# SBOM Vulnerability Resolution (Md.XI draft)

> Status: DRAFT — pending export/advisory integration and GRAP0101 field freeze.

## Scope
- Version semantics, scope, paths, safe version hints for SBOM components in Vuln Explorer.
- Deterministic examples with hashes in `docs/assets/vuln-explorer/SHA256SUMS`.

## Dependencies
- Advisory integration (DOCS-VULN-29-008).
- GRAP0101 identifiers.

## Outline
- Component resolution (purl, NEVRA); scope (prod/dev/test).
- Path specificity and deduping rules.
- Safe version hints and policy overlays.

### Hash Capture Checklist (when inputs ready)
- `assets/vuln-explorer/sbom-component-resolution.json`
- `assets/vuln-explorer/sbom-path-dedupe.json`
- `assets/vuln-explorer/safe-version-hints.json`
_Last updated: 2025-12-05 (UTC)_