stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 12 Releases Wiki Activity

docs: add multi-ecosystem sbom fixtures for vuln parity

Browse Source
This commit is contained in:
StellaOps Bot
2025-12-06 10:37:41 +00:00
parent ee317d3f61
commit 6145d89468
9 changed files with 198 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
docs/db/reports/assets/vuln-parity-20251211/hashes.sha256
View File

@@ -1,4 +1,8 @@
# filename sha256 # filename sha256
sbom.json 40479e2d3ce4d10330818ef59d2fd81f16ee63a30a877e6658cb3574e6aee4ac
sample-sbom.json 93fecaca305277738d114ce67df9578f9373560704bfe3b5383706c917cee941 sample-sbom.json 93fecaca305277738d114ce67df9578f9373560704bfe3b5383706c917cee941
sbom-go-sample.json e159cf28523bff0ab768dc7c80fbe5a05faacf1a9f6061e14ae370f6c82b9479
sbom-maven-sample.json 37dc9a4824126ba6647c0d7a3fca42539a965cf9b3df601385e65360bce33ebf
sbom-os-sample.json 04e57f6b6f36533483d0398c8f7891a638b9a1c8903b20d7cb5217ad31bdd0a0
sbom-pypi-sample.json 8b14cc30091559b008c9492658db832b8017a8362f54d3b893091a93269e65ba
sbom-snapshot.json 55f737b45aae67fcab1092c8df3f380566f0810a87c09a56b67fb096626f817e sbom-snapshot.json 55f737b45aae67fcab1092c8df3f380566f0810a87c09a56b67fb096626f817e
sbom.json 40479e2d3ce4d10330818ef59d2fd81f16ee63a30a877e6658cb3574e6aee4ac

19
docs/db/reports/assets/vuln-parity-20251211/sample-sbom.json Normal file
View File

@@ -0,0 +1,19 @@
{
"bomFormat": "CycloneDX",
"specVersion": "1.4",
"version": 1,
"components": [
{
"type": "library",
"name": "demo-lib",
"version": "1.0.0",
"purl": "pkg:npm/demo-lib@1.0.0"
},
{
"type": "library",
"name": "lodash",
"version": "4.17.21",
"purl": "pkg:npm/lodash@4.17.21"
}
]
}

13
docs/db/reports/assets/vuln-parity-20251211/sbom-go-sample.json Normal file
View File

@@ -0,0 +1,13 @@
{
"bomFormat": "CycloneDX",
"specVersion": "1.4",
"version": 1,
"components": [
{
"type": "library",
"name": "github.com/gin-gonic/gin",
"version": "1.9.1",
"purl": "pkg:go/github.com/gin-gonic/gin@v1.9.1"
}
]
}

13
docs/db/reports/assets/vuln-parity-20251211/sbom-maven-sample.json Normal file
View File

@@ -0,0 +1,13 @@
{
"bomFormat": "CycloneDX",
"specVersion": "1.4",
"version": 1,
"components": [
{
"type": "library",
"name": "org.apache.logging.log4j:log4j-core",
"version": "2.17.1",
"purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.17.1"
}
]
}

13
docs/db/reports/assets/vuln-parity-20251211/sbom-os-sample.json Normal file
View File

@@ -0,0 +1,13 @@
{
"bomFormat": "CycloneDX",
"specVersion": "1.4",
"version": 1,
"components": [
{
"type": "library",
"name": "openssl",
"version": "1.1.1-1ubuntu2.1",
"purl": "pkg:deb/ubuntu/openssl@1.1.1-1ubuntu2.1"
}
]
}

13
docs/db/reports/assets/vuln-parity-20251211/sbom-pypi-sample.json Normal file
View File

@@ -0,0 +1,13 @@
{
"bomFormat": "CycloneDX",
"specVersion": "1.4",
"version": 1,
"components": [
{
"type": "library",
"name": "requests",
"version": "2.31.0",
"purl": "pkg:pypi/requests@2.31.0"
}
]
}

110
docs/db/reports/assets/vuln-parity-20251211/sbom-snapshot.json Normal file
View File

@@ -0,0 +1,110 @@
{
"tenant": "tenant-alpha",
"source": "scanner.sbom.v1",
"artifactDigest": "sha256:aaa111",
"sbomDigest": "sha256:sbom111",
"collectedAt": "2025-10-30T12:00:00Z",
"eventOffset": 1182,
"artifact": {
"displayName": "registry.example.com/team/app:1.2.3",
"environment": "prod",
"labels": [
"critical",
"payments"
],
"originRegistry": "registry.example.com",
"supplyChainStage": "deploy"
},
"build": {
"builderId": "builder://tekton/pipeline/default",
"buildType": "https://slsa.dev/provenance/v1",
"attestationDigest": "sha256:attestation001",
"source": "scanner.provenance.v1",
"collectedAt": "2025-10-30T12:00:05Z",
"eventOffset": 2103
},
"components": [
{
"purl": "pkg:nuget/Newtonsoft.Json@13.0.3",
"version": "13.0.3",
"ecosystem": "nuget",
"scope": "runtime",
"license": {
"spdx": "MIT",
"name": "MIT License",
"classification": "permissive",
"noticeUri": "https://opensource.org/licenses/MIT",
"sourceDigest": "sha256:ccc333"
},
"usage": "direct",
"detectedBy": "sbom.analyzer.nuget",
"layerDigest": "sha256:layer123",
"evidenceDigest": "sha256:evidence001",
"collectedAt": "2025-10-30T12:00:01Z",
"eventOffset": 1183,
"source": "scanner.sbom.v1",
"files": [
{
"path": "/src/app/Program.cs",
"contentSha256": "sha256:bbb222",
"languageHint": "csharp",
"sizeBytes": 3472,
"scope": "build",
"detectedBy": "sbom.analyzer.nuget",
"evidenceDigest": "sha256:evidence003",
"collectedAt": "2025-10-30T12:00:02Z",
"eventOffset": 1185,
"source": "scanner.layer.v1"
}
],
"dependencies": [
{
"purl": "pkg:nuget/System.Text.Encoding.Extensions@4.7.0",
"version": "4.7.0",
"relationship": "direct",
"evidenceDigest": "sha256:evidence002",
"collectedAt": "2025-10-30T12:00:01Z",
"eventOffset": 1183
}
]
},
{
"purl": "pkg:nuget/System.Text.Encoding.Extensions@4.7.0",
"version": "4.7.0",
"ecosystem": "nuget",
"scope": "runtime",
"license": {
"spdx": "MIT",
"name": "MIT License",
"classification": "permissive",
"noticeUri": "https://opensource.org/licenses/MIT",
"sourceDigest": "sha256:ccc333"
},
"usage": "transitive",
"detectedBy": "sbom.analyzer.nuget",
"layerDigest": "sha256:layer123",
"evidenceDigest": "sha256:evidence001",
"collectedAt": "2025-10-30T12:00:01Z",
"eventOffset": 1184,
"source": "scanner.sbom.v1",
"files": [],
"dependencies": []
}
],
"baseArtifacts": [
{
"artifactDigest": "sha256:base000",
"sbomDigest": "sha256:sbom-base",
"displayName": "registry.example.com/base/runtime:2025.09",
"environment": "prod",
"labels": [
"base-image"
],
"originRegistry": "registry.example.com",
"supplyChainStage": "build",
"collectedAt": "2025-10-22T08:00:00Z",
"eventOffset": 800,
"source": "scanner.sbom.v1"
}
]
}

8
docs/db/reports/assets/vuln-parity-20251211/sbom.json Normal file
View File

@@ -0,0 +1,8 @@
{
"bomFormat": "CycloneDX",
"specVersion": "1.5",
"version": 1,
"components": [
{"type": "container", "name": "example", "version": "1.0.0"}
]
}

8
docs/db/reports/vuln-parity-sbom-sample-20251209.md
View File

@@ -14,10 +14,10 @@ Use this list for PG-T5b.35b.4 parity runs (Mongo vs Postgres). Keep counts d
| 1 | docs/db/reports/assets/vuln-parity-20251211/sbom.json | npm | ~95 KB | 40479e2d3ce4d10330818ef59d2fd81f16ee63a30a877e6658cb3574e6aee4ac | Deterministic compose sample used in sbom-vex proof (copied locally). | | 1 | docs/db/reports/assets/vuln-parity-20251211/sbom.json | npm | ~95 KB | 40479e2d3ce4d10330818ef59d2fd81f16ee63a30a877e6658cb3574e6aee4ac | Deterministic compose sample used in sbom-vex proof (copied locally). |
| 2 | docs/db/reports/assets/vuln-parity-20251211/sample-sbom.json | npm | small | 93fecaca305277738d114ce67df9578f9373560704bfe3b5383706c917cee941 | Tiny npm sample for quick parity sanity. | | 2 | docs/db/reports/assets/vuln-parity-20251211/sample-sbom.json | npm | small | 93fecaca305277738d114ce67df9578f9373560704bfe3b5383706c917cee941 | Tiny npm sample for quick parity sanity. |
| 3 | docs/db/reports/assets/vuln-parity-20251211/sbom-snapshot.json | mixed | <fill size> | 55f737b45aae67fcab1092c8df3f380566f0810a87c09a56b67fb096626f817e | Graph indexer SBOM snapshot used in tests. | | 3 | docs/db/reports/assets/vuln-parity-20251211/sbom-snapshot.json | mixed | <fill size> | 55f737b45aae67fcab1092c8df3f380566f0810a87c09a56b67fb096626f817e | Graph indexer SBOM snapshot used in tests. |
| 4 | docs/db/reports/assets/vuln-parity-20251211/sbom-go-sample.json | go | <fill> | <fill> | Placeholder to add Go SBOM. | | 4 | docs/db/reports/assets/vuln-parity-20251211/sbom-go-sample.json | go | <fill size> | e159cf28523bff0ab768dc7c80fbe5a05faacf1a9f6061e14ae370f6c82b9479 | Go sample (gin). |
| 5 | docs/db/reports/assets/vuln-parity-20251211/sbom-pypi-sample.json | pypi | <fill> | <fill> | Placeholder to add PyPI SBOM. | | 5 | docs/db/reports/assets/vuln-parity-20251211/sbom-pypi-sample.json | pypi | <fill size> | 8b14cc30091559b008c9492658db832b8017a8362f54d3b893091a93269e65ba | PyPI sample (requests). |
| 6 | docs/db/reports/assets/vuln-parity-20251211/sbom-maven-sample.json | maven | <fill> | <fill> | Placeholder to add Maven/Java SBOM. | | 6 | docs/db/reports/assets/vuln-parity-20251211/sbom-maven-sample.json | maven | <fill size> | 37dc9a4824126ba6647c0d7a3fca42539a965cf9b3df601385e65360bce33ebf | Maven sample (log4j-core). |
| 7 | docs/db/reports/assets/vuln-parity-20251211/sbom-os-sample.json | rpm/deb | <fill> | <fill> | Optional OS package SBOM for coverage. | | 7 | docs/db/reports/assets/vuln-parity-20251211/sbom-os-sample.json | rpm/deb | <fill size> | 04e57f6b6f36533483d0398c8f7891a638b9a1c8903b20d7cb5217ad31bdd0a0 | OS package sample (openssl deb). |
## Determinism guardrails ## Determinism guardrails
- Do not change sample set after hashes recorded. - Do not change sample set after hashes recorded.