git.stella-ops.org/docs/features/checked/concelier/vex-consumption-from-sbom-documents.md
2026-02-13 02:04:55 +02:00


# VEX Consumption from SBOM Documents (Embedded VEX Extraction)
## Module
Concelier
## Status
IMPLEMENTED
## Description
Extracts embedded VEX statements from CycloneDX and SPDX SBOMs, evaluates per-statement trust based on source provenance and evidence quality, resolves conflicts when multiple VEX sources disagree, and generates consumption reports. This is distinct from the existing "VEX Multi-Source Consensus Engine", which merges standalone VEX documents; this feature processes only VEX that is embedded within SBOM documents.
## Implementation Details
- **Modules**: `src/Concelier/__Libraries/StellaOps.Concelier.SbomIntegration/Vex/`, `src/Concelier/__Libraries/StellaOps.Concelier.SbomIntegration/Parsing/`
- **Key Classes**:
  - `VexConsumptionReporter` (`src/Concelier/__Libraries/StellaOps.Concelier.SbomIntegration/Vex/VexConsumptionReporter.cs`) - generates consumption reports from extracted VEX statements
  - `VexConsumptionPolicyLoader` (`src/Concelier/__Libraries/StellaOps.Concelier.SbomIntegration/Vex/VexConsumptionPolicyLoader.cs`) - loads trust and precedence policies for VEX evaluation
  - `VexConflictResolver` (`src/Concelier/__Libraries/StellaOps.Concelier.SbomIntegration/Vex/VexConflictResolver.cs`) - resolves conflicts between embedded VEX statements
  - `VexConsumptionOptions` (`src/Concelier/__Libraries/StellaOps.Concelier.SbomIntegration/Vex/VexConsumptionOptions.cs`) - configuration for VEX consumption behavior
  - `ParsedSbomParser` (`src/Concelier/__Libraries/StellaOps.Concelier.SbomIntegration/Parsing/ParsedSbomParser.cs`) - extracts embedded VEX from CycloneDX and SPDX SBOMs
- **Interfaces**: `IVexConsumptionReporter`, `IVexConsumptionPolicyLoader`, `IVexConflictResolver`
- **Source**: SPRINT_20260119_020_Concelier_vex_consumption.md
## E2E Test Plan
- [ ] Parse a CycloneDX SBOM with embedded VEX statements and verify all VEX entries are extracted
- [ ] Parse an SPDX SBOM with embedded VEX and verify extraction works across formats
- [ ] Verify per-statement trust evaluation: VEX from a vendor SBOM receives higher trust than from a third-party
- [ ] Verify conflict resolution: two embedded VEX statements with conflicting status for the same CVE are resolved with rationale
- [ ] Verify consumption report: `VexConsumptionReporter` generates a report listing all consumed VEX statements with trust scores
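The pipeline the description and test plan cover (extract embedded VEX from a CycloneDX `vulnerabilities[].analysis` block, score it by provenance, resolve a conflicting status with a rationale, emit a report) as an added illustration in Python; this is not Concelier's C# code, and the trust scores, the state ranking used to break ties, and the sample SBOMs are assumptions constructed for the example.

```python
import json
# Assumed trust policy (not the project's VexConsumptionPolicyLoader): score by SBOM provenance.
TRUST_BY_PROVENANCE = {"vendor": 0.9, "third_party": 0.5}
# CycloneDX analysis states ranked so the more conservative one wins an equal-trust tie.
STATE_RANK = {"affected": 3, "exploitable": 3, "in_triage": 2, "resolved": 1,
              "resolved_with_pedigree": 1, "not_affected": 0, "false_positive": 0}

def extract_cyclonedx_vex(sbom_json, provenance):
    """Pull embedded VEX out of a CycloneDX SBOM's `vulnerabilities[].analysis` entries."""
    doc = json.loads(sbom_json)
    statements = []
    for vuln in doc.get("vulnerabilities", []):
        analysis = vuln.get("analysis") or {}
        if "state" not in analysis:
            continue  # vulnerability listed without a VEX analysis: nothing to consume
        for target in vuln.get("affects", []):
            statements.append({"vuln": vuln["id"], "ref": target["ref"], "state": analysis["state"],
                               "justification": analysis.get("justification"),
                               "provenance": provenance, "trust": TRUST_BY_PROVENANCE[provenance]})
    return statements

def resolve_conflicts(statements):
    """Per (vuln, component): highest trust wins; equal trust falls back to the more conservative state."""
    groups = {}
    for s in statements:
        groups.setdefault((s["vuln"], s["ref"]), []).append(s)
    report = []
    for (vuln, ref), group in sorted(groups.items()):
        winner = max(group, key=lambda s: (s["trust"], STATE_RANK.get(s["state"], 2)))
        overridden = [s for s in group if s["state"] != winner["state"]]
        rationale = "no conflict" if not overridden else (
            f"{winner['provenance']} (trust {winner['trust']}) overrides "
            + ", ".join(f"{s['provenance']}={s['state']}" for s in overridden))
        report.append({"vuln": vuln, "ref": ref, "state": winner["state"],
                       "trust": winner["trust"], "rationale": rationale})
    return report

# Constructed sample SBOMs (not real data): a vendor SBOM and a third-party SBOM disagree on one CVE.
VENDOR_SBOM = json.dumps({"bomFormat": "CycloneDX", "specVersion": "1.5", "vulnerabilities": [
    {"id": "CVE-0000-0001", "affects": [{"ref": "pkg:npm/example@1.0.0"}],
     "analysis": {"state": "not_affected", "justification": "code_not_reachable"}}]})
THIRD_PARTY_SBOM = json.dumps({"bomFormat": "CycloneDX", "specVersion": "1.5", "vulnerabilities": [
    {"id": "CVE-0000-0001", "affects": [{"ref": "pkg:npm/example@1.0.0"}], "analysis": {"state": "affected"}},
    {"id": "CVE-0000-0002", "affects": [{"ref": "pkg:npm/example@1.0.0"}]}]})  # no analysis: not VEX

def consumption_report():
    statements = (extract_cyclonedx_vex(VENDOR_SBOM, "vendor")
                  + extract_cyclonedx_vex(THIRD_PARTY_SBOM, "third_party"))
    return resolve_conflicts(statements)
```

Running `consumption_report()` yields one resolved entry whose rationale records that the vendor statement overrode the third-party `affected` status; the SPDX path would need a separate extractor, since SPDX carries VEX-like data differently.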