[
  {
    "kind": "CONTAINS",
    "tenant": "tenant-alpha",
    "canonical_key": {
      "tenant": "tenant-alpha",
      "artifact_node_id": "gn:tenant-alpha:artifact:RX033HH7S6JXMY66QM51S89SX76B3JXJHWHPXPPBJCD05BR3GVXG",
      "component_node_id": "gn:tenant-alpha:component:BQSZFXSPNGS6M8XEQZ6XX3E7775XZQABM301GFPFXCQSQSA1WHZ0",
      "sbom_digest": "sha256:sbom111"
    },
    "attributes": {
      "detected_by": "sbom.analyzer.nuget",
      "layer_digest": "sha256:layer123",
      "scope": "runtime",
      "evidence_digest": "sha256:evidence001"
    },
    "provenance": {
      "source": "scanner.sbom.v1",
      "collected_at": "2025-10-30T12:00:02Z",
      "sbom_digest": "sha256:sbom111",
      "event_offset": 2100
    },
    "valid_from": "2025-10-30T12:00:02Z",
    "valid_to": null,
    "id": "ge:tenant-alpha:CONTAINS:EVA5N7P029VYV9W8Q7XJC0JFTEQYFSAQ6381SNVM3T1G5290XHTG",
    "hash": "139e534be32f666cbd8e4fb0daee629b7b133ef8d10e98413ffc33fde59f7935"
  },
  {
    "kind": "DEPENDS_ON",
    "tenant": "tenant-alpha",
    "canonical_key": {
      "tenant": "tenant-alpha",
      "component_node_id": "gn:tenant-alpha:component:BQSZFXSPNGS6M8XEQZ6XX3E7775XZQABM301GFPFXCQSQSA1WHZ0",
      "dependency_purl": "pkg:nuget/System.Text.Encoding.Extensions@4.7.0",
      "sbom_digest": "sha256:sbom111"
    },
    "attributes": {
      "dependency_purl": "pkg:nuget/System.Text.Encoding.Extensions@4.7.0",
      "dependency_version": "4.7.0",
      "relationship": "direct",
      "evidence_digest": "sha256:evidence002"
    },
    "provenance": {
      "source": "scanner.sbom.v1",
      "collected_at": "2025-10-30T12:00:02Z",
      "sbom_digest": "sha256:sbom111",
      "event_offset": 2101
    },
    "valid_from": "2025-10-30T12:00:02Z",
    "valid_to": null,
    "id": "ge:tenant-alpha:DEPENDS_ON:FJ7GZ9RHPKPR30XVKECD702QG20PGT3V75DY1GST8AAW9SR8TBB0",
    "hash": "4caae0dff840dee840d413005f1b493936446322e8cfcecd393983184cc399c1"
  },
  {
    "kind": "DECLARED_IN",
    "tenant": "tenant-alpha",
    "canonical_key": {
      "tenant": "tenant-alpha",
      "component_node_id": "gn:tenant-alpha:component:BQSZFXSPNGS6M8XEQZ6XX3E7775XZQABM301GFPFXCQSQSA1WHZ0",
      "file_node_id": "gn:tenant-alpha:file:M1MWHCXA66MQE8FZMPK3RNRMN7Z18H4VGWX6QTNNBKABFKRACKDG",
      "sbom_digest": "sha256:sbom111"
    },
    "attributes": {
      "detected_by": "sbom.analyzer.nuget",
      "scope": "runtime",
      "evidence_digest": "sha256:evidence003"
    },
    "provenance": {
      "source": "scanner.layer.v1",
      "collected_at": "2025-10-30T12:00:03Z",
      "sbom_digest": "sha256:sbom111",
      "event_offset": 2102
    },
    "valid_from": "2025-10-30T12:00:03Z",
    "valid_to": null,
    "id": "ge:tenant-alpha:DECLARED_IN:T7E8NQEMKXPZ3T1SWT8HXKWAHJVS9QKD87XBKAQAAQ29CDHEA47G",
    "hash": "2a2e7ba8785d75eb11feebc2df99a6a04d05ee609b36cbe0b15fa142e4c4f184"
  },
  {
    "kind": "BUILT_FROM",
    "tenant": "tenant-alpha",
    "canonical_key": {
      "tenant": "tenant-alpha",
      "parent_artifact_node_id": "gn:tenant-alpha:artifact:RX033HH7S6JXMY66QM51S89SX76B3JXJHWHPXPPBJCD05BR3GVXG",
      "child_artifact_digest": "sha256:base000"
    },
    "attributes": {
      "build_type": "https://slsa.dev/provenance/v1",
      "builder_id": "builder://tekton/pipeline/default",
      "attestation_digest": "sha256:attestation001"
    },
    "provenance": {
      "source": "scanner.provenance.v1",
      "collected_at": "2025-10-30T12:00:05Z",
      "sbom_digest": "sha256:sbom111",
      "event_offset": 2103
    },
    "valid_from": "2025-10-30T12:00:05Z",
    "valid_to": null,
    "id": "ge:tenant-alpha:BUILT_FROM:HJNKVFSDSA44HRY0XAJ0GBEVPD2S82JFF58BZVRT9QF6HB2EGPJG",
    "hash": "17bdb166f4ba05406ed17ec38d460fb83bd72cec60095f0966b1d79c2a55f1de"
  },
  {
    "kind": "AFFECTED_BY",
    "tenant": "tenant-alpha",
    "canonical_key": {
      "tenant": "tenant-alpha",
      "component_node_id": "gn:tenant-alpha:component:BQSZFXSPNGS6M8XEQZ6XX3E7775XZQABM301GFPFXCQSQSA1WHZ0",
      "advisory_node_id": "gn:tenant-alpha:advisory:RFGYXZ2TG0BF117T3HCX3XYAZFXPD72991QD0JZWDVY7FXYY87R0",
      "linkset_digest": "sha256:linkset001"
    },
    "attributes": {
      "evidence_digest": "sha256:evidence004",
      "matched_versions": [
        "13.0.3"
      ],
      "cvss": 8.1,
      "confidence": 0.9
    },
    "provenance": {
      "source": "concelier.overlay.v1",
      "collected_at": "2025-10-30T12:05:10Z",
      "sbom_digest": "sha256:sbom111",
      "event_offset": 3100
    },
    "valid_from": "2025-10-30T12:05:10Z",
    "valid_to": null,
    "id": "ge:tenant-alpha:AFFECTED_BY:1V3NRKAR6KMXAWZ89R69G8JAY3HV7DXNB16YY9X25X1TAFW9VGYG",
    "hash": "45e845ee51dc2e8e8990707906bddcd3ecedf209de10b87ce8eed604dcc51ff5"
  },
  {
    "kind": "VEX_EXEMPTS",
    "tenant": "tenant-alpha",
    "canonical_key": {
      "tenant": "tenant-alpha",
      "component_node_id": "gn:tenant-alpha:component:BQSZFXSPNGS6M8XEQZ6XX3E7775XZQABM301GFPFXCQSQSA1WHZ0",
      "vex_node_id": "gn:tenant-alpha:vex_statement:BVRF35CX6TZTHPD7YFHYTJJACPYJD86JP7C74SH07QT9JT82NDSG",
      "statement_hash": "sha256:eee555"
    },
    "attributes": {
      "status": "not_affected",
      "justification": "component not present",
      "impact_statement": "Library not loaded at runtime",
      "evidence_digest": "sha256:evidence005"
    },
    "provenance": {
      "source": "excititor.overlay.v1",
      "collected_at": "2025-10-30T12:06:10Z",
      "sbom_digest": "sha256:sbom111",
      "event_offset": 3200
    },
    "valid_from": "2025-10-30T12:06:10Z",
    "valid_to": null,
    "id": "ge:tenant-alpha:VEX_EXEMPTS:DT0BBCM9S0KJVF61KVR7D2W8DVFTKK03F3TFD4DR9DRS0T5CWZM0",
    "hash": "0ae4085e510898e68ad5cb48b7385a1ae9af68fcfea9bd5c22c47d78bb1c2f2e"
  },
  {
    "kind": "GOVERNS_WITH",
    "tenant": "tenant-alpha",
    "canonical_key": {
      "tenant": "tenant-alpha",
      "policy_node_id": "gn:tenant-alpha:policy_version:YZSMWHHR6Y5XR1HFRBV3H5TR6GMZVN9BPDAAVQEACV7XRYP06390",
      "component_node_id": "gn:tenant-alpha:component:BQSZFXSPNGS6M8XEQZ6XX3E7775XZQABM301GFPFXCQSQSA1WHZ0",
      "finding_explain_hash": "sha256:explain001"
    },
    "attributes": {
      "verdict": "fail",
      "explain_hash": "sha256:explain001",
      "policy_rule_id": "rule:runtime/critical-dependency",
      "evaluation_timestamp": "2025-10-30T12:07:00Z"
    },
    "provenance": {
      "source": "policy.engine.v1",
      "collected_at": "2025-10-30T12:07:00Z",
      "sbom_digest": "sha256:sbom111",
      "event_offset": 4200
    },
    "valid_from": "2025-10-30T12:07:00Z",
    "valid_to": null,
    "id": "ge:tenant-alpha:GOVERNS_WITH:XG3KQTYT8D4NY0BTFXWGBQY6TXR2MRYDWZBQT07T0200NQ72AFG0",
    "hash": "38a05081a9b046bfd391505d47da6b7c6e3a74e114999b38a4e4e9341f2dc279"
  },
  {
    "kind": "OBSERVED_RUNTIME",
    "tenant": "tenant-alpha",
    "canonical_key": {
      "tenant": "tenant-alpha",
      "runtime_node_id": "gn:tenant-alpha:runtime_context:EFVARD7VM4710F8554Q3NGH0X8W7XRF3RDARE8YJWK1H3GABX8A0",
      "component_node_id": "gn:tenant-alpha:component:BQSZFXSPNGS6M8XEQZ6XX3E7775XZQABM301GFPFXCQSQSA1WHZ0",
      "runtime_fingerprint": "pod-abc123"
    },
    "attributes": {
      "process_name": "dotnet",
      "entrypoint_kind": "container",
      "runtime_evidence_digest": "sha256:evidence006",
      "confidence": 0.8
    },
    "provenance": {
      "source": "signals.runtime.v1",
      "collected_at": "2025-10-30T12:15:10Z",
      "sbom_digest": "sha256:sbom111",
      "event_offset": 5200
    },
    "valid_from": "2025-10-30T12:15:10Z",
    "valid_to": null,
    "id": "ge:tenant-alpha:OBSERVED_RUNTIME:CVV4ACPPJVHWX2NRZATB8H045F71HXT59TQHEZE2QBAQGJDK1FY0",
    "hash": "15d24ebdf126b6f8947d3041f8cbb291bb66e8f595737a7c7dd2683215568367"
  }
]