sbom-diff-and-risk classifies change-related heuristics. It does not claim vulnerability truth.
The current rules are intentionally conservative:
new_package: a component appears only in the after input.major_upgrade: strict SemVerx.y.zmajor version increase.version_change_unclassified: version changed, but not a clear SemVer major bump.unknown_license: license metadata is missing or explicitly unknown.suspicious_source: provenance fields are missing or use suspicious schemes or hosts.stale_package: reserved for future enrichment work. When enrichment is disabled, the tool emitsnot_evaluatedinstead of guessing.
new_packageis a change signal, not a vulnerability claim.major_upgradefires only when both versions look reliably parseable as strict SemVer.- uncertain version changes fall back to
version_change_unclassified. - suspicious source is a provenance-quality heuristic, not a malware verdict.
- missing metadata is reported as unknown rather than silently treated as safe.
not_evaluatedmeans the stale-package question was intentionally left unanswered offline.
- real
stale_packageevaluation behind explicit enrichment - provenance-based policy gates over opt-in enrichment evidence
- ecosystem-specific trust rules
- advisory and CVE enrichment
- configurable risk policy profiles