feat(diff): order report deterministically by risk (severity-first CVEs, stable component listing)#25
Open
dmchaledev wants to merge 1 commit into
Conversation
SBOM scanners emit components and vulnerabilities in arbitrary order, so today's reports are unstable run-to-run. For the headline use cases — committed audit trails and PR-comment diffs — that produces noisy diffs even when nothing actually changed, and a `critical` CVE can be listed below several `low` ones.

Sort the report before returning from diff() so all three render formats and direct JSON consumers benefit:

- added/removed components: by name, then version
- upgraded: major bumps first (highest risk), then by name
- new/fixed CVEs: by severity (most severe first), then by id

Purely a reordering — the ChangeReport shape is unchanged and the change is fully backward compatible.

Adds tests covering stable ordering and severity/major-bump prioritisation.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01GT9LrpLo5a1XkHqrUKtCaY
Summary

`diff()` currently returns components and vulnerabilities in whatever order the source SBOM happened to list them. SBOM scanners do not guarantee a stable emit order, so today the report is non-deterministic run-to-run and not prioritised by risk. That directly undercuts the two headline use cases in the README — "perfect for CI/CD gates and audit trails" and "great for PR comments": a `critical` CVE (e.g. Log4Shell) can be listed below several `low` ones, and a major version bump can sit beneath a pile of patch bumps. The most important signal isn't at the top where a reviewer looks first.

This PR sorts the report once, in `diff()`, so all three render formats (text/json/markdown) and direct programmatic consumers (`report.newCVEs`, `report.added`, …) benefit from the same stable, risk-first ordering.

Ordering rules

- added/removed: by name, then version
- upgraded: major bumps first, then by name
- newCVEs/fixedCVEs: by severity (critical → none → unset), then by CVE id

Why this is the right layer

Sorting lives in `diff.ts` (not the reporter) so the ordering is consistent everywhere the `ChangeReport` is consumed — the JSON output used in CI and the objects accessed in the documented programmatic API are ordered identically to the rendered text/markdown.

Compatibility

Purely a reordering. The `ChangeReport` shape, field names, and counts are unchanged, so this is fully backward compatible — no behaviour change beyond the order of existing array elements.

Distinct from in-flight work

This touches only the ordering of the result and conflicts with none of the open PRs/issues in scope (which concern the `--fail-on` gate, CVSS extraction, markdown cell escaping, downgrade/purl matching, and license/validation/hash detection).

Tests

Adds 4 tests covering:

All checks green locally: 33 tests pass, `eslint src` clean, `tsc` build clean.

🤖 Generated with Claude Code
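The ordering rules described in this PR, as an added TypeScript example that is not the project's own `diff.ts`: the record shapes (`Component`, `Upgrade`, `Cve`), the version parser, and the middle of the severity ranking (critical > high > medium > low > none, with an unset severity last) are assumptions made for illustration, since the PR text only states the endpoints of that ranking. The sample inputs are constructed, in deliberately scrambled order, to show that the output no longer depends on scanner emit order.

```typescript
// Added example, not the project's own diff.ts. Record shapes, the version
// parser and the middle of the severity ranking are assumptions.

type Severity = "critical" | "high" | "medium" | "low" | "none";

interface Component { name: string; version: string }
interface Upgrade { name: string; from: string; to: string }
interface Cve { id: string; severity?: Severity }

// Assumed ranking: most severe first, "none" after the named levels,
// an unset severity last (lower rank = listed earlier).
const SEVERITY_RANK: Record<Severity, number> = {
  critical: 0, high: 1, medium: 2, low: 3, none: 4,
};

function rankSeverity(s?: Severity): number {
  return s === undefined ? Number.MAX_SAFE_INTEGER : SEVERITY_RANK[s];
}

// Plain code-point comparison: unlike localeCompare it does not depend on
// the ICU data of whichever machine produced the report.
function cmp(a: string, b: string): number {
  return a < b ? -1 : a > b ? 1 : 0;
}

// Leading numeric major component of a version string ("v3.0.1" -> 3);
// unparsable versions count as major 0.
function major(version: string): number {
  const m = /^v?(\d+)/.exec(version.trim());
  return m ? Number(m[1]) : 0;
}

function isMajorBump(u: Upgrade): boolean {
  return major(u.to) > major(u.from);
}

// Numeric comparison of dotted version segments so 1.2.0 sorts before 1.10.0;
// falls back to code-point order when a segment is not numeric.
function compareVersions(a: string, b: string): number {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  const n = Math.max(pa.length, pb.length);
  for (let i = 0; i < n; i++) {
    const x = i < pa.length ? pa[i] : 0;
    const y = i < pb.length ? pb[i] : 0;
    if (Number.isNaN(x) || Number.isNaN(y)) return cmp(a, b);
    if (x !== y) return x - y;
  }
  return 0;
}

// added/removed components: by name, then version.
function sortComponents(items: Component[]): Component[] {
  return [...items].sort(
    (a, b) => cmp(a.name, b.name) || compareVersions(a.version, b.version));
}

// upgraded: major bumps first (highest risk), then by name.
function sortUpgrades(items: Upgrade[]): Upgrade[] {
  return [...items].sort(
    (a, b) => Number(isMajorBump(b)) - Number(isMajorBump(a)) || cmp(a.name, b.name));
}

// newCVEs/fixedCVEs: most severe first, unset severity last, then by id.
function sortCves(items: Cve[]): Cve[] {
  return [...items].sort(
    (a, b) => rankSeverity(a.severity) - rankSeverity(b.severity) || cmp(a.id, b.id));
}

// Constructed sample input, deliberately in scanner-style arbitrary order.
const sampleCves: Cve[] = [
  { id: "CVE-EXAMPLE-0003", severity: "low" },
  { id: "CVE-EXAMPLE-0002" },
  { id: "CVE-EXAMPLE-0001", severity: "critical" },
  { id: "CVE-EXAMPLE-0004", severity: "low" },
];
const sampleUpgrades: Upgrade[] = [
  { name: "zlib", from: "1.2.11", to: "1.2.13" },
  { name: "openssl", from: "1.1.1", to: "3.0.0" },
  { name: "axios", from: "0.27.0", to: "1.0.0" },
];
const sampleAdded: Component[] = [
  { name: "lodash", version: "4.17.21" },
  { name: "express", version: "4.18.2" },
  { name: "express", version: "4.2.0" },
];

console.log(sortCves(sampleCves).map((c) => `${c.severity ?? "unset"} ${c.id}`));
console.log(sortUpgrades(sampleUpgrades).map((u) => `${u.name} ${u.from} -> ${u.to}`));
console.log(sortComponents(sampleAdded).map((c) => `${c.name}@${c.version}`));
```

Each sorter copies its input before sorting, so callers holding the original arrays are unaffected, and every comparator terminates in a total order (the id or name tiebreak), which is what makes the output independent of the scanner's emit order rather than merely grouped by severity. The numeric version comparison matters for the "then version" rule: a plain string sort would place `4.18.2` before `4.2.0`.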