What is included

Sttor Code SBOM focuses on code supply-chain visibility.

A typical SBOM includes:

  1. Packages and components
    • Direct and transitive dependencies discovered from supported ecosystems and lockfiles.
    • Package name, version, package type/ecosystem, and dependency relationships.
  2. Provenance metadata
    • Repository and branch context
    • Commit identifier and scan timestamp
    • Dependency manifest/lockfile references (where applicable)
  3. Security and governance metadata (when available)
    • License identifiers (used by License Compliance)
    • Package hashes/digests (where supported by the ecosystem)
    • Optional linkage to issues (e.g., vulnerable components) for traceability

NOTE

  • The SBOM is designed to be complete and reproducible for the scanned branch state.
  • Findings marked False Positive or Acceptable Risk (Ignored) are governance decisions and are handled in reporting and scoring, not by removing components from the SBOM itself.
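The following is an added example (not Sttor's code, and the JSON layout is an assumption since the page does not state the export format) that checks an SBOM for the completeness properties listed above: required provenance fields, required per-component fields, a dependency graph whose every edge resolves to a listed component, and coverage of the optional license and hash metadata. The sample document is constructed for the example.

```python
REQUIRED_PROVENANCE = ("repository", "branch", "commit", "scanned_at")
REQUIRED_COMPONENT = ("name", "version", "type")
# Constructed sample in an assumed, loosely CycloneDX-like JSON layout.
SAMPLE_SBOM = {
    "provenance": {"repository": "git.example.test/acme/app", "branch": "main",
                   "commit": "0" * 40, "scanned_at": "2024-01-01T00:00:00Z",
                   "manifests": ["package-lock.json"]},
    "components": [
        {"name": "left-pad", "version": "1.3.0", "type": "npm",
         "license": "MIT", "hashes": {"sha512": "placeholder-digest"}},
        {"name": "lodash", "version": "4.17.21", "type": "npm", "license": "MIT"},
        {"name": "minimist", "version": "1.2.5", "type": "npm"},
    ],
    "dependencies": [
        {"ref": "npm:left-pad@1.3.0", "dependsOn": []},
        {"ref": "npm:lodash@4.17.21", "dependsOn": ["npm:minimist@1.2.5"]},
        {"ref": "npm:lodash@4.17.21", "dependsOn": ["npm:missing@0.0.1"]},
    ],
}

def component_ref(c):
    """Reference string assumed for dependency edges: type:name@version."""
    return f"{c['type']}:{c['name']}@{c['version']}"

def check_sbom(doc):
    """Return structural errors plus coverage of the optional governance fields."""
    errors = []
    prov = doc.get("provenance", {})
    errors += [f"provenance missing {k}" for k in REQUIRED_PROVENANCE if not prov.get(k)]
    comps = doc.get("components", [])
    refs = set()
    for i, c in enumerate(comps):
        missing = [k for k in REQUIRED_COMPONENT if not c.get(k)]
        if missing:
            errors.append(f"component[{i}] missing {','.join(missing)}")
            continue
        ref = component_ref(c)
        if ref in refs:  # duplicates break reproducible diffs between scans
            errors.append(f"duplicate component {ref}")
        refs.add(ref)
    # A dangling edge means the SBOM is not complete for the scanned branch state.
    for edge in doc.get("dependencies", []):
        for ref in [edge.get("ref"), *edge.get("dependsOn", [])]:
            if ref not in refs:
                errors.append(f"dependency graph references unknown component {ref}")
    n = len(comps) or 1  # avoid division by zero on an empty SBOM
    return {"errors": errors,
            "license_coverage": sum(1 for c in comps if c.get("license")) / n,
            "hash_coverage": sum(1 for c in comps if c.get("hashes")) / n}
```

Coverage ratios are reported rather than treated as errors because the page lists license identifiers and package hashes as present only when the ecosystem supports them.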