Artifact schemas

SBOMFlow writes plain JSON files into a directory you choose — those files are the system of record. This page is the field-level reference for each documented artifact: its filename, its schema identifier, and the top-level keys it carries. For a plain-English overview of what each file is for and who reads it, see evidence outputs.

Note

This page is generated from the product's artifact schema registry, so it
always matches the artifacts your installed version writes. Explain any schema
offline with sbomflow schema (the whole registry) or `sbomflow schema show
<family>` (one artifact, with its exact top-level keys).

Every artifact here is an engineering record. A schema documents structure, never a compliance conclusion: an artifact's presence or shape is not a claim of CRA conformity or legal sufficiency, and observed fields are never a substitute for human review.

How to read the table

  • Artifact — the filename written into the output directory.
  • Schema — the stable schema identifier. Some artifacts are structural (validated by shape rather than an embedded schema string); that is stated verbatim.
  • Shape — whether the top level is a JSON object or an array (for an array, the keys listed are the keys of each element).
  • Top-level keys — the keys present at the top level of the artifact.

Documented artifacts

ArtifactSchemaShapeTop-level keys
advisory-reconciliation.jsonsbomflow-advisory-reconciliation-v1objectfinding_count, findings, generated_at, reviewer_boundary_note, schema, severity_conflict_count, watchlist_sources
artifact-manifest.jsonstructural (no embedded schema string)objectartifact_count, artifacts, generated_at, hash_algorithm, product_name, product_version, tool_version
cra-coverage.jsonstructural (carries graph_version)objectdeclared_product_class, generated_at, graph_retrieved, graph_source_urls, graph_version, regulation, regulation_title, requirements, route_info, summary
decision-migration.jsonsbomflow-decision-migration-v1objectgenerated_at, identity_version, reviewer_boundary_note, reviews, schema, summary, waivers
evidence-pack.jsonv2 (structural; no embedded schema string; upgrade with sbomflow upgrade)objectannex_i_evidence_inputs, artifacts, build_provenance, components, dependency_edges, evidence_gaps, evidence_items, evidence_signals, generated_at, graph, license_evidence, product_class, product_identity, product_name, product_version, purl_normalization_version, reachability, reachability_evidence_inputs, release_drift, release_metadata, requirement_assessments, requirement_graph, route_info, scan_warnings, support_policy_evidence, target_path, technical_documentation_inputs, test_results, tool_version, vulnerabilities, vulnerability_scan
issues.jsonstructural (array of issue objects; see the CSV column contract)arraycurrent_release_id, drift_source, epss_score, evidence_needed, finding_key, gap_id, introduced_in_release, issue_key, issue_type, known_exploited, last_seen_release, lifecycle_status, missing_signal, previous_release_id, product_name, product_version, reachability_evidence_refs, reachability_status, recommendation, requirement_id, severity, ssvc_outcome, ssvc_outcome_label, suggested_owner, title, vulnerability_id
reachability.jsonsbomflow-reachability-v1objectcomponents, generated_at, reviewer_boundary_note, schema_version, status_vocabulary, summary, target_path, tier_vocabulary, vulnerabilities
release-gate.jsonstructural (no embedded schema string)objectapproval_status, blocking_epss_ids, blocking_gap_ids, blocking_kev_ids, blocking_license_ids, blocking_reachable_vulnerability_ids, blocking_vulnerability_ids, drift_violation_ids, drift_violations, enforced, epss_threshold, evidence_regression_ids, exit_code, gap_ids, known_exploited_ids, license_policy_matches, license_policy_note, license_policy_unevaluated, manual_evidence_supplied_vulnerability_ids, needs_review_reachability_vulnerability_ids, new_critical_or_high_ids, new_known_exploited_ids, new_source_referenced_vulnerability_ids, new_vulnerability_ids, not_observed_vulnerability_ids, passed, policy_hash, policy_name, policy_outcomes, policy_source, policy_version, reason, release_drift_available, severity_threshold, source_referenced_vulnerability_ids, support_period_missing_ids, suppressed_vulnerabilities, unknown_reachability_vulnerability_ids, unreviewed_evidence_ids, violations, vulnerability_ids, waived_gap_ids, waived_license_ids, waived_vulnerability_ids, waiver_status
release-record.jsonsbomflow-release-record-v1objectartifact_refs, build_provenance_ref, disclaimers, evidence_pack_ref, gate_ref, generated_at, incident_report_ref, product, reachability_ref, release, sbom_refs, schema_version, support_policy_evidence_ref, technical_documentation_ref, tool_version
scan-warnings.jsonstructural (no embedded schema string)objectwarning_count, warnings
vuln-source-health.jsonsbomflow-vuln-source-health-v1objectfindings, generated_at, reviewer_boundary_note, schema, sources, usable_intelligence

Every artifact above is produced by analyze / audit unless its sbomflow schema show detail says otherwise.

External SBOM formats

SBOMFlow also emits standard SBOM documents that follow their own published schemas rather than an SBOMFlow one:

  • cyclonedx-sbom.json — CycloneDX 1.6 (owasp.org/cyclonedx)
  • spdx-sbom.json — SPDX 2.3 (spdx.dev)

These are validated structurally against the upstream specification.

If the page looks wrong

This reference is generated from the running product, so a mismatch between it and an artifact your version wrote is a bug we want to know about. Include the artifact name and your SBOMFlow version. See the FAQ for how to get support.