# SBOM-VEX bom-ref Cross-Linking (ComponentRefExtractor)

## Module

Attestor

## Status

VERIFIED

## Description

Bidirectional linking between VEX statements and SBOM components via CycloneDX bom-ref and SPDX SPDXID extraction, with a PURL-to-bom-ref resolution service.

## Implementation Details

- **Component Ref Extractor**: `src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Linking/ComponentRefExtractor.cs` -- core extractor for SBOM component references.
  - `.Resolution` -- resolves PURL-to-bom-ref mappings for CycloneDX components, enabling VEX statements to reference components by PURL and resolve to bom-ref.
  - `.Spdx` -- extracts SPDXID references from SPDX documents for cross-linking.
- **SBOM Extraction Result**: `Linking/SbomExtractionResult.cs` -- result containing all extracted component references with PURLs, bom-refs, and SPDXIDs.
- **SBOM Reference**: `__Libraries/StellaOps.Attestor.ProofChain/Predicates/SbomReference.cs` -- reference model linking to a specific SBOM for cross-referencing.
- **Micro-Witness SBOM Ref**: `Predicates/MicroWitnessSbomRef.cs` -- links function-level witness evidence to specific SBOM components by bom-ref.
- **VEX Override Evidence Reference**: `__Libraries/StellaOps.Attestor.StandardPredicates/VexOverride/EvidenceReference.cs` -- links VEX override decisions to SBOM component evidence.
- **Tests**: `__Tests/StellaOps.Attestor.ProofChain.Tests/ComponentRefExtractorTests.cs`

## E2E Test Plan

- [ ] Extract bom-refs from a CycloneDX SBOM via `ComponentRefExtractor` and verify each component has a unique bom-ref
- [ ] Resolve PURLs to bom-refs via `.Resolution` and verify bidirectional mapping (PURL -> bom-ref and bom-ref -> PURL)
- [ ] Extract SPDXIDs from an SPDX document via `.Spdx` and verify each package has a unique SPDXID
- [ ] Verify `SbomExtractionResult` contains all components with PURLs, bom-refs, and/or SPDXIDs
- [ ] Link a VEX statement to an SBOM component by bom-ref and verify the cross-reference
- [ ] Link a `MicroWitnessSbomRef` to a specific bom-ref and verify the function evidence is linked to the correct component
- [ ] Verify cross-linking works for components with multiple identifiers (PURL + bom-ref + CPE)

## Verification

| Check | Result |
|-------|--------|
| Tier 0 - Source Verification | PASS |
| Tier 1 - Build + Code Review | PASS |
| Tier 2 - Behavioral Verification | PASS |
| Verified Date | 2026-02-13 | 
| Run ID | run-001 |
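The extraction and resolution steps in the E2E plan above, as an added illustration that is not StellaOps' code: a minimal extractor over constructed CycloneDX and SPDX documents that enforces bom-ref uniqueness, builds the bidirectional PURL <-> bom-ref map, records the SPDXID per PURL, and resolves a VEX statement's product PURLs through it while reporting unresolved ones. All document contents, the `EXAMPLE-0001` vulnerability id, and the function names are constructed for the example.

```python
import json
from dataclasses import dataclass, field

# Constructed sample SBOMs (not taken from any real project).
CYCLONEDX = json.dumps({"bomFormat": "CycloneDX", "specVersion": "1.5", "components": [
    {"type": "library", "bom-ref": "pkg:npm/lodash@4.17.21", "name": "lodash",
     "purl": "pkg:npm/lodash@4.17.21",
     "cpe": "cpe:2.3:a:lodash:lodash:4.17.21:*:*:*:*:*:*:*"},  # PURL + bom-ref + CPE
    {"type": "library", "bom-ref": "comp-2", "name": "zlib", "purl": "pkg:generic/zlib@1.3"},
    {"type": "file", "bom-ref": "comp-3", "name": "config.yaml"},  # bom-ref only, no PURL
]})
SPDX = json.dumps({"spdxVersion": "SPDX-2.3", "packages": [
    {"SPDXID": "SPDXRef-Package-zlib", "name": "zlib", "externalRefs": [
        {"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
         "referenceLocator": "pkg:generic/zlib@1.3"}]}]})
# Constructed VEX statement; EXAMPLE-0001 is a placeholder, not a real vulnerability id.
VEX = [{"vulnerability": "EXAMPLE-0001",
        "products": ["pkg:generic/zlib@1.3", "pkg:npm/left-pad@1.3.0"]}]

@dataclass
class SbomExtractionResult:
    purl_to_bomref: dict = field(default_factory=dict)
    bomref_to_purl: dict = field(default_factory=dict)
    spdxid_by_purl: dict = field(default_factory=dict)
    unresolved: list = field(default_factory=list)  # VEX PURLs with no SBOM component

def extract(cyclonedx_json: str, spdx_json: str) -> SbomExtractionResult:
    """Collect bom-refs (CycloneDX) and SPDXIDs (SPDX), keyed both ways by PURL."""
    r, seen = SbomExtractionResult(), set()
    for c in json.loads(cyclonedx_json).get("components", []):
        ref = c["bom-ref"]
        if ref in seen:  # a bom-ref must be unique within one BOM
            raise ValueError(f"duplicate bom-ref {ref}")
        seen.add(ref)
        if purl := c.get("purl"):  # components without a PURL stay reachable by bom-ref only
            r.purl_to_bomref[purl] = ref
            r.bomref_to_purl[ref] = purl
    for p in json.loads(spdx_json).get("packages", []):
        for x in p.get("externalRefs", []):
            if x.get("referenceType") == "purl":
                r.spdxid_by_purl[x["referenceLocator"]] = p["SPDXID"]
    return r

def link_vex(statements: list, r: SbomExtractionResult) -> list:
    """Resolve each VEX product PURL to (vuln, purl, bom-ref, SPDXID-or-None)."""
    links = []
    for s in statements:
        for purl in s["products"]:
            ref = r.purl_to_bomref.get(purl)
            if ref is None:
                r.unresolved.append(purl)  # surface, never silently drop, unmatched products
                continue
            links.append((s["vulnerability"], purl, ref, r.spdxid_by_purl.get(purl)))
    return links
```

An unresolved PURL is the signal a reviewer wants: the VEX statement claims something about a product the SBOM does not contain, so the statement cannot be attached to any bom-ref.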