# SBOM Linkage to VEX

## Module

Attestor

## Status

VERIFIED

## Description

SBOM-to-VEX linkage with component reference extraction from both CycloneDX and SPDX SBOMs. PURLs are the cross-document key; `bom-ref` (CycloneDX) and `SPDXID` (SPDX) are the document-local keys that VEX statements and witness evidence resolve through.

## Implementation Details

- **Component Ref Extractor**: `src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Linking/ComponentRefExtractor.cs` -- extracts component references from SBOMs for VEX cross-linking.
  - `.Resolution` -- resolves PURL-to-bom-ref mappings for CycloneDX components.
  - `.Spdx` -- extracts SPDXID references for SPDX components.
- **SBOM Extraction Result**: `Linking/SbomExtractionResult.cs` -- result containing the extracted component references with their PURLs and bom-refs/SPDXIDs.
- **VEX Proof Integrator**: `__Libraries/StellaOps.Attestor.ProofChain/Generators/VexProofIntegrator.cs` (with `.Helpers`, `.Metadata`) -- integrates SBOM component references into VEX decisions.
- **VEX Verdict Proof Payload**: `Generators/VexVerdictProofPayload.cs` -- combined payload linking a VEX verdict to its SBOM components.
- **SBOM Reference**: `Predicates/SbomReference.cs` -- reference to the source SBOM for linkage.
- **Micro-Witness SBOM Ref**: `Predicates/MicroWitnessSbomRef.cs` -- links function-level witness evidence to SBOM components.
- **VEX Override**: `__Libraries/StellaOps.Attestor.StandardPredicates/VexOverride/VexOverridePredicate.cs` -- VEX override linked to SBOM components.
- **Tests**: `__Tests/StellaOps.Attestor.ProofChain.Tests/ComponentRefExtractorTests.cs`

## E2E Test Plan

- [ ] Extract component refs from a CycloneDX SBOM via `ComponentRefExtractor.Resolution` and verify the PURL-to-bom-ref mappings
- [ ] Extract component refs from an SPDX SBOM via `ComponentRefExtractor.Spdx` and verify SPDXID extraction
- [ ] Link extracted SBOM components to a VEX decision via `VexProofIntegrator` and verify the `VexVerdictProofPayload` contains the component reference
- [ ] Verify `SbomExtractionResult` contains all extracted components with PURLs
- [ ] Link a micro-witness to an SBOM component via `MicroWitnessSbomRef` and verify the bom-ref cross-reference
- [ ] Create a VEX override via `VexOverridePredicate` linked to a specific SBOM component and verify the linkage
- [ ] Verify bidirectional linking: given a VEX statement, resolve the SBOM component; given an SBOM component, find all VEX statements

## Verification

| Check | Result |
|-------|--------|
| Tier 0 - Source Verification | PASS |
| Tier 1 - Build + Code Review | PASS |
| Tier 2 - Behavioral Verification | PASS |
| Verified Date | 2026-02-13 |
| Run ID | run-001 |
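## Linkage Example

The extraction and bidirectional-linking steps described under Implementation Details and the E2E Test Plan, shown end to end as an added example. This is illustrative Python written for this page, not StellaOps code: the `ComponentRef`, `SbomExtractionResult`, `extract_cyclonedx`, `extract_spdx`, `link_vex` and `vex_for_component` names are assumptions chosen to mirror the plan, and the three documents are constructed samples. It takes a CycloneDX SBOM (with nested components), an SPDX SBOM (PURL carried in `externalRefs`), and a CycloneDX VEX document, normalises every `affects[].ref` to a PURL, fans out to the matching component in each SBOM, and also runs the reverse lookup. Components without a PURL and VEX refs that match nothing are recorded rather than silently dropped, since a dangling ref is exactly the thing a verifier must not paper over.

```python
"""SBOM-to-VEX linkage: extract component refs from CycloneDX and SPDX SBOMs, then
resolve VEX statements to components in both directions. Added example; not StellaOps
code. PURL is the cross-document key, bom-ref / SPDXID the document-local key."""
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass(frozen=True)
class ComponentRef:
    purl: str         # shared by CycloneDX and SPDX; the join key
    local_ref: str    # CycloneDX bom-ref or SPDX SPDXID; only meaningful inside its document
    sbom_format: str  # "cyclonedx" | "spdx"


@dataclass
class SbomExtractionResult:
    sbom_format: str
    by_purl: dict[str, ComponentRef] = field(default_factory=dict)
    by_local_ref: dict[str, ComponentRef] = field(default_factory=dict)
    unlinkable: list[str] = field(default_factory=list)  # refs that carry no PURL

    def add(self, purl: str | None, local_ref: str | None, fallback: str) -> None:
        if not purl or not local_ref:  # cannot be joined to VEX: record it, do not drop silently
            self.unlinkable.append(local_ref or fallback)
            return
        ref = ComponentRef(purl, local_ref, self.sbom_format)
        self.by_purl[purl] = ref
        self.by_local_ref[local_ref] = ref


def _walk(components: list | None):
    """CycloneDX components may nest; yield every level."""
    for c in components or []:
        yield c
        yield from _walk(c.get("components"))


def extract_cyclonedx(doc: dict) -> SbomExtractionResult:
    res = SbomExtractionResult("cyclonedx")
    for c in _walk(doc.get("components")):
        res.add(c.get("purl"), c.get("bom-ref"), c.get("name", "?"))
    return res


def extract_spdx(doc: dict) -> SbomExtractionResult:
    res = SbomExtractionResult("spdx")
    for p in doc.get("packages", []):
        purl = next((r.get("referenceLocator") for r in p.get("externalRefs", [])
                     if r.get("referenceType") == "purl"), None)
        res.add(purl, p.get("SPDXID"), p.get("name", "?"))
    return res


def link_vex(vex: dict, sboms: list[SbomExtractionResult]) -> dict:
    """CycloneDX VEX -> {vuln id: {state, components, unresolved}}. affects[].ref is a
    bom-ref (or, as some tools emit, a PURL); normalise to PURL, then fan out to every SBOM."""
    out = {}
    for v in vex.get("vulnerabilities", []):
        entry = {"state": v.get("analysis", {}).get("state"), "components": [], "unresolved": []}
        for a in v.get("affects", []):
            r = a.get("ref", "")
            purl = next((s.by_local_ref[r].purl for s in sboms if r in s.by_local_ref), None) \
                or next((r for s in sboms if r in s.by_purl), None)
            if purl is None:
                entry["unresolved"].append(r)  # dangling ref: surface it, never guess
                continue
            entry["components"].extend(s.by_purl[purl] for s in sboms if purl in s.by_purl)
        out[v["id"]] = entry
    return out


def vex_for_component(links: dict, purl: str) -> list[str]:
    """Reverse direction: every VEX statement that names this component."""
    return sorted(vid for vid, e in links.items() if any(c.purl == purl for c in e["components"]))


# Constructed sample documents (JSON-compatible dict literals), not real project artefacts.
CDX_SBOM = {
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "components": [
        {"type": "library", "bom-ref": "comp-lodash", "name": "lodash", "version": "4.17.20",
         "purl": "pkg:npm/lodash@4.17.20",
         "components": [{"type": "library", "bom-ref": "comp-lodash-es", "name": "lodash-es",
                         "version": "4.17.20", "purl": "pkg:npm/lodash-es@4.17.20"}]},
        {"type": "file", "bom-ref": "comp-config", "name": "app.config"},  # no PURL
    ],
}
SPDX_SBOM = {
    "spdxVersion": "SPDX-2.3", "SPDXID": "SPDXRef-DOCUMENT",
    "packages": [
        {"SPDXID": "SPDXRef-Package-lodash", "name": "lodash", "versionInfo": "4.17.20",
         "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                           "referenceLocator": "pkg:npm/lodash@4.17.20"}]},
        {"SPDXID": "SPDXRef-Package-openssl", "name": "openssl", "versionInfo": "3.0.7",
         "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                           "referenceLocator": "pkg:generic/openssl@3.0.7"}]},
        {"SPDXID": "SPDXRef-Package-internal", "name": "internal-lib"},  # no PURL
    ],
}
VEX_DOC = {  # CycloneDX VEX; refs are bom-refs from CDX_SBOM or PURLs
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "vulnerabilities": [
        {"id": "CVE-2021-23337", "affects": [{"ref": "comp-lodash"}],
         "analysis": {"state": "not_affected", "justification": "code_not_reachable"}},
        {"id": "CVE-2023-0286", "affects": [{"ref": "pkg:generic/openssl@3.0.7"}],
         "analysis": {"state": "affected"}},
        {"id": "EXAMPLE-0001", "affects": [{"ref": "comp-missing"}],  # placeholder id, dangling ref
         "analysis": {"state": "in_triage"}},
    ],
}


def demo() -> dict:
    cdx, spdx = extract_cyclonedx(CDX_SBOM), extract_spdx(SPDX_SBOM)
    return {"cdx": cdx, "spdx": spdx, "links": link_vex(VEX_DOC, [cdx, spdx])}


if __name__ == "__main__":
    for vid, e in demo()["links"].items():
        print(vid, e["state"], [(c.sbom_format, c.local_ref) for c in e["components"]], e["unresolved"])
```

Running it resolves `CVE-2021-23337` to both the CycloneDX `comp-lodash` and the SPDX `SPDXRef-Package-lodash` entries through the shared PURL, resolves the OpenSSL statement only to the SPDX document (the CycloneDX SBOM never listed it), and reports `comp-missing` as unresolved; `vex_for_component` then answers the reverse query in the last test-plan item. The `unlinkable` lists are the audit trail for components a VEX statement can never reach, which is what a verifier should surface before calling a linkage complete.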