diff --git a/docs/db/reports/assets/vuln-parity-20251211/hashes.sha256 b/docs/db/reports/assets/vuln-parity-20251211/hashes.sha256
index 5d6e6a74f..e2afde2cf 100644
--- a/docs/db/reports/assets/vuln-parity-20251211/hashes.sha256
+++ b/docs/db/reports/assets/vuln-parity-20251211/hashes.sha256
@@ -1,4 +1,8 @@
 # filename sha256
-sbom.json 40479e2d3ce4d10330818ef59d2fd81f16ee63a30a877e6658cb3574e6aee4ac
 sample-sbom.json 93fecaca305277738d114ce67df9578f9373560704bfe3b5383706c917cee941
+sbom-go-sample.json e159cf28523bff0ab768dc7c80fbe5a05faacf1a9f6061e14ae370f6c82b9479
+sbom-maven-sample.json 37dc9a4824126ba6647c0d7a3fca42539a965cf9b3df601385e65360bce33ebf
+sbom-os-sample.json 04e57f6b6f36533483d0398c8f7891a638b9a1c8903b20d7cb5217ad31bdd0a0
+sbom-pypi-sample.json 8b14cc30091559b008c9492658db832b8017a8362f54d3b893091a93269e65ba
 sbom-snapshot.json 55f737b45aae67fcab1092c8df3f380566f0810a87c09a56b67fb096626f817e
+sbom.json 40479e2d3ce4d10330818ef59d2fd81f16ee63a30a877e6658cb3574e6aee4ac
diff --git a/docs/db/reports/assets/vuln-parity-20251211/sample-sbom.json b/docs/db/reports/assets/vuln-parity-20251211/sample-sbom.json
new file mode 100644
index 000000000..e675c38b7
--- /dev/null
+++ b/docs/db/reports/assets/vuln-parity-20251211/sample-sbom.json
@@ -0,0 +1,19 @@
+{
+ "bomFormat": "CycloneDX",
+ "specVersion": "1.4",
+ "version": 1,
+ "components": [
+ {
+ "type": "library",
+ "name": "demo-lib",
+ "version": "1.0.0",
+ "purl": "pkg:npm/demo-lib@1.0.0"
+ },
+ {
+ "type": "library",
+ "name": "lodash",
+ "version": "4.17.21",
+ "purl": "pkg:npm/lodash@4.17.21"
+ }
+ ]
+}
diff --git a/docs/db/reports/assets/vuln-parity-20251211/sbom-go-sample.json b/docs/db/reports/assets/vuln-parity-20251211/sbom-go-sample.json
new file mode 100644
index 000000000..1b44ce21f
--- /dev/null
+++ b/docs/db/reports/assets/vuln-parity-20251211/sbom-go-sample.json
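Review bot: The manifest's `filename sha256` column order cannot be checked with `sha256sum -c`, which expects `<hash>  <filename>`, so nothing in this change actually verifies the recorded digests against the committed files. Either flip the columns to the standard order or document the verification command next to the header, e.g. `# verify: grep -v '^#' hashes.sha256 | while read f h; do echo "$h  $f"; done | sha256sum -c`. Note also that the `sbom-snapshot.json` digest is a pre-existing context line while that file is only added in this same commit, so its hash was recorded before the file existed in the tree; regenerating the whole manifest here would make the two consistent. Whether the listed digests match the added files cannot be confirmed from the diff alone.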
@@ -0,0 +1,13 @@
+{
+ "bomFormat": "CycloneDX",
+ "specVersion": "1.4",
+ "version": 1,
+ "components": [
+ {
+ "type": "library",
+ "name": "github.com/gin-gonic/gin",
+ "version": "1.9.1",
+ "purl": "pkg:go/github.com/gin-gonic/gin@v1.9.1"
+ }
+ ]
+}
diff --git a/docs/db/reports/assets/vuln-parity-20251211/sbom-maven-sample.json b/docs/db/reports/assets/vuln-parity-20251211/sbom-maven-sample.json
new file mode 100644
index 000000000..71faf7832
--- /dev/null
+++ b/docs/db/reports/assets/vuln-parity-20251211/sbom-maven-sample.json
@@ -0,0 +1,13 @@
+{
+ "bomFormat": "CycloneDX",
+ "specVersion": "1.4",
+ "version": 1,
+ "components": [
+ {
+ "type": "library",
+ "name": "org.apache.logging.log4j:log4j-core",
+ "version": "2.17.1",
+ "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.17.1"
+ }
+ ]
+}
diff --git a/docs/db/reports/assets/vuln-parity-20251211/sbom-os-sample.json b/docs/db/reports/assets/vuln-parity-20251211/sbom-os-sample.json
new file mode 100644
index 000000000..88cd0e3ae
--- /dev/null
+++ b/docs/db/reports/assets/vuln-parity-20251211/sbom-os-sample.json
@@ -0,0 +1,13 @@
+{
+ "bomFormat": "CycloneDX",
+ "specVersion": "1.4",
+ "version": 1,
+ "components": [
+ {
+ "type": "library",
+ "name": "openssl",
+ "version": "1.1.1-1ubuntu2.1",
+ "purl": "pkg:deb/ubuntu/openssl@1.1.1-1ubuntu2.1"
+ }
+ ]
+}
diff --git a/docs/db/reports/assets/vuln-parity-20251211/sbom-pypi-sample.json b/docs/db/reports/assets/vuln-parity-20251211/sbom-pypi-sample.json
new file mode 100644
index 000000000..4c6a78e32
--- /dev/null
+++ b/docs/db/reports/assets/vuln-parity-20251211/sbom-pypi-sample.json
@@ -0,0 +1,13 @@
+{
+ "bomFormat": "CycloneDX",
+ "specVersion": "1.4",
+ "version": 1,
+ "components": [
+ {
+ "type": "library",
+ "name": "requests",
+ "version": "2.31.0",
+ "purl": "pkg:pypi/requests@2.31.0"
+ }
+ ]
+}
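Review bot: In sbom-go-sample.json the component's `version` is `1.9.1` while its purl pins `@v1.9.1`, so the two fields disagree on the Go `v` prefix, unlike the maven and pypi samples where `version` and the purl version are identical. If the Mongo and Postgres paths derive the match key from different fields (one from `version`, the other from the purl), this fixture would yield a parity difference that is an artifact of the sample rather than of the stores; that may be intended as an edge case, but then the sample table should say so. Otherwise align the two, e.g. `"version": "v1.9.1"`, and re-record the file's hash in hashes.sha256.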
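Review bot: The deb purl `pkg:deb/ubuntu/openssl@1.1.1-1ubuntu2.1` in sbom-os-sample.json carries no `distro` release qualifier, and Ubuntu advisories are issued per release, so a matcher that selects the advisory range by release has nothing to key on in this fixture. If OS matching is in scope for the parity run, consider `"purl": "pkg:deb/ubuntu/openssl@1.1.1-1ubuntu2.1?distro=ubuntu-20.04&arch=amd64"` (the purl-spec deb qualifiers; the exact distro value format depends on the producer) so both stores exercise the release-aware path, or state in the sample table that the release-less form is deliberate. The sample table also labels this row `rpm/deb`, but only a deb component is present, so rpm coverage is not actually provided here.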
diff --git a/docs/db/reports/assets/vuln-parity-20251211/sbom-snapshot.json b/docs/db/reports/assets/vuln-parity-20251211/sbom-snapshot.json
new file mode 100644
index 000000000..b8c0473bb
--- /dev/null
+++ b/docs/db/reports/assets/vuln-parity-20251211/sbom-snapshot.json
@@ -0,0 +1,110 @@
+{
+ "tenant": "tenant-alpha",
+ "source": "scanner.sbom.v1",
+ "artifactDigest": "sha256:aaa111",
+ "sbomDigest": "sha256:sbom111",
+ "collectedAt": "2025-10-30T12:00:00Z",
+ "eventOffset": 1182,
+ "artifact": {
+ "displayName": "registry.example.com/team/app:1.2.3",
+ "environment": "prod",
+ "labels": [
+ "critical",
+ "payments"
+ ],
+ "originRegistry": "registry.example.com",
+ "supplyChainStage": "deploy"
+ },
+ "build": {
+ "builderId": "builder://tekton/pipeline/default",
+ "buildType": "https://slsa.dev/provenance/v1",
+ "attestationDigest": "sha256:attestation001",
+ "source": "scanner.provenance.v1",
+ "collectedAt": "2025-10-30T12:00:05Z",
+ "eventOffset": 2103
+ },
+ "components": [
+ {
+ "purl": "pkg:nuget/Newtonsoft.Json@13.0.3",
+ "version": "13.0.3",
+ "ecosystem": "nuget",
+ "scope": "runtime",
+ "license": {
+ "spdx": "MIT",
+ "name": "MIT License",
+ "classification": "permissive",
+ "noticeUri": "https://opensource.org/licenses/MIT",
+ "sourceDigest": "sha256:ccc333"
+ },
+ "usage": "direct",
+ "detectedBy": "sbom.analyzer.nuget",
+ "layerDigest": "sha256:layer123",
+ "evidenceDigest": "sha256:evidence001",
+ "collectedAt": "2025-10-30T12:00:01Z",
+ "eventOffset": 1183,
+ "source": "scanner.sbom.v1",
+ "files": [
+ {
+ "path": "/src/app/Program.cs",
+ "contentSha256": "sha256:bbb222",
+ "languageHint": "csharp",
+ "sizeBytes": 3472,
+ "scope": "build",
+ "detectedBy": "sbom.analyzer.nuget",
+ "evidenceDigest": "sha256:evidence003",
+ "collectedAt": "2025-10-30T12:00:02Z",
+ "eventOffset": 1185,
+ "source": "scanner.layer.v1"
+ }
+ ],
+ "dependencies": [
+ {
+ "purl": "pkg:nuget/System.Text.Encoding.Extensions@4.7.0",
+ "version": "4.7.0",
+ "relationship": "direct",
+ "evidenceDigest": "sha256:evidence002",
+ "collectedAt": "2025-10-30T12:00:01Z",
+ "eventOffset": 1183
+ }
+ ]
+ },
+ {
+ "purl": "pkg:nuget/System.Text.Encoding.Extensions@4.7.0",
+ "version": "4.7.0",
+ "ecosystem": "nuget",
+ "scope": "runtime",
+ "license": {
+ "spdx": "MIT",
+ "name": "MIT License",
+ "classification": "permissive",
+ "noticeUri": "https://opensource.org/licenses/MIT",
+ "sourceDigest": "sha256:ccc333"
+ },
+ "usage": "transitive",
+ "detectedBy": "sbom.analyzer.nuget",
+ "layerDigest": "sha256:layer123",
+ "evidenceDigest": "sha256:evidence001",
+ "collectedAt": "2025-10-30T12:00:01Z",
+ "eventOffset": 1184,
+ "source": "scanner.sbom.v1",
+ "files": [],
+ "dependencies": []
+ }
+ ],
+ "baseArtifacts": [
+ {
+ "artifactDigest": "sha256:base000",
+ "sbomDigest": "sha256:sbom-base",
+ "displayName": "registry.example.com/base/runtime:2025.09",
+ "environment": "prod",
+ "labels": [
+ "base-image"
+ ],
+ "originRegistry": "registry.example.com",
+ "supplyChainStage": "build",
+ "collectedAt": "2025-10-22T08:00:00Z",
+ "eventOffset": 800,
+ "source": "scanner.sbom.v1"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/docs/db/reports/assets/vuln-parity-20251211/sbom.json b/docs/db/reports/assets/vuln-parity-20251211/sbom.json
new file mode 100644
index 000000000..fb806e062
--- /dev/null
+++ b/docs/db/reports/assets/vuln-parity-20251211/sbom.json
@@ -0,0 +1,8 @@
+{
+ "bomFormat": "CycloneDX",
+ "specVersion": "1.5",
+ "version": 1,
+ "components": [
+ {"type": "container", "name": "example", "version": "1.0.0"}
+ ]
+}
diff --git a/docs/db/reports/vuln-parity-sbom-sample-20251209.md b/docs/db/reports/vuln-parity-sbom-sample-20251209.md
index d2792f396..be6159172 100644
--- a/docs/db/reports/vuln-parity-sbom-sample-20251209.md
+++ b/docs/db/reports/vuln-parity-sbom-sample-20251209.md
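Review bot: sbom-snapshot.json is committed without a trailing newline (the `\ No newline at end of file` marker at the end of the hunk), and the sha256 recorded for it in hashes.sha256 covers exactly those bytes, so any editor or formatter that appends the conventional final newline will silently invalidate the recorded digest and defeat the "do not change sample set after hashes recorded" guardrail. Add the newline now and re-record the hash, or otherwise pin the file so it is not normalised. Separately, every digest in the fixture is a placeholder such as `"artifactDigest": "sha256:aaa111"` rather than a 64-hex-digit value; if either store's ingest validates digest format this snapshot will be rejected, and if neither does, the fixture will not reveal that the validation is missing — worth confirming which outcome is intended before relying on it for parity counts.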
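Review bot: The `sbom.json` added here is an 8-line CycloneDX 1.5 document with a single `container` component and no package purls, yet the sample table in vuln-parity-sbom-sample-20251209.md (next hunk) describes the same path as an `npm` SBOM of `~95 KB` "used in sbom-vex proof (copied locally)", and hashes.sha256 records `40479e2d…` for it. Either the wrong file was copied into the assets directory or the table row is stale; as committed, this sample cannot exercise npm vulnerability matching, so row 1 of the parity run would be comparing zero matches on both sides. Confirm which bytes `40479e2d…` was computed over and correct the other side, keeping the single-line `{"type": "container", …}` entry formatted like the other samples if the file is kept.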
@@ -14,10 +14,10 @@ Use this list for PG-T5b.3–5b.4 parity runs (Mongo vs Postgres). Keep counts d
 | 1 | docs/db/reports/assets/vuln-parity-20251211/sbom.json | npm | ~95 KB | 40479e2d3ce4d10330818ef59d2fd81f16ee63a30a877e6658cb3574e6aee4ac | Deterministic compose sample used in sbom-vex proof (copied locally). |
 | 2 | docs/db/reports/assets/vuln-parity-20251211/sample-sbom.json | npm | small | 93fecaca305277738d114ce67df9578f9373560704bfe3b5383706c917cee941 | Tiny npm sample for quick parity sanity. |
 | 3 | docs/db/reports/assets/vuln-parity-20251211/sbom-snapshot.json | mixed | | 55f737b45aae67fcab1092c8df3f380566f0810a87c09a56b67fb096626f817e | Graph indexer SBOM snapshot used in tests. |
-| 4 | docs/db/reports/assets/vuln-parity-20251211/sbom-go-sample.json | go | | | Placeholder to add Go SBOM. |
-| 5 | docs/db/reports/assets/vuln-parity-20251211/sbom-pypi-sample.json | pypi | | | Placeholder to add PyPI SBOM. |
-| 6 | docs/db/reports/assets/vuln-parity-20251211/sbom-maven-sample.json | maven | | | Placeholder to add Maven/Java SBOM. |
-| 7 | docs/db/reports/assets/vuln-parity-20251211/sbom-os-sample.json | rpm/deb | | | Optional OS package SBOM for coverage. |
+| 4 | docs/db/reports/assets/vuln-parity-20251211/sbom-go-sample.json | go | | e159cf28523bff0ab768dc7c80fbe5a05faacf1a9f6061e14ae370f6c82b9479 | Go sample (gin). |
+| 5 | docs/db/reports/assets/vuln-parity-20251211/sbom-pypi-sample.json | pypi | | 8b14cc30091559b008c9492658db832b8017a8362f54d3b893091a93269e65ba | PyPI sample (requests). |
+| 6 | docs/db/reports/assets/vuln-parity-20251211/sbom-maven-sample.json | maven | | 37dc9a4824126ba6647c0d7a3fca42539a965cf9b3df601385e65360bce33ebf | Maven sample (log4j-core). |
+| 7 | docs/db/reports/assets/vuln-parity-20251211/sbom-os-sample.json | rpm/deb | | 04e57f6b6f36533483d0398c8f7891a638b9a1c8903b20d7cb5217ad31bdd0a0 | OS package sample (openssl deb). |

 ## Determinism guardrails
 - Do not change sample set after hashes recorded.