# SBOM Linkage Statement (in-toto predicate)

## Module

Attestor

## Status

VERIFIED

## Description

SBOM linkage statement model with SBOM descriptor (format, spec version, digest), generator info, incomplete subjects tracking, and tags for tenant/project/pipeline.

## Implementation Details

- **SBOM Linkage Statement**: `src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Statements/SbomLinkageStatement.cs` -- in-toto statement wrapping the SBOM linkage predicate.
- **SBOM Linkage Payload**: `Statements/SbomLinkagePayload.cs` -- payload containing SBOM descriptor, generator info, incomplete subjects, and tags.
- **SBOM Descriptor**: `Statements/SbomDescriptor.cs` -- descriptor with format (CycloneDX 1.6, SPDX 3.0.1), spec version, and content digest.
- **Generator Descriptor**: `Statements/GeneratorDescriptor.cs` -- metadata about the SBOM generation tool (name, version, timestamp).
- **Incomplete Subject**: `Statements/IncompleteSubject.cs` -- tracks subjects that could not be fully resolved during SBOM generation (missing digests, unresolved PURLs).
- **Statement Builder**: `Builders/StatementBuilder.cs` (with `.Extended`) -- builds SBOM linkage statements with proper subject bindings.
- **Proof Subject**: `Builders/ProofSubject.cs` -- subject with name and digest map for the SBOM linkage.
- **DSSE Signing**: `Signing/ProofChainSigner.cs` -- signs SBOM linkage statements.
- **Tests**: `__Tests/StellaOps.Attestor.ProofChain.Tests/SbomLinkageTests.cs`

## E2E Test Plan

- [ ] Create an `SbomLinkageStatement` with a CycloneDX SBOM descriptor and verify the statement structure
- [ ] Verify `SbomDescriptor` captures format="CycloneDX", specVersion="1.6", and the SHA-256 digest of the SBOM document
- [ ] Verify `GeneratorDescriptor` captures the tool name, version, and generation timestamp
- [ ] Add `IncompleteSubject` entries for unresolved components and verify they are tracked in the payload
- [ ] Build the statement via `StatementBuilder` with subject bindings and verify the in-toto subject list
- [ ] Sign the SBOM linkage statement into a DSSE envelope and verify the signature
- [ ] Add tags (tenant, project, pipeline) to the payload and verify they are present in the signed statement
- [ ] Create an SPDX linkage statement and verify the format field is "SPDX" with specVersion="3.0.1"

## Verification

| Check | Result |
|-------|--------|
| Tier 0 - Source Verification | PASS |
| Tier 1 - Build + Code Review | PASS |
| Tier 2 - Behavioral Verification | PASS |
| Verified Date | 2026-02-13 |
| Run ID | run-001 |
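The shape of the statement the test plan exercises, as an added stand-alone example rather than the project's C# code: an in-toto v1 Statement whose predicate carries the SBOM descriptor (format, spec version, SHA-256 of the document), generator info, incomplete subjects and tags, wrapped in a DSSE envelope and verified over the DSSE pre-authentication encoding. The predicate type URI, the sample CycloneDX document, and the HMAC stand-in for the real signer are assumptions of this example.

```python
import base64
import hashlib
import hmac
import json

# Placeholder predicate type: the real URI is project-specific and not stated on the page.
PREDICATE_TYPE = "https://example.invalid/sbom-linkage/v1"
PAYLOAD_TYPE = "application/vnd.in-toto+json"

# Constructed sample CycloneDX 1.6 document (minimal, used only to compute the digest).
SAMPLE_SBOM = json.dumps({"bomFormat": "CycloneDX", "specVersion": "1.6",
                          "components": [{"name": "libfoo", "version": "1.2.3"}]}).encode()

def build_linkage_statement(sbom_bytes, fmt, spec_version, subjects, generator, incomplete, tags):
    """Assemble an in-toto v1 Statement whose predicate links the subjects to one SBOM."""
    return {
        "_type": "https://in-toto.io/Statement/v1",
        "subject": [{"name": n, "digest": {"sha256": d}} for n, d in subjects],
        "predicateType": PREDICATE_TYPE,
        "predicate": {
            "sbom": {"format": fmt, "specVersion": spec_version,
                     "digest": {"sha256": hashlib.sha256(sbom_bytes).hexdigest()}},
            "generator": generator,              # name, version, timestamp
            "incompleteSubjects": incomplete,    # subjects the generator could not resolve
            "tags": tags,                        # tenant / project / pipeline
        },
    }

def pae(payload_type: str, payload: bytes) -> bytes:
    """DSSE pre-authentication encoding: this byte string, not the raw JSON, is what gets signed."""
    return b"DSSEv1 %d %s %d " % (len(payload_type), payload_type.encode(), len(payload)) + payload

def dsse_envelope(statement: dict, key: bytes) -> dict:
    """Wrap the statement in a DSSE envelope. HMAC-SHA256 stands in for a real asymmetric signer."""
    payload = json.dumps(statement, sort_keys=True, separators=(",", ":")).encode()
    sig = hmac.new(key, pae(PAYLOAD_TYPE, payload), hashlib.sha256).digest()
    return {"payloadType": PAYLOAD_TYPE,
            "payload": base64.b64encode(payload).decode(),
            "signatures": [{"keyid": "demo-hmac", "sig": base64.b64encode(sig).decode()}]}

def verify_envelope(env: dict, key: bytes):
    """Recompute the PAE from the envelope's own payloadType and payload; return the statement only on a match."""
    payload = base64.b64decode(env["payload"])
    expected = hmac.new(key, pae(env["payloadType"], payload), hashlib.sha256).digest()
    for s in env["signatures"]:
        if hmac.compare_digest(base64.b64decode(s["sig"]), expected):
            return json.loads(payload)
    return None
```

Because the payload type is bound into the PAE, changing `payloadType` on an otherwise untouched envelope invalidates the signature, which is the property a verifier relies on when it refuses to interpret a signed blob under a different type.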