# VEX Consumption from SBOM Documents (Embedded VEX Extraction)

## Module
Concelier

## Status
IMPLEMENTED

## Description
Extracts embedded VEX statements from CycloneDX and SPDX SBOMs, evaluates per-statement trust based on source provenance and evidence quality, resolves conflicts when multiple VEX sources disagree, and generates consumption reports. This is distinct from the known "VEX Multi-Source Consensus Engine" which merges standalone VEX documents; this feature specifically processes VEX embedded within SBOM documents.

## Implementation Details
- **Modules**: `src/Concelier/__Libraries/StellaOps.Concelier.SbomIntegration/Vex/`, `src/Concelier/__Libraries/StellaOps.Concelier.SbomIntegration/Parsing/`
- **Key Classes**:
  - `VexConsumptionReporter` (`src/Concelier/__Libraries/StellaOps.Concelier.SbomIntegration/Vex/VexConsumptionReporter.cs`) - generates consumption reports from extracted VEX statements
  - `VexConsumptionPolicyLoader` (`src/Concelier/__Libraries/StellaOps.Concelier.SbomIntegration/Vex/VexConsumptionPolicyLoader.cs`) - loads trust and precedence policies for VEX evaluation
  - `VexConflictResolver` (`src/Concelier/__Libraries/StellaOps.Concelier.SbomIntegration/Vex/VexConflictResolver.cs`) - resolves conflicts between embedded VEX statements
  - `VexConsumptionOptions` (`src/Concelier/__Libraries/StellaOps.Concelier.SbomIntegration/Vex/VexConsumptionOptions.cs`) - configuration for VEX consumption behavior
  - `ParsedSbomParser` (`src/Concelier/__Libraries/StellaOps.Concelier.SbomIntegration/Parsing/ParsedSbomParser.cs`) - extracts embedded VEX from CycloneDX and SPDX SBOMs
- **Interfaces**: `IVexConsumptionReporter`, `IVexConsumptionPolicyLoader`, `IVexConflictResolver`
- **Source**: SPRINT_20260119_020_Concelier_vex_consumption.md

## E2E Test Plan
- [ ] Parse a CycloneDX SBOM with embedded VEX statements and verify all VEX entries are extracted
- [ ] Parse an SPDX SBOM with embedded VEX and verify extraction works across formats
- [ ] Verify per-statement trust evaluation: VEX from a vendor SBOM receives higher trust than from a third-party
- [ ] Verify conflict resolution: two embedded VEX statements with conflicting status for the same CVE are resolved with rationale
- [ ] Verify consumption report: `VexConsumptionReporter` generates a report listing all consumed VEX statements with trust scores
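
The extraction, trust and conflict-resolution checks in the test plan can be illustrated with the following added Python example, which is not StellaOps code and does not use the classes listed above. It reads the CycloneDX `vulnerabilities[].analysis` fields; the trust weights, provenance labels, function names and sample SBOMs are assumptions constructed for illustration.

```python
import json

# Assumed trust weights per SBOM provenance (hypothetical policy, not the project's values).
TRUST = {"vendor": 0.9, "third-party": 0.5}

def make_sbom(state):
    """Constructed CycloneDX sample with one embedded VEX analysis (placeholder CVE id)."""
    return json.dumps({"bomFormat": "CycloneDX", "specVersion": "1.5", "vulnerabilities": [{
        "id": "CVE-0000-0001",
        "analysis": {"state": state},
        "affects": [{"ref": "pkg:generic/libexample@1.0.0"}]}]})

VENDOR_SBOM = make_sbom("not_affected")
THIRD_PARTY_SBOM = make_sbom("exploitable")

def extract_vex(sbom_json, provenance):
    """Return one statement per (vulnerability, affected ref) that carries an analysis state."""
    doc = json.loads(sbom_json)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("only CycloneDX JSON is handled here")
    statements = []
    for vuln in doc.get("vulnerabilities", []):
        state = (vuln.get("analysis") or {}).get("state")
        if not state:
            continue  # vulnerability listed without an embedded VEX analysis
        for target in vuln.get("affects", []):
            statements.append({"cve": vuln.get("id"), "ref": target.get("ref"),
                               "status": state, "provenance": provenance,
                               "trust": TRUST.get(provenance, 0.0)})  # unknown source: no trust
    return statements

def resolve(statements):
    """Group by (cve, ref); when statuses disagree keep the highest-trust statement."""
    groups = {}
    for s in statements:
        groups.setdefault((s["cve"], s["ref"]), []).append(s)
    resolved = {}
    for key, group in groups.items():
        winner = max(group, key=lambda s: s["trust"])
        if len({s["status"] for s in group}) > 1:
            losers = ", ".join(f"{s['provenance']}={s['status']}"
                               for s in group if s is not winner)
            rationale = (f"conflict: kept {winner['provenance']} "
                         f"(trust {winner['trust']}) over {losers}")
        else:
            rationale = "no conflict"
        resolved[key] = {**winner, "rationale": rationale}
    return resolved
```
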