实现示例
type Component = { name: string; version: string }
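/**
 * Loose check that a version string starts with `MAJOR.MINOR.PATCH` digits,
 * optionally followed by a pre-release / build-metadata style suffix.
 *
 * The suffix may contain letters, digits, `-`, `_`, `.` and `+`. Accepting `+`
 * lets SemVer build metadata such as `1.2.3+build.5` pass; without it such
 * versions fail the check, and any caller that filters components on this
 * result would drop them without a trace.
 * This is a shape check only; it does not enforce the full SemVer grammar.
 *
 * @param v - Version string to test.
 * @returns `true` when `v` has the expected shape, otherwise `false`.
 */
function semverLike(v: string): boolean {
  // Anchored at both ends so the whole string must match, not just a prefix.
  return /^\d+\.\d+\.\d+(?:[-+A-Za-z0-9_.]+)?$/.test(v);
}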
/**
 * Computes the component-level difference between two component lists.
 *
 * Each list is first reduced to a name -> version map. Only entries with a
 * truthy `name` and a `version` accepted by `semverLike` are indexed; when a
 * name occurs more than once in a list, the last occurrence wins.
 *
 * NOTE(review): entries rejected by that filter are skipped silently, so they
 * never appear in `added`, `removed` or `changed`. A caller using this result
 * as a release gate should validate and report such entries separately.
 *
 * @param oldList - Components of the previous inventory.
 * @param newList - Components of the new inventory.
 * @returns Names present only in `newList` (`added`), only in `oldList`
 *          (`removed`), or in both with a different version (`changed`).
 */
function diff(oldList: Component[], newList: Component[]): { added: string[]; removed: string[]; changed: string[] } {
  // Build a name -> version index from the entries that pass validation.
  const index = (list: Component[]): Map<string, string> => {
    const byName = new Map<string, string>();
    for (const item of list) {
      if (item.name && semverLike(item.version)) {
        byName.set(item.name, item.version);
      }
    }
    return byName;
  };

  const before = index(oldList);
  const after = index(newList);

  const added: string[] = [];
  const changed: string[] = [];
  for (const [name, version] of after) {
    const previous = before.get(name);
    if (previous === undefined) {
      added.push(name);
    } else if (previous !== version) {
      changed.push(name);
    }
  }

  // Anything indexed from the old list that the new index lacks was removed.
  const removed = [...before.keys()].filter((name) => !after.has(name));

  return { added, removed, changed };
}
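/**
 * Compares two component lists and checks the size of each change category
 * against its limit.
 *
 * A category is reported unless its count is provably within the limit, so a
 * `NaN` or missing threshold (for example an unparsed configuration value)
 * fails the gate instead of silently disabling that check. For every finite
 * threshold the result is the same as a plain `count > limit` comparison.
 *
 * NOTE(review): the counts come from `diff`, which skips entries with an empty
 * name or a version rejected by `semverLike`; such entries do not count toward
 * any threshold here.
 *
 * @param oldList - Components of the previous inventory.
 * @param newList - Components of the new inventory.
 * @param thresholds - Maximum allowed number of added, removed and changed components.
 * @returns `ok` is `true` when no category is over its limit; `errors` lists
 *          the offending categories in the order `added`, `removed`, `changed`.
 */
function gate(oldList: Component[], newList: Component[], thresholds: { added: number; removed: number; changed: number }): { ok: boolean; errors: string[] } {
  const delta = diff(oldList, newList);

  // Fail closed: `count > NaN` is false, whereas `!(count <= NaN)` is true.
  const overLimit = (count: number, limit: number): boolean => !(count <= limit);

  const errors: string[] = [];
  if (overLimit(delta.added.length, thresholds.added)) errors.push('added');
  if (overLimit(delta.removed.length, thresholds.removed)) errors.push('removed');
  if (overLimit(delta.changed.length, thresholds.changed)) errors.push('changed');

  return { ok: errors.length === 0, errors };
}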
审计与发布治理
审计增量变更并与阈值策略对齐;出现异常时阻断发布并输出修复清单。SBOM变更需审批与归档。注意:示例中的 diff 会跳过名称为空或版本格式不符合要求的组件,这些条目不计入阈值,应单独校验并记录。
