SBOM & Advisory Sample List · Vulnerability Parity · 2025-12-09

Use this list for PG-T5b.35b.4 parity runs (Mongo vs Postgres). Keep counts deterministic and freeze inputs once finalized.

Advisory sample (10k advisories)

  • Source selection: e.g., NVD 2025-08 snapshot, OSV 2025-09, vendor feeds.
  • Selection method: deterministic (sorted by source + advisory key); document exact query.
  • Export path:
  • SHA256 of export:

SBOM sample set

| # | SBOM path | Ecosystem | Size | Hash (SHA256) | Notes |
|---|-----------|-----------|------|---------------|-------|
| 1 | docs/db/reports/assets/vuln-parity-20251211/sbom.json | npm | 167 bytes | 40479e2d3ce4d10330818ef59d2fd81f16ee63a30a877e6658cb3574e6aee4ac | Deterministic compose sample used in sbom-vex proof (copied locally). |
| 2 | docs/db/reports/assets/vuln-parity-20251211/sample-sbom.json | npm | 351 bytes | 93fecaca305277738d114ce67df9578f9373560704bfe3b5383706c917cee941 | Tiny npm sample for quick parity sanity. |
| 3 | docs/db/reports/assets/vuln-parity-20251211/sbom-snapshot.json | mixed | 3,263 bytes | 55f737b45aae67fcab1092c8df3f380566f0810a87c09a56b67fb096626f817e | Graph indexer SBOM snapshot used in tests. |
| 4 | docs/db/reports/assets/vuln-parity-20251211/sbom-go-sample.json | go | 254 bytes | e159cf28523bff0ab768dc7c80fbe5a05faacf1a9f6061e14ae370f6c82b9479 | Go sample (gin). |
| 5 | docs/db/reports/assets/vuln-parity-20251211/sbom-pypi-sample.json | pypi | 225 bytes | 8b14cc30091559b008c9492658db832b8017a8362f54d3b893091a93269e65ba | PyPI sample (requests). |
| 6 | docs/db/reports/assets/vuln-parity-20251211/sbom-maven-sample.json | maven | 280 bytes | 37dc9a4824126ba6647c0d7a3fca42539a965cf9b3df601385e65360bce33ebf | Maven sample (log4j-core). |
| 7 | docs/db/reports/assets/vuln-parity-20251211/sbom-os-sample.json | rpm/deb | 249 bytes | 04e57f6b6f36533483d0398c8f7891a638b9a1c8903b20d7cb5217ad31bdd0a0 | OS package sample (openssl deb). |

Determinism guardrails

  • Do not change the sample set after the hashes are recorded.
  • Store exports under docs/db/reports/assets/vuln-parity-20251211/ together with a hash manifest.