diff --git a/tools/sbom-diff-and-risk/PYPI_DESCRIPTION.md b/tools/sbom-diff-and-risk/PYPI_DESCRIPTION.md
new file mode 100644
index 0000000..1c3aff8
--- /dev/null
+++ b/tools/sbom-diff-and-risk/PYPI_DESCRIPTION.md
@@ -0,0 +1,61 @@
+# sbom-diff-and-risk
+
+`sbom-diff-and-risk` is a local, deterministic CLI for comparing two SBOMs or dependency manifests and producing review-friendly reports.
+
+It is designed for conservative supply-chain review workflows:
+
+- compare `before` and `after` dependency inventories
+- identify added, removed, and changed components
+- apply heuristic risk buckets to new and changed dependencies
+- emit JSON, Markdown, and SARIF outputs
+- keep default runs local-file based and deterministic
+
+## Supported inputs
+
+- CycloneDX JSON
+- SPDX JSON
+- `requirements.txt`
+- `pyproject.toml` via PEP 621 `[project]` metadata
+- `pyproject.toml` dependency groups via PEP 735 `[dependency-groups]`
+
+## Output formats
+
+- `report.json`
+- `report.md`
+- `report.sarif`
+
+## Install
+
+```bash
+python -m pip install sbom-diff-and-risk
+```
+
+## Quick start
+
+```bash
+sbom-diff-risk compare \
+    --before before.sbom.json \
+    --after after.sbom.json \
+    --format auto \
+    --out-json report.json \
+    --out-md report.md
+```
+
+## Defaults and scope
+
+- default operation is local and deterministic
+- no hidden network access occurs unless enrichment is enabled explicitly
+- no CVE or vulnerability database integration is performed
+- risk buckets are heuristic review signals, not security verdicts
+
+Optional enrichment can be enabled explicitly for:
+
+- PyPI provenance and integrity signals
+- OpenSSF Scorecard signals
+
+## Typical use cases
+
+- compare two release SBOMs during code review
+- review dependency manifest changes in CI
+- produce machine-readable and reviewer-readable change reports
+- add conservative policy gates around dependency changes
diff --git a/tools/sbom-diff-and-risk/pyproject.toml b/tools/sbom-diff-and-risk/pyproject.toml
index a6c42ee..35cf223 100644
--- a/tools/sbom-diff-and-risk/pyproject.toml
+++ b/tools/sbom-diff-and-risk/pyproject.toml
@@ -5,18 +5,36 @@ build-backend = "setuptools.build_meta"
 
 [project]
 name = "sbom-diff-and-risk"
 version = "0.4.1"
-description = "Local, deterministic SBOM diff and heuristic risk reporting."
-readme = "README.md"
+description = "Deterministic SBOM diff CLI with heuristic risk reporting."
+readme = { file = "PYPI_DESCRIPTION.md", content-type = "text/markdown" }
 requires-python = ">=3.11"
 license = "MIT"
 authors = [
   { name = "OpenAI Codex" }
 ]
+keywords = ["sbom", "supply-chain", "cyclonedx", "spdx", "dependencies"]
+classifiers = [
+    "Development Status :: 3 - Alpha",
+    "Environment :: Console",
+    "Intended Audience :: Developers",
+    "Operating System :: OS Independent",
+    "Programming Language :: Python :: 3",
+    "Programming Language :: Python :: 3 :: Only",
+    "Programming Language :: Python :: 3.11",
+    "Topic :: Security",
+    "Topic :: Software Development :: Libraries :: Python Modules",
+]
 dependencies = [
   "packaging>=24.0",
   "PyYAML>=6.0",
 ]
+[project.urls]
+Homepage = "https://github.com/stacknil/scientific-computing-toolkit"
+Repository = "https://github.com/stacknil/scientific-computing-toolkit"
+Issues = "https://github.com/stacknil/scientific-computing-toolkit/issues"
+Releases = "https://github.com/stacknil/scientific-computing-toolkit/releases"
+
 [project.optional-dependencies]
 dev = [
   "pytest>=8.0",
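Review bot: The new `[project.urls]` block points both `Homepage` and `Repository` at the monorepo root, so someone verifying the package's origin from PyPI lands on `scientific-computing-toolkit` and has to locate `tools/sbom-diff-and-risk` by hand; consider `Repository = "https://github.com/stacknil/scientific-computing-toolkit/tree/<default-branch>/tools/sbom-diff-and-risk"` with the branch name filled in. The classifier list names only `"Programming Language :: Python :: 3.11"` while the unchanged `requires-python = ">=3.11"` admits newer interpreters; add `"Programming Language :: Python :: 3.12"` (and later) for the versions the test matrix actually covers, or leave a comment noting 3.11 is the only tested release. As a point of style, the added `classifiers` array is indented with four spaces while the adjacent `authors` and `dependencies` arrays use two. The `readme` table now ties the PyPI page to `PYPI_DESCRIPTION.md` while `README.md` remains in the tree; a comment such as `# PyPI-facing readme; keep in sync with README.md` above it would make that split explicit for the next editor.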