feat: implement SBOM diff engine with vulnerability delta calculation #8

Merged
PrasanthYT merged 1 commit into main from feature/sbom-diff-engine- on Mar 2, 2026

Conversation

@PrasanthYT (Contributor)

Overview

This PR introduces SBOM comparison functionality to Scanr.

It enables comparison of two CycloneDX SBOM files to detect dependency changes and compute vulnerability deltas between versions.

This adds change intelligence and release risk visibility.

Scope

SBOM Loading

  • Load and parse two CycloneDX JSON files
  • Extract components into internal model

Dependency Comparison

Detect:

  • Added dependencies
  • Removed dependencies
  • Version changes

Efficient comparison implemented using indexed lookup for scalability.

Vulnerability Delta

  • Re-run vulnerability matching for newly added or upgraded components

  • Compute:

    • New vulnerabilities introduced
    • Resolved vulnerabilities
    • Severity breakdown

CLI Command

scanr sbom diff old.json new.json

Example Output

Added: axios@1.2.0
Removed: lodash@4.17.19
Updated: react 17.0.1 → 18.2.0

New Vulnerabilities: 1 HIGH
Resolved Vulnerabilities: 2 MODERATE

Validation

  • Correct delta calculation verified on test SBOMs
  • Vulnerability re-evaluation accurate
  • Handles large SBOMs efficiently
  • cargo build --workspace --release passes
  • CLI executes without panic

Impact

  • Enables release comparison analysis
  • Supports CI gating on dependency changes
  • Enhances supply chain visibility over time
  • Improves practical security monitoring

No breaking changes.

🎯 Why This Milestone Matters

Most tools show current vulnerabilities.

Scanr now answers:

What changed between releases?
Did we introduce new risk?

This makes it suitable for:

  • Release validation
  • CI enforcement
  • Security auditing
  • Supply chain tracking

@PrasanthYT PrasanthYT merged commit 2efe557 into main Mar 2, 2026
2 checks passed
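The comparison the PR describes (index both CycloneDX component lists, detect added/removed/updated entries, then re-run vulnerability matching only for the components that changed) is shown below as an added, self-contained illustration. This is not Scanr's code and does not use its crate API; the two SBOM documents, the advisory table and the advisory IDs (`ADV-EXAMPLE-*`) are constructed here so the script runs offline and reproduces the example output from the PR description.

```python
"""Added illustration of a CycloneDX SBOM diff with vulnerability delta.
Not Scanr's implementation; all inputs below are constructed."""
import json
from collections import Counter

# Constructed minimal CycloneDX 1.5 documents (not real project SBOMs).
OLD_SBOM = json.dumps({"bomFormat": "CycloneDX", "specVersion": "1.5", "components": [
    {"type": "library", "name": "lodash", "version": "4.17.19", "purl": "pkg:npm/lodash@4.17.19"},
    {"type": "library", "name": "react", "version": "17.0.1", "purl": "pkg:npm/react@17.0.1"},
    {"type": "library", "name": "express", "version": "4.18.2", "purl": "pkg:npm/express@4.18.2"},
]})
NEW_SBOM = json.dumps({"bomFormat": "CycloneDX", "specVersion": "1.5", "components": [
    {"type": "library", "name": "axios", "version": "1.2.0", "purl": "pkg:npm/axios@1.2.0"},
    {"type": "library", "name": "react", "version": "18.2.0", "purl": "pkg:npm/react@18.2.0"},
    {"type": "library", "name": "express", "version": "4.18.2", "purl": "pkg:npm/express@4.18.2"},
]})

# Constructed advisory table keyed by (name, version). The IDs are placeholders, not real CVEs.
ADVISORIES = {
    ("axios", "1.2.0"): [("ADV-EXAMPLE-0001", "HIGH")],
    ("lodash", "4.17.19"): [("ADV-EXAMPLE-0002", "MODERATE")],
    ("react", "17.0.1"): [("ADV-EXAMPLE-0003", "MODERATE")],
}


def load_components(text):
    """Parse a CycloneDX JSON document into {component key: version} for O(1) lookups."""
    doc = json.loads(text)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    index = {}
    for comp in doc.get("components", []):
        # Include the group (Maven groupId, npm scope) so same-named packages do not collide.
        key = f"{comp['group']}/{comp['name']}" if comp.get("group") else comp["name"]
        index[key] = comp.get("version", "")
    return index


def diff_components(old, new):
    """Return (added keys, removed keys, [(key, old_version, new_version)]) using the indexes."""
    added = sorted(k for k in new if k not in old)
    removed = sorted(k for k in old if k not in new)
    updated = sorted((k, old[k], new[k]) for k in old if k in new and old[k] != new[k])
    return added, removed, updated


def match_vulnerabilities(index):
    """Return {(component key, advisory id, severity)} for every component in the index."""
    found = set()
    for key, version in index.items():
        name = key.rsplit("/", 1)[-1]
        for adv_id, severity in ADVISORIES.get((name, version), []):
            found.add((key, adv_id, severity))
    return found


def vulnerability_delta(old, new):
    """Re-match only changed components: unchanged ones cannot move the delta.
    Returns (introduced, resolved) as sets of (key, advisory id, severity)."""
    added, removed, updated = diff_components(old, new)
    changed = [k for k, _, _ in updated]
    before = match_vulnerabilities({k: old[k] for k in removed + changed})
    after = match_vulnerabilities({k: new[k] for k in added + changed})
    return after - before, before - after


def severity_breakdown(findings):
    """Count findings per severity label, e.g. {'MODERATE': 2}."""
    return dict(Counter(sev for _, _, sev in findings))


def format_counts(findings):
    counts = severity_breakdown(findings)
    return ", ".join(f"{n} {sev}" for sev, n in sorted(counts.items())) or "none"


def report(old_text, new_text):
    """Produce the human-readable diff lines in the style of the PR's example output."""
    old, new = load_components(old_text), load_components(new_text)
    added, removed, updated = diff_components(old, new)
    introduced, resolved = vulnerability_delta(old, new)
    lines = [f"Added: {k}@{new[k]}" for k in added]
    lines += [f"Removed: {k}@{old[k]}" for k in removed]
    lines += [f"Updated: {k} {o} → {n}" for k, o, n in updated]
    lines += ["", f"New Vulnerabilities: {format_counts(introduced)}",
              f"Resolved Vulnerabilities: {format_counts(resolved)}"]
    return lines


if __name__ == "__main__":
    print("\n".join(report(OLD_SBOM, NEW_SBOM)))
```

Findings are keyed by (component, advisory id, severity), so an advisory that still applies after a version bump is carried over rather than counted as both resolved and introduced; for CI gating, a non-empty `introduced` set (or any HIGH entry in its breakdown) is the natural fail condition.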