|
| 1 | +# sbom-diff-and-risk v0.9.0 |
| 2 | + |
| 3 | +`v0.9.0` is the policy JSON sidecar and consumer integration usability |
| 4 | +release. |
| 5 | + |
| 6 | +## Theme |
| 7 | + |
| 8 | +Policy-focused machine-readable output for CI consumers. |
| 9 | + |
| 10 | +`v0.9.0` focuses on making local policy outcomes easier to consume without |
| 11 | +walking the full JSON report. It adds a policy-only JSON sidecar, checked-in |
| 12 | +policy sidecar examples, and copyable GitHub Actions consumer guidance. |
| 13 | + |
| 14 | +This release keeps the dependency diff model, existing full-report JSON shape, |
| 15 | +Markdown output behavior, SARIF output behavior, release workflows, and |
| 16 | +publishing status unchanged except for the new optional CLI output surface. |
| 17 | + |
| 18 | +## Highlights |
| 19 | + |
| 20 | +- Added optional `--policy-json PATH` support to `sbom-diff-risk compare`. |
| 21 | +- Added a checked-in `examples/sample-policy.json` artifact for the policy |
| 22 | + sidecar shape. |
| 23 | +- Added a GitHub Actions policy consumer example at |
| 24 | + `examples/github-actions-policy-consumer.yml`. |
| 25 | +- Updated reviewer-facing evidence documentation for reproducing and consuming |
| 26 | + `outputs/policy.json`. |
| 27 | +- Kept production PyPI intentionally deferred. |
| 28 | + |
| 29 | +## Policy JSON sidecar |
| 30 | + |
| 31 | +`--policy-json PATH` writes policy-related JSON sections from the same report |
| 32 | +model used by `--out-json`. It does not introduce a second policy schema. |
| 33 | + |
| 34 | +The sidecar includes: |
| 35 | + |
| 36 | +- `policy_evaluation` |
| 37 | +- `blocking_findings` |
| 38 | +- `warning_findings` |
| 39 | +- `suppressed_findings` |
| 40 | +- `rule_catalog` |
| 41 | +- `summary.policy` when policy evaluation is applied |
| 42 | +- provenance policy sections when those sections are relevant |
| 43 | + |
| 44 | +The sidecar intentionally omits full-report `components` and `risks`. Consumers |
| 45 | +that need the complete dependency diff should continue to use `--out-json`. |
| 46 | + |
| 47 | +When policy is not applied, the sidecar records |
| 48 | +`policy_evaluation.applied` as `false` and omits `summary.policy`. |
| 49 | + |
| 50 | +## Consumer integration examples |
| 51 | + |
| 52 | +`examples/sample-policy.json` is generated from the existing CycloneDX example |
| 53 | +pair with `examples/policy-strict.yml`. It is locked by tests and is expected to |
| 54 | +match the policy-related sections in the corresponding full policy-fail JSON |
| 55 | +report. |
| 56 | + |
| 57 | +`examples/github-actions-policy-consumer.yml` shows how a consumer repository |
| 58 | +can: |
| 59 | + |
| 60 | +- install from the GitHub Release wheel, not production PyPI |
| 61 | +- run `sbom-diff-risk compare` with `--policy-json` |
| 62 | +- keep `outputs/policy.json` as a CI artifact |
| 63 | +- upload evidence even when local policy fails |
| 64 | +- fail the job from `summary.policy` |
| 65 | + |
| 66 | +The example is documentation only. It is not a workflow for this repository and |
| 67 | +does not change this repository's GitHub Actions configuration. |
| 68 | + |
| 69 | +## Compatibility and boundaries |
| 70 | + |
| 71 | +- Existing `--out-json` behavior remains the full JSON report output. |
| 72 | +- Existing `--summary-json PATH` behavior remains summary-only output. |
| 73 | +- Existing Markdown output behavior is unchanged. |
| 74 | +- Existing SARIF output behavior is unchanged. |
| 75 | +- Existing policy pass, warn, and fail behavior is unchanged. |
| 76 | +- Existing exit codes are unchanged. |
| 77 | +- No hidden network behavior was added. |
| 78 | +- No CVE lookup or CVE resolution was added. |
| 79 | +- Policy findings remain local policy decisions, not dependency safety |
| 80 | + verdicts. |
| 81 | +- Consumers should treat unrecognized future fields as additive report data. |
| 82 | + |
| 83 | +## Distribution status |
| 84 | + |
| 85 | +- Production PyPI publishing remains intentionally deferred. |
| 86 | +- This release is expected to be distributed through GitHub Release assets. |
| 87 | +- The consumer examples install from GitHub Release assets or local checkout, |
| 88 | + not production PyPI. |
| 89 | +- This release does not publish to TestPyPI. |
| 90 | +- This release does not publish to production PyPI. |
| 91 | +- No production PyPI workflow is added. |
| 92 | + |
| 93 | +## Not in this release |
| 94 | + |
| 95 | +- No package safety verdicts. |
| 96 | +- No vulnerability scanning. |
| 97 | +- No CVE resolution. |
| 98 | +- No default network enrichment. |
| 99 | +- No workflow changes for this repository. |
| 100 | +- No TestPyPI publishing. |
| 101 | +- No production PyPI publishing. |
| 102 | +- No production PyPI workflow. |
| 103 | + |
| 104 | +This PR only drafts release notes. It does not bump package version, create a |
| 105 | +tag, create a GitHub Release, publish to PyPI/TestPyPI, or change runtime |
| 106 | +behavior. |
0 commit comments