Michael Lieberman mlieberman85

## sbom-quality-report.md

      
              1 file
            
          
              0 forks
            
          
                0 comments
              
            
              0 stars
            
          
                mlieberman85
                / sbom-quality-report.md
            
            
              Last active
              April 14, 2026 21:35
            
              
                SBOM Quality Report: 9 Tools × 9 Criteria × 20 Fixtures — Fraction-based evaluation of SBOM generator conformance, completeness, accuracy, and transparency
              
          
    SBOM Quality Report

Date: 2026-04-14
Framework: sbom-conformance v2.0.0
Methodology: 9 SBOM generators tested against 20 fixtures covering
10 ecosystems and 13 use-case scenarios. All data from actual tool
output — no synthetic scores, no letter grades, only measured counts.
Tools: syft 1.27.0, trivy 0.69.3, trivy 0.55.0 (container),
cdxgen 12.1.5, sbom-tool 4.1.5, bom 0.7.1, cyclonedx-gomod 1.9.0,

  
## slsa-issue-audit-report.md

      
              1 file
            
          
              0 forks
            
          
                0 comments
              
            
              0 stars
            
          
                mlieberman85
                / slsa-issue-audit-report.md
            
            
              Last active
              April 14, 2026 21:17
            
              
                slsa-framework/slsa open issue audit — April 2026
              
          
    slsa-framework/slsa — Open Issue Audit

Date: April 14, 2026
Total open issues: 226
Audited by: Mike Lieberman
SLSA versions: v1.0 (Apr 2023), v1.1 (Apr 2025), v1.2 (Nov 2025)
Every issue was individually reviewed: body, comments, and related PRs checked.
The Big Picture


## baseline.toml
# OpenSSF Baseline Framework Definition
# Declarative configuration for OSPS v2025.10.10 compliance controls
#
# This file defines all 62 controls across 3 maturity levels.
# Users can override settings via .baseline.toml in their repository.

[metadata]
name = "openssf-baseline"
display_name = "OpenSSF Baseline"
version = "0.1.0"

## example_plan.json
{
  "project_name": "Test OpenSSF Baseline",
  "repository": "https://github.com/mlieberman85/test-baseline",
  "steps": [
    {
      "id": "create-security-branch",
      "action_name": "create-branch",
      "params": {
        "branch_name": "add-security-baseline-docs"
      },

## example_mapping.yaml
# SPDX-License-Identifier: Apache-2.0

mappings:
  - id: "openssf-baseline-remediation"
    reason: "Apply OpenSSF Baseline security best practices based on Privateer findings"
    condition: "true" # Base condition always true, but individual steps have specific conditions
    steps:
      - id: "create-security-branch"
        action: "create-branch"
        parameters:

## output
Querying domain: whiskey.foundation
  Querying TXT record for: _chainsights.whiskey.foundation
Traversing from root URI: https://raw.githubusercontent.com/whiskeytastingfoundation/chainsights/refs/heads/main/chainsights.jsonl with expected identity: mlieberman85@gmail.com
  Parsed essential bundle data.
  Decoded payload (839 bytes).
  Constructed PAE data (882 bytes).
  Prepared PEM certificate string.
  Calling Client::verify_blob with PAE data...
  Cryptographic signature verified successfully!
  Inspecting certificate identity...

## test.ncl
let language = "javascript" in
let JavascriptContract = std.contract.from_predicate (fun x => std.string.contains "npm" x) in
let RustContract = std.contract.from_predicate(fun x => std.string.contains "cargo" x) in
let CommonContract = std.contract.from_predicate(fun x => std.string.contains "artifact" x) in
let contract_array = if language == "javascript" then [CommonContract, JavascriptContract]  else [CommonContract, RustContract] in
let ContractSequence = std.contract.Sequence contract_array in
let data = "npm run artifact" in
data | ContractSequence

## slsa_provenance_v01_oapi.json
{
  "title": "InTotoStatementV1_for_SLSAProvenanceV1Predicate",
  "description": "Represents an In-Toto v1 statement.",
  "type": "object",
  "required": [
    "_type",
    "predicate",
    "predicateType",
    "subject"
  ],

## typify_debug.rs
TypeSpace {
    next_id: 23,
    definitions: {
        "BuildDefinition": Object(
            SchemaObject {
                metadata: Some(
                    Metadata {
                        id: None,
                        title: None,
                        description: Some(

## slsa.cue
package schema

import (
	"time"
)

#Subject: {
	name:   string
	digest: #DigestSet
}
	# OpenSSF Baseline Framework Definition
	# Declarative configuration for OSPS v2025.10.10 compliance controls
	#
	# This file defines all 62 controls across 3 maturity levels.
	# Users can override settings via .baseline.toml in their repository.

	[metadata]
	name = "openssf-baseline"
	display_name = "OpenSSF Baseline"
	version = "0.1.0"
	{
	"project_name": "Test OpenSSF Baseline",
	"repository": "https://github.com/mlieberman85/test-baseline",
	"steps": [
	{
	"id": "create-security-branch",
	"action_name": "create-branch",
	"params": {
	"branch_name": "add-security-baseline-docs"
	},
	# SPDX-License-Identifier: Apache-2.0

	mappings:
	- id: "openssf-baseline-remediation"
	reason: "Apply OpenSSF Baseline security best practices based on Privateer findings"
	condition: "true" # Base condition always true, but individual steps have specific conditions
	steps:
	- id: "create-security-branch"
	action: "create-branch"
	parameters:
	Querying domain: whiskey.foundation
	Querying TXT record for: _chainsights.whiskey.foundation
	Traversing from root URI: https://raw.githubusercontent.com/whiskeytastingfoundation/chainsights/refs/heads/main/chainsights.jsonl with expected identity: mlieberman85@gmail.com
	Parsed essential bundle data.
	Decoded payload (839 bytes).
	Constructed PAE data (882 bytes).
	Prepared PEM certificate string.
	Calling Client::verify_blob with PAE data...
	Cryptographic signature verified successfully!
	Inspecting certificate identity...
	let language = "javascript" in
	let JavascriptContract = std.contract.from_predicate (fun x => std.string.contains "npm" x) in
	let RustContract = std.contract.from_predicate(fun x => std.string.contains "cargo" x) in
	let CommonContract = std.contract.from_predicate(fun x => std.string.contains "artifact" x) in
	let contract_array = if language == "javascript" then [CommonContract, JavascriptContract] else [CommonContract, RustContract] in
	let ContractSequence = std.contract.Sequence contract_array in
	let data = "npm run artifact" in
	data \| ContractSequence
	{
	"title": "InTotoStatementV1_for_SLSAProvenanceV1Predicate",
	"description": "Represents an In-Toto v1 statement.",
	"type": "object",
	"required": [
	"_type",
	"predicate",
	"predicateType",
	"subject"
	],
	TypeSpace {
	next_id: 23,
	definitions: {
	"BuildDefinition": Object(
	SchemaObject {
	metadata: Some(
	Metadata {
	id: None,
	title: None,
	description: Some(
	package schema

	import (
	"time"
	)

	#Subject: {
	name: string
	digest: #DigestSet
	}