# SBOM-to-VEX Proof Pipeline

## Module

Attestor

## Status

VERIFIED

## Description

Full SBOM-to-VEX proof pipeline with pipeline request/result models, SBOM component extraction, VEX proof integration, and Rekor transparency log entries.

## Implementation Details

- **Pipeline Request/Result**: `src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Pipeline/ProofChainRequest.cs`, `ProofChainResult.cs` -- pipeline orchestration models.
- **Pipeline Subject**: `Pipeline/PipelineSubject.cs` -- subject being processed through the pipeline.
- **Rekor Entry**: `Pipeline/RekorEntry.cs` -- Rekor transparency log entry from pipeline output.
- **Component Ref Extractor**: `Linking/ComponentRefExtractor.cs` (with `.Resolution`, `.Spdx`) -- extracts SBOM component references for VEX linkage.
- **SBOM Extraction Result**: `Linking/SbomExtractionResult.cs` -- extracted components for VEX matching.
- **VEX Proof Integrator**: `Generators/VexProofIntegrator.cs` (with `.Helpers`, `.Metadata`) -- integrates extracted SBOM components with VEX decisions.
- **VEX Verdict Proof Payload**: `Generators/VexVerdictProofPayload.cs` -- combined SBOM-component-linked VEX proof.
- **VEX Verdict Statement**: `Statements/VexVerdictStatement.cs` -- in-toto VEX verdict statement.
- **Proof Spine Assembly**: `Assembly/ProofSpineRequest.cs`, `ProofSpineResult.cs` -- assembles pipeline outputs into a verifiable spine.
- **DSSE Signing**: `Signing/ProofChainSigner.cs` -- signs all pipeline outputs.
- **Rekor Submission**: `StellaOps.Attestor.Core/Rekor/RekorSubmissionService.cs` -- publishes to the transparency log.
- **Tests**: `__Tests/StellaOps.Attestor.ProofChain.Tests/SbomToVexPipelineTests.cs`

## E2E Test Plan

- [ ] Run the SBOM-to-VEX pipeline via `ProofChainRequest` with an SBOM input and VEX data; verify `ProofChainResult` contains linked attestations
- [ ] Verify `ComponentRefExtractor` extracts component references from the input SBOM
- [ ] Verify `VexProofIntegrator` matches SBOM components to VEX statements and produces `VexVerdictProofPayload`
- [ ] Verify the VEX verdict statement is signed into a DSSE envelope
- [ ] Verify the pipeline output includes a Rekor entry with the signed VEX verdict
- [ ] Assemble pipeline outputs into a proof spine and verify the Merkle root covers both SBOM and VEX attestations
- [ ] Verify the pipeline handles components with no VEX coverage and reports them as unassessed
- [ ] Verify bidirectional traceability: from VEX verdict to SBOM component and from SBOM component to VEX verdict

## Verification

| Check | Result |
|-------|--------|
| Tier 0 - Source Verification | PASS |
| Tier 1 - Build + Code Review | PASS |
| Tier 2 - Behavioral Verification | PASS |
| Verified Date | 2026-02-13 |
| Run ID | run-001 |
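The linkage, unassessed-component and Merkle-root checks in the test plan above, as an added stand-alone example (not the project's C# code): it assumes CycloneDX-style components keyed by purl and OpenVEX-style statements keyed by product `@id`, uses a canonical-JSON SHA-256 as a stand-in for the DSSE payload digest, and all sample data and vulnerability ids are constructed placeholders.

```python
import hashlib
import json
# Constructed CycloneDX-style SBOM fragment (sample data, not from the project).
SBOM = {"components": [{"purl": "pkg:deb/debian/openssl@3.0.2"},
                       {"purl": "pkg:deb/debian/zlib@1.2.13"},
                       {"purl": "pkg:deb/debian/curl@8.4.0"}]}
# Constructed OpenVEX-style statements; the vulnerability ids are placeholders.
VEX = {"statements": [
    {"vulnerability": {"name": "CVE-0000-0001"}, "status": "not_affected",
     "products": [{"@id": "pkg:deb/debian/openssl@3.0.2"}]},
    {"vulnerability": {"name": "CVE-0000-0002"}, "status": "affected",
     "products": [{"@id": "pkg:deb/debian/curl@8.4.0"}]},
]}

def extract_component_refs(sbom):
    """Component extraction step: one package URL per SBOM component."""
    return [c["purl"] for c in sbom.get("components", []) if "purl" in c]

def integrate_vex(refs, vex):
    """Link components and VEX statements in both directions; uncovered components are unassessed."""
    by_component = {r: [] for r in refs}
    by_verdict = {}
    for st in vex["statements"]:
        vuln = st["vulnerability"]["name"]
        for ref in (p["@id"] for p in st["products"]):
            if ref in by_component:  # products outside this SBOM are not linked
                by_component[ref].append({"vulnerability": vuln, "status": st["status"]})
                by_verdict.setdefault(vuln, []).append(ref)
    unassessed = sorted(r for r, v in by_component.items() if not v)
    return {"by_component": by_component, "by_verdict": by_verdict, "unassessed": unassessed}

def digest(obj):  # canonical-JSON hash, stand-in for a DSSE payload digest
    return hashlib.sha256(json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()).hexdigest()

def merkle_root(leaves):
    """Binary Merkle tree with domain-separated leaf/node hashes; an odd node is promoted."""
    level = [hashlib.sha256(b"\x00" + bytes.fromhex(d)).digest() for d in leaves]
    while len(level) > 1:
        nxt = [hashlib.sha256(b"\x01" + level[i] + level[i + 1]).digest()
               for i in range(0, len(level) - 1, 2)]
        if len(level) % 2:
            nxt.append(level[-1])
        level = nxt
    return level[0].hex()

def build_spine(sbom, vex):
    """Assemble the SBOM attestation and the linked VEX verdicts under one Merkle root."""
    linked = integrate_vex(extract_component_refs(sbom), vex)
    leaves = [digest(sbom), digest({"verdicts": linked["by_component"]})]
    return {"leaves": leaves, "root": merkle_root(leaves), "unassessed": linked["unassessed"]}
```

Any change to either leaf (a dropped VEX statement, an altered component) changes the root, which is what makes the spine useful as a single commitment over both attestations.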