# SBOM Interop Round-Trip Testing

## Module

Attestor

## Status

VERIFIED

## Description

SBOM round-trip testing with canonical verification, ensuring that CycloneDX and SPDX outputs can be parsed, re-serialized, and verified for format compliance.

## Implementation Details

- **CycloneDX Parser**: `src/Attestor/__Libraries/StellaOps.Attestor.StandardPredicates/Parsers/CycloneDxPredicateParser.cs` (with `.ExtractMetadata`, `.ExtractSbom`, `.SerialNumber`, `.Validation`) -- parses CycloneDX BOMs.
- **CycloneDX Writer**: `Writers/CycloneDxWriter.cs` (with 50+ partials) -- writes CycloneDX BOMs from the internal model.
- **SPDX Parser**: `Parsers/SpdxPredicateParser.cs` (with `.ExtractMetadata`, `.ExtractSbom`, `.Validation`) -- parses SPDX documents.
- **SPDX Writer**: `Writers/SpdxWriter.cs` (with 40+ partials) -- writes SPDX 3.0.1 documents from the internal model.
- **SBOM Canonicalizer**: `Canonicalization/SbomCanonicalizer.Elements.cs` -- deterministic element ordering for canonical comparison.
- **SBOM Models**: `Models/SbomDocument.cs` (with `.Collections`) -- internal SBOM document model bridging parse and write.
- **CycloneDX Validation**: `Writers/CycloneDxWriter.Validation.cs` -- validates written CycloneDX against the schema.
- **SPDX Validation**: `Parsers/SpdxPredicateParser.Validation.cs` -- validates SPDX compliance.
- **Tests**: `__Tests/StellaOps.Attestor.StandardPredicates.Tests/RoundTripTests.cs`

## E2E Test Plan

- [ ] Round-trip CycloneDX: parse a CycloneDX 1.6 BOM, write it back via `CycloneDxWriter`, re-parse, and verify semantic equivalence
- [ ] Round-trip SPDX: parse an SPDX 3.0.1 document, write it back via `SpdxWriter`, re-parse, and verify semantic equivalence
- [ ] Canonicalize both round-trip outputs via `SbomCanonicalizer` and verify the canonical forms match
- [ ] Round-trip complex CycloneDX features: crypto, formulation, declarations, attestation maps
- [ ] Round-trip complex SPDX features: AI packages, dataset packages, build profiles, assessments
- [ ] Validate the written CycloneDX output via `CycloneDxWriter.Validation` and verify schema compliance
- [ ] Validate the written SPDX output via `SpdxPredicateParser.Validation` and verify format compliance
- [ ] Cross-format interop: parse CycloneDX, convert to the internal model, write as SPDX, and verify key data (components, licenses) is preserved

## Verification

| Check | Result |
|-------|--------|
| Tier 0 - Source Verification | PASS |
| Tier 1 - Build + Code Review | PASS |
| Tier 2 - Behavioral Verification | PASS |
| Verified Date | 2026-02-13 |
| Run ID | run-001 |
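The following Python sketch is an added illustration of the round-trip, canonical-comparison and cross-format checks in the test plan above; it is not code from StellaOps.Attestor (which is C#). The sample BOM is constructed, and the canonical ordering rule (bom-ref, then purl, then name) and the CycloneDX-to-SPDX field mapping are assumptions, not the project's `SbomCanonicalizer` or `SpdxWriter` behaviour.

```python
import hashlib
import json

# Constructed minimal CycloneDX 1.6 BOM used as sample input (not a project fixture).
CYCLONEDX_BOM = {
    "bomFormat": "CycloneDX", "specVersion": "1.6", "version": 1,
    "serialNumber": "urn:uuid:00000000-0000-0000-0000-000000000001",
    "components": [
        {"type": "library", "bom-ref": "pkg:npm/lodash@4.17.21", "name": "lodash", "version": "4.17.21",
         "purl": "pkg:npm/lodash@4.17.21", "licenses": [{"license": {"id": "MIT"}}]},
        {"type": "library", "bom-ref": "pkg:npm/left-pad@1.3.0", "name": "left-pad", "version": "1.3.0",
         "purl": "pkg:npm/left-pad@1.3.0", "licenses": [{"license": {"id": "WTFPL"}}]},
    ],
}

def _sort_key(item) -> str:  # assumed rule: bom-ref, then purl, then name; else canonical JSON text
    if isinstance(item, dict):
        for field in ("bom-ref", "purl", "name"):
            if field in item:
                return str(item[field])
    return json.dumps(item, sort_keys=True)

def canonicalize(node):
    """Sorted object keys and deterministically ordered lists, so serializer order cannot matter."""
    if isinstance(node, dict):
        return {k: canonicalize(node[k]) for k in sorted(node)}
    if isinstance(node, list):
        return sorted((canonicalize(i) for i in node), key=_sort_key)
    return node

def canonical_digest(doc) -> str:
    return hashlib.sha256(json.dumps(canonicalize(doc), sort_keys=True, separators=(",", ":")).encode()).hexdigest()

def round_trip_preserves_digest(doc) -> bool:
    """Serialize, re-parse and compare canonical digests (stand-in for the writer -> parser pair)."""
    return canonical_digest(json.loads(json.dumps(doc))) == canonical_digest(doc)

def cyclonedx_to_spdx_packages(bom) -> list:
    """Cross-format step: map CycloneDX components to SPDX-style package records (assumed mapping)."""
    packages = []
    for c in bom.get("components", []):
        ids = [l["license"]["id"] for l in c.get("licenses", []) if "id" in l.get("license", {})]
        packages.append({"name": c["name"], "versionInfo": c.get("version", "NOASSERTION"),
                         "licenseConcluded": " AND ".join(ids) or "NOASSERTION"})
    return packages

def key_data_preserved(bom, packages) -> bool:
    """Check that (name, version, license) triples survive the CycloneDX -> SPDX conversion."""
    src = {(c["name"], c["version"], c["licenses"][0]["license"]["id"]) for c in bom["components"]}
    dst = {(p["name"], p["versionInfo"], p["licenseConcluded"]) for p in packages}
    return src == dst
```

Two BOMs that differ only in key or component order yield the same canonical digest, which is the property a round-trip test should compare on instead of raw bytes.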