FAQ & glossary
FAQ
Does SBOMFlow make my product CRA-compliant? No. SBOMFlow produces engineering release-readiness evidence and reports gaps. It never claims compliance or conformity and is not legal advice.
Does anything leave my machine? Not by default. A default audit makes zero network requests. Network actions are explicit, named, and opt-in, and send identifiers (not source or firmware). See Security & privacy.
Is there vendor telemetry? No. There is no vendor telemetry. metrics.json is local, opt-in, and yours.
Can I use it fully air-gapped? Yes. Run offline and use snapshot files for enrichment.
Which build inputs are supported? Common lockfiles/manifests, container/firmware inputs, and imported CycloneDX/SPDX SBOMs, plus specialist importers. "Supported" means tested — run sbomflow --help to see what is available in your version.
Is it released on PyPI/Homebrew yet? Not yet. Install from a clone today.
Glossary
- SBOM — Software Bill of Materials; the inventory of components in a build.
- VEX — Vulnerability Exploitability eXchange; a statement (e.g. not_affected) about whether a vulnerability affects a product. In SBOMFlow, VEX status comes only from human review.
- Evidence gap — a requirement area where evidence was not observed. It is not a statement that the requirement is unmet.
- Release gate — an engineering pass/fail control based on manufacturer policy.
- Provenance — the recorded origin (including SHA-256 hashes) of every input.
- Drift — the difference in engineering artifacts between two releases.
- Observed vs reviewed — machine observation is never human review; see Observed vs reviewed.
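The Provenance and Drift entries above are easier to reason about with a concrete computation. The block below is an added example, not SBOMFlow's own code or data model: it hashes two constructed CycloneDX-style documents for consecutive releases (the provenance record) and diffs their component sets (the drift). Keying components on the purl with its version stripped is an assumption of this example, and purl qualifiers and subpaths are ignored.

```python
import hashlib
import json

# Constructed sample inputs for this example: two minimal CycloneDX-style SBOMs
# for consecutive releases of the same product. Not real project data.
RELEASE_A = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "components": [
        {"purl": "pkg:pypi/requests@2.31.0"},
        {"purl": "pkg:pypi/urllib3@2.0.7"},
        {"purl": "pkg:pypi/idna@3.6"},
    ],
}).encode()

RELEASE_B = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "components": [
        {"purl": "pkg:pypi/requests@2.32.3"},
        {"purl": "pkg:pypi/urllib3@2.0.7"},
        {"purl": "pkg:pypi/certifi@2024.2.2"},
    ],
}).encode()


def provenance(name, data):
    """Provenance record for one input: its name plus the SHA-256 of its exact bytes.

    Hashing the bytes as read (not a re-serialised parse) is what lets a later run
    prove it looked at the same file, byte for byte.
    """
    return {
        "input": name,
        "sha256": hashlib.sha256(data).hexdigest(),
        "bytes": len(data),
    }


def components(sbom_bytes):
    """Map component identity (purl without version) -> version.

    Example simplification: the part after the last '@' is taken as the version;
    purl qualifiers ('?...') and subpaths ('#...') are not handled here.
    """
    doc = json.loads(sbom_bytes)
    out = {}
    for comp in doc.get("components", []):
        purl = comp["purl"]
        base, sep, version = purl.rpartition("@")
        if not sep:                 # purl carries no version at all
            base, version = purl, ""
        out[base] = version
    return out


def drift(old_bytes, new_bytes):
    """Engineering drift between two releases: added, removed and re-versioned components.

    This is machine observation only; whether a change matters is a review decision.
    """
    old, new = components(old_bytes), components(new_bytes)
    common = set(old) & set(new)
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "changed": {k: (old[k], new[k]) for k in sorted(common) if old[k] != new[k]},
    }


if __name__ == "__main__":
    for name, data in (("release-a.cdx.json", RELEASE_A), ("release-b.cdx.json", RELEASE_B)):
        print(json.dumps(provenance(name, data)))
    print(json.dumps(drift(RELEASE_A, RELEASE_B), indent=2))
```

The provenance record is deliberately a digest of the raw bytes rather than of the parsed document: two files that parse to the same components but differ in whitespace or key order are still different inputs, and a release record should say which one was actually examined.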
Getting help & disclosure
- Read any error offline: sbomflow help error <code>.
- Report a security issue responsibly via the project's security policy.