Attestation

What is Attestation?

Lineaje checks the integrity of every component in the software supply chain of your application, including direct and transitive dependencies. The integrity is represented as an LCAL (Lineaje Component Attestation Level) on a scale of 0 to 4.

  • LCAL 0: Unknown Component

  • LCAL 1: Known Component

  • LCAL 2: Attested Component

  • LCAL 3: Attested Build & Source

  • LCAL 4: Fully Attested

Attested components (LCAL 2, 3 and 4) are those whose integrity check passed and whose provenance was verified; they are further classified as “Known” open-source, private, and/or third-party components.

Unattested components (LCAL 0 and 1) are those whose integrity check failed or whose provenance could not be verified; they are further classified as “Unknown” components.

How is attestation calculated?

SBOM360 validates software integrity with Lineaje's Deep Fingerprinting Technology and assigns an attestation status to each component. Each attestation level is based on the data found by Deep Fingerprinting Technology.

  • LCAL 0: Unknown Component

    • Component could not be resolved

    • Not EO14028 compliant

  • LCAL 1: Known Component

    • Component name and PURL are identified and attested

    • Package available at PURL location

    • Component fingerprints do not match

    • Not EO14028 compliant

  • LCAL 2: Attested Component

    • Component name and PURL are identified and attested

    • Package available at PURL location

    • Fingerprints match

    • EO14028 compliant with the attested components

  • LCAL 3: Attested Build & Source

    • Component package is Attested

    • Package source exists

    • Attested to be built from the source

    • EO14028 compliant with attested software supply chain and SBOM

  • LCAL 4: Fully Attested

    • Component package and source are untampered and malware free

    • Attestation shows no malicious code or tampering in, or between, the original source and the built output

    • Compatible with builds previously produced

    • EO14028 compliant with untampered, attested supply chain, and SBOM

Attestation for a project is calculated as the mean of the attestation scores of all its components.
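The ladder above is hierarchical: each LCAL requires everything the level below it requires, and the project score is the mean of the component scores. The following is an added example that models that ladder; it is not Lineaje's code. Lineaje's Deep Fingerprinting Technology is proprietary, so a SHA-256 digest of the package bytes stands in for the fingerprint (an assumption), and the `ComponentEvidence` field names and the sample components are constructed for illustration. Where the page does not say how a case is scored (a resolved PURL whose package is not retrievable), the example treats it as LCAL 0.

```python
# Added example (not Lineaje's code): a toy model of the LCAL ladder described
# on the Attestation page. SHA-256 stands in for Deep Fingerprinting (assumption);
# field names and sample data are hypothetical.
from collections import Counter
from dataclasses import dataclass
from statistics import mean
from typing import Dict, Iterable, Optional
import hashlib


@dataclass
class ComponentEvidence:
    name: str
    purl: Optional[str] = None                  # Package URL; None if the component could not be resolved
    package_available: bool = False             # package retrievable at the PURL location
    expected_fingerprint: Optional[str] = None  # fingerprint on record for the package
    observed_bytes: Optional[bytes] = None      # package bytes actually seen in the build
    source_exists: bool = False                 # upstream source located
    built_from_source: bool = False             # build attested to come from that source
    untampered_and_clean: bool = False          # no tamper or malicious code between source and output


def fingerprint(data: bytes) -> str:
    """Stand-in fingerprint: SHA-256 of the package bytes (assumption, not Deep Fingerprinting)."""
    return hashlib.sha256(data).hexdigest()


def lcal(c: ComponentEvidence) -> int:
    """Assign the LCAL (0-4) by walking the ladder bottom-up; each level
    requires everything the level below it requires."""
    # LCAL 0: component could not be resolved to a PURL with a retrievable package.
    if not (c.purl and c.package_available):
        return 0
    fingerprints_match = (
        c.expected_fingerprint is not None
        and c.observed_bytes is not None
        and fingerprint(c.observed_bytes) == c.expected_fingerprint
    )
    # LCAL 1: known (name, PURL and package), but fingerprints do not match.
    if not fingerprints_match:
        return 1
    # LCAL 2: attested package, but build/source provenance not established.
    if not (c.source_exists and c.built_from_source):
        return 2
    # LCAL 3: attested build and source, but chain integrity not fully verified.
    if not c.untampered_and_clean:
        return 3
    # LCAL 4: fully attested.
    return 4


def is_attested(level: int) -> bool:
    """Attested = LCAL 2, 3 or 4; Unattested = LCAL 0 or 1."""
    return level >= 2


def project_attestation(components: Iterable[ComponentEvidence]) -> float:
    """Project-level attestation: the mean of all component LCAL scores."""
    return float(mean(lcal(c) for c in components))


def level_counts(components: Iterable[ComponentEvidence]) -> Dict[int, int]:
    """Count components per LCAL, like the per-level tiles on the Attestation page."""
    return dict(Counter(lcal(c) for c in components))


# Constructed sample input: one component at each level.
PKG_BYTES = b"constructed package archive bytes for example-lib 1.2.3"
GOOD_FP = fingerprint(PKG_BYTES)

SAMPLE_COMPONENTS = [
    ComponentEvidence("unresolved-lib"),  # no PURL at all
    ComponentEvidence("mismatched-lib", purl="pkg:pypi/mismatched-lib@1.0.0",
                      package_available=True, expected_fingerprint=GOOD_FP,
                      observed_bytes=b"bytes that differ from the fingerprint on record"),
    ComponentEvidence("attested-lib", purl="pkg:pypi/attested-lib@1.2.3",
                      package_available=True, expected_fingerprint=GOOD_FP,
                      observed_bytes=PKG_BYTES),
    ComponentEvidence("built-lib", purl="pkg:pypi/built-lib@1.2.3",
                      package_available=True, expected_fingerprint=GOOD_FP,
                      observed_bytes=PKG_BYTES, source_exists=True, built_from_source=True),
    ComponentEvidence("full-lib", purl="pkg:pypi/full-lib@1.2.3",
                      package_available=True, expected_fingerprint=GOOD_FP,
                      observed_bytes=PKG_BYTES, source_exists=True, built_from_source=True,
                      untampered_and_clean=True),
]

if __name__ == "__main__":
    for comp in SAMPLE_COMPONENTS:
        lvl = lcal(comp)
        print(f"{comp.name:15s} LCAL {lvl}  {'attested' if is_attested(lvl) else 'unattested'}")
    print("per-level counts:", level_counts(SAMPLE_COMPONENTS))
    print("project attestation:", project_attestation(SAMPLE_COMPONENTS))
```

Running the script scores the five constructed components 0 through 4 and reports a project attestation of 2.0. The ordering of the checks matters: a fingerprint mismatch caps a component at LCAL 1 even if source and build evidence exist, which is why the mean of a project drops sharply when a tampered package appears among otherwise fully attested dependencies.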

Understanding Attestation

  • The count of components at each attestation level is displayed on the left, along with the category of the components (open-source, private, third-party, unknown).

  • Each tile is clickable and lists the components matching that filter in a table view. The details include the component name, version, and a capsule showing the attestation level.

  • Clicking the attestation-level capsule shows the next level of detail.

Last updated 1 year ago