You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
The [`examples/`](D:/OneDrive/Code/scientific-computing-toolkit/tools/sbom-diff-and-risk/examples) directory includes:
163
+
The [examples/](D:/OneDrive/Code/scientific-computing-toolkit/tools/sbom-diff-and-risk/examples) directory includes:
148
164
149
165
- before/after inputs for CycloneDX JSON, SPDX JSON, `requirements.txt`, and `pyproject.toml`
166
+
- dependency-group examples at `examples/pyproject_groups_before.toml` and `examples/pyproject_groups_after.toml`
150
167
- example policies at `examples/policy-minimal.yml` and `examples/policy-strict.yml`
151
-
- a sample CycloneDX-based JSON report at [`sample-report.json`](D:/OneDrive/Code/scientific-computing-toolkit/tools/sbom-diff-and-risk/examples/sample-report.json)
152
-
- a sample CycloneDX-based Markdown report at [`sample-report.md`](D:/OneDrive/Code/scientific-computing-toolkit/tools/sbom-diff-and-risk/examples/sample-report.md)
153
-
- sample policy-warn reports at [`sample-policy-warn-report.json`](D:/OneDrive/Code/scientific-computing-toolkit/tools/sbom-diff-and-risk/examples/sample-policy-warn-report.json) and [`sample-policy-warn-report.md`](D:/OneDrive/Code/scientific-computing-toolkit/tools/sbom-diff-and-risk/examples/sample-policy-warn-report.md)
154
-
- sample policy-fail reports at [`sample-policy-fail-report.json`](D:/OneDrive/Code/scientific-computing-toolkit/tools/sbom-diff-and-risk/examples/sample-policy-fail-report.json) and [`sample-policy-fail-report.md`](D:/OneDrive/Code/scientific-computing-toolkit/tools/sbom-diff-and-risk/examples/sample-policy-fail-report.md)
155
-
- a sample SARIF export at [`sample-sarif.sarif`](D:/OneDrive/Code/scientific-computing-toolkit/tools/sbom-diff-and-risk/examples/sample-sarif.sarif)
156
-
- requirements-based sample reports at [`sample-requirements-report.json`](D:/OneDrive/Code/scientific-computing-toolkit/tools/sbom-diff-and-risk/examples/sample-requirements-report.json) and [`sample-requirements-report.md`](D:/OneDrive/Code/scientific-computing-toolkit/tools/sbom-diff-and-risk/examples/sample-requirements-report.md)
168
+
- a sample pass JSON report at [sample-report.json](D:/OneDrive/Code/scientific-computing-toolkit/tools/sbom-diff-and-risk/examples/sample-report.json)
169
+
- a sample pass Markdown report at [sample-report.md](D:/OneDrive/Code/scientific-computing-toolkit/tools/sbom-diff-and-risk/examples/sample-report.md)
170
+
- sample policy-warn reports at [sample-policy-warn-report.json](D:/OneDrive/Code/scientific-computing-toolkit/tools/sbom-diff-and-risk/examples/sample-policy-warn-report.json) and [sample-policy-warn-report.md](D:/OneDrive/Code/scientific-computing-toolkit/tools/sbom-diff-and-risk/examples/sample-policy-warn-report.md)
171
+
- sample policy-fail reports at [sample-policy-fail-report.json](D:/OneDrive/Code/scientific-computing-toolkit/tools/sbom-diff-and-risk/examples/sample-policy-fail-report.json) and [sample-policy-fail-report.md](D:/OneDrive/Code/scientific-computing-toolkit/tools/sbom-diff-and-risk/examples/sample-policy-fail-report.md)
172
+
- a sample SARIF export at [sample-sarif.sarif](D:/OneDrive/Code/scientific-computing-toolkit/tools/sbom-diff-and-risk/examples/sample-sarif.sarif)
173
+
- requirements-based sample reports at [sample-requirements-report.json](D:/OneDrive/Code/scientific-computing-toolkit/tools/sbom-diff-and-risk/examples/sample-requirements-report.json) and [sample-requirements-report.md](D:/OneDrive/Code/scientific-computing-toolkit/tools/sbom-diff-and-risk/examples/sample-requirements-report.md)
157
174
158
-
## Enforcement
175
+
## Enforcement Mode
159
176
160
177
Policy enforcement is optional and deterministic. Exit codes are stable:
161
178
@@ -207,23 +224,47 @@ sbom-diff-risk compare \
207
224
--out-sarif outputs/report.sarif
208
225
```
209
226
210
-
For GitHub code scanning integration guidance and a minimal upload workflow, see [docs/github-code-scanning.md](D:/OneDrive/Code/scientific-computing-toolkit-real/tools/sbom-diff-and-risk/docs/github-code-scanning.md).
227
+
For GitHub code scanning integration guidance and a minimal upload workflow, see [docs/github-code-scanning.md](D:/OneDrive/Code/scientific-computing-toolkit/tools/sbom-diff-and-risk/docs/github-code-scanning.md).
228
+
229
+
## Parser Boundaries
230
+
231
+
Deterministic local mode intentionally supports a conservative subset of packaging syntax. The detailed matrix lives in [docs/parser-boundaries.md](D:/OneDrive/Code/scientific-computing-toolkit/tools/sbom-diff-and-risk/docs/parser-boundaries.md).
232
+
233
+
### requirements.txt subset
234
+
235
+
| Syntax | Status | Notes |
236
+
| --- | --- | --- |
237
+
| Plain PEP 508 requirement entries | Supported | Names, specifiers, extras, and markers |
238
+
| Comments, blank lines, line continuations | Supported | Normalized locally without installer behavior |
239
+
|`-r`, `--requirement`| Unsupported | Include chains fail closed |
| Editable installs | Unsupported |`-e` and `--editable` are rejected |
242
+
| Direct URL, VCS, and local path refs | Unsupported | Includes `pkg @ https://...`, `git+...`, wheels, archives, and local paths |
243
+
| Index and source options | Unsupported | Includes `--index-url`, `--extra-index-url`, `--find-links`, and related flags |
244
+
245
+
### pyproject.toml subset
246
+
247
+
- default parsing supports PEP 621 `[project.dependencies]` and `[project.optional-dependencies]`
248
+
- dependency groups are supported through PEP 735 `[dependency-groups]`
249
+
- dependency groups must be selected explicitly with `--pyproject-group <name>`
250
+
- dependency groups are not treated as aliases for `[project.optional-dependencies]`
251
+
- tool-specific layouts such as Poetry, Hatch, and PDM remain out of scope in v0.2
211
252
212
253
## Limitations
213
254
214
-
-v0.1 is local-file based only.
255
+
-default mode is local-file based only.
215
256
-`generated_at` remains `null` to preserve deterministic report output.
216
257
-`stale_package` is not resolved offline. The report emits `not_evaluated` instead.
217
-
- SARIF export intentionally covers only a conservative subset of findings in v0.1.
258
+
- SARIF export intentionally covers only a conservative subset of findings in v0.2.
218
259
- No vulnerability database integration, CVE matching, or advisory enrichment.
219
-
-`requirements.txt` support intentionally covers a conservative subset: plain PEP 508 requirement entries, comments, direct URL requirements, and line continuations.
220
-
-`requirements.txt` intentionally does not support pip include/constraint directives such as `-r`, `-c`, or arbitrary install flags in v0.1.
221
-
-`pyproject.toml` support intentionally covers a conservative subset: PEP 621 `[project.dependencies]` and `[project.optional-dependencies]`.
222
-
-`pyproject.toml` intentionally does not support tool-specific layouts such as Poetry, Hatch, or PDM sections in v0.1.
260
+
-`requirements.txt` support intentionally covers a conservative subset: plain PEP 508 requirement entries, comments, extras, markers, and line continuations.
261
+
-`requirements.txt` intentionally rejects include/constraint directives, editable installs, direct URL/path refs, index/source options, and other pip-only install flags in deterministic mode.
262
+
-`pyproject.toml` support intentionally covers a conservative subset: PEP 621 `[project.dependencies]`, `[project.optional-dependencies]`, and explicit PEP 735 `[dependency-groups]` selection.
263
+
-`pyproject.toml` intentionally does not support tool-specific layouts such as Poetry, Hatch, or PDM sections in v0.2.
223
264
- Risk buckets are heuristics, not security verdicts.
224
265
- Runtime-generated `outputs/` artifacts are ignored; tracked examples live in `examples/`.
225
-
- Policy files are YAML-only in v0.1 and unknown rule ids fail closed.
266
+
- Policy files are YAML-only in v0.2 and unknown rule ids fail closed.
226
267
227
268
## Current Status
228
269
229
-
The project now normalizes local CycloneDX JSON, SPDX JSON, `requirements.txt`, and PEP 621 `pyproject.toml` inputsinto the shared component model, diffs them deterministically, and generates stable JSON/Markdown/SARIF reports with golden tests and optional policy enforcement.
270
+
The project now normalizes local CycloneDX JSON, SPDX JSON, `requirements.txt`, and conservative `pyproject.toml` inputs, including explicit PEP 735 dependency-group selection, into the shared component model, diffs them deterministically, and generates stable JSON/Markdown/SARIF reports with tests and optional policy enforcement.
`sbom-diff-and-risk` intentionally supports a conservative parser subset so local runs remain deterministic, auditable, and CI-friendly.
4
+
5
+
The project does not try to emulate a package installer. When syntax would require resolver behavior, implicit includes, index lookups, or environment-specific side effects, the parser fails closed with an explicit error.
6
+
7
+
## requirements.txt
8
+
9
+
`requirements.txt` is treated as a narrow manifest format, not as "everything pip can do in a file".
10
+
11
+
| Syntax | Status | Notes |
12
+
| --- | --- | --- |
13
+
| Plain PEP 508 names and version specifiers | Supported | Example: `requests==2.31.0`|
Copy file name to clipboardExpand all lines: tools/sbom-diff-and-risk/docs/sbom-basics.md
+6-4Lines changed: 6 additions & 4 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -2,7 +2,7 @@
2
2
3
3
This project treats SBOMs as one possible source of dependency inventory data.
4
4
5
-
For v0.1, the tool is intentionally limited to local-file parsing, normalization, diffing, and heuristic reporting.
5
+
For v0.2, the tool is intentionally limited to local-file parsing, normalization, diffing, and conservative heuristic reporting.
6
6
7
7
## Supported local inputs
8
8
@@ -17,18 +17,20 @@ For v0.1, the tool is intentionally limited to local-file parsing, normalization
17
17
18
18
- supported: plain PEP 508 requirement entries
19
19
- supported: comments and blank lines
20
-
- supported: direct URL requirements
21
20
- supported: line continuations
22
-
- not supported: `-r`, `--requirement`, `-c`, `--constraint`, or arbitrary pip install flags
21
+
- not supported: `-r`, `--requirement`, `-c`, `--constraint`, editable installs, direct URL/path refs, or pip index/options
23
22
24
-
`pyproject.toml` support is intentionally conservative in v0.1:
23
+
`pyproject.toml` support is intentionally conservative in v0.2:
25
24
26
25
- supported: PEP 621 `[project.dependencies]`
27
26
- supported: PEP 621 `[project.optional-dependencies]`
27
+
- supported: PEP 735 `[dependency-groups]` with explicit `--pyproject-group` selection
28
28
- not supported: Poetry, Hatch, PDM, or other tool-specific dependency sections
29
29
30
30
These boundaries are deliberate so the tool can stay deterministic and explicit about what it does and does not parse.
31
31
32
+
For the detailed supported/unsupported matrix, see [parser-boundaries.md](D:/OneDrive/Code/scientific-computing-toolkit/tools/sbom-diff-and-risk/docs/parser-boundaries.md).
0 commit comments