# Verifiable SBOM-to-VEX Chain

## Module

Attestor

## Status

VERIFIED

## Description

The VEX proof integrator links VEX statements to SBOM components. It relies on component-ref extraction (CycloneDX `bom-ref`, SPDX `SPDXID`), SBOM linkage statements that bind an SBOM digest to a VEX document reference, and VEX attestation predicates, so that the SBOM-to-VEX chain can be verified end to end.

## Implementation Details

- **VEX Proof Integrator**: `src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Generators/VexProofIntegrator.cs` (with `.Helpers`, `.Metadata`) -- integrates VEX proofs with SBOM component references, embedding proof metadata (`proof_ref`, `proof_method`, `proof_confidence`) into VEX verdicts.
- **VEX Verdict Proof Payload**: `Generators/VexVerdictProofPayload.cs` -- payload containing a VEX verdict with proof references linking back to SBOM components.
- **Component Ref Extractor**: `Linking/ComponentRefExtractor.cs` (with `.Resolution`, `.Spdx`) -- extracts component references from SBOMs (CycloneDX `bom-ref`, SPDX `SPDXID`) for cross-linking with VEX statements.
- **SBOM Extraction Result**: `Linking/SbomExtractionResult.cs` -- result of extracting component references from an SBOM document.
- **SBOM Linkage Payload**: `Statements/SbomLinkagePayload.cs` -- payload for SBOM-to-VEX linkage statements, binding an SBOM digest to a VEX document reference.
- **VEX Attestation Predicate**: `Predicates/VexAttestationPredicate.cs` -- attestation predicate for VEX statements with proof-chain references.
- **VEX Verdict Summary**: `Predicates/VexVerdictSummary.cs` -- summary of VEX verdicts per component/CVE.
- **VEX Document Reference**: `Predicates/VexDocumentReference.cs` -- reference to a VEX document by digest and URI.
- **VEX Status Counts**: `Predicates/VexStatusCounts.cs` -- counts of VEX statuses (`affected`, `not_affected`, `fixed`, `under_investigation`).
- **SBOM Reference**: `Predicates/SbomReference.cs` -- reference to an SBOM document for linkage.
- **VEX Verdict Statement**: `Statements/VexVerdictStatement.cs` -- in-toto statement wrapping the VEX verdict.
- **Tests**: `__Tests/StellaOps.Attestor.ProofChain.Tests/`

## E2E Test Plan

- [ ] Extract component refs from a CycloneDX SBOM via `ComponentRefExtractor` and verify that `bom-ref` IDs are captured for all components
- [ ] Extract component refs from an SPDX SBOM via the extractor's `.Spdx` partial and verify that `SPDXID` references are captured
- [ ] Create an `SbomLinkagePayload` linking an SBOM digest to a VEX document reference and verify the chain is valid
- [ ] Integrate a VEX proof via `VexProofIntegrator` and verify the resulting `VexVerdictProofPayload` contains `proof_ref`, `proof_method`, and `proof_confidence`
- [ ] Build a `VexAttestationPredicate` with multiple component verdicts and verify each one references the correct SBOM component ref
- [ ] Verify the SBOM-to-VEX chain: given an SBOM with 5 components and a VEX marking 3 of them affected, verify `VexStatusCounts` reports 3 affected and 2 not_assessed
- [ ] Create a VEX verdict statement and verify it is a valid in-toto statement carrying SBOM linkage metadata
- [ ] Attempt to link a VEX to an SBOM with mismatched component refs and verify the integrator detects and reports the mismatch

## Verification

| Check | Result |
|-------|--------|
| Tier 0 - Source Verification | PASS |
| Tier 1 - Build + Code Review | PASS |
| Tier 2 - Behavioral Verification | PASS |
| Verified Date | 2026-02-13 |
| Run ID | run-001 |
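The following is an added illustration, not code from the StellaOps `Attestor.ProofChain` library: it walks the chain the E2E plan describes in plain C# (extract `bom-ref`/`SPDXID` refs from a CycloneDX or SPDX document, bind the SBOM and VEX digests in a linkage record, count statuses per component with `not_assessed` for uncovered components, and reject a VEX whose refs do not resolve to the SBOM). Every type and method name in it (`SbomVexChain`, `VexStatement`, `SbomLinkage`, `ExtractComponentRefs`, `CountStatuses`, `Sha256Hex`), the sample SBOM and VEX data, the placeholder vulnerability IDs and the `example.invalid` URI are assumptions made for this example, and the precedence applied when one component carries several statements is this example's choice, not the project's.

```csharp
// Added example for this page; it is not the StellaOps ProofChain code, whose types are only
// named above. Targets .NET 6+ (System.Text.Json, SHA256.HashData, Convert.ToHexString).
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Cryptography;
using System.Text;
using System.Text.Json;

// Hypothetical shapes standing in for the project's VexVerdictSummary / SbomLinkagePayload.
public record VexStatement(string VulnId, string ComponentRef, string Status);
public record SbomLinkage(string SbomDigest, string VexDigest, string VexUri);

public static class SbomVexChain
{
    // When one component carries statements for several vulnerabilities the worst status wins,
    // so an "affected" verdict is never masked by a "not_affected" for another CVE (example's choice).
    static readonly string[] Precedence = { "affected", "under_investigation", "fixed", "not_affected" };

    // CycloneDX identifies components by components[].bom-ref, SPDX by packages[].SPDXID.
    // The format is read from the document's own marker field, never guessed from a file name.
    public static HashSet<string> ExtractComponentRefs(string sbomJson)
    {
        using var doc = JsonDocument.Parse(sbomJson);
        var root = doc.RootElement;
        string listField, idField;
        if (root.TryGetProperty("bomFormat", out var fmt) && fmt.ValueKind == JsonValueKind.String
            && fmt.GetString() == "CycloneDX")
            (listField, idField) = ("components", "bom-ref");
        else if (root.TryGetProperty("spdxVersion", out _))
            (listField, idField) = ("packages", "SPDXID");
        else
            throw new InvalidOperationException("unrecognised SBOM: neither bomFormat nor spdxVersion present");

        var refs = new HashSet<string>(StringComparer.Ordinal);
        if (root.TryGetProperty(listField, out var items) && items.ValueKind == JsonValueKind.Array)
            foreach (var item in items.EnumerateArray())
                if (item.TryGetProperty(idField, out var id) && id.ValueKind == JsonValueKind.String)
                    refs.Add(id.GetString()!);
        return refs;
    }

    // Hash the exact bytes that were stored or signed; re-serialising the JSON would change the digest.
    public static string Sha256Hex(string exactBytes) =>
        Convert.ToHexString(SHA256.HashData(Encoding.UTF8.GetBytes(exactBytes))).ToLowerInvariant();

    // Every VEX ref must resolve to an SBOM component before a single verdict is counted: a dangling
    // ref means the VEX was written against some other SBOM, and the chain must fail closed.
    public static Dictionary<string, int> CountStatuses(HashSet<string> sbomRefs, IReadOnlyList<VexStatement> vex)
    {
        var dangling = vex.Select(s => s.ComponentRef).Where(r => !sbomRefs.Contains(r)).Distinct().ToList();
        if (dangling.Count > 0)
            throw new InvalidOperationException("VEX references components absent from SBOM: " + string.Join(", ", dangling));
        var unknown = vex.Select(s => s.Status).Where(s => !Precedence.Contains(s)).Distinct().ToList();
        if (unknown.Count > 0)
            throw new InvalidOperationException("unknown VEX status: " + string.Join(", ", unknown));

        var counts = Precedence.Append("not_assessed").ToDictionary(s => s, _ => 0);
        var byRef = vex.ToLookup(s => s.ComponentRef);
        foreach (var r in sbomRefs)
        {
            var statuses = byRef[r].Select(s => s.Status).ToHashSet();
            counts[statuses.Count == 0 ? "not_assessed" : Precedence.First(p => statuses.Contains(p))]++;
        }
        return counts;
    }

    public static void Main()
    {
        // Constructed CycloneDX SBOM with five components; bom-refs are package URLs.
        var purls = new[] { "pkg:npm/lodash@4.17.20", "pkg:npm/express@4.18.2", "pkg:npm/minimist@1.2.5",
                            "pkg:npm/debug@4.3.4", "pkg:npm/semver@7.5.4" };
        string sbom = JsonSerializer.Serialize(new { bomFormat = "CycloneDX", specVersion = "1.5",
            components = purls.Select(p => new Dictionary<string, string> { ["bom-ref"] = p, ["name"] = p }).ToArray() });
        // Constructed VEX with three affected verdicts; the vulnerability IDs are placeholders, not real advisories.
        var vex = new List<VexStatement> {
            new("CVE-0000-0001", "pkg:npm/lodash@4.17.20", "affected"),
            new("CVE-0000-0002", "pkg:npm/minimist@1.2.5", "affected"),
            new("CVE-0000-0003", "pkg:npm/semver@7.5.4", "affected") };
        string vexBytes = JsonSerializer.Serialize(vex);

        var refs = ExtractComponentRefs(sbom);
        var link = new SbomLinkage(Sha256Hex(sbom), Sha256Hex(vexBytes), "https://example.invalid/vex/1.json");
        Console.WriteLine($"linkage sbom={link.SbomDigest[..12]}.. vex={link.VexDigest[..12]}.. uri={link.VexUri}");
        foreach (var (status, n) in CountStatuses(refs, vex)) Console.WriteLine($"{status,-20}{n}");
        // Prints affected 3 and not_assessed 2; the other statuses stay at 0.

        // SPDX path: the same extractor picks up SPDXID instead of bom-ref.
        string spdx = JsonSerializer.Serialize(new { spdxVersion = "SPDX-2.3", SPDXID = "SPDXRef-DOCUMENT",
            packages = new[] { new { SPDXID = "SPDXRef-Package-openssl" }, new { SPDXID = "SPDXRef-Package-zlib" } } });
        Console.WriteLine("spdx refs: " + string.Join(", ", ExtractComponentRefs(spdx)));

        // Mismatch: a VEX written against lodash 4.17.21 must not be accepted for this SBOM.
        try { CountStatuses(refs, new[] { new VexStatement("CVE-0000-0001", "pkg:npm/lodash@4.17.21", "not_affected") }); }
        catch (InvalidOperationException e) { Console.WriteLine("rejected: " + e.Message); }
    }
}
```

Run it as a console project with `dotnet run`. Two design points carry over to any real integrator: the digests in the linkage record are taken over the exact SBOM and VEX bytes rather than over re-serialised JSON, because an attestation only verifies against the bytes that were signed; and the ref check runs before any status is counted, so a VEX that names a component version the SBOM does not contain is rejected outright instead of silently contributing zero verdicts.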