Verdict Ledger bom-ref Extraction and Indexing

Module

EvidenceLocker

Status

IMPLEMENTED

Description

Added bom-ref extraction and component-level indexing to the verdict ledger, enabling queries by SBOM component reference for auditing which components were evaluated in each verdict.

Implementation Details

Modules: src/EvidenceLocker/StellaOps.EvidenceLocker/, src/EvidenceLocker/StellaOps.EvidenceLocker/Api/
Key Classes:
- PostgresVerdictRepository (src/EvidenceLocker/StellaOps.EvidenceLocker/Storage/PostgresVerdictRepository.cs) - PostgreSQL repository with bom-ref extraction and component-level indexing
- VerdictEndpoints (src/EvidenceLocker/StellaOps.EvidenceLocker/Api/VerdictEndpoints.cs) - API endpoints for verdict queries including by bom-ref
- VerdictContracts (src/EvidenceLocker/StellaOps.EvidenceLocker/Api/VerdictContracts.cs) - contract models for verdict data with bom-ref fields
- EvidenceLockerDataSource (src/EvidenceLocker/StellaOps.EvidenceLocker/StellaOps.EvidenceLocker.Infrastructure/Db/EvidenceLockerDataSource.cs) - database connection for verdict queries
Interfaces: IVerdictRepository
Source: SPRINT_20260118_015_Attestor_verdict_ledger_foundation.md

E2E Test Plan

Store a verdict via PostgresVerdictRepository and verify bom-ref fields are extracted and indexed
Query verdicts by bom-ref via VerdictEndpoints and verify only verdicts for that component are returned
Verify VerdictContracts include bom-ref in response models
Verify component-level indexing: query by bom-ref returns all verdicts that evaluated that component
Verify multiple bom-refs per verdict are correctly indexed and queryable
Verify bom-ref extraction handles edge cases (empty bom-ref, special characters, very long refs)

1.8 KiB Raw Blame History