;version= constants, and drop the deprecated raw "attach sbom" vocabulary.
Media-type constants land in crates/ocx_lib/src/oci/referrer/media_types.rs (data-only constant table; media_type.rs does not exist).
Out of scope v1: SPDX — revisit on federal-compliance demand.
Acceptance criteria
ocx package push --sbom sbom.cdx.json my-pkg:1.0.0 succeeds against a referrers-capable registry; DSSE subject digest equals the pushed package manifest digest.
CycloneDX 1.5, 1.6, and 1.7 fixtures all accepted; non-CycloneDX input rejected with a clear error.
SBOM referrer discoverable via list-referrers.
Acceptance test test/tests/test_sbom_attach_discover.py (shared with SBOM discovery: ocx package sbom #101): push with --sbom, discover via ocx package sbom.
Docs generator guidance: cargo cyclonedx --format json; document that cargo-cyclonedx v0.5.9 emits only ≤1.5 — do not promise 1.6+ generation.
Part of #199. Depends on #198 (attestation engine) and #106 (capability detection).
Why
SBOMs let downstream consumers answer "what's inside this binary" without rebuilding. CycloneDX is the de facto SBOM format on package registries in 2026. With the attestation engine in place (#198), this is a thin predicate slice: read a CycloneDX file, wrap, sign, attach.
What
Add
--sbom FILEflag toocx package push. Behavior:specVersionfield. Reject anything else with a clear error._type=https://in-toto.io/Statement/v1) with the versionless predicate typehttps://cyclonedx.org/bom— the in-toto registered type. The BOM'sspecVersioncarries the version; no…/bom/1.5-style versioned URIs.MEDIA_TYPE_SBOM_*;version=constants, and drop the deprecated raw "attach sbom" vocabulary.crates/ocx_lib/src/oci/referrer/media_types.rs(data-only constant table;media_type.rsdoes not exist).Out of scope v1: SPDX — revisit on federal-compliance demand.
Acceptance criteria
ocx package push --sbom sbom.cdx.json my-pkg:1.0.0succeeds against a referrers-capable registry; DSSEsubjectdigest equals the pushed package manifest digest.test/tests/test_sbom_attach_discover.py(shared with SBOM discovery:ocx package sbom#101): push with--sbom, discover viaocx package sbom.cargo cyclonedx --format json; document that cargo-cyclonedx v0.5.9 emits only ≤1.5 — do not promise 1.6+ generation.References