Skip to content

Commit d69934d

Browse files
committed
docs(sbom): clarify risk model non-claims
1 parent da7aa1b commit d69934d

3 files changed

Lines changed: 17 additions & 0 deletions

File tree

docs/risk-model-boundary.md

Lines changed: 11 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -8,6 +8,17 @@ conclusions the tool must never infer.
88
The model is a deterministic local heuristic layer. It is not a vulnerability
99
scanner, not a CVE resolver, and not a dependency safety verdict.
1010

11+
## Explicit non-claims
12+
13+
The risk model has three deliberate product boundaries:
14+
15+
- **Not a CVE scanner.** It does not query vulnerability databases, resolve
16+
advisories against affected version ranges, or determine exploitability.
17+
- **Not a malware scanner.** It does not inspect package contents, source code,
18+
signatures, or runtime behavior for malicious payloads.
19+
- **Not a package safety verdict engine.** Risk buckets and policy decisions
20+
identify evidence for review; they do not certify a package as safe or unsafe.
21+
1122
Implementation references:
1223

1324
- [`risk.py`](../tools/sbom-diff-and-risk/src/sbom_diff_risk/risk.py)

scripts/validate-reviewer-routes.py

Lines changed: 3 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -195,6 +195,9 @@
195195
"not a vulnerability scanner",
196196
"not a CVE resolver",
197197
"not a dependency safety verdict",
198+
"Not a CVE scanner",
199+
"Not a malware scanner",
200+
"Not a package safety verdict engine",
198201
"new_package",
199202
"major_upgrade",
200203
"version_change_unclassified",

tools/sbom-diff-and-risk/tests/test_risk_model_boundary_docs.py

Lines changed: 3 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -38,6 +38,9 @@ def test_risk_model_boundary_names_inputs_and_nonclaims() -> None:
3838
"not a vulnerability scanner",
3939
"not a CVE resolver",
4040
"not a dependency safety verdict",
41+
"Not a CVE scanner",
42+
"Not a malware scanner",
43+
"Not a package safety verdict engine",
4144
"hidden network enrichment",
4245
):
4346
assert phrase in text or _normalized_text(phrase) in normalized

0 commit comments

Comments
 (0)