# SBOM Schema Validation/Gating

## Module

Attestor

## Status

VERIFIED

## Description

Schema validation for SBOM predicates (both CycloneDX and SPDX) with structured validation results for gating decisions.

## Implementation Details

- **Predicate Schema Validator**: `src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Json/PredicateSchemaValidator.cs` (with `.Validators`) -- validates SBOM predicates against registered schemas.
- **Schema Validation Result**: `Json/SchemaValidationResult.cs` -- result with pass/fail and list of errors.
- **Schema Validation Error**: `Json/SchemaValidationError.cs` -- individual error with JSON path, message, and severity.
- **CycloneDX Validation**: `__Libraries/StellaOps.Attestor.StandardPredicates/Writers/CycloneDxWriter.Validation.cs` -- CycloneDX-specific schema validation rules.
- **CycloneDX Parser Validation**: `Parsers/CycloneDxPredicateParser.Validation.cs` -- validates CycloneDX input during parsing.
- **SPDX Validation**: `Parsers/SpdxPredicateParser.Validation.cs` -- validates SPDX input during parsing.
- **SLSA Validation**: `Validation/SlsaSchemaValidator.cs` (with `.BuildDefinition`, `.Helpers`, `.Level`, `.RunDetails`) -- SLSA provenance schema validation.
- **Binary Diff Schema**: `BinaryDiff/BinaryDiffSchema.SchemaJson.cs` -- embedded JSON schema for binary diff predicates.
- **Tests**: `__Tests/StellaOps.Attestor.StandardPredicates.Tests/ValidationTests.cs`

## E2E Test Plan

- [ ] Validate a well-formed CycloneDX 1.6 BOM via `CycloneDxWriter.Validation` and verify it passes
- [ ] Validate a malformed CycloneDX BOM (missing required fields) and verify `SchemaValidationResult` fails with specific errors
- [ ] Validate a well-formed SPDX 3.0.1 document via `SpdxPredicateParser.Validation` and verify it passes
- [ ] Validate a malformed SPDX document and verify validation errors include JSON paths
- [ ] Validate a CycloneDX serial number via `CycloneDxPredicateParser.SerialNumber` and verify format compliance
- [ ] Use validation results as a gating decision: block a pipeline submission when SBOM validation fails
- [ ] Validate a SLSA provenance predicate and verify build definition and run details are checked
- [ ] Verify `SchemaValidationError` provides actionable details: JSON path, human-readable message, severity level

## Verification

| Check | Result |
|-------|--------|
| Tier 0 - Source Verification | PASS |
| Tier 1 - Build + Code Review | PASS |
| Tier 2 - Behavioral Verification | PASS |
| Verified Date | 2026-02-13 |
| Run ID | run-001 |
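The gating flow described in the Description and test plan above (a structured result carrying JSON path, message and severity per error, consumed by a pipeline gate that blocks on failure), shown as an added Python example that is not part of the Attestor code base. The validator, the result and error types, the CycloneDX required-field and serial-number checks and the sample BOMs are hypothetical constructions modelled on the components listed above, not the project's own API.

```python
"""Minimal CycloneDX BOM validation producing structured errors for a gating decision."""
import re
from dataclasses import dataclass, field

# Serial-number form required by the CycloneDX JSON schema (RFC 4122 UUID URN).
SERIAL_NUMBER_RE = re.compile(
    r"^urn:uuid:[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$")


@dataclass(frozen=True)
class SchemaValidationError:          # hypothetical, modelled on the page's error type
    path: str                         # JSON path of the offending element
    message: str                      # human-readable explanation
    severity: str                     # "error" blocks the gate, "warning" does not


@dataclass
class SchemaValidationResult:         # hypothetical, modelled on the page's result type
    errors: list = field(default_factory=list)

    @property
    def is_valid(self) -> bool:
        return not any(e.severity == "error" for e in self.errors)


def validate_cyclonedx(bom: dict) -> SchemaValidationResult:
    """Check the required top-level and component fields of a CycloneDX JSON BOM."""
    result = SchemaValidationResult()

    def err(path, msg, sev="error"):
        result.errors.append(SchemaValidationError(path, msg, sev))

    if bom.get("bomFormat") != "CycloneDX":
        err("$.bomFormat", "must be the literal string 'CycloneDX'")
    if "specVersion" not in bom:
        err("$.specVersion", "required field is missing")
    serial = bom.get("serialNumber")
    if serial is not None and not SERIAL_NUMBER_RE.match(serial):
        err("$.serialNumber", "must be an RFC 4122 URN of the form urn:uuid:<uuid>")
    for i, comp in enumerate(bom.get("components", [])):
        for required in ("type", "name"):          # required by the component schema
            if required not in comp:
                err(f"$.components[{i}].{required}", "required field is missing")
        if "version" not in comp:                  # not a schema error, so only a warning
            err(f"$.components[{i}].version", "component has no version", "warning")
    return result


def gate(bom: dict) -> tuple[bool, list[str]]:
    """Pipeline gate: (allowed, rendered findings). Any 'error' severity blocks submission."""
    res = validate_cyclonedx(bom)
    return res.is_valid, [f"[{e.severity}] {e.path}: {e.message}" for e in res.errors]


# Constructed sample inputs: one well-formed BOM (with a warning-only component) and one malformed.
GOOD_BOM = {"bomFormat": "CycloneDX", "specVersion": "1.6",
            "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79",
            "components": [{"type": "library", "name": "log4j-core", "version": "2.17.1"},
                           {"type": "library", "name": "unversioned-lib"}]}
BAD_BOM = {"bomFormat": "SPDX", "specVersion": "1.6", "serialNumber": "1234",
           "components": [{"type": "library", "version": "1.0"}]}
```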