Validate a CycloneDX SBOM against the EU CRA Annex I machine-readable SBOM requirement (art-135) → verify the SLSA provenance in-toto statement: the subject's SHA-256 digest matches the supplied artifact digest, builder.id is present, and the claimed build level is checked (art-136) → validate the OpenVEX vulnerability disclosure statement, including the justification that a not_affected status requires (art-137). Together these three calls form the full EU CRA supply-chain attestation pipeline and run entirely offline (zero network). Two caveats for anyone reusing these requests: a real SHA-256 digest is 64 hexadecimal characters, so the 32-character digest in the sample provenance below is illustrative only and a verifier should reject a digest of the wrong length rather than report a match; and the presence of builder.id alone does not establish trust — it should be compared against the builder identity the verifier expects.
validate_cyclonedx_sbom
{
"jsonrpc": "2.0",
"method": "tools/call",
"params": {
"name": "validate_cyclonedx_sbom",
"arguments": {
"sbom": {
"bomFormat": "CycloneDX",
"specVersion": "1.6",
"components": [
{ "name": "express", "version": "4.18.2", "purl": "pkg:npm/[email protected]" }
],
"dependencies": [
{ "ref": "pkg:npm/[email protected]", "dependsOn": [] }
]
}
}
},
"id": 1
}
verify_slsa_provenance
{
"jsonrpc": "2.0",
"method": "tools/call",
"params": {
"name": "verify_slsa_provenance",
"arguments": {
"statement": {
"_type": "https://in-toto.io/Statement/v0.1",
"predicateType": "https://slsa.dev/provenance/v1",
"subject": [
{ "name": "app.tar.gz", "digest": { "sha256": "d3b07384d113edec49eaa6238ad5ff00" } }
],
"predicate": {
"runDetails": { "builder": { "id": "https://github.com/actions/runner" } }
}
},
"artifact_digest_sha256": "d3b07384d113edec49eaa6238ad5ff00",
"claimed_build_level": 2
}
},
"id": 2
}
validate_openvex_statement
{
"jsonrpc": "2.0",
"method": "tools/call",
"params": {
"name": "validate_openvex_statement",
"arguments": {
"vex": {
"@context": "https://openvex.dev/ns/v0.2.0",
"statements": [
{
"vulnerability": { "name": "CVE-2026-0001" },
"products": ["pkg:npm/[email protected]"],
"status": "not_affected",
"justification": "vulnerable_code_not_in_execute_path"
}
]
}
}
},
"id": 3
}