release: v0.8.0 — supply-chain hardening

.github/ISSUE_TEMPLATE/action-broke.md

@@ -36,6 +36,6 @@ failure is usually obvious if you expand all groups. -->
 
 ## Environment
 
-- **bomdrift version pin**: `@v1` / `@v0.7.0` / `@<sha>`
+- **bomdrift version pin**: `@v1` / `@v0.8.0` / `@<sha>`
 - **Runner**: <ubuntu-latest / self-hosted / etc.>
 - **Trigger event**: <pull_request / push / workflow_dispatch / etc.>

CHANGELOG.md

@@ -7,6 +7,105 @@ project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
 ## [Unreleased]
 
+## [0.8.0] - 2026-04-29
+
+The "supply-chain hardening" milestone. v0.8 finishes SARIF for GitHub
+Code Scanning, lights up exploit-prediction (EPSS) and
+known-exploited-in-the-wild (CISA KEV) signals on every advisory,
+introduces an explicit license allow/deny policy with fail-closed
+compound-expression handling, and adds time-boxed risk-acceptance to
+the suppression baseline.
+
+### Added
+
+- **SARIF + GitHub Code Scanning end-to-end.** Every result now carries
+  a stable `partialFingerprints.primaryHash/v1` hash so Code Scanning's
+  alert dedup threads correctly across runs. New action input
+  `upload-to-code-scanning: true` wires
+  `github/codeql-action/upload-sarif@v3` for one-line opt-in. New
+  `--output-file <PATH>` CLI flag avoids YAML `>`-redirection
+  quirks. Per-rule fingerprint identity tuples documented at
+  [docs/src/sarif.md](docs/src/sarif.md).
+
+- **EPSS scoring (FIRST.org).** Every CVE-aliased advisory surfaces an
+  exploitation-probability badge in markdown / terminal / SARIF /
+  JSON. `--fail-on-epss <FLOAT>` trips exit 2 when any advisory exceeds
+  the threshold. `--no-epss` opt-out + 24h disk cache at
+  `<XDG_CACHE>/bomdrift/epss/`. Best-effort: network failure logs at
+  `BOMDRIFT_DEBUG=1`, diff still renders.
+  [docs/src/enrichers/epss.md](docs/src/enrichers/epss.md)
+
+- **CISA KEV (Known Exploited Vulnerabilities).** A `KEV` flag flips
+  on every advisory whose primary id or CVE alias appears in CISA's
+  catalog. `--fail-on kev` + `--no-kev` flags. Once-daily catalog
+  cache at `<XDG_CACHE>/bomdrift/kev/catalog.json`.
+  [docs/src/enrichers/kev.md](docs/src/enrichers/kev.md)
+
+- **License allow/deny policy.** New `[license]` block in
+  `.bomdrift.toml` (or `--allow-licenses`/`--deny-licenses` CLI flags
+  matching Dependency Review Action names). Atomic exact match +
+  `*`-suffix glob (`AGPL-*`); compound expressions like
+  `(MIT OR GPL-3.0)` fail closed by default unless
+  `allow_ambiguous=true`. Distinct from same-version license drift:
+  this is a policy gate. New SARIF rule
+  `bomdrift.license-violation`. `--fail-on license-violation` trips
+  exit 2. [docs/src/license-policy.md](docs/src/license-policy.md)
+
+- **Suppression expiry + reason.** Each `suppressed_advisories` entry
+  may now be the v0.8 object form
+  `{id, expires?: "YYYY-MM-DD", reason?: "free text"}`. Expired
+  entries surface a stderr warning and stop suppressing; bomdrift
+  refuses to load malformed dates. `bomdrift baseline add --expires
+  --reason` records the metadata; the `comment-suppress` companion
+  action picks up an optional `reason: <text>` line in the trigger
+  comment body.
+  [docs/src/baseline.md](docs/src/baseline.md#time-boxed-suppressions-expires--reason)
+
+- **OSV CVE aliases threaded through `VulnRef`.** OSV `/v1/vulns/{id}`
+  responses now feed CVE aliases into `VulnRef.aliases` (sorted,
+  byte-deterministic). EPSS / KEV / future VEX consumption all read
+  from `VulnRef::cves()`.
+
+- **`time` crate adoption + `clock` module.** New `src/clock.rs` is
+  the single source of truth for date/time across the codebase.
+  Honors `SOURCE_DATE_EPOCH` (read per call so test fixtures can vary
+  it). All v0.8 features that emit dates / compare dates go through
+  this module — reproducible-build contexts stay deterministic.
+
+- **`--debug-calibration-format <pipe|jsonl>`.** New JSONL alternative
+  to the v0.7 pipe-delimited calibration tap. Numeric scores stay
+  numeric in JSON; severity buckets stay strings. Adding a new
+  finding kind is one call to a dispatch helper, not a fork.
+
+### Changed
+
+- `--fail-on any` now also includes KEV-flagged advisories and
+  license-violation findings.
+- SARIF rule list grew from 5 to 6 (added `bomdrift.license-violation`).
+
+### Scope notes
+
+The following items were deliberately **deferred to v0.9** rather than
+half-shipped:
+
+- **GitLab comment-driven suppress.** The `/bomdrift suppress` flow
+  works on GitHub via the `comment-suppress` companion action. Porting
+  to GitLab needs a webhook bridge with five distinct security guards
+  (token verification, event-type filter, project allowlist,
+  commenter-permission check, MR-context guard). Shipping the bridge
+  without those is a vulnerability — moved to v0.9 with a security
+  review milestone.
+- **Multi-SCM (Bitbucket + Azure DevOps).** Templates and footer
+  shapes need per-platform comment-API exploration; deferred to v0.9.
+- **VEX consume + emit.** Both depend on the `time` crate
+  foundation that lands here. Consume in v0.9-G; emit in v0.9-H. The
+  baseline-expiry + reason fields added in v0.8 feed directly into
+  the VEX `status_notes` field when emit lands.
+- **SPDX expression evaluator.** v0.8 fails closed on compound
+  expressions; v0.9 adopts the `spdx` crate (~30kb) for proper
+  evaluation. The `allow_ambiguous` flag becomes redundant at that
+  point.
+
 ## [0.7.0] - 2026-04-30
 
 The "broaden the platform, polish the edges" milestone. v0.7 takes the

Cargo.toml

@@ -1,8 +1,8 @@
 [package]
 name = "bomdrift"
-version = "0.7.0"
+version = "0.8.0"
 edition = "2024"
-rust-version = "1.85"
+rust-version = "1.88"
 description = "SBOM diff with supply-chain risk signals (CVEs, typosquats, maintainer-age)."
 license = "Apache-2.0"
 repository = "https://github.com/Metbcy/bomdrift"
@@ -31,6 +31,8 @@ owo-colors = { version = "4", features = ["supports-colors"] }
 supports-color = "3"
 directories = "6"
 toml = "0.8"
+time = { version = "0.3", default-features = false, features = ["serde", "parsing", "formatting", "macros", "std"] }
+sha2 = { version = "0.10", default-features = false }
 
 [dev-dependencies]
 criterion = { version = "0.5", default-features = false, features = ["html_reports"] }

README.md

@@ -81,7 +81,7 @@ jobs:
         #   verify-signatures: true   (set false on trusted mirrors)
 ```
 
-Pin to `@v1` for the latest v0.x; pin to `@v0.7.0` for reproducible builds. Run `bomdrift init` if you want a checked-in `.bomdrift.toml` policy and both workflows scaffolded locally. See the [Action reference](https://metbcy.github.io/bomdrift/github-action.html) for every input.
+Pin to `@v1` for the latest v0.x; pin to `@v0.8.0` for reproducible builds. Run `bomdrift init` if you want a checked-in `.bomdrift.toml` policy and both workflows scaffolded locally. See the [Action reference](https://metbcy.github.io/bomdrift/github-action.html) for every input.
 
 #### Optional: in-comment suppression (v0.5+)
 
@@ -112,7 +112,7 @@ Comment `/bomdrift suppress GHSA-xxxx` on any PR; the sub-action appends to `.bo
 Pre-built binaries cover Linux x86_64 + aarch64, macOS aarch64, and Windows x86_64. Each archive is cosign-signed via Sigstore + GitHub OIDC.
 
 ```bash
-VERSION=v0.7.0
+VERSION=v0.8.0
 TARGET=x86_64-unknown-linux-gnu
 curl -sSL -o bomdrift.tar.gz \
   "https://github.com/Metbcy/bomdrift/releases/download/${VERSION}/bomdrift-${VERSION}-${TARGET}.tar.gz"
@@ -128,7 +128,7 @@ Verify the archive's signature before you trust the binary — see [Release sign
 ### From source
 
 ```bash
-cargo install --locked --git https://github.com/Metbcy/bomdrift --tag v0.7.0 bomdrift
+cargo install --locked --git https://github.com/Metbcy/bomdrift --tag v0.8.0 bomdrift
 ```
 
 Requires Rust 1.85+ (the project uses edition 2024).
@@ -230,7 +230,7 @@ Every release archive is signed with cosign keyless via Sigstore (GitHub OIDC).
 
 ```bash
 # Replace VERSION + TARGET with your downloaded archive's pair
-VERSION=v0.7.0
+VERSION=v0.8.0
 TARGET=x86_64-unknown-linux-gnu
 ARCHIVE=bomdrift-${VERSION}-${TARGET}.tar.gz
 

STATUS.md

@@ -12,9 +12,15 @@ keeping the project OSS-first: no hosted dashboard, no account, no telemetry.
 | Local CLI | Supported on Linux x86_64/aarch64, macOS aarch64, Windows x86_64 |
 | SBOM formats | CycloneDX JSON, SPDX JSON, Syft JSON |
 | In-comment suppression (GitHub) | Supported through `Metbcy/bomdrift/comment-suppress@v1` |
-| GitLab CI merge requests | Supported through the `examples/gitlab-ci/` template (v0.7+); in-comment suppression deferred to v0.8 |
+| GitHub Code Scanning (SARIF upload) | Supported (v0.8+) — set `upload-to-code-scanning: 'true'` |
+| EPSS exploit-prediction scoring | Supported (v0.8+) — auto, opt-out via `--no-epss` |
+| CISA KEV (known-exploited) flagging | Supported (v0.8+) — auto, opt-out via `--no-kev` |
+| License allow/deny policy | Supported (v0.8+) — `[license]` block / CLI flags |
+| Suppression expiry (`expires` + `reason`) | Supported (v0.8+) — time-boxed risk acceptance |
+| GitLab CI merge requests | Supported through the `examples/gitlab-ci/` template (v0.7+); in-comment suppression deferred to v0.9 |
 | GitHub Enterprise / self-hosted runners | Expected to work, not broadly tested yet |
-| Bitbucket | Not supported |
+| Bitbucket / Azure DevOps | Planned for v0.9 |
+| VEX consume / emit | Planned for v0.9 |
 | Hosted dashboard / SaaS | Not planned |
 
 ## Known limitations