Evidence & Confidence

lynkctl records, for every conclusion it reaches, where that conclusion came from and how strongly it is supported. This lets you audit an SBOM rather than take it on faith.


Evidence Output

When you pass --evidence, lynkctl emits CycloneDX 1.6 evidence on components where it can represent the supporting records cleanly. Evidence can include identity methods, source/manifest/map occurrences, license evidence, copyright evidence, confidence values, and tool references.

lynkctl generate ./myproject --evidence -o sbom.cdx.json

Scope decisions and other conclusions that CycloneDX cannot directly model remain internal. They are surfaced through diagnostics when they affect auditability.

Confidence

Confidence is a value from 0.00 to 1.00 carried on evidence records and on CycloneDX evidence methods; higher values mean stronger support for the conclusion. When multiple evidence records support the same conclusion, the resolver applies precedence rules first, then confidence, and finally a stable evidence-ID tie break, so the result is deterministic across runs.

Score Reference

lynkctl assigns each conclusion a confidence score based on the strength of its source — explicit declarations and build commands score highest, heuristic inferences lowest. The detailed score-to-source breakdown is internal and evolves with the tool. Contact Interlynk if you need the full reference for audit or review purposes.

Interpreting Scores

Range          Confidence   Guidance
0.85 – 1.00    High         Data comes from authoritative sources: explicit declarations, build commands, pkg-config.
0.60 – 0.84    Moderate     Inferred from build structure, source scanning, or heuristic analysis. Generally reliable, but may need verification.
Below 0.60     Low          Fallback heuristics. Review recommended.

When multiple stages contribute evidence for the same field, individual evidence records preserve the per-source confidence and reasoning. Conflicting or low-confidence conclusions produce diagnostics with evidence IDs in verbose output.
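The bands above are what you apply when reviewing an SBOM produced with --evidence. The script below is an added example, not part of lynkctl: it reads a CycloneDX 1.6 JSON document, takes the weakest identity-evidence confidence on each component, buckets it into High / Moderate / Low using the thresholds from the table, and lists the components that need review. Components with no evidence at all are reported separately rather than silently treated as trusted. The embedded SBOM is constructed for illustration; the field and technique names follow the CycloneDX 1.6 schema.

```python
"""Audit CycloneDX 1.6 identity evidence against the confidence bands above.

Added example, not lynkctl's own code. The thresholds come from the table on
this page; the sample SBOM below is constructed, not real tool output.
"""
import json
import sys

HIGH, LOW = 0.85, 0.60   # band boundaries from the table


def band(confidence):
    """Map a 0..1 confidence to the page's High / Moderate / Low bands."""
    if confidence >= HIGH:
        return "High"
    if confidence >= LOW:
        return "Moderate"
    return "Low"


def identity_records(component):
    """Return the identity evidence entries of a component as a list.

    CycloneDX 1.6 allows `evidence.identity` to be an array; older producers
    emit a single object, so both shapes are normalised here."""
    identity = (component.get("evidence") or {}).get("identity")
    if identity is None:
        return []
    return identity if isinstance(identity, list) else [identity]


def walk(components):
    """Yield every component, descending into nested `components` lists."""
    for comp in components or []:
        yield comp
        yield from walk(comp.get("components"))


def audit(doc):
    """One row per component: name, version, weakest confidence, band, fields.

    The weakest identity confidence is used because a component is only as
    well identified as its least-supported field. No evidence -> band 'None'."""
    rows = []
    for comp in walk(doc.get("components")):
        records = identity_records(comp)
        confs = [r["confidence"] for r in records if "confidence" in r]
        weakest = min(confs) if confs else None
        rows.append({
            "name": comp.get("name"),
            "version": comp.get("version"),
            "weakest": weakest,
            "band": band(weakest) if weakest is not None else "None",
            "fields": sorted({r.get("field", "?") for r in records}),
        })
    return rows


def needs_review(doc):
    """Names of components that are Low-confidence or carry no evidence."""
    return [r["name"] for r in audit(doc) if r["band"] in ("Low", "None")]


# Constructed sample SBOM for illustration; not real lynkctl output.
SAMPLE_SBOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.6",
    "version": 1,
    "components": [
        {"type": "library", "name": "zlib", "version": "1.3.1",
         "purl": "pkg:generic/zlib@1.3.1",
         "evidence": {
             "identity": [
                 {"field": "purl", "confidence": 0.9,
                  "methods": [{"technique": "manifest-analysis", "confidence": 0.9, "value": "zlib.pc"}]},
                 {"field": "version", "confidence": 0.9,
                  "methods": [{"technique": "manifest-analysis", "confidence": 0.9, "value": "zlib.pc"}]}],
             "occurrences": [{"location": "third_party/zlib/zlib.pc", "line": 3}]}},
        {"type": "library", "name": "libfoo", "version": "0.4",
         "evidence": {"identity": [
             {"field": "version", "confidence": 0.7,
              "methods": [{"technique": "source-code-analysis", "confidence": 0.7, "value": "version.h"}]},
             {"field": "name", "confidence": 0.5,
              "methods": [{"technique": "filename", "confidence": 0.5, "value": "libfoo.a"}]}]}},
        {"type": "library", "name": "vendored-blob", "version": "unknown"},
    ],
}


def main(path=None):
    if path:
        with open(path) as fh:
            doc = json.load(fh)
    else:
        doc = SAMPLE_SBOM
    for row in audit(doc):
        weakest = "-" if row["weakest"] is None else f"{row['weakest']:.2f}"
        print(f"{row['name']:<14} {row['version'] or '-':<8} {weakest:>5}  "
              f"{row['band']:<8} {','.join(row['fields'])}")
    flagged = needs_review(doc)
    print(f"\n{len(flagged)} component(s) need review: {', '.join(flagged) or 'none'}")


if __name__ == "__main__":
    main(sys.argv[1] if len(sys.argv) > 1 else None)
```

Run it as `python audit_evidence.py sbom.cdx.json` against a real --evidence output, or with no argument to see the constructed sample: zlib lands in High, libfoo drops to Low because its name was only inferred from a filename, and vendored-blob has no evidence to judge at all.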

Overriding a Conclusion

If lynkctl gets a component wrong, or you have authoritative information it cannot derive, supply a --overrides YAML file. Overrides carry confidence 1.00 and take precedence over every other source. Run lynkctl generate --help for the override file format.
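The resolution order described under Confidence (precedence, then confidence, then a stable evidence-ID tie break) and the override rule above can be seen together in the following added example. It is not lynkctl's code: the stage names, the precedence ranks and the record layout are assumptions chosen to mirror the prose, with "override" ranked ahead of every other source at confidence 1.00. The resolver also emits diagnostics, as the page says the tool does, whenever losing records disagree with the winner or the winner falls below the 0.60 Low band.

```python
"""Illustration of evidence resolution: precedence, then confidence, then ID.

Added example, not lynkctl's implementation. PRECEDENCE, the stage names and
the SAMPLE records are assumptions made to demonstrate the documented order.
"""
from dataclasses import dataclass

# Assumed precedence ranks; lower wins. Overrides outrank every other source.
PRECEDENCE = {
    "override": 0,
    "declaration": 1,      # explicit declared metadata
    "build-command": 1,
    "pkg-config": 1,
    "build-structure": 2,
    "source-scan": 2,
    "heuristic": 3,
}


@dataclass(frozen=True)
class Evidence:
    id: str            # stable evidence ID, used as the final tie break
    component: str
    field: str         # e.g. "version", "license", "purl"
    value: str
    source: str        # one of the PRECEDENCE keys
    confidence: float  # 0.00 .. 1.00
    reason: str = ""


def sort_key(ev):
    """Precedence first, then stronger confidence, then ascending ID."""
    return (PRECEDENCE[ev.source], -ev.confidence, ev.id)


def resolve(records):
    """Return ({(component, field): winning Evidence}, [diagnostic strings]).

    A diagnostic is produced when a losing record disagrees with the winner's
    value, and when the winner itself sits below the 0.60 Low band."""
    groups = {}
    for ev in records:
        groups.setdefault((ev.component, ev.field), []).append(ev)
    winners, diagnostics = {}, []
    for (comp, field), evs in groups.items():
        ranked = sorted(evs, key=sort_key)
        winner = ranked[0]
        winners[(comp, field)] = winner
        conflicting = [e for e in ranked[1:] if e.value != winner.value]
        if conflicting:
            losers = ", ".join(f"{e.id}={e.value!r}@{e.confidence:.2f}" for e in conflicting)
            diagnostics.append(
                f"{comp}.{field}: chose {winner.value!r} from {winner.id} "
                f"({winner.source}, {winner.confidence:.2f}); conflicts: {losers}")
        if winner.confidence < 0.60:
            diagnostics.append(
                f"{comp}.{field}: low confidence {winner.confidence:.2f} "
                f"from {winner.id} ({winner.source}); review recommended")
    return winners, diagnostics


# Constructed records for two components; not real tool output.
SAMPLE = [
    Evidence("ev-003", "zlib", "version", "1.2.13", "heuristic", 0.45, "directory name"),
    Evidence("ev-001", "zlib", "version", "1.3.1", "pkg-config", 0.90, "zlib.pc"),
    Evidence("ev-002", "zlib", "version", "1.3.1", "build-command", 0.90, "-lz resolved"),
    Evidence("ev-004", "zlib", "license", "Zlib", "source-scan", 0.70, "header comment"),
    Evidence("ev-005", "zlib", "license", "MIT", "heuristic", 0.50, "guessed from README"),
    Evidence("ev-006", "zlib", "license", "Zlib", "override", 1.00, "--overrides file"),
    Evidence("ev-007", "foo", "purl", "pkg:generic/foo", "heuristic", 0.40, "file name"),
]

if __name__ == "__main__":
    winners, diags = resolve(SAMPLE)
    for (comp, field), ev in winners.items():
        print(f"{comp}.{field} = {ev.value} <- {ev.id} ({ev.source}, {ev.confidence:.2f}) [{ev.reason}]")
    for d in diags:
        print("diag:", d)
```

Two details are worth noticing in the sample: ev-001 and ev-002 tie on both precedence and confidence, so the evidence ID decides and the choice is reproducible; and the override ev-006 wins the license even though it agrees with the source scan, while the heuristic MIT guess is surfaced as a conflict rather than silently discarded.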
