docs: clarify sbom sample placeholders for vuln parity
This commit is contained in:
StellaOps Bot
@@ -11,13 +11,12 @@ Use this list for PG-T5b.3–5b.4 parity runs (Mongo vs Postgres). Keep counts d
|
|||||||
## SBOM sample set
|
## SBOM sample set
|
||||||
| # | SBOM path | Ecosystem | Size | Hash (SHA256) | Notes |
|
| # | SBOM path | Ecosystem | Size | Hash (SHA256) | Notes |
|
||||||
|---|-----------|-----------|------|---------------|-------|
|
|---|-----------|-----------|------|---------------|-------|
|
||||||
| 1 | <populate> | | | | |
|
| 1 | docs/scripts/sbom-vex/sbom.json | npm | ~95 KB | <fill> | Deterministic compose sample used in sbom-vex proof. |
|
||||||
| 2 | <populate> | | | | |
|
| 2 | <add> | go | <fill> | TODO: pick Go SBOM fixture; store under docs/db/reports/assets/vuln-parity-20251211/. |
|
||||||
| 3 | <populate> | | | | |
|
| 3 | <add> | pypi | <fill> | TODO: pick Python SBOM fixture. |
|
||||||
| 4 | <populate> | | | | |
|
| 4 | <add> | maven | <fill> | TODO: pick Java/Maven SBOM fixture. |
|
||||||
| 5 | <populate> | | | | |
|
| 5 | <add> | rpm/deb | <fill> | TODO: pick OS package SBOM fixture (if available). |
|
||||||
|
|
||||||
## Determinism guardrails
|
## Determinism guardrails
|
||||||
- Do not change sample set after hashes recorded.
|
- Do not change sample set after hashes recorded.
|
||||||
- Store exports under `docs/db/reports/assets/vuln-parity-20251211/` with hash manifest.
|
- Store exports under `docs/db/reports/assets/vuln-parity-20251211/` with hash manifest.
|
||||||
|
|
||||||
|
|||||||
Reference in New Issue
Block a user