# SBOM & Advisory Sample List · Vulnerability Parity · 2025-12-09
Use this list for the PG-T5b.3–5b.4 parity runs (Mongo vs Postgres). Keep the vulnerability counts deterministic: freeze the inputs once finalized and record their hashes before any run whose numbers are reported, so that a count difference can only come from the two backends and never from a changed input.
## Advisory sample (10k advisories)
- Source selection: e.g., NVD 2025-08 snapshot, OSV 2025-09, vendor feeds. Record the exact snapshot identifier or date of each feed; "latest" is not reproducible.
- Selection method: deterministic. Deduplicate on (source, advisory key), sort by (source, advisory key), take the first 10k. Document the exact query and the tie-break rule for duplicate keys so that a re-run from the same feeds yields a byte-identical export.
- Export path: <populate>
- SHA256 of export: <populate>
## SBOM sample set
| # | SBOM path | Ecosystem | Size | Hash (SHA256) | Notes |
|---|-----------|-----------|------|---------------|-------|
| 1 | docs/scripts/sbom-vex/sbom.json | npm | ~95 KB | <fill> | Deterministic compose sample used in sbom-vex proof. |
| 2 | docs/examples/policies/sample-sbom.json | npm | small | <fill> | Tiny npm sample for quick parity sanity. |
| 3 | tests/Graph/StellaOps.Graph.Indexer.Tests/Fixtures/v1/sbom-snapshot.json | mixed | <fill> | <fill> | Graph indexer SBOM snapshot used in tests. |
| 4 | docs/db/reports/assets/vuln-parity-20251211/sbom-go-sample.json | go | <fill> | <fill> | To be generated or copied from Go fixture. |
| 5 | docs/db/reports/assets/vuln-parity-20251211/sbom-pypi-sample.json | pypi | <fill> | <fill> | To be generated or copied from Python fixture. |
| 6 | docs/db/reports/assets/vuln-parity-20251211/sbom-maven-sample.json | maven | <fill> | <fill> | To be generated or copied from Maven/Java fixture. |
| 7 | docs/db/reports/assets/vuln-parity-20251211/sbom-os-sample.json | rpm/deb | <fill> | <fill> | Optional OS package SBOM for coverage. |
## Determinism guardrails
- Do not change the sample set after its hashes are recorded; a changed input invalidates every parity count derived from it. If a sample must change, record new hashes and treat earlier results as a separate run.
- Store exports under `docs/db/reports/assets/vuln-parity-20251211/` together with a SHA256 manifest (one `<hash>  <file>` line per file); verify the manifest against the files before each parity run and refuse to run on a mismatch.
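As an added worked example (not StellaOps project code), the advisory selection step and the manifest guardrails above in one runnable Python script. It assumes advisories are JSON records with `source` and `id` fields and uses a constructed placeholder feed; the tie-break for duplicate keys (the record with the smallest canonical JSON wins) is an assumption chosen so that the output cannot depend on feed order. The manifest format is the `sha256sum -c` line format.

```python
"""Deterministic advisory sampling plus a frozen SHA256 manifest (added example)."""
import hashlib
import json
import random
import tempfile
from pathlib import Path

# Constructed placeholder feed (not real advisories). It is deliberately
# unsorted and contains a duplicate key with a different payload so that
# both the ordering and the dedup tie-break are exercised.
SAMPLE_FEED = [
    {"source": "osv", "id": "SAMPLE-0003", "summary": "third"},
    {"source": "nvd", "id": "SAMPLE-0002", "summary": "second"},
    {"source": "osv", "id": "SAMPLE-0001", "summary": "first"},
    {"source": "nvd", "id": "SAMPLE-0002", "summary": "second (duplicate)"},
    {"source": "nvd", "id": "SAMPLE-0001", "summary": "zeroth"},
]


def canonical_json(obj):
    """Byte-stable serialization: sorted keys, fixed separators, UTF-8."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":"),
                      ensure_ascii=False).encode("utf-8")


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def select_sample(advisories, limit):
    """Dedupe on (source, id), sort by (source, id), take the first `limit`.

    Tie-break for duplicate keys (assumption): keep the record whose canonical
    JSON is lexicographically smallest, so the winner does not depend on the
    order in which the feed happened to be read.
    """
    unique = {}
    for adv in advisories:
        key = (adv["source"], adv["id"])
        if key not in unique or canonical_json(adv) < canonical_json(unique[key]):
            unique[key] = adv
    ordered = sorted(unique.values(), key=lambda a: (a["source"], a["id"]))
    return ordered[:limit]


def write_manifest(manifest_path, files):
    """Write a `sha256sum -c` compatible manifest: '<hex>  <name>', sorted by name."""
    lines = [f"{sha256_hex(p.read_bytes())}  {p.name}"
             for p in sorted(files, key=lambda p: p.name)]
    manifest_path.write_text("\n".join(lines) + "\n")
    return lines


def verify_manifest(manifest_path):
    """Return the names of listed files that are missing or whose hash drifted."""
    drifted = []
    for line in manifest_path.read_text().splitlines():
        expected, name = line.split("  ", 1)
        f = manifest_path.parent / name
        if not f.exists() or sha256_hex(f.read_bytes()) != expected:
            drifted.append(name)
    return drifted


def run_demo(workdir=None):
    """Select, freeze, verify, then show that a later edit is caught."""
    workdir = Path(workdir or tempfile.mkdtemp())
    # 1. Selection yields the same bytes (hence the same hash) from a shuffled feed.
    shuffled = list(SAMPLE_FEED)
    random.Random(42).shuffle(shuffled)
    sample = select_sample(SAMPLE_FEED, limit=3)
    stable = (sha256_hex(canonical_json(sample))
              == sha256_hex(canonical_json(select_sample(shuffled, limit=3))))
    # 2. Freeze the export next to its manifest and verify it.
    export = workdir / "advisory-sample.json"
    export.write_bytes(canonical_json(sample))
    manifest = workdir / "SHA256SUMS"
    write_manifest(manifest, [export])
    clean = verify_manifest(manifest)
    # 3. Even a semantically equal re-serialization (pretty-printing) is a drift.
    export.write_text(json.dumps(sample, indent=2))
    return {
        "keys": [(a["source"], a["id"]) for a in sample],
        "stable": stable,
        "clean": clean,
        "drifted": verify_manifest(manifest),
    }


if __name__ == "__main__":
    print(run_demo())
```

The same manifest can be checked from the shell with `sha256sum -c SHA256SUMS` inside the assets directory; `verify_manifest` applies the same rule and returns every file that is missing or has changed, which is the check to run before each parity run.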