{
  "schemaVersion": "graph.inspect.v1",
  "tenant": "acme-dev",
  "artifactDigest": "sha256:8f2c1f4c8f9d4c3bb2efc0a9d0a35d4492a0bba4f3c1a2b9d5c7e1f4a8c6b2d1",
  "sbomDigest": "sha256:1c2d3e4f5a6b7c8d9e0f1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0b1c2d",
  "collectedAt": "2025-12-04T15:30:00Z",
  "components": [
    {
      "purl": "pkg:maven/org.example/foo@1.2.3",
      "version": "1.2.3",
      "scopes": [
        "runtime"
      ],
      "relationships": [
        {
          "type": "contains",
          "targetPurl": "pkg:docker/library/alpine@3.19.0",
          "scope": "runtime",
          "evidenceHash": "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcd",
          "source": "scanner.sbom.v1"
        },
        {
          "type": "depends_on",
          "targetPurl": "pkg:npm/lodash@4.17.21",
          "scope": "runtime",
          "evidenceHash": "89abcdef0123456789abcdef0123456789abcdef0123456789abcdef012345",
          "source": "concelier.linkset.v1"
        }
      ],
      "advisories": [
        {
          "advisoryId": "CVE-2024-1111",
          "source": "ghsa",
          "status": "affected",
          "severity": "HIGH",
          "cvss": {
            "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "score": 9.8
          },
          "justification": "exploitable_in_default_config",
          "justificationSummary": "Unauthenticated RCE in JSON parser; no mitigations applied.",
          "linksetDigest": "abcdefabcdefabcdefabcdefabcdefabcdefabcdefabcdefabcdefabcdefabcd",
          "evidenceHash": "fedcba9876543210fedcba9876543210fedcba9876543210fedcba9876543210",
          "modifiedAt": "2025-11-30T12:00:00Z",
          "provenance": {
            "source": "concelier.linkset.v1",
            "collectedAt": "2025-11-30T11:55:00Z",
            "eventOffset": 4421,
            "linksetDigest": "abcdefabcdefabcdefabcdefabcdefabcdefabcdefabcdefabcdefabcdefabcd",
            "evidenceHash": "fedcba9876543210fedcba9876543210fedcba9876543210fedcba9876543210"
          }
        }
      ],
      "vexStatements": [
        {
          "statementId": "VEX-2025-0001",
          "source": "excitor.vex.v1",
          "status": "not_affected",
          "justification": "component_not_present",
          "impactStatement": "Library excluded from production image; only used in tests.",
          "knownExploited": false,
          "issuedAt": "2025-12-01T08:00:00Z",
          "expiresAt": "2026-12-01T00:00:00Z",
          "evidenceHash": "0f1e2d3c4b5a69788796a5b4c3d2e1f00f1e2d3c4b5a69788796a5b4c3d2e1f0",
          "provenance": {
            "source": "excitor.overlay.v1",
            "collectedAt": "2025-12-01T08:00:00Z",
            "eventOffset": 171,
            "evidenceHash": "0f1e2d3c4b5a69788796a5b4c3d2e1f00f1e2d3c4b5a69788796a5b4c3d2e1f0"
          }
        }
      ],
      "provenance": {
        "source": "concelier.linkset.v1",
        "collectedAt": "2025-12-04T15:29:00Z",
        "eventOffset": 5123,
        "linksetDigest": "abcdefabcdefabcdefabcdefabcdefabcdefabcdefabcdefabcdefabcdefabcd",
        "evidenceHash": "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcd"
      }
    },
    {
      "purl": "pkg:npm/lodash@4.17.21",
      "scopes": [],
      "relationships": [],
      "advisories": [],
      "vexStatements": [],
      "provenance": {
        "source": "concelier.linkset.v1",
        "collectedAt": "2025-12-04T15:29:00Z",
        "eventOffset": 6000,
        "linksetDigest": "abcdefabcdefabcdefabcdefabcdefabcdefabcdefabcdefabcdefabcdefabcd",
        "evidenceHash": "89abcdef0123456789abcdef0123456789abcdef0123456789abcdef012345"
      }
    }
  ],
  "links": {
    "sbomObservationEventId": "obs-2025-11-22-001",
    "linksetDigest": "abcdefabcdefabcdefabcdefabcdefabcdefabcdefabcdefabcdefabcdefabcd"
  }
}