Michael Lieberman (mlieberman85)
package schema

import (
    "time"
)

#Subject: {
    name:   string
    digest: #DigestSet
}
TypeSpace {
    next_id: 23,
    definitions: {
        "BuildDefinition": Object(
            SchemaObject {
                metadata: Some(
                    Metadata {
                        id: None,
                        title: None,
                        description: Some(
@mlieberman85
mlieberman85 / slsa_provenance_v01_oapi.json
Created October 13, 2023 16:52
OpenAPI type definition of SLSA
{
  "title": "InTotoStatementV1_for_SLSAProvenanceV1Predicate",
  "description": "Represents an In-Toto v1 statement.",
  "type": "object",
  "required": [
    "_type",
    "predicate",
    "predicateType",
    "subject"
  ],
# Nickel: pick a per-ecosystem contract, then apply it together with the common one
let language = "javascript" in
# each contract is a predicate over the build command string
let JavascriptContract = std.contract.from_predicate (fun x => std.string.contains "npm" x) in
let RustContract = std.contract.from_predicate (fun x => std.string.contains "cargo" x) in
let CommonContract = std.contract.from_predicate (fun x => std.string.contains "artifact" x) in
let contract_array = if language == "javascript" then [CommonContract, JavascriptContract] else [CommonContract, RustContract] in
# Sequence applies the contracts in order; all must hold for the value to pass
let ContractSequence = std.contract.Sequence contract_array in
let data = "npm run artifact" in
data | ContractSequence
Querying domain: whiskey.foundation
Querying TXT record for: _chainsights.whiskey.foundation
Traversing from root URI: https://raw.githubusercontent.com/whiskeytastingfoundation/chainsights/refs/heads/main/chainsights.jsonl with expected identity: mlieberman85@gmail.com
Parsed essential bundle data.
Decoded payload (839 bytes).
Constructed PAE data (882 bytes).
Prepared PEM certificate string.
Calling Client::verify_blob with PAE data...
Cryptographic signature verified successfully!
Inspecting certificate identity...
# SPDX-License-Identifier: Apache-2.0
mappings:
  - id: "openssf-baseline-remediation"
    reason: "Apply OpenSSF Baseline security best practices based on Privateer findings"
    condition: "true" # Base condition always true, but individual steps have specific conditions
    steps:
      - id: "create-security-branch"
        action: "create-branch"
        parameters:
{
  "project_name": "Test OpenSSF Baseline",
  "repository": "https://github.com/mlieberman85/test-baseline",
  "steps": [
    {
      "id": "create-security-branch",
      "action_name": "create-branch",
      "params": {
        "branch_name": "add-security-baseline-docs"
      },
# OpenSSF Baseline Framework Definition
# Declarative configuration for OSPS v2025.10.10 compliance controls
#
# This file defines all 62 controls across 3 maturity levels.
# Users can override settings via .baseline.toml in their repository.
[metadata]
name = "openssf-baseline"
display_name = "OpenSSF Baseline"
version = "0.1.0"
@mlieberman85
mlieberman85 / slsa-issue-audit-report.md
Last active April 14, 2026 21:17
slsa-framework/slsa open issue audit — April 2026

slsa-framework/slsa — Open Issue Audit

Date: April 14, 2026
Total open issues: 226
Audited by: Mike Lieberman
SLSA versions: v1.0 (Apr 2023), v1.1 (Apr 2025), v1.2 (Nov 2025)

Every issue was individually reviewed: body, comments, and related PRs checked.

The Big Picture

@mlieberman85
mlieberman85 / sbom-quality-report.md
Last active April 17, 2026 17:28
SBOM Quality Report: 9 Tools × 9 Criteria × 20 Fixtures — Fraction-based evaluation of SBOM generator conformance, completeness, accuracy, and transparency

SBOM Quality Report

Date: 2026-04-17 (updated)
Framework: sbom-conformance v2.0.0
Methodology: 10 SBOM generators tested against 20 fixtures covering 10 ecosystems and 13 use-case scenarios. All data from actual tool output — no synthetic scores, no letter grades, only measured counts.

Tools: syft 1.27.0, trivy 0.69.3, trivy 0.55.0 (container), cdxgen 12.1.5, sbom-tool 4.1.5, bom 0.7.1, cyclonedx-gomod 1.9.0,