Add SBOM, symbols, traces, and VEX files for CVE-2022-21661 SQLi case

- Created CycloneDX and SPDX SBOM files for both reachable and unreachable images.
- Added symbols.json detailing function entry and sink points in the WordPress code.
- Included runtime traces for function calls in both reachable and unreachable scenarios.
- Developed OpenVEX files indicating vulnerability status and justification for both cases.
- Updated README for evaluator harness to guide integration with scanner output.

src/Concelier/StellaOps.Concelier.WebService/Program.cs

@@ -82,6 +82,8 @@ builder.Services.AddOptions<ConcelierOptions>()
     })
     .ValidateOnStart();
 
+builder.Services.AddStellaOpsCrypto(concelierOptions.Crypto);
+
 builder.ConfigureConcelierTelemetry(concelierOptions);
 
 builder.Services.TryAddSingleton<TimeProvider>(_ => TimeProvider.System);
@@ -387,6 +389,14 @@ var advisoryIngestEndpoint = app.MapPost("/ingest/advisory", async (
         return authorizationError;
     }
 
+    using var ingestScope = logger.BeginScope(new Dictionary<string, object?>(StringComparer.Ordinal)
+    {
+        ["tenant"] = tenant,
+        ["source.vendor"] = ingestRequest.Source.Vendor,
+        ["upstream.upstreamId"] = ingestRequest.Upstream.UpstreamId,
+        ["contentHash"] = ingestRequest.Upstream.ContentHash ?? "(null)"
+    });
+
     AdvisoryRawDocument document;
     try
     {
@@ -423,12 +433,12 @@ var advisoryIngestEndpoint = app.MapPost("/ingest/advisory", async (
             context.Response.Headers.Location = $"/advisories/raw/{Uri.EscapeDataString(result.Record.Id)}";
         }
 
-        IngestionMetrics.WriteCounter.Add(1, new[]
-        {
-            new KeyValuePair<string, object?>("tenant", tenant),
-            new KeyValuePair<string, object?>("source", result.Record.Document.Source.Vendor),
-            new KeyValuePair<string, object?>("result", result.Inserted ? "inserted" : "duplicate")
-        });
+        IngestionMetrics.IngestionWriteCounter.Add(
+            1,
+            IngestionMetrics.BuildWriteTags(
+                tenant,
+                ingestRequest.Source.Vendor ?? "(unknown)",
+                result.Inserted ? "inserted" : "duplicate"));
 
         return JsonResult(response, statusCode);
     }
@@ -443,12 +453,12 @@ var advisoryIngestEndpoint = app.MapPost("/ingest/advisory", async (
             string.IsNullOrWhiteSpace(document.Upstream.ContentHash) ? "(empty)" : document.Upstream.ContentHash,
             string.Join(',', guardException.Violations.Select(static violation => violation.ErrorCode)));
 
-        IngestionMetrics.ViolationCounter.Add(1, new[]
-        {
-            new KeyValuePair<string, object?>("tenant", tenant),
-            new KeyValuePair<string, object?>("source", document.Source.Vendor),
-            new KeyValuePair<string, object?>("code", guardException.PrimaryErrorCode)
-        });
+        IngestionMetrics.IngestionWriteCounter.Add(
+            1,
+            IngestionMetrics.BuildWriteTags(
+                tenant,
+                ingestRequest.Source.Vendor ?? "(unknown)",
+                "rejected"));
 
         return MapAocGuardException(context, guardException);
     }
@@ -467,25 +477,8 @@ advisoryIngestEndpoint.RequireAocGuard<AdvisoryIngestRequest>(request =>
         return Array.Empty<object?>();
     }
 
-    var linkset = request.Linkset ?? new AdvisoryLinksetRequest(
-        Array.Empty<string>(),
-        Array.Empty<string>(),
-        Array.Empty<string>(),
-        Array.Empty<AdvisoryLinksetReferenceRequest>(),
-        Array.Empty<string>(),
-        new Dictionary<string, string>(StringComparer.Ordinal));
-
-    var payload = new
-    {
-        tenant = "guard-tenant",
-        source = request.Source,
-        upstream = request.Upstream,
-        content = request.Content,
-        identifiers = request.Identifiers,
-        linkset
-    };
-
-    return new object?[] { payload };
+    var guardDocument = AdvisoryRawRequestMapper.Map(request, "guard-tenant", TimeProvider.System);
+    return new object?[] { guardDocument };
 }, guardOptions: advisoryIngestGuardOptions);
 
 if (authorityConfigured)
@@ -796,11 +789,9 @@ var aocVerifyEndpoint = app.MapPost("/aoc/verify", async (
     var verificationOutcome = response.Truncated
         ? "truncated"
         : (violationResponses.Length == 0 ? "ok" : "violations");
-    IngestionMetrics.VerificationCounter.Add(1, new[]
-    {
-        new KeyValuePair<string, object?>("tenant", tenant),
-        new KeyValuePair<string, object?>("result", verificationOutcome)
-    });
+    IngestionMetrics.VerificationCounter.Add(
+        1,
+        IngestionMetrics.BuildVerifyTags(tenant, verificationOutcome));
 
     return JsonResult(response);
 });