# SBOM handling

SBOMs are the primary evidence record for scans. StellaOps supports SPDX and CycloneDX and keeps outputs deterministic for replay.

## Formats and inputs

- SPDX 3.0.1 and CycloneDX 1.6+ are supported for ingestion and export.
- SBOMs may be full or delta (layer-based) for faster rescans.

## Mapping and resolution

- CPE and PURL mappings are normalized to canonical forms.
- VEX mapping ties vulnerability statements to SBOM components.
- Version range handling uses ecosystem-native semantics.

## Remediation heuristics

- Prefer fixed-version guidance when present.
- Track component removal or replacement as remediation.
- Record a justification when remediation is deferred.

## Determinism rules

- Stable ordering of components and dependencies.
- Canonical JSON before hashing and signing.
- Content-addressed references in evidence bundles.

## Related references

- docs/sbom/remediation-heuristics.md
- docs/sbom/vex-mapping.md
- docs/sbom/vuln-resolution.md
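The following is an added example, not StellaOps's own code, showing how the mapping and determinism rules above fit together: PURLs are normalized to a canonical form, components and dependencies are sorted into a stable order, the document is serialized as canonical JSON, and the result is hashed into a content address. The PURL normalization rules (lowercase type, lowercase and underscore-to-dash for `pypi` names, lowercase `github` namespaces, sorted qualifiers) are a simplified reading of the PURL spec and are assumptions for this example; the CycloneDX-like documents are constructed inputs, not real scan output. Two documents that differ only in component order, key order, or PURL casing must yield the same digest, and any substantive change must yield a different one.

```python
"""Deterministic SBOM canonicalization (illustrative example; assumed rules, not StellaOps code)."""
import copy
import hashlib
import json


def normalize_purl(purl: str) -> str:
    """Return a canonical form of a package URL.

    Assumed rules for this example (simplified from the PURL spec):
    type lowercased; pypi names lowercased with '_' -> '-'; github namespace
    and name lowercased; qualifier keys lowercased and sorted by key.
    """
    if not purl.startswith("pkg:"):
        raise ValueError(f"not a package URL: {purl}")
    body, _, subpath = purl[len("pkg:"):].partition("#")
    body, _, qualifiers = body.partition("?")
    type_, _, rest = body.partition("/")
    if "@" in rest:
        rest, version = rest.rsplit("@", 1)
    else:
        version = ""
    *ns_parts, name = rest.split("/")
    type_ = type_.lower()
    if type_ == "pypi":
        name = name.lower().replace("_", "-")
    elif type_ == "github":
        ns_parts = [p.lower() for p in ns_parts]
        name = name.lower()
    quals = []
    for q in qualifiers.split("&"):
        if q:
            k, _, v = q.partition("=")
            quals.append((k.lower(), v))
    quals.sort()
    out = "pkg:" + type_ + "/" + "/".join(ns_parts + [name])
    if version:
        out += "@" + version
    if quals:
        out += "?" + "&".join(f"{k}={v}" for k, v in quals)
    if subpath:
        out += "#" + subpath
    return out


def canonical_json(obj) -> bytes:
    """Serialize with sorted keys, no insignificant whitespace, UTF-8 (RFC 8785 style, simplified)."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":"), ensure_ascii=False).encode("utf-8")


def canonicalize_sbom(sbom: dict) -> dict:
    """Return a copy with normalized PURLs and stably ordered components and dependencies."""
    out = copy.deepcopy(sbom)
    if "components" in out:
        for comp in out["components"]:
            if "purl" in comp:
                comp["purl"] = normalize_purl(comp["purl"])
        out["components"].sort(key=lambda c: (c.get("purl", ""), c.get("name", ""), c.get("version", "")))
    if "dependencies" in out:
        for dep in out["dependencies"]:
            if dep["ref"].startswith("pkg:"):
                dep["ref"] = normalize_purl(dep["ref"])
            dep["dependsOn"] = sorted(
                normalize_purl(r) if r.startswith("pkg:") else r for r in dep.get("dependsOn", [])
            )
        out["dependencies"].sort(key=lambda d: d["ref"])
    return out


def content_address(sbom: dict) -> str:
    """Content-addressed reference: sha256 over the canonical JSON of the canonicalized SBOM."""
    return "sha256:" + hashlib.sha256(canonical_json(canonicalize_sbom(sbom))).hexdigest()


# Constructed sample documents (CycloneDX-like shape, not real scan output).
SBOM_A = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.6",
    "components": [
        {"type": "library", "name": "urllib3", "version": "2.2.1", "purl": "pkg:pypi/urllib3@2.2.1"},
        {"purl": "pkg:PyPI/Requests@2.31.0", "name": "requests", "version": "2.31.0", "type": "library"},
    ],
    "dependencies": [{"ref": "pkg:pypi/requests@2.31.0", "dependsOn": ["pkg:pypi/urllib3@2.2.1"]}],
}
# Same content as SBOM_A with components, keys and PURL casing rearranged.
SBOM_B = {
    "specVersion": "1.6",
    "bomFormat": "CycloneDX",
    "dependencies": [{"dependsOn": ["pkg:pypi/urllib3@2.2.1"], "ref": "pkg:pypi/requests@2.31.0"}],
    "components": [
        {"type": "library", "purl": "pkg:pypi/requests@2.31.0", "version": "2.31.0", "name": "requests"},
        {"type": "library", "name": "urllib3", "version": "2.2.1", "purl": "pkg:pypi/urllib3@2.2.1"},
    ],
}
# A substantive change (different urllib3 version) must change the digest.
SBOM_C = copy.deepcopy(SBOM_A)
SBOM_C["components"][0]["version"] = "2.2.2"
SBOM_C["components"][0]["purl"] = "pkg:pypi/urllib3@2.2.2"

if __name__ == "__main__":
    print("A", content_address(SBOM_A))
    print("B", content_address(SBOM_B))
    print("C", content_address(SBOM_C))
```

Hash the canonicalized bytes, never the bytes as received: the same SBOM re-exported by another tool with different key order or whitespace would otherwise get a new content address and break replay.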