audit, advisories and doctors/setup work

2026-01-13 18:53:39 +02:00
parent 9ca7cb183e
commit d7be6ba34b
811 changed files with 54242 additions and 4056 deletions
--- a/docs/examples/binary-diff/basic-comparison.md
+++ b/docs/examples/binary-diff/basic-comparison.md
@@ -30,15 +30,17 @@ Output:
 ```
 Binary Diff: docker://registry.example.com/myapp:1.0.0 -> docker://registry.example.com/myapp:1.0.1
 Platform: linux/amd64
-Analysis Mode: ELF Section Hashes
+Analysis Mode: ELF section hashes

-PATH                              CHANGE      VERDICT    CONFIDENCE
--------------------------------------------------------------------------------
-/usr/lib/libssl.so.3              modified    patched    0.95
-/usr/lib/libcrypto.so.3           modified    patched    0.92
-/app/bin/myapp                    modified    vanilla    0.98
+PATH                              CHANGE    VERDICT   CONFIDENCE  SECTIONS CHANGED
+-----------------------------------------------------------------------------------
+/app/bin/myapp                    modified  unknown   0.65        .rodata, .text
+/usr/lib/libcrypto.so.3           modified  unknown   0.70        .text
+/usr/lib/libssl.so.3              modified  unknown   0.75        .rodata, .text

 Summary: 156 binaries analyzed, 3 modified, 153 unchanged
+         Added: 0, Removed: 0
+         Verdicts: unknown: 3, vanilla: 153
 ```

 ### JSON Output
@@ -65,12 +67,13 @@ Output:
 ```
 Binary Diff Summary
 -------------------
-Base:     docker://registry.example.com/myapp:1.0.0 (sha256:abc123...)
-Target:   docker://registry.example.com/myapp:1.0.1 (sha256:def456...)
+Base:     docker://registry.example.com/myapp:1.0.0
+Target:   docker://registry.example.com/myapp:1.0.1
 Platform: linux/amd64

 Binaries: 156 total, 3 modified, 153 unchanged
-Verdicts: 2 patched, 1 vanilla
+Added: 0, Removed: 0
+Verdicts: unknown: 3, vanilla: 153
 ```

 ## Using Digest References
@@ -132,9 +135,8 @@ Output includes:

 | Verdict | Meaning | Action |
 |---------|---------|--------|
-| `patched` | High confidence that a security patch was applied | Review changelog, consider safe to upgrade |
-| `vanilla` | Standard code change, no backport evidence | Normal release update |
-| `unknown` | Cannot determine patch status | Manual review recommended |
+| `vanilla` | Unchanged binary | No action required |
+| `unknown` | Diff detected but classifier is not yet applied | Manual review recommended |

 ## Next Steps