SBOM-Advisory Intersection Matching and Learning

Module

Concelier

Status

IMPLEMENTED

Description

SBOM registration and learning system that finds which canonical advisories affect an organization's components. Matches by PURL and CPE, triggers interest score updates, and supports incremental delta SBOM matching. Provides POST /api/v1/learn/sbom endpoint and auto-learning from scan events.

Implementation Details

Modules: src/Concelier/__Libraries/StellaOps.Concelier.SbomIntegration/, src/Concelier/__Libraries/StellaOps.Concelier.Interest/
Key Classes:
- SbomAdvisoryMatcher (src/Concelier/__Libraries/StellaOps.Concelier.SbomIntegration/Matching/SbomAdvisoryMatcher.cs) - matches SBOM components against canonical advisories by PURL and CPE
- ParsedSbomParser (src/Concelier/__Libraries/StellaOps.Concelier.SbomIntegration/Parsing/ParsedSbomParser.cs) - parses SBOMs for component extraction
- InterestScoringService (src/Concelier/__Libraries/StellaOps.Concelier.Interest/InterestScoringService.cs) - triggered to update interest scores after SBOM matching
- InterestScoreCalculator (src/Concelier/__Libraries/StellaOps.Concelier.Interest/InterestScoreCalculator.cs) - recalculates interest based on SBOM intersection
Interfaces: ISbomAdvisoryMatcher, IParsedSbomParser, IInterestScoringService
Source: SPRINT_8200_0013_0003_SCAN_sbom_intersection_scoring.md

E2E Test Plan

Submit an SBOM via the learn endpoint and verify advisories affecting its components are identified
Verify PURL matching: SBOM with a component matching an advisory PURL produces a match
Verify CPE matching: SBOM with a component matching an advisory CPE produces a match
Verify interest score update: after SBOM learning, affected advisories have their interest scores recalculated
Verify incremental delta: submit an updated SBOM with new components and verify only the delta is processed

1.9 KiB Raw Blame History