save checkpoint
docs/features/checked/attestor/sbom-linkage-to-vex.md (normal file, 41 additions)
@@ -0,0 +1,41 @@
# SBOM Linkage to VEX

## Module
Attestor

## Status
VERIFIED

## Description
SBOM-to-VEX linkage with component reference extraction from both CycloneDX and SPDX SBOMs.

## Implementation Details
- **Component Ref Extractor**: `src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Linking/ComponentRefExtractor.cs` -- extracts component references from SBOMs for VEX cross-linking.
- `.Resolution` -- resolves PURL-to-bom-ref mappings for CycloneDX components.
- `.Spdx` -- extracts SPDXID references for SPDX components.
- **SBOM Extraction Result**: `Linking/SbomExtractionResult.cs` -- result containing extracted component references with PURLs and bom-refs/SPDXIDs.
- **VEX Proof Integrator**: `__Libraries/StellaOps.Attestor.ProofChain/Generators/VexProofIntegrator.cs` (with `.Helpers`, `.Metadata`) -- integrates SBOM component references into VEX decisions.
- **VEX Verdict Proof Payload**: `Generators/VexVerdictProofPayload.cs` -- combined payload linking VEX verdict to SBOM components.
- **SBOM Reference**: `Predicates/SbomReference.cs` -- reference to the source SBOM for linkage.
- **Micro-Witness SBOM Ref**: `Predicates/MicroWitnessSbomRef.cs` -- links function-level witness evidence to SBOM components.
- **VEX Override**: `__Libraries/StellaOps.Attestor.StandardPredicates/VexOverride/VexOverridePredicate.cs` -- VEX override linked to SBOM components.
- **Tests**: `__Tests/StellaOps.Attestor.ProofChain.Tests/ComponentRefExtractorTests.cs`

## E2E Test Plan
- [ ] Extract component refs from a CycloneDX SBOM via `ComponentRefExtractor.Resolution` and verify PURL-to-bom-ref mappings
- [ ] Extract component refs from an SPDX SBOM via `ComponentRefExtractor.Spdx` and verify SPDXID extraction
- [ ] Link extracted SBOM components to a VEX decision via `VexProofIntegrator` and verify the `VexVerdictProofPayload` contains the component reference
- [ ] Verify `SbomExtractionResult` contains all extracted components with PURLs
- [ ] Link a micro-witness to an SBOM component via `MicroWitnessSbomRef` and verify bom-ref cross-reference
- [ ] Create a VEX override via `VexOverridePredicate` linked to a specific SBOM component and verify the linkage
- [ ] Verify bidirectional linking: given a VEX statement, resolve the SBOM component; given an SBOM component, find all VEX statements

## Verification

| Check | Result |
|-------|--------|
| Tier 0 - Source Verification | PASS |
| Tier 1 - Build + Code Review | PASS |
| Tier 2 - Behavioral Verification | PASS |
| Verified Date | 2026-02-13 |
| Run ID | run-001 |
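Review bot: the Status and Verification sections contradict the E2E Test Plan: `## Status` says `VERIFIED` and the table reports `| Tier 2 - Behavioral Verification | PASS |`, yet every item under `## E2E Test Plan` is still an unchecked `- [ ]`. Either tick the items that run-001 actually exercised or state that the plan is pending; as written, the PASS is not traceable to any executed check. Related: the `- **Tests**:` bullet lists only `ComponentRefExtractorTests.cs`, which covers the extractor bullets but none of `VexProofIntegrator`, `VexVerdictProofPayload`, `MicroWitnessSbomRef` or `VexOverridePredicate`, so name the tests behind those plan items or mark them as gaps. Two documentation points: (1) the `SbomReference` bullet should say whether the reference pins the source SBOM by digest, because a CycloneDX `bom-ref` or an SPDXID is only unique within one document, so the bidirectional lookup in the last plan item (given an SBOM component, find all VEX statements) is only sound if PURL-to-bom-ref resolution is scoped to a specific SBOM digest rather than to a bare bom-ref string; (2) paths are given inconsistently (`src/Attestor/__Libraries/...` for the extractor, then `Linking/...`, `__Libraries/...`, `Generators/...` and `Predicates/...` for the rest), and `.Resolution` / `.Spdx` do not say whether they are partial-class files or members; pick one root and one convention so the file list can be checked against the tree.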