SBOM-Verdict Linking Table

Module

SbomService

Status

IMPLEMENTED

Description

Join table linking SBOM versions to VEX consensus verdicts per CVE. Fully implemented with PostgreSQL persistence, in-memory test implementation, and lineage integration.

Implementation Details

  • Persistence interface (Persistence layer): src/SbomService/__Libraries/StellaOps.SbomService.Persistence/Repositories/ISbomVerdictLinkRepository.cs -- LinkAsync, LinkBatchAsync, GetVerdictsBySbomAsync, GetSbomsByCveAsync, GetSbomsByStatusAsync
  • Postgres implementation: src/SbomService/__Libraries/StellaOps.SbomService.Persistence/Postgres/Repositories/PostgresSbomVerdictLinkRepository.cs -- PostgreSQL verdict link storage with upsert on conflict
  • Lineage interface: src/SbomService/__Libraries/StellaOps.SbomService.Lineage/Repositories/ISbomVerdictLinkRepository.cs -- lineage-layer verdict link contract
  • Lineage Postgres implementation: src/SbomService/__Libraries/StellaOps.SbomService.Lineage/Repositories/SbomVerdictLinkRepository.cs -- sbom.sbom_verdict_links table with columns: sbom_version_id, cve, consensus_projection_id, verdict_status, confidence_score, tenant_id; upsert on (sbom_version_id, cve, tenant_id) conflict
  • Schema migration: src/SbomService/__Libraries/StellaOps.SbomService.Lineage/Persistence/Migrations/00001_InitialSchema.sql -- creates sbom_verdict_links table
  • DI registration: src/SbomService/__Libraries/StellaOps.SbomService.Lineage/DependencyInjection/ServiceCollectionExtensions.cs -- registers verdict link repository
  • Lineage domain: src/SbomService/__Libraries/StellaOps.SbomService.Lineage/Domain/LineageModels.cs -- SbomVerdictLink model
  • Tests: src/SbomService/__Tests/StellaOps.SbomService.Lineage.Tests/Domain/LineageModelsTests.cs
  • Source: Feature matrix scan

E2E Test Plan

  • Verify SBOM-to-verdict linking creates records in sbom_verdict_links table
  • Test batch linking of multiple verdicts per SBOM version
  • Verify query by CVE returns all linked SBOM versions
  • Test query by verdict status with limit parameter
  • Verify upsert behavior on (sbom_version_id, cve, tenant_id) conflict
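
The checks in the test plan above, sketched as an added example that is not the project's own code. It uses Python's sqlite3 as a stand-in for PostgreSQL. Only the table name, the column names and the conflict key come from this page; the column types, the tenant-scoped queries, the helper names and all sample values are assumptions.

```python
import sqlite3

# From the page: table name, column names, conflict key. Assumed: column types,
# SQLite standing in for PostgreSQL, helper names, and every sample value.
SCHEMA = """CREATE TABLE sbom_verdict_links (
    sbom_version_id TEXT NOT NULL, cve TEXT NOT NULL,
    consensus_projection_id TEXT NOT NULL, verdict_status TEXT NOT NULL,
    confidence_score REAL NOT NULL, tenant_id TEXT NOT NULL,
    UNIQUE (sbom_version_id, cve, tenant_id))"""

UPSERT = """INSERT INTO sbom_verdict_links VALUES (?, ?, ?, ?, ?, ?)
    ON CONFLICT (sbom_version_id, cve, tenant_id) DO UPDATE SET
        consensus_projection_id = excluded.consensus_projection_id,
        verdict_status = excluded.verdict_status,
        confidence_score = excluded.confidence_score"""

# Constructed rows: (sbom_version_id, cve, projection, status, score, tenant).
ROWS = [
    ("sbom-v1", "CVE-0000-0001", "proj-1", "affected", 0.70, "tenant-a"),
    ("sbom-v1", "CVE-0000-0002", "proj-2", "not_affected", 0.90, "tenant-a"),
    ("sbom-v2", "CVE-0000-0001", "proj-3", "affected", 0.80, "tenant-a"),
    ("sbom-v1", "CVE-0000-0001", "proj-4", "fixed", 0.95, "tenant-b"),
    # Same key as the first row: must update it, not add a second row.
    ("sbom-v1", "CVE-0000-0001", "proj-5", "not_affected", 0.99, "tenant-a"),
]

def open_db():
    db = sqlite3.connect(":memory:")
    db.execute(SCHEMA)
    return db

def link_batch(db, rows):
    with db:  # one transaction: the whole batch commits or rolls back
        db.executemany(UPSERT, rows)

def sboms_by_cve(db, tenant_id, cve):
    return db.execute(
        "SELECT sbom_version_id, verdict_status FROM sbom_verdict_links "
        "WHERE tenant_id = ? AND cve = ? ORDER BY sbom_version_id",
        (tenant_id, cve)).fetchall()

def sboms_by_status(db, tenant_id, status, limit):
    return db.execute(
        "SELECT sbom_version_id, cve FROM sbom_verdict_links "
        "WHERE tenant_id = ? AND verdict_status = ? "
        "ORDER BY sbom_version_id, cve LIMIT ?",
        (tenant_id, status, limit)).fetchall()

if __name__ == "__main__":
    db = open_db()
    link_batch(db, ROWS)
    print(sboms_by_cve(db, "tenant-a", "CVE-0000-0001"))
```

Because tenant_id is part of the conflict key, the tenant-b row for the same SBOM version and CVE is stored separately and is not overwritten by the tenant-a upsert.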