Attestation

What is Attestation?

Lineaje checks the integrity of every component in the software supply chain of your application, including direct and transitive dependencies. The integrity is represented as an LCAL (Lineaje Component Attestation Level) on a scale of 0-4.

  • LCAL 0: Unknown Component

  • LCAL 1: Known Component

  • LCAL 2: Attested Component

  • LCAL 3: Attested Build & Source

  • LCAL 4: Fully Attested

Attested components are those whose integrity check passed along with their provenance, which further classifies them as a “Known” open-source, private, and/or third-party component (LCAL 2, 3, and 4).

Unattested components are those whose integrity check failed, or whose provenance could not be verified, which further classifies them as an “Unknown” component (LCAL 0 and 1).

How is attestation calculated?

SBOM360 validates software integrity with Lineaje's Deep Fingerprinting Technology and assigns an attestation status to each component. Each attestation level is based on the data found by Deep Fingerprinting Technology.

  • LCAL 0: Unknown Component

    • Component could not be resolved

    • Not EO14028 compliant

  • LCAL 1: Known Component

    • Component name and PURL are identified and attested

    • Package available at PURL location

    • Component fingerprints do not match

    • Not EO14028 compliant

  • LCAL 2: Attested Component

    • Component name and PURL are identified and attested

    • Package available at PURL location

    • Fingerprints match

    • EO14028 compliant with the attested components

  • LCAL 3: Attested Build & Source

    • Component package is Attested

    • Package source exists

    • Attested to be built from the source

    • EO14028 compliant with attested software supply chain and SBOM

  • LCAL 4: Fully Attested

    • Component package and source are untampered and malware free

    • Attestation shows no malicious code nor tamper in or between original source and built output

    • Compatible with builds previously produced

    • EO14028 compliant with untampered, attested supply chain, and SBOM

Attestation for a project is calculated based on the mean value of attestation scores of all components.
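The LCAL ladder above and the project-level mean can be expressed as a small decision function. The following is an added example, not Lineaje's or SBOM360's own code: the evidence field names (purl_identified, package_at_purl, fingerprints_match, source_exists, built_from_source, untampered_and_malware_free) and the sample component records are assumptions constructed here; the level criteria and the mean-of-levels aggregate follow the list above. A component that fails any LCAL 1 criterion (PURL not identified, or package not available at the PURL location) is treated as unresolved and stays at LCAL 0, which is the reading of "component could not be resolved" used here.

```python
from dataclasses import dataclass
from statistics import mean
from collections import Counter


@dataclass
class ComponentEvidence:
    """Evidence gathered for one component (field names are assumptions, not Lineaje's schema)."""
    name: str
    purl_identified: bool = False              # component name and PURL identified
    package_at_purl: bool = False              # package available at the PURL location
    fingerprints_match: bool = False           # Deep Fingerprinting result for the package
    source_exists: bool = False                # package source exists
    built_from_source: bool = False            # attested to be built from that source
    untampered_and_malware_free: bool = False  # no tamper/malware in or between source and build


LCAL_NAMES = {
    0: "Unknown Component",
    1: "Known Component",
    2: "Attested Component",
    3: "Attested Build & Source",
    4: "Fully Attested",
}


def lcal(ev: ComponentEvidence) -> int:
    """Assign the LCAL (0-4) by walking the ladder; the first unmet criterion stops the climb."""
    # LCAL 1 requires name + PURL identified and the package present at the PURL location.
    # Assumption: missing either means the component could not be resolved (LCAL 0).
    if not (ev.purl_identified and ev.package_at_purl):
        return 0
    # LCAL 2 additionally requires matching fingerprints.
    if not ev.fingerprints_match:
        return 1
    # LCAL 3 additionally requires source to exist and the build to be attested from it.
    if not (ev.source_exists and ev.built_from_source):
        return 2
    # LCAL 4 additionally requires the package and source to be untampered and malware free.
    if not ev.untampered_and_malware_free:
        return 3
    return 4


def is_attested(level: int) -> bool:
    """LCAL 2, 3 and 4 are attested; LCAL 0 and 1 are unattested."""
    return level >= 2


def project_attestation(components: list[ComponentEvidence]) -> float:
    """Project attestation: mean of the LCAL values of all components."""
    return mean(lcal(c) for c in components)


def summarize(components: list[ComponentEvidence]) -> dict:
    """Counts per level plus attested/unattested totals, as a dashboard tile would show them."""
    levels = [lcal(c) for c in components]
    per_level = Counter(levels)
    return {
        "per_level": {f"LCAL {n}": per_level.get(n, 0) for n in range(5)},
        "attested": sum(1 for l in levels if is_attested(l)),
        "unattested": sum(1 for l in levels if not is_attested(l)),
        "project_attestation": project_attestation(components),
    }


# Constructed sample SBOM: one component per level plus an unresolvable one.
SAMPLE = [
    ComponentEvidence("openssl", True, True, True, True, True, True),     # LCAL 4
    ComponentEvidence("zlib", True, True, True, True, True, False),       # LCAL 3
    ComponentEvidence("libfoo-private", True, True, True, False, False),  # LCAL 2
    ComponentEvidence("left-pad", True, True, False),                     # LCAL 1 (fingerprint mismatch)
    ComponentEvidence("mystery-blob"),                                    # LCAL 0 (nothing resolved)
    ComponentEvidence("curl", purl_identified=True, package_at_purl=False),  # LCAL 0 (package missing at PURL)
]

if __name__ == "__main__":
    for c in SAMPLE:
        lv = lcal(c)
        print(f"{c.name:15} LCAL {lv} ({LCAL_NAMES[lv]}) attested={is_attested(lv)}")
    print(summarize(SAMPLE))
```

The ordering of the checks matters: fingerprints are only consulted once the package is actually resolved, and source provenance only once the fingerprints match, so a component never earns a higher level than the evidence below it supports. Note that the mean can hide a single LCAL 0 component among many LCAL 4 ones, which is why the per-level counts are worth reporting alongside it.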

Understanding Attestation

  • The count of components at each attestation level is displayed on the left, along with the category of the components (open-source, private, third-party, unknown).

  • Each tile is clickable and lists the components matching that filter in a table view. The table shows the component name, version, and a capsule for the attestation level.

  • Clicking the attestation level capsule shows the next level of detail, as illustrated below.
