From d69934d7e7e0f76ebf06258d1411f60712d28b44 Mon Sep 17 00:00:00 2001
From: stacknil
Date: Tue, 30 Jun 2026 11:36:10 +0800
Subject: [PATCH] docs(sbom): clarify risk model non-claims
---
 docs/risk-model-boundary.md | 11 +++++++++++
 scripts/validate-reviewer-routes.py | 3 +++
 .../tests/test_risk_model_boundary_docs.py | 3 +++
 3 files changed, 17 insertions(+)
diff --git a/docs/risk-model-boundary.md b/docs/risk-model-boundary.md
index 245987c..f8a2c78 100644
--- a/docs/risk-model-boundary.md
+++ b/docs/risk-model-boundary.md
@@ -8,6 +8,17 @@ conclusions the tool must never infer.
 The model is a deterministic local heuristic layer. It is not a vulnerability scanner, not a CVE resolver, and not a dependency safety verdict.
+## Explicit non-claims
+
+The risk model has three deliberate product boundaries:
+
+- **Not a CVE scanner.** It does not query vulnerability databases, resolve
+ advisories against affected version ranges, or determine exploitability.
+- **Not a malware scanner.** It does not inspect package contents, source code,
+ signatures, or runtime behavior for malicious payloads.
+- **Not a package safety verdict engine.** Risk buckets and policy decisions
+ identify evidence for review; they do not certify a package as safe or unsafe.
+
 Implementation references:
 - [`risk.py`](../tools/sbom-diff-and-risk/src/sbom_diff_risk/risk.py)
diff --git a/scripts/validate-reviewer-routes.py b/scripts/validate-reviewer-routes.py
index 1ad12b7..2c7cc46 100644
--- a/scripts/validate-reviewer-routes.py
+++ b/scripts/validate-reviewer-routes.py
@@ -195,6 +195,9 @@
 "not a vulnerability scanner",
 "not a CVE resolver",
 "not a dependency safety verdict",
+ "Not a CVE scanner",
+ "Not a malware scanner",
+ "Not a package safety verdict engine",
 "new_package",
 "major_upgrade",
 "version_change_unclassified",
diff --git a/tools/sbom-diff-and-risk/tests/test_risk_model_boundary_docs.py b/tools/sbom-diff-and-risk/tests/test_risk_model_boundary_docs.py
index 7115b79..ef026c6 100644
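Review bot: The three new literals in scripts/validate-reviewer-routes.py duplicate the exact strings added to test_risk_model_boundary_docs.py in the next hunk, so the wording that docs/risk-model-boundary.md must keep is now pinned in three places (the markdown, the validator and the test) and a future rewording of a bullet label must be mirrored in both code files or one of the guards silently stops checking what it was meant to. Consider hoisting the phrases into one shared constant (for example a tuple named `RISK_MODEL_NON_CLAIMS`) that both the validator and the test import, if the package layout allows it; otherwise a comment next to each list naming the other location, such as `# keep in sync with tests/test_risk_model_boundary_docs.py`, would at least make the coupling visible. Note also that the new entries are capitalised to match the bold bullet labels while the existing entries are lowercase; the test's `assert phrase in text or _normalized_text(phrase) in normalized` may tolerate case through its fallback, but the validator's comparison is outside this hunk and I cannot see whether it does the same, so a lowercase mention elsewhere in the doc would presumably not satisfy the script. The enclosing sequence literal begins and ends outside the hunk in both files.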
--- a/tools/sbom-diff-and-risk/tests/test_risk_model_boundary_docs.py
+++ b/tools/sbom-diff-and-risk/tests/test_risk_model_boundary_docs.py
@@ -38,6 +38,9 @@ def test_risk_model_boundary_names_inputs_and_nonclaims() -> None:
 "not a vulnerability scanner",
 "not a CVE resolver",
 "not a dependency safety verdict",
+ "Not a CVE scanner",
+ "Not a malware scanner",
+ "Not a package safety verdict engine",
 "hidden network enrichment",
 ):
 assert phrase in text or _normalized_text(phrase) in normalized