feat(sbom): canonicalize component identity #110

Merged: stacknil merged 1 commit into main from codex/v1.1-canonical-component-identity, Jul 5, 2026
Conversation

@stacknil (Owner) commented Jul 5, 2026
Summary

  • add an immutable CanonicalComponentIdentity for ecosystem, package name, version, purl, and component key
  • parse purls with packageurl-python and apply explicit PyPI/PEP 503 normalization
  • distinguish duplicate_component from conflicting_metadata in both Python errors and CLI output
  • drive diff equality and version classification from canonical identity
  • cover CycloneDX-to-SPDX alignment, lexical variants, purl-only version changes, and conflict paths

Validation

  • python -m pytest (213 passed)
  • python -m ruff check on all changed Python files
  • python scripts/regenerate-example-artifacts.py --check
  • python scripts/validate-reviewer-routes.py
  • python -m pip check
  • wheel/sdist build plus wheel metadata inspection
  • git diff --check

Boundaries

  • no report schema expansion
  • no repository split
  • only PyPI name normalization is project-defined; other ecosystem names preserve case until test-backed rules exist
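As an added illustration of the identity model described in this PR (example code written for this page, not the project's own implementation): PEP 503 normalization is applied to PyPI names only, a minimal purl split stands in for packageurl-python so it runs offline, and a repeated identical identity raises a different error than declared fields that disagree with the purl. The class, function and error names are assumptions, not the project's API.

```python
import re
from dataclasses import dataclass

_PEP503_SEP = re.compile(r"[-_.]+")  # PEP 503: collapse runs of '-', '_', '.' to one '-', compare lowercased

class DuplicateComponent(ValueError): ...   # the same canonical identity supplied twice
class ConflictingMetadata(ValueError): ...  # declared fields disagree with the purl

def normalize_name(ecosystem: str, name: str) -> str:
    # Only PyPI names get a project-defined rule; other ecosystems keep their case.
    return _PEP503_SEP.sub("-", name).lower() if ecosystem == "pypi" else name

@dataclass(frozen=True)
class CanonicalComponentIdentity:
    ecosystem: str
    name: str
    version: "str | None"
    purl: str

    @classmethod
    def from_component(cls, ecosystem, name, version=None, purl=None):
        name = normalize_name(ecosystem, name)
        if purl:
            # Minimal 'pkg:type/name[@version]' split (no namespace/qualifiers); stand-in for packageurl-python.
            if not purl.startswith("pkg:") or "/" not in purl:
                raise ValueError(f"unsupported purl: {purl}")
            p_eco, rest = purl[4:].split("/", 1)
            p_name, _, p_ver = rest.partition("@")
            p_name = normalize_name(p_eco, p_name)
            if (p_eco, p_name) != (ecosystem, name) or (version and p_ver and version != p_ver):
                raise ConflictingMetadata(f"{ecosystem}/{name}@{version} vs {purl}")
            version = version or p_ver or None  # a version carried only by the purl still counts
        canonical_purl = f"pkg:{ecosystem}/{name}" + (f"@{version}" if version else "")
        return cls(ecosystem, name, version, canonical_purl)
    @property
    def key(self) -> str:
        return f"{self.ecosystem}:{self.name}"

def index_components(components):
    seen = {}
    for c in components:
        ident = CanonicalComponentIdentity.from_component(**c)
        if ident in seen:  # an identical identity twice is a duplicate, not a conflict
            raise DuplicateComponent(ident.purl)
        seen[ident] = c
    return seen

def classify_change(old, new):  # diff equality is driven by canonical identity
    if old == new:
        return "unchanged"
    return "version_change" if old.key == new.key else "different_component"
```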

@stacknil stacknil merged commit eb27e15 into main Jul 5, 2026
11 checks passed
@stacknil stacknil deleted the codex/v1.1-canonical-component-identity branch July 5, 2026 11:23