Good first review: trace one SBOM change through diff, risk, and policy artifacts #103

Description

@stacknil

Review target

Choose one component change from the checked-in SBOM examples and trace it through:

  • component diff output,
  • heuristic risk findings,
  • optional policy findings,
  • summary or policy sidecar output.

Start with the bounded policy review case study.

Done when

A review comment names the input component, emitted fields, policy explanation, and any unclear boundary. A pull request is optional.

Boundaries

Do not reinterpret local risk buckets as CVE, malware, exploitability, or package safety verdicts. Use checked-in no-network examples only.
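The pipeline this issue asks a reviewer to trace (component diff, heuristic risk bucket, optional policy finding, summary sidecar) sketched as an added example in Python. This is not the project's own code and does not use its real formats, field names or bucket names: it assumes CycloneDX-style JSON SBOMs constructed inline, and the bucket names, the `policy` shape and the output fields are illustrative assumptions. In keeping with the boundary above, each bucket describes only the shape of the change (new, removed, major bump) and is not a CVE, malware, exploitability or package-safety verdict.

```python
"""Minimal SBOM component diff with heuristic risk buckets and a policy sidecar.

Added example, not the project's code. Assumes CycloneDX-style JSON with a
top-level "components" list whose entries carry "name", "version" and
optionally "purl". Bucket names and output fields are illustrative.
"""
import json
import re

# Constructed sample SBOMs (not real project artifacts).
OLD_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "components": [
        {"name": "requests", "version": "2.31.0", "purl": "pkg:pypi/requests@2.31.0"},
        {"name": "urllib3", "version": "1.26.18", "purl": "pkg:pypi/urllib3@1.26.18"},
        {"name": "certifi", "version": "2024.2.2", "purl": "pkg:pypi/certifi@2024.2.2"},
    ],
})
NEW_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "components": [
        {"name": "requests", "version": "2.32.3", "purl": "pkg:pypi/requests@2.32.3"},
        {"name": "urllib3", "version": "2.2.1", "purl": "pkg:pypi/urllib3@2.2.1"},
        {"name": "idna", "version": "3.7", "purl": "pkg:pypi/idna@3.7"},
    ],
})


def _index(sbom_json):
    """Map a component key (purl without version, else name) to its version."""
    out = {}
    for c in json.loads(sbom_json).get("components", []):
        key = c.get("purl", "").split("@")[0] or c["name"]
        out[key] = c.get("version", "")
    return out


def diff_components(old_json, new_json):
    """Component diff: one entry per added, removed or re-versioned component."""
    old, new = _index(old_json), _index(new_json)
    changes = []
    for key in sorted(set(old) | set(new)):
        if key not in old:
            changes.append({"component": key, "change": "added", "old": None, "new": new[key]})
        elif key not in new:
            changes.append({"component": key, "change": "removed", "old": old[key], "new": None})
        elif old[key] != new[key]:
            changes.append({"component": key, "change": "version", "old": old[key], "new": new[key]})
    return changes


_VERSION = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?")


def _major(version):
    m = _VERSION.match(version or "")
    return int(m.group(1)) if m else None


def risk_bucket(change):
    """Heuristic bucket (assumed names). Describes the shape of the change only;
    it is not a CVE, malware, exploitability or package-safety verdict."""
    if change["change"] == "added":
        return "new-component"
    if change["change"] == "removed":
        return "removed-component"
    old_major, new_major = _major(change["old"]), _major(change["new"])
    if old_major is None or new_major is None:
        return "unparsed-version"
    if new_major > old_major:
        return "major-version-bump"
    if new_major < old_major:
        return "version-downgrade"
    return "minor-or-patch-bump"


def policy_findings(changes, policy):
    """Optional policy layer: flag entries whose bucket is listed in policy["flag"].
    The explanation names the rule and the versions so the reviewer can see why it fired."""
    findings = []
    for ch in changes:
        bucket = risk_bucket(ch)
        if bucket in policy.get("flag", ()):
            findings.append({
                "component": ch["component"],
                "bucket": bucket,
                "explanation": f"policy flags bucket '{bucket}' ({ch['old']} -> {ch['new']})",
            })
    return findings


def summary(changes, policy):
    """Sidecar-style summary: bucket counts plus the policy findings."""
    counts = {}
    for ch in changes:
        b = risk_bucket(ch)
        counts[b] = counts.get(b, 0) + 1
    return {"buckets": counts, "policy": policy_findings(changes, policy)}


if __name__ == "__main__":
    POLICY = {"flag": ["major-version-bump", "new-component"]}  # assumed policy shape
    print(json.dumps(summary(diff_components(OLD_SBOM, NEW_SBOM), POLICY), indent=2))
```

Tracing one change through this: `urllib3` 1.26.18 -> 2.2.1 appears in the diff as a `version` entry, lands in the `major-version-bump` bucket, and the policy finding's `explanation` names the bucket and both versions. Nothing in the output claims the bump fixes or introduces a vulnerability; that is exactly the boundary the review should keep.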

Metadata

Assignees: No one assigned
Labels: documentation (Improvements or additions to documentation), good first issue (Good for newcomers), help wanted (Extra attention is needed)
Projects: No projects
Milestone: No milestone
Relationships: None yet
Development: No branches or pull requests