Skip to content

Commit 61af62b

Browse files
authored
Merge pull request #101 from stacknil/codex/sbr-v1-final-candidate
feat(sbom): prepare v1 final release surface
2 parents cbd5319 + 3339700 commit 61af62b

35 files changed

Lines changed: 472 additions & 82 deletions

.github/workflows/sbom-diff-and-risk-ci.yml

Lines changed: 3 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -196,6 +196,9 @@ jobs:
196196
if [[ "${RELEASE_TAG}" == *"rc"* ]]; then
197197
create_args+=(--prerelease --latest=false)
198198
edit_args+=(--prerelease)
199+
else
200+
create_args+=(--latest)
201+
edit_args+=(--latest)
199202
fi
200203
201204
if [ -f "${notes_file}" ]; then

README.md

Lines changed: 18 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -1,8 +1,8 @@
11
# scientific-computing-toolkit
22

3-
This repository is a portfolio space for scientific-computing infrastructure,
4-
systems tooling, and supply-chain-security experiments that favor deterministic
5-
behavior, auditable outputs, and clear release evidence.
3+
This repository centers on a release-facing supply-chain review tool that
4+
favors deterministic behavior, auditable outputs, and clear release evidence.
5+
The scientific diagnostics projects remain bounded supporting material.
66

77
## Current Flagship Tool
88

@@ -11,6 +11,14 @@ current flagship tool. It compares SBOMs and dependency manifests, produces
1111
JSON, Markdown, and SARIF review artifacts, supports local policy checks, and
1212
can optionally record PyPI provenance and OpenSSF Scorecard evidence.
1313

14+
### Supply-chain non-claims
15+
16+
- not a CVE scanner
17+
- not a malware scanner
18+
- not a package safety verdict engine
19+
20+
These boundaries apply to the CLI, its reports, and its policy decisions.
21+
1422
For the clearest reviewer route, start with the
1523
[`sbom-diff-and-risk` reviewer path](tools/sbom-diff-and-risk/docs/reviewer-path.md);
1624
it separates orientation, artifact inspection, local reproduction, and release
@@ -72,7 +80,8 @@ Project:
7280
[`sbom-diff-and-risk`](tools/sbom-diff-and-risk/README.md)
7381

7482
Status:
75-
Released at `v1.0-rc.1` as a release candidate.
83+
Main is the `v1.0.0` final candidate. The currently published release remains
84+
`v1.0-rc.1` until the final tag is explicitly approved and created.
7685

7786
What to review:
7887
Deterministic SBOM/dependency diffing, JSON/Markdown/SARIF output, local policy
@@ -86,6 +95,7 @@ Useful entry points:
8695
- [Reviewer path](tools/sbom-diff-and-risk/docs/reviewer-path.md)
8796
- [Reviewer brief](tools/sbom-diff-and-risk/docs/reviewer-brief.md)
8897
- [Reviewer evidence pack](tools/sbom-diff-and-risk/docs/reviewer-evidence-pack.md)
98+
- [v1.0.0 release notes draft][release-notes-v100]
8999
- [v1.0-rc.1 release notes][release-notes-v10rc1]
90100
- [Examples](tools/sbom-diff-and-risk/examples/)
91101

@@ -212,10 +222,13 @@ the review question:
212222

213223
## Status
214224

215-
- Current flagship release candidate: `sbom-diff-and-risk` `v1.0-rc.1`
225+
- Current published flagship release candidate: `sbom-diff-and-risk` `v1.0-rc.1`
216226
- GitHub Release assets: available for `v1.0-rc.1`
217227
- GitHub Latest may still show `v0.9.0` because `v1.0-rc.1` is a release candidate.
228+
- Next release policy: GitHub `v1.0.0` final, with production PyPI still deferred
229+
- Main package metadata: `1.0.0` final candidate
218230
- TestPyPI Trusted Publishing dry-run: completed
219231
- Production PyPI publishing: intentionally deferred
220232

233+
[release-notes-v100]: tools/sbom-diff-and-risk/RELEASE_NOTES_v1.0.0.md
221234
[release-notes-v10rc1]: tools/sbom-diff-and-risk/RELEASE_NOTES_v1.0-rc.1.md

scripts/validate-reviewer-routes.py

Lines changed: 20 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -19,6 +19,7 @@
1919
Path("tools/sbom-diff-and-risk/docs/report-schema.md"),
2020
Path("tools/sbom-diff-and-risk/docs/github-actions-consumer-example.md"),
2121
Path("tools/sbom-diff-and-risk/docs/policy-warning-reviewer-case.md"),
22+
Path("tools/sbom-diff-and-risk/docs/release-provenance.md"),
2223
Path("tools/sbom-diff-and-risk/docs/reviewer-path.md"),
2324
Path("projects/precipitation-anomaly-diagnostics/docs/reviewer-path.md"),
2425
Path("projects/precipitation-anomaly-diagnostics-lab/docs/reviewer-path.md"),
@@ -95,6 +96,11 @@
9596
"tools/sbom-diff-and-risk/examples/policy-minimal.yml",
9697
"tools/sbom-diff-and-risk/examples/sample-policy-warn-report.json",
9798
"tools/sbom-diff-and-risk/examples/sample-policy-warn-report.md",
99+
"tools/sbom-diff-and-risk/examples/sample-policy-warn-report.sarif",
100+
},
101+
Path("tools/sbom-diff-and-risk/docs/release-provenance.md"): {
102+
"tools/sbom-diff-and-risk/docs/pypi-production-publishing-decision.md",
103+
"tools/sbom-diff-and-risk/docs/verification.md",
98104
},
99105
Path("tools/sbom-diff-and-risk/docs/reviewer-path.md"): {
100106
".github/workflows/reviewer-route-contract-ci.yml",
@@ -109,6 +115,7 @@
109115
"tools/sbom-diff-and-risk/examples/sample-report.json",
110116
"tools/sbom-diff-and-risk/examples/sample-summary.json",
111117
"tools/sbom-diff-and-risk/examples/sample-policy.json",
118+
"tools/sbom-diff-and-risk/examples/sample-policy-warn-report.sarif",
112119
"tools/sbom-diff-and-risk/examples/sample-sarif.sarif",
113120
},
114121
Path("projects/precipitation-anomaly-diagnostics/docs/reviewer-path.md"): {
@@ -164,6 +171,9 @@
164171
REQUIRED_TEXT = {
165172
Path("README.md"): (
166173
"current flagship tool",
174+
"not a CVE scanner",
175+
"not a malware scanner",
176+
"not a package safety verdict engine",
167177
"not part of the `sbom-diff-and-risk` release surface",
168178
"why the scientific-computing background helps",
169179
"GitHub Latest may still show `v0.9.0` because `v1.0-rc.1` is a release candidate.",
@@ -223,8 +233,8 @@
223233
"local_manifest_only",
224234
"sbom_present",
225235
"policy_matched",
226-
"enrichment_recorded",
227236
"provenance_recorded",
237+
"scorecard_recorded",
228238
"not a package safety verdict",
229239
"not a CVE result",
230240
),
@@ -248,10 +258,19 @@
248258
"risk_finding_matched_policy_rule",
249259
"severity_source",
250260
"warn_on",
261+
"sample-policy-warn-report.sarif",
262+
"sdr.new_package",
263+
"policy_level",
251264
"not a package safety verdict",
252265
"any CVE result",
253266
"any malware verdict",
254267
),
268+
Path("tools/sbom-diff-and-risk/docs/release-provenance.md"): (
269+
"publish `v1.0.0` as the stable GitHub Release contract",
270+
"production PyPI publishing deferred",
271+
"marks a final tag such as `v1.0.0` as GitHub Latest",
272+
"workflow artifact attestation",
273+
),
255274
Path("tools/sbom-diff-and-risk/docs/reviewer-path.md"): (
256275
"Artifact evidence map",
257276
"Reviewer route contract",

tools/sbom-diff-and-risk/README.md

Lines changed: 10 additions & 6 deletions
Original file line numberDiff line numberDiff line change
@@ -1,16 +1,20 @@
11
# sbom-diff-and-risk
22

3-
v1.0-rc.1 is the Policy Evidence release candidate. It fixes the reviewer path
4-
for policy decision examples, evidence-confidence labels, a one-page policy
5-
warning case, and copyable GitHub Actions consumer guidance. It keeps
6-
dependency analysis local and deterministic by default, preserves the completed
7-
TestPyPI dry-run story, and keeps production PyPI publishing intentionally
8-
deferred.
3+
Main is the `v1.0.0` Policy Evidence final candidate. The currently published
4+
release remains `v1.0-rc.1` until the final tag is explicitly approved and
5+
created. The selected release policy is a stable GitHub `v1.0.0` release while
6+
production PyPI publishing remains intentionally deferred.
97

108
`sbom-diff-and-risk` is a local, deterministic CLI for comparing two SBOMs or dependency manifests and producing JSON plus Markdown reports.
119

1210
It uses conservative heuristics for change intelligence. By default it does not resolve CVEs, does not act as a reputation oracle, and does not perform hidden network enrichment.
1311

12+
## Supply-chain non-claims
13+
14+
- not a CVE scanner
15+
- not a malware scanner
16+
- not a package safety verdict engine
17+
1418
## Start Here
1519

1620
For the clearest reviewer route, start with
Lines changed: 58 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,58 @@
1+
# sbom-diff-and-risk v1.0.0
2+
3+
`v1.0.0` is the Policy Evidence release.
4+
5+
The Python package metadata version for this tag is `1.0.0`.
6+
7+
## Theme
8+
9+
A stable, bounded release surface for dependency diff and local policy evidence.
10+
11+
## Highlights
12+
13+
- Provides minimal policy decision examples for `pass`, `warn`, `fail`, and
14+
consumer-side `needs-review`.
15+
- Stabilizes `evidence_confidence` as `local_manifest_only`, `sbom_present`,
16+
`policy_matched`, `provenance_recorded`, or `scorecard_recorded`.
17+
- Fixes one reviewer case from dependency diff to `new_package` policy warning
18+
across JSON, Markdown, and SARIF artifacts.
19+
- Records policy match metadata in direct SARIF risk results, including the
20+
local policy level and rule ID.
21+
- Keeps the three supply-chain non-claims visible: not a CVE scanner, not a
22+
malware scanner, and not a package safety verdict engine.
23+
- Keeps the minimal GitHub Actions consumer path for running policy, uploading
24+
`policy.json`, and enforcing the tool's exit code.
25+
26+
## Release policy
27+
28+
- `v1.0.0` is the stable GitHub Release contract.
29+
- GitHub Release assets are the distribution surface for this release.
30+
- Production PyPI publishing remains intentionally deferred.
31+
- The TestPyPI Trusted Publishing dry-run remains evidence of the test
32+
publishing path only.
33+
34+
## Compatibility and boundaries
35+
36+
- Default analysis remains local-file based and deterministic.
37+
- No default network enrichment was added.
38+
- No CVE lookup, advisory resolution, malware scanning, or package safety
39+
verdict was added.
40+
- Policy warnings and failures remain bounded local policy decisions.
41+
- `enrichment_recorded` was an rc label and is replaced by the more specific
42+
`scorecard_recorded` label in the final contract.
43+
44+
## Release evidence
45+
46+
The tag-gated GitHub Actions workflow builds the wheel and source distribution,
47+
generates a SHA256 checksum manifest, records workflow artifact attestations,
48+
and publishes the same built files as GitHub Release assets. Final tags are
49+
explicitly marked as GitHub Latest; rc tags remain prereleases.
50+
51+
Expected assets:
52+
53+
- `sbom_diff_and_risk-1.0.0-py3-none-any.whl`
54+
- `sbom_diff_and_risk-1.0.0.tar.gz`
55+
- `sbom-diff-and-risk-SHA256SUMS.txt`
56+
57+
Use `docs/verification.md`, `docs/release-provenance.md`, and
58+
`docs/self-provenance.md` for the correct verification path.

tools/sbom-diff-and-risk/docs/example-artifact-regeneration.md

Lines changed: 2 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -69,7 +69,8 @@ python scripts/regenerate-example-artifacts.py --check --only requirements
6969
## Boundaries
7070

7171
The regeneration script covers no-network JSON, Markdown, summary, policy
72-
sidecar, and strict-policy SARIF examples produced through the public CLI.
72+
sidecar, policy-warning SARIF, and strict-policy SARIF examples produced
73+
through the public CLI.
7374

7475
It does not perform PyPI or Scorecard enrichment, does not call external
7576
services, and does not make dependency safety claims. Provenance-aware,

tools/sbom-diff-and-risk/docs/github-actions-consumer-example.md

Lines changed: 7 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -12,6 +12,10 @@ Production PyPI publishing is intentionally deferred, so consumers should not
1212
install `sbom-diff-and-risk` from production PyPI. Use a GitHub Release asset or
1313
a local checkout instead.
1414

15+
The checked-in workflow pins the selected stable contract, `v1.0.0`. Before
16+
that final release is published, use the currently available `v1.0-rc.1`
17+
release asset instead.
18+
1519
## Minimal policy workflow
1620

1721
Replace the placeholder input and policy paths with files from the consumer
@@ -47,15 +51,15 @@ jobs:
4751
GH_TOKEN: ${{ github.token }}
4852
run: |
4953
mkdir -p .tooling/sbom-diff-risk
50-
gh release download v1.0-rc.1 \
54+
gh release download v1.0.0 \
5155
--repo stacknil/scientific-computing-toolkit \
52-
--pattern "sbom_diff_and_risk-1.0rc1-py3-none-any.whl" \
56+
--pattern "sbom_diff_and_risk-1.0.0-py3-none-any.whl" \
5357
--dir .tooling/sbom-diff-risk
5458
5559
- name: Install sbom-diff-risk
5660
run: |
5761
python -m pip install \
58-
.tooling/sbom-diff-risk/sbom_diff_and_risk-1.0rc1-py3-none-any.whl
62+
.tooling/sbom-diff-risk/sbom_diff_and_risk-1.0.0-py3-none-any.whl
5963
6064
- name: Run dependency policy
6165
id: compare

tools/sbom-diff-and-risk/docs/policy-warning-reviewer-case.md

Lines changed: 17 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -17,7 +17,8 @@ sbom-diff-risk compare `
1717
--after examples/cdx_after.json `
1818
--policy examples/policy-minimal.yml `
1919
--out-json outputs/policy-warn-report.json `
20-
--out-md outputs/policy-warn-report.md
20+
--out-md outputs/policy-warn-report.md `
21+
--out-sarif outputs/policy-warn-report.sarif
2122
```
2223

2324
Reference inputs and policy:
@@ -42,6 +43,7 @@ The checked-in reference outputs are:
4243
4344
- [`examples/sample-policy-warn-report.json`](../examples/sample-policy-warn-report.json)
4445
- [`examples/sample-policy-warn-report.md`](../examples/sample-policy-warn-report.md)
46+
- [`examples/sample-policy-warn-report.sarif`](../examples/sample-policy-warn-report.sarif)
4547

4648
The fixed JSON facts for this case are:
4749

@@ -59,6 +61,16 @@ The fixed JSON facts for this case are:
5961
| `warning_findings[0].severity_source` | `warn_on` |
6062
| `warning_findings[0].observed_value` | `new_package` |
6163

64+
The fixed SARIF facts for the same decision are:
65+
66+
| Field | Value |
67+
| --- | --- |
68+
| `runs[0].results[0].ruleId` | `sdr.new_package` |
69+
| `runs[0].results[0].level` | `warning` |
70+
| `runs[0].results[0].properties.component_name` | `urllib3` |
71+
| `runs[0].results[0].properties.policy_matched` | `true` |
72+
| `runs[0].results[0].properties.policy_level` | `warn` |
73+
6274
## Explanation
6375

6476
The after input contains `urllib3` `2.2.1`, which is not present in the before
@@ -73,10 +85,12 @@ source of this policy warning. It receives `version_change_unclassified` and
7385
`not_evaluated` findings in offline mode, and the minimal policy does not warn
7486
or block on either rule.
7587

76-
## Fixed boundary
88+
## Bounded decision
7789

7890
This case proves that local policy matching can explain why a dependency diff
79-
triggered a warning.
91+
triggered a warning and can preserve that decision in Markdown and SARIF. The
92+
bounded decision is: review the added dependency under local policy; do not
93+
convert the warning into a security verdict.
8094

8195
It does not prove:
8296

tools/sbom-diff-and-risk/docs/release-provenance.md

Lines changed: 14 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -9,6 +9,20 @@ This document is about the second surface: verifying a GitHub Release and a down
99

1010
This page is only about the `sbom-diff-and-risk` tool's own GitHub Releases. If you want the quick "which verification page do I need?" guide, start with [verification.md](verification.md).
1111

12+
## v1.0 release policy
13+
14+
Chosen policy: publish `v1.0.0` as the stable GitHub Release contract while
15+
keeping production PyPI publishing deferred.
16+
17+
For `v1.0.0`, stability applies to the CLI, report schemas, policy decision
18+
examples, evidence-confidence labels, reviewer case, and GitHub Release asset
19+
verification path. It does not claim production PyPI availability. Until the
20+
final tag is explicitly approved and created, `v1.0-rc.1` remains the current
21+
published release candidate.
22+
23+
The tag workflow marks rc tags as prereleases and not Latest. It explicitly
24+
marks a final tag such as `v1.0.0` as GitHub Latest.
25+
1226
Release assets produced by the updated workflow also include a deterministic SHA256 checksum manifest named `sbom-diff-and-risk-SHA256SUMS.txt`. The manifest is written with filenames sorted in a stable order. It is not a separate provenance system; it is a local byte-integrity check that helps reviewers confirm downloaded wheel and source distribution files match the hashes published with the same GitHub Release.
1327

1428
## What the release workflow now does

tools/sbom-diff-and-risk/docs/report-schema.md

Lines changed: 6 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -130,8 +130,13 @@ not a CVE result. The same value appears at top level, in `summary`, and in
130130
| `local_manifest_only` | The report was produced from local manifest-style inputs without SBOM input, policy matches, or enrichment evidence. |
131131
| `sbom_present` | At least one input is an SBOM format such as CycloneDX JSON or SPDX JSON. |
132132
| `policy_matched` | Local policy evaluation produced at least one blocking, warning, or suppressed policy match. |
133-
| `enrichment_recorded` | Optional non-provenance enrichment evidence, such as OpenSSF Scorecard evidence, was recorded for the report. |
134133
| `provenance_recorded` | PyPI provenance evidence or provenance-enrichment metadata was recorded for the report. |
134+
| `scorecard_recorded` | OpenSSF Scorecard evidence or Scorecard-enrichment metadata was recorded for the report. |
135+
136+
When both provenance and Scorecard evidence are recorded, the single summary
137+
label is deterministically `scorecard_recorded`. This precedence keeps the
138+
field stable; it does not rank package safety or claim that one evidence source
139+
is universally stronger than another.
135140

136141
`summary.policy` appears only when a policy is applied. Absence of
137142
`summary.policy` means policy was not used, not that policy evaluation failed.

0 commit comments

Comments
 (0)