Operating scenarios
This page is generated from a checked-in data file and drift-tested: every command below resolves against the real CLI and build targets, every linked page exists, and every test module behind a row is imported and counted. A scenario that is not yet covered says so and names the work that will cover it — the table can be incomplete, but it cannot be wrong.
11 covered · 3 partial · 0 planned
| Scenario | Status | How you run it | Documentation | Proof |
|---|---|---|---|---|
| Fresh install on a developer or build machine | Covered | make install-check | Installation | 2 test modules |
| Continuous integration (GitHub Actions, GitLab CI, Jenkins) | Covered | sbomflow audit, sbomflow analyze | Operator CI runbook | 2 test modules |
| Air-gapped machine with no package-index egress | Covered | sbomflow analyze, sbomflow vulndb, make offline-installer | Security & privacy, Installation | 3 test modules |
| Corporate proxy with a custom certificate authority (opt-in network paths only) | Covered | sbomflow analyze | Security & privacy | 1 test module |
| SBOMFlow distributed and run as a container image | Partial | make image | Installation, Operator CI runbook | 1 test module |
| Windows, via WSL | Partial | sbomflow analyze | Installation | 2 test modules |
| Several reviewers deciding findings concurrently | Covered | sbomflow review, sbomflow approve | Observed vs reviewed | 3 test modules |
| Upgrading SBOMFlow in place over an existing evidence store | Covered | sbomflow validate, sbomflow store | Artifact schemas | 2 test modules |
| Disaster recovery: verifying a restored evidence store | Covered | sbomflow store verify, sbomflow validate | Evidence outputs | 3 test modules |
| A run interrupted part-way through writing its output | Covered | sbomflow doctor, sbomflow validate | Troubleshooting | 2 test modules |
| Evaluation converting to a licensed customer | Partial | sbomflow license status, sbomflow license verify | — | 2 test modules |
| Re-evaluating a shipped release against newer advisories | Covered | sbomflow recheck | Evidence outputs | 2 test modules |
| Handing evidence to a customer, supplier, or auditor | Covered | sbomflow auditor-pack, sbomflow bundle | Read an evidence bundle, Redaction contract | 2 test modules |
| Preparing a regulator-facing CRA Article 14 UNSIGNED draft | Covered | make incident-report | CRA-oriented evidence | 1 test module |
Status meanings
- Covered — Commands, documentation, and tests all exist and prove the scenario end to end.
- Partial — The scenario runs today, but part of it is not yet built or not yet proven. The note says which part.
- Planned — Not built yet. It is on the roadmap and is deliberately not claimed here.
Notes
- Air-gapped machine with no package-index egress — The engine is offline by default and needs no egress to run.
make offline-installernow builds a wheelhouse bundle (wheel, sdist, SHA256SUMS, INSTALL.txt) for machines that cannot reach a package index at install time, and a CI lane installs from it withpip install --no-index. Optional-extra wheels are included only from an operator-populated wheelhouse (EXTRAS_DIR=); the bundle builder never downloads. - Corporate proxy with a custom certificate authority (opt-in network paths only) — The shared HTTP transport honours
http_proxy/https_proxyandSSL_CERT_FILE/SSL_CERT_DIR, proven against real loopback proxy and TLS fixtures. It only matters on the opt-in network paths; the default run makes no requests at all. - SBOMFlow distributed and run as a container image — Decision: BUILD. A digest-pinned, non-root Dockerfile and
make imageexist and are structurally verified (base-image pinning, no source-tree leak, entrypoint, OCI labels). What is not yet proven in this environment is a live end-to-end build-and-run, which needs a local Docker daemon; the same test executes for real on any CI runner that has one. - Windows, via WSL — Windows-shaped input is hardened and tested, but no Windows runner is in the CI matrix, so native Windows is never claimed as tested. WSL matches the tested Linux rows.
- Several reviewers deciding findings concurrently — Concurrent decision writes are safe (compare-and-swap plus key-wise merge);
review --start/--forcelets reviewers claim an item so they stop silently duplicating work (item 113);review --bulkrecords many per-finding decisions from a worksheet, each validated and audited independently, with no blanket 'accept all' (item 238). - A run interrupted part-way through writing its output — An interrupted output directory is detected and diagnosed rather than silently reused. Re-running is the supported recovery: a warm scan cache makes an unchanged tree cost about a third of a cold run, so a resume mode was measured and deliberately not added.
- Evaluation converting to a licensed customer — Issuance (scripts/issue_entitlement.py --eval) and verification (sbomflow license status|verify) are built and tested end to end, and never gate any engine functionality. The prospect-facing description of the flow lives in the outreach kit (a sales-motion artifact, not an operator howto), so no public doc is cited here.
- Preparing a regulator-facing CRA Article 14 UNSIGNED draft — SBOMFlow never files, transmits, or signs the report. The draft always carries submitted: false.