Warning codes
Every scan warning SBOMFlow emits carries a stable code from a versioned catalog. Warnings are how SBOMFlow honours its core rule: malformed or recognized-but-unsupported input is surfaced, never silently ignored. A warning is an observation with an exact file path — it is not a failure, a vulnerability verdict, or a compliance conclusion.
Note
This page is generated from the product's warning catalog, so it matches the codes the SBOMFlow version it was generated from can emit. Codes passed to --strict are checked against the catalog of the installed version, so make sure the page you are reading matches the version you run.
How to work with warnings
- Every warning appears in scan-warnings.json with the exact relative path of the input that triggered it and a human-readable reason.
- The CLI summary prints the warning count; open scan-warnings.json for the details, or the HTML report for a readable view.
- Strict mode (analyze --strict or --strict=code1,code2) re-runs your policy after all artifacts are written and exits with code 5 when matching warnings are present, so CI can fail on the codes you care about without losing the evidence pack. Codes passed to --strict are validated against this catalog. See Exit codes.
- Severity below is the default severity; it describes how much attention a warning usually deserves, not a security rating.
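As an added example (not SBOMFlow's own code), here is a CI-side gate that does what the strict-mode bullet describes, run over a constructed scan-warnings.json: it validates the requested codes against a catalog subset so that a mistyped code cannot silently gate on nothing, then returns the documented exit code 5 when any record matches. The record field names (code, severity, path, reason), the interpretation of a bare --strict as "every code whose default severity is warning", and the sample file are assumptions for the demo, not a documented schema.

```python
"""Added example, not SBOMFlow's own code: a CI gate over scan-warnings.json.

Assumptions: each record carries "code", "severity", "path" and "reason"
(the page documents code, path and reason but not the JSON shape), and the
catalog below is a hand-picked subset of the codes on this page.
"""
import json

# Constructed subset of the catalog on this page: code -> default severity.
CATALOG = {
    "analyzer_executable_hash_mismatch": "warning",
    "symlink_outside_root": "warning",
    "cmake_path_traversal": "warning",
    "unpinned_requirements": "info",
    "syft_not_available": "info",
}

# Constructed sample of what a scan-warnings.json evidence file might hold.
SAMPLE_WARNINGS_JSON = json.dumps([
    {"code": "unpinned_requirements", "severity": "info",
     "path": "services/api/requirements.txt",
     "reason": "3 requirement lines without exact '==' pins were not inventoried"},
    {"code": "analyzer_executable_hash_mismatch", "severity": "warning",
     "path": "tools/analyzers/linter",
     "reason": "executable SHA-256 did not match the pinned hash; not executed"},
    {"code": "syft_not_available", "severity": "info",
     "path": ".", "reason": "syft not found on PATH; Syft discovery skipped"},
])

EXIT_OK = 0
EXIT_STRICT = 5  # the exit code the page documents for strict mode


def unknown_strict_codes(codes, catalog=CATALOG):
    """Codes the catalog does not know; a typo here would otherwise gate on nothing."""
    return sorted(c for c in codes if c not in catalog)


def validate_strict_codes(codes, catalog=CATALOG):
    """Mirror the documented rule that --strict codes are validated against the catalog."""
    unknown = unknown_strict_codes(codes, catalog)
    if unknown:
        raise ValueError("unknown warning code(s) for --strict: " + ", ".join(unknown))
    return sorted(set(codes))


def load_warnings(text):
    """Parse scan-warnings.json; a malformed evidence file is a hard error, not a warning."""
    records = json.loads(text)
    if not isinstance(records, list):
        raise ValueError("scan-warnings.json: expected a JSON array of warning records")
    for rec in records:
        for field in ("code", "severity", "path", "reason"):
            if not isinstance(rec, dict) or field not in rec:
                raise ValueError(f"scan-warnings.json: record missing {field!r}: {rec}")
    return records


def gate(warnings_text, strict_codes=None, catalog=CATALOG):
    """Return (exit_code, matching_records).

    strict_codes=None models a bare --strict, taken here (an assumption) to
    mean every catalog code whose default severity is 'warning'.
    """
    if strict_codes is None:
        codes = sorted(c for c, sev in catalog.items() if sev == "warning")
    else:
        codes = validate_strict_codes(strict_codes, catalog)
    hits = [w for w in load_warnings(warnings_text) if w["code"] in codes]
    return (EXIT_STRICT if hits else EXIT_OK), hits


if __name__ == "__main__":
    import sys
    code, hits = gate(SAMPLE_WARNINGS_JSON,
                      ["analyzer_executable_hash_mismatch", "symlink_outside_root"])
    for w in hits:
        print(f"{w['code']} [{w['severity']}] {w['path']}: {w['reason']}")
    sys.exit(code)  # 5 here: the hash-mismatch record matches
```

The gate never deletes or rewrites scan-warnings.json; like the documented strict mode it only decides the exit status after the evidence is on disk, so a failed pipeline still leaves the full pack for review.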
Severity levels
| Severity | Meaning |
|---|---|
| info | A recognized situation worth knowing about — for example, a recognized dependency manifest that is not parsed for components yet. |
| warning | Something was malformed, out of bounds, or could not be used as intended. The scan continued; the input was recorded. |
Codes by category
Analysis ingest
| Code | Default severity | Meaning |
|---|---|---|
sarif_ingest_malformed | warning | A SARIF file given for ingestion was missing/unreadable or not a SARIF log; it was skipped. |
sarif_ingest_unsupported_version | info | An ingested SARIF log declared a version other than 2.1.0; it was parsed conservatively. |
Analyzer adapter
| Code | Default severity | Meaning |
|---|---|---|
analyzer_executable_hash_mismatch | warning | A pinned external analyzer's executable SHA-256 did not match the expected hash; it was NOT executed (PATH substitution / swapped or tampered binary / version drift). |
analyzer_execution_failed | warning | An external analyzer adapter could not be executed (missing executable or run error); it was skipped. |
analyzer_invalid_output | warning | An external analyzer adapter emitted output that was not a valid protocol observation; the line was skipped. |
analyzer_nonzero_exit | warning | An external analyzer adapter exited with a non-zero status; any valid observations were still ingested. |
analyzer_output_truncated | warning | An external analyzer adapter exceeded the captured-output byte cap and its output was truncated. |
analyzer_timeout | warning | An external analyzer adapter exceeded its wall-clock timeout and was terminated. |
analyzer_unsupported_protocol | warning | An external analyzer adapter did not offer a protocol version SBOMFlow supports. |
cosign_missing_trust_material | warning | cosign verification was requested without a local key and offline bundle; skipped. |
cosign_not_available | info | The optional cosign tool is not installed; Sigstore verification was skipped (baseline never requires it). |
diffoscope_not_available | info | The optional diffoscope tool is not installed; the comparison was skipped (baseline never requires it). |
syft_not_available | info | The optional Syft tool is not installed; component discovery via Syft was skipped (baseline never requires it). |
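As an added example (not SBOMFlow's own code) of what the analyzer_executable_hash_mismatch row implies, the adapter below resolves a pinned external analyzer, hashes the resolved file rather than trusting its name on PATH, and refuses to execute it on a mismatch. The other failure modes in this table (missing executable, timeout, output cap, non-zero exit, invalid output lines) each become a warning record instead of an exception, and valid observations are kept even when a neighbouring line is bad. The JSON-lines observation format, the warning record fields, and the use of the running Python interpreter as the stand-in analyzer are assumptions for the demo.

```python
"""Added example, not SBOMFlow's own code: run an external analyzer only when
its executable matches a pinned SHA-256, turning each failure into a warning.

Assumptions: one JSON object per stdout line is a "protocol observation"
(the page names these but does not define the wire format), and warning
records are {"code", "path", "reason"}.
"""
import hashlib
import hmac
import json
import os
import re
import shutil
import subprocess
import sys

SELF_INTERPRETER = sys.executable  # stands in for a pinned external analyzer


def sha256_of_file(path, chunk_size=1 << 20):
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def self_pin():
    """Hash of the running interpreter, used as the 'expected' pin in the demo."""
    return sha256_of_file(SELF_INTERPRETER)


def resolve_pinned_executable(command, expected_sha256):
    """Locate the executable and check it against the pin; return (path, warning)."""
    expected = expected_sha256.strip().lower()
    if not re.fullmatch(r"[0-9a-f]{64}", expected):
        raise ValueError("pin must be a 64-hex-digit SHA-256")  # config error, not input
    path = command if os.sep in command else shutil.which(command)
    if path is None or not os.path.isfile(path):
        return None, {"code": "analyzer_execution_failed", "path": command,
                      "reason": "executable not found"}
    actual = sha256_of_file(path)  # hash the resolved file, not the name on PATH
    if not hmac.compare_digest(actual, expected):
        return None, {"code": "analyzer_executable_hash_mismatch", "path": path,
                      "reason": f"sha256 {actual} does not match pinned {expected}"}
    return path, None


def run_pinned_analyzer(command, expected_sha256, args=(), timeout_s=30,
                        max_output_bytes=1 << 20):
    """Return (observations, warnings); observations is None when nothing ran."""
    path, warning = resolve_pinned_executable(command, expected_sha256)
    if warning is not None:
        return None, [warning]  # refused: the binary is NOT executed
    try:
        proc = subprocess.run([path, *args], capture_output=True,
                              timeout=timeout_s, check=False)
    except subprocess.TimeoutExpired:
        return None, [{"code": "analyzer_timeout", "path": path,
                       "reason": f"exceeded {timeout_s}s wall-clock timeout"}]
    except OSError as exc:
        return None, [{"code": "analyzer_execution_failed", "path": path,
                       "reason": str(exc)}]
    warnings, output = [], proc.stdout
    if len(output) > max_output_bytes:
        # A streaming adapter would stop reading at the cap; here only parsing is bounded.
        output = output[:max_output_bytes]
        warnings.append({"code": "analyzer_output_truncated", "path": path,
                         "reason": f"stdout exceeded {max_output_bytes} bytes"})
    if proc.returncode != 0:
        warnings.append({"code": "analyzer_nonzero_exit", "path": path,
                         "reason": f"exit status {proc.returncode}"})
    observations = []
    for lineno, line in enumerate(output.decode("utf-8", "replace").splitlines(), 1):
        if not line.strip():
            continue
        try:
            obs = json.loads(line)
        except ValueError:
            obs = None
        if not isinstance(obs, dict):
            warnings.append({"code": "analyzer_invalid_output", "path": path,
                             "reason": f"stdout line {lineno} is not a JSON observation"})
            continue
        observations.append(obs)  # valid observations survive a bad neighbour
    return observations, warnings


if __name__ == "__main__":
    payload = "import json; print(json.dumps({'component': 'zlib', 'version': '1.3.1'}))"
    print(run_pinned_analyzer(SELF_INTERPRETER, self_pin(), ["-c", payload]))
    print(run_pinned_analyzer(SELF_INTERPRETER, "0" * 64, ["-c", payload]))
```

The second call in the demo shows the refusal path: the warning names the resolved path and both hashes, and the interpreter is never started. Pin the hash of the file you actually audited, not of whatever `which` finds today.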
Container
| Code | Default severity | Meaning |
|---|---|---|
malformed_container_image | warning | A local container image archive could not be parsed as supported Docker or OCI image metadata. |
malformed_container_package_db | warning | A local container/rootfs package database could not be parsed. |
missing_container_os_release | warning | Container/rootfs package metadata lacked os-release vendor context, so generic purls were emitted. |
unreadable_container_image | warning | A local container image archive could not be read. |
unreadable_container_os_release | warning | A container/rootfs os-release file could not be read. |
unreadable_container_package_db | warning | A container/rootfs package database could not be read. |
unrecognized_container_package_db | info | A container/rootfs package database shape was not recognized by supported parsers. |
unsupported_container_image | warning | A local archive looked like a container image but did not match a supported Docker or OCI image shape. |
unsupported_container_package_db | info | A container/rootfs package database shape was recognized but is not supported. |
Decision migration
| Code | Default severity | Meaning |
|---|---|---|
legacy_decision_ambiguous | warning | A legacy advisory-keyed reviewer decision or waiver matched more than one finding instance and was not applied; re-review per finding_key (finding-identity v2). |
legacy_decision_no_match | warning | A legacy reviewer decision or waiver matched no current finding (stale) and was not applied. |
Embedded build
| Code | Default severity | Meaning |
|---|---|---|
build_evidence_not_parsed | info | A recognized build-evidence output was retained and hashed but is not interpreted by the default scan; use its dedicated importer where available or review it manually. |
buildroot_license_files_without_license | info | A Buildroot package declared LICENSE FILES but no LICENSE value; surfaced for reviewer attention. |
cmake_malformed_reply | warning | A CMake File API reply file was missing or not valid JSON; it was skipped. |
cmake_path_traversal | warning | A CMake File API reply referenced an unsafe (absolute or traversing) path; it was refused. |
cmake_unsupported_object_version | warning | A CMake File API object used an unsupported version; it was not trusted/parsed. |
esp_idf_malformed | warning | An ESP-IDF build artifact was unreadable or malformed; it was skipped. |
esp_idf_project_not_found | warning | No ESP-IDF outputs (project_description.json / sdkconfig) were found under the given path. |
linker_map_malformed | warning | A linker map file was missing or unreadable; it was skipped. |
linker_map_truncated | warning | A linker map exceeded the size/line limits and was truncated before parsing. |
linker_map_unrecognized_format | warning | A linker map file matched no supported (GNU ld / LLVM lld) shape; it was not parsed. |
twister_results_malformed | warning | A Zephyr Twister twister.json was unreadable or not a recognized Twister result; it was skipped. |
twister_results_not_found | warning | No Zephyr Twister results (twister.json) were found under the given path. |
zephyr_spdx_malformed | warning | A Zephyr west SPDX document was missing/unreadable or not an SPDX document; it was skipped. |
zephyr_spdx_not_found | warning | No Zephyr west SPDX set was found under the given build directory. |
Enrichment
| Code | Default severity | Meaning |
|---|---|---|
missing_epss_snapshot | warning | A configured FIRST EPSS snapshot was missing. |
missing_kev_snapshot | warning | A configured CISA KEV snapshot was missing. |
missing_nvd_snapshot | warning | A configured NVD snapshot was missing. |
nvd_enrichment_error | warning | NVD enrichment failed or returned malformed data. |
External SBOM
| Code | Default severity | Meaning |
|---|---|---|
external_sbom_component_missing_purl | warning | A supplier SBOM component did not include a package URL and could not be matched as a normalized component. |
external_sbom_dangling_dependency | warning | A supplier SBOM dependency referenced a component that was not present in the imported component set. |
invalid_external_sbom_purl | warning | A supplier SBOM component contained an invalid package URL. |
malformed_external_sbom | warning | A supplier SBOM file could not be parsed as JSON. |
malformed_external_sbom_component | warning | A supplier SBOM component entry did not match a supported component shape. |
malformed_external_sbom_dependencies | warning | A supplier SBOM dependency section did not match a supported dependency shape. |
missing_external_sbom | warning | A configured external supplier SBOM file was missing. |
unreadable_external_sbom | warning | A supplier SBOM file could not be read. |
unrecognized_external_sbom_format | warning | A supplier SBOM was neither supported CycloneDX JSON nor supported SPDX JSON. |
Firmware evidence
| Code | Default severity | Meaning |
|---|---|---|
firmware_extraction_failed | warning | An optional firmware extraction tool failed; partial regular-file observations may remain. |
firmware_extraction_unsafe_output | warning | Firmware extraction produced a symlink, device, deep path, or output outside the designated extraction root; it was rejected. |
firmware_extractor_not_available | info | The selected optional binwalk/unblob executable was unavailable; baseline analysis continued. |
mcuboot_bad_magic | warning | A file given to the MCUboot parser did not start with the MCUboot image magic. |
mcuboot_malformed_image | warning | An MCUboot image was unreadable or its TLV structure was out of bounds; parsing stopped safely. |
mcuboot_truncated | warning | An MCUboot image's declared sizes extend beyond the file; parsing was bounded to the available bytes. |
Manufacturer evidence
| Code | Default severity | Meaning |
|---|---|---|
ambiguous_annex_i_evidence_content | warning | Supplied Annex I evidence was present but deterministic content extraction found no useful routing fields. |
annex_i_evidence_type_requirement_mismatch | warning | An Annex I evidence input was routed to a requirement outside the supported evidence-type mapping. |
incomplete_annex_i_structured_evidence | warning | Structured Annex I metadata was present but omitted one or more expected fields for that evidence type. |
malformed_annex_i_evidence_input | warning | Annex I evidence input JSON did not match the supported local schema. |
malformed_annex_i_evidence_inputs | warning | Annex I evidence input JSON did not match the supported local schema. |
malformed_annex_i_evidence_type | warning | An Annex I evidence input used an unsupported evidence type shape. |
malformed_annex_i_requirement_input | warning | An Annex I requirement entry did not match the supported input schema. |
malformed_annex_i_supplied_files | warning | An Annex I supplied-files entry was not a supported list of local file paths. |
missing_annex_i_evidence_file | warning | A configured Annex I manufacturer evidence file was missing. |
missing_annex_i_evidence_input_file | warning | A configured Annex I manufacturer evidence file was missing. |
missing_annex_i_evidence_inputs | warning | A configured Annex I evidence input file was missing. |
oversize_annex_i_evidence_input_file | warning | A supplied Annex I evidence file exceeded the deterministic content-inspection size limit. |
unknown_annex_i_evidence_type | warning | An Annex I evidence input used an unknown evidence type. |
unknown_annex_i_requirement | warning | An Annex I evidence input referenced an unknown requirement id. |
unreadable_annex_i_evidence_input_file | warning | A supplied Annex I evidence file could not be read. |
OCI evidence
| Code | Default severity | Meaning |
|---|---|---|
oci_bad_digest_reference | warning | An OCI descriptor used a non-sha256/invalid digest reference; refused (path-traversal safe). |
oci_blob_digest_mismatch | warning | An OCI blob's content did not match its claimed digest. |
oci_layout_malformed | warning | An OCI layout index/manifest was unreadable or malformed; skipped. |
oci_layout_not_found | warning | The given path is not an OCI image layout (no oci-layout/index.json); skipped. |
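As an added example (not SBOMFlow's own code) of the refusals in this table, the walker below resolves each index.json descriptor to blobs/sha256/<hex> only after the digest reference has been validated by exact shape, checks that the resolved file still lies under the layout root (the same escape the scanner reports as symlink_outside_root), and verifies every blob's content against its claimed digest before trusting it. The sample layout is built in a temporary directory with one good manifest, one swapped blob and one hostile digest; the oci-layout/index.json/blobs structure is the standard OCI one, while the warning record fields and the sample content are constructed assumptions.

```python
"""Added example, not SBOMFlow's own code: walk an OCI image layout without
letting index.json choose which file gets read, and verify blob digests.

Assumptions: warning records are {"code", "path", "reason"}; the sample
layout is constructed by build_sample_layout().
"""
import hashlib
import json
import os
import re
import tempfile

DIGEST_RE = re.compile(r"\Asha256:[0-9a-f]{64}\Z")


def warning(code, path, reason):
    return {"code": code, "path": path, "reason": reason}


def blob_path(layout_root, digest):
    """Map a descriptor digest to blobs/sha256/<hex>, or refuse it.

    The digest string is the only part of an attacker-controlled index.json
    that reaches the filesystem, so it is checked by exact shape first:
    "sha256:../../etc/passwd" is refused before any path is joined.
    """
    if not DIGEST_RE.match(digest):
        return None, warning("oci_bad_digest_reference", "index.json",
                             f"refused digest reference {digest!r}")
    candidate = os.path.join(layout_root, "blobs", "sha256", digest[7:])
    # Even a well-formed name must resolve inside the layout; a symlinked
    # blobs/ entry is the escape the scanner reports as symlink_outside_root.
    root = os.path.realpath(layout_root)
    if os.path.commonpath([root, os.path.realpath(candidate)]) != root:
        return None, warning("oci_bad_digest_reference", candidate,
                             "blob resolves outside the layout root")
    return candidate, None


def read_blob(layout_root, digest):
    """Read a blob and verify that its content hashes to the claimed digest."""
    path, warn = blob_path(layout_root, digest)
    if warn:
        return None, warn
    try:
        with open(path, "rb") as fh:
            data = fh.read()
    except OSError as exc:
        return None, warning("oci_layout_malformed", path,
                             f"referenced blob unreadable: {exc.strerror}")
    actual = "sha256:" + hashlib.sha256(data).hexdigest()
    if actual != digest:
        return None, warning("oci_blob_digest_mismatch", path,
                             f"content hashes to {actual}")
    return data, None


def load_manifests(layout_root):
    """Return (manifests, warnings) for every descriptor listed in index.json."""
    index_path = os.path.join(layout_root, "index.json")
    if not (os.path.isfile(os.path.join(layout_root, "oci-layout"))
            and os.path.isfile(index_path)):
        return [], [warning("oci_layout_not_found", layout_root, "no oci-layout/index.json")]
    try:
        with open(index_path, "rb") as fh:
            descriptors = json.load(fh)["manifests"]
        if not isinstance(descriptors, list):
            raise ValueError("manifests is not a list")
    except (OSError, ValueError, KeyError, TypeError) as exc:
        return [], [warning("oci_layout_malformed", index_path, str(exc))]
    manifests, warnings = [], []
    for desc in descriptors:
        digest = desc.get("digest") if isinstance(desc, dict) else None
        if not isinstance(digest, str):
            warnings.append(warning("oci_layout_malformed", index_path,
                                    "descriptor without a string digest"))
            continue
        data, warn = read_blob(layout_root, digest)
        if warn:
            warnings.append(warn)
            continue
        try:
            manifests.append(json.loads(data))
        except ValueError:
            warnings.append(warning("oci_layout_malformed", digest, "manifest blob is not JSON"))
    return manifests, warnings


def build_sample_layout(root):
    """Constructed sample: one good manifest, one swapped blob, one hostile digest."""
    blobs = os.path.join(root, "blobs", "sha256")
    os.makedirs(blobs)
    with open(os.path.join(root, "oci-layout"), "w") as fh:
        json.dump({"imageLayoutVersion": "1.0.0"}, fh)
    good = json.dumps({"schemaVersion": 2, "layers": []}).encode()
    good_digest = "sha256:" + hashlib.sha256(good).hexdigest()
    with open(os.path.join(blobs, good_digest[7:]), "wb") as fh:
        fh.write(good)
    claimed = "sha256:" + hashlib.sha256(b"original manifest").hexdigest()
    with open(os.path.join(blobs, claimed[7:]), "wb") as fh:
        fh.write(b'{"schemaVersion": 2, "layers": ["swapped"]}')  # stored under another content's digest
    index = {"schemaVersion": 2, "manifests": [
        {"digest": good_digest}, {"digest": claimed},
        {"digest": "sha256:../../../../etc/passwd"}]}  # hostile descriptor
    with open(os.path.join(root, "index.json"), "w") as fh:
        json.dump(index, fh)


def demo():
    """Build the sample layout in a temp dir and walk it; returns (manifests, warnings)."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_layout(root)
        return load_manifests(root)


if __name__ == "__main__":
    manifests, warnings = demo()
    print(len(manifests), "manifest(s) accepted")
    for w in warnings:
        print(f"{w['code']}: {w['path']}: {w['reason']}")
```

Running the demo accepts the one good manifest and emits oci_blob_digest_mismatch for the swapped blob and oci_bad_digest_reference for the hostile descriptor, which is the same warn-and-continue behaviour this table describes: the bad entries are recorded with their paths and the rest of the layout is still processed.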
| Code | Default severity | Meaning |
|---|---|---|
scan_cache_unreadable | warning | The optional scan cache could not be read or written and was ignored. |
Provenance
| Code | Default severity | Meaning |
|---|---|---|
build_provenance_subject_digest_mismatch | warning | A supplied build-provenance subject digest did not match the referenced local artifact hash. |
build_provenance_subject_invalid_sha256 | warning | A supplied build-provenance subject did not contain a valid SHA-256 digest. |
build_provenance_subject_missing_sha256 | warning | A supplied build-provenance subject omitted a SHA-256 digest. |
build_provenance_subject_unmatched | warning | A supplied build-provenance subject did not match a scanned local artifact. |
invalid_build_provenance_subject | warning | A supplied build-provenance subject digest was malformed or unsupported. |
malformed_build_provenance | warning | A supplied build-provenance file could not be parsed as supported JSON provenance. |
missing_build_provenance_file | warning | A configured build-provenance file was missing. |
Reachability
| Code | Default severity | Meaning |
|---|---|---|
malformed_reachability_evidence | warning | Reachability evidence input JSON did not match the supported local schema. |
malformed_reachability_evidence_inputs | warning | Reachability evidence input JSON did not match the supported local schema. |
missing_reachability_evidence_file | warning | A configured reachability evidence file was missing. |
missing_reachability_evidence_input_file | warning | A configured reachability evidence file was missing. |
missing_reachability_evidence_inputs | warning | A configured reachability evidence input file was missing. |
reachability_python_parse_error | warning | A Python source file could not be parsed during deterministic reachability inspection. |
reachability_tree_sitter_limit | warning | Optional Tree-sitter analysis hit a deterministic traversal or output limit. |
reachability_tree_sitter_parse_error | warning | Optional Tree-sitter parsing failed or recovered from malformed C/C++ source. |
reachability_tree_sitter_unavailable | warning | Optional Tree-sitter runtime or C/C++ grammar was unavailable; baseline scanning continued. |
reachability_unreadable_file | warning | A source file could not be read during deterministic reachability inspection. |
Release history
| Code | Default severity | Meaning |
|---|---|---|
invalid_support_period_release_metadata | warning | Release support-period metadata could not be parsed as a supported date/time value. |
missing_support_policy_file | warning | A configured support-policy evidence file was missing. |
previous_output_unavailable | warning | A previous output directory was unavailable for release-drift comparison. |
support_policy_declared_without_release_metadata | warning | A support policy was supplied but release support-period metadata was not declared. |
support_policy_missing_declared_support_period | warning | A supplied support policy did not contain a deterministic support-period date matching the release metadata shape. |
support_policy_multiple_support_period_dates | warning | A supplied support policy contained multiple support-period dates and needs reviewer interpretation. |
support_policy_support_period_mismatch | warning | A supplied support policy date did not match the declared release support period. |
unreadable_support_policy_file | warning | A supplied support-policy evidence file could not be read. |
Resource limits
| Code | Default severity | Meaning |
|---|---|---|
resource_limit_exceeded | warning | An untrusted input exceeded a configured resource budget (size/expanded-bytes/ratio/entries/depth/path/symlink) and was bounded. |
Review
| Code | Default severity | Meaning |
|---|---|---|
missing_approvals_file | warning | A configured approvals file was missing. |
missing_reviews_file | warning | A configured evidence reviews file was missing. |
missing_waivers_file | warning | A configured waivers file was missing. |
Scanner
| Code | Default severity | Meaning |
|---|---|---|
device_tree_not_parsed | info | A recognized device-tree source overlay was retained and hashed but is not parsed for components in the default scan; hardware-revision differences it encodes need human review. |
malformed_component_name | warning | A parsed component name was structurally invalid and could not form a valid component identity; the component was dropped with a warning. |
malformed_component_version | warning | A parsed component version was structurally invalid (contained table/JSON/line text); it was recorded without a version instead of emitting garbage. |
malformed_manifest | warning | A local manifest was malformed and could not be parsed for observed facts. |
oci_image_index_not_parsed | info | A recognized OCI image index/layout was found but is not parsed for components in the default scan; use the opt-in OCI evidence path. |
symlink_outside_root | warning | A path resolved outside the scan root (symlink escape) and was skipped to avoid reading files outside the analyzed product. |
unparseable_manifest | warning | A local manifest was detected but could not be parsed. |
unpinned_requirements | info | requirements.txt lines without exact '==' pins were not inventoried; pin them or supply a lockfile. |
unreadable_file | warning | A local file could not be read during scanning. |
unrecognized_manifest_format | info | A recognized manifest-like file did not match a supported deterministic parser shape. |
unsupported_lockfile | info | A lockfile was recognized but its format/version is not yet parsed. |
version_conflict | warning | The scan observed conflicting versions for the same normalized component identity. |
Signal
| Code | Default severity | Meaning |
|---|---|---|
missing_security_txt_field | warning | A security.txt file was present but lacked a required RFC 9116 field. |
security_txt_expired | warning | A security.txt file has an Expires value before the scan date. |
SSVC
| Code | Default severity | Meaning |
|---|---|---|
invalid_ssvc_context_value | warning | SSVC context used a value outside the supported decision-point options. |
malformed_ssvc_context | warning | SSVC context JSON did not match the supported local schema. |
missing_ssvc_context | warning | A configured SSVC context file was missing. |
unknown_ssvc_context_key | warning | SSVC context contained an unknown decision-point key. |
Supplier VEX
| Code | Default severity | Meaning |
|---|---|---|
malformed_supplier_vex | warning | Supplier VEX input was malformed or unsupported. |
malformed_supplier_vex_statement | warning | A supplier VEX statement could not be parsed into a supported advisory status. |
missing_supplier_vex | warning | A configured supplier VEX file was missing. |
supplier_vex_invalid_justification | warning | A supplier VEX not_affected statement used an unsupported justification. |
unreadable_supplier_vex | warning | A supplier VEX file could not be read. |
unrecognized_supplier_vex_format | warning | A supplier VEX file was neither supported OpenVEX JSON nor supported CSAF JSON. |
unsupported_supplier_vex_status | warning | A supplier VEX statement used a status outside the supported set. |
Technical documentation
| Code | Default severity | Meaning |
|---|---|---|
ambiguous_technical_documentation_content | warning | Supplied technical-documentation evidence was present but deterministic content extraction found no useful routing fields. |
incomplete_technical_documentation_structured_input | warning | Structured technical-documentation metadata was present but omitted one or more expected fields for that input type. |
malformed_technical_documentation_input | warning | Technical-documentation input JSON did not match the supported local schema. |
malformed_technical_documentation_input_type | warning | A technical-documentation input used an unsupported input-type shape. |
malformed_technical_documentation_inputs | warning | Technical-documentation input JSON did not match the supported local schema. |
malformed_technical_documentation_section | warning | A technical-documentation section entry did not match the supported input schema. |
malformed_technical_documentation_supplied_files | warning | A technical-documentation supplied-files entry was not a supported list of local file paths. |
missing_technical_documentation_file | warning | A configured technical-documentation evidence file was missing. |
missing_technical_documentation_input_file | warning | A configured technical-documentation evidence file was missing. |
missing_technical_documentation_inputs | warning | A configured technical-documentation input file was missing. |
oversize_technical_documentation_input_file | warning | A supplied technical-documentation evidence file exceeded the deterministic content-inspection size limit. |
technical_documentation_input_type_section_mismatch | warning | A technical-documentation input was routed to a section outside the supported input-type mapping. |
technical_documentation_metadata_content_mismatch | warning | Declared Annex VII metadata (support-period date, signed-DoC date, or standard reference) is inconsistent with the content parsed from the supplied document. Consistency signal only — not an adequacy or conformity judgement. |
unknown_technical_documentation_input_type | warning | A technical-documentation input used an unknown input type. |
unknown_technical_documentation_section | warning | A technical-documentation input referenced an unknown model section. |
unreadable_technical_documentation_input_file | warning | A supplied technical-documentation evidence file could not be read. |
Test results
| Code | Default severity | Meaning |
|---|---|---|
inconsistent_test_result_totals | warning | A supplied test-result summary had totals that did not reconcile deterministically. |
malformed_test_result | warning | A supplied test-result file could not be parsed as supported JUnit XML or TAP. |
missing_test_result | warning | A configured test-result file was missing. |
missing_test_result_file | warning | A configured test-result file was missing. |
unreadable_test_result | warning | A supplied test-result file could not be read. |
unrecognized_test_result_format | warning | A supplied test-result file was not recognized as supported JUnit XML or TAP. |
Update manifest
| Code | Default severity | Meaning |
|---|---|---|
suit_draft_format | info | A SUIT CBOR manifest was parsed against the pinned current Internet-Draft, not a final RFC serialization. |
update_manifest_expired | warning | Update metadata declared an expiry before the selected as-of time; no trust conclusion was made. |
update_manifest_malformed | warning | A TUF or SUIT update-manifest artifact was malformed, truncated, or exceeded a resource limit. |
update_manifest_missing_role | warning | A supplied TUF metadata set omitted one of root, targets, snapshot, or timestamp. |
Vendor update
| Code | Default severity | Meaning |
|---|---|---|
mender_artifact_malformed | warning | A Mender Artifact tar/header structure was malformed, unsafe, or exceeded a resource limit. |
mender_artifact_missing | warning | The requested Mender Artifact file was not found. |
rauc_bundle_container_unsupported | warning | A RAUC signed SquashFS/CMS bundle was supplied where the bounded stdlib adapter requires manifest.raucm. |
rauc_manifest_malformed | warning | A RAUC manifest.raucm file was malformed or exceeded a resource limit. |
rauc_manifest_missing | warning | A RAUC manifest.raucm file was not found at the requested path. |
rauc_unsafe_payload_path | warning | A RAUC manifest referenced an absolute or traversing payload path; it was rejected. |
swupdate_artifact_malformed | warning | An SWUpdate newc/crc cpio or sw-description artifact was malformed, unsafe, or exceeded a resource limit. |
swupdate_artifact_missing | warning | The requested SWUpdate .swu or sw-description artifact was not found. |
uptane_metadata_expired | warning | Uptane repository metadata declared an expiry before the selected as-of time. |
uptane_metadata_malformed | warning | Uptane Director/Image repository metadata was malformed or exceeded a resource limit. |
uptane_metadata_missing | warning | No Uptane/TUF JSON metadata was found at the requested path. |
Vulnerability
| Code | Default severity | Meaning |
|---|---|---|
vulnerability_enrichment_error | warning | A vulnerability data source or exploitation snapshot (OSV/NVD/KEV/EPSS) failed to load or enrich; results may be incomplete. |
Vulnerability source
| Code | Default severity | Meaning |
|---|---|---|
cross_source_severity_conflict | info | Vulnerability sources disagree on a finding's severity; surfaced for human review, never merged into a consensus. |
no_usable_vulnerability_intelligence | warning | No configured vulnerability source produced usable intelligence on this run (distinct from zero findings). |
stale_vulnerability_data | warning | A configured vulnerability source's data is older than the configured staleness window. |
West
| Code | Default severity | Meaning |
|---|---|---|
unsupported_west_import | warning | A Zephyr west import reference could not be resolved by the opt-in resolver. |
west_import_fetch_failed | warning | The opt-in Zephyr west import resolver could not fetch an imported manifest. |
west_import_unparseable | warning | The opt-in Zephyr west import resolver fetched a manifest that could not be parsed. |
west_import_unrecognized | warning | The opt-in Zephyr west import resolver fetched a manifest with an unrecognized shape. |
west_import_unresolved_remote | warning | The opt-in Zephyr west import resolver could not resolve a remote URL for an imported project. |
west_import_unsupported_forge | warning | The opt-in Zephyr west import resolver encountered a remote forge it does not support. |
If a warning looks wrong
A warning that appears incorrect — firing on a valid file, or naming the wrong reason — is a bug we want to know about. Include the warning code, the file's shape (never customer content), and your SBOMFlow version. See the FAQ for how to get support.