FindingEvidence Composition API Endpoint

Module

Scanner

Status

IMPLEMENTED

Description

REST API endpoint that composes per-finding evidence bundles by aggregating SBOM slices, reachability proofs, VEX documents, and attestation chains into a unified evidence response. EvidenceCompositionService orchestrates multi-source evidence assembly on demand.

Implementation Details

Evidence Composition Service:
- src/Scanner/StellaOps.Scanner.WebService/Services/IEvidenceCompositionService.cs - IEvidenceCompositionService interface
- src/Scanner/StellaOps.Scanner.WebService/Services/EvidenceCompositionService.cs - Orchestrates multi-source evidence assembly (SBOM slices, reachability, VEX, attestations)
- src/Scanner/StellaOps.Scanner.WebService/Services/EvidenceCompositionService.cs - EvidenceCompositionOptions for configuring evidence sources
Evidence Endpoints:
- src/Scanner/StellaOps.Scanner.WebService/Endpoints/EvidenceEndpoints.cs - EvidenceEndpoints for listing and querying evidence
- src/Scanner/StellaOps.Scanner.WebService/Endpoints/ReachabilityEvidenceEndpoints.cs - Reachability-specific evidence endpoints
- src/Scanner/StellaOps.Scanner.WebService/Endpoints/DeltaEvidenceEndpoints.cs - Delta evidence endpoints
Evidence Export:
- src/Scanner/StellaOps.Scanner.WebService/Services/IEvidenceBundleExporter.cs - Evidence bundle export interface
- src/Scanner/StellaOps.Scanner.WebService/Services/EvidenceBundleExporter.cs - Exports evidence bundles in multiple formats

E2E Test Plan

Call the evidence composition endpoint for a specific finding and verify a unified evidence response is returned
Verify the response includes SBOM slice data for the affected component
Verify the response includes reachability proof when reachability analysis was performed
Verify the response includes VEX document references when VEX data is available
Verify the response includes attestation chain verification status
Verify evidence bundle export works in supported formats

2.0 KiB Raw Blame History