Trace the requirements diff through local risk buckets #103

Description

@stacknil

Review scope

Trace the checked-in requirements example through the generated SBOM diff/risk report and confirm the local risk buckets stay bounded.

Sample input

tools/sbom-diff-and-risk/examples/requirements_before.txt:

requests==2.33.0

tools/sbom-diff-and-risk/examples/requirements_after.txt:

requests==2.34.2
urllib3==2.7.0

Expected output

In tools/sbom-diff-and-risk/examples/sample-requirements-report.json and .md:

  • summary has added: 1, removed: 0, and changed: 1
  • urllib3 is an added pypi component with new_package
  • requests is a changed component with version_change_unclassified
  • both components can carry unknown_license because requirements input has no license metadata
  • stale_package remains not_evaluated because no network enrichment is performed
  • evidence_confidence stays local_manifest_only

Acceptance criteria

  • Name the before/after input files and generated report files.
  • Confirm the expected buckets above without turning them into CVE, malware, exploitability, or package safety claims.
  • Note any unclear report wording with the smallest docs or artifact correction.
  • Keep the review no-network unless a separate enrichment task explicitly opts in.

Boundaries

Use only checked-in examples. Do not use private SBOMs, live package reputation claims, credentials, or production publishing changes.
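To make the expected buckets concrete, here is an added, self-contained example (not the project's own tool) that diffs two pinned requirements files offline and assigns the same local buckets the issue lists; the file contents are constructed inline to mirror the checked-in examples, and the regex and the empty flag list for removals are assumptions, since the issue names no bucket for removed packages.

```python
"""Added example: bounded, manifest-only risk buckets from a requirements diff."""
import json
import re
from typing import Dict

# Constructed inline to mirror the checked-in example files named in the issue.
REQ_BEFORE = "requests==2.33.0\n"
REQ_AFTER = "requests==2.34.2\nurllib3==2.7.0\n"

# Assumed: only exact pins (name==version) are recognised; comments/blanks ignored.
PIN_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*==\s*([^\s;#]+)")


def parse_pins(text: str) -> Dict[str, str]:
    """Map normalised package name -> pinned version."""
    pins: Dict[str, str] = {}
    for line in text.splitlines():
        m = PIN_RE.match(line)
        if m:
            pins[m.group(1).lower().replace("_", "-")] = m.group(2)
    return pins


def diff_report(before: str, after: str) -> dict:
    """Classify components into the local buckets the issue expects.
    These are observations about the manifest only: no CVE, malware,
    exploitability or package-safety claim is made, and nothing is fetched."""
    old, new = parse_pins(before), parse_pins(after)
    components = []
    for name in sorted(set(old) | set(new)):
        if name not in old:
            status, flags = "added", ["new_package"]
        elif name not in new:
            status, flags = "removed", []  # assumed: issue names no bucket here
        elif old[name] != new[name]:
            status, flags = "changed", ["version_change_unclassified"]
        else:
            continue  # unchanged pin: not reported
        flags.append("unknown_license")  # requirements carry no license metadata
        components.append({"name": name, "ecosystem": "pypi", "status": status,
                           "before": old.get(name), "after": new.get(name),
                           "flags": flags,
                           "stale_package": "not_evaluated"})  # no enrichment
    summary = {k: sum(c["status"] == k for c in components)
               for k in ("added", "removed", "changed")}
    return {"summary": summary, "components": components,
            "evidence_confidence": "local_manifest_only"}


if __name__ == "__main__":
    print(json.dumps(diff_report(REQ_BEFORE, REQ_AFTER), indent=2))
```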

Labels

  • documentation (Improvements or additions to documentation)
  • good first issue (Good for newcomers)
  • help wanted (Extra attention is needed)