# SBOM-First Pipeline (Scanner -> Sbomer -> Authority -> Graphs)

## Module

Attestor

## Status

VERIFIED

## Description

End-to-end SBOM-first pipeline: the scanner produces SBOMs, the Attestor parses CycloneDX/SPDX predicates, and the Graph module ingests the SBOMs for indexing.

## Implementation Details

- **CycloneDX Parser**: `src/Attestor/__Libraries/StellaOps.Attestor.StandardPredicates/Parsers/CycloneDxPredicateParser.cs` (with `.ExtractMetadata`, `.ExtractSbom`, `.SerialNumber`, `.Validation`) -- parses CycloneDX SBOMs from scanner output.
- **SPDX Parser**: `Parsers/SpdxPredicateParser.cs` (with `.ExtractMetadata`, `.ExtractSbom`, `.Validation`) -- parses SPDX documents from scanner output.
- **SBOM Models**: `Models/SbomDocument.cs` (with `.Collections`) -- internal SBOM document model. `SbomService.cs` (with `.Collections`) -- service layer models.
- **SBOM Linkage**: `__Libraries/StellaOps.Attestor.ProofChain/Statements/SbomLinkagePayload.cs` -- payload linking an SBOM to evidence. `SbomLinkageStatement.cs` -- in-toto statement.
- **SBOM Descriptor**: `Statements/SbomDescriptor.cs` -- descriptor with format, spec version, and digest.
- **Component Ref Extractor**: `__Libraries/StellaOps.Attestor.ProofChain/Linking/ComponentRefExtractor.cs` (with `.Resolution`, `.Spdx`) -- extracts component references for cross-linking.
- **SBOM Extraction Result**: `Linking/SbomExtractionResult.cs` -- result of SBOM extraction with components and relationships.
- **Pipeline Models**: `Pipeline/ProofChainRequest.cs`, `ProofChainResult.cs`, `PipelineSubject.cs` -- pipeline orchestration.
- **Persistence**: `__Libraries/StellaOps.Attestor.Persistence/Entities/SbomEntryEntity.cs` -- persists SBOM entries.
- **Tests**: `__Tests/StellaOps.Attestor.StandardPredicates.Tests/CycloneDxParserTests.cs`, `SpdxParserTests.cs`

## E2E Test Plan

- [ ] Parse a CycloneDX 1.6 BOM via `CycloneDxPredicateParser` and verify all components are extracted into the internal model
- [ ] Parse an SPDX 3.0.1 document via `SpdxPredicateParser` and verify packages and relationships are extracted
- [ ] Build an `SbomLinkageStatement` linking the parsed SBOM to its pipeline subject and verify the linkage
- [ ] Extract component references via `ComponentRefExtractor` from CycloneDX (bom-ref) and SPDX (SPDXID) and verify cross-linking
- [ ] Run the pipeline from SBOM input through linkage to proof chain output via `ProofChainRequest`/`ProofChainResult`
- [ ] Persist the SBOM entry via `SbomEntryEntity` and verify retrieval by digest
- [ ] Verify `SbomDescriptor` captures format (CycloneDX/SPDX), spec version, and document digest
- [ ] Verify `SbomExtractionResult` captures all components with PURLs for downstream indexing

## Verification

| Check | Result |
|-------|--------|
| Tier 0 - Source Verification | PASS |
| Tier 1 - Build + Code Review | PASS |
| Tier 2 - Behavioral Verification | PASS |
| Verified Date | 2026-02-13 |
| Run ID | run-001 |
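As an added illustration (not the module's C# code), the parse, component-ref extraction and descriptor steps of the test plan above in Python: the dataclass names mirror the page's `SbomDescriptor`/`SbomExtractionResult` but their fields are assumed, the SPDX branch assumes the SPDX 2.x JSON layout (SPDX 3.x JSON-LD is shaped differently and is not handled), and the sample BOM is constructed.

```python
from __future__ import annotations
import hashlib, json
from dataclasses import dataclass, field

# Hypothetical stand-ins for the module's SbomDescriptor/SbomExtractionResult types; not its code.
@dataclass
class SbomDescriptor:
    format: str        # "CycloneDX" or "SPDX"
    spec_version: str
    digest: str        # sha256 over canonical (sorted-key, compact) JSON bytes
@dataclass
class Component:
    ref: str           # CycloneDX bom-ref or SPDX SPDXID: the cross-linking key
    name: str
    purl: str | None   # a missing PURL is kept as None rather than failing ingestion
@dataclass
class SbomExtractionResult:
    descriptor: SbomDescriptor
    components: list[Component] = field(default_factory=list)
    relationships: list[tuple[str, str, str]] = field(default_factory=list)

def sbom_digest(doc: dict) -> str:
    canonical = json.dumps(doc, sort_keys=True, separators=(",", ":")).encode()
    return "sha256:" + hashlib.sha256(canonical).hexdigest()

def extract_sbom(doc: dict) -> SbomExtractionResult:
    # Dispatch on the document's self-declared format; anything else is rejected.
    if doc.get("bomFormat") == "CycloneDX":
        desc = SbomDescriptor("CycloneDX", doc["specVersion"], sbom_digest(doc))
        comps = [Component(c["bom-ref"], c["name"], c.get("purl"))
                 for c in doc.get("components", [])]
        rels = [(d["ref"], "DEPENDS_ON", t)  # normalised to SPDX's relationship vocabulary
                for d in doc.get("dependencies", []) for t in d.get("dependsOn", [])]
    elif str(doc.get("spdxVersion", "")).startswith("SPDX-"):  # SPDX 2.x JSON layout assumed
        desc = SbomDescriptor("SPDX", doc["spdxVersion"][len("SPDX-"):], sbom_digest(doc))
        comps = [Component(p["SPDXID"], p["name"],
                           next((r["referenceLocator"] for r in p.get("externalRefs", [])
                                 if r.get("referenceType") == "purl"), None))
                 for p in doc.get("packages", [])]
        rels = [(r["spdxElementId"], r["relationshipType"], r["relatedSpdxElement"])
                for r in doc.get("relationships", [])]
    else:
        raise ValueError("not a recognised CycloneDX or SPDX JSON document")
    return SbomExtractionResult(desc, comps, rels)

# Constructed CycloneDX 1.6 fragment (not real scanner output) for a quick local run.
SAMPLE_CDX = {"bomFormat": "CycloneDX", "specVersion": "1.6",
              "components": [{"bom-ref": "app", "name": "app"}, {"bom-ref": "lodash", "name": "lodash",
                                                                 "purl": "pkg:npm/lodash@4.17.21"}],
              "dependencies": [{"ref": "app", "dependsOn": ["lodash"]}]}
```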