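// 实现示例 (Implementation example)

/** One SBOM entry: a component name and the version string recorded for it. */
type Component = { name: string; version: string };

/**
 * Loose version check used to decide which entries take part in the diff.
 *
 * Accepts three dot-separated numeric fields, optionally followed by a run of
 * letters, digits, '-', '_' or '.'. The '+' character is not in the allowed
 * set, so versions carrying '+' build metadata are rejected by this pattern.
 *
 * @param v - version string to test
 * @returns true when the whole string matches the pattern
 */
function semverLike(v: string): boolean {
  return /^(\d+\.\d+\.\d+)(?:[-A-Za-z0-9_.]+)?$/.test(v);
}

/**
 * Builds a name -> version map from the entries that have a non-empty name and
 * a version accepted by semverLike. When a name occurs more than once, the
 * last occurrence wins.
 */
function indexValid(list: Component[]): Map<string, string> {
  const byName = new Map<string, string>();
  for (const c of list) {
    if (c.name && semverLike(c.version)) byName.set(c.name, c.version);
  }
  return byName;
}

/**
 * Compares two component lists by name.
 *
 * Only entries with a non-empty name and a semverLike version are compared;
 * every other entry is skipped here. Callers that need to notice skipped
 * entries must check for them separately (gate() does so for the new list).
 *
 * @param oldList - baseline component list
 * @param newList - candidate component list
 * @returns names present only in newList (added), only in oldList (removed),
 *          and in both with a different version string (changed)
 */
function diff(
  oldList: Component[],
  newList: Component[],
): { added: string[]; removed: string[]; changed: string[] } {
  const before = indexValid(oldList);
  const after = indexValid(newList);

  const added: string[] = [];
  const removed: string[] = [];
  const changed: string[] = [];

  for (const [name, version] of after) {
    const previous = before.get(name);
    if (previous === undefined) added.push(name);
    else if (previous !== version) changed.push(name);
  }
  for (const name of before.keys()) {
    if (!after.has(name)) removed.push(name);
  }

  return { added, removed, changed };
}

/**
 * Checks the diff between two component lists against per-category limits.
 *
 * @param oldList - baseline component list
 * @param newList - candidate component list under review
 * @param thresholds - maximum number of added / removed / changed components
 * @returns ok is true only when no limit is exceeded and newList holds no
 *          malformed entry; errors names each failed check ('added',
 *          'removed', 'changed', 'invalid')
 */
function gate(
  oldList: Component[],
  newList: Component[],
  thresholds: { added: number; removed: number; changed: number },
): { ok: boolean; errors: string[] } {
  const d = diff(oldList, newList);
  const errors: string[] = [];

  if (d.added.length > thresholds.added) errors.push('added');
  if (d.removed.length > thresholds.removed) errors.push('removed');
  if (d.changed.length > thresholds.changed) errors.push('changed');

  // Fail closed: diff() skips entries with an empty name or a version that
  // semverLike rejects, so without this check such an entry in the candidate
  // list would never count against any threshold and the gate would pass it.
  // Appended last so the order of the existing error names is unchanged.
  // Malformed entries in oldList are still only skipped by diff().
  if (newList.some((c) => !c.name || !semverLike(c.version))) errors.push('invalid');

  return { ok: errors.length === 0, errors };
}

// 审计与发布治理 (Audit and release governance)
// 审计增量变更并与阈值策略对齐;异常阻断并输出修复清单。SBOM变更需审批与归档。
// (Audit incremental changes against the threshold policy; block on anomalies
// and output a remediation list. SBOM changes require approval and archiving.)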
