# Derivative Distro Mapping for Backport Detection

## Module
Scanner

## Status
IMPLEMENTED

## Description
Cross-distro OVAL/CSAF mapping that enables fetching backport rules from derivative distros (RHEL->Alma/Rocky/CentOS, Ubuntu->LinuxMint/Pop!_OS, Debian->Ubuntu) with confidence penalty multipliers (0.95x for same-major, 0.80x for cross-family).

## Implementation Details
- **Pedigree & Backport Evidence**:
  - `src/Scanner/__Libraries/StellaOps.Scanner.Emit/Pedigree/FeedserPedigreeDataProvider.cs` - Provides pedigree data with cross-distro backport rules
  - `src/Scanner/__Libraries/StellaOps.Scanner.Emit/Pedigree/CycloneDxPedigreeMapper.cs` - Maps pedigree data including derivative distro mappings
  - `src/Scanner/__Libraries/StellaOps.Scanner.Emit/Pedigree/PatchInfoBuilder.cs` - Builds patch info with backport detection data
  - `src/Scanner/__Libraries/StellaOps.Scanner.Emit/Pedigree/PedigreeNotesGenerator.cs` - Generates pedigree notes with confidence levels
  - `src/Scanner/__Libraries/StellaOps.Scanner.Emit/Pedigree/IPedigreeDataProvider.cs` - Interface
- **Version Comparison Evidence**:
  - `src/Scanner/__Libraries/StellaOps.Scanner.Evidence/Models/VersionComparisonEvidence.cs` - Version comparison evidence for backport detection
  - `src/Scanner/__Libraries/StellaOps.Scanner.Evidence/Models/DeltaSignatureEvidence.cs` - Delta signature evidence
  - `src/Scanner/__Libraries/StellaOps.Scanner.Evidence/Models/EvidenceBundle.cs` - Evidence bundle model
- **VEX Gate Integration**:
  - `src/Scanner/__Libraries/StellaOps.Scanner.Gate/VexGateService.cs` - VEX gate service considering backport status
  - `src/Scanner/__Libraries/StellaOps.Scanner.Gate/VexGatePolicyEvaluator.cs` - Policy evaluator with backport awareness

## E2E Test Plan
- [ ] Scan an AlmaLinux image and verify backport rules are fetched from RHEL OVAL data with 0.95x confidence
- [ ] Scan a Linux Mint image and verify backport rules map from Ubuntu with appropriate confidence penalty
- [ ] Verify cross-family mapping (e.g., Debian rules applied to Ubuntu) uses 0.80x confidence multiplier
- [ ] Verify pedigree output includes derivative distro source attribution
- [ ] Verify backport evidence reduces false positive vulnerability counts for patched packages
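
The penalty described in the Description can be sketched as follows. This is an added example, not code from the StellaOps repository: `DistroRelease`, `BackportRule`, `DerivativeMapping` and the lowercase distro ids are hypothetical names. It covers only the two pairs whose multiplier the page states (RHEL to Alma/Rocky/CentOS at 0.95x, Debian to Ubuntu at 0.80x) and assumes a same-family rule transfers only when the major release matches.

```csharp
#nullable enable
using System;
using System.Collections.Generic;

// Hypothetical types for this example; not StellaOps' own API.
public sealed record DistroRelease(string Id, int Major);
public sealed record BackportRule(string Cve, DistroRelease Source, string FixedVersion, double Confidence);

public static class DerivativeMapping
{
    private const double SameMajorFactor = 0.95;   // multiplier stated on the page
    private const double CrossFamilyFactor = 0.80; // multiplier stated on the page

    // derivative -> upstream, limited to pairs whose multiplier the page states
    private static readonly Dictionary<string, (string Upstream, bool CrossFamily)> Upstreams =
        new(StringComparer.OrdinalIgnoreCase)
        {
            ["almalinux"] = ("rhel", false), ["rocky"] = ("rhel", false),
            ["centos"] = ("rhel", false), ["ubuntu"] = ("debian", true),
        };

    // Re-scores an upstream rule for the scanned distro; null means "do not borrow".
    public static BackportRule? Borrow(BackportRule rule, DistroRelease target)
    {
        if (!Upstreams.TryGetValue(target.Id, out var link) ||
            !string.Equals(link.Upstream, rule.Source.Id, StringComparison.OrdinalIgnoreCase))
            return null; // no known lineage between the rule's source and the target
        // Assumption: a same-family rule only transfers within the same major release.
        if (!link.CrossFamily && rule.Source.Major != target.Major)
            return null;
        var factor = link.CrossFamily ? CrossFamilyFactor : SameMajorFactor;
        return rule with { Confidence = Math.Round(rule.Confidence * factor, 4) };
    }
}

public static class Program
{
    public static void Main()
    {
        // Constructed sample rules; the CVE id and versions are placeholders.
        var rhel9 = new BackportRule("CVE-0000-00000", new("rhel", 9), "1.2.3-4.el9", 0.90);
        var deb12 = new BackportRule("CVE-0000-00000", new("debian", 12), "1.2.3-4+deb12u1", 0.90);
        Console.WriteLine(DerivativeMapping.Borrow(rhel9, new("almalinux", 9))?.Confidence);
        Console.WriteLine(DerivativeMapping.Borrow(deb12, new("ubuntu", 22))?.Confidence);
        Console.WriteLine(DerivativeMapping.Borrow(rhel9, new("almalinux", 8)) is null);
        Console.WriteLine(DerivativeMapping.Borrow(rhel9, new("ubuntu", 22)) is null);
    }
}
```

Returning the source release unchanged on the borrowed rule keeps the upstream attribution that the pedigree output is expected to carry.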