sbom_component,spine_node,graph_node,policy_input,evidence_ref
pkg:demo/lib-a@1.2.3,spine://component/lib-a,graph://node/lib-a,policy://input/component/lib-a,hash:blake3:27c6de0c
pkg:demo/lib-b@2.0.0,spine://component/lib-b,graph://node/lib-b,policy://input/component/lib-b,hash:blake3:da5b631a
vuln:CVE-0000-0001,spine://vuln/CVE-0000-0001,graph://advisory/CVE-0000-0001,policy://input/vuln/CVE-0000-0001,hash:sha256:22d8f6f8