# BYOS (Bring Your Own SBOM) Ingestion Workflow

## Module

Scanner

## Status

VERIFIED

## Description

Allows users to upload externally-generated SBOMs (CycloneDX 1.4-1.6, SPDX 2.3/3.0) via REST API. Includes automatic format detection, schema validation, component normalization, quality scoring (PURL/version/license coverage weighted 40/30/30), SHA-256 digest computation, and automatic scan/analysis triggering. Supports both inline JSON and base64-encoded payloads with CI context metadata.

## Implementation Details

- **Upload Endpoints**:
  - `src/Scanner/StellaOps.Scanner.WebService/Endpoints/SbomUploadEndpoints.cs` - `SbomUploadEndpoints` for REST upload API
  - `src/Scanner/StellaOps.Scanner.WebService/Endpoints/SbomEndpoints.cs` - Additional SBOM query endpoints
- **Contracts**:
  - `src/Scanner/StellaOps.Scanner.WebService/Contracts/SbomContracts.cs` - `SbomUploadRequestDto`, `SbomUploadResponseDto`, `SbomValidationSummaryDto`, `SbomFormats`, `SbomAncestryDto`, `SbomUploadSourceDto`, `SbomUploadCiContextDto`
- **Ingestion Service**:
  - `src/Scanner/StellaOps.Scanner.WebService/Services/ISbomIngestionService.cs` - `ISbomIngestionService`, `SbomIngestionResult`, `SbomValidationResult`
  - `src/Scanner/StellaOps.Scanner.WebService/Services/SbomIngestionService.cs` - Format detection, schema validation, component normalization, quality scoring, digest computation
- **BYOS Upload Service**:
  - `src/Scanner/StellaOps.Scanner.WebService/Services/SbomByosUploadService.cs` - `ISbomByosUploadService` / `SbomByosUploadService` for external SBOM ingestion
- **Upload Store**:
  - `src/Scanner/StellaOps.Scanner.WebService/Services/SbomUploadStore.cs` - `ISbomUploadStore`, `InMemorySbomUploadStore`, `SbomUploadRecord`

## E2E Test Plan

- [ ] Upload a CycloneDX 1.6 JSON SBOM via `POST /api/v1/sbom/upload` with inline JSON payload and verify acceptance
- [ ] Upload an SPDX 2.3 SBOM via base64-encoded payload with CI context metadata and verify ingestion
- [ ] Verify automatic format detection correctly identifies CycloneDX vs SPDX format
- [ ] Verify schema validation rejects an invalid SBOM with appropriate error details
- [ ] Verify quality scoring returns PURL/version/license coverage percentages (40/30/30 weighted)
- [ ] Verify SHA-256 digest is computed and returned in the response
- [ ] Verify automatic scan/analysis is triggered after successful ingestion
- [ ] Query the uploaded SBOM status via `GET /api/v1/sbom/uploads/{id}` and verify metadata

## Verification

- Verified in `run-001` on 2026-02-12 with Tier 0/1/2 evidence in `docs/qa/feature-checks/runs/scanner/byos-ingestion-workflow/run-001/`.
- Tier 2 API checks validated CycloneDX inline upload, SPDX base64 upload, upload record retrieval, and unknown-format rejection paths.
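The Description and the E2E Test Plan above name the ingestion steps (inline or base64 payload decoding, CycloneDX vs SPDX format detection, component normalization, 40/30/30 PURL/version/license quality scoring, SHA-256 digest, unknown-format rejection) without showing how they compose. The following is an added stand-alone illustration of those steps in Python; it is not the project's `SbomIngestionService` code, and the two sample SBOMs, the field names chosen for the normalized component shape, and the decision to digest the decoded payload bytes are all assumptions made here for the example.

```python
"""Illustrative BYOS ingestion pipeline (added example, not StellaOps project code)."""
import base64
import hashlib
import json

# Constructed sample SBOMs; field values are made up for the example.
CYCLONEDX_SAMPLE = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.6",
    "components": [
        {"name": "lodash", "version": "4.17.21", "purl": "pkg:npm/lodash@4.17.21",
         "licenses": [{"license": {"id": "MIT"}}]},
        {"name": "left-pad", "version": "1.3.0", "purl": "pkg:npm/left-pad@1.3.0"},
        {"name": "mystery-lib"},                          # no version, purl or license
        {"name": "internal-tool", "version": "0.1.0"},    # version only
    ],
}
SPDX_SAMPLE = {
    "spdxVersion": "SPDX-2.3",
    "SPDXID": "SPDXRef-DOCUMENT",
    "packages": [
        {"name": "openssl", "versionInfo": "3.0.13", "licenseConcluded": "Apache-2.0",
         "externalRefs": [{"referenceType": "purl",
                           "referenceLocator": "pkg:deb/debian/openssl@3.0.13"}]},
        {"name": "zlib", "versionInfo": "1.3", "licenseConcluded": "NOASSERTION"},
    ],
}
WEIGHTS = {"purl": 0.4, "version": 0.3, "license": 0.3}  # the 40/30/30 weighting


def as_payload(doc: dict, encoding: str = "inline") -> str:
    """Serialize a document the way a client would submit it (inline JSON or base64)."""
    raw = json.dumps(doc, separators=(",", ":")).encode("utf-8")
    return base64.b64encode(raw).decode("ascii") if encoding == "base64" else raw.decode("utf-8")


def decode_payload(payload: str, encoding: str = "inline") -> bytes:
    """Return raw SBOM bytes; base64 payloads are decoded strictly, anything else is rejected."""
    if encoding == "base64":
        return base64.b64decode(payload, validate=True)
    if encoding == "inline":
        return payload.encode("utf-8")
    raise ValueError(f"unsupported payload encoding: {encoding}")


def detect_format(doc: dict) -> tuple:
    """Identify (format, spec_version) from top-level markers; unknown documents raise."""
    if doc.get("bomFormat") == "CycloneDX" and "specVersion" in doc:
        return "cyclonedx", str(doc["specVersion"])
    if isinstance(doc.get("spdxVersion"), str) and doc["spdxVersion"].startswith("SPDX-"):
        return "spdx", doc["spdxVersion"][len("SPDX-"):]
    raise ValueError("unknown SBOM format: expected CycloneDX bomFormat or SPDX spdxVersion")


def _cdx_license(component: dict):
    for entry in component.get("licenses", []):
        lic = entry.get("license") or {}
        value = lic.get("id") or lic.get("name") or entry.get("expression")
        if value:
            return value
    return None


def normalize_components(doc: dict, fmt: str) -> list:
    """Map either format onto one {name, version, purl, license} shape (assumed here)."""
    out = []
    if fmt == "cyclonedx":
        for c in doc.get("components", []):
            out.append({"name": c.get("name"), "version": c.get("version"),
                        "purl": c.get("purl"), "license": _cdx_license(c)})
    else:
        for p in doc.get("packages", []):
            purl = next((r.get("referenceLocator") for r in p.get("externalRefs", [])
                         if r.get("referenceType") == "purl"), None)
            lic = p.get("licenseConcluded")
            lic = None if lic in (None, "NOASSERTION", "NONE") else lic
            out.append({"name": p.get("name"), "version": p.get("versionInfo"),
                        "purl": purl, "license": lic})
    return out


def quality_score(components: list) -> dict:
    """Per-field coverage fraction plus the weighted 40/30/30 total; empty SBOMs score 0."""
    n = len(components)
    if n == 0:
        return {"purl": 0.0, "version": 0.0, "license": 0.0, "score": 0.0}
    cov = {k: sum(1 for c in components if c.get(k)) / n for k in WEIGHTS}
    cov["score"] = round(sum(WEIGHTS[k] * cov[k] for k in WEIGHTS), 4)
    return cov


def ingest(payload: str, encoding: str = "inline") -> dict:
    """Decode, digest, detect, normalize and score; the digest covers the decoded bytes."""
    raw = decode_payload(payload, encoding)
    digest = "sha256:" + hashlib.sha256(raw).hexdigest()
    doc = json.loads(raw)
    fmt, version = detect_format(doc)
    comps = normalize_components(doc, fmt)
    return {"format": fmt, "specVersion": version, "digest": digest,
            "componentCount": len(comps), "quality": quality_score(comps)}


if __name__ == "__main__":
    print(json.dumps(ingest(as_payload(CYCLONEDX_SAMPLE)), indent=2))
    print(json.dumps(ingest(as_payload(SPDX_SAMPLE, "base64"), "base64"), indent=2))
```

For the CycloneDX sample the coverage comes out as purl 2/4, version 3/4, license 1/4, so the weighted score is 0.4·0.5 + 0.3·0.75 + 0.3·0.25 = 0.5; the SPDX sample scores 0.65 because `NOASSERTION` is deliberately not counted as license coverage. Digesting the decoded bytes rather than the base64 text means the same SBOM yields the same digest whichever payload encoding the client used, which is what makes the digest usable as a stable identity for deduplication.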