Artifact schemas
SBOMFlow writes plain JSON files into a directory you choose — those files are the system of record. This page is the field-level reference for each documented artifact: its filename, its schema identifier, and the top-level keys it carries. For a plain-English overview of what each file is for and who reads it, see evidence outputs.
Note
This page is generated from the product's artifact schema registry, so it
always matches the artifacts your installed version writes. Explain any schema
offline with sbomflow schema (the whole registry) or `sbomflow schema show
<family>` (one artifact, with its exact top-level keys).
Every artifact here is an engineering record. A schema documents structure, never a compliance conclusion: an artifact's presence or shape is not a claim of CRA conformity or legal sufficiency, and observed fields are never a substitute for human review.
How to read the table
- Artifact — the filename written into the output directory.
- Schema — the stable schema identifier. Some artifacts are structural (validated by shape rather than an embedded schema string); that is stated verbatim.
- Shape — whether the top level is a JSON
objector anarray(for an array, the keys listed are the keys of each element). - Top-level keys — the keys present at the top level of the artifact.
Documented artifacts
| Artifact | Schema | Shape | Top-level keys |
|---|---|---|---|
advisory-reconciliation.json | sbomflow-advisory-reconciliation-v1 | object | finding_count, findings, generated_at, reviewer_boundary_note, schema, severity_conflict_count, watchlist_sources |
artifact-manifest.json | structural (no embedded schema string) | object | artifact_count, artifacts, generated_at, hash_algorithm, product_name, product_version, tool_version |
cra-coverage.json | structural (carries graph_version) | object | declared_product_class, generated_at, graph_retrieved, graph_source_urls, graph_version, regulation, regulation_title, requirements, route_info, summary |
decision-migration.json | sbomflow-decision-migration-v1 | object | generated_at, identity_version, reviewer_boundary_note, reviews, schema, summary, waivers |
evidence-pack.json | v2 (structural; no embedded schema string; upgrade with sbomflow upgrade) | object | annex_i_evidence_inputs, artifacts, build_provenance, components, dependency_edges, evidence_gaps, evidence_items, evidence_signals, generated_at, graph, license_evidence, product_class, product_identity, product_name, product_version, purl_normalization_version, reachability, reachability_evidence_inputs, release_drift, release_metadata, requirement_assessments, requirement_graph, route_info, scan_warnings, support_policy_evidence, target_path, technical_documentation_inputs, test_results, tool_version, vulnerabilities, vulnerability_scan |
issues.json | structural (array of issue objects; see the CSV column contract) | array | current_release_id, drift_source, epss_score, evidence_needed, finding_key, gap_id, introduced_in_release, issue_key, issue_type, known_exploited, last_seen_release, lifecycle_status, missing_signal, previous_release_id, product_name, product_version, reachability_evidence_refs, reachability_status, recommendation, requirement_id, severity, ssvc_outcome, ssvc_outcome_label, suggested_owner, title, vulnerability_id |
reachability.json | sbomflow-reachability-v1 | object | components, generated_at, reviewer_boundary_note, schema_version, status_vocabulary, summary, target_path, tier_vocabulary, vulnerabilities |
release-gate.json | structural (no embedded schema string) | object | approval_status, blocking_epss_ids, blocking_gap_ids, blocking_kev_ids, blocking_license_ids, blocking_reachable_vulnerability_ids, blocking_vulnerability_ids, drift_violation_ids, drift_violations, enforced, epss_threshold, evidence_regression_ids, exit_code, gap_ids, known_exploited_ids, license_policy_matches, license_policy_note, license_policy_unevaluated, manual_evidence_supplied_vulnerability_ids, needs_review_reachability_vulnerability_ids, new_critical_or_high_ids, new_known_exploited_ids, new_source_referenced_vulnerability_ids, new_vulnerability_ids, not_observed_vulnerability_ids, passed, policy_hash, policy_name, policy_outcomes, policy_source, policy_version, reason, release_drift_available, severity_threshold, source_referenced_vulnerability_ids, support_period_missing_ids, suppressed_vulnerabilities, unknown_reachability_vulnerability_ids, unreviewed_evidence_ids, violations, vulnerability_ids, waived_gap_ids, waived_license_ids, waived_vulnerability_ids, waiver_status |
release-record.json | sbomflow-release-record-v1 | object | artifact_refs, build_provenance_ref, disclaimers, evidence_pack_ref, gate_ref, generated_at, incident_report_ref, product, reachability_ref, release, sbom_refs, schema_version, support_policy_evidence_ref, technical_documentation_ref, tool_version |
scan-warnings.json | structural (no embedded schema string) | object | warning_count, warnings |
vuln-source-health.json | sbomflow-vuln-source-health-v1 | object | findings, generated_at, reviewer_boundary_note, schema, sources, usable_intelligence |
Every artifact above is produced by analyze / audit unless its sbomflow schema show detail says otherwise.
External SBOM formats
SBOMFlow also emits standard SBOM documents that follow their own published schemas rather than an SBOMFlow one:
cyclonedx-sbom.json — CycloneDX 1.6 (owasp.org/cyclonedx)spdx-sbom.json — SPDX 2.3 (spdx.dev)
These are validated structurally against the upstream specification.
If the page looks wrong
This reference is generated from the running product, so a mismatch between it and an artifact your version wrote is a bug we want to know about. Include the artifact name and your SBOMFlow version. See the FAQ for how to get support.