Bomly Scan JSON Schema Reference

Complete reference for the bomly scan JSON output.

Document

Field	Type	Description
`schema_version`	`string`
`command`	`string`
`project`	`ProjectDescriptor`
`manifests`	Array<`ScanManifest`>
`packages`	Array<`ScanPackageEntry`>
`findings`	Array<`AuditFinding`>
`audit_summary`	`AuditSummary`
`metadata`	`Metadata`

Types

`AffectedSymbol`

Field	Type	Description
`symbol`	`string`
`kind`	`string`
`package`	`string`
`module`	`string`
`definition`	`SourcePosition`

`AuditFinding`

Field	Type	Description
`id`	`string`
`kind`	`string`
`severity`	`string`
`package`	`PackageRef`
`title`	`string`
`reasons`	Array<`string`>
`source`	`string`
`auditor`	`string`
`disposition`	`string`
`fixed_in`	`string`
`fixed_versions`	Array<`string`>
`fix_state`	`string`
`fix_available`	Array<`FixAvailable`>
`aliases`	Array<`string`>
`description`	`string`
`severity_source`	`string`
`cvss`	Array<`CVSSScore`>
`affected_version_range`	`string`
`references`	Array<`Reference`>
`kev_exploited`	`boolean`
`known_exploited`	Array<`KnownExploited`>
`epss`	Array<`EPSSScore`>
`cwes`	Array<`CWE`>
`risk_score`	`number`
`data_source`	`string`
`namespace`	`string`
`cpes`	Array<`string`>
`reachability`	`Reachability`

`AuditSummary`

Field	Type	Description
`critical`	`integer`
`high`	`integer`
`medium`	`integer`
`low`	`integer`
`unknown`	`integer`
`total`	`integer`

`CVSSScore`

Field	Type	Description
`vector`	`string`
`score`	`number`
`version`	`string`
`source`	`string`

`CWE`

Field	Type	Description
`cve`	`string`
`id`	`string`
`source`	`string`
`type`	`string`

`CallFrame`

Field	Type	Description
`function`	`string`
`package`	`string`
`receiver`	`string`
`position`	`SourcePosition`

`CallPath`

Field	Type	Description
`sink`	`AffectedSymbol`
`frames`	Array<`CallFrame`>

`Digest`

Field	Type	Description
`algorithm`	`string`
`value`	`string`

`EPSSScore`

Field	Type	Description
`cve`	`string`
`epss`	`number`
`percentile`	`number`
`date`	`string`

`FixAvailable`

Field	Type	Description
`version`	`string`
`date`	`string`
`kind`	`string`

`KnownExploited`

Field	Type	Description
`cve`	`string`
`vendor_project`	`string`
`product`	`string`
`date_added`	`string`
`required_action`	`string`
`due_date`	`string`
`known_ransomware_campaign_use`	`string`
`notes`	`string`
`urls`	Array<`string`>
`cwes`	Array<`string`>

`LicenseRef`

Field	Type	Description
`value`	`string`
`spdxExpression`	`string`
`type`	`string`

`LocationRef`

Field	Type	Description
`real_path`	`string`
`access_path`	`string`
`position`	`PositionRef`

`Metadata`

Field	Type	Description
`duration_ms`	`integer`
`reachability_enabled`	`boolean`
`analyzer_runs`	Array<`string`>
`analyzer_stats`	`object`

`PackageEOL`

Field	Type	Description
`source`	`string`
`cycle`	`string`
`eol`	`boolean`
`eol_date`	`string`
`latest_version`	`string`
`release_date`	`string`
`supported`	`boolean`

`PackageRef`

Field	Type	Description
`name`	`string`
`version`	`string`
`scope`	`string`
`purl`	`string`
`id`	`string`
`metadata`	`object`
`locations`	Array<`LocationRef`>
`licenses`	Array<`LicenseRef`>
`vulnerabilities`	Array<`VulnerabilityRef`>
`scorecard`	`PackageScorecard`

`PackageScorecard`

Field	Type	Description
`source`	`string`
`repository`	`string`
`commitSha`	`string`
`scorecardVersion`	`string`
`runDate`	`Time`
`aggregateScore`	`number`
`checks`	Array<`PackageScorecardCheck`>

`PackageScorecardCheck`

Field	Type	Description
`name`	`string`
`score`	`integer`
`reason`	`string`
`documentation`	`string`

`PositionRef`

Field	Type	Description
`file`	`string`
`line`	`integer`
`column`	`integer`
`end_line`	`integer`

`ProjectDescriptor`

Field	Type	Description
`name`	`string`
`path`	`string`
`target_type`	`string`
`target_ref`	`string`
`ecosystem`	`string`
`package_manager`	`string`

`Reachability`

Field	Type	Description
`status`	`string`
`tier`	`string`
`analyzer`	`string`
`reason`	`string`
`symbols`	Array<`AffectedSymbol`>
`call_paths`	Array<`CallPath`>
`hops`	`integer`
`confidence`	`string`
`dynamic_imports_detected`	`boolean`
`analyzed_at`	`string`

`Reference`

Field	Type	Description
`url`	`string`
`type`	`string`

`ScanDependency`

Field	Type	Description
`id`	`string`
`name`	`string`
`version`	`string`
`purl`	`string`
`scopes`	Array<`string`>
`depends_on`	Array<`string`>
`matched`	`boolean`
`package_ref`	`string`
`locations`	Array<`LocationRef`>
`licenses`	Array<`LicenseRef`>

`ScanManifest`

Field	Type	Description
`path`	`string`
`kind`	`string`
`subproject`	`string`
`ecosystem`	`string`
`package_manager`	`string`
`detector`	`string`
`dependencies`	Array<`ScanDependency`>

`ScanPackageEntry`

Field	Type	Description
`purl`	`string`
`name`	`string`
`version`	`string`
`ecosystem`	`string`
`matched`	`boolean`
`licenses`	Array<`LicenseRef`>
`vulnerabilities`	Array<`VulnerabilityRef`>
`scorecard`	`PackageScorecard`
`eol`	`PackageEOL`
`cpes`	Array<`string`>
`digests`	Array<`Digest`>
`metadata`	`object`

`SourcePosition`

Field	Type	Description
`file`	`string`
`line`	`integer`
`column`	`integer`
`end_line`	`integer`

`Time`

`VulnerabilityRef`

Field	Type	Description
`id`	`string`
`source`	`string`
`title`	`string`
`severity`	`string`
`severity_source`	`string`
`aliases`	Array<`string`>
`description`	`string`
`reasons`	Array<`string`>
`cvss`	Array<`CVSSScore`>
`fixed_in`	`string`
`fixed_versions`	Array<`string`>
`fix_state`	`string`
`fix_available`	Array<`FixAvailable`>
`affected_version_range`	`string`
`references`	Array<`Reference`>
`kev_exploited`	`boolean`
`known_exploited`	Array<`KnownExploited`>
`epss`	Array<`EPSSScore`>
`cwes`	Array<`CWE`>
`risk_score`	`number`
`data_source`	`string`
`namespace`	`string`
`cpes`	Array<`string`>
`affected_symbols`	Array<`AffectedSymbol`>
`reachability`	`Reachability`

Back to all docs