
updates
OR13 committed Aug 13, 2024
1 parent c4c76a1 commit 90724ed
Showing 4 changed files with 72 additions and 3 deletions.
66 changes: 66 additions & 0 deletions README.md
Expand Up @@ -87,3 +87,69 @@ transmute vcwg issue-credential ./tests/fixtures/private.sig.jwk.json ./tests/fi
See [scripts](./scripts/) for more examples.

TODO: all command examples

## Use Cases

### Software Supply Chain

#### In Search of Transparency

##### Product Integrity

```bash

sbom-tool generate -b ./dist -bc ./ -pn transmute -ps transmute.industries -pv `jq -r .version package.json` -nsu `git rev-parse --verify HEAD`

transmute scitt issue-statement ./tests/fixtures/private.notary.key.cbor ./dist/_manifest/spdx_2.2/manifest.spdx.json \
--iss https://software.vendor.example \
--sub `jq -r .documentNamespace ./dist/_manifest/spdx_2.2/manifest.spdx.json` \
--content-type application/spdx+json \
--location https://github.com/transmute-industries/transmute/blob/main/dist/_manifest/spdx_2.2/manifest.spdx.json \
--output ./dist/_manifest/spdx_2.2/manifest.spdx.scitt.cbor

transmute scitt issue-receipt ./tests/fixtures/private.notary.key.cbor ./dist/_manifest/spdx_2.2/manifest.spdx.scitt.cbor \
--iss https://software.notary.example \
--sub `jq -r .documentNamespace ./dist/_manifest/spdx_2.2/manifest.spdx.json` \
--log ./tests/fixtures/trans.json \
--output ./dist/_manifest/spdx_2.2/manifest.spdx.scitt.cbor

transmute scitt verify-receipt-hash ./tests/fixtures/public.notary.key.cbor ./dist/_manifest/spdx_2.2/manifest.spdx.scitt.cbor `cat ./dist/_manifest/spdx_2.2/manifest.spdx.json.sha256`

```

<img src="./docs/build.png" alt="command line image of build script execution" />

##### Compliance Automation

```yaml
name: CI
on: [push]
jobs:
scitt:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Push Transparency
uses: transmute-industries/transmute@main
with:
neo4j-uri: ${{ secrets.NEO4J_URI }}
neo4j-user: ${{ secrets.NEO4J_USERNAME }}
neo4j-password: ${{ secrets.NEO4J_PASSWORD }}
transmute: |
graph assist ./dist/_manifest/spdx_2.2/manifest.spdx.scitt.cbor \
--credential-type application/cose \
--graph-type application/gql \
--push
```
<img src="./docs/receipt.png.png" alt="graph query results" />
```
MATCH (statement {
subject: 'https://spdx.org/spdxdocs/sbom-tool-2.2.7-66a07f86-0f12-4c6f-887b-9a1510b11d8a/transmute/0.9.2/2e57d4b2d9b45cccdd74dad91edbaabaa06074f9'
})
MATCH (receipt {
subject: statement.subject
})
RETURN statement, receipt
```
Binary file added docs/build.png
Binary file added docs/receipt.png
9 changes: 6 additions & 3 deletions src/graph/collate/collate.ts
Expand Up @@ -13,6 +13,8 @@ export const collate = async (data: Uint8Array, inputType = 'application/cose',
const payload = decoded.value[2].toString('hex')
let sig = header.get(Protected.Alg)
let hash = header.get(Protected.PayloadHashAlgorithm)
const payloadPreImageContentType = header.get(Protected.PayloadPreImageContentType)
const payloadLocation = header.get(Protected.PayloadLocation)
const cwtClaims = header.get(Protected.CWTClaims)
const iat = cwtClaims.get(6)
const iss = cwtClaims.get(1)
Expand All @@ -35,7 +37,8 @@ export const collate = async (data: Uint8Array, inputType = 'application/cose',
hash_value: payload,
hash_algorithm: hash,
signature_algorithm: sig,
content_type: 'application/cose',
content_type: payloadPreImageContentType,
location: payloadLocation,
labels: ['scitt-statement'],
};
nodes[statement.id] = statement;
Expand All @@ -50,7 +53,7 @@ export const collate = async (data: Uint8Array, inputType = 'application/cose',
const iss = cwtClaims.get(1)
const sub = cwtClaims.get(2)
if (vds === VerifiableDataStructures["RFC9162-Binary-Merkle-Tree"]) {
vds = "RFC9162-Binary-Merkle-Tree"
vds = "Binary Merkle Tree"
}
if (alg === Signature.ES256) {
alg = 'ES256'
Expand All @@ -69,7 +72,7 @@ export const collate = async (data: Uint8Array, inputType = 'application/cose',
}
nodes[receipt.id] = receipt
if (vdp === 'RFC9162-Inclusion-Proof') {
vdp = 'Notarization'
vdp = 'Inclusion Proof'
}
const edge = {
source: receipt.id,
Expand Down
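Review bot: The two header reads added in the first hunk (`payloadPreImageContentType`, `payloadLocation`) are written into the statement node in the second hunk without any presence or type check, so a statement whose protected header omits either label now yields `content_type: undefined` where the previous line always wrote the string `'application/cose'`, and `location` carries whatever the issuer placed in the header. Because these node properties feed a graph that is pushed and queried downstream (the README in this commit shows them reaching Neo4j), I would narrow both to strings at the point of reading, e.g. `const rawLocation = header.get(Protected.PayloadLocation)` followed by `const payloadLocation = typeof rawLocation === 'string' ? rawLocation : undefined`, and do the same for the content type. A one-line comment on the `content_type` property, such as `// content type of the signed pre-image, not of the COSE envelope (see inputType)`, would also record the semantic change this hunk makes. The body of `collate` starts and ends outside these hunks, so I cannot tell whether `header.get` is already typed to return `unknown` or `any`.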
