# Product Advisory Index This index consolidates the November 2025 product advisories, identifying canonical documents and duplicates. ## Canonical Advisories (Active) These are the authoritative advisories to reference for implementation: ### CVSS v4.0 - **Canonical:** `25-Nov-2025 - Add CVSS v4.0 Score Receipts for Transparency.md` - **Sprint:** SPRINT_0190_0001_0001_cvss_v4_receipts.md - **Status:** New sprint created ### SBOM/VEX Pipeline - **Canonical:** `27-Nov-2025 - Deep Architecture Brief - SBOM‑First, VEX‑Ready Spine.md` - **Sprint:** SPRINT_0186_0001_0001_record_deterministic_execution.md (tasks 15a-15f) - **Supersedes:** - `24-Nov-2025 - Bridging OpenVEX and CycloneDX for .NET.md` → archive - `25-Nov-2025 - Revisiting Determinism in SBOM→VEX Pipeline.md` → archive - `26-Nov-2025 - From SBOM to VEX - Building a Transparent Chain.md` → archive ### Rekor/DSSE Batch Sizing - **Canonical:** `26-Nov-2025 - Handling Rekor v2 and DSSE Air‑Gap Limits.md` - **Sprint:** SPRINT_0401_0001_0001_reachability_evidence_chain.md (DSSE tasks) - **Supersedes:** - `27-Nov-2025 - Rekor Envelope Size Heuristic.md` → archive (duplicate) - `27-Nov-2025 - DSSE and Rekor Envelope Size Heuristic.md` → archive (duplicate) - `27-Nov-2025 - Optimizing DSSE Batch Sizes for Reliable Logging.md` → archive (duplicate) ### Graph Revision IDs - **Canonical:** `26-Nov-2025 - Use Graph Revision IDs as Public Trust Anchors.md` - **Sprint:** SPRINT_0401_0001_0001_reachability_evidence_chain.md (existing tasks) - **Supersedes:** - `25-Nov-2025 - Hash‑Stable Graph Revisions Across Systems.md` → archive (earlier version) ### Reachability Benchmark (Public) - **Canonical:** `24-Nov-2025 - Designing a Deterministic Reachability Benchmark.md` - **Sprint:** SPRINT_0513_0001_0001_public_reachability_benchmark.md - **Related:** - `26-Nov-2025 - Opening Up a Reachability Dataset.md` → complementary (dataset focus) ### Unknowns Registry - **Canonical:** `27-Nov-2025 - Managing Ambiguity Through an Unknowns Registry.md` - **Sprint:** SPRINT_0140_0001_0001_runtime_signals.md (existing implementation) - **Extends:** `archived/18-Nov-2025 - Unknowns-Registry.md` - **Status:** Already implemented in Signals module; advisory validates design ### Explainability - **Canonical (Graphs):** `27-Nov-2025 - Making Graphs Understandable to Humans.md` - **Canonical (Verdicts):** `27-Nov-2025 - Explainability Layer for Vulnerability Verdicts.md` - **Sprint:** SPRINT_0401_0001_0001_reachability_evidence_chain.md (UI-CLI tasks) - **Status:** Complementary advisories - graphs cover edge reasons, verdicts cover audit trails ### VEX Proofs - **Canonical:** `25-Nov-2025 - Define Safe VEX 'Not Affected' Claims with Proofs.md` - **Sprint:** SPRINT_0401_0001_0001_reachability_evidence_chain.md (POLICY-VEX tasks) ### Binary Reachability - **Canonical:** `27-Nov-2025 - Verifying Binary Reachability via DSSE Envelopes.md` - **Sprint:** SPRINT_0401_0001_0001_reachability_evidence_chain.md (GRAPH-HYBRID tasks) ### Scanner Roadmap - **Canonical:** `27-Nov-2025 - Blueprint for a 2026‑Ready Scanner.md` - **Sprint:** Multiple sprints (0186, 0401, 0512) - **Status:** High-level roadmap document ## Files to Archive The following files should be moved to `archived/` as they are superseded: ``` # Duplicates/superseded 24-Nov-2025 - Bridging OpenVEX and CycloneDX for .NET.md 25-Nov-2025 - Revisiting Determinism in SBOM→VEX Pipeline.md 25-Nov-2025 - Hash‑Stable Graph Revisions Across Systems.md 26-Nov-2025 - From SBOM to VEX - Building a Transparent Chain.md 27-Nov-2025 - Rekor Envelope Size Heuristic.md 27-Nov-2025 - DSSE and Rekor Envelope Size Heuristic.md 27-Nov-2025 - Optimizing DSSE Batch Sizes for Reliable Logging.md # Junk/malformed files 24-Nov-2025 - 1 copy 2.md 24-Nov-2025 - Designing a Deterministic Reachability Benchmarkmd (missing dot) 25-Nov-2025 - Half‑Life Confidence Decay for Unknownsmd (missing dot) ``` ## Sprint Cross-Reference | Advisory Topic | Sprint ID | Status | |---------------|-----------|--------| | CVSS v4.0 | SPRINT_0190_0001_0001 | NEW | | SPDX 3.0.1 / SBOM | SPRINT_0186_0001_0001 | AUGMENTED | | Reachability Benchmark | SPRINT_0513_0001_0001 | NEW | | Reachability Evidence | SPRINT_0401_0001_0001 | EXISTING | | Unknowns Registry | SPRINT_0140_0001_0001 | EXISTING (implemented) | | Graph Revision IDs | SPRINT_0401_0001_0001 | EXISTING | | DSSE/Rekor Batching | SPRINT_0401_0001_0001 | EXISTING | ## Implementation Priority Based on gap analysis: 1. **P0 - CVSS v4.0** (Sprint 0190) - Industry moving to v4.0, genuine gap 2. **P1 - SPDX 3.0.1** (Sprint 0186 tasks 15a-15f) - Standards compliance 3. **P1 - Public Benchmark** (Sprint 0513) - Differentiation/marketing value 4. **P2 - Explainability** (Sprint 0401) - UX enhancement, existing tasks 5. **P3 - Already Implemented** - Unknowns, Graph IDs, DSSE batching ## Implementer Quick Reference For each topic, the implementer should read: 1. **Sprint file** - Contains task definitions, dependencies, working directories 2. **Documentation Prerequisites** - Listed in each sprint file 3. **Canonical advisory** - Full product context and rationale 4. **Module AGENTS.md** - If exists, contains module-specific coding guidance ### Key Module Docs to Read Before Implementation | Module | Architecture Doc | AGENTS.md | |--------|-----------------|-----------| | Policy | `docs/modules/policy/architecture.md` | `src/Policy/*/AGENTS.md` | | Scanner | `docs/modules/scanner/architecture.md` | `src/Scanner/*/AGENTS.md` | | Sbomer | `docs/modules/sbomer/architecture.md` | `src/Sbomer/*/AGENTS.md` | | Signals | `docs/modules/signals/architecture.md` | `src/Signals/*/AGENTS.md` | | Attestor | `docs/modules/attestor/architecture.md` | `src/Attestor/*/AGENTS.md` | --- *Index created: 2025-11-27* *Last updated: 2025-11-27*