|
| 1 | +# sbom-diff-and-risk v0.8.0 |
| 2 | + |
| 3 | +`v0.8.0` is the policy decision explainability release. |
| 4 | + |
| 5 | +## Theme |
| 6 | + |
| 7 | +Policy decision explainability for machine-readable JSON reports. |
| 8 | + |
| 9 | +`v0.8.0` focuses on making local policy outcomes easier to inspect from JSON |
| 10 | +reports and reviewer documentation. It keeps the dependency diff model, |
| 11 | +existing CLI flags, Markdown output behavior, SARIF output behavior, workflows, |
| 12 | +release tags, and publishing status unchanged. |
| 13 | + |
| 14 | +This file is a draft release note. Drafting this file does not bump the package |
| 15 | +version, create a tag, create a GitHub Release, publish to TestPyPI, or publish |
| 16 | +to production PyPI. |
| 17 | + |
| 18 | +## Highlights |
| 19 | + |
| 20 | +- Added stable policy decision explanation fields to JSON policy findings. |
| 21 | +- Documented those fields in |
| 22 | + [docs/report-schema.md](docs/report-schema.md). |
| 23 | +- Added reviewer-facing interpretation guidance in |
| 24 | + [docs/policy-decision-explainability.md](docs/policy-decision-explainability.md). |
| 25 | +- Kept `summary.policy` unchanged as the compact policy count/status surface. |
| 26 | +- Kept production PyPI intentionally deferred. |
| 27 | + |
| 28 | +## Machine-readable policy explainability |
| 29 | + |
| 30 | +Policy findings in JSON reports can now include additive explanation fields: |
| 31 | + |
| 32 | +- `decision_reason` |
| 33 | +- `policy_rule` |
| 34 | +- `severity_source` |
| 35 | +- `matched_threshold` |
| 36 | +- `observed_value` |
| 37 | + |
| 38 | +These fields explain why a local policy rule produced a block, warning, or |
| 39 | +suppression. They are policy-decision metadata only; they are not dependency |
| 40 | +safety verdicts, CVE results, or proof that a package is safe or unsafe. |
| 41 | + |
| 42 | +The fields appear only on policy finding objects, such as: |
| 43 | + |
| 44 | +- `policy_evaluation.blocking_violations` |
| 45 | +- `policy_evaluation.warning_violations` |
| 46 | +- `policy_evaluation.suppressed_violations` |
| 47 | +- `blocking_findings` |
| 48 | +- `warning_findings` |
| 49 | +- `suppressed_findings` |
| 50 | +- provenance policy impact sections |
| 51 | + |
| 52 | +Risk findings in `risks` remain local heuristic findings. They do not receive |
| 53 | +policy-decision metadata unless policy evaluation maps them into policy |
| 54 | +findings. |
| 55 | + |
| 56 | +## JSON schema / compatibility notes |
| 57 | + |
| 58 | +- The JSON report schema remains conservative and additive where possible. |
| 59 | +- Existing `summary.policy` behavior is unchanged. |
| 60 | +- Existing `--out-json` behavior remains the full JSON report output. |
| 61 | +- Existing `--summary-json PATH` behavior remains summary-only output. |
| 62 | +- Existing policy pass, warn, and fail behavior is unchanged. |
| 63 | +- Existing CLI flags are unchanged. |
| 64 | +- Consumers should treat unrecognized future fields as additive report data. |
| 65 | + |
| 66 | +## Documentation and evidence surfaces |
| 67 | + |
| 68 | +- JSON report schema: |
| 69 | + [docs/report-schema.md](docs/report-schema.md) |
| 70 | +- Policy schema: |
| 71 | + [docs/policy-schema.md](docs/policy-schema.md) |
| 72 | +- Policy decision explainability: |
| 73 | + [docs/policy-decision-explainability.md](docs/policy-decision-explainability.md) |
| 74 | +- Reviewer evidence pack: |
| 75 | + [docs/reviewer-evidence-pack.md](docs/reviewer-evidence-pack.md) |
| 76 | +- GitHub Actions consumer example: |
| 77 | + [docs/github-actions-consumer-example.md](docs/github-actions-consumer-example.md) |
| 78 | +- Production PyPI decision gate: |
| 79 | + [docs/pypi-production-publishing-decision.md](docs/pypi-production-publishing-decision.md) |
| 80 | + |
| 81 | +The v0.8 documentation keeps the release/distribution evidence surfaces |
| 82 | +separate from tool behavior. GitHub workflow artifact attestations, GitHub |
| 83 | +Release asset verification, TestPyPI Trusted Publishing validation, and future |
| 84 | +production PyPI Trusted Publishing provenance answer different trust questions. |
| 85 | + |
| 86 | +## Distribution status |
| 87 | + |
| 88 | +- The latest published GitHub Release remains `v0.7.0` until `v0.8.0` is |
| 89 | + intentionally tagged and released. |
| 90 | +- This draft does not publish to TestPyPI. |
| 91 | +- This draft does not publish to production PyPI. |
| 92 | +- Production PyPI publishing remains intentionally deferred. |
| 93 | +- No production PyPI workflow is added. |
| 94 | + |
| 95 | +## Not in this release |
| 96 | + |
| 97 | +- No new CLI flags. |
| 98 | +- No Markdown output behavior changes. |
| 99 | +- No SARIF output behavior changes. |
| 100 | +- No workflow changes. |
| 101 | +- No package version bump in this draft PR. |
| 102 | +- No tag or GitHub Release in this draft PR. |
| 103 | +- No PyPI/TestPyPI publishing. |
| 104 | +- No production PyPI workflow. |
| 105 | +- No hidden network behavior. |
| 106 | +- No CVE lookup or CVE resolution. |
| 107 | +- No dependency safety verdicts. |
0 commit comments