Add receipt input JSON and SHA256 hash for CVSS policy scoring tests

- Introduced a new JSON fixture `receipt-input.json` containing base, environmental, and threat metrics for CVSS scoring. - Added corresponding SHA256 hash file `receipt-input.sha256` to ensure integrity of the JSON fixture.
2025-12-04 07:30:42 +02:00
parent 2d079d61ed
commit e1262eb916
91 changed files with 19493 additions and 187 deletions
--- a/bench/reachability-benchmark/tools/package_offline_kit.sh
+++ b/bench/reachability-benchmark/tools/package_offline_kit.sh
@@ -0,0 +1,29 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+ROOT="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)"
+OUTPUT="${1:-${ROOT}/out/reachability-benchmark-kit.tar.gz}"
+SDE="${SOURCE_DATE_EPOCH:-1730000000}"
+
+mkdir -p "$(dirname "${OUTPUT}")"
+cd "${ROOT}"
+
+# Deterministic tarball containing schemas, manifest, truth, cases, tools, and docs.
+tar --sort=name --mtime="@${SDE}" --owner=0 --group=0 --numeric-owner \
+  -czf "${OUTPUT}" \
+  benchmark/manifest.sample.json \
+  benchmark/CHANGELOG.md \
+  benchmark/checklists \
+  benchmark/templates/determinism \
+  benchmark/schemas/benchmark-manifest.schema.json \
+  benchmark/truth \
+  schemas \
+  tools/verify_manifest.py tools/validate.py tools/requirements.txt \
+  cases \
+  baselines \
+  ci \
+  website \
+  docs \
+  README.md LICENSE NOTICE
+
+sha256sum "${OUTPUT}"