
Add dependency SPDX VEX evidence gates#1146

Open. minorstep wants to merge 2 commits into UnitOneAI:main from minorstep:codex/dependency-spdx-vex-reachability

Conversation

@minorstep

/claim #1143

Summary

Updates dependency-scanning as an Improver-tier skill improvement for #1143. The change reduces false positives from substring license checks and raw CVSS escalation, while closing manifest and non-registry dependency coverage gaps.

What changed

  • Added manifest coverage gates for pyproject.toml, NuGet, Composer, Ruby, Dart, Elixir, and ecosystem lockfiles.
  • Added non-registry dependency evidence for git, URL, tarball, path, and direct archive dependencies, including resolved refs/digests and install-script extraction.
  • Added manifest/lockfile drift handling before trusting vulnerability and license scan output.
  • Reworked vulnerability triage to include EPSS probability plus percentile, CISA KEV guardrails, and VEX/reachability evidence before downgrading Critical/High findings.
  • Reworked license guidance to parse SPDX OR, AND, and WITH expressions, record selected branches/exceptions, and scope license risk by distributed/runtime/dev-only usage.
  • Corrected the PyPI hyphen/underscore typosquat false-positive by requiring PEP 503 name normalization before flagging.
  • Expanded the output template with manifest coverage, lockfile status, reachability/VEX, SPDX branch/exception, usage scope, non-registry dependency, and install-script fields.

Validation

  • git diff --check
  • Markdown fence-balance check
  • Targeted content assertions for SPDX expressions, VEX/reachability, EPSS percentile, manifest coverage, non-registry dependencies, lockfile drift, and PyPI normalization
  • Private payout/payment-string scan of the changed skill file
  • Live HTTP 200 checks for SPDX License Expressions, CycloneDX VEX, PEP 503, and OSV-Scanner references
  • Final pre-submit searches found no visible PR referencing "[REVIEW] dependency-scanning: SPDX-expression license FPs, no reachability/VEX, missing manifests & git/URL deps #1143", "SPDX/VEX/reachability/non-registry dependency-scanning", or "pyproject/manifest lockfile drift dependency-scanning".

Bounty note

This is a public Improver-tier submission. Payment details can be provided privately after maintainer acceptance.
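The SPDX-expression and usage-scope handling described in the "What changed" list, as an added example rather than the skill's own code: a small recursive-descent parser for SPDX `OR` / `AND` / `WITH` expressions, an evaluator that records which branch and exception were relied on, and a scoping step that rates residual license risk by distributed, runtime, or dev-only usage. The policy sets (`PERMISSIVE`, `COPYLEFT`, `ALLOWED_EXCEPTIONS`) and the risk labels are constructed for the example. `naive_flags_copyleft` shows the substring check the PR replaces: it flags `MIT OR GPL-3.0-only` as copyleft even though the consumer may take the MIT branch.

```python
import re
from dataclasses import dataclass, field

# Constructed policy sets for this example (not the skill's real allow-list).
PERMISSIVE = {"MIT", "Apache-2.0", "BSD-2-Clause", "BSD-3-Clause", "ISC"}
COPYLEFT = {"GPL-2.0-only", "GPL-2.0-or-later", "GPL-3.0-only",
            "GPL-3.0-or-later", "AGPL-3.0-only", "LGPL-2.1-only"}
ALLOWED_EXCEPTIONS = {"Classpath-exception-2.0", "LLVM-exception"}
KEYWORDS = {"AND", "OR", "WITH"}
TOKEN_RE = re.compile(r"\(|\)|[A-Za-z0-9.+\-]+")


@dataclass
class Evaluation:
    acceptable: bool
    selected: list = field(default_factory=list)    # license ids relied on
    exceptions: list = field(default_factory=list)  # WITH exceptions applied
    reasons: list = field(default_factory=list)


def tokenize(expr):
    # Operators are case-insensitive in SPDX; license ids are kept as written.
    return [t.upper() if t.upper() in KEYWORDS else t for t in TOKEN_RE.findall(expr)]


class SpdxParser:
    """Recursive descent: OR binds loosest, then AND, then WITH."""
    def __init__(self, expr):
        self.toks, self.pos = tokenize(expr), 0

    def peek(self):
        return self.toks[self.pos] if self.pos < len(self.toks) else None

    def take(self):
        tok = self.peek()
        self.pos += 1
        return tok

    def parse(self):
        node = self.or_expr()
        if self.peek() is not None:
            raise ValueError(f"unexpected token {self.peek()!r}")
        return node

    def or_expr(self):
        node = self.and_expr()
        while self.peek() == "OR":
            self.take()
            node = ("OR", node, self.and_expr())
        return node

    def and_expr(self):
        node = self.with_expr()
        while self.peek() == "AND":
            self.take()
            node = ("AND", node, self.with_expr())
        return node

    def with_expr(self):
        node = self.primary()
        if self.peek() == "WITH":
            self.take()
            exc = self.take()
            if exc is None or exc in KEYWORDS or exc in ("(", ")"):
                raise ValueError("WITH requires an exception id")
            node = ("WITH", node, exc)
        return node

    def primary(self):
        tok = self.take()
        if tok == "(":
            node = self.or_expr()
            if self.take() != ")":
                raise ValueError("unbalanced parenthesis")
            return node
        if tok is None or tok in KEYWORDS or tok == ")":
            raise ValueError(f"expected license id, got {tok!r}")
        return ("LIC", tok)


def evaluate(node):
    kind = node[0]
    if kind == "LIC":
        lic = node[1]
        if lic in PERMISSIVE:
            return Evaluation(True, [lic])
        why = "copyleft" if lic in COPYLEFT else "unknown license id"
        return Evaluation(False, [lic], reasons=[f"{lic}: {why}"])
    if kind == "WITH":
        base, exc = evaluate(node[1]), node[2]
        if exc in ALLOWED_EXCEPTIONS:   # exception neutralises the concern; record it
            return Evaluation(True, base.selected, [exc])
        return Evaluation(False, base.selected, [exc],
                          base.reasons + [f"{exc}: exception not on allow-list"])
    left, right = evaluate(node[1]), evaluate(node[2])
    if kind == "AND":   # every conjunct must be acceptable
        return Evaluation(left.acceptable and right.acceptable,
                          left.selected + right.selected,
                          left.exceptions + right.exceptions,
                          left.reasons + right.reasons)
    for branch in (left, right):   # OR: the consumer chooses, so take an acceptable branch
        if branch.acceptable:
            return branch
    return Evaluation(False, left.selected + right.selected,
                      left.exceptions + right.exceptions, left.reasons + right.reasons)


def license_risk(expr, scope):
    """Scope an unacceptable result: scope is 'distributed', 'runtime' or 'dev-only'."""
    ev = evaluate(SpdxParser(expr).parse())
    if ev.acceptable:
        return "none", ev
    return {"distributed": "high", "runtime": "medium", "dev-only": "low"}[scope], ev


def naive_flags_copyleft(expr):
    """Pre-fix pattern: substring match on the raw expression string."""
    return "GPL" in expr
```

Running `license_risk("MIT OR GPL-3.0-only", "distributed")` yields `"none"` with `selected == ["MIT"]`, while `naive_flags_copyleft` reports the same expression as copyleft; `(MIT OR Apache-2.0) AND GPL-3.0-only` is rated `"high"` when distributed but `"low"` when dev-only, and the `Evaluation` keeps the selected ids and exceptions so the report can state which branch the verdict rests on.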

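The PyPI hyphen/underscore false positive from the "What changed" list, as an added example that is not the PR's code: `pep503_normalize` applies the PEP 503 rule (runs of `-`, `_` and `.` collapse to a single hyphen, then lowercase) before a name is compared against a list of well-known packages, so `python_dateutil` resolves to the same project as `python-dateutil` instead of being reported as a one-character typosquat. `POPULAR` is a constructed list, and `naive_typosquat_candidates` is the raw-string comparison the fix replaces.

```python
import re

# Constructed list of well-known names for the example; a scanner would use its own.
POPULAR = ["requests", "urllib3", "python-dateutil", "pyyaml", "numpy"]


def pep503_normalize(name):
    """PEP 503 normalized project name: [-_.]+ -> '-', lowercased."""
    return re.sub(r"[-_.]+", "-", name).lower()


def levenshtein(a, b):
    """Edit distance via the standard two-row dynamic-programming table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def naive_typosquat_candidates(name, popular=POPULAR, max_dist=1):
    """Pre-fix behaviour: compares raw strings, so python_dateutil is
    one edit away from python-dateutil and gets flagged."""
    return [p for p in popular if p != name and levenshtein(name, p) <= max_dist]


def typosquat_candidates(name, popular=POPULAR, max_dist=1):
    """Normalize both sides first; an exact PEP 503 match is the same project."""
    norm = pep503_normalize(name)
    hits = []
    for p in popular:
        pn = pep503_normalize(p)
        if pn == norm:
            return []   # same project, only spelled differently: not a squat
        if levenshtein(norm, pn) <= max_dist:
            hits.append(p)
    return hits
```

With this in place, `python_dateutil` and `PyYAML` produce no candidates, while a genuinely misspelled `requets` still surfaces `requests` as the name it is one edit away from.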