# Vulnerability Parity Report · 2025-12-11

## Scope
- Dual-import parity between MongoDB and PostgreSQL for Concelier vulnerability index (Sprint 3405 · PG-T5b.3–5b.6).
- Sample size: 10k advisories + associated affected records; SBOM set: TBD (list below).

## Inputs
- Mongo source:
- Postgres target:
- Dual-import mode: enabled/disabled (state)
- SBOM sample set:
  - TODO: populate paths (e.g., tests/fixtures/sbom/...)

## Methods
- Importers used: NVD, OSV, GHSA, vendor.
- Comparison queries:
  - Advisory count by source
  - Affected count by PURL and version range
  - CVSS vectors/score deltas
  - KEV flags count
  - Full-text search sample (top 20 queries)
- Matching check:
  - Run matching against SBOM set with Mongo backend
  - Run matching against SBOM set with Postgres backend
  - Diff findings:

## Results
- Counts:
  - Advisories Mongo:
  - Advisories Postgres:
  - Affected Mongo:
  - Affected Postgres:
  - CVSS rows Mongo/Postgres: /
  - KEV rows Mongo/Postgres: /
- Findings parity on SBOM set:
  - Total findings Mongo/Postgres: /
  - Deltas: (list top examples)
- Performance snapshot:
  - Import time (Postgres): <>
  - Match time per SBOM (avg/p95): <>

## Verdict
- Parity status: PASS / FAIL
- Required fixes:
- Blocking issues:

## Next Actions
- If PASS: proceed to PG-T5b.5 (perf tuning) and schedule PG-T5b.6 cutover window.
- If FAIL: capture defects and owners; rerun parity after fixes.