stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity
Files
cf5b72974f923126944f4dcd47e85864ebb31a3b
git.stella-ops.org/docs/features/unchecked/concelier/vex-consumption-from-sbom-documents.md

2.3 KiB
Raw Blame History

VEX Consumption from SBOM Documents (Embedded VEX Extraction)

Module

Concelier

Status

IMPLEMENTED

Description

Extracts embedded VEX statements from CycloneDX and SPDX SBOMs, evaluates per-statement trust based on source provenance and evidence quality, resolves conflicts when multiple VEX sources disagree, and generates consumption reports. This is distinct from the known "VEX Multi-Source Consensus Engine" which merges standalone VEX documents; this feature specifically processes VEX embedded within SBOM documents.

Implementation Details

  • Modules: src/Concelier/__Libraries/StellaOps.Concelier.SbomIntegration/Vex/, src/Concelier/__Libraries/StellaOps.Concelier.SbomIntegration/Parsing/
  • Key Classes:
    • VexConsumptionReporter (src/Concelier/__Libraries/StellaOps.Concelier.SbomIntegration/Vex/VexConsumptionReporter.cs) - generates consumption reports from extracted VEX statements
    • VexConsumptionPolicyLoader (src/Concelier/__Libraries/StellaOps.Concelier.SbomIntegration/Vex/VexConsumptionPolicyLoader.cs) - loads trust and precedence policies for VEX evaluation
    • VexConflictResolver (src/Concelier/__Libraries/StellaOps.Concelier.SbomIntegration/Vex/VexConflictResolver.cs) - resolves conflicts between embedded VEX statements
    • VexConsumptionOptions (src/Concelier/__Libraries/StellaOps.Concelier.SbomIntegration/Vex/VexConsumptionOptions.cs) - configuration for VEX consumption behavior
    • ParsedSbomParser (src/Concelier/__Libraries/StellaOps.Concelier.SbomIntegration/Parsing/ParsedSbomParser.cs) - extracts embedded VEX from CycloneDX and SPDX SBOMs
  • Interfaces: IVexConsumptionReporter, IVexConsumptionPolicyLoader, IVexConflictResolver
  • Source: SPRINT_20260119_020_Concelier_vex_consumption.md

E2E Test Plan

  • Parse a CycloneDX SBOM with embedded VEX statements and verify all VEX entries are extracted
  • Parse an SPDX SBOM with embedded VEX and verify extraction works across formats
  • Verify per-statement trust evaluation: VEX from a vendor SBOM receives higher trust than from a third-party
  • Verify conflict resolution: two embedded VEX statements with conflicting status for the same CVE are resolved with rationale
  • Verify consumption report: VexConsumptionReporter generates a report listing all consumed VEX statements with trust scores