Warning codes

Every scan warning SBOMFlow emits carries a stable code from a versioned catalog. Warnings are how SBOMFlow honours its core rule: malformed or recognized-but-unsupported input is surfaced, never silently ignored. A warning is an observation with an exact file path — it is not a failure, a vulnerability verdict, or a compliance conclusion.

Note

This page is generated from the product's warning catalog, so it always matches the codes your installed version can emit.

How to work with warnings

  • Every warning appears in scan-warnings.json with the exact relative path of the input that triggered it and a human-readable reason.
  • The CLI summary prints the warning count; open scan-warnings.json for the details, or the HTML report for a readable view.
  • Strict mode (analyze --strict or --strict=code1,code2) re-runs your policy after all artifacts are written and exits with code 5 when matching warnings are present — so CI can fail on the codes you care about without losing the evidence pack. Codes passed to --strict are validated against this catalog. See Exit codes.
  • Severity below is the default severity; it describes how much attention a warning usually deserves, not a security rating.

Severity levels

Severity | Meaning
info | A recognized situation worth knowing about — for example, a recognized dependency manifest that is not parsed for components yet.
warning | Something was malformed, out of bounds, or could not be used as intended. The scan continued; the input was recorded.

Codes by category

Analysis ingest

Code | Default severity | Meaning
sarif_ingest_malformed | warning | A SARIF file given for ingestion was missing/unreadable or not a SARIF log; it was skipped.
sarif_ingest_unsupported_version | info | An ingested SARIF log declared a version other than 2.1.0; it was parsed conservatively.

Analyzer adapter

Code | Default severity | Meaning
analyzer_executable_hash_mismatch | warning | A pinned external analyzer's executable SHA-256 did not match the expected hash; it was NOT executed (PATH substitution / swapped or tampered binary / version drift).
analyzer_execution_failed | warning | An external analyzer adapter could not be executed (missing executable or run error); it was skipped.
analyzer_invalid_output | warning | An external analyzer adapter emitted output that was not a valid protocol observation; the line was skipped.
analyzer_nonzero_exit | warning | An external analyzer adapter exited with a non-zero status; any valid observations were still ingested.
analyzer_output_truncated | warning | An external analyzer adapter exceeded the captured-output byte cap and its output was truncated.
analyzer_timeout | warning | An external analyzer adapter exceeded its wall-clock timeout and was terminated.
analyzer_unsupported_protocol | warning | An external analyzer adapter did not offer a protocol version SBOMFlow supports.
cosign_missing_trust_material | warning | cosign verification was requested without a local key and offline bundle; skipped.
cosign_not_available | info | The optional cosign tool is not installed; Sigstore verification was skipped (baseline never requires it).
diffoscope_not_available | info | The optional diffoscope tool is not installed; the comparison was skipped (baseline never requires it).
syft_not_available | info | The optional Syft tool is not installed; component discovery via Syft was skipped (baseline never requires it).

Container

Code | Default severity | Meaning
malformed_container_image | warning | A local container image archive could not be parsed as supported Docker or OCI image metadata.
malformed_container_package_db | warning | A local container/rootfs package database could not be parsed.
missing_container_os_release | warning | Container/rootfs package metadata lacked os-release vendor context, so generic purls were emitted.
unreadable_container_image | warning | A local container image archive could not be read.
unreadable_container_os_release | warning | A container/rootfs os-release file could not be read.
unreadable_container_package_db | warning | A container/rootfs package database could not be read.
unrecognized_container_package_db | info | A container/rootfs package database shape was not recognized by supported parsers.
unsupported_container_image | warning | A local archive looked like a container image but did not match a supported Docker or OCI image shape.
unsupported_container_package_db | info | A container/rootfs package database shape was recognized but is not supported.

Decision migration

Code | Default severity | Meaning
legacy_decision_ambiguous | warning | A legacy advisory-keyed reviewer decision or waiver matched more than one finding instance and was not applied; re-review per finding_key (finding-identity v2).
legacy_decision_no_match | warning | A legacy reviewer decision or waiver matched no current finding (stale) and was not applied.

Embedded build

Code | Default severity | Meaning
build_evidence_not_parsed | info | A recognized build-evidence output was retained and hashed but is not interpreted by the default scan; use its dedicated importer where available or review it manually.
buildroot_license_files_without_license | info | A Buildroot package declared LICENSE FILES but no LICENSE value; surfaced for reviewer attention.
cmake_malformed_reply | warning | A CMake File API reply file was missing or not valid JSON; it was skipped.
cmake_path_traversal | warning | A CMake File API reply referenced an unsafe (absolute or traversing) path; it was refused.
cmake_unsupported_object_version | warning | A CMake File API object used an unsupported version; it was not trusted/parsed.
esp_idf_malformed | warning | An ESP-IDF build artifact was unreadable or malformed; it was skipped.
esp_idf_project_not_found | warning | No ESP-IDF outputs (project_description.json / sdkconfig) were found under the given path.
linker_map_malformed | warning | A linker map file was missing or unreadable; it was skipped.
linker_map_truncated | warning | A linker map exceeded the size/line limits and was truncated before parsing.
linker_map_unrecognized_format | warning | A linker map file matched no supported (GNU ld / LLVM lld) shape; it was not parsed.
twister_results_malformed | warning | A Zephyr Twister twister.json was unreadable or not a recognized Twister result; it was skipped.
twister_results_not_found | warning | No Zephyr Twister results (twister.json) were found under the given path.
zephyr_spdx_malformed | warning | A Zephyr west SPDX document was missing/unreadable or not an SPDX document; it was skipped.
zephyr_spdx_not_found | warning | No Zephyr west SPDX set was found under the given build directory.

Enrichment

Code | Default severity | Meaning
missing_epss_snapshot | warning | A configured FIRST EPSS snapshot was missing.
missing_kev_snapshot | warning | A configured CISA KEV snapshot was missing.
missing_nvd_snapshot | warning | A configured NVD snapshot was missing.
nvd_enrichment_error | warning | NVD enrichment failed or returned malformed data.

External SBOM

Code | Default severity | Meaning
external_sbom_component_missing_purl | warning | A supplier SBOM component did not include a package URL and could not be matched as a normalized component.
external_sbom_dangling_dependency | warning | A supplier SBOM dependency referenced a component that was not present in the imported component set.
invalid_external_sbom_purl | warning | A supplier SBOM component contained an invalid package URL.
malformed_external_sbom | warning | A supplier SBOM file could not be parsed as JSON.
malformed_external_sbom_component | warning | A supplier SBOM component entry did not match a supported component shape.
malformed_external_sbom_dependencies | warning | A supplier SBOM dependency section did not match a supported dependency shape.
missing_external_sbom | warning | A configured external supplier SBOM file was missing.
unreadable_external_sbom | warning | A supplier SBOM file could not be read.
unrecognized_external_sbom_format | warning | A supplier SBOM was neither supported CycloneDX JSON nor supported SPDX JSON.

Firmware evidence

Code | Default severity | Meaning
firmware_extraction_failed | warning | An optional firmware extraction tool failed; partial regular-file observations may remain.
firmware_extraction_unsafe_output | warning | Firmware extraction produced a symlink, device, deep path, or output outside the designated extraction root; it was rejected.
firmware_extractor_not_available | info | The selected optional binwalk/unblob executable was unavailable; baseline analysis continued.
mcuboot_bad_magic | warning | A file given to the MCUboot parser did not start with the MCUboot image magic.
mcuboot_malformed_image | warning | An MCUboot image was unreadable or its TLV structure was out of bounds; parsing stopped safely.
mcuboot_truncated | warning | An MCUboot image's declared sizes extend beyond the file; parsing was bounded to the available bytes.

Manufacturer evidence

Code | Default severity | Meaning
ambiguous_annex_i_evidence_content | warning | Supplied Annex I evidence was present but deterministic content extraction found no useful routing fields.
annex_i_evidence_type_requirement_mismatch | warning | An Annex I evidence input was routed to a requirement outside the supported evidence-type mapping.
incomplete_annex_i_structured_evidence | warning | Structured Annex I metadata was present but omitted one or more expected fields for that evidence type.
malformed_annex_i_evidence_input | warning | Annex I evidence input JSON did not match the supported local schema.
malformed_annex_i_evidence_inputs | warning | Annex I evidence input JSON did not match the supported local schema.
malformed_annex_i_evidence_type | warning | An Annex I evidence input used an unsupported evidence type shape.
malformed_annex_i_requirement_input | warning | An Annex I requirement entry did not match the supported input schema.
malformed_annex_i_supplied_files | warning | An Annex I supplied-files entry was not a supported list of local file paths.
missing_annex_i_evidence_file | warning | A configured Annex I manufacturer evidence file was missing.
missing_annex_i_evidence_input_file | warning | A configured Annex I manufacturer evidence file was missing.
missing_annex_i_evidence_inputs | warning | A configured Annex I evidence input file was missing.
oversize_annex_i_evidence_input_file | warning | A supplied Annex I evidence file exceeded the deterministic content-inspection size limit.
unknown_annex_i_evidence_type | warning | An Annex I evidence input used an unknown evidence type.
unknown_annex_i_requirement | warning | An Annex I evidence input referenced an unknown requirement id.
unreadable_annex_i_evidence_input_file | warning | A supplied Annex I evidence file could not be read.

OCI evidence

Code | Default severity | Meaning
oci_bad_digest_reference | warning | An OCI descriptor used a non-sha256/invalid digest reference; refused (path-traversal safe).
oci_blob_digest_mismatch | warning | An OCI blob's content did not match its claimed digest.
oci_layout_malformed | warning | An OCI layout index/manifest was unreadable or malformed; skipped.
oci_layout_not_found | warning | The given path is not an OCI image layout (no oci-layout/index.json); skipped.

Performance

Code | Default severity | Meaning
scan_cache_unreadable | warning | The optional scan cache could not be read or written and was ignored.

Provenance

Code | Default severity | Meaning
build_provenance_subject_digest_mismatch | warning | A supplied build-provenance subject digest did not match the referenced local artifact hash.
build_provenance_subject_invalid_sha256 | warning | A supplied build-provenance subject did not contain a valid SHA-256 digest.
build_provenance_subject_missing_sha256 | warning | A supplied build-provenance subject omitted a SHA-256 digest.
build_provenance_subject_unmatched | warning | A supplied build-provenance subject did not match a scanned local artifact.
invalid_build_provenance_subject | warning | A supplied build-provenance subject digest was malformed or unsupported.
malformed_build_provenance | warning | A supplied build-provenance file could not be parsed as supported JSON provenance.
missing_build_provenance_file | warning | A configured build-provenance file was missing.

Reachability

Code | Default severity | Meaning
malformed_reachability_evidence | warning | Reachability evidence input JSON did not match the supported local schema.
malformed_reachability_evidence_inputs | warning | Reachability evidence input JSON did not match the supported local schema.
missing_reachability_evidence_file | warning | A configured reachability evidence file was missing.
missing_reachability_evidence_input_file | warning | A configured reachability evidence file was missing.
missing_reachability_evidence_inputs | warning | A configured reachability evidence input file was missing.
reachability_python_parse_error | warning | A Python source file could not be parsed during deterministic reachability inspection.
reachability_tree_sitter_limit | warning | Optional Tree-sitter analysis hit a deterministic traversal or output limit.
reachability_tree_sitter_parse_error | warning | Optional Tree-sitter parsing failed or recovered from malformed C/C++ source.
reachability_tree_sitter_unavailable | warning | Optional Tree-sitter runtime or C/C++ grammar was unavailable; baseline scanning continued.
reachability_unreadable_file | warning | A source file could not be read during deterministic reachability inspection.

Release history

Code | Default severity | Meaning
invalid_support_period_release_metadata | warning | Release support-period metadata could not be parsed as a supported date/time value.
missing_support_policy_file | warning | A configured support-policy evidence file was missing.
previous_output_unavailable | warning | A previous output directory was unavailable for release-drift comparison.
support_policy_declared_without_release_metadata | warning | A support policy was supplied but release support-period metadata was not declared.
support_policy_missing_declared_support_period | warning | A supplied support policy did not contain a deterministic support-period date matching the release metadata shape.
support_policy_multiple_support_period_dates | warning | A supplied support policy contained multiple support-period dates and needs reviewer interpretation.
support_policy_support_period_mismatch | warning | A supplied support policy date did not match the declared release support period.
unreadable_support_policy_file | warning | A supplied support-policy evidence file could not be read.

Resource limits

Code | Default severity | Meaning
resource_limit_exceeded | warning | An untrusted input exceeded a configured resource budget (size/expanded-bytes/ratio/entries/depth/path/symlink) and was bounded.

Review

Code | Default severity | Meaning
missing_approvals_file | warning | A configured approvals file was missing.
missing_reviews_file | warning | A configured evidence reviews file was missing.
missing_waivers_file | warning | A configured waivers file was missing.

Scanner

Code | Default severity | Meaning
device_tree_not_parsed | info | A recognized device-tree source overlay was retained and hashed but is not parsed for components in the default scan; hardware-revision differences it encodes need human review.
malformed_component_name | warning | A parsed component name was structurally invalid and could not form a valid component identity; the component was dropped with a warning.
malformed_component_version | warning | A parsed component version was structurally invalid (contained table/JSON/line text); it was recorded without a version instead of emitting garbage.
malformed_manifest | warning | A local manifest was malformed and could not be parsed for observed facts.
oci_image_index_not_parsed | info | A recognized OCI image index/layout was found but is not parsed for components in the default scan; use the opt-in OCI evidence path.
symlink_outside_root | warning | A path resolved outside the scan root (symlink escape) and was skipped to avoid reading files outside the analyzed product.
unparseable_manifest | warning | A local manifest was detected but could not be parsed.
unpinned_requirements | info | requirements.txt lines without exact '==' pins were not inventoried; pin them or supply a lockfile.
unreadable_file | warning | A local file could not be read during scanning.
unrecognized_manifest_format | info | A recognized manifest-like file did not match a supported deterministic parser shape.
unsupported_lockfile | info | A lockfile was recognized but its format/version is not yet parsed.
version_conflict | warning | The scan observed conflicting versions for the same normalized component identity.

Signal

Code | Default severity | Meaning
missing_security_txt_field | warning | A security.txt file was present but lacked a required RFC 9116 field.
security_txt_expired | warning | A security.txt file has an Expires value before the scan date.

SSVC

Code | Default severity | Meaning
invalid_ssvc_context_value | warning | SSVC context used a value outside the supported decision-point options.
malformed_ssvc_context | warning | SSVC context JSON did not match the supported local schema.
missing_ssvc_context | warning | A configured SSVC context file was missing.
unknown_ssvc_context_key | warning | SSVC context contained an unknown decision-point key.

Supplier VEX

Code | Default severity | Meaning
malformed_supplier_vex | warning | Supplier VEX input was malformed or unsupported.
malformed_supplier_vex_statement | warning | A supplier VEX statement could not be parsed into a supported advisory status.
missing_supplier_vex | warning | A configured supplier VEX file was missing.
supplier_vex_invalid_justification | warning | A supplier VEX not_affected statement used an unsupported justification.
unreadable_supplier_vex | warning | A supplier VEX file could not be read.
unrecognized_supplier_vex_format | warning | A supplier VEX file was neither supported OpenVEX JSON nor supported CSAF JSON.
unsupported_supplier_vex_status | warning | A supplier VEX statement used a status outside the supported set.

Technical documentation

Code | Default severity | Meaning
ambiguous_technical_documentation_content | warning | Supplied technical-documentation evidence was present but deterministic content extraction found no useful routing fields.
incomplete_technical_documentation_structured_input | warning | Structured technical-documentation metadata was present but omitted one or more expected fields for that input type.
malformed_technical_documentation_input | warning | Technical-documentation input JSON did not match the supported local schema.
malformed_technical_documentation_input_type | warning | A technical-documentation input used an unsupported input-type shape.
malformed_technical_documentation_inputs | warning | Technical-documentation input JSON did not match the supported local schema.
malformed_technical_documentation_section | warning | A technical-documentation section entry did not match the supported input schema.
malformed_technical_documentation_supplied_files | warning | A technical-documentation supplied-files entry was not a supported list of local file paths.
missing_technical_documentation_file | warning | A configured technical-documentation evidence file was missing.
missing_technical_documentation_input_file | warning | A configured technical-documentation evidence file was missing.
missing_technical_documentation_inputs | warning | A configured technical-documentation input file was missing.
oversize_technical_documentation_input_file | warning | A supplied technical-documentation evidence file exceeded the deterministic content-inspection size limit.
technical_documentation_input_type_section_mismatch | warning | A technical-documentation input was routed to a section outside the supported input-type mapping.
technical_documentation_metadata_content_mismatch | warning | Declared Annex VII metadata (support-period date, signed-DoC date, or standard reference) is inconsistent with the content parsed from the supplied document. Consistency signal only — not an adequacy or conformity judgement.
unknown_technical_documentation_input_type | warning | A technical-documentation input used an unknown input type.
unknown_technical_documentation_section | warning | A technical-documentation input referenced an unknown model section.
unreadable_technical_documentation_input_file | warning | A supplied technical-documentation evidence file could not be read.

Test results

Code | Default severity | Meaning
inconsistent_test_result_totals | warning | A supplied test-result summary had totals that did not reconcile deterministically.
malformed_test_result | warning | A supplied test-result file could not be parsed as supported JUnit XML or TAP.
missing_test_result | warning | A configured test-result file was missing.
missing_test_result_file | warning | A configured test-result file was missing.
unreadable_test_result | warning | A supplied test-result file could not be read.
unrecognized_test_result_format | warning | A supplied test-result file was not recognized as supported JUnit XML or TAP.

Update manifest

Code | Default severity | Meaning
suit_draft_format | info | A SUIT CBOR manifest was parsed against the pinned current Internet-Draft, not a final RFC serialization.
update_manifest_expired | warning | Update metadata declared an expiry before the selected as-of time; no trust conclusion was made.
update_manifest_malformed | warning | A TUF or SUIT update-manifest artifact was malformed, truncated, or exceeded a resource limit.
update_manifest_missing_role | warning | A supplied TUF metadata set omitted one of root, targets, snapshot, or timestamp.

Vendor update

Code | Default severity | Meaning
mender_artifact_malformed | warning | A Mender Artifact tar/header structure was malformed, unsafe, or exceeded a resource limit.
mender_artifact_missing | warning | The requested Mender Artifact file was not found.
rauc_bundle_container_unsupported | warning | A RAUC signed SquashFS/CMS bundle was supplied where the bounded stdlib adapter requires manifest.raucm.
rauc_manifest_malformed | warning | A RAUC manifest.raucm file was malformed or exceeded a resource limit.
rauc_manifest_missing | warning | A RAUC manifest.raucm file was not found at the requested path.
rauc_unsafe_payload_path | warning | A RAUC manifest referenced an absolute or traversing payload path; it was rejected.
swupdate_artifact_malformed | warning | An SWUpdate newc/crc cpio or sw-description artifact was malformed, unsafe, or exceeded a resource limit.
swupdate_artifact_missing | warning | The requested SWUpdate .swu or sw-description artifact was not found.
uptane_metadata_expired | warning | Uptane repository metadata declared an expiry before the selected as-of time.
uptane_metadata_malformed | warning | Uptane Director/Image repository metadata was malformed or exceeded a resource limit.
uptane_metadata_missing | warning | No Uptane/TUF JSON metadata was found at the requested path.

Vulnerability

Code | Default severity | Meaning
vulnerability_enrichment_error | warning | A vulnerability data source or exploitation snapshot (OSV/NVD/KEV/EPSS) failed to load or enrich; results may be incomplete.

Vulnerability source

Code | Default severity | Meaning
cross_source_severity_conflict | info | Vulnerability sources disagree on a finding's severity; surfaced for human review, never merged into a consensus.
no_usable_vulnerability_intelligence | warning | No configured vulnerability source produced usable intelligence on this run (distinct from zero findings).
stale_vulnerability_data | warning | A configured vulnerability source's data is older than the configured staleness window.

West

Code | Default severity | Meaning
unsupported_west_import | warning | A Zephyr west import reference could not be resolved by the opt-in resolver.
west_import_fetch_failed | warning | The opt-in Zephyr west import resolver could not fetch an imported manifest.
west_import_unparseable | warning | The opt-in Zephyr west import resolver fetched a manifest that could not be parsed.
west_import_unrecognized | warning | The opt-in Zephyr west import resolver fetched a manifest with an unrecognized shape.
west_import_unresolved_remote | warning | The opt-in Zephyr west import resolver could not resolve a remote URL for an imported project.
west_import_unsupported_forge | warning | The opt-in Zephyr west import resolver encountered a remote forge it does not support.

If a warning looks wrong

A warning that appears incorrect — firing on a valid file, or naming the wrong reason — is a bug we want to know about. Include the warning code, the file's shape (never customer content), and your SBOMFlow version. See the FAQ for how to get support.