# SBOM Spine (Image to SBOM to DSSE to Transparency Log)

## Module

Attestor

## Status

VERIFIED

## Description

The full SBOM spine (SBOM generation in CycloneDX/SPDX, DSSE signing, Rekor transparency log integration) is implemented.

## Implementation Details

- **SBOM Linkage Statement**: `src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Statements/SbomLinkageStatement.cs` -- in-toto statement linking image digest to SBOM. `SbomLinkagePayload.cs` -- linkage payload.
- **SBOM Descriptor**: `Statements/SbomDescriptor.cs` -- SBOM format, spec version, and content digest.
- **CycloneDX Writer**: `__Libraries/StellaOps.Attestor.StandardPredicates/Writers/CycloneDxWriter.cs` (with partials) -- generates CycloneDX SBOMs.
- **SPDX Writer**: `Writers/SpdxWriter.cs` (with partials) -- generates SPDX SBOMs.
- **DSSE Signing**: `__Libraries/StellaOps.Attestor.ProofChain/Signing/ProofChainSigner.cs` -- signs SBOM linkage statements into DSSE envelopes.
- **Rekor Submission**: `StellaOps.Attestor.Core/Rekor/RekorSubmissionService.cs` -- submits signed SBOM attestations to Rekor.
- **Proof Spine**: `Assembly/ProofSpineRequest.cs`, `ProofSpineResult.cs` -- assembles SBOM attestation into proof spine with Merkle root.
- **OCI Attachment**: `__Libraries/StellaOps.Attestor.Oci/Services/SbomOciPublisher.cs` -- publishes SBOM as OCI referrer.
- **Persistence**: `__Libraries/StellaOps.Attestor.Persistence/Entities/SbomEntryEntity.cs` -- persists SBOM entries. `RekorEntryEntity.cs` -- persists Rekor entries.
- **Tests**: `__Tests/StellaOps.Attestor.ProofChain.Tests/SbomSpineTests.cs`

## E2E Test Plan

- [ ] Generate a CycloneDX SBOM from an image scan, create an `SbomLinkageStatement` with the image digest as subject, and verify the linkage
- [ ] Sign the SBOM linkage statement into a DSSE envelope via `ProofChainSigner` and verify the envelope
- [ ] Submit the signed SBOM attestation to Rekor and verify a log entry is created with log index
- [ ] Assemble the SBOM attestation into a proof spine via `ProofSpineRequest` and verify the Merkle root
- [ ] Publish the SBOM to OCI via `SbomOciPublisher` and verify it is discoverable as a referrer
- [ ] Persist the SBOM entry and Rekor entry and verify retrieval
- [ ] Verify the full spine: Image -> SBOM -> DSSE Envelope -> Rekor Entry, each step linked and verifiable
- [ ] Generate an SPDX SBOM and repeat the spine verification to confirm format-agnostic support

## Verification

| Check | Result |
|-------|--------|
| Tier 0 - Source Verification | PASS |
| Tier 1 - Build + Code Review | PASS |
| Tier 2 - Behavioral Verification | PASS |
| Verified Date | 2026-02-13 |
| Run ID | run-001 |
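The spine described above (image digest as in-toto subject, SBOM descriptor as predicate, DSSE envelope over the statement, Merkle root over the assembled artefacts) is format-level and can be checked independently of the Attestor code. The following is an added, self-contained Python example written for this page; it is not the project's `ProofChainSigner`, `SbomLinkageStatement` or `ProofSpineRequest` code and makes no claim about their exact layouts. Assumptions: the predicate type URI, key id and all sample bytes (image manifest, CycloneDX document) are constructed; the signer is an HMAC-SHA256 stand-in where a real DSSE envelope carries an asymmetric signature (the PAE it signs over is the real DSSE v1 encoding); and the Merkle root uses an RFC 6962-style leaf/node hashing, which is assumed rather than taken from the project. What the example shows that the checklist alone does not: each link in the spine (signature, subject digest, predicate digest) fails independently when the corresponding artefact is altered.

```python
"""SBOM spine walk-through: image digest -> in-toto linkage statement -> DSSE envelope -> Merkle root.
Constructed example for illustration; not StellaOps project code."""
import base64
import hashlib
import hmac
import json

IN_TOTO_STATEMENT_TYPE = "https://in-toto.io/Statement/v1"
DSSE_PAYLOAD_TYPE = "application/vnd.in-toto+json"
# Hypothetical predicate type URI for this example; the project's own URI is not on the page.
SBOM_LINKAGE_PREDICATE_TYPE = "https://example.invalid/sbom-linkage/v1"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def canonical_json(obj) -> bytes:
    # Deterministic serialization: the same statement must always hash identically.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def build_sbom_linkage_statement(image_digest_hex: str, sbom_bytes: bytes,
                                 sbom_format: str, spec_version: str) -> dict:
    """in-toto v1 statement: subject is the image, predicate is the SBOM descriptor."""
    return {
        "_type": IN_TOTO_STATEMENT_TYPE,
        "subject": [{"name": "container-image", "digest": {"sha256": image_digest_hex}}],
        "predicateType": SBOM_LINKAGE_PREDICATE_TYPE,
        "predicate": {
            "sbom": {
                "format": sbom_format,
                "specVersion": spec_version,
                "digest": {"sha256": sha256_hex(sbom_bytes)},
            }
        },
    }


def pae(payload_type: str, payload: bytes) -> bytes:
    """DSSE v1 pre-authentication encoding: "DSSEv1" SP LEN(type) SP type SP LEN(payload) SP payload."""
    pt = payload_type.encode()
    return b" ".join([b"DSSEv1", str(len(pt)).encode(), pt, str(len(payload)).encode(), payload])


def dsse_sign(statement: dict, key: bytes, keyid: str) -> dict:
    # The signature covers PAE(payloadType, payload), never the raw payload.
    # HMAC stands in for an asymmetric signature here (assumption, see lead-in).
    payload = canonical_json(statement)
    sig = hmac.new(key, pae(DSSE_PAYLOAD_TYPE, payload), hashlib.sha256).digest()
    return {
        "payloadType": DSSE_PAYLOAD_TYPE,
        "payload": base64.b64encode(payload).decode(),
        "signatures": [{"keyid": keyid, "sig": base64.b64encode(sig).decode()}],
    }


def dsse_verify(envelope: dict, key: bytes) -> dict:
    """Return the decoded statement if at least one signature verifies, else raise ValueError."""
    payload = base64.b64decode(envelope["payload"])
    expected = hmac.new(key, pae(envelope["payloadType"], payload), hashlib.sha256).digest()
    for sig in envelope["signatures"]:
        if hmac.compare_digest(base64.b64decode(sig["sig"]), expected):
            return json.loads(payload)
    raise ValueError("no signature on the DSSE envelope verified")


def verify_spine(image_digest_hex: str, sbom_bytes: bytes, envelope: dict, key: bytes) -> bool:
    """Check every link: envelope signature, subject == image digest, predicate digest == SBOM."""
    try:
        statement = dsse_verify(envelope, key)
    except ValueError:
        return False
    if statement.get("_type") != IN_TOTO_STATEMENT_TYPE:
        return False
    subjects = [s["digest"].get("sha256") for s in statement["subject"]]
    if image_digest_hex not in subjects:
        return False
    return statement["predicate"]["sbom"]["digest"]["sha256"] == sha256_hex(sbom_bytes)


def merkle_root(leaves: list) -> str:
    """RFC 6962-style root (assumed layout): leaf = H(0x00||data), node = H(0x01||left||right),
    an odd trailing node is carried up unchanged."""
    if not leaves:
        raise ValueError("spine has no leaves")
    level = [hashlib.sha256(b"\x00" + d).digest() for d in leaves]
    while len(level) > 1:
        level = [hashlib.sha256(b"\x01" + level[i] + level[i + 1]).digest()
                 if i + 1 < len(level) else level[i]
                 for i in range(0, len(level), 2)]
    return level[0].hex()


# --- Constructed sample data (not real artefacts) ---
SAMPLE_IMAGE_MANIFEST = b'{"schemaVersion":2,"layers":[]}'
SAMPLE_IMAGE_DIGEST = sha256_hex(SAMPLE_IMAGE_MANIFEST)
SAMPLE_SBOM = canonical_json({"bomFormat": "CycloneDX", "specVersion": "1.5", "components": []})
SAMPLE_KEY = b"example-hmac-key-not-for-production"


def demo() -> dict:
    statement = build_sbom_linkage_statement(SAMPLE_IMAGE_DIGEST, SAMPLE_SBOM, "CycloneDX", "1.5")
    envelope = dsse_sign(statement, SAMPLE_KEY, "example-key-1")
    ok = verify_spine(SAMPLE_IMAGE_DIGEST, SAMPLE_SBOM, envelope, SAMPLE_KEY)
    # Spine leaves: image manifest, SBOM bytes, DSSE envelope; the root pins all three together.
    root = merkle_root([SAMPLE_IMAGE_MANIFEST, SAMPLE_SBOM, canonical_json(envelope)])
    return {"verified": ok, "merkle_root": root, "envelope": envelope}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run it directly to print the envelope and root. The point worth keeping from `verify_spine` is that the three checks are separate: a valid signature over a statement that names a different image, or a statement whose predicate digest no longer matches the SBOM bytes actually attached to the image, must both be rejected, not only an envelope with a bad signature.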