# CycloneDX 1.6 and SPDX 3.0.1 Full SBOM Support (Parsers, Writers, Attestation)

## Module

Attestor

## Status

IMPLEMENTED

## Description

Comprehensive CycloneDX 1.6 and SPDX 3.0.1 parsers and writers supporting all major SBOM elements: components, services, vulnerabilities, crypto, attestation maps, declarations, evidence, formulation, and more. Includes predicate parsers with metadata extraction and validation, SPDX 3.0 build attestation mappers, and a CycloneDX VEX normalizer. 40+ partial class files for CycloneDX alone.

## Implementation Details

- **CycloneDX Writer**: `src/Attestor/__Libraries/StellaOps.Attestor.StandardPredicates/Writers/CycloneDxWriter.cs` -- 40+ partial files:
  - Core: `.Convert`, `.Validation`, `.Metadata`, `.SerialNumber`
  - Components: `.Components`, `.Dependencies`, `.Pedigree`, `.Swid`
  - Services: `.Services`
  - Vulnerabilities: `.Vulnerabilities`
  - Crypto: `.Crypto`, `.CryptoCertificates`, `.CryptoMaterial`
  - Attestation: `.AttestationMaps`, `.Claims`, `.Declarations`, `.DeclarationTargets`, `.Definitions`
  - Evidence: `.Evidence`, `.EvidenceOccurrences`
  - Formulation: `.Formulation`, `.InputsOutputs`, `.Tasks`
  - Compliance: `.Compositions`, `.Considerations`, `.Environmental`
  - DTOs: `.DtoBom`, `.DtoComponent`, `.DtoService`, `.DtoVulnerability`, `.DtoCrypto`, etc.
- **SPDX Writer**: `SpdxWriter.cs` -- 50+ partial files covering all SPDX 3.0.1 profiles: `.Packages`, `.FileElement`, `.Snippets`, `.Relationships`, `.Licensing`, `.Vulnerabilities`, `.Builds`, `.Assessments`, `.AiPackage`, `.DatasetPackage`, `.Agents`, `.Signatures`, etc.
- **CycloneDX Parser**: `Parsers/CycloneDxPredicateParser.cs` (with `.ExtractMetadata`, `.ExtractSbom`, `.Validation`, `.SerialNumber`)
- **SPDX Parser**: `Parsers/SpdxPredicateParser.cs` (with `.ExtractMetadata`, `.ExtractSbom`, `.Validation`)
- **SBOM Models**: `Models/` -- 106 model files: `SbomComponent`, `SbomService`, `SbomVulnerability`, `SbomDocument`, etc.
- **SBOM Canonicalizer**: `Canonicalization/SbomCanonicalizer.cs` (with `.Elements`)
- **License Expression Parser**: `Licensing/SpdxLicenseExpressionParser.cs` (with partials)
- **Tests**: `__Tests/StellaOps.Attestor.StandardPredicates.Tests/` -- 25+ test files including CycloneDx/SpdxDeterminismTests, SchemaValidationTests, ParserTests, WriterProfileTests

## E2E Test Plan

- [ ] Write a CycloneDX 1.6 SBOM with components, services, and vulnerabilities via `CycloneDxWriter.Convert` and verify all elements are present in the output
- [ ] Write an SPDX 3.0.1 document with packages, files, snippets, and relationships via `SpdxWriter.Convert` and verify all profiles are populated
- [ ] Parse a CycloneDX SBOM via `CycloneDxPredicateParser` and verify metadata extraction (serial number, version, timestamp)
- [ ] Parse an SPDX SBOM via `SpdxPredicateParser` and verify package extraction with licensing info
- [ ] Write a CycloneDX SBOM with crypto properties and verify crypto algorithm and certificate elements
- [ ] Write an SPDX document with AI/ML profiles (AiPackage, DatasetPackage) and verify profile elements
- [ ] Round-trip test: write CycloneDX -> parse -> write again and verify deterministic output
- [ ] Round-trip test: write SPDX -> parse -> write again and verify deterministic output
- [ ] Verify license expression parsing for complex SPDX expressions (e.g., `(MIT OR Apache-2.0) AND BSD-3-Clause`)
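The round-trip determinism items in the test plan above (write -> parse -> write, byte-identical output) rest on the canonicalizer: unordered lists are sorted by a stable identifier, keys are emitted in a fixed order, and the serializer uses one byte layout. The following is an added example in Python, not the project's `SbomCanonicalizer` or `CycloneDxWriter`, showing that invariant on a constructed CycloneDX 1.6 document. The `_UNORDERED` table, the package URLs, the `EXAMPLE-VULN-0001` id and the pinned serial number and timestamp are all assumptions made for illustration.

```python
"""Deterministic CycloneDX 1.6 round trip (added example, not StellaOps code).

Invariant under test: canonicalize -> serialize -> parse -> canonicalize -> serialize
yields byte-identical output, and two layouts of the same BOM hash identically.
"""
import hashlib
import json
from typing import Any, Dict

# Lists whose order carries no meaning, with the field used to sort them (assumption).
# Order-sensitive lists (e.g. pedigree commits, formulation task steps) are left untouched.
_UNORDERED: Dict[str, str] = {
    "components": "bom-ref",
    "services": "bom-ref",
    "dependencies": "ref",
    "vulnerabilities": "id",
    "affects": "ref",
    "hashes": "alg",
}


def serialize(doc: Any) -> bytes:
    # sort_keys + fixed separators + no ASCII escaping: exactly one byte layout per value
    return json.dumps(doc, sort_keys=True, separators=(",", ":"), ensure_ascii=False).encode("utf-8")


def _canon(node: Any, parent_key: str = "") -> Any:
    """Recursively sort the unordered lists; dict key order is handled by serialize()."""
    if isinstance(node, dict):
        return {k: _canon(v, k) for k, v in node.items()}
    if isinstance(node, list):
        items = [_canon(x, parent_key) for x in node]
        if parent_key in _UNORDERED and all(isinstance(x, dict) for x in items):
            id_key = _UNORDERED[parent_key]
            # tie-break on the whole element so duplicate ids still sort deterministically
            items.sort(key=lambda x: (str(x.get(id_key, "")), serialize(x)))
        elif parent_key == "dependsOn" and all(isinstance(x, str) for x in items):
            items.sort()
        return items
    return node


def canonicalize(bom: Dict[str, Any]) -> Dict[str, Any]:
    if bom.get("bomFormat") != "CycloneDX" or bom.get("specVersion") != "1.6":
        raise ValueError("expected a CycloneDX 1.6 document")
    return _canon(bom)


def parse(data: bytes) -> Dict[str, Any]:
    return json.loads(data.decode("utf-8"))


def round_trip_digest(bom: Dict[str, Any]) -> str:
    """write -> parse -> write; fail loudly if the second write differs from the first."""
    first = serialize(canonicalize(bom))
    second = serialize(canonicalize(parse(first)))
    if first != second:
        raise AssertionError("round trip is not deterministic")
    return hashlib.sha256(first).hexdigest()


def _reorder(obj: Any) -> Any:
    """Same BOM, different layout: reverse every list and every dict's key order."""
    if isinstance(obj, dict):
        return {k: _reorder(obj[k]) for k in reversed(list(obj))}
    if isinstance(obj, list):
        return [_reorder(x) for x in reversed(obj)]
    return obj


# Constructed sample BOM; every identifier below is a placeholder.
BOM_A: Dict[str, Any] = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.6",
    "serialNumber": "urn:uuid:00000000-0000-4000-8000-000000000001",  # pinned on purpose
    "version": 1,
    "metadata": {"timestamp": "2024-01-01T00:00:00Z"},  # a fresh timestamp would break determinism
    "components": [
        {"type": "application", "bom-ref": "pkg:generic/example-app@1.0.0",
         "name": "example-app", "version": "1.0.0", "purl": "pkg:generic/example-app@1.0.0"},
        {"type": "library", "bom-ref": "pkg:generic/example-lib@2.3.4",
         "name": "example-lib", "version": "2.3.4", "purl": "pkg:generic/example-lib@2.3.4",
         "licenses": [{"expression": "(MIT OR Apache-2.0) AND BSD-3-Clause"}],
         "hashes": [{"alg": "SHA-256", "content": "00" * 32}, {"alg": "SHA-1", "content": "00" * 20}]},
        {"type": "library", "bom-ref": "pkg:generic/example-util@0.9.0",
         "name": "example-util", "version": "0.9.0", "purl": "pkg:generic/example-util@0.9.0"},
    ],
    "dependencies": [
        {"ref": "pkg:generic/example-app@1.0.0",
         "dependsOn": ["pkg:generic/example-util@0.9.0", "pkg:generic/example-lib@2.3.4"]},
        {"ref": "pkg:generic/example-lib@2.3.4", "dependsOn": []},
        {"ref": "pkg:generic/example-util@0.9.0", "dependsOn": []},
    ],
    "vulnerabilities": [
        {"id": "EXAMPLE-VULN-0001",  # placeholder, not a real advisory id
         "affects": [{"ref": "pkg:generic/example-util@0.9.0"}, {"ref": "pkg:generic/example-lib@2.3.4"}]},
    ],
}
BOM_B = _reorder(BOM_A)  # equivalent content, every list and key order reversed

if __name__ == "__main__":
    print(round_trip_digest(BOM_A))
    print("same digest for both layouts:", round_trip_digest(BOM_A) == round_trip_digest(BOM_B))
```

Two points matter for the determinism tests in the plan: the serial number and `metadata.timestamp` must be supplied (or excluded from the comparison) by the test rather than generated at write time, and only lists whose order is semantically free may be sorted; sorting an ordered list such as a commit history would silently change the document's meaning.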
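The last test-plan item checks parsing of compound SPDX license expressions such as `(MIT OR Apache-2.0) AND BSD-3-Clause`. As an added example in Python, not the project's `SpdxLicenseExpressionParser`, here is a small recursive-descent parser for the SPDX license-expression grammar, where a license id may carry a trailing `+` (or-later) and a `WITH <exception>` clause, `AND` binds tighter than `OR`, and parentheses override precedence. The `License`/`Op` node types, the lenient handling of lower-case operators and the `render`/`license_ids` helpers are this example's own choices.

```python
"""Recursive-descent parser for SPDX license expressions (added example, not StellaOps code).

Grammar:
  or-expr  := and-expr ("OR" and-expr)*
  and-expr := simple ("AND" simple)*
  simple   := "(" or-expr ")" | id ["+"] ["WITH" exception-id]
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Union

# A token is "(", ")", or a run of id characters; a trailing "+" stays attached to the id.
_TOKEN = re.compile(r"\s*(\(|\)|[A-Za-z0-9.+-]+)")


@dataclass(frozen=True)
class License:
    id: str
    or_later: bool = False
    exception: Optional[str] = None


@dataclass(frozen=True)
class Op:
    kind: str  # "AND" or "OR"
    left: "Expr"
    right: "Expr"


Expr = Union[License, Op]


def tokenize(text: str) -> List[str]:
    tokens, pos, text = [], 0, text.strip()
    while pos < len(text):
        m = _TOKEN.match(text, pos)
        if not m:
            raise ValueError(f"unexpected character {text[pos]!r} at offset {pos}")
        tokens.append(m.group(1))
        pos = m.end()
    return tokens


class _Parser:
    def __init__(self, tokens: List[str]):
        self.toks, self.i = tokens, 0

    def peek(self) -> Optional[str]:
        return self.toks[self.i] if self.i < len(self.toks) else None

    def take(self) -> str:
        tok = self.peek()
        if tok is None:
            raise ValueError("unexpected end of expression")
        self.i += 1
        return tok

    def _at(self, keyword: str) -> bool:
        tok = self.peek()
        return tok is not None and tok.upper() == keyword  # lenient on operator case

    def parse_or(self) -> Expr:
        left = self.parse_and()
        while self._at("OR"):
            self.take()
            left = Op("OR", left, self.parse_and())
        return left

    def parse_and(self) -> Expr:
        left = self.parse_simple()
        while self._at("AND"):
            self.take()
            left = Op("AND", left, self.parse_simple())
        return left

    def parse_simple(self) -> Expr:
        tok = self.take()
        if tok == "(":
            inner = self.parse_or()
            if self.take() != ")":
                raise ValueError("expected ')'")
            return inner
        if tok == ")" or tok.upper() in ("AND", "OR", "WITH"):
            raise ValueError(f"unexpected token {tok!r}")
        or_later = tok.endswith("+")
        lic_id = tok[:-1] if or_later else tok
        if not lic_id:
            raise ValueError("empty license id")
        exception = None
        if self._at("WITH"):
            self.take()
            exception = self.take()
            if exception in ("(", ")") or exception.upper() in ("AND", "OR", "WITH"):
                raise ValueError("expected an exception id after WITH")
        return License(lic_id, or_later, exception)


def parse(text: str) -> Expr:
    p = _Parser(tokenize(text))
    expr = p.parse_or()
    if p.peek() is not None:
        raise ValueError(f"unexpected trailing token {p.peek()!r}")
    return expr


def is_valid(text: str) -> bool:
    try:
        parse(text)
        return True
    except ValueError:
        return False


def render(expr: Expr) -> str:
    """Canonical text: upper-case operators, single spaces, and parentheses only where
    an OR sits under an AND (the one place precedence would otherwise be lost)."""
    if isinstance(expr, License):
        text = expr.id + ("+" if expr.or_later else "")
        return f"{text} WITH {expr.exception}" if expr.exception else text

    def side(child: Expr) -> str:
        text = render(child)
        needs_parens = isinstance(child, Op) and expr.kind == "AND" and child.kind == "OR"
        return f"({text})" if needs_parens else text

    return f"{side(expr.left)} {expr.kind} {side(expr.right)}"


def license_ids(expr: Expr) -> List[str]:
    """Sorted, de-duplicated license ids, which is what a policy check usually consumes."""
    if isinstance(expr, License):
        return [expr.id]
    return sorted(set(license_ids(expr.left)) | set(license_ids(expr.right)))
```

`render(parse(text))` is a convenient determinism check for the licensing profile: any whitespace or operator-case variation in the input collapses to one canonical string, while an expression that is syntactically invalid (an unbalanced parenthesis, a dangling operator) is rejected rather than passed through into the written document.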