diff --git a/docs/db/reports/assets/vuln-parity-20251211/hashes.sha256 b/docs/db/reports/assets/vuln-parity-20251211/hashes.sha256 index c014c718b..5d6e6a74f 100644 --- a/docs/db/reports/assets/vuln-parity-20251211/hashes.sha256 +++ b/docs/db/reports/assets/vuln-parity-20251211/hashes.sha256 @@ -1 +1,4 @@ -# populate after files are added +# filename sha256 +sbom.json 40479e2d3ce4d10330818ef59d2fd81f16ee63a30a877e6658cb3574e6aee4ac +sample-sbom.json 93fecaca305277738d114ce67df9578f9373560704bfe3b5383706c917cee941 +sbom-snapshot.json 55f737b45aae67fcab1092c8df3f380566f0810a87c09a56b67fb096626f817e diff --git a/docs/db/reports/vuln-parity-sbom-sample-20251209.md b/docs/db/reports/vuln-parity-sbom-sample-20251209.md index 60d899bdf..d2792f396 100644 --- a/docs/db/reports/vuln-parity-sbom-sample-20251209.md +++ b/docs/db/reports/vuln-parity-sbom-sample-20251209.md 
@@ -11,13 +11,13 @@ Use this list for PG-T5b.3–5b.4 parity runs (Mongo vs Postgres). Keep counts d ## SBOM sample set | # | SBOM path | Ecosystem | Size | Hash (SHA256) | Notes | |---|-----------|-----------|------|---------------|-------| -| 1 | docs/scripts/sbom-vex/sbom.json | npm | ~95 KB | | Deterministic compose sample used in sbom-vex proof. | -| 2 | docs/examples/policies/sample-sbom.json | npm | small | | Tiny npm sample for quick parity sanity. | -| 3 | tests/Graph/StellaOps.Graph.Indexer.Tests/Fixtures/v1/sbom-snapshot.json | mixed | | Graph indexer SBOM snapshot used in tests. | -| 4 | docs/db/reports/assets/vuln-parity-20251211/sbom-go-sample.json | go | | To be generated or copied from Go fixture. | -| 5 | docs/db/reports/assets/vuln-parity-20251211/sbom-pypi-sample.json | pypi | | To be generated or copied from Python fixture. | -| 6 | docs/db/reports/assets/vuln-parity-20251211/sbom-maven-sample.json | maven | | To be generated or copied from Maven/Java fixture. | -| 7 | docs/db/reports/assets/vuln-parity-20251211/sbom-os-sample.json | rpm/deb | | Optional OS package SBOM for coverage. | +| 1 | docs/db/reports/assets/vuln-parity-20251211/sbom.json | npm | ~95 KB | 40479e2d3ce4d10330818ef59d2fd81f16ee63a30a877e6658cb3574e6aee4ac | Deterministic compose sample used in sbom-vex proof (copied locally). | +| 2 | docs/db/reports/assets/vuln-parity-20251211/sample-sbom.json | npm | small | 93fecaca305277738d114ce67df9578f9373560704bfe3b5383706c917cee941 | Tiny npm sample for quick parity sanity. | +| 3 | docs/db/reports/assets/vuln-parity-20251211/sbom-snapshot.json | mixed | | 55f737b45aae67fcab1092c8df3f380566f0810a87c09a56b67fb096626f817e | Graph indexer SBOM snapshot used in tests. | +| 4 | docs/db/reports/assets/vuln-parity-20251211/sbom-go-sample.json | go | | | Placeholder to add Go SBOM. | +| 5 | docs/db/reports/assets/vuln-parity-20251211/sbom-pypi-sample.json | pypi | | | Placeholder to add PyPI SBOM. 
| +| 6 | docs/db/reports/assets/vuln-parity-20251211/sbom-maven-sample.json | maven | | | Placeholder to add Maven/Java SBOM. | +| 7 | docs/db/reports/assets/vuln-parity-20251211/sbom-os-sample.json | rpm/deb | | | Optional OS package SBOM for coverage. | ## Determinism guardrails - Do not change sample set after hashes recorded.
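Review bot: In the hashes.sha256 hunk, the three added entries are written as file name first and digest second (the header comment says `# filename sha256`), which is the reverse of the `<digest>  <filename>` layout that `sha256sum -c` reads, so the manifest cannot be checked with the standard tool as committed. Suggest swapping the columns (digest, two spaces, file name relative to the assets directory) so a parity run can verify the samples with `sha256sum -c hashes.sha256`, or stating in the header comment which tool is expected to consume this layout.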
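Review bot: In the "SBOM sample set" table hunk, rows 2 and 3 now point at copies under docs/db/reports/assets/vuln-parity-20251211/ but, unlike row 1 ("copied locally"), their Notes do not say so, and the original paths (docs/examples/policies/sample-sbom.json and the Graph indexer fixture) are dropped from the table; row 3 still reads "used in tests" although the tests use the fixture, not this copy. Suggest keeping the origin path in Notes for rows 1 to 3 so the copy can be compared against its source using the recorded hash. Rows 4 to 7 remain placeholders with an empty hash cell, which conflicts with the guardrail "Do not change sample set after hashes recorded" in the trailing context: either mark the set as not yet frozen or add those files and their hashes before the first parity run.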