@aranw
Last active February 13, 2026 22:27
ham-salad-sandwich-no-onion.json
{
"sbom_version": "1.0",
"sandwich": {
"name": "Ham Salad Sandwich (No Onion)",
"version": "2026.02.13",
"assembler": "claude@anthropic",
"build_timestamp": "2026-02-13T12:30:00Z",
"reproducible": false,
"non_determinism_notes": "Salad cream distribution described as 'a good squirt'. Lettuce leaf count unspecified. Assembler was hungry at time of build.",
"lockfile": "sandwich.lock",
"excluded_dependencies": [
{
"surl": "surl:produce/red-onion@2026-02-10",
"reason": "Explicitly excluded by consumer. Marked as wontfix.",
"cve_avoided": "CVE-2024-ONION: Causes social distancing for up to 4 hours post-consumption"
}
]
},
"components": [
{
"surl": "surl:grain/white-bread@3.2.0",
"name": "White Bread",
"version": "3.2.0",
"role": "structural-framework",
"quantity": "2 slices",
"supplier": "supermarket://tesco/kingsmill",
"integrity": "sha256:a1b2c3d4e5f6789012345678abcdef0123456789abcdef0123456789abcdef01",
"license": "BSD (Bread, Sauce, Distributed)",
"notes": "MAJOR 3 indicates white wheat. MINOR 2 is 62% hydration. PATCH 0 would indicate fresh, but this is .0 so it's straight from the bag. Crusts included; removal is a consumer-side concern and out of scope.",
"dependencies": [
{
"surl": "surl:grain/wheat-flour@milling-2026-01",
"name": "Wheat Flour",
"supplier": "farm://uk/east-anglia",
"license": "Public Domain",
"vulnerabilities": ["CVE-2023-GLUTEN"]
},
{
"surl": "surl:leavening/yeast@saccharomyces-cerevisiae",
"name": "Yeast",
"supplier": "lab://fermentation-sciences",
"license": "MIT (Mustard Is Transferable)",
"notes": "Single-celled maintainer with excellent uptime."
},
{
"surl": "surl:mineral/salt@public-domain",
"name": "Salt",
"supplier": "supermarket://generic",
"license": "Public Domain",
"notes": "Licensed since the Jurassic. Several relicensing attempts have failed."
},
{
"surl": "surl:liquid/water@h2o",
"name": "Water",
"supplier": "utility://severn-trent",
"license": "Public Domain"
}
]
},
{
"surl": "surl:protein/sliced-ham@thick-cut-2026-02",
"name": "Sliced Ham",
"version": "thick-cut-2026-02",
"role": "primary-payload",
"quantity": "3 slices",
"supplier": "supermarket://tesco/deli-counter",
"integrity": "sha256:b2c3d4e5f6789012345678abcdef0123456789abcdef0123456789abcdef0123",
"license": "Proprietary",
"license_notes": "Exact curing process undisclosed. Reverse-engineering prohibited by EULA printed on the back of the packet in 4pt font.",
"dependencies": [
{
"surl": "surl:animal/pig@british-outdoor-bred",
"name": "Pig",
"supplier": "farm://uk/yorkshire",
"license": "Proprietary",
"notes": "Attestation chain extends to pig but no further. Pig's own dependency tree (feed corn, water, field, farmer) is declared but unaudited.",
"dependencies": [
{
"surl": "surl:feed/grain-mix@standard",
"name": "Feed Mix",
"supplier": "farm://uk/cooperative",
"license": "Public Domain",
"notes": "Circular dependency detected: pig eats grain, grain grows in field fertilised by pig. Resolver emitted warning but continued."
},
{
"surl": "surl:liquid/water@h2o",
"name": "Water",
"supplier": "utility://yorkshire-water",
"license": "Public Domain"
}
]
},
{
"surl": "surl:mineral/salt@curing-grade",
"name": "Curing Salt",
"supplier": "supermarket://specialist",
"license": "Public Domain"
},
{
"surl": "surl:preservative/sodium-nitrite@e250",
"name": "Sodium Nitrite",
"supplier": "chemical://food-grade",
"license": "MIT (Mustard Is Transferable)",
"notes": "Keeps ham pink. Without it, ham would be an honest grey colour and nobody would buy it."
}
]
},
{
"surl": "surl:produce/lettuce@iceberg-2026-02-12",
"name": "Iceberg Lettuce",
"version": "2026-02-12",
"role": "structural-filler",
"quantity": "2 leaves",
"supplier": "supermarket://tesco/produce-aisle",
"integrity": "sha256:c3d4e5f6789012345678abcdef0123456789abcdef0123456789abcdef012345",
"license": "Public Domain",
"notes": "Calendar versioned by harvest date. Nutritional content approximately equivalent to crunchy water. Structural role only: provides barrier layer between bread and tomato to prevent moisture ingress.",
"dependencies": [
{
"surl": "surl:liquid/water@h2o",
"name": "Water",
"supplier": "utility://spanish-irrigation",
"license": "Public Domain",
"notes": "Comprises 96% of this dependency by weight. Arguably the lettuce is a transitive dependency of water, not the other way round."
}
]
},
{
"surl": "surl:produce/tomato@2026-02-11",
"name": "Tomato",
"version": "2026-02-11",
"role": "moisture-layer",
"quantity": "3 slices from 1 medium tomato",
"supplier": "supermarket://tesco/produce-aisle",
"integrity": "sha256:d4e5f6789012345678abcdef0123456789abcdef0123456789abcdef01234567",
"license": "Public Domain",
"notes": "Calendar versioned. February tomato sourced from Spain, as British tomatoes are out of season and the specification does not cover disappointment. Slice thickness is a source of non-determinism; see lockfile.",
"vulnerabilities": [
{
"id": "CVE-2026-SOGGY",
"description": "Tomato moisture migrates into adjacent bread layer within 45 minutes of assembly. No patch available. Mitigation: lettuce barrier layer (see iceberg-lettuce component). Alternatively, consume sandwich promptly.",
"severity": "Medium"
}
]
},
{
"surl": "surl:produce/cucumber@2026-02-10",
"name": "Cucumber",
"version": "2026-02-10",
"role": "crunch-provider",
"quantity": "4 slices",
"supplier": "supermarket://tesco/produce-aisle",
"integrity": "sha256:e5f6789012345678abcdef0123456789abcdef0123456789abcdef0123456789",
"license": "Public Domain",
"notes": "97% water by weight. Exists primarily as a textural dependency. Removal would not affect flavour profile but would trigger a failing assertion in the 'is it actually a salad sandwich' check."
},
{
"surl": "surl:condiment/salad-cream@heinz-2.1.0",
"name": "Salad Cream",
"version": "2.1.0",
"role": "binding-agent",
"quantity": "1 generous squirt",
"supplier": "supermarket://tesco/condiment-aisle",
"integrity": "sha256:f6789012345678abcdef0123456789abcdef0123456789abcdef012345678901",
"license": "Proprietary",
"license_notes": "Heinz recipe undisclosed. Do not confuse with mayonnaise; this is a distinct project with an overlapping but legally separate contributor base. The two communities do not get along.",
"notes": "Quantity specified as 'generous squirt' which is a known source of non-determinism. The SBOM working group considered standardising condiment quantities but the resulting flame war in the issue tracker has been deferred to v2.0.",
"dependencies": [
{
"surl": "surl:liquid/vinegar@spirit",
"name": "Spirit Vinegar",
"supplier": "supermarket://generic",
"license": "Public Domain"
},
{
"surl": "surl:liquid/vegetable-oil@rapeseed",
"name": "Rapeseed Oil",
"supplier": "farm://uk/lincolnshire",
"license": "MIT (Mustard Is Transferable)"
},
{
"surl": "surl:liquid/water@h2o",
"name": "Water",
"supplier": "utility://generic",
"license": "Public Domain"
},
{
"surl": "surl:dairy/egg-yolk@free-range",
"name": "Egg Yolk",
"supplier": "farm://uk/free-range",
"license": "MIT (Mustard Is Transferable)",
"vulnerabilities": ["CVE-2024-MAYO"],
"notes": "Egg provenance attestation generated by a chicken whose own attestation chain remains unresolved. See: chicken-or-egg ordering (deferred to SBOM 2.0)."
},
{
"surl": "surl:condiment/mustard-flour@english",
"name": "Mustard Flour",
"supplier": "supermarket://colmans",
"license": "MIT (Mustard Is Transferable)",
"notes": "Appropriately licensed."
},
{
"surl": "surl:sweetener/sugar@granulated",
"name": "Sugar",
"supplier": "supermarket://generic",
"license": "Public Domain"
}
]
},
{
"surl": "surl:condiment/butter@salted-2026-02",
"name": "Butter",
"version": "2026-02",
"role": "moisture-barrier",
"quantity": "thin spread across both slices",
"supplier": "supermarket://tesco/dairy-aisle",
"integrity": "sha256:07890123456789abcdef0123456789abcdef0123456789abcdef0123456789ab",
"license": "BSD (Bread, Sauce, Distributed)",
"notes": "Optional but recommended. Acts as a hydrophobic barrier between bread and wet ingredients. Must be at room temperature for spreadability; cold butter causes bread structural failures (tearing). This is a known issue with no upstream fix.",
"dependencies": [
{
"surl": "surl:dairy/cream@pasteurised",
"name": "Cream",
"supplier": "farm://uk/dairy",
"license": "BSD (Bread, Sauce, Distributed)",
"dependencies": [
{
"surl": "surl:animal/cow@british-dairy",
"name": "Cow",
"supplier": "farm://uk/dairy",
"license": "Proprietary",
"notes": "Cow's dependency tree includes grass, water, and a field in Cheshire. Full attestation chain available on request but is quite long."
}
]
},
{
"surl": "surl:mineral/salt@public-domain",
"name": "Salt",
"supplier": "supermarket://generic",
"license": "Public Domain"
}
]
}
],
"dependency_summary": {
"direct_dependencies": 7,
"transitive_dependencies": 22,
"total_unique_ingredients": 29,
"water_appearances": 6,
"water_note": "Water is the left-pad of sandwiches. Everything depends on it and nobody thinks about it until it's gone.",
"circular_dependencies": 1,
"circular_dependency_detail": "pig -> feed grain -> field -> fertiliser -> pig. Resolver accepted with warning.",
"excluded_dependencies": 1,
"excluded_dependency_detail": "Red onion. Consumer override. No appeal."
},
"vulnerability_report": {
"critical": 1,
"high": 0,
"medium": 1,
"low": 0,
"detail": [
{
"id": "CVE-2024-MAYO",
"affected_component": "surl:dairy/egg-yolk@free-range (transitive, via salad cream)",
"severity": "Critical",
"status": "Mitigated",
"mitigation": "Salad cream is a compiled binary; egg yolk is not directly exposed. Refrigerate after opening. The specification cannot enforce this but is making a pointed suggestion."
},
{
"id": "CVE-2026-SOGGY",
"affected_component": "surl:produce/tomato@2026-02-11",
"severity": "Medium",
"status": "Mitigated",
"mitigation": "Lettuce barrier layer deployed between tomato and bread. Effectiveness degrades over time. Consume within 2 hours of assembly or accept the consequences."
}
]
},
"build_environment": {
"surface": "kitchen counter, wiped down (probably)",
"ambient_temperature_c": 19,
"knife_sharpness": "adequate",
"bread_board": true,
"cutting_technique": "diagonal cut, as God intended",
"notes": "Straight-cut sandwiches are technically valid but will emit a style warning during linting."
},
"compliance": {
"eu_sandwich_resilience_act": "Compliant (pending Q3 2027 enforcement)",
"us_eo_14028_5": "Compliant. This is a Sandwich Bill of Materials. The executive order did not specify which kind, so we are submitting it anyway.",
"sandwich_heritage_foundation": "Archive submission pending. Previous attempt rejected because the tomato's checksum changed during transit."
}
}