
[codex] Add stable JSON run summary fields#26

Merged
stacknil merged 1 commit into main from codex/stable-json-run-summary on Apr 29, 2026

Conversation

@stacknil (Owner)

Design

This PR extends the existing summary object in sbom-diff-and-risk JSON reports with stable machine-readable run fields.

The base summary remains compact and count-only: added, removed, changed, and risk_counts. unchanged is intentionally not added because the current diff model does not track unchanged components.

summary.policy is emitted only when a policy was applied. It contains policy status and violation counts: status, blocking, warning, and suppressed.

summary.enrichment is emitted only when PyPI provenance or OpenSSF Scorecard enrichment was used. It contains enrichment mode plus provider-specific component counts and status-count maps. This does not add CLI flags, network behavior, or CVE lookup.

Files Changed

  • tools/sbom-diff-and-risk/src/sbom_diff_risk/report_json.py
  • tools/sbom-diff-and-risk/tests/test_reports.py
  • tools/sbom-diff-and-risk/tests/test_provenance_reporting.py
  • tools/sbom-diff-and-risk/tests/test_scorecard_reporting.py
  • tools/sbom-diff-and-risk/examples/sample-policy-fail-report.json
  • tools/sbom-diff-and-risk/examples/sample-policy-warn-report.json
  • tools/sbom-diff-and-risk/examples/sample-provenance-report.json
  • tools/sbom-diff-and-risk/examples/sample-scorecard-report.json

Validation

Local validation completed:

python -m pytest tests/test_reports.py tests/test_provenance_reporting.py tests/test_scorecard_reporting.py
python -m pytest
git diff --check

Results:

  • focused JSON/reporting tests passed: 29 tests
  • full suite passed: 147 tests
  • JSON golden samples updated
  • summary.policy appears only when policy is applied
  • summary.enrichment appears only when PyPI or Scorecard enrichment is used

Out of Scope

  • No Markdown format changes
  • No CLI flag changes
  • No workflow changes
  • No package version changes
  • No new network behavior
  • No CVE lookup
  • No unchanged count because unchanged components are not tracked by the current diff model
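A consumer of the contract described above, as an added example that is not from the PR or the sbom-diff-and-risk project: it validates the stable summary fields and turns them into a CI gate decision, failing closed on a malformed summary. The sample report, the status value "fail" and the per-provider enrichment sub-keys are assumptions; only the key names the PR text names are taken from the page.

```python
import json

# Constructed sample report (not from the PR). Key names follow the PR text; the
# status value "fail" and the per-provider sub-keys are assumptions for illustration.
SAMPLE_REPORT = json.dumps({"summary": {
    "added": 3, "removed": 1, "changed": 2,
    "risk_counts": {"high": 1, "medium": 2, "low": 3},
    "policy": {"status": "fail", "blocking": 1, "warning": 2, "suppressed": 0},
    "enrichment": {"mode": "pypi",
                   "pypi": {"components": 4, "status_counts": {"attested": 3, "unknown": 1}}},
}})

COUNT_FIELDS = ("added", "removed", "changed")

def validate_summary(summary):
    """Return contract violations for a summary object (empty list = well-formed)."""
    problems = []
    for key in COUNT_FIELDS:
        if not isinstance(summary.get(key), int):
            problems.append(f"summary.{key} missing or not an integer")
    if not isinstance(summary.get("risk_counts"), dict):
        problems.append("summary.risk_counts missing or not a map")
    if "unchanged" in summary:  # the diff model does not track unchanged components
        problems.append("summary.unchanged is not part of the contract")
    policy = summary.get("policy")
    if policy is not None:  # present only when a policy was applied
        if "status" not in policy:
            problems.append("summary.policy.status missing")
        for key in ("blocking", "warning", "suppressed"):
            if not isinstance(policy.get(key), int):
                problems.append(f"summary.policy.{key} missing or not an integer")
    enrichment = summary.get("enrichment")
    if enrichment is not None and "mode" not in enrichment:  # only when enrichment ran
        problems.append("summary.enrichment.mode missing")
    return problems

def gate_decision(report_text):
    """Return ("error" | "block" | "pass", reasons) using only the stable summary fields."""
    summary = json.loads(report_text).get("summary", {})
    problems = validate_summary(summary)
    if problems:  # malformed summary: fail closed rather than silently passing
        return "error", problems
    policy = summary.get("policy")
    if policy is None:  # no policy applied: the summary is count-only
        return "pass", ["no policy applied; summary is count-only"]
    if policy["blocking"] > 0:
        return "block", [f"{policy['blocking']} blocking violation(s); status={policy['status']}"]
    return "pass", [f"{policy['warning']} warning(s), {policy['suppressed']} suppressed"]
```

Because the decision reads nothing outside summary, a report whose Markdown or component listing changes shape still yields the same gate result.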

@stacknil (Owner, Author) left a comment

Reviewed. Scope is clean.

I’m treating this as the v0.6 baseline for machine-readable JSON consumption:

  • base summary remains count-only
  • summary.policy is conditional on policy usage
  • summary.enrichment is conditional on PyPI/Scorecard enrichment usage
  • unchanged is intentionally omitted because unchanged components are not modeled
  • no CLI, Markdown, workflow, version, network, or CVE behavior changes

Approved to merge after required review gate is satisfied.

@stacknil stacknil merged commit dc6317d into main Apr 29, 2026
9 checks passed
@stacknil stacknil deleted the codex/stable-json-run-summary branch April 29, 2026 14:01
