Capabilities

SBOMFlow is the offline-first system of record for connected-device cybersecurity release evidence. This page lists what the product does today, with an honest status for each capability. Nothing here is a roadmap item; planned work is not listed as available.

How to read the status column

Status | Meaning
--- | ---
Default | Runs on every analyze/audit with no flags and no network.
Explicit input | Runs offline when you point SBOMFlow at a local file (for example a supplier SBOM or a vulnerability snapshot).
Opt-in flag | Off until you pass the documented flag; still offline unless stated.
Opt-in network | Contacts a service only under an explicit flag such as --use-osv. Never on by default.
Optional extra | Needs an optional Python extra (for example PyYAML or jsonschema). Baseline operation never requires it.
External tool | Uses a locally installed third-party tool when present; SBOMFlow works without it and says so.
Recognized, not parsed | The input is detected, hashed, and surfaced with a stable warning instead of being interpreted.

Important

Machine observations never become approvals. Reviewer status defaults to
unreviewed; VEX not_affected/fixed and evidence acceptance come only
from human review. See Observed vs reviewed.

Composition and identity

Capability | Status | Output
--- | --- | ---
Source manifests — requirements.txt, package.json, Cargo.toml, go.mod, Dockerfiles, firmware manifests | Default | components in the evidence pack and SBOMs
Lockfiles — npm package-lock.json/shrinkwrap, pnpm, Yarn Classic, Cargo, Go modules, Pipenv, Poetry, Composer, Bundler | Default | components with resolved versions, direct/transitive scope, and dependency edges
Recognized-but-unparsed dependency manifests — Gradle lockfiles, NuGet packages.lock.json, uv.lock, Swift Package.resolved, ESP-IDF dependencies.lock, vcpkg.json, Maven pom.xml, Conan lockfiles, dependency-declaring pyproject.toml | Recognized, not parsed | stable unsupported_lockfile warning naming the exact file
Unpinned Python requirements | Default | unpinned_requirements warning counting the declarations that could not be inventoried
Package URL identity — canonical purls with namespaces, qualifiers, version epochs, vendor/local suffixes, and container digests preserved | Default | purls in CycloneDX/SPDX and stable component identity
Component-identity guard — structurally invalid names/versions from any parser are neutralized and warned, never emitted as inventory | Default | malformed_component_* warnings
Dependency graphs — deterministic edges, deduplication, workspace/git/file dependencies, legitimate cycles kept | Default | dependencies in CycloneDX, DEPENDS_ON in SPDX

Embedded and container builds

Capability | Status | Output
--- | --- | ---
Yocto image manifests and license.manifest (including under build/tmp/deploy/…) | Default | components with declared licenses and build provenance
Buildroot legal-info manifests, host/target separation preserved | Default | components with source provenance
Zephyr west.yml (best-effort; unrecognized shapes warn) | Default | module components
Container image tarballs and extracted rootfs package databases — dpkg, Alpine apk, SQLite RPM — with observed os-release vendor context | Default | OS-package components with distro/arch qualifiers
OCI image layout directories and image indexes | Recognized, not parsed | oci_image_index_not_parsed warning pointing to the opt-in OCI evidence path
OCI layout evidence import (manifests, platform variants, attached referrer artifacts) | Opt-in flag | OCI evidence records with verified blob digests
Device-tree source overlays | Recognized, not parsed | device_tree_not_parsed warning
Further build-evidence importers — CMake File API, linker maps, Zephyr SPDX/Twister, ESP-IDF metadata, MCUboot, update-system manifests (RAUC, SWUpdate, Mender, Uptane) | Explicit input | dedicated evidence artifacts per importer

Vulnerability and exploitation context

Capability | Status | Output
--- | --- | ---
Offline advisory matching against a bundled, clearly-labelled non-real sample feed | Default | findings marked with their provenance
Local vulnerability-database snapshots | Explicit input | findings with snapshot provenance and freshness
OSV and NVD enrichment | Opt-in network | findings with source URLs and CVSS context
CISA KEV and FIRST EPSS | Explicit input or opt-in network | known-exploited flags and exploit-probability scores — inputs for human triage, never verdicts
CVSS v3.x base-score computation from vectors | Default | derived severities (never invented)
Conservative reachability observations for Python, JavaScript/TypeScript, Go, Rust, C/C++ | Default | reachability.json; not_observed never means safe
Reviewer-driven VEX (OpenVEX + CycloneDX VEX) | Opt-in flag | VEX statements; not_affected requires a valid justification or it is downgraded
Supplier VEX ingestion (OpenVEX or CSAF) as context | Explicit input | supplier statements kept separate — they never set your status automatically
Suggested SSVC priority from the CISA decision table | Opt-in flag | ssvc.json — a suggestion for humans, never a gate or a status

CRA-oriented evidence

Capability | Status | Output
--- | --- | ---
Versioned model of Regulation (EU) 2024/2847 Annex I with evidence mapping | Default | cra-coverage.json; manual-only areas are labelled, not failed
Structured manufacturer evidence inputs for still-manual areas | Explicit input | hashed inputs surfaced in coverage — never marked adequate or accepted by the engine
Annex VII technical-documentation pack, including an UNSIGNED DRAFT declaration | Opt-in flag | techdoc pack; the draft watermark is validator-enforced
Article 14 incident-report drafts (early warning, notification, final) | Opt-in flag | cra-article14-.DRAFT. with submitted: false — SBOMFlow never files, transmits, or contacts a CSIRT/ENISA

Limitation

SBOMFlow records engineering evidence and gaps. It does not determine legal
conformity, does not classify your product, and does not submit anything to
a regulator. See CRA orientation.

Release workflow

Capability | Status | Output
--- | --- | ---
Release gate — informational by default, blocking only under explicit --fail-on-* policies, VEX-aware, with the exact reason recorded | Default | release-gate.json and a stable exit-code contract
Named, versioned policy profiles | Opt-in flag | recorded policy source and hash in the gate output
Release records, release comparison, and drift (components, dependencies, findings, evidence, gates, support periods) | Default / explicit previous output | release-record.json, release-drift.json, local release index
Review queue with tamper-evident decisions | Default artifacts, human actions | reviews.json + append-only, hash-chained audit-log.jsonl
Multi-role approvals with separation of duties (self-approval rejected), expiry, and revocation | Opt-in commands | approval records tied to exact artifact digests
Time-boxed gap/finding waivers | Opt-in commands | waiver records that keep waived items visible
Issue exports | Default / opt-in | issues.json, issues.md, CSV and SARIF exports
Tracker sync — GitHub Issues, Jira, ServiceNow, Dependency-Track | Opt-in; dry-run by default, network only with --apply and credentials | idempotent sync plans, then deduplicated updates
Notifications — Slack, Teams, webhook, email | Opt-in --apply | messages carrying counts and links, never secrets
Evidence bundle and auditor handoff | Default with audit; ZIP opt-in | evidence-bundle.json/html/zip — byte-reproducible ZIP
Importer/distributor sharing pack (redacted subset) | Opt-in flag | sharing pack with a documented allowlist
CI templates for GitHub Actions, GitLab CI, Jenkins | Documented | copy-paste workflows using the stable exit codes

Provenance and integrity

Capability | Status | Output
--- | --- | ---
SHA-256 for every scanned file, and source hashes on every contributing observation | Default | artifact-manifest.json
Symlink boundary — paths resolving outside the scan root are refused with a warning | Default | symlink_outside_root warning
Resource bounds on untrusted input (size, depth, archive members, decompression) | Default | resource_limit_exceeded warnings instead of unbounded reads
Deterministic outputs under a fixed --as-of | Default | byte-identical artifacts across repeat runs
Structural validation of every output directory, including cross-artifact consistency and audit-chain verification | Default command | sbomflow validate (exit 4 on failure)
Official JSON-Schema validation of generated SBOMs | Optional extra (jsonschema) or external CycloneDX CLI | validation notes/errors
Local build-attestation (DSSE) verification | Optional extra | provenance verification records
Optional local analyzers — syft, diffoscope, cosign, firmware extraction | External tool | adapter evidence with sanitized, bounded execution

What SBOMFlow deliberately does not do

  • It does not claim or certify legal conformity, and it never says "compliant".
  • It does not sign, file, transmit, or submit regulatory reports.
  • It does not turn machine observations, supplier statements, KEV/EPSS, or reachability into approvals, VEX statuses, or release decisions.
  • It does not upload your source, firmware, or evidence anywhere by default — there is no telemetry.
  • It does not guess: missing versions, licenses, or origins stay missing and are surfaced, not invented.
  • It does not parse every proprietary format; recognized-but-unsupported inputs are hashed and warned so you can route them to review.
