Review scope
Trace the checked-in requirements example through the generated SBOM diff/risk report and confirm the local risk buckets stay bounded.
Sample input
tools/sbom-diff-and-risk/examples/requirements_before.txt:
tools/sbom-diff-and-risk/examples/requirements_after.txt:
requests==2.34.2
urllib3==2.7.0
Expected output
In tools/sbom-diff-and-risk/examples/sample-requirements-report.json and .md:
- summary has added: 1, removed: 0, and changed: 1
- urllib3 is an added pypi component with new_package
- requests is a changed component with version_change_unclassified
- both components can carry unknown_license because requirements input has no license metadata
- stale_package remains not_evaluated because no network enrichment is performed
- evidence_confidence stays local_manifest_only
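An added, no-network sketch (not the tool's own code) of the diff and bucketing this brief describes: it parses two pinned requirements manifests and emits the summary counts and bucket names listed above. The bucket and field names come from the brief; the JSON layout, the constructed "before" pin and the removed_package flag are assumptions.

```python
# Added example (not the tool's own code): a minimal, no-network diff of two
# requirements.txt manifests that emits the local risk buckets named in the brief.
import re
from typing import Dict, List

PIN = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*==\s*([^\s#]+)")

def parse_pins(text: str) -> Dict[str, str]:
    """Return {normalized_name: version} for '=='-pinned lines; skip comments and blanks."""
    pins: Dict[str, str] = {}
    for line in text.splitlines():
        m = PIN.match(line)
        if m:
            # PEP 503 normalization: case-insensitive, runs of '-', '_' and '.' become '-'
            pins[re.sub(r"[-_.]+", "-", m.group(1)).lower()] = m.group(2)
    return pins

def diff_report(before: str, after: str) -> dict:
    """Classify each differing pin into bounded local buckets; nothing is looked up."""
    old, new = parse_pins(before), parse_pins(after)
    components: List[dict] = []
    for name in sorted(old.keys() | new.keys()):
        if name not in old:
            status, flags = "added", ["new_package"]
        elif name not in new:
            status, flags = "removed", ["removed_package"]  # flag name assumed, not from the brief
        elif old[name] != new[name]:
            # Neither direction nor safety of the change is judged from the manifest alone.
            status, flags = "changed", ["version_change_unclassified"]
        else:
            continue  # unchanged pins are not part of the diff
        flags.append("unknown_license")  # requirements.txt carries no license metadata
        components.append({
            "name": name, "ecosystem": "pypi", "status": status,
            "before": old.get(name), "after": new.get(name), "risk_flags": flags,
            "stale_package": "not_evaluated",  # would need a network lookup; deliberately skipped
            "evidence_confidence": "local_manifest_only",
        })
    summary = {k: sum(c["status"] == k for c in components) for k in ("added", "removed", "changed")}
    return {"summary": summary, "components": components}

# Constructed sample: the brief shows only the 'after' manifest; the 'before' pin is assumed.
BEFORE = "requests==2.31.0\n"
AFTER = "requests==2.34.2\nurllib3==2.7.0\n"

if __name__ == "__main__":
    import json
    print(json.dumps(diff_report(BEFORE, AFTER), indent=2))
```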
Acceptance criteria
- Name the before/after input files and generated report files.
- Confirm the expected buckets above without turning them into CVE, malware, exploitability, or package safety claims.
- Note any unclear report wording with the smallest docs or artifact correction.
- Keep the review no-network unless a separate enrichment task explicitly opts in.
Boundaries
Use only checked-in examples. Do not use private SBOMs, live package reputation claims, credentials, or production publishing changes.