# Portable Audit Pack Parquet Profile (Optional)

Status: Optional profile contract for implementation handoff (2026-02-10).

## Positioning

`components.parquet` is optional and must not be required for baseline pack verification.

## Manifest integration

When present, `manifest.files["components.parquet"]` must include:

- `sha256`
- `size`
- `content_type` = `application/x-parquet`
- `compression` = `snappy`
- `schema_fingerprint`

## Recommended schema columns

- `package_name` (STRING)
- `package_version` (STRING)
- `purl` (STRING)
- `license` (STRING)
- `component_hash_sha256` (STRING)
- `artifact_digest_sha256` (STRING)
- `cve_id` (STRING, nullable)
- `vex_status` (STRING, nullable)
- `introduced_range` (STRING, nullable)
- `fixed_version` (STRING, nullable)
- `source_bom_sha256` (STRING)

## Determinism rules

- Stable row ordering: `(artifact_digest_sha256, package_name, package_version, purl)`.
- Stable column ordering exactly as listed above.
- Stable Parquet writer settings pinned by version and compression codec.
- `schema_fingerprint` must be reproducible from logical schema definition.

## Feature gating

- Default profile: disabled.
- Enable only with explicit profile flag.
- Verification ignores Parquet content when absent.
- Verification fails with `ERR_PARQUET_FINGERPRINT_MISMATCH` when present but invalid.

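An added example, not part of the original profile or the project's own code: a stdlib-only verifier for the manifest entry that applies the manifest, determinism and feature-gating rules together. The fingerprint construction (SHA-256 over compact JSON of the ordered column list), the function names, and the use of the one documented error code for every invalid case are assumptions.

```python
import hashlib
import json

# Column order exactly as listed under "Recommended schema columns";
# the third field is True only where the page marks the column nullable.
SCHEMA = [
    ("package_name", "STRING", False),
    ("package_version", "STRING", False),
    ("purl", "STRING", False),
    ("license", "STRING", False),
    ("component_hash_sha256", "STRING", False),
    ("artifact_digest_sha256", "STRING", False),
    ("cve_id", "STRING", True),
    ("vex_status", "STRING", True),
    ("introduced_range", "STRING", True),
    ("fixed_version", "STRING", True),
    ("source_bom_sha256", "STRING", False),
]
REQUIRED = ("sha256", "size", "content_type", "compression", "schema_fingerprint")
PINNED = {"content_type": "application/x-parquet", "compression": "snappy"}
ERR = "ERR_PARQUET_FINGERPRINT_MISMATCH"  # the only error code the profile names


def schema_fingerprint(schema=SCHEMA):
    # ASSUMPTION: SHA-256 over compact JSON of the ordered column list.
    # Column order is significant, so the list is not sorted before hashing.
    canon = json.dumps([list(c) for c in schema], separators=(",", ":"))
    return hashlib.sha256(canon.encode("utf-8")).hexdigest()


def verify_parquet_entry(manifest, data=None):
    """Return (ok, error_code, detail) for the optional Parquet profile."""
    entry = manifest.get("files", {}).get("components.parquet")
    if entry is None:
        return True, None, "parquet profile absent; ignored"
    missing = [k for k in REQUIRED if k not in entry]
    if missing:
        return False, ERR, "missing fields: " + ",".join(missing)
    for key, want in PINNED.items():
        if entry[key] != want:
            return False, ERR, f"{key} must be {want}"
    if data is None or entry["size"] != len(data):
        return False, ERR, "file missing or size mismatch"
    if entry["sha256"] != hashlib.sha256(data).hexdigest():
        return False, ERR, "sha256 mismatch"
    if entry["schema_fingerprint"] != schema_fingerprint():
        return False, ERR, "schema_fingerprint mismatch"
    return True, None, "ok"
```

The file bytes are treated as opaque here; confirming that the schema embedded in the Parquet file matches `SCHEMA` needs a Parquet reader and is outside this check.
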
## Operator guidance

- Use Parquet profile for fleet-level offline analytics.
- Keep analytics ingestion separate from baseline release gate verification.