stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 3 Releases Wiki Activity

save checkpoint

Browse Source
This commit is contained in:
master
2026-02-14 09:11:48 +02:00
parent 9ca2de05df
commit e9aeadc040
1512 changed files with 30863 additions and 4728 deletions
Download Patch File Download Diff File Expand all files Collapse all files

39
docs/features/checked/attestor/sbom-vex-bom-ref-cross-linking.md Normal file
View File

@@ -0,0 +1,39 @@
# SBOM-VEX bom-ref Cross-Linking (ComponentRefExtractor)
## Module
Attestor
## Status
VERIFIED
## Description
Bidirectional linking between VEX statements and SBOM components via CycloneDX bom-ref and SPDX SPDXID extraction, with PURL-to-bom-ref resolution service.
## Implementation Details
- **Component Ref Extractor**: `src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Linking/ComponentRefExtractor.cs` -- core extractor for SBOM component references.
- `.Resolution` -- resolves PURL-to-bom-ref mappings for CycloneDX components, enabling VEX statements to reference components by PURL and resolve to bom-ref.
- `.Spdx` -- extracts SPDXID references from SPDX documents for cross-linking.
- **SBOM Extraction Result**: `Linking/SbomExtractionResult.cs` -- result containing all extracted component references with PURLs, bom-refs, and SPDXIDs.
- **SBOM Reference**: `__Libraries/StellaOps.Attestor.ProofChain/Predicates/SbomReference.cs` -- reference model linking to a specific SBOM for cross-referencing.
- **Micro-Witness SBOM Ref**: `Predicates/MicroWitnessSbomRef.cs` -- links function-level witness evidence to specific SBOM components by bom-ref.
- **VEX Override Evidence Reference**: `__Libraries/StellaOps.Attestor.StandardPredicates/VexOverride/EvidenceReference.cs` -- links VEX override decisions to SBOM component evidence.
- **Tests**: `__Tests/StellaOps.Attestor.ProofChain.Tests/ComponentRefExtractorTests.cs`
## E2E Test Plan
- [ ] Extract bom-refs from a CycloneDX SBOM via `ComponentRefExtractor` and verify each component has a unique bom-ref
- [ ] Resolve PURLs to bom-refs via `.Resolution` and verify bidirectional mapping (PURL -> bom-ref and bom-ref -> PURL)
- [ ] Extract SPDXIDs from an SPDX document via `.Spdx` and verify each package has a unique SPDXID
- [ ] Verify `SbomExtractionResult` contains all components with PURLs, bom-refs, and/or SPDXIDs
- [ ] Link a VEX statement to an SBOM component by bom-ref and verify the cross-reference
- [ ] Link a `MicroWitnessSbomRef` to a specific bom-ref and verify the function evidence is linked to the correct component
- [ ] Verify cross-linking works for components with multiple identifiers (PURL + bom-ref + CPE)
## Verification
| Check | Result |
|-------|--------|
| Tier 0 - Source Verification | PASS |
| Tier 1 - Build + Code Review | PASS |
| Tier 2 - Behavioral Verification | PASS |
| Verified Date | 2026-02-13 |
| Run ID | run-001 |