Skip to content

Commit 6819995

Browse files
authored
Merge pull request #99 from stacknil/codex/v1rc1-policy-warning-case
Prepare sbom-diff-and-risk v1.0-rc.1 evidence
2 parents 09a251e + 53d9375 commit 6819995

18 files changed

Lines changed: 608 additions & 340 deletions

.github/workflows/sbom-diff-and-risk-ci.yml

Lines changed: 17 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -170,6 +170,7 @@ jobs:
170170
assets=( $(printf '%s\n' "${assets[@]}" | LC_ALL=C sort) )
171171
unset IFS
172172
checksum_manifest="release-assets/${SBOM_DIFF_RISK_CHECKSUM_MANIFEST}"
173+
notes_file="tools/sbom-diff-and-risk/RELEASE_NOTES_${RELEASE_TAG}.md"
173174
174175
if [ "${#assets[@]}" -ne 2 ]; then
175176
echo "Expected exactly one wheel and one source distribution in release-assets/." >&2
@@ -188,6 +189,19 @@ jobs:
188189
assets+=( "${checksum_manifest}" )
189190
190191
title="${RELEASE_TITLE_PREFIX} ${RELEASE_TAG}"
192+
create_args=(--draft --verify-tag --title "${title}")
193+
edit_args=(--draft=false --title "${title}")
194+
notes_args=(--notes "Release assets for ${RELEASE_TAG}. See docs/release-provenance.md for provenance verification guidance.")
195+
196+
if [[ "${RELEASE_TAG}" == *"rc"* ]]; then
197+
create_args+=(--prerelease --latest=false)
198+
edit_args+=(--prerelease)
199+
fi
200+
201+
if [ -f "${notes_file}" ]; then
202+
notes_args=(--notes-file "${notes_file}")
203+
edit_args+=(--notes-file "${notes_file}")
204+
fi
191205
192206
if gh release view "${RELEASE_TAG}" --repo "${GH_REPO}" >/dev/null 2>&1; then
193207
is_draft="$(gh release view "${RELEASE_TAG}" --repo "${GH_REPO}" --json isDraft -q .isDraft)"
@@ -198,11 +212,9 @@ jobs:
198212
else
199213
gh release create "${RELEASE_TAG}" \
200214
--repo "${GH_REPO}" \
201-
--draft \
202-
--verify-tag \
203-
--title "${title}" \
204-
--notes "Release assets for ${RELEASE_TAG}. See docs/release-provenance.md for provenance verification guidance."
215+
"${create_args[@]}" \
216+
"${notes_args[@]}"
205217
fi
206218
207219
gh release upload "${RELEASE_TAG}" "${assets[@]}" --repo "${GH_REPO}"
208-
gh release edit "${RELEASE_TAG}" --repo "${GH_REPO}" --draft=false --title "${title}"
220+
gh release edit "${RELEASE_TAG}" --repo "${GH_REPO}" "${edit_args[@]}"

README.md

Lines changed: 5 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -72,7 +72,7 @@ Project:
7272
[`sbom-diff-and-risk`](tools/sbom-diff-and-risk/README.md)
7373

7474
Status:
75-
Released at `v0.9.0`.
75+
Released at `v1.0-rc.1` as a release candidate.
7676

7777
What to review:
7878
Deterministic SBOM/dependency diffing, JSON/Markdown/SARIF output, local policy
@@ -86,7 +86,7 @@ Useful entry points:
8686
- [Reviewer path](tools/sbom-diff-and-risk/docs/reviewer-path.md)
8787
- [Reviewer brief](tools/sbom-diff-and-risk/docs/reviewer-brief.md)
8888
- [Reviewer evidence pack](tools/sbom-diff-and-risk/docs/reviewer-evidence-pack.md)
89-
- [v0.9.0 release notes][release-notes-v090]
89+
- [v1.0-rc.1 release notes][release-notes-v10rc1]
9090
- [Examples](tools/sbom-diff-and-risk/examples/)
9191

9292
Project:
@@ -212,9 +212,9 @@ the review question:
212212

213213
## Status
214214

215-
- Current flagship release: `sbom-diff-and-risk` `v0.9.0`
216-
- GitHub Release assets: available for `v0.9.0`
215+
- Current flagship release candidate: `sbom-diff-and-risk` `v1.0-rc.1`
216+
- GitHub Release assets: available for `v1.0-rc.1`
217217
- TestPyPI Trusted Publishing dry-run: completed
218218
- Production PyPI publishing: intentionally deferred
219219

220-
[release-notes-v090]: tools/sbom-diff-and-risk/RELEASE_NOTES_v0.9.0.md
220+
[release-notes-v10rc1]: tools/sbom-diff-and-risk/RELEASE_NOTES_v1.0-rc.1.md

scripts/validate-reviewer-routes.py

Lines changed: 26 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -18,6 +18,7 @@
1818
Path("docs/risk-model-boundary.md"),
1919
Path("tools/sbom-diff-and-risk/docs/report-schema.md"),
2020
Path("tools/sbom-diff-and-risk/docs/github-actions-consumer-example.md"),
21+
Path("tools/sbom-diff-and-risk/docs/policy-warning-reviewer-case.md"),
2122
Path("tools/sbom-diff-and-risk/docs/reviewer-path.md"),
2223
Path("projects/precipitation-anomaly-diagnostics/docs/reviewer-path.md"),
2324
Path("projects/precipitation-anomaly-diagnostics-lab/docs/reviewer-path.md"),
@@ -86,10 +87,20 @@
8687
"tools/sbom-diff-and-risk/docs/policy-decision-ci-cookbook.md",
8788
"tools/sbom-diff-and-risk/examples/github-actions-policy-consumer.yml",
8889
},
90+
Path("tools/sbom-diff-and-risk/docs/policy-warning-reviewer-case.md"): {
91+
"docs/risk-model-boundary.md",
92+
"tools/sbom-diff-and-risk/docs/policy-decision-explainability.md",
93+
"tools/sbom-diff-and-risk/examples/cdx_after.json",
94+
"tools/sbom-diff-and-risk/examples/cdx_before.json",
95+
"tools/sbom-diff-and-risk/examples/policy-minimal.yml",
96+
"tools/sbom-diff-and-risk/examples/sample-policy-warn-report.json",
97+
"tools/sbom-diff-and-risk/examples/sample-policy-warn-report.md",
98+
},
8999
Path("tools/sbom-diff-and-risk/docs/reviewer-path.md"): {
90100
".github/workflows/reviewer-route-contract-ci.yml",
91101
"docs/risk-model-boundary.md",
92102
"scripts/validate-reviewer-routes.py",
103+
"tools/sbom-diff-and-risk/docs/policy-warning-reviewer-case.md",
93104
"tools/sbom-diff-and-risk/examples/github-actions-policy-consumer.yml",
94105
"tools/sbom-diff-and-risk/docs/reviewer-brief.md",
95106
"tools/sbom-diff-and-risk/docs/reviewer-evidence-pack.md",
@@ -225,6 +236,21 @@
225236
"not a CVE scanner",
226237
"not a dependency safety oracle",
227238
),
239+
Path("tools/sbom-diff-and-risk/docs/policy-warning-reviewer-case.md"): (
240+
"Policy warning reviewer case",
241+
"how does a dependency diff produce a local policy warning?",
242+
"summary.policy.status",
243+
"warn",
244+
"policy_matched",
245+
"new_package",
246+
"urllib3",
247+
"risk_finding_matched_policy_rule",
248+
"severity_source",
249+
"warn_on",
250+
"not a package safety verdict",
251+
"any CVE result",
252+
"any malware verdict",
253+
),
228254
Path("tools/sbom-diff-and-risk/docs/reviewer-path.md"): (
229255
"Artifact evidence map",
230256
"Reviewer route contract",

tools/sbom-diff-and-risk/README.md

Lines changed: 10 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -1,10 +1,11 @@
11
# sbom-diff-and-risk
22

3-
v0.9.0 is the policy JSON sidecar and consumer integration usability release.
4-
It adds optional `--policy-json PATH` output, checked-in policy sidecar
5-
examples, and copyable GitHub Actions consumer guidance. It keeps dependency
6-
analysis local and deterministic by default, preserves the completed TestPyPI
7-
dry-run story, and keeps production PyPI publishing intentionally deferred.
3+
v1.0-rc.1 is the Policy Evidence release candidate. It fixes the reviewer path
4+
for policy decision examples, evidence-confidence labels, a one-page policy
5+
warning case, and copyable GitHub Actions consumer guidance. It keeps
6+
dependency analysis local and deterministic by default, preserves the completed
7+
TestPyPI dry-run story, and keeps production PyPI publishing intentionally
8+
deferred.
89

910
`sbom-diff-and-risk` is a local, deterministic CLI for comparing two SBOMs or dependency manifests and producing JSON plus Markdown reports.
1011

@@ -29,6 +30,9 @@ explainability fields, see
2930
[docs/policy-decision-explainability.md](docs/policy-decision-explainability.md).
3031
For CI consumption of policy decision fields, see
3132
[docs/policy-decision-ci-cookbook.md](docs/policy-decision-ci-cookbook.md).
33+
For a fixed one-page case showing how a dependency diff triggers a policy
34+
warning, see
35+
[docs/policy-warning-reviewer-case.md](docs/policy-warning-reviewer-case.md).
3236
For CI consumption of summary-only output, see
3337
[docs/summary-json-ci-cookbook.md](docs/summary-json-ci-cookbook.md).
3438
For a consumer-facing GitHub Actions example, see
@@ -319,6 +323,7 @@ The [examples/](examples/) directory includes:
319323
- sample policy-fail reports at [sample-policy-fail-report.json](examples/sample-policy-fail-report.json) and [sample-policy-fail-report.md](examples/sample-policy-fail-report.md)
320324
- a sample policy-only sidecar at [sample-policy.json](examples/sample-policy.json)
321325
- compact policy-decision examples at [examples/policy-decisions](examples/policy-decisions/README.md)
326+
- a one-page policy warning reviewer case at [docs/policy-warning-reviewer-case.md](docs/policy-warning-reviewer-case.md)
322327
- a sample SARIF export at [sample-sarif.sarif](examples/sample-sarif.sarif)
323328
- provenance-aware sample reports at [sample-provenance-report.json](examples/sample-provenance-report.json), [sample-provenance-report.md](examples/sample-provenance-report.md), and [sample-provenance-report.sarif](examples/sample-provenance-report.sarif)
324329
- Scorecard-aware sample reports at [sample-scorecard-report.json](examples/sample-scorecard-report.json), [sample-scorecard-report.md](examples/sample-scorecard-report.md), and [sample-scorecard-report.sarif](examples/sample-scorecard-report.sarif)
Lines changed: 56 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,56 @@
1+
# sbom-diff-and-risk v1.0-rc.1
2+
3+
`v1.0-rc.1` is the Policy Evidence release candidate.
4+
5+
The Python package metadata version for this tag is `1.0rc1`, which is the
6+
PEP 440 form used in the wheel and source distribution filenames.
7+
8+
## Theme
9+
10+
Reviewer-stable policy evidence without expanding the tool's claims.
11+
12+
This release candidate turns the post-`v0.9.0` policy work into a tighter
13+
review surface: fixed policy decision examples, explicit evidence-confidence
14+
labels, a risk-model boundary, and a minimal CI consumer path.
15+
16+
## Highlights
17+
18+
- Added policy decision examples for `pass`, `warn`, `fail`, and
19+
consumer-side `needs-review`.
20+
- Added `summary.evidence_confidence` and top-level `evidence_confidence`
21+
labels for `local_manifest_only`, `sbom_present`, `policy_matched`,
22+
`enrichment_recorded`, and `provenance_recorded`.
23+
- Added a one-page policy warning reviewer case that traces an added
24+
dependency from diff input to local policy warning.
25+
- Strengthened the risk-model boundary with explicit non-claims: not a CVE
26+
scanner, not a malware scanner, and not a package safety verdict engine.
27+
- Added a minimal GitHub Actions consumer workflow that runs the tool, uploads
28+
`policy.json`, and fails or passes from the local policy result.
29+
- Added repository scope and scientific-computing background notes to keep the
30+
repository from widening beyond the flagship SBOM release surface.
31+
32+
## Compatibility and boundaries
33+
34+
- This is a release candidate, not the final `v1.0.0`.
35+
- Production PyPI publishing remains intentionally deferred.
36+
- The GitHub Release assets are the expected distribution surface for this rc.
37+
- Default analysis remains local-file based and deterministic.
38+
- No default network enrichment was added.
39+
- No CVE lookup, advisory resolution, malware scanning, or package safety
40+
verdict was added.
41+
- Policy warnings and failures remain local policy decisions for review.
42+
43+
## Release evidence
44+
45+
The tag-gated GitHub Actions workflow builds the wheel and source distribution,
46+
generates a SHA256 checksum manifest, records workflow artifact attestations,
47+
and publishes the same built files as GitHub Release assets.
48+
49+
Expected assets:
50+
51+
- `sbom_diff_and_risk-1.0rc1-py3-none-any.whl`
52+
- `sbom_diff_and_risk-1.0rc1.tar.gz`
53+
- `sbom-diff-and-risk-SHA256SUMS.txt`
54+
55+
Use `docs/verification.md`, `docs/release-provenance.md`, and
56+
`docs/self-provenance.md` for the correct verification path.

tools/sbom-diff-and-risk/docs/github-actions-consumer-example.md

Lines changed: 3 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -47,15 +47,15 @@ jobs:
4747
GH_TOKEN: ${{ github.token }}
4848
run: |
4949
mkdir -p .tooling/sbom-diff-risk
50-
gh release download v0.9.0 \
50+
gh release download v1.0-rc.1 \
5151
--repo stacknil/scientific-computing-toolkit \
52-
--pattern "sbom_diff_and_risk-0.9.0-py3-none-any.whl" \
52+
--pattern "sbom_diff_and_risk-1.0rc1-py3-none-any.whl" \
5353
--dir .tooling/sbom-diff-risk
5454
5555
- name: Install sbom-diff-risk
5656
run: |
5757
python -m pip install \
58-
.tooling/sbom-diff-risk/sbom_diff_and_risk-0.9.0-py3-none-any.whl
58+
.tooling/sbom-diff-risk/sbom_diff_and_risk-1.0rc1-py3-none-any.whl
5959
6060
- name: Run dependency policy
6161
id: compare
Lines changed: 94 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,94 @@
1+
# Policy warning reviewer case
2+
3+
This one-page case fixes a single reviewer question: how does a dependency diff
4+
produce a local policy warning?
5+
6+
It uses the checked-in CycloneDX example pair and the minimal policy. No
7+
network enrichment, CVE lookup, malware scan, or package safety verdict is
8+
involved.
9+
10+
## Fixed input
11+
12+
Run from `tools/sbom-diff-and-risk`:
13+
14+
```powershell
15+
sbom-diff-risk compare `
16+
--before examples/cdx_before.json `
17+
--after examples/cdx_after.json `
18+
--policy examples/policy-minimal.yml `
19+
--out-json outputs/policy-warn-report.json `
20+
--out-md outputs/policy-warn-report.md
21+
```
22+
23+
Reference inputs and policy:
24+
25+
- [`examples/cdx_before.json`](../examples/cdx_before.json)
26+
- [`examples/cdx_after.json`](../examples/cdx_after.json)
27+
- [`examples/policy-minimal.yml`](../examples/policy-minimal.yml)
28+
29+
The minimal policy is intentionally small:
30+
31+
```yaml
32+
version: 1
33+
block_on:
34+
- unknown_license
35+
warn_on:
36+
- new_package
37+
```
38+
39+
## Fixed output
40+
41+
The checked-in reference outputs are:
42+
43+
- [`examples/sample-policy-warn-report.json`](../examples/sample-policy-warn-report.json)
44+
- [`examples/sample-policy-warn-report.md`](../examples/sample-policy-warn-report.md)
45+
46+
The fixed JSON facts for this case are:
47+
48+
| Field | Value |
49+
| --- | --- |
50+
| `summary.added` | `1` |
51+
| `summary.changed` | `1` |
52+
| `summary.evidence_confidence` | `policy_matched` |
53+
| `summary.policy.status` | `warn` |
54+
| `summary.policy.blocking` | `0` |
55+
| `summary.policy.warning` | `1` |
56+
| `warning_findings[0].policy_rule` | `new_package` |
57+
| `warning_findings[0].component_name` | `urllib3` |
58+
| `warning_findings[0].decision_reason` | `risk_finding_matched_policy_rule` |
59+
| `warning_findings[0].severity_source` | `warn_on` |
60+
| `warning_findings[0].observed_value` | `new_package` |
61+
62+
## Explanation
63+
64+
The after input contains `urllib3` `2.2.1`, which is not present in the before
65+
input. The local risk model classifies that component as `new_package`.
66+
67+
`examples/policy-minimal.yml` maps `new_package` to `warn_on`, so policy
68+
evaluation adds one warning finding for `urllib3`. The tool exits successfully
69+
because the warning does not become a blocking policy violation.
70+
71+
The `requests` version change is still visible in the report, but it is not the
72+
source of this policy warning. It receives `version_change_unclassified` and
73+
`not_evaluated` findings in offline mode, and the minimal policy does not warn
74+
or block on either rule.
75+
76+
## Fixed boundary
77+
78+
This case proves that local policy matching can explain why a dependency diff
79+
triggered a warning.
80+
81+
It does not prove:
82+
83+
- `urllib3` is unsafe
84+
- `requests` is safe
85+
- any CVE result
86+
- any malware verdict
87+
- not a package safety verdict
88+
- current PyPI package truth
89+
- current repository reputation
90+
91+
For field-level policy metadata, see
92+
[policy-decision-explainability.md](policy-decision-explainability.md). For
93+
the risk inputs and non-claims, see
94+
[risk-model-boundary.md](../../../docs/risk-model-boundary.md).

tools/sbom-diff-and-risk/docs/reviewer-brief.md

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -4,7 +4,7 @@
44

55
`sbom-diff-and-risk` is a local CLI for comparing two SBOMs or dependency manifests and producing deterministic review artifacts: JSON, Markdown, and SARIF. It is built for conservative supply-chain review, not for vulnerability scanning or package reputation scoring.
66

7-
Current released version: `v0.9.0`.
7+
Current released version: `v1.0-rc.1` release candidate.
88

99
For the shortest ordered review route, use
1010
[reviewer-path.md](reviewer-path.md).
@@ -32,6 +32,7 @@ Dependency review often needs evidence that is stable enough for code review, CI
3232
| How can a reviewer reproduce the core evidence? | [reviewer-evidence-pack.md](reviewer-evidence-pack.md) for demo, release, TestPyPI, and SARIF verification paths. |
3333
| What is the stable JSON shape? | [report-schema.md](report-schema.md) documents the machine-readable report structure and `summary` contract. |
3434
| How are policy findings explained? | [policy-decision-explainability.md](policy-decision-explainability.md) documents the policy decision metadata in JSON reports. |
35+
| How does one dependency diff trigger a policy warning? | [policy-warning-reviewer-case.md](policy-warning-reviewer-case.md) fixes the input, output, explanation, and boundary for a `new_package` warning. |
3536
| Can CI consume compact policy decisions? | [policy-decision-ci-cookbook.md](policy-decision-ci-cookbook.md), [examples/sample-policy.json](../examples/sample-policy.json), and [examples/github-actions-policy-consumer.yml](../examples/github-actions-policy-consumer.yml) show the policy sidecar path. |
3637
| Are default runs offline? | CLI docs, tests for no-enrichment behavior, and explicit enrichment flags. |
3738
| Can code scanning consume the output? | `docs/github-code-scanning.md` and `examples/sample-sarif.sarif`. |
@@ -64,4 +65,3 @@ Dependency review often needs evidence that is stable enough for code review, CI
6465
## Resume / application wording
6566

6667
Built `sbom-diff-and-risk`, a deterministic SBOM and dependency diff CLI that produces JSON, Markdown, and SARIF review artifacts; supports local policy checks and optional provenance/Scorecard evidence; and documents a release verification story covering GitHub artifact attestations, GitHub Release assets, TestPyPI Trusted Publishing validation, and intentionally deferred production PyPI publishing.
67-

0 commit comments

Comments
 (0)