
Bomly Diff JSON Schema Reference

Complete reference for the JSON document emitted by the `bomly diff` command.

Document

Field Type Description
schema_version string
command string
project ProjectDescriptor
comparison DiffComparison
results DiffResults
summary DiffSummary
audit DiffAudit
metadata Metadata

Types

AffectedSymbol

Field Type Description
symbol string
kind string
package string
module string
definition SourcePosition

AuditFinding

Field Type Description
id string
kind string
severity string
package PackageRef
title string
reasons Array<string>
source string
auditor string
disposition string
fixed_in string
fixed_versions Array<string>
fix_state string
fix_available Array<FixAvailable>
aliases Array<string>
description string
severity_source string
cvss Array<CVSSScore>
affected_version_range string
references Array<Reference>
kev_exploited boolean
known_exploited Array<KnownExploited>
epss Array<EPSSScore>
cwes Array<CWE>
risk_score number
data_source string
namespace string
cpes Array<string>
reachability Reachability

AuditSummary

Field Type Description
critical integer
high integer
medium integer
low integer
unknown integer
total integer

CVSSScore

Field Type Description
vector string
score number
version string
source string

CWE

Field Type Description
cve string
id string
source string
type string

CallFrame

Field Type Description
function string
package string
receiver string
position SourcePosition

CallPath

Field Type Description
sink AffectedSymbol
frames Array<CallFrame>

DiffAudit

Field Type Description
introduced Array<AuditFinding>
resolved Array<AuditFinding>
persisted Array<AuditFinding>
audit_summary AuditSummary

DiffChangedPackage

Field Type Description
after PackageRef
before PackageRef

DiffComparison

Field Type Description
base string
head string

DiffDependencyResults

Field Type Description
added Array<DiffPackageChange>
removed Array<DiffPackageChange>
changed Array<DiffChangedPackage>

DiffLicenseChange

Field Type Description
package PackageRef
licenses Array<LicenseRef>

DiffLicenseDelta

Field Type Description
package PackageRef
before Array<LicenseRef>
after Array<LicenseRef>

DiffLicenseResults

Field Type Description
added Array<DiffLicenseChange>
removed Array<DiffLicenseChange>
changed Array<DiffLicenseDelta>

DiffManifestResult

Field Type Description
status string
path string
kind string
subproject string
ecosystem string
package_manager string
added Array<DiffPackageChange>
removed Array<DiffPackageChange>
changed Array<DiffChangedPackage>

DiffPackageChange

Field Type Description
package PackageRef

DiffResults

Field Type Description
dependencies DiffDependencyResults
licenses DiffLicenseResults
vulnerabilities DiffVulnerabilityResults
manifests Array<DiffManifestResult>

DiffSummary

Field Type Description
added_manifest_count integer
changed_manifest_count integer
removed_manifest_count integer
unchanged_manifest_count integer
added_package_count integer
changed_package_count integer
removed_package_count integer
exact_match_count integer
fuzzy_match_count integer
unmatched_package_count integer

DiffVulnerabilityChange

Field Type Description
package PackageRef
vulnerability VulnerabilityRef

DiffVulnerabilityResults

Field Type Description
added Array<DiffVulnerabilityChange>
removed Array<DiffVulnerabilityChange>

EPSSScore

Field Type Description
cve string
epss number
percentile number
date string

FixAvailable

Field Type Description
version string
date string
kind string

KnownExploited

Field Type Description
cve string
vendor_project string
product string
date_added string
required_action string
due_date string
known_ransomware_campaign_use string
notes string
urls Array<string>
cwes Array<string>

LicenseRef

Field Type Description
value string
spdxExpression string
type string

LocationRef

Field Type Description
real_path string
access_path string
position PositionRef

Metadata

Field Type Description
duration_ms integer
reachability_enabled boolean
analyzer_runs Array<string>
analyzer_stats object

PackageRef

Field Type Description
name string
version string
scope string
purl string
id string
metadata object
locations Array<LocationRef>
licenses Array<LicenseRef>
vulnerabilities Array<VulnerabilityRef>
scorecard PackageScorecard

PackageScorecard

Field Type Description
source string
repository string
commitSha string
scorecardVersion string
runDate Time
aggregateScore number
checks Array<PackageScorecardCheck>

PackageScorecardCheck

Field Type Description
name string
score integer
reason string
documentation string

PositionRef

Field Type Description
file string
line integer
column integer
end_line integer

ProjectDescriptor

Field Type Description
name string
path string
target_type string
target_ref string
ecosystem string
package_manager string

Reachability

Field Type Description
status string
tier string
analyzer string
reason string
symbols Array<AffectedSymbol>
call_paths Array<CallPath>
hops integer
confidence string
dynamic_imports_detected boolean
analyzed_at string

Reference

Field Type Description
url string
type string

SourcePosition

Field Type Description
file string
line integer
column integer
end_line integer

Time

VulnerabilityRef

Field Type Description
id string
source string
title string
severity string
severity_source string
aliases Array<string>
description string
reasons Array<string>
cvss Array<CVSSScore>
fixed_in string
fixed_versions Array<string>
fix_state string
fix_available Array<FixAvailable>
affected_version_range string
references Array<Reference>
kev_exploited boolean
known_exploited Array<KnownExploited>
epss Array<EPSSScore>
cwes Array<CWE>
risk_score number
data_source string
namespace string
cpes Array<string>
affected_symbols Array<AffectedSymbol>
reachability Reachability