diff --git a/tools/sbom-diff-and-risk/README.md b/tools/sbom-diff-and-risk/README.md
index 175fb18..0269d00 100644
--- a/tools/sbom-diff-and-risk/README.md
+++ b/tools/sbom-diff-and-risk/README.md
@@ -1,6 +1,11 @@
 # sbom-diff-and-risk
-v0.7.0 is the consumer integration usability release. It adds CI-facing documentation and checked-in examples for consuming `summary.json`, using local thresholds, and running `sbom-diff-risk` from a consumer GitHub Actions workflow. It keeps CLI analysis behavior unchanged, keeps dependency analysis local and deterministic by default, preserves the completed TestPyPI dry-run story, and keeps production PyPI publishing intentionally deferred.
+v0.8.0 is the policy decision explainability release. It adds stable
+machine-readable explanation fields for JSON policy findings and reviewer
+documentation for interpreting local policy decisions. It keeps CLI analysis
+behavior unchanged, keeps dependency analysis local and deterministic by
+default, preserves the completed TestPyPI dry-run story, and keeps production
+PyPI publishing intentionally deferred.
 `sbom-diff-and-risk` is a local, deterministic CLI for comparing two SBOMs or dependency manifests and producing JSON plus Markdown reports.
diff --git a/tools/sbom-diff-and-risk/RELEASE_NOTES_v0.8.0.md b/tools/sbom-diff-and-risk/RELEASE_NOTES_v0.8.0.md
index c2137a0..b57568c 100644
--- a/tools/sbom-diff-and-risk/RELEASE_NOTES_v0.8.0.md
+++ b/tools/sbom-diff-and-risk/RELEASE_NOTES_v0.8.0.md
@@ -11,10 +11,6 @@ reports and reviewer documentation. It keeps the dependency diff model, existing CLI flags, Markdown output behavior, SARIF output behavior, workflows, release tags, and publishing status unchanged.
-This file is a draft release note. Drafting this file does not bump the package
-version, create a tag, create a GitHub Release, publish to TestPyPI, or publish
-to production PyPI.
-
 ## Highlights
 - Added stable policy decision explanation fields to JSON policy findings.
@@ -85,10 +81,12 @@ production PyPI Trusted Publishing provenance answer different trust questions.
 ## Distribution status
-- The latest published GitHub Release remains `v0.7.0` until `v0.8.0` is
- intentionally tagged and released.
-- This draft does not publish to TestPyPI.
-- This draft does not publish to production PyPI.
+- The `v0.8.0` GitHub Release is expected to be created from the tag-gated
+ release workflow.
+- Release assets are expected to include the wheel, source distribution, and
+ `sbom-diff-and-risk-SHA256SUMS.txt`.
+- This release does not publish to TestPyPI.
+- This release does not publish to production PyPI.
 - Production PyPI publishing remains intentionally deferred.
 - No production PyPI workflow is added.
@@ -98,8 +96,6 @@ production PyPI Trusted Publishing provenance answer different trust questions.
 - No Markdown output behavior changes.
 - No SARIF output behavior changes.
 - No workflow changes.
-- No package version bump in this draft PR.
-- No tag or GitHub Release in this draft PR.
 - No PyPI/TestPyPI publishing.
 - No production PyPI workflow.
 - No hidden network behavior.
diff --git a/tools/sbom-diff-and-risk/examples/sample-provenance-report.sarif b/tools/sbom-diff-and-risk/examples/sample-provenance-report.sarif
index fed303c..b33fdf1 100644
--- a/tools/sbom-diff-and-risk/examples/sample-provenance-report.sarif
+++ b/tools/sbom-diff-and-risk/examples/sample-provenance-report.sarif
@@ -7,8 +7,8 @@
 "driver": {
 "name": "sbom-diff-risk",
 "fullName": "sbom-diff-risk",
- "version": "0.7.0",
- "semanticVersion": "0.7.0",
+ "version": "0.8.0",
+ "semanticVersion": "0.8.0",
 "rules": [
 {
 "id": "sdr.policy_violation.provenance_required",
diff --git a/tools/sbom-diff-and-risk/examples/sample-sarif.sarif b/tools/sbom-diff-and-risk/examples/sample-sarif.sarif
index 7b05db1..8024cdf 100644
--- a/tools/sbom-diff-and-risk/examples/sample-sarif.sarif
+++ b/tools/sbom-diff-and-risk/examples/sample-sarif.sarif
@@ -7,8 +7,8 @@
 "driver": {
 "name": "sbom-diff-risk",
 "fullName": "sbom-diff-risk",
- "version": "0.7.0",
- "semanticVersion": "0.7.0",
+ "version": "0.8.0",
+ "semanticVersion": "0.8.0",
 "rules": [
 {
 "id": "sdr.major_upgrade",
diff --git a/tools/sbom-diff-and-risk/examples/sample-scorecard-report.sarif b/tools/sbom-diff-and-risk/examples/sample-scorecard-report.sarif
index 20de686..4c3f460 100644
--- a/tools/sbom-diff-and-risk/examples/sample-scorecard-report.sarif
+++ b/tools/sbom-diff-and-risk/examples/sample-scorecard-report.sarif
@@ -7,8 +7,8 @@
 "driver": {
 "name": "sbom-diff-risk",
 "fullName": "sbom-diff-risk",
- "version": "0.7.0",
- "semanticVersion": "0.7.0",
+ "version": "0.8.0",
+ "semanticVersion": "0.8.0",
 "rules": [
 {
 "id": "sdr.policy_violation.scorecard_below_threshold",
diff --git a/tools/sbom-diff-and-risk/pyproject.toml b/tools/sbom-diff-and-risk/pyproject.toml
index bc0ca25..4dcac7e 100644
--- a/tools/sbom-diff-and-risk/pyproject.toml
+++ b/tools/sbom-diff-and-risk/pyproject.toml
@@ -4,7 +4,7 @@ build-backend = "setuptools.build_meta"
 [project]
 name = "sbom-diff-and-risk"
-version = "0.7.0"
+version = "0.8.0"
 description = "Deterministic SBOM diff CLI with heuristic risk reporting."
 readme = { file = "PYPI_DESCRIPTION.md", content-type = "text/markdown" }
 requires-python = ">=3.11"
diff --git a/tools/sbom-diff-and-risk/src/sbom_diff_risk/__init__.py b/tools/sbom-diff-and-risk/src/sbom_diff_risk/__init__.py
index 7154c3a..2415db0 100644
--- a/tools/sbom-diff-and-risk/src/sbom_diff_risk/__init__.py
+++ b/tools/sbom-diff-and-risk/src/sbom_diff_risk/__init__.py
@@ -2,4 +2,4 @@ __all__ = ["__version__"]
-__version__ = "0.7.0"
+__version__ = "0.8.0"