From 3954615e8183a27af95933eb81b859b0eafaa3c6 Mon Sep 17 00:00:00 2001 From: StellaOps Bot Date: Sat, 6 Dec 2025 10:02:24 +0000 Subject: [PATCH] docs: clarify sbom sample placeholders for vuln parity --- docs/db/reports/vuln-parity-sbom-sample-20251209.md | 11 +++++------ 1 file changed, 5 insertions(+), 6 deletions(-) diff --git a/docs/db/reports/vuln-parity-sbom-sample-20251209.md b/docs/db/reports/vuln-parity-sbom-sample-20251209.md index a8d00422f..6cdeeb89d 100644 --- a/docs/db/reports/vuln-parity-sbom-sample-20251209.md +++ b/docs/db/reports/vuln-parity-sbom-sample-20251209.md @@ -11,13 +11,12 @@ Use this list for PG-T5b.3–5b.4 parity runs (Mongo vs Postgres). Keep counts d ## SBOM sample set | # | SBOM path | Ecosystem | Size | Hash (SHA256) | Notes | |---|-----------|-----------|------|---------------|-------| -| 1 | | | | | | -| 2 | | | | | | -| 3 | | | | | | -| 4 | | | | | | -| 5 | | | | | | +| 1 | docs/scripts/sbom-vex/sbom.json | npm | ~95 KB | | Deterministic compose sample used in sbom-vex proof. | +| 2 | | go | | TODO: pick Go SBOM fixture; store under docs/db/reports/assets/vuln-parity-20251211/. | +| 3 | | pypi | | TODO: pick Python SBOM fixture. | +| 4 | | maven | | TODO: pick Java/Maven SBOM fixture. | +| 5 | | rpm/deb | | TODO: pick OS package SBOM fixture (if available). | ## Determinism guardrails - Do not change sample set after hashes recorded. - Store exports under `docs/db/reports/assets/vuln-parity-20251211/` with hash manifest. -
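Review bot: Rows 2 to 5 of the SBOM sample set table carry five cells against the six-column header, so each TODO lands under Hash (SHA256) instead of Notes; add the missing empty cell, for example `| 2 | | go | | | TODO: pick Go SBOM fixture; store under docs/db/reports/assets/vuln-parity-20251211/. |`. Row 1 leaves Hash (SHA256) empty and gives the size as `~95 KB`, while the guardrails in the same file say not to change the sample set after hashes are recorded; record the exact byte size and SHA256 of `docs/scripts/sbom-vex/sbom.json` in this change, or mark the cell as pending so that an empty hash is not read as a recorded one. Row 1 also points outside `docs/db/reports/assets/vuln-parity-20251211/`, the directory the row 2 TODO and the guardrails name for stored artifacts; copying the fixture there and listing it in the hash manifest would keep later edits to the sbom-vex sample from changing the parity input unnoticed.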