diff --git a/README.md b/README.md
index edbda72f..3e5642f9 100644
--- a/README.md
+++ b/README.md
@@ -87,3 +87,69 @@ transmute vcwg issue-credential ./tests/fixtures/private.sig.jwk.json ./tests/fi See [scripts](./scripts/) for more examples. TODO: all command examples + +## Use Cases + +### Software Supply Chain + +#### In Search of Transparency + +##### Product Integrity + +```bash + +sbom-tool generate -b ./dist -bc ./ -pn transmute -ps transmute.industries -pv `jq -r .version package.json` -nsu `git rev-parse --verify HEAD` + +transmute scitt issue-statement ./tests/fixtures/private.notary.key.cbor ./dist/_manifest/spdx_2.2/manifest.spdx.json \ +--iss https://software.vendor.example \ +--sub `jq -r .documentNamespace ./dist/_manifest/spdx_2.2/manifest.spdx.json` \ +--content-type application/spdx+json \ +--location https://github.com/transmute-industries/transmute/blob/main/dist/_manifest/spdx_2.2/manifest.spdx.json \ +--output ./dist/_manifest/spdx_2.2/manifest.spdx.scitt.cbor + +transmute scitt issue-receipt ./tests/fixtures/private.notary.key.cbor ./dist/_manifest/spdx_2.2/manifest.spdx.scitt.cbor \ +--iss https://software.notary.example \ +--sub `jq -r .documentNamespace ./dist/_manifest/spdx_2.2/manifest.spdx.json` \ +--log ./tests/fixtures/trans.json \ +--output ./dist/_manifest/spdx_2.2/manifest.spdx.scitt.cbor + +transmute scitt verify-receipt-hash ./tests/fixtures/public.notary.key.cbor ./dist/_manifest/spdx_2.2/manifest.spdx.scitt.cbor `cat ./dist/_manifest/spdx_2.2/manifest.spdx.json.sha256` + +``` + +command line image of build script execution + +##### Compliance Automation + +```yaml +name: CI +on: [push] +jobs: + scitt: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + - name: Push Transparency + uses: transmute-industries/transmute@main + with: + neo4j-uri: ${{ secrets.NEO4J_URI }} + neo4j-user: ${{ secrets.NEO4J_USERNAME }} + neo4j-password: ${{ secrets.NEO4J_PASSWORD }} + transmute: | + graph assist ./dist/_manifest/spdx_2.2/manifest.spdx.scitt.cbor \ + --credential-type application/cose \ + --graph-type application/gql \ + 
--push
+```
+
+graph query results
+
+```
+MATCH (statement {
+ subject: 'https://spdx.org/spdxdocs/sbom-tool-2.2.7-66a07f86-0f12-4c6f-887b-9a1510b11d8a/transmute/0.9.2/2e57d4b2d9b45cccdd74dad91edbaabaa06074f9'
+})
+MATCH (receipt {
+ subject: statement.subject
+})
+RETURN statement, receipt
+```
diff --git a/docs/build.png b/docs/build.png
new file mode 100644
index 00000000..f9b5823e
Binary files /dev/null and b/docs/build.png differ
diff --git a/docs/receipt.png b/docs/receipt.png
new file mode 100644
index 00000000..bf837a27
Binary files /dev/null and b/docs/receipt.png differ
diff --git a/src/graph/collate/collate.ts b/src/graph/collate/collate.ts
index 4a7725d4..ac99b60d 100644
--- a/src/graph/collate/collate.ts
+++ b/src/graph/collate/collate.ts
@@ -13,6 +13,8 @@ export const collate = async (data: Uint8Array, inputType = 'application/cose',
 const payload = decoded.value[2].toString('hex')
 let sig = header.get(Protected.Alg)
 let hash = header.get(Protected.PayloadHashAlgorithm)
+ const payloadPreImageContentType = header.get(Protected.PayloadPreImageContentType)
+ const payloadLocation = header.get(Protected.PayloadLocation)
 const cwtClaims = header.get(Protected.CWTClaims)
 const iat = cwtClaims.get(6)
 const iss = cwtClaims.get(1)
@@ -35,7 +37,8 @@ export const collate = async (data: Uint8Array, inputType = 'application/cose',
 hash_value: payload,
 hash_algorithm: hash,
 signature_algorithm: sig,
- content_type: 'application/cose',
+ content_type: payloadPreImageContentType,
+ location: payloadLocation,
 labels: ['scitt-statement'],
 };
 nodes[statement.id] = statement;
@@ -50,7 +53,7 @@ export const collate = async (data: Uint8Array, inputType = 'application/cose',
 const iss = cwtClaims.get(1)
 const sub = cwtClaims.get(2)
 if (vds === VerifiableDataStructures["RFC9162-Binary-Merkle-Tree"]) {
- vds = "RFC9162-Binary-Merkle-Tree"
+ vds = "Binary Merkle Tree"
 }
 if (alg === Signature.ES256) {
 alg = 'ES256'
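Review bot: The two new protected-header reads in the first collate.ts hunk (`payloadPreImageContentType`, `payloadLocation`) flow into the statement node in the second hunk without any shape check, so a statement whose header omits either label now yields `content_type: undefined` where the old code always emitted a string, and a non-text CBOR value (bytes, a nested map) would be stored as-is in a node that, per the README's CI example, is later pushed to a graph database. I would narrow at the read site: `const rawLocation = header.get(Protected.PayloadLocation)` followed by `const payloadLocation = typeof rawLocation === 'string' ? rawLocation : undefined`, with the same pattern for the content type, and decide explicitly whether a missing content type should be rejected rather than silently written as `undefined`. It is also worth a comment on the `location:` property noting that it is an issuer-asserted hint — covered by the signature but neither fetched nor checked by collate — so consumers must treat it as untrusted input rather than a verified source of the payload. The enclosing `collate` function begins before these hunks and continues after them.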
@@ -69,7 +72,7 @@ export const collate = async (data: Uint8Array, inputType = 'application/cose',
 }
 nodes[receipt.id] = receipt
 if (vdp === 'RFC9162-Inclusion-Proof') {
- vdp = 'Notarization'
+ vdp = 'Inclusion Proof'
 }
 const edge = {
 source: receipt.id,