git.stella-ops.org/docs/features/unchecked/attestor/content-addressed-ids-for-sbom-components.md

Content-Addressed IDs for SBOM Components (bom-ref)

Module

Attestor

Status

IMPLEMENTED

Description

Content-addressed ID generator with SBOM entry IDs and CycloneDX subject extraction for deterministic component referencing.

Implementation Details

  • SbomEntryId: src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Identifiers/SbomEntryId.cs -- content-addressed ID type for SBOM entries, ensuring deterministic bom-ref values.
  • Content-Addressed ID Generator: ContentAddressedIdGenerator.cs -- generates SHA-256 based IDs from canonical SBOM component content.
  • CycloneDX Subject Extractor: __Libraries/StellaOps.Attestor.ProofChain/Sbom/CycloneDxSubjectExtractor.cs -- implements ISbomSubjectExtractor. Extracts subjects from a CycloneDX SBOM for attestation.
  • Component Ref Extractor: __Libraries/StellaOps.Attestor.ProofChain/Linking/ComponentRefExtractor.cs (with .Resolution, .Spdx partials) -- extracts component references from SBOMs for cross-linking. SbomExtractionResult.cs -- extraction result model.
  • SBOM Canonicalization: src/Attestor/__Libraries/StellaOps.Attestor.StandardPredicates/Canonicalization/SbomCanonicalizer.cs (with .Elements) -- deterministic element ordering for stable ID generation.
  • Tests: __Tests/StellaOps.Attestor.ProofChain.Tests/ContentAddressedIdTests.cs, ContentAddressedIdGeneratorTests.cs

E2E Test Plan

  • Generate SbomEntryId for a CycloneDX component with name, version, and PURL and verify deterministic ID
  • Generate IDs for two components with same content but different field ordering and verify IDs match (canonicalization)
  • Extract subjects from a CycloneDX SBOM via CycloneDxSubjectExtractor and verify each component has a content-addressed subject ID
  • Extract component references via ComponentRefExtractor and verify bom-ref values are content-addressed
  • Extract SPDX component references via ComponentRefExtractor.Spdx and verify deterministic SPDX IDs
  • Canonicalize an SBOM via SbomCanonicalizer, generate content-addressed IDs, and verify stability across invocations
  • Modify a single component field and verify the SbomEntryId changes
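As an added illustration (not the project's C# code; the StellaOps implementation lives in the files listed under Implementation Details), the following Python models the scheme the test plan above exercises: project each component onto its identity-bearing fields, canonicalize them (sorted keys, no whitespace, normalized hash digests), SHA-256 the bytes, and use the digest as the bom-ref, then rewrite dependency edges and order components by ID so the whole SBOM is byte-stable across invocations. The identity-field set, the `sha256:` prefix and the sample SBOM are assumptions made for this example.

```python
import copy
import hashlib
import json

# Fields that define a component's identity. Which fields the project hashes is not
# stated on the page; this selection is an assumption for the example. Free-text
# fields (description, the incoming bom-ref) are deliberately excluded.
IDENTITY_FIELDS = ("type", "name", "version", "purl", "hashes")


def _dumps(obj) -> bytes:
    # Canonical JSON: sorted keys, no whitespace, UTF-8 (a JCS-like approach).
    return json.dumps(obj, sort_keys=True, separators=(",", ":"), ensure_ascii=False).encode("utf-8")


def canonicalize_component(component: dict) -> bytes:
    """Project a component onto its identity fields and serialize canonically.

    Two components that differ only in key order, in non-identity fields, or in
    the letter case of hash digests produce identical bytes.
    """
    canon = {k: component[k] for k in IDENTITY_FIELDS if component.get(k) is not None}
    if "hashes" in canon:
        canon["hashes"] = sorted(
            ({"alg": h["alg"], "content": h["content"].lower()} for h in canon["hashes"]),
            key=lambda h: (h["alg"], h["content"]),
        )
    return _dumps(canon)


def sbom_entry_id(component: dict) -> str:
    """Content-addressed ID: SHA-256 over the canonical bytes ("sha256:" prefix is an assumed format)."""
    return "sha256:" + hashlib.sha256(canonicalize_component(component)).hexdigest()


def canonicalize_sbom(sbom: dict) -> dict:
    """Rewrite every bom-ref to its content-addressed ID, fix up dependency edges that
    used the old refs, and sort components/dependencies by ID so the output does not
    depend on the input order."""
    out = copy.deepcopy(sbom)
    ref_map = {}
    for comp in out.get("components", []):
        new_ref = sbom_entry_id(comp)
        if "bom-ref" in comp:
            ref_map[comp["bom-ref"]] = new_ref
        comp["bom-ref"] = new_ref
    out["components"] = sorted(out.get("components", []), key=lambda c: c["bom-ref"])
    deps = [
        {
            "ref": ref_map.get(d["ref"], d["ref"]),
            "dependsOn": sorted(ref_map.get(r, r) for r in d.get("dependsOn", [])),
        }
        for d in out.get("dependencies", [])
    ]
    out["dependencies"] = sorted(deps, key=lambda d: d["ref"])
    return out


def canonical_sbom_bytes(sbom: dict) -> bytes:
    """Bytes a verifier would hash or sign; stable across invocations and input orderings."""
    return _dumps(canonicalize_sbom(sbom))


# Constructed sample SBOM (not from the project): two components, one dependency edge,
# with the second component's keys deliberately out of order.
SAMPLE_SBOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"bom-ref": "pkg-b", "type": "library", "name": "libbar", "version": "2.0.1",
         "purl": "pkg:npm/libbar@2.0.1", "description": "free text, not part of identity"},
        {"purl": "pkg:npm/libfoo@1.4.0", "version": "1.4.0", "name": "libfoo",
         "type": "library", "bom-ref": "pkg-a",
         "hashes": [{"alg": "SHA-256", "content": "AB" * 32}]},
    ],
    "dependencies": [{"ref": "pkg-a", "dependsOn": ["pkg-b"]}],
}

if __name__ == "__main__":
    for comp in canonicalize_sbom(SAMPLE_SBOM)["components"]:
        print(comp["name"], comp["bom-ref"])
```

Because the bom-ref is derived from content rather than assigned by the producer, a verifier can recompute it from the component it receives and reject an SBOM whose refs do not match; the `canonical_sbom_bytes` output is what the attestation layer would bind a signature to.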