Add unit tests for SBOM ingestion and transformation

- Implement `SbomIngestServiceCollectionExtensionsTests` to verify the SBOM ingestion pipeline exports snapshots correctly.
- Create `SbomIngestTransformerTests` to ensure the transformation produces expected nodes and edges, including deduplication of license nodes and normalization of timestamps.
- Add `SbomSnapshotExporterTests` to test the export functionality for manifest, adjacency, nodes, and edges.
- Introduce `VexOverlayTransformerTests` to validate the transformation of VEX nodes and edges.
- Set up project file for the test project with necessary dependencies and configurations.
- Include JSON fixture files for testing purposes.

tests/Graph/StellaOps.Graph.Indexer.Tests/Fixtures/v1/nodes.json

@@ -0,0 +1,280 @@
+[
+  {
+    "kind": "artifact",
+    "tenant": "tenant-alpha",
+    "canonical_key": {
+      "tenant": "tenant-alpha",
+      "artifact_digest": "sha256:aaa111",
+      "sbom_digest": "sha256:sbom111"
+    },
+    "attributes": {
+      "display_name": "registry.example.com/team/app:1.2.3",
+      "artifact_digest": "sha256:aaa111",
+      "sbom_digest": "sha256:sbom111",
+      "environment": "prod",
+      "labels": [
+        "critical",
+        "payments"
+      ],
+      "origin_registry": "registry.example.com",
+      "supply_chain_stage": "deploy"
+    },
+    "provenance": {
+      "source": "scanner.sbom.v1",
+      "collected_at": "2025-10-30T12:00:00Z",
+      "sbom_digest": "sha256:sbom111",
+      "event_offset": 1182
+    },
+    "valid_from": "2025-10-30T12:00:00Z",
+    "valid_to": null,
+    "id": "gn:tenant-alpha:artifact:RX033HH7S6JXMY66QM51S89SX76B3JXJHWHPXPPBJCD05BR3GVXG",
+    "hash": "891601471f7dea636ec2988966b3aee3721a1faedb7e1c8e2834355eb4e31cfd"
+  },
+  {
+    "kind": "artifact",
+    "tenant": "tenant-alpha",
+    "canonical_key": {
+      "tenant": "tenant-alpha",
+      "artifact_digest": "sha256:base000",
+      "sbom_digest": "sha256:sbom-base"
+    },
+    "attributes": {
+      "display_name": "registry.example.com/base/runtime:2025.09",
+      "artifact_digest": "sha256:base000",
+      "sbom_digest": "sha256:sbom-base",
+      "environment": "prod",
+      "labels": [
+        "base-image"
+      ],
+      "origin_registry": "registry.example.com",
+      "supply_chain_stage": "build"
+    },
+    "provenance": {
+      "source": "scanner.sbom.v1",
+      "collected_at": "2025-10-22T08:00:00Z",
+      "sbom_digest": "sha256:sbom-base",
+      "event_offset": 800
+    },
+    "valid_from": "2025-10-22T08:00:00Z",
+    "valid_to": null,
+    "id": "gn:tenant-alpha:artifact:KD207PSJ36Q0B19CT8K8H2FQCV0HGQRNK8QWHFXE1VWAKPF9XH00",
+    "hash": "11593184fe6aa37a0e1d1909d4a401084a9ca452959a369590ac20d4dff77bd8"
+  },
+  {
+    "kind": "component",
+    "tenant": "tenant-alpha",
+    "canonical_key": {
+      "tenant": "tenant-alpha",
+      "purl": "pkg:nuget/Newtonsoft.Json@13.0.3",
+      "source_type": "inventory"
+    },
+    "attributes": {
+      "purl": "pkg:nuget/Newtonsoft.Json@13.0.3",
+      "version": "13.0.3",
+      "ecosystem": "nuget",
+      "scope": "runtime",
+      "license_spdx": "MIT",
+      "usage": "direct"
+    },
+    "provenance": {
+      "source": "scanner.sbom.v1",
+      "collected_at": "2025-10-30T12:00:01Z",
+      "sbom_digest": "sha256:sbom111",
+      "event_offset": 1183
+    },
+    "valid_from": "2025-10-30T12:00:01Z",
+    "valid_to": null,
+    "id": "gn:tenant-alpha:component:BQSZFXSPNGS6M8XEQZ6XX3E7775XZQABM301GFPFXCQSQSA1WHZ0",
+    "hash": "e4c22e7522573b746c654bb6bdd05d01db1bcd34db8b22e5e12d2e8528268786"
+  },
+  {
+    "kind": "component",
+    "tenant": "tenant-alpha",
+    "canonical_key": {
+      "tenant": "tenant-alpha",
+      "purl": "pkg:nuget/System.Text.Encoding.Extensions@4.7.0",
+      "source_type": "inventory"
+    },
+    "attributes": {
+      "purl": "pkg:nuget/System.Text.Encoding.Extensions@4.7.0",
+      "version": "4.7.0",
+      "ecosystem": "nuget",
+      "scope": "runtime",
+      "license_spdx": "MIT",
+      "usage": "transitive"
+    },
+    "provenance": {
+      "source": "scanner.sbom.v1",
+      "collected_at": "2025-10-30T12:00:01Z",
+      "sbom_digest": "sha256:sbom111",
+      "event_offset": 1184
+    },
+    "valid_from": "2025-10-30T12:00:01Z",
+    "valid_to": null,
+    "id": "gn:tenant-alpha:component:FZ9EHXFFGPDQAEKAPWZ4JX5X6KYS467PJ5D1Y4T9NFFQG2SG0DV0",
+    "hash": "b941ff7178451b7a0403357d08ed8996e8aea1bf40032660e18406787e57ce3f"
+  },
+  {
+    "kind": "file",
+    "tenant": "tenant-alpha",
+    "canonical_key": {
+      "tenant": "tenant-alpha",
+      "artifact_digest": "sha256:aaa111",
+      "normalized_path": "/src/app/Program.cs",
+      "content_sha256": "sha256:bbb222"
+    },
+    "attributes": {
+      "normalized_path": "/src/app/Program.cs",
+      "content_sha256": "sha256:bbb222",
+      "language_hint": "csharp",
+      "size_bytes": 3472,
+      "scope": "build"
+    },
+    "provenance": {
+      "source": "scanner.layer.v1",
+      "collected_at": "2025-10-30T12:00:02Z",
+      "sbom_digest": "sha256:sbom111",
+      "event_offset": 1185
+    },
+    "valid_from": "2025-10-30T12:00:02Z",
+    "valid_to": null,
+    "id": "gn:tenant-alpha:file:M1MWHCXA66MQE8FZMPK3RNRMN7Z18H4VGWX6QTNNBKABFKRACKDG",
+    "hash": "a0a7e7b6ff4a8357bea3273e38b3a3d801531a4f6b716513b7d4972026db3a76"
+  },
+  {
+    "kind": "license",
+    "tenant": "tenant-alpha",
+    "canonical_key": {
+      "tenant": "tenant-alpha",
+      "license_spdx": "Apache-2.0",
+      "source_digest": "sha256:ccc333"
+    },
+    "attributes": {
+      "license_spdx": "Apache-2.0",
+      "name": "Apache License 2.0",
+      "classification": "permissive",
+      "notice_uri": "https://www.apache.org/licenses/LICENSE-2.0"
+    },
+    "provenance": {
+      "source": "scanner.sbom.v1",
+      "collected_at": "2025-10-30T12:00:03Z",
+      "sbom_digest": "sha256:sbom111",
+      "event_offset": 1186
+    },
+    "valid_from": "2025-10-30T12:00:03Z",
+    "valid_to": null,
+    "id": "gn:tenant-alpha:license:7SDDWTRKXYG9MBK89X7JFMAQRBEZHV1NFZNSN2PBRZT5H0FHZB90",
+    "hash": "790f1d803dd35d9f77b08977e4dd3fc9145218ee7c68524881ee13b7a2e9ede8"
+  },
+  {
+    "tenant": "tenant-alpha",
+    "kind": "advisory",
+    "canonical_key": {
+      "advisory_id": "GHSA-1234-5678-90AB",
+      "advisory_source": "ghsa",
+      "content_hash": "sha256:ddd444",
+      "tenant": "tenant-alpha"
+    },
+    "attributes": {
+      "advisory_source": "ghsa",
+      "advisory_id": "GHSA-1234-5678-90AB",
+      "severity": "HIGH",
+      "published_at": "2025-10-25T09:00:00Z",
+      "content_hash": "sha256:ddd444",
+      "linkset_digest": "sha256:linkset001"
+    },
+    "provenance": {
+      "source": "concelier.linkset.v1",
+      "collected_at": "2025-10-30T12:05:10Z",
+      "sbom_digest": null,
+      "event_offset": 3100
+    },
+    "valid_from": "2025-10-25T09:00:00Z",
+    "valid_to": null,
+    "id": "gn:tenant-alpha:advisory:RFGYXZ2TG0BF117T3HCX3XYAZFXPD72991QD0JZWDVY7FXYY87R0",
+    "hash": "df4b4087dc6bf4c8b071ce808b97025036a6d33d30ea538a279a4f55ed7ffb8e"
+  },
+  {
+    "tenant": "tenant-alpha",
+    "kind": "vex_statement",
+    "canonical_key": {
+      "content_hash": "sha256:eee555",
+      "statement_id": "statement-789",
+      "tenant": "tenant-alpha",
+      "vex_source": "vendor-x"
+    },
+    "attributes": {
+      "status": "not_affected",
+      "statement_id": "statement-789",
+      "justification": "component not present",
+      "issued_at": "2025-10-27T14:30:00Z",
+      "expires_at": "2026-10-27T14:30:00Z",
+      "content_hash": "sha256:eee555"
+    },
+    "provenance": {
+      "source": "excititor.vex.v1",
+      "collected_at": "2025-10-30T12:06:00Z",
+      "sbom_digest": null,
+      "event_offset": 3302
+    },
+    "valid_from": "2025-10-27T14:30:00Z",
+    "valid_to": null,
+    "id": "gn:tenant-alpha:vex_statement:BVRF35CX6TZTHPD7YFHYTJJACPYJD86JP7C74SH07QT9JT82NDSG",
+    "hash": "4b613e2b8460c542597bbc70b8ba3e6796c3e1d261d0c74ce30fba42f7681f25"
+  },
+  {
+    "kind": "policy_version",
+    "tenant": "tenant-alpha",
+    "canonical_key": {
+      "tenant": "tenant-alpha",
+      "policy_pack_digest": "sha256:fff666",
+      "effective_from": "2025-10-28T00:00:00Z"
+    },
+    "attributes": {
+      "policy_pack_digest": "sha256:fff666",
+      "policy_name": "Default Runtime Policy",
+      "effective_from": "2025-10-28T00:00:00Z",
+      "expires_at": "2026-01-01T00:00:00Z",
+      "explain_hash": "sha256:explain001"
+    },
+    "provenance": {
+      "source": "policy.engine.v1",
+      "collected_at": "2025-10-28T00:00:05Z",
+      "sbom_digest": null,
+      "event_offset": 4100
+    },
+    "valid_from": "2025-10-28T00:00:00Z",
+    "valid_to": "2026-01-01T00:00:00Z",
+    "id": "gn:tenant-alpha:policy_version:YZSMWHHR6Y5XR1HFRBV3H5TR6GMZVN9BPDAAVQEACV7XRYP06390",
+    "hash": "a8539c4d611535c3afcfd406a08208ab3bbfc81f6e31f87dd727b7d8bd9c4209"
+  },
+  {
+    "kind": "runtime_context",
+    "tenant": "tenant-alpha",
+    "canonical_key": {
+      "tenant": "tenant-alpha",
+      "runtime_fingerprint": "pod-abc123",
+      "collector": "zastava.v1",
+      "observed_at": "2025-10-30T12:15:00Z"
+    },
+    "attributes": {
+      "runtime_fingerprint": "pod-abc123",
+      "collector": "zastava.v1",
+      "observed_at": "2025-10-30T12:15:00Z",
+      "cluster": "prod-cluster-1",
+      "namespace": "payments",
+      "workload_kind": "deployment",
+      "runtime_state": "Running"
+    },
+    "provenance": {
+      "source": "signals.runtime.v1",
+      "collected_at": "2025-10-30T12:15:05Z",
+      "sbom_digest": null,
+      "event_offset": 5109
+    },
+    "valid_from": "2025-10-30T12:15:00Z",
+    "valid_to": null,
+    "id": "gn:tenant-alpha:runtime_context:EFVARD7VM4710F8554Q3NGH0X8W7XRF3RDARE8YJWK1H3GABX8A0",
+    "hash": "0294c4131ba98d52674ca31a409488b73f47a193cf3a13cede8671e6112a5a29"
+  }
+]