# SBOM Ledger + Lineage (Moat Score 3)

## Module

Attestor

## Status

VERIFIED

## Description

Versioned SBOM storage with advisory and feed snapshot repositories, plus comprehensive SBOM parsing and writing for multiple formats.

## Implementation Details

- **SBOM Persistence**: `src/Attestor/__Libraries/StellaOps.Attestor.Persistence/Entities/SbomEntryEntity.cs` -- persisted SBOM entry with version, format, digest, and tenant_id for versioned storage.
- **SBOM Linkage Statement**: `__Libraries/StellaOps.Attestor.ProofChain/Statements/SbomLinkageStatement.cs` -- in-toto statement linking SBOM versions to evidence chains.
- **SBOM Linkage Payload**: `Statements/SbomLinkagePayload.cs` -- payload containing SBOM descriptor, generator info, and linkage data.
- **SBOM Descriptor**: `Statements/SbomDescriptor.cs` -- descriptor with format (CycloneDX/SPDX), spec version, and content digest.
- **Generator Descriptor**: `Statements/GeneratorDescriptor.cs` -- metadata about the tool that generated the SBOM.
- **CycloneDX Parser/Writer**: `__Libraries/StellaOps.Attestor.StandardPredicates/Parsers/CycloneDxPredicateParser.cs`, `Writers/CycloneDxWriter.cs` -- full CycloneDX support.
- **SPDX Parser/Writer**: `Parsers/SpdxPredicateParser.cs`, `Writers/SpdxWriter.cs` -- full SPDX support.
- **Verdict Ledger**: `__Libraries/StellaOps.Attestor.VerdictLedger/VerdictLedgerService.cs` -- append-only ledger tracking SBOM-based verdicts over time.
- **Repository**: `__Libraries/StellaOps.Attestor.Persistence/Repositories/IProofChainRepository.cs` -- repository for SBOM entries.
- **Tests**: `__Tests/StellaOps.Attestor.Persistence.Tests/SbomEntryTests.cs`

## E2E Test Plan

- [ ] Persist an SBOM version via `SbomEntryEntity` and verify retrieval by digest and version
- [ ] Store multiple SBOM versions for the same image and verify version lineage (v1 -> v2 -> v3)
- [ ] Create an `SbomLinkageStatement` linking an SBOM version to its evidence chain and verify the linkage
- [ ] Verify `SbomDescriptor` correctly identifies format and spec version for both CycloneDX and SPDX
- [ ] Verify `GeneratorDescriptor` captures the tool name, version, and generation timestamp
- [ ] Record an SBOM-based verdict via `VerdictLedgerService` and verify the ledger entry links to the SBOM version
- [ ] Query SBOM entries by tenant_id and verify tenant isolation (a digest stored by one tenant must not resolve for another)
- [ ] Verify SBOM lineage: given a tenant_id and image digest, retrieve all SBOM versions in chronological order

## Verification

| Check | Result |
|-------|--------|
| Tier 0 - Source Verification | PASS |
| Tier 1 - Build + Code Review | PASS |
| Tier 2 - Behavioral Verification | PASS |
| Verified Date | 2026-02-13 |
| Run ID | run-001 |
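The pieces listed under Implementation Details and exercised by the test plan above, worked through as an added example in Python. This is not the project's C# code and does not use its API; the class names only mirror the page's components. The predicate URI, the generator fields, the ledger record schema, the sample SBOM documents and the image digest are all assumptions constructed for the example. It shows the three properties the test plan checks: per-tenant version lineage that is idempotent on identical content, tenant-scoped lookup by digest, and an append-only verdict ledger whose records point at the SBOM digest they judged and at the previous record, so that any edit to a past verdict breaks the chain.

```python
import hashlib
import json
from dataclasses import dataclass
from typing import Optional

LINKAGE_PREDICATE = "https://example.invalid/attestor/sbom-linkage/v1"  # assumed URI, not the project's own
GENESIS = "0" * 64  # "previous" pointer of the first ledger record

def digest(obj) -> str:
    """sha256 hex of raw bytes, or of the canonical JSON form of a dict (sorted keys, no whitespace)."""
    data = obj if isinstance(obj, bytes) else json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(data).hexdigest()

def describe_sbom(raw: bytes) -> dict:
    """Descriptor (format, spec version, content digest) derived from the SBOM document itself."""
    doc = json.loads(raw)
    if doc.get("bomFormat") == "CycloneDX" and doc.get("specVersion"):
        fmt, spec = "cyclonedx", doc["specVersion"]
    elif str(doc.get("spdxVersion", "")).startswith("SPDX-"):
        fmt, spec = "spdx", doc["spdxVersion"][len("SPDX-"):]
    else:
        raise ValueError("unrecognised SBOM format or missing spec version")
    return {"format": fmt, "specVersion": spec, "digest": {"sha256": digest(raw)}}

@dataclass(frozen=True)
class SbomEntry:
    tenant_id: str
    image_digest: str  # sha256 hex of the image the SBOM describes
    version: int       # monotonic per (tenant, image)
    descriptor: dict
    generator: dict    # tool name, version and generation timestamp

class SbomStore:
    def __init__(self) -> None:
        self._entries: list[SbomEntry] = []

    def persist(self, tenant_id: str, image_digest: str, raw: bytes, generator: dict) -> SbomEntry:
        desc = describe_sbom(raw)
        lineage = self.lineage(tenant_id, image_digest)
        for e in lineage:  # idempotent: re-submitting identical bytes does not mint a new version
            if e.descriptor["digest"] == desc["digest"]:
                return e
        entry = SbomEntry(tenant_id, image_digest, len(lineage) + 1, desc, generator)
        self._entries.append(entry)
        return entry

    def by_digest(self, tenant_id: str, sha256: str) -> Optional[SbomEntry]:
        # tenant_id is a mandatory filter: a digest stored by another tenant must not resolve
        return next((e for e in self._entries
                     if e.tenant_id == tenant_id and e.descriptor["digest"]["sha256"] == sha256), None)

    def lineage(self, tenant_id: str, image_digest: str) -> list[SbomEntry]:
        hits = (e for e in self._entries if e.tenant_id == tenant_id and e.image_digest == image_digest)
        return sorted(hits, key=lambda e: e.version)

def sbom_linkage_statement(image_name: str, entry: SbomEntry, evidence: list[dict]) -> dict:
    """in-toto Statement v1: the image is the subject; the predicate ties one SBOM version to its evidence."""
    return {"_type": "https://in-toto.io/Statement/v1",
            "subject": [{"name": image_name, "digest": {"sha256": entry.image_digest}}],
            "predicateType": LINKAGE_PREDICATE,
            "predicate": {"sbom": entry.descriptor, "sbomVersion": entry.version,
                          "generator": entry.generator, "evidence": evidence}}

class VerdictLedger:
    """Append-only: each record names the SBOM digest it judged and the digest of the record before it."""
    def __init__(self) -> None:
        self.records: list[dict] = []

    def record(self, tenant_id: str, sbom_sha256: str, verdict: str, reason: str) -> dict:
        prev = self.records[-1]["recordDigest"] if self.records else GENESIS
        body = {"seq": len(self.records), "tenantId": tenant_id, "sbomDigest": {"sha256": sbom_sha256},
                "verdict": verdict, "reason": reason, "previous": prev}
        rec = {**body, "recordDigest": digest(body)}
        self.records.append(rec)
        return rec

    def verify_chain(self) -> bool:
        prev = GENESIS
        for rec in self.records:
            body = {k: v for k, v in rec.items() if k != "recordDigest"}
            if rec["previous"] != prev or digest(body) != rec["recordDigest"]:
                return False
            prev = rec["recordDigest"]
        return True

# Constructed sample inputs (not project data): two CycloneDX revisions of one image and one SPDX document.
CDX_V1 = json.dumps({"bomFormat": "CycloneDX", "specVersion": "1.5", "components": [{"name": "zlib", "version": "1.2.13"}]}).encode()
CDX_V2 = json.dumps({"bomFormat": "CycloneDX", "specVersion": "1.6", "components": [{"name": "zlib", "version": "1.3.1"}]}).encode()
SPDX_DOC = json.dumps({"spdxVersion": "SPDX-2.3", "SPDXID": "SPDXRef-DOCUMENT", "packages": []}).encode()
IMAGE = "a" * 64
GEN = {"name": "example-scanner", "version": "0.1.0", "generatedAt": "2026-02-13T00:00:00Z"}

def demo() -> dict:
    store, ledger = SbomStore(), VerdictLedger()
    v1 = store.persist("tenant-a", IMAGE, CDX_V1, GEN)
    v2 = store.persist("tenant-a", IMAGE, CDX_V2, GEN)
    store.persist("tenant-a", IMAGE, CDX_V2, GEN)            # replay of identical bytes: returns v2, no v3
    other = store.persist("tenant-b", IMAGE, SPDX_DOC, GEN)  # same image, different tenant
    ledger.record("tenant-a", v1.descriptor["digest"]["sha256"], "fail", "vulnerable zlib")
    ledger.record("tenant-a", v2.descriptor["digest"]["sha256"], "pass", "zlib upgraded")
    stmt = sbom_linkage_statement("registry.example/app", v2, [{"kind": "scan", "digest": {"sha256": "b" * 64}}])
    return {"store": store, "ledger": ledger, "v1": v1, "v2": v2, "other": other, "statement": stmt}
```

Two design points carry over to any real implementation of this feature. First, `by_digest` and `lineage` take the tenant as a required argument rather than filtering on it optionally, so a missing tenant filter is a type error and not a silent cross-tenant read. Second, the ledger's record digest is computed over a canonical serialisation that includes the previous record's digest, which is what makes "append-only" checkable after the fact; a store that merely forbids UPDATE at the application layer gives no such evidence to a verifier.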