Add sbom-diff-and-risk v0.1.0 release surface

Author: stacknil

.github/workflows/sbom-diff-and-risk-ci.yml

@@ -0,0 +1,51 @@
+name: sbom-diff-and-risk-ci
+
+on:
+  workflow_dispatch:
+  push:
+    paths:
+      - ".github/workflows/sbom-diff-and-risk-ci.yml"
+      - "tools/sbom-diff-and-risk/**"
+  pull_request:
+    paths:
+      - ".github/workflows/sbom-diff-and-risk-ci.yml"
+      - "tools/sbom-diff-and-risk/**"
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    defaults:
+      run:
+        working-directory: tools/sbom-diff-and-risk
+    steps:
+      - name: Check out repository
+        uses: actions/checkout@v4
+
+      - name: Set up Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: "3.11"
+
+      - name: Upgrade pip
+        run: python -m pip install --upgrade pip
+
+      - name: Install project
+        run: python -m pip install -e .[dev]
+
+      - name: Run test suite
+        run: python -m pytest
+
+      - name: CLI smoke test
+        shell: bash
+        run: |
+          tmpdir="$(mktemp -d)"
+          python -m sbom_diff_risk.cli compare \
+            --before examples/cdx_before.json \
+            --after examples/cdx_after.json \
+            --format auto \
+            --out-json "$tmpdir/report.json" \
+            --out-md "$tmpdir/report.md"
+          test -f "$tmpdir/report.json"
+          test -f "$tmpdir/report.md"
+          diff -u examples/sample-report.json "$tmpdir/report.json"
+          diff -u examples/sample-report.md "$tmpdir/report.md"

tools/sbom-diff-and-risk/.gitignore

@@ -0,0 +1,8 @@
+.pytest_cache/
+outputs/
+src/*.egg-info/
+src/**/*.egg-info/
+*.pyc
+*.pyo
+*.pyd
+__pycache__/

tools/sbom-diff-and-risk/README.md

@@ -0,0 +1,164 @@
+# sbom-diff-and-risk
+
+`sbom-diff-and-risk` is a local, deterministic CLI for comparing two SBOMs or dependency manifests and producing JSON plus Markdown reports.
+
+It uses conservative heuristics for change intelligence. By default it does not resolve CVEs, does not act as a reputation oracle, and does not perform hidden network enrichment.
+
+## Scope
+
+- Normalize two local inputs into a shared component schema.
+- Diff components as `added`, `removed`, and `changed`.
+- Apply conservative, heuristic risk buckets to newly added and changed components.
+- Produce machine-friendly JSON and reviewer-friendly Markdown reports.
+- Stay fully local-file based by default.
+
+## v0.1 Internal Component Model
+
+The normalized schema is the core design choice for the project:
+
+- `name: str`
+- `version: str | None`
+- `ecosystem: str`
+- `purl: str | None`
+- `license_id: str | None`
+- `supplier: str | None`
+- `source_url: str | None`
+- `bom_ref: str | None`
+- `raw_type: str | None`
+- `evidence: dict`
+
+Diff identity is intentionally conservative and uses this precedence:
+
+1. `purl`
+2. `bom_ref`
+3. `(ecosystem, name)`
+
+When a `purl` includes a version, the tool keeps the full value in `Component.purl` for auditability but uses the versionless package coordinate for identity so upgrades still diff as `changed`.
+
+## Non-goals
+
+- No vulnerability database integration in v0.1.
+- No CVE, advisory, or exploit resolution in v0.1.
+- No reputation scoring or malware verdicts.
+- No hidden enrichment or implicit network access.
+- No web UI.
+
+## Supported Formats
+
+- CycloneDX JSON
+- SPDX JSON
+- `requirements.txt`
+- `pyproject.toml`
+
+## Risk Bucket Semantics
+
+The current heuristic buckets are:
+
+- `new_package`
+- `major_upgrade`
+- `version_change_unclassified`
+- `unknown_license`
+- `stale_package`
+- `suspicious_source`
+- `not_evaluated`
+
+Offline `stale_package` evaluation is intentionally deferred. When enrichment is disabled, the tool emits `not_evaluated` findings instead of guessing.
+
+## Output Formats
+
+- `report.json`
+- `report.md`
+
+## Install
+
+```bash
+python -m pip install -e .[dev]
+```
+
+## Usage
+
+Generate reports from the bundled CycloneDX example inputs:
+
+```bash
+sbom-diff-risk compare \
+  --before examples/cdx_before.json \
+  --after examples/cdx_after.json \
+  --format auto \
+  --out-json outputs/report.json \
+  --out-md outputs/report.md
+```
+
+Generate reports from the `requirements.txt` examples:
+
+```bash
+sbom-diff-risk compare \
+  --before examples/requirements_before.txt \
+  --after examples/requirements_after.txt \
+  --format auto \
+  --out-json outputs/requirements-report.json \
+  --out-md outputs/requirements-report.md
+```
+
+Use explicit format flags when you do not want auto-detection:
+
+```bash
+sbom-diff-risk compare \
+  --before examples/spdx_before.json \
+  --after examples/spdx_after.json \
+  --before-format spdx-json \
+  --after-format spdx-json \
+  --out-json outputs/spdx-report.json \
+  --out-md outputs/spdx-report.md
+```
+
+Generate reports from PEP 621 `pyproject.toml` examples:
+
+```bash
+sbom-diff-risk compare \
+  --before examples/pyproject_before.toml \
+  --after examples/pyproject_after.toml \
+  --format auto \
+  --out-json outputs/pyproject-report.json \
+  --out-md outputs/pyproject-report.md
+```
+
+## CLI Flags
+
+- `--before path`
+- `--after path`
+- `--format auto|cyclonedx-json|spdx-json|requirements-txt|pyproject-toml`
+- `--before-format cyclonedx-json|spdx-json|requirements-txt|pyproject-toml`
+- `--after-format cyclonedx-json|spdx-json|requirements-txt|pyproject-toml`
+- `--out-json path`
+- `--out-md path`
+- `--strict`
+- `--enrich-pypi`
+- `--source-allowlist pypi.org,files.pythonhosted.org,github.com`
+
+`--enrich-pypi` is reserved for future work and currently returns a clear error.
+
+## Examples
+
+The [`examples/`](D:/OneDrive/Code/scientific-computing-toolkit/tools/sbom-diff-and-risk/examples) directory includes:
+
+- before/after inputs for CycloneDX JSON, SPDX JSON, `requirements.txt`, and `pyproject.toml`
+- a sample CycloneDX-based JSON report at [`sample-report.json`](D:/OneDrive/Code/scientific-computing-toolkit/tools/sbom-diff-and-risk/examples/sample-report.json)
+- a sample CycloneDX-based Markdown report at [`sample-report.md`](D:/OneDrive/Code/scientific-computing-toolkit/tools/sbom-diff-and-risk/examples/sample-report.md)
+- requirements-based sample reports at [`sample-requirements-report.json`](D:/OneDrive/Code/scientific-computing-toolkit/tools/sbom-diff-and-risk/examples/sample-requirements-report.json) and [`sample-requirements-report.md`](D:/OneDrive/Code/scientific-computing-toolkit/tools/sbom-diff-and-risk/examples/sample-requirements-report.md)
+
+## Limitations
+
+- v0.1 is local-file based only.
+- `generated_at` remains `null` to preserve deterministic report output.
+- `stale_package` is not resolved offline. The report emits `not_evaluated` instead.
+- No vulnerability database integration, CVE matching, or advisory enrichment.
+- `requirements.txt` support intentionally covers a conservative subset: plain PEP 508 requirement entries, comments, direct URL requirements, and line continuations.
+- `requirements.txt` intentionally does not support pip include/constraint directives such as `-r`, `-c`, or arbitrary install flags in v0.1.
+- `pyproject.toml` support intentionally covers a conservative subset: PEP 621 `[project.dependencies]` and `[project.optional-dependencies]`.
+- `pyproject.toml` intentionally does not support tool-specific layouts such as Poetry, Hatch, or PDM sections in v0.1.
+- Risk buckets are heuristics, not security verdicts.
+- Runtime-generated `outputs/` artifacts are ignored; tracked examples live in `examples/`.
+
+## Current Status
+
+The project now normalizes local CycloneDX JSON, SPDX JSON, `requirements.txt`, and PEP 621 `pyproject.toml` inputs into the shared component model, diffs them deterministically, and generates stable JSON/Markdown reports with golden tests.

tools/sbom-diff-and-risk/RELEASE_NOTES_v0.1.0.md

@@ -0,0 +1,6 @@
+# v0.1.0
+
+- Added deterministic diffing for CycloneDX JSON, SPDX JSON, requirements.txt, and pyproject.toml
+- Added conservative risk buckets for new packages, major upgrades, unknown licenses, suspicious sources, and opt-in future stale evaluation
+- Added stable JSON/Markdown reporting with golden tests
+- Clarified scope: no CVE matching, no hidden enrichment, no reputation scoring by default

tools/sbom-diff-and-risk/docs/dependency-risk-heuristics.md

@@ -0,0 +1,30 @@
+# Dependency risk heuristics
+
+`sbom-diff-and-risk` classifies change-related heuristics. It does not claim vulnerability truth.
+
+## Implemented buckets
+
+The current rules are intentionally conservative:
+
+- `new_package`: a component appears only in the after input.
+- `major_upgrade`: strict SemVer `x.y.z` major version increase.
+- `version_change_unclassified`: version changed, but not a clear SemVer major bump.
+- `unknown_license`: license metadata is missing or explicitly unknown.
+- `suspicious_source`: provenance fields are missing or use suspicious schemes or hosts.
+- `stale_package`: reserved for future enrichment work. When enrichment is disabled, the tool emits `not_evaluated` instead of guessing.
+
+## Conservative rule notes
+
+- `new_package` is a change signal, not a vulnerability claim.
+- `major_upgrade` fires only when both versions look reliably parseable as strict SemVer.
+- uncertain version changes fall back to `version_change_unclassified`.
+- suspicious source is a provenance-quality heuristic, not a malware verdict.
+- missing metadata is reported as unknown rather than silently treated as safe.
+- `not_evaluated` means the stale-package question was intentionally left unanswered offline.
+
+## Deferred work
+
+- real `stale_package` evaluation behind explicit enrichment
+- ecosystem-specific trust rules
+- advisory and CVE enrichment
+- configurable risk policy profiles

tools/sbom-diff-and-risk/docs/sbom-basics.md

@@ -0,0 +1,57 @@
+# SBOM basics
+
+This project treats SBOMs as one possible source of dependency inventory data.
+
+For v0.1, the tool is intentionally limited to local-file parsing, normalization, diffing, and heuristic reporting.
+
+## Supported local inputs
+
+- CycloneDX JSON
+- SPDX JSON
+- `requirements.txt`
+- `pyproject.toml`
+
+## Intentional parser boundaries
+
+`requirements.txt` support is intentionally conservative in v0.1:
+
+- supported: plain PEP 508 requirement entries
+- supported: comments and blank lines
+- supported: direct URL requirements
+- supported: line continuations
+- not supported: `-r`, `--requirement`, `-c`, `--constraint`, or arbitrary pip install flags
+
+`pyproject.toml` support is intentionally conservative in v0.1:
+
+- supported: PEP 621 `[project.dependencies]`
+- supported: PEP 621 `[project.optional-dependencies]`
+- not supported: Poetry, Hatch, PDM, or other tool-specific dependency sections
+
+These boundaries are deliberate so the tool can stay deterministic and explicit about what it does and does not parse.
+
+## Normalization goals
+
+- keep one internal `Component` model
+- preserve source evidence for auditability
+- prefer purl identity when available
+- stay deterministic and local-file based
+
+## Diff identity precedence
+
+1. `purl`
+2. `bom_ref`
+3. `(ecosystem, name)`
+
+When a purl includes a version, the full purl is retained for auditability, but the diff identity uses the versionless package coordinate so upgrades still classify as `changed`.
+
+## Outputs
+
+- `report.json` for machine consumption
+- `report.md` for human review
+
+## What this tool is not
+
+- not a vulnerability scanner
+- not a package resolver
+- not a provenance verifier
+- not a web service

tools/sbom-diff-and-risk/examples/cdx_after.json

@@ -0,0 +1,50 @@
+{
+  "bomFormat": "CycloneDX",
+  "specVersion": "1.5",
+  "version": 1,
+  "components": [
+    {
+      "bom-ref": "pkg:pypi/requests@2.32.0",
+      "type": "library",
+      "name": "requests",
+      "version": "2.32.0",
+      "purl": "pkg:pypi/requests@2.32.0",
+      "supplier": {
+        "name": "Python Software Foundation"
+      },
+      "licenses": [
+        {
+          "license": {
+            "id": "Apache-2.0"
+          }
+        }
+      ],
+      "externalReferences": [
+        {
+          "type": "website",
+          "url": "https://pypi.org/project/requests/"
+        }
+      ]
+    },
+    {
+      "bom-ref": "pkg:pypi/urllib3@2.2.1",
+      "type": "library",
+      "name": "urllib3",
+      "version": "2.2.1",
+      "purl": "pkg:pypi/urllib3@2.2.1",
+      "licenses": [
+        {
+          "license": {
+            "id": "MIT"
+          }
+        }
+      ],
+      "externalReferences": [
+        {
+          "type": "website",
+          "url": "https://pypi.org/project/urllib3/"
+        }
+      ]
+    }
+  ]
+}