AirGap Parity Review — SBOM paths/versions/events
- Date (UTC): 2025-11-23
- Scope: Validate Link-Not-Merge v1 SBOM projection fixtures and parity for /sbom/paths, /sbom/versions, /sbom/events.
- Related tasks: SBOM-SERVICE-21-001..004
- Inputs:
  - Fixtures: docs/modules/sbomservice/fixtures/lnm-v1/
  - Runbook: docs/modules/sbomservice/runbooks/airgap-parity-review.md
Attendees
- SBOM Service Guild: sbom-reviewer@example.org
- Cartographer Guild: carto-reviewer@example.org
- AirGap Guild: airgap-reviewer@example.org
- Observability Guild: observability-reviewer@example.org
Agenda
- Walk through fixture fields vs. LNM v1 schema (add-only rule).
- Validate tenant scoping, provenance, and replay determinism requirements.
- Confirm event envelopes (sbom.version.created, change events) and transport expectations.
- Capture hash list and parity verdict.
Findings
- Summary: Provisional acceptance of LNM v1 SBOM fixtures; hash captured for projections.json.
- Parity gaps (if any): None noted in provisional review.
- Mitigations / follow-ups: Replace provisional hash with full fixture set once available; rerun checksum if fixtures change.
Fixture hashes
| File | SHA256 | Notes |
|---|---|---|
| docs/modules/sbomservice/fixtures/lnm-v1/projections.json | cec9f64e5672e536a6e7e954e79df0540d47fd3605446b4e510aa63b3cc3924c | provisional hash recorded 2025-11-23 |
Decisions
- Approve LNM v1 fixtures for SBOM service projection (provisional until full hash set recorded).
- Approve AirGap parity (paths/versions/events) to unblock SBOM-SERVICE-21-001..004.
Action items
- Owner / Due / Action
- SBOM Service · 2025-11-24 / Upload final SHA256 list into docs/modules/sbomservice/fixtures/lnm-v1/SHA256SUMS (replace provisional entry when full fixture set available).
- Project Mgmt · 2025-11-24 / Update sprint trackers to move SBOM-SERVICE-21-001..004 to DOING/TODO sequencing (SBOM-SERVICE-21-001 already DOING).
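The follow-up to rerun the checksum and complete SHA256SUMS can be checked mechanically. The sketch below is an added example, not the project's runbook or tooling: it assumes a sha256sum-style manifest named SHA256SUMS at the fixture root, and the function names and the sample files written by `demo()` (including `events.json`) are constructed for illustration.

```python
import hashlib
import re
import tempfile
from pathlib import Path

MANIFEST = "SHA256SUMS"  # manifest name from the action item; format assumed
LINE = re.compile(r"([0-9a-fA-F]{64}) [ *](.+)")  # '<digest>  <path>' or '<digest> *<path>'


def sha256_file(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def parse_manifest(text: str) -> dict:
    """Map relative path -> lowercase digest; reject anything malformed."""
    entries = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        m = LINE.fullmatch(line)
        if m is None:
            raise ValueError(f"malformed manifest line: {line!r}")
        entries[m.group(2)] = m.group(1).lower()
    return entries


def verify_fixtures(root: Path) -> dict:
    """Report changed, missing and unlisted files under the fixture root."""
    expected = parse_manifest((root / MANIFEST).read_text())
    # Only files found on disk are opened; manifest paths are used as keys,
    # so a crafted entry cannot point the check outside the fixture root.
    actual = {p.relative_to(root).as_posix(): p
              for p in root.rglob("*") if p.is_file() and p.name != MANIFEST}
    return {
        "mismatch": sorted(n for n, d in expected.items()
                           if n in actual and sha256_file(actual[n]) != d),
        "missing": sorted(n for n in expected if n not in actual),
        "unlisted": sorted(n for n in actual if n not in expected),
    }


def demo() -> dict:
    # Constructed tree: one hashed fixture plus one file the manifest omits,
    # mirroring a provisional manifest that covers only projections.json.
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "projections.json").write_bytes(b'{"constructed": true}\n')
        (root / "events.json").write_bytes(b'{"constructed": "unlisted"}\n')
        digest = sha256_file(root / "projections.json")
        (root / MANIFEST).write_text(f"{digest}  projections.json\n")
        before = verify_fixtures(root)
        (root / "projections.json").write_bytes(b'{"constructed": false}\n')
        return {"before": before, "after": verify_fixtures(root)}
```

A non-empty "unlisted" list is the signal that the manifest is still provisional; a non-empty "mismatch" list means a fixture changed after its hash was recorded.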