# SBOM & Advisory Sample List · Vulnerability Parity · 2025-12-09

Use this list for PG-T5b.3–5b.4 parity runs (Mongo vs Postgres). Keep counts deterministic and freeze inputs once finalized.

## Advisory sample (10k advisories)

- Source selection: e.g., NVD 2025-08 snapshot, OSV 2025-09, vendor feeds.
- Selection method: deterministic (sorted by source + advisory key); document the exact query.
- Export path:
- SHA256 of export:

## SBOM sample set

| # | SBOM path | Ecosystem | Size | Hash (SHA256) | Notes |
|---|-----------|-----------|------|---------------|-------|
| 1 | docs/scripts/sbom-vex/sbom.json | npm | ~95 KB | | Deterministic compose sample used in sbom-vex proof. |
| 2 | | go | | | TODO: pick Go SBOM fixture; store under docs/db/reports/assets/vuln-parity-20251211/. |
| 3 | | pypi | | | TODO: pick Python SBOM fixture. |
| 4 | | maven | | | TODO: pick Java/Maven SBOM fixture. |
| 5 | | rpm/deb | | | TODO: pick OS package SBOM fixture (if available). |

## Determinism guardrails

- Do not change the sample set after hashes are recorded.
- Store exports under `docs/db/reports/assets/vuln-parity-20251211/` with a hash manifest.
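
One way to produce and check the hash manifest called for above, as an added example (not this project's own tooling). The manifest file name `SHA256SUMS` and the sample file names are assumptions, and the demo runs on constructed files in a temporary directory rather than the real export directory.

```python
import hashlib
import tempfile
from pathlib import Path

MANIFEST_NAME = "SHA256SUMS"  # assumed manifest file name, not from the page


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> str:
    """One 'hash  relative/path' line per file, sorted by path so the
    manifest bytes do not depend on filesystem order or locale."""
    rels = sorted(p.relative_to(root).as_posix() for p in root.rglob("*")
                  if p.is_file() and p.name != MANIFEST_NAME)
    return "".join(f"{sha256_file(root / r)}  {r}\n" for r in rels)


def parse(text: str) -> dict:
    return {rel: digest for digest, rel in
            (line.split("  ", 1) for line in text.splitlines())}


def verify_manifest(root: Path) -> dict:
    """Compare the frozen manifest with the current tree and report drift."""
    recorded = parse((root / MANIFEST_NAME).read_text(encoding="utf-8"))
    current = parse(build_manifest(root))
    common = set(recorded) & set(current)
    return {"changed": sorted(r for r in common if recorded[r] != current[r]),
            "missing": sorted(set(recorded) - set(current)),
            "added": sorted(set(current) - set(recorded))}


def demo() -> dict:
    """Freeze a constructed sample set, then modify it and verify."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "sbom-npm.json").write_text('{"components": []}')         # constructed
        (root / "advisories.ndjson").write_text('{"id": "EXAMPLE-1"}\n')  # constructed
        (root / MANIFEST_NAME).write_text(build_manifest(root), encoding="utf-8")
        (root / "sbom-npm.json").write_text('{"components": [1]}')  # content drift
        (root / "sbom-go.json").write_text("{}")                    # added after freeze
        return verify_manifest(root)


if __name__ == "__main__":
    print(demo())
```

A parity run would call `verify_manifest` on the export directory first and stop if any of the three lists is non-empty.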