1.6 KiB
1.6 KiB
SBOM & Advisory Sample List · Vulnerability Parity · 2025-12-09
Use this list for PG-T5b.3–5b.4 parity runs (Mongo vs Postgres). Keep counts deterministic and freeze inputs once finalized.
Advisory sample (10k advisories)
- Source selection: e.g., NVD 2025-08 snapshot, OSV 2025-09, vendor feeds.
- Selection method: deterministic (sorted by source + advisory key); document exact query.
- Export path:
- SHA256 of export:
SBOM sample set
| # | SBOM path | Ecosystem | Size | Hash (SHA256) | Notes |
|---|---|---|---|---|---|
| 1 | docs/scripts/sbom-vex/sbom.json | npm | ~95 KB | Deterministic compose sample used in sbom-vex proof. | |
| 2 | docs/examples/policies/sample-sbom.json | npm | small | Tiny npm sample for quick parity sanity. | |
| 3 | tests/Graph/StellaOps.Graph.Indexer.Tests/Fixtures/v1/sbom-snapshot.json | mixed | Graph indexer SBOM snapshot used in tests. | ||
| 4 | docs/db/reports/assets/vuln-parity-20251211/sbom-go-sample.json | go | To be generated or copied from Go fixture. | ||
| 5 | docs/db/reports/assets/vuln-parity-20251211/sbom-pypi-sample.json | pypi | To be generated or copied from Python fixture. | ||
| 6 | docs/db/reports/assets/vuln-parity-20251211/sbom-maven-sample.json | maven | To be generated or copied from Maven/Java fixture. | ||
| 7 | docs/db/reports/assets/vuln-parity-20251211/sbom-os-sample.json | rpm/deb | Optional OS package SBOM for coverage. |
Determinism guardrails
- Do not change sample set after hashes recorded.
- Store exports under
docs/db/reports/assets/vuln-parity-20251211/with hash manifest.