
docs: comparison page — what bomdrift catches that others miss (closes #33) #59

Merged

Metbcy merged 2 commits into main from docs/comparison-table-v1 on Jun 1, 2026

Conversation

@Metbcy (Owner) commented Jun 1, 2026

Closes #33.

Adds docs/src/comparison.md walking five published supply-chain incidents and calling out, per signal, which would have fired pre-disclosure on the PR that pulled in the compromised release:

  • xz-utils (CVE-2024-3094) — maintainer-age fires; nothing else honest.
  • event-stream / flatmap-stream — added-dep + recently-published + maintainer-handover combination fires.
  • ua-parser-js — multi-major version jump + recently-published fire.
  • colors.js — honest miss pre-advisory; post-advisory like every other scanner.
  • node-ipc — same honest miss pattern.

Tone follows the issue's ask: where bomdrift would not have caught an incident, the page says so explicitly. The credibility of this page matters more than its length.

What's NOT in this PR

The issue calls for fixture SBOMs under tests/fixtures/comparison/ so the CLI invocations are reproducible. That requires capturing historical npm / OSV / registry responses frozen at the incident date, which is a separate piece of work — flagged as a follow-up in the page's "Follow-ups" section and not blocking the v1.0 cut on this PR. Happy to scope a follow-on if you want it before tag.

Verification

  • docs/src/comparison.md parses; 5 case studies + signal-summary table + methodology.
  • Linked from SUMMARY.md under "Project" and from README.md under the comparison table.
  • All enricher module paths cited in Methodology exist on main.
  • No fabricated CVE/GHSA IDs — every advisory referenced is publicly published.

Repo-policy reminder: main requires verified signatures. This branch is unsigned; "Merge" or "Squash" via the GitHub UI will auto-sign the resulting commit.

Closes #33. Walks five published incidents (xz-utils, event-stream,
ua-parser-js, colors.js, node-ipc) and calls out for each which
bomdrift signals would have fired pre-disclosure and which would not.

Honest about the misses: colors.js and node-ipc are post-advisory
catches only, since the malicious payloads were patch-level changes
by long-tenured maintainers. Methodology section names the enricher
modules backing each judgement and flags reproducible fixture SBOMs
as follow-up work (not yet committed).

- docs/src/comparison.md (new)
- docs/src/SUMMARY.md (link under Project)
- README.md (cross-reference under comparison table)
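The PR description names five pre-disclosure signals (added-dep, recently-published, maintainer-age, maintainer-handover, multi-major version jump) and states which ones would have fired per incident. The block below is an added example, not bomdrift's own code or its enricher modules: it models those signals as a plain evaluation over a dependency diff and shows why patch-level bumps by long-tenured maintainers (the colors.js / node-ipc pattern) come out silent. The record layout, the meaning of "maintainer-age" (registry account age), the thresholds and the sample records are all assumptions; the records are constructed to reproduce the PR's verdicts, not the incidents' real registry metadata.

```rust
// Added example, not bomdrift's own code: a minimal model of the pre-disclosure
// signals the PR names (added-dep, recently-published, maintainer-age,
// maintainer-handover, multi-major version jump), evaluated over a dependency
// diff. Field meanings and thresholds are assumptions; the sample records are
// constructed to reproduce the PR's per-incident verdicts, not real registry data.

/// One dependency change between the base and head SBOMs of a PR.
#[derive(Debug, Clone)]
pub struct DepChange {
    pub name: &'static str,
    /// None: the dependency is absent from the base SBOM (added-dep).
    pub old_version: Option<&'static str>,
    pub new_version: &'static str,
    /// Days between the new release's publish time and the PR (assumed input).
    pub release_age_days: u64,
    /// Days since the publishing account was created on the registry
    /// (assumed meaning of "maintainer-age").
    pub publisher_account_age_days: u64,
    /// The new release was published by a different account than the previous one.
    pub maintainer_changed: bool,
}

#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum Signal {
    AddedDep,
    RecentlyPublished,
    MaintainerAge,
    MaintainerHandover,
    MultiMajorJump,
}

/// Assumed thresholds; a real tool would make these configurable.
pub const RECENT_RELEASE_DAYS: u64 = 7;
pub const YOUNG_ACCOUNT_DAYS: u64 = 365 * 2;

/// Leading numeric component of a version string; None if it cannot be parsed.
fn major(v: &str) -> Option<u64> {
    v.trim_start_matches(|c: char| !c.is_ascii_digit())
        .split('.')
        .next()?
        .parse()
        .ok()
}

/// Signals that fire for one change, in a fixed order.
pub fn evaluate(c: &DepChange) -> Vec<Signal> {
    let mut fired = Vec::new();
    if c.old_version.is_none() {
        fired.push(Signal::AddedDep);
    }
    if c.release_age_days <= RECENT_RELEASE_DAYS {
        fired.push(Signal::RecentlyPublished);
    }
    if c.publisher_account_age_days < YOUNG_ACCOUNT_DAYS {
        fired.push(Signal::MaintainerAge);
    }
    if c.maintainer_changed {
        fired.push(Signal::MaintainerHandover);
    }
    // Skipping at least one whole major line in a single bump is the jump signal;
    // a patch-level bump (1.4.0 -> 1.4.1) never reaches this threshold.
    if let (Some(old), Some(new)) = (c.old_version.and_then(major), major(c.new_version)) {
        if new >= old + 2 {
            fired.push(Signal::MultiMajorJump);
        }
    }
    fired
}

/// Names of changes for which no pre-disclosure signal fires (the honest misses).
pub fn silent_changes(changes: &[DepChange]) -> Vec<&'static str> {
    changes
        .iter()
        .filter(|c| evaluate(c).is_empty())
        .map(|c| c.name)
        .collect()
}

/// Constructed records shaped like the PR's five cases (not the incidents' real metadata).
pub fn sample_changes() -> Vec<DepChange> {
    vec![
        DepChange { name: "xz-like", old_version: Some("5.6.0"), new_version: "5.6.1",
            release_age_days: 21, publisher_account_age_days: 600, maintainer_changed: false },
        DepChange { name: "event-stream-like", old_version: None, new_version: "0.1.1",
            release_age_days: 2, publisher_account_age_days: 900, maintainer_changed: true },
        DepChange { name: "ua-parser-like", old_version: Some("1.4.2"), new_version: "3.0.0",
            release_age_days: 1, publisher_account_age_days: 2000, maintainer_changed: false },
        DepChange { name: "colors-like", old_version: Some("1.4.0"), new_version: "1.4.1",
            release_age_days: 14, publisher_account_age_days: 3000, maintainer_changed: false },
        DepChange { name: "node-ipc-like", old_version: Some("10.1.1"), new_version: "10.1.2",
            release_age_days: 10, publisher_account_age_days: 2500, maintainer_changed: false },
    ]
}

fn main() {
    for c in sample_changes() {
        let fired = evaluate(&c);
        let verdict = if fired.is_empty() {
            "no pre-disclosure signal".to_string()
        } else {
            format!("{:?}", fired)
        };
        println!("{:<18} {:>7} -> {:<6} {}", c.name, c.old_version.unwrap_or("(new)"), c.new_version, verdict);
    }
    println!("silent: {:?}", silent_changes(&sample_changes()));
}
```

The point the last two records make is the one the PR is candid about: every signal here is metadata-only (who published, when, how far the version moved), so a payload hidden in a routine patch release from an established account produces an empty signal list, and a scanner that only sees the diff has nothing to fire on until an advisory exists.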
github-actions (bot) commented Jun 1, 2026

Coverage report

Line coverage: 84.6% (10029 / 11851 lines)

Full lcov report available as workflow artifact coverage-lcov: download from this run.

v0.9.8 introduces this report; --fail-under-lines will be added once coverage is visible across 2–3 releases.

@Metbcy Metbcy merged commit 5ebcd05 into main Jun 1, 2026
10 checks passed
Development

Linked issue (#33): Add a 'What bomdrift catches that other tools miss' comparison page