Add tests for SBOM generation determinism across multiple formats

- Created `StellaOps.TestKit.Tests` project for unit tests related to determinism. - Implemented `DeterminismManifestTests` to validate deterministic output for canonical bytes and strings, file read/write operations, and error handling for invalid schema versions. - Added `SbomDeterminismTests` to ensure identical inputs produce consistent SBOMs across SPDX 3.0.1 and CycloneDX 1.6/1.7 formats, including parallel execution tests. - Updated project references in `StellaOps.Integration.Determinism` to include the new determinism testing library.
2025-12-23 18:56:12 +02:00
parent 7ac70ece71
commit 491e883653
409 changed files with 23797 additions and 17779 deletions
--- a/docs/vex/consensus-json.md
+++ b/docs/vex/consensus-json.md
@@ -1,52 +1,6 @@
-# Excitor consensus JSON sample (beta)
+# Archived: VEX Consensus JSON

-```jsonc
-{
-  "vulnId": "CVE-2025-12345",
-  "productKey": "pkg:maven/org.apache.commons/commons-text@1.11.0",
-  "rollupStatus": "NOT_AFFECTED",
-  "sources": [
-    {
-      "providerId": "redhat",
-      "status": "NOT_AFFECTED",
-      "justification": "component_not_present",
-      "weight": 0.62,
-      "trust": {
-        "tier": "distro",
-        "note": "tier=distro;weight=0.62",
-        "weight": 0.62,
-        "cosign": {
-          "issuer": "https://issuer.redhat.com",
-          "identityPattern": "spiffe://redhat/vex/*"
-        },
-        "pgpFingerprints": [
-          "04F2C0A87B1D9E90B1D8A35DCEB5ABCD12345678"
-        ]
-      },
-      "lastObserved": "2025-11-04T18:22:31Z",
-      "accepted": true,
-      "reason": "trust-tier vendor, signed OpenVEX"
-    },
-    {
-      "providerId": "github",
-      "status": "AFFECTED",
-      "justification": null,
-      "weight": 0.27,
-      "trust": {
-        "tier": "community",
-        "note": "tier=community;weight=0.27",
-        "weight": 0.27
-      },
-      "lastObserved": "2025-11-05T01:12:03Z",
-      "accepted": false,
-      "reason": "lower trust tier and stale statement"
-    }
-  ],
-  "policyRevisionId": "vex-consensus-policy@2025-11-05",
-  "evaluatedAt": "2025-11-05T02:05:14Z",
-  "consensusDigest": "sha256:41f2d96728b24f7a8b7f1251983b8edccd1e0f5781d4a51e51c8e6b20c1fa31a"
-}
-```
+This document was consolidated during docs cleanup.

-> **Note:** This payload is generated from the beta consensus endpoint and is subject to change prior to GA. Keys and semantics are documented alongside API previews in `docs/modules/excitor/README.md`.
-> **New:** `sources[].trust` mirrors the `vex.provenance.*` envelope emitted by Excititor connectors (provider weight/tier, cosign hints, PGP fingerprints). VEX Lens copies the raw metadata so Policy Engine, Console, and Advisory AI can explain consensus decisions without replaying ingestion.
+- Canonical guide: `docs/16_VEX_CONSENSUS_GUIDE.md`
+- Module dossier: `docs/modules/vex-lens/architecture.md`