Skip to content

Commit d972beb

Browse files
authored
[codex] Release sbom-diff-and-risk v0.5.1
Release-only maintenance patch for sbom-diff-and-risk v0.5.1 to exercise checksum manifest publication on GitHub Release assets. CLI behavior, TestPyPI behavior, and production PyPI status remain unchanged.
1 parent b15769c commit d972beb

7 files changed

Lines changed: 617 additions & 610 deletions

File tree

tools/sbom-diff-and-risk/README.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -1,6 +1,6 @@
11
# sbom-diff-and-risk
22

3-
v0.5.0 is the GitHub Release for the production PyPI decision gate. The TestPyPI dry-run is completed, production PyPI publishing is intentionally deferred, dependency analysis stays local and deterministic by default, and CLI analysis behavior is unchanged.
3+
v0.5.1 is a release-only maintenance update for the GitHub Release checksum manifest path. It keeps CLI analysis behavior unchanged, keeps dependency analysis local and deterministic by default, preserves the completed TestPyPI dry-run story, and keeps production PyPI publishing intentionally deferred.
44

55
`sbom-diff-and-risk` is a local, deterministic CLI for comparing two SBOMs or dependency manifests and producing JSON plus Markdown reports.
66

Lines changed: 7 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,7 @@
1+
## sbom-diff-and-risk v0.5.1
2+
3+
Release-only maintenance update.
4+
5+
- Adds `sbom-diff-and-risk-SHA256SUMS.txt` to GitHub Release assets.
6+
- Keeps CLI behavior unchanged.
7+
- Keeps production PyPI deferred.
Lines changed: 150 additions & 150 deletions
Original file line numberDiff line numberDiff line change
@@ -1,150 +1,150 @@
1-
{
2-
"$schema": "https://json.schemastore.org/sarif-2.1.0.json",
3-
"version": "2.1.0",
4-
"runs": [
5-
{
6-
"tool": {
7-
"driver": {
8-
"name": "sbom-diff-risk",
9-
"fullName": "sbom-diff-risk",
10-
"version": "0.5.0",
11-
"semanticVersion": "0.5.0",
12-
"rules": [
13-
{
14-
"id": "sdr.policy_violation.provenance_required",
15-
"name": "policy_violation.provenance_required",
16-
"shortDescription": {
17-
"text": "Policy violation: provenance_required"
18-
},
19-
"fullDescription": {
20-
"text": "A configured provenance requirement was not satisfied for the component."
21-
},
22-
"defaultConfiguration": {
23-
"level": "error"
24-
},
25-
"properties": {
26-
"tags": [
27-
"supply-chain",
28-
"policy",
29-
"provenance"
30-
]
31-
}
32-
},
33-
{
34-
"id": "sdr.policy_violation.unverified_provenance",
35-
"name": "policy_violation.unverified_provenance",
36-
"shortDescription": {
37-
"text": "Policy violation: unverified_provenance"
38-
},
39-
"fullDescription": {
40-
"text": "PyPI attestations were present, but provenance could not be verified against publisher metadata."
41-
},
42-
"defaultConfiguration": {
43-
"level": "error"
44-
},
45-
"properties": {
46-
"tags": [
47-
"supply-chain",
48-
"policy",
49-
"provenance"
50-
]
51-
}
52-
}
53-
]
54-
}
55-
},
56-
"artifacts": [
57-
{
58-
"location": {
59-
"uri": "examples/requirements_before.txt",
60-
"uriBaseId": "%SRCROOT%"
61-
}
62-
},
63-
{
64-
"location": {
65-
"uri": "examples/requirements_after.txt",
66-
"uriBaseId": "%SRCROOT%"
67-
}
68-
}
69-
],
70-
"properties": {
71-
"sbom_diff_risk": {
72-
"result_limit": 5000,
73-
"total_candidate_results": 2,
74-
"emitted_results": 2,
75-
"omitted_results": 0,
76-
"truncated": false,
77-
"prioritization": "error results first, then warning, then note; direct mapped findings before policy-only checks; stable rule priority and component key tie-breakers.",
78-
"warning": null
79-
}
80-
},
81-
"results": [
82-
{
83-
"ruleId": "sdr.policy_violation.provenance_required",
84-
"level": "error",
85-
"message": {
86-
"text": "mystery-lib: Provenance required for new package; no attestations were published."
87-
},
88-
"locations": [
89-
{
90-
"physicalLocation": {
91-
"artifactLocation": {
92-
"uri": "examples/requirements_after.txt",
93-
"uriBaseId": "%SRCROOT%"
94-
},
95-
"region": {
96-
"startLine": 1
97-
}
98-
}
99-
}
100-
],
101-
"partialFingerprints": {
102-
"ruleId": "sdr.policy_violation.provenance_required",
103-
"componentKey": "purl:pkg:pypi/mystery-lib"
104-
},
105-
"properties": {
106-
"policy_rule_id": "provenance_required",
107-
"component_key": "purl:pkg:pypi/mystery-lib",
108-
"component_name": "mystery-lib",
109-
"result_kind": "policy_violation"
110-
}
111-
},
112-
{
113-
"ruleId": "sdr.policy_violation.unverified_provenance",
114-
"level": "error",
115-
"message": {
116-
"text": "legacy-lib: PyPI attestation publisher could not be verified by policy."
117-
},
118-
"locations": [
119-
{
120-
"physicalLocation": {
121-
"artifactLocation": {
122-
"uri": "examples/requirements_after.txt",
123-
"uriBaseId": "%SRCROOT%"
124-
},
125-
"region": {
126-
"startLine": 1
127-
}
128-
}
129-
}
130-
],
131-
"partialFingerprints": {
132-
"ruleId": "sdr.policy_violation.unverified_provenance",
133-
"componentKey": "purl:pkg:pypi/legacy-lib"
134-
},
135-
"properties": {
136-
"policy_rule_id": "unverified_provenance",
137-
"component_key": "purl:pkg:pypi/legacy-lib",
138-
"component_name": "legacy-lib",
139-
"result_kind": "policy_violation"
140-
}
141-
}
142-
],
143-
"originalUriBaseIds": {
144-
"%SRCROOT%": {
145-
"uri": "file:///__PROJECT_ROOT__/"
146-
}
147-
}
148-
}
149-
]
150-
}
1+
{
2+
"$schema": "https://json.schemastore.org/sarif-2.1.0.json",
3+
"version": "2.1.0",
4+
"runs": [
5+
{
6+
"tool": {
7+
"driver": {
8+
"name": "sbom-diff-risk",
9+
"fullName": "sbom-diff-risk",
10+
"version": "0.5.1",
11+
"semanticVersion": "0.5.1",
12+
"rules": [
13+
{
14+
"id": "sdr.policy_violation.provenance_required",
15+
"name": "policy_violation.provenance_required",
16+
"shortDescription": {
17+
"text": "Policy violation: provenance_required"
18+
},
19+
"fullDescription": {
20+
"text": "A configured provenance requirement was not satisfied for the component."
21+
},
22+
"defaultConfiguration": {
23+
"level": "error"
24+
},
25+
"properties": {
26+
"tags": [
27+
"supply-chain",
28+
"policy",
29+
"provenance"
30+
]
31+
}
32+
},
33+
{
34+
"id": "sdr.policy_violation.unverified_provenance",
35+
"name": "policy_violation.unverified_provenance",
36+
"shortDescription": {
37+
"text": "Policy violation: unverified_provenance"
38+
},
39+
"fullDescription": {
40+
"text": "PyPI attestations were present, but provenance could not be verified against publisher metadata."
41+
},
42+
"defaultConfiguration": {
43+
"level": "error"
44+
},
45+
"properties": {
46+
"tags": [
47+
"supply-chain",
48+
"policy",
49+
"provenance"
50+
]
51+
}
52+
}
53+
]
54+
}
55+
},
56+
"artifacts": [
57+
{
58+
"location": {
59+
"uri": "examples/requirements_before.txt",
60+
"uriBaseId": "%SRCROOT%"
61+
}
62+
},
63+
{
64+
"location": {
65+
"uri": "examples/requirements_after.txt",
66+
"uriBaseId": "%SRCROOT%"
67+
}
68+
}
69+
],
70+
"properties": {
71+
"sbom_diff_risk": {
72+
"result_limit": 5000,
73+
"total_candidate_results": 2,
74+
"emitted_results": 2,
75+
"omitted_results": 0,
76+
"truncated": false,
77+
"prioritization": "error results first, then warning, then note; direct mapped findings before policy-only checks; stable rule priority and component key tie-breakers.",
78+
"warning": null
79+
}
80+
},
81+
"results": [
82+
{
83+
"ruleId": "sdr.policy_violation.provenance_required",
84+
"level": "error",
85+
"message": {
86+
"text": "mystery-lib: Provenance required for new package; no attestations were published."
87+
},
88+
"locations": [
89+
{
90+
"physicalLocation": {
91+
"artifactLocation": {
92+
"uri": "examples/requirements_after.txt",
93+
"uriBaseId": "%SRCROOT%"
94+
},
95+
"region": {
96+
"startLine": 1
97+
}
98+
}
99+
}
100+
],
101+
"partialFingerprints": {
102+
"ruleId": "sdr.policy_violation.provenance_required",
103+
"componentKey": "purl:pkg:pypi/mystery-lib"
104+
},
105+
"properties": {
106+
"policy_rule_id": "provenance_required",
107+
"component_key": "purl:pkg:pypi/mystery-lib",
108+
"component_name": "mystery-lib",
109+
"result_kind": "policy_violation"
110+
}
111+
},
112+
{
113+
"ruleId": "sdr.policy_violation.unverified_provenance",
114+
"level": "error",
115+
"message": {
116+
"text": "legacy-lib: PyPI attestation publisher could not be verified by policy."
117+
},
118+
"locations": [
119+
{
120+
"physicalLocation": {
121+
"artifactLocation": {
122+
"uri": "examples/requirements_after.txt",
123+
"uriBaseId": "%SRCROOT%"
124+
},
125+
"region": {
126+
"startLine": 1
127+
}
128+
}
129+
}
130+
],
131+
"partialFingerprints": {
132+
"ruleId": "sdr.policy_violation.unverified_provenance",
133+
"componentKey": "purl:pkg:pypi/legacy-lib"
134+
},
135+
"properties": {
136+
"policy_rule_id": "unverified_provenance",
137+
"component_key": "purl:pkg:pypi/legacy-lib",
138+
"component_name": "legacy-lib",
139+
"result_kind": "policy_violation"
140+
}
141+
}
142+
],
143+
"originalUriBaseIds": {
144+
"%SRCROOT%": {
145+
"uri": "file:///__PROJECT_ROOT__/"
146+
}
147+
}
148+
}
149+
]
150+
}

0 commit comments

Comments
 (0)