- Introduced a new JSON fixture `receipt-input.json` containing base, environmental, and threat metrics for CVSS scoring.
- Added corresponding SHA256 hash file `receipt-input.sha256` to ensure integrity of the JSON fixture.
Dataset Safety & Provenance Checklist (RD1–RD10)
Version: 1.0.1 · Date: 2025-12-03
- PII/secret scrub: no tokens/URLs; build/test logs redacted. Attested by DSSE when signing manifest.
- License compatibility: all cases authored in-repo under Apache-2.0; third-party snippets none. NOTICE up to date.
- Feed/tool lockfile: `manifest.sample.json` pins hashes for schemas, scorer, builder, and baseline submissions (when present).
- Published schemas/validators: truth/submission/coverage/trace + manifest schemas; validated via `tools/validate.py` and `tools/verify_manifest.py`.
- Evidence bundles: coverage + traces + attestation + sbom recorded per case (sample manifest).
- Binary case recipe: `cases/**/build/build.sh` pinned `SOURCE_DATE_EPOCH` and env templates under `benchmark/templates/determinism/`.
- Determinism CI: `ci/run-ci.sh` + `tools/verify_manifest.py` run twice to compare hashes; Java track still blocked on JDK availability.
- Signed baselines: baseline submissions may include DSSE path in manifest (not required for sample kit); rulepack hashes recorded separately.
- Submission policy: CLA/DSSE optional in sample; production kits require DSSE envelope recorded in `signatures`.
- Semantic versioning & changelog: see `benchmark/CHANGELOG.md`; manifest `version` mirrors dataset release.
- Offline kit packaging: `tools/package_offline_kit.sh` produces deterministic tarball with manifest + schemas + tools.
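The sidecar hash in the commit above, the hash-pinned manifest and the run-twice determinism check all reduce to one operation: hash each artifact and compare it to a recorded digest, flagging any drift. The Python below is an added example, not the benchmark's `tools/verify_manifest.py` or `tools/validate.py`. It assumes the sidecar uses `sha256sum` format (`<hex>  <name>`) and that the manifest carries a `pins` map from relative path to digest; both layouts are assumptions, and the fixture contents are constructed for the demo.

```python
"""Verify hash pins for fixtures and manifests (added example, not project code).

Assumptions (not taken from the checklist): the sidecar is in sha256sum
format and the manifest stores pins under a "pins" key.
"""
import hashlib
import hmac
import json
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_sidecar(fixture: Path, sidecar: Path) -> bool:
    """Check a `<name>.sha256` sidecar: "<hex>  <name>" or a bare "<hex>".

    A sidecar that names a different file is rejected rather than trusted,
    since a mismatched name usually means the wrong digest was committed.
    """
    parts = sidecar.read_text().split()
    if not parts:
        return False
    expected = parts[0].lower()
    if len(parts) > 1 and parts[1].lstrip("*") != fixture.name:
        return False
    # Constant-time compare is habit here; the digests are not secret, but
    # it keeps the helper safe to reuse for MAC-like checks.
    return hmac.compare_digest(expected, sha256_file(fixture))


def snapshot(root: Path, rel_paths) -> dict:
    """Hash every pinned file; two snapshots of two builds can then be diffed."""
    return {rel: sha256_file(root / rel) for rel in sorted(rel_paths)}


def verify_manifest(root: Path, manifest: dict) -> list:
    """Return the relative paths whose on-disk digest differs from its pin."""
    return [
        rel
        for rel, pin in manifest["pins"].items()
        if not hmac.compare_digest(pin, sha256_file(root / rel))
    ]


def demo() -> dict:
    """Build a constructed fixture, pin it, then simulate a non-deterministic rebuild."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        fixture = root / "receipt-input.json"
        # Constructed sample content shaped like base/environmental/threat metrics.
        fixture.write_text(json.dumps(
            {"base": {"AV": "N"}, "environmental": {}, "threat": {}}, sort_keys=True))

        sidecar = root / "receipt-input.sha256"
        sidecar.write_text(f"{sha256_file(fixture)}  {fixture.name}\n")
        sidecar_ok = verify_sidecar(fixture, sidecar)

        # Same digest but the wrong file name listed: must be rejected.
        wrong = root / "wrong.sha256"
        wrong.write_text(f"{sha256_file(fixture)}  other.json\n")
        sidecar_wrong_name = verify_sidecar(fixture, wrong)

        # Manifest pins taken from the first build, then checked against it.
        manifest = {"version": "1.0.1", "pins": snapshot(root, ["receipt-input.json"])}
        drift_before = verify_manifest(root, manifest)

        # Second "build" leaks a timestamp into the output: a determinism failure.
        fixture.write_text(json.dumps(
            {"base": {"AV": "N"}, "built_at": "2025-12-03T00:00:00Z"}))
        drift_after = verify_manifest(root, manifest)

        return {
            "sidecar_ok": sidecar_ok,
            "sidecar_wrong_name": sidecar_wrong_name,
            "drift_before": drift_before,
            "drift_after": drift_after,
        }


if __name__ == "__main__":
    print(demo())
```

Running the same snapshot over two independent builds and diffing the two maps is the "run twice to compare hashes" step; a non-empty list from `verify_manifest` is the signal a determinism CI job should fail on.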