-
Notifications
You must be signed in to change notification settings - Fork 0
User Guide Output and Report Formats
Prev: Security, Audit, and SBOM | Up: User Guide | Next: Remote Mode
This page documents file outputs, machine-readable schemas, overwrite behavior, and exit-code details.
- SBOM prints to stdout when no output path is resolved.
- Audit prints to stdout when no output path is set.
- Snapshot prints command-output block to stdout when no output path is set.
-
test-pluginprints human report to stdout;--reportadds JSON file.
Relative output paths are resolved against current working directory.
Exporters create parent directories when needed.
SBOM, audit, and snapshot all prompt before overwrite unless force flag is present.
Prompt shape is:
<resolved path> already exists. Overwrite? [y/N]
If answer is not y or Y, command aborts.
Formats:
tablejsoncyclonedx-json
Format resolution:
- explicit
--formatwins - otherwise request output path implies
cyclonedx-json - otherwise
config.sbom.defaultFormat
Output path resolution:
- request
--outputwins - otherwise
config.sbom.defaultOutputPath
Columns are:
SYSTEMNAMEVERSIONSOURCE
SOURCE is package sourcePath or - when empty.
Flags affecting table output:
--wide--no-wrap
Top-level shape:
{
"packages": [
{
"system": "npm",
"name": "react",
"displayName": "react",
"version": "18.3.1",
"sourcePath": "",
"localTarget": false
}
],
"dependencies": [
{ "from": "npm:react@18.3.1", "to": "npm:loose-envify@1.4.0" }
]
}Notes:
-
dependenciessection is present only whensbom.includeDependencyEdges = true -
displayNameis ReqPack-rendered display label, not raw source field
Top-level shape:
{
"bomFormat": "CycloneDX",
"specVersion": "1.5",
"version": 1,
"components": [
{
"type": "library",
"bom-ref": "npm:react@18.3.1",
"name": "react",
"version": "18.3.1",
"purl": "pkg:npm/react@18.3.1",
"properties": [
{ "name": "reqpack:system", "value": "npm" },
{ "name": "reqpack:sourcePath", "value": "/tmp/react.tgz" },
{ "name": "reqpack:localTarget", "value": "true" }
]
}
],
"dependencies": [
{
"ref": "npm:react@18.3.1",
"dependsOn": ["npm:loose-envify@1.4.0"]
}
]
}Notes:
-
purlis included only when metadata provider can build one -
reqpack:sourcePathandreqpack:localTargetproperties appear only when applicable -
dependenciessection is omitted when dependency edges are disabled
Formats:
tablejsoncyclonedx-vex-jsonsarif
Format resolution:
- explicit
--formatwins - otherwise
--outputpath extension decides:-
.sarif->sarif - all other file outputs ->
cyclonedx-vex-json
-
- otherwise default is
table
- without output file, findings cause exit code
1 - with output file, findings are exported and do not fail command by themselves
This matters for CI: file export success is not same thing as “no findings.”
Columns are:
SYSTEMNAMEVERSIONFINDINGSEVERITYSCORE- trailing
MESSAGEcolumn
If there are no findings, output is exactly:
No vulnerabilities or audit findings detected.
Top-level shape:
{
"summary": {
"packageCount": 3,
"findingCount": 1
},
"packages": [
{
"system": "npm",
"name": "react",
"displayName": "react",
"version": "18.3.1",
"sourcePath": "",
"localTarget": false,
"ref": "npm:react@18.3.1"
}
],
"findings": [
{
"id": "GHSA-...",
"kind": "vulnerability",
"source": "osv",
"severity": "high",
"score": 7.5,
"message": "...",
"package": {
"system": "npm",
"name": "react",
"version": "18.3.1"
}
}
]
}Top-level shape:
{
"bomFormat": "CycloneDX",
"specVersion": "1.5",
"version": 1,
"components": [ ... ],
"dependencies": [ ... ],
"vulnerabilities": [
{
"id": "GHSA-...",
"source": { "name": "osv" },
"ratings": [
{
"source": { "name": "osv" },
"severity": "high",
"score": 7.5
}
],
"analysis": {
"state": "in_triage",
"detail": "Matched by ReqPack audit from local vulnerability data. Reachability and exploitability were not analyzed."
},
"description": "...",
"affects": [
{ "ref": "npm:react@18.3.1" }
]
}
]
}Notes:
- component section mirrors SBOM-style component emission
-
dependenciesexists only whensbom.includeDependencyEdges = true - VEX
analysis.detailvaries by finding kind such as vulnerability, unresolved version, unsupported ecosystem, sync error
Top-level shape:
{
"version": "2.1.0",
"$schema": "https://json.schemastore.org/sarif-2.1.0.json",
"runs": [
{
"tool": {
"driver": {
"name": "ReqPack",
"rules": [ ... ]
}
},
"results": [
{
"ruleId": "GHSA-...",
"level": "error",
"message": { "text": "..." },
"locations": [
{
"physicalLocation": {
"artifactLocation": {
"uri": "pkg:npm:react@18.3.1"
}
}
}
],
"properties": {
"system": "npm",
"package": "react",
"version": "18.3.1",
"kind": "vulnerability",
"score": 7.5
}
}
]
}
]
}SARIF severity mapping from source:
-
sync_error->error -
criticalorhigh->error -
mediumorlow->warning - otherwise ->
note
Snapshot format is always Lua manifest text.
Top-level shape:
-- Generated by ReqPack snapshot
return {
packages = {
{ system = "apt", name = "curl", version = "8.5.0" },
{ system = "npm", name = "react", version = "18.3.1" },
},
}Behavior:
- entries are sorted by
system, thenname - if no installed state exists, command still emits warning-style message about
history.trackInstalled - file-output mode also emits structured command summary including output path artifact
Human output on stdout looks like:
[PASS] list success
[FAIL] info failure - no fakeExec rule matched command: ...
Cases: 2, Passed: 1, Failed: 1
--report JSON top-level shape:
{
"plugin": "demo-system",
"pluginPath": "/abs/path/run.lua",
"passed": 3,
"failed": 1,
"cases": [
{
"name": "system fixture list",
"success": true,
"message": "",
"commands": ["demo-pm list"],
"stdout": ["alpha entry"],
"stderr": [],
"events": ["listed"],
"artifacts": [],
"eventRecords": [
{ "name": "listed", "payload": "{name=alpha, version=1.2.3}" }
]
}
]
}Case entry fields are:
namesuccessmessagecommands[]stdout[]stderr[]events[]artifacts[]-
eventRecords[]withnameandpayload
Config reports.* exists, and validator policy sees reports.enabled.
Current source still marks Validator::generateReport() as skeleton hook, so do not treat it as finished general report-export feature.
Prev: Security, Audit, and SBOM | Up: User Guide | Next: Remote Mode
- User Guide
- Getting Started
- Command Reference
- Configuration
- Configuration Reference
- Security, Audit, and SBOM
- Output and Report Formats
- Remote Mode
- Remote Protocol Reference
- Using Native
rqpPackages - Troubleshooting