
Releases: stacknil/scientific-computing-toolkit

sbom-diff-and-risk v0.8.0

09 May 14:33
68135e2


sbom-diff-and-risk v0.8.0

v0.8.0 is the policy decision explainability release.

Theme

Policy decision explainability for machine-readable JSON reports.

v0.8.0 focuses on making local policy outcomes easier to inspect from JSON
reports and reviewer documentation. It keeps the dependency diff model,
existing CLI flags, Markdown output behavior, SARIF output behavior, workflows,
release tags, and publishing status unchanged.

Highlights

  • Added stable policy decision explanation fields to JSON policy findings.
  • Documented those fields in
    docs/report-schema.md.
  • Added reviewer-facing interpretation guidance in
    docs/policy-decision-explainability.md.
  • Kept summary.policy unchanged as the compact policy count/status surface.
  • Kept production PyPI intentionally deferred.

Machine-readable policy explainability

Policy findings in JSON reports can now include additive explanation fields:

  • decision_reason
  • policy_rule
  • severity_source
  • matched_threshold
  • observed_value

These fields explain why a local policy rule produced a block, warning, or
suppression. They are policy-decision metadata only; they are not dependency
safety verdicts, CVE results, or proof that a package is safe or unsafe.

The fields appear only on policy finding objects, such as:

  • policy_evaluation.blocking_violations
  • policy_evaluation.warning_violations
  • policy_evaluation.suppressed_violations
  • blocking_findings
  • warning_findings
  • suppressed_findings
  • provenance policy impact sections

Risk findings in the risks array remain local heuristic findings. They receive
policy-decision metadata only when policy evaluation maps them into policy
findings.

JSON schema / compatibility notes

  • The JSON report schema remains conservative and additive where possible.
  • Existing summary.policy behavior is unchanged.
  • Existing --out-json behavior remains the full JSON report output.
  • Existing --summary-json PATH behavior remains summary-only output.
  • Existing policy pass, warn, and fail behavior is unchanged.
  • Existing CLI flags are unchanged.
  • Consumers should treat unrecognized future fields as additive report data.
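As an added consumer-side example (not code from the sbom-diff-and-risk project), this reads the policy finding surfaces listed above from a full JSON report, extracts the five documented explanation fields, and drops unrecognized keys as additive data while leaving the risks array untouched. The report layout, the `package` key, and every field value are constructed assumptions; the release notes do not specify value types.

```python
# Explanation fields documented for v0.8.0 policy findings.
EXPLANATION_FIELDS = ("decision_reason", "policy_rule", "severity_source",
                      "matched_threshold", "observed_value")
# Report locations holding policy finding objects (full --out-json report).
POLICY_FINDING_PATHS = (
    ("policy_evaluation", "blocking_violations"),
    ("policy_evaluation", "warning_violations"),
    ("policy_evaluation", "suppressed_violations"),
    ("blocking_findings",),
    ("warning_findings",),
    ("suppressed_findings",),
)

def _findings_at(report, path):
    """Walk a key path; return the dict entries of the list there, else []."""
    node = report
    for key in path:
        if not isinstance(node, dict):
            return []
        node = node.get(key, [])
    return [f for f in node if isinstance(f, dict)] if isinstance(node, list) else []

def explain_policy_decisions(report):
    """One row per policy finding per surface with only the documented
    explanation fields (absent ones become None). Unknown keys are dropped
    as additive data; 'risks' is never read (no policy-decision metadata)."""
    rows = []
    for path in POLICY_FINDING_PATHS:
        for finding in _findings_at(report, path):
            # A finding may be listed under more than one surface; rows are
            # therefore keyed by surface rather than deduplicated.
            row = {"surface": ".".join(path),
                   "package": finding.get("package")}  # assumed key name
            row.update((f, finding.get(f)) for f in EXPLANATION_FIELDS)
            rows.append(row)
    return rows

# Constructed sample report; key shapes and values are illustrative only.
SAMPLE_REPORT = {
    "policy_evaluation": {
        "blocking_violations": [{
            "package": "examplepkg", "decision_reason": "major upgrade",
            "policy_rule": "block_major_upgrades", "severity_source": "policy",
            "matched_threshold": 0, "observed_value": 1, "future_field": "x"}],
        "warning_violations": [{
            "package": "otherpkg", "decision_reason": "unknown license",
            "policy_rule": "warn_unknown_license", "severity_source": "default"}],
    },
    "risks": [{"package": "otherpkg", "bucket": "unknown_license"}],
}
```

The rows describe why a local policy rule fired; they say nothing about whether a package is safe, so treat them as review context rather than a verdict.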

Documentation and evidence surfaces

The v0.8 documentation keeps the release/distribution evidence surfaces
separate from tool behavior. GitHub workflow artifact attestations, GitHub
Release asset verification, TestPyPI Trusted Publishing validation, and future
production PyPI Trusted Publishing provenance answer different trust questions.

Distribution status

  • The v0.8.0 GitHub Release is expected to be created from the tag-gated
    release workflow.
  • Release assets are expected to include the wheel, source distribution, and
    sbom-diff-and-risk-SHA256SUMS.txt.
  • This release does not publish to TestPyPI.
  • This release does not publish to production PyPI.
  • Production PyPI publishing remains intentionally deferred.
  • No production PyPI workflow is added.

Not in this release

  • No new CLI flags.
  • No Markdown output behavior changes.
  • No SARIF output behavior changes.
  • No workflow changes.
  • No PyPI/TestPyPI publishing.
  • No production PyPI workflow.
  • No hidden network behavior.
  • No CVE lookup or CVE resolution.
  • No dependency safety verdicts.

sbom-diff-and-risk v0.7.0

04 May 13:41
d1b9852


Release assets for v0.7.0. See docs/release-provenance.md for provenance verification guidance.

sbom-diff-and-risk v0.6.0

01 May 11:31
1bbaabc


Release assets for v0.6.0. See docs/release-provenance.md for provenance verification guidance.

sbom-diff-and-risk v0.5.1

28 Apr 10:09
d972beb


sbom-diff-and-risk v0.5.1

Release-only maintenance update.

  • Adds sbom-diff-and-risk-SHA256SUMS.txt to GitHub Release assets.
  • Keeps CLI behavior unchanged.
  • Keeps production PyPI deferred.

sbom-diff-and-risk v0.5.0

27 Apr 03:19
0012cc5


v0.5.0

Theme: production PyPI decision gate

Highlights

  • Added the production PyPI publishing decision gate for sbom-diff-and-risk.
  • Confirmed the intended production package name remains sbom-diff-and-risk.
  • Documented the future production publisher identity and workflow shape without enabling a production upload path.
  • Clarified that TestPyPI, GitHub workflow artifact attestations, GitHub Release asset verification, and PyPI Trusted Publishing provenance are separate trust surfaces.

Distribution status

  • TestPyPI dry-run completed; production PyPI intentionally deferred.
  • The TestPyPI package exists for version 0.4.1.
  • The v0.5.0 release is a GitHub Release and package version bump only.
  • No production PyPI workflow is added in this release.
  • No production PyPI upload is performed by this release.

Packaging and release alignment

  • Bumped the package version to 0.5.0.
  • Synced sbom_diff_risk.__version__ with the package metadata.
  • Updated sample SARIF metadata to report 0.5.0.
  • Updated the README top-level release narrative for the v0.5.0 gate.

Not in this release

  • No analyzer features were added.
  • No SARIF behavior changes were added beyond sample metadata version alignment.
  • No policy behavior changes were added.
  • No hidden network behavior was added.
  • No production PyPI publishing path was enabled.

sbom-diff-and-risk v0.4.1

22 Apr 07:00


v0.4.1

  • release asset automation fix
  • tag-path release publishing validation
  • no CLI analysis changes

sbom-diff-and-risk v0.4.0

21 Apr 19:36


v0.4.0

Theme: release/distribution provenance hardening

Highlights

  • Clarified the GitHub-hosted provenance story for sbom-diff-and-risk workflow-built artifacts and GitHub Release assets.
  • Kept workflow artifact attestation and GitHub Release verification as explicit, separate consumer verification surfaces.
  • Documented PyPI Trusted Publishing readiness and sequencing, while intentionally not enabling PyPI publishing yet.

Verification story

  • Workflow-built wheel and source distribution artifacts remain verifiable through gh attestation verify.
  • Version-tag releases can publish those same built files as GitHub Release assets, with consumer guidance for gh release verify and gh release verify-asset.
  • Verification docs now point users more directly to the right path depending on whether they want to verify the tool itself or analyze third-party dependency provenance with the tool.

Packaging and release alignment

  • Bumped the package version to 0.4.0.
  • Synced the README top-level version narrative with the v0.4.0 release hardening theme.
  • Updated example SARIF outputs and PyPI readiness notes to reference the 0.4.0 package line consistently.

Not in this release

  • No PyPI publishing is enabled yet.
  • No new CLI analysis features were added.
  • Default CLI behavior remains local and deterministic, with no hidden network access.

sbom-diff-and-risk v0.3.0

19 Apr 10:04
159613e


  • opt-in PyPI provenance enrichment
  • provenance-aware policy
  • provenance-aware report/SARIF behavior
  • self-provenance verification for workflow-built artifacts

sbom-diff-and-risk v0.2.0

15 Apr 06:29


Highlights

  • policy-aware reporting and enforcement-oriented CLI behavior
  • GitHub-compatible SARIF export with code scanning validation on main
  • conservative parser tightening for deterministic local mode
  • sbom-diff-and-risk package version bumped to 0.2.0

Verification

  • local python -m pytest passed before release
  • GitHub code scanning analysis on main now reports tool version 0.2.0

v0.1.0

10 Apr 03:23


v0.1.0

  • Added deterministic diffing for CycloneDX JSON, SPDX JSON, requirements.txt, and pyproject.toml
  • Added conservative risk buckets for new packages, major upgrades, unknown licenses, suspicious sources, and opt-in future stale evaluation
  • Added stable JSON/Markdown reporting with golden tests
  • Clarified scope: no CVE matching, no hidden enrichment, no reputation scoring by default