NAME
SBOM::CycloneDX - Software Bill Of Materials, CyclonDX style
SYNOPSIS
use SBOM::CycloneDX;
DESCRIPTION
SBOM::CycloneDX provides a distribution for the implementation of the Software Bill Of Materials standard provided by CycloneDX using the JSON Reference.
This is still alpha state, but all necessary classes are currently implemented. But no way to ingest any JSON generated data yet.
PRELIMINARY STRUCTURE DEFINITION
CycloneDX
- serialNumber $serialNumber ----------------------------------
Every BOM generated SHOULD have a unique serial number,
even if the contents of the BOM have not changed over
time. If specified, the serial number must conform to RFC
4122. Use of serial numbers is recommended.
- Int $version ------------------------------------------------
Whenever an existing BOM is modified, either manually or
through automated processes, the version of the BOM SHOULD
be incremented by 1. When a system is presented with
multiple BOMs with identical serial numbers, the system
SHOULD use the most recent version of the BOM. The default
version is '1'.
- Metadata $metadata ------------------------------------------
Provides additional information about a BOM.
DateTime $timestamp
The date and time (timestamp) when the BOM was created.
Phase @lifecycles
Lifecycles communicate the stage(s) in which data in
the BOM was captured. Different types of data may be
available at various phases of a lifecycle, such as the
Software Development Lifecycle (SDLC), IT Asset
Management (ITAM), and Software Asset Management (SAM).
Thus, a BOM may include data specific to or only
obtainable in a
AnyTool $tools
The tool(s) used in the creation, enrichment, and
validation of the BOM.
Organization $manufacturer
The organization that created the BOM. Manufacturer is
common in BOMs created through automated processes. BOMs
created through
bom-ref $bom-ref
An optional identifier which can be used to reference
the object elsewhere in the BOM.
Str $name
The name of the organization.
Address $address
The physical address (location) of the organization.
bom-ref $bom-ref
An optional identifier which can be used to
reference the address elsewhere in the BOM.
Str $country
The country name or the two-letter ISO 3166-1
country code.
Str $region
The region or state in the country.
Str $locality
The locality or city within the country.
Str $postOfficeBoxNumber
The post office box number.
Str $postalCode
The postal code.
Str $streetAddress
The street address.
URL @url
The URL of the organization. Multiple URLs are
allowed.
Contact @contact
A contact at the organization. Multiple contacts are
allowed.
bom-ref $bom-ref
An optional identifier which can be used to
reference the person elsewhere in the BOM.
Str $name
The name of a contact.
email $email
The email address of the contact.
Str $phone
The phone number of the contact.
Contact @authors
The person(s) who created the BOM. Authors are common
in BOMs created through manual processes. BOMs created
through automated means may have @.manufacturer instead.
bom-ref $bom-ref
An optional identifier which can be used to reference
the person elsewhere in the BOM.
Str $name
The name of a contact.
email $email
The email address of the contact.
Str $phone
The phone number of the contact.
Component $component
The component that the BOM describes.
ComponentType $type (required)
Specifies the type of the component. For software
components, classify as application if no more
specific appropriate classification is available or
cannot be determined for the component.
mime-type $mime-type
The optional mime-type of the component. When used on
file components, the mime-type can provide additional
context about the kind of file being represented, such
as an image, font, or executable. Some library or
framework components may also have an associated
mime-type.
bom-ref $bom-ref
An optional identifier which can be used to reference
the component elsewhere in the BOM. Every bom-ref must
be unique within the BOM. Value SHOULD not start with
the BOM-Link intro 'urn:cdx:' to avoid conflicts with
BOM-Links.
Organization $supplier
The organization that supplied the component. The
supplier may often be the manufacturer, but may also
be a distributor or repackager.
bom-ref $bom-ref
An optional identifier which can be used to
reference the object elsewhere in the BOM.
Str $name
The name of the organization.
Address $address
The physical address (location) of the
organization.
URL @url
The URL of the organization. Multiple URLs are
allowed.
Contact @contact
A contact at the organization. Multiple contacts
are allowed.
Organization $manufacturer
The organization that created the component.
Manufacturer is common in components created through
automated processes. Components created through manual
means may have @.authors instead.
Contact @authors
The person(s) who created the component. Authors are
common in components created through manual processes.
Components created through automated means may have
@.manufacturer instead.
Str $publisher
The person(s) or organization(s) that published the
component.
Str $group
The grouping name or identifier. This will often be a
shortened, single name of the company or project that
produced the component, or the source package or
domain name. Whitespace and special characters should
be avoided. Examples include: apache,
org.apache.commons, and apache.org.
Str $name (required)
The name of the component. This will often be a
shortened, single name of the component. Examples:
commons-lang3 and jquery.
versionString $version
The component version. The version should ideally
comply with semantic versioning but is not enforced.
Str $description
Specifies a description for the component
Scope $scope
Specifies the scope of the component. If scope is not
specified, 'required' scope SHOULD be assumed by the
consumer of the BOM.
HashedString @hashes
The hashes of the component.
HashAlgorithm $alg (required)
The algorithm that generated the hash value.
contentHash $content (required)
The value of the hash.
AnyLicense @licenses
EITHER (list of SPDX licenses and/or named licenses)
OR (tuple of one SPDX License Expression)
Str $copyright
A copyright notice informing users of the underlying
claims to copyright ownership in a published work.
CPE $cpe
Asserts the identity of the component using CPE. The
CPE must conform to the CPE 2.2 or 2.3 specification.
See https://nvd.nist.gov/products/cpe. Refer to
@.evidence.identity to optionally provide evidence
that substantiates the assertion of the component's
identity.
PURL $purl
Asserts the identity of the component using
package-url (purl). The purl, if specified, must be
valid and conform to the specification defined at:
https://github.com/package-url/purl-spec. Refer to
@.evidence.identity to optionally provide evidence
that substantiates the assertion of the component's
identity.
omniborId @omniborId
Asserts the identity of the component using the
OmniBOR Artifact ID. The OmniBOR, if specified, must
be valid and conform to the specification defined at:
https://www.iana.org/assignments/uri-schemes/prov/gitoid.
Refer to @.evidence.identity to optionally provide
evidence that substantiates the assertion of the
component's identity.
SWHID @swhid
Asserts the identity of the component using the
Software Heritage persistent identifier (SWHID). The
SWHID, if specified, must be valid and conform to the
specification defined at:
https://docs.softwareheritage.org/devel/swh-model/persistent-identifiers.html.
Refer to @.evidence.identity to optionally provide
evidence that substantiates the assertion of the
component's identity.
SWID $swid
Asserts the identity of the component using ISO-IEC
19770-2 Software Identification (SWID) Tags. Refer to
@.evidence.identity to optionally provide evidence
that substantiates the assertion of the component's
identity.
Str:D $tagID (required)
Maps to the tagId of a SoftwareIdentity.
Str:D $name (required)
Maps to the name of a SoftwareIdentity.
Str:D $version
Maps to the version of a SoftwareIdentity.
Int:D @tagVersion
Maps to the tagVersion of a SoftwareIdentity.
Bool:D $patch
Maps to the patch of a SoftwareIdentity.
Attachment $text
Specifies the metadata and content of the SWID tag.
mime-type $contentType
Specifies the format and nature of the data being
attached, helping systems correctly interpret and
process the content. Common content type examples
include application/json for JSON data and
text/plain for plan text documents.
Encoding $encoding
Specifies the optional encoding the text is
represented in.
Str $content (required)
The attachment data. Proactive controls such as
input validation and sanitization should be
employed to prevent misuse of attachment text.
URL $url
The URL to the SWID file.
Bool $modified
[Deprecated] This will be removed in a future
version. Use the pedigree element instead to supply
information on exactly how the component was modified.
A boolean value indicating if the component has been
modified from the original. A value of true indicates
the component is a derivative of the original. A value
of false indicates the component has not been modified
from the original.
Pedigree $pedigree
Component pedigree is a way to document complex
supply chain scenarios where components are created,
distributed, modified, redistributed, combined with
other components, etc. Pedigree supports viewing this
complex chain from the beginning, the end, or anywhere
in the middle. It also provides a way to document
variants where the exact relation may not be known.
Component @ancestors
Describes zero or more components in which a
component is derived from. This is commonly used to
describe forks from existing projects where the
forked version contains a ancestor node containing
the original component it was forked from. For
example, Component A is the original component.
Component B is the component being used and
documented in the BOM. However, Component B contains
a pedigree node with a single ancestor documenting
Component A - the original component from which
Component B is derived from.
ComponentType $type (required)
Specifies the type of the component. For software
components, classify as application if no more
specific appropriate classification is available
or cannot be determined for the component.
mime-type $mime-type
The optional mime-type of the component. When
used on file components, the mime-type can provide
additional context about the kind of file being
represented, such as an image, font, or
executable. Some library or framework components
may also have an associated mime-type.
bom-ref $bom-ref
An optional identifier which can be used to
reference the component elsewhere in the BOM.
Every bom-ref must be unique within the BOM. Value
SHOULD not start with the BOM-Link intro
'urn:cdx:' to avoid conflicts with BOM-Links.
Organization $supplier
The organization that supplied the component. The
supplier may often be the manufacturer, but may
also be a distributor or repackager.
Organization $manufacturer
The organization that created the component.
Manufacturer is common in components created
through automated processes. Components created
through manual means may have @.authors instead.
Contact @authors
The person(s) who created the component. Authors
are common in components created through manual
processes. Components created through automated
means may have @.manufacturer instead.
Str $publisher
The person(s) or organization(s) that published
the component.
Str $group
The grouping name or identifier. This will often
be a shortened, single name of the company or
project that produced the component, or the source
package or domain name. Whitespace and special
characters should be avoided. Examples include:
apache, org.apache.commons, and apache.org.
Str $name (required)
The name of the component. This will often be a
shortened, single name of the component. Examples:
commons-lang3 and jquery.
versionString $version
The component version. The version should ideally
comply with semantic versioning but is not
enforced.
Str $description
Specifies a description for the component
Scope $scope
Specifies the scope of the component. If scope is
not specified, 'required' scope SHOULD be assumed
by the consumer of the BOM.
HashedString @hashes
The hashes of the component.
AnyLicense @licenses
EITHER (list of SPDX licenses and/or named
licenses) OR (tuple of one SPDX License
Expression)
Str $copyright
A copyright notice informing users of the
underlying claims to copyright ownership in a
published work.
CPE $cpe
Asserts the identity of the component using CPE.
The CPE must conform to the CPE 2.2 or 2.3
specification. See
https://nvd.nist.gov/products/cpe. Refer to
@.evidence.identity to optionally provide evidence
that substantiates the assertion of the
component's identity.
PURL $purl
Asserts the identity of the component using
package-url (purl). The purl, if specified, must
be valid and conform to the specification defined
at: https://github.com/package-url/purl-spec.
Refer to @.evidence.identity to optionally provide
evidence that substantiates the assertion of the
component's identity.
omniborId @omniborId
Asserts the identity of the component using the
OmniBOR Artifact ID. The OmniBOR, if specified,
must be valid and conform to the specification
defined at:
https://www.iana.org/assignments/uri-schemes/prov/gitoid.
Refer to @.evidence.identity to optionally provide
evidence that substantiates the assertion of the
component's identity.
SWHID @swhid
Asserts the identity of the component using the
Software Heritage persistent identifier (SWHID).
The SWHID, if specified, must be valid and conform
to the specification defined at:
https://docs.softwareheritage.org/devel/swh-model/persistent-identifiers.html.
Refer to @.evidence.identity to optionally provide
evidence that substantiates the assertion of the
component's identity.
SWID $swid
Asserts the identity of the component using
ISO-IEC 19770-2 Software Identification (SWID)
Tags. Refer to @.evidence.identity to optionally
provide evidence that substantiates the assertion
of the component's identity.
Bool $modified
[Deprecated] This will be removed in a future
version. Use the pedigree element instead to
supply information on exactly how the component
was modified. A boolean value indicating if the
component has been modified from the original. A
value of true indicates the component is a
derivative of the original. A value of false
indicates the component has not been modified from
the original.
Pedigree $pedigree
Component pedigree is a way to document complex
supply chain scenarios where components are
created, distributed, modified, redistributed,
combined with other components, etc. Pedigree
supports viewing this complex chain from the
beginning, the end, or anywhere in the middle. It
also provides a way to document variants where the
exact relation may not be known.
Reference @externalReferences
External references provide a way to document
systems, sites, and information that may be
relevant but are not included with the BOM. They
may also establish specific relationships within
or external to the BOM.
referenceURL $url (required)
The URI (URL or URN) to the external reference.
External references are URIs and therefore can
accept any URL scheme including https
(RFC-7230), mailto (RFC-2368), tel (RFC-3966),
and dns (RFC-4501). External references may also
include formally registered URNs such as
CycloneDX BOM-Link to reference CycloneDX BOMs
or any object within a BOM. BOM-Link transforms
applicable external references into
relationships that can be expressed in a BOM or
across BOMs.
Str $comment
An optional comment describing the external
reference.
ReferenceSource $type (required)
Specifies the type of external reference.
HashedString @hashes
The hashes of the external reference (if
applicable).
Component @components
A list of software and hardware components
included in the parent component. This is not a
dependency tree. It provides a way to specify a
hierarchical representation of component
assemblies, similar to system → subsystem → parts
assembly in physical supply chains.
ComponentType $type (required)
Specifies the type of the component. For
software components, classify as application if
no more specific appropriate classification is
available or cannot be determined for the
component.
mime-type $mime-type
The optional mime-type of the component. When
used on file components, the mime-type can
provide additional context about the kind of
file being represented, such as an image, font,
or executable. Some library or framework
components may also have an associated
mime-type.
bom-ref $bom-ref
An optional identifier which can be used to
reference the component elsewhere in the BOM.
Every bom-ref must be unique within the BOM.
Value SHOULD not start with the BOM-Link intro
'urn:cdx:' to avoid conflicts with BOM-Links.
Organization $supplier
The organization that supplied the component.
The supplier may often be the manufacturer, but
may also be a distributor or repackager.
Organization $manufacturer
The organization that created the component.
Manufacturer is common in components created
through automated processes. Components created
through manual means may have @.authors instead.
Contact @authors
The person(s) who created the component.
Authors are common in components created through
manual processes. Components created through
automated means may have @.manufacturer instead.
Str $publisher
The person(s) or organization(s) that published
the component.
Str $group
The grouping name or identifier. This will
often be a shortened, single name of the company
or project that produced the component, or the
source package or domain name. Whitespace and
special characters should be avoided. Examples
include: apache, org.apache.commons, and
apache.org.
Str $name (required)
The name of the component. This will often be a
shortened, single name of the component.
Examples: commons-lang3 and jquery.
versionString $version
The component version. The version should
ideally comply with semantic versioning but is
not enforced.
Str $description
Specifies a description for the component
Scope $scope
Specifies the scope of the component. If scope
is not specified, 'required' scope SHOULD be
assumed by the consumer of the BOM.
HashedString @hashes
The hashes of the component.
AnyLicense @licenses
EITHER (list of SPDX licenses and/or named
licenses) OR (tuple of one SPDX License
Expression)
Str $copyright
A copyright notice informing users of the
underlying claims to copyright ownership in a
published work.
CPE $cpe
Asserts the identity of the component using
CPE. The CPE must conform to the CPE 2.2 or 2.3
specification. See
https://nvd.nist.gov/products/cpe. Refer to
@.evidence.identity to optionally provide
evidence that substantiates the assertion of the
component's identity.
PURL $purl
Asserts the identity of the component using
package-url (purl). The purl, if specified, must
be valid and conform to the specification
defined at:
https://github.com/package-url/purl-spec. Refer
to @.evidence.identity to optionally provide
evidence that substantiates the assertion of the
component's identity.
omniborId @omniborId
Asserts the identity of the component using the
OmniBOR Artifact ID. The OmniBOR, if specified,
must be valid and conform to the specification
defined at:
https://www.iana.org/assignments/uri-schemes/prov/gitoid.
Refer to @.evidence.identity to optionally
provide evidence that substantiates the
assertion of the component's identity.
SWHID @swhid
Asserts the identity of the component using the
Software Heritage persistent identifier (SWHID).
The SWHID, if specified, must be valid and
conform to the specification defined at:
https://docs.softwareheritage.org/devel/swh-model/persistent-identifiers.html.
Refer to @.evidence.identity to optionally
provide evidence that substantiates the
assertion of the component's identity.
SWID $swid
Asserts the identity of the component using
ISO-IEC 19770-2 Software Identification (SWID)
Tags. Refer to @.evidence.identity to optionally
provide evidence that substantiates the
assertion of the component's identity.
Bool $modified
[Deprecated] This will be removed in a future
version. Use the pedigree element instead to
supply information on exactly how the component
was modified. A boolean value indicating if the
component has been modified from the original. A
value of true indicates the component is a
derivative of the original. A value of false
indicates the component has not been modified
from the original.
Pedigree $pedigree
Component pedigree is a way to document complex
supply chain scenarios where components are
created, distributed, modified, redistributed,
combined with other components, etc. Pedigree
supports viewing this complex chain from the
beginning, the end, or anywhere in the middle.
It also provides a way to document variants
where the exact relation may not be known.
Reference @externalReferences
External references provide a way to document
systems, sites, and information that may be
relevant but are not included with the BOM. They
may also establish specific relationships within
or external to the BOM.
Component @components
A list of software and hardware components
included in the parent component. This is not a
dependency tree. It provides a way to specify a
hierarchical representation of component
assemblies, similar to system → subsystem →
parts assembly in physical supply chains.
ComponentEvidence $evidence
Provides the ability to document evidence
collected through various forms of extraction or
analysis.
Identity $identity
Evidence that substantiates the identity of a
component.
Occurrence @occurrences
Evidence of individual instances of a
component spread across multiple locations.
bom-ref $bom-ref
An optional identifier which can be used to
reference the occurrence elsewhere in the
BOM
Str $location (required)
The location or path to where the component
was found.
PositiveInt $line
The line number where the component was
found.
PositiveInt $offset
The offset where the component was found.
Str $symbol
The symbol name that was found associated
with the component.
Str $additionalContext
Any additional context of the detected
component (e.g. a code snippet).
Callstack $callstack
Evidence of the components use through the
callstack.
Frame @frames
The frames seen in the callstack.
Str $package
A package organizes modules into
namespaces, providing a unique namespace
for each type it contains.
Str $module (required)
A module or class that encloses
functions/methods and other code.
Str $function
A block of code designed to perform a
particular task.
Str @parameters
Optional arguments that are passed to the
module or function.
PositiveInt $line
The line number the code that is called
resides on.
PositiveInt $column
The column the code that is called
resides.
Str $fullFilename
The full path and filename of the module.
AnyLicense @licenses
EITHER (list of SPDX licenses and/or named
licenses) OR (tuple of one SPDX License
Expression).
Copyright @copyright
A copyright notice informing users of the
underlying claims to copyright ownership in a
published work.
Str $text (required)
The textual content of the copyright.
ReleaseNotes $releaseNotes
Specifies optional release notes.
ReleaseLevel $type (required)
The software versioning type the release note
describes.
Str $title
The title of the release.
URL $featuredImage
The URL to an image that may be prominently
displayed with the release note.
URL $socialImage
The URL to an image that may be used in
messaging on social media platforms.
Str $description
A short description of the release.
DateTime $timestamp
The date and time (timestamp) when the
release note was created.
Str @aliases
One or more alternate names the release may
be referred to. This may include unofficial
terms used by development and marketing teams
(e.g. code names).
Str @tags
Textual strings that aid in discovery,
search, and retrieval of the associated
object. Tags often serve as a way to group or
categorize similar or related objects by
various attributes.
Resolve @resolves
A collection of issues that have been
resolved.
ResolveType $type (required)
Specifies the type of issue.
Str $id
The identifier of the issue assigned by the
source of the issue.
Str $name
The name of the issue.
Str $description
A description of the issue.
Source $source
The source of the issue where it is
documented.
URL $url
The url of documentation as provided by
the source.
Str $name
The name of the source.
URL @references
A collection of URL's for reference.
Multiple URLs are allowed.
Note @notes
A release note containing the locale and
content.
locale $locale
The ISO-639 (or higher) language code and
optional ISO-3166 (or higher) country code.
Attachment $text (required)
Specifies the full content of the release
note.
mime-type $contentType
Specifies the format and nature of the
data being attached, helping systems
correctly interpret and process the
content. Common content type examples
include application/json for JSON data and
text/plain for plan text documents.
Encoding $encoding
Specifies the optional encoding the text
is represented in.
Str $content (required)
The attachment data. Proactive controls
such as input validation and sanitization
should be employed to prevent misuse of
attachment text.
Property @properties
Any additional properties as name-value
pairs.
Str $name (required)
The name of the property. Duplicate names
are allowed.
Str $value
The value of the property.
ModelCard $modelCard
A model card describes the intended uses of a
machine learning model and potential
limitations, including biases and ethical
considerations. Model cards typically contain
the training parameters, which datasets were
used to train the model, performance metrics,
and other relevant data useful for ML
transparency. This object SHOULD be specified
for any component of type machine-learning-model
and must not be specified for other component
types.
bom-ref $bom-ref
An optional identifier which can be used to
reference the model card elsewhere in the BOM.
ModelParameters $modelParameters
Hyper-parameters for construction of the
model.
Approach $approach
The overall approach to learning used by
the model for problem solving.
Learning $type
Learning types describing the learning
problem or hybrid learning problem.
Str $task
Directly influences the input and/or
output. Examples include classification,
regression, clustering, etc.
Str $architectureFamily
The model architecture family such as
transformer network, convolutional neural
network, residual neural network, LSTM
neural network, etc.
Str $modelArchitecture
The specific architecture of the model such
as GPT-1, ResNet-50, YOLOv3, etc.
ModelDataset @datasets
The datasets used to train and evaluate the
model.
bom-ref $bom-ref
An optional identifier which can be used
to reference the dataset elsewhere in the
BOM.
DataSource $type (required)
The general theme or subject matter of
the data being specified.
Str $name
The name of the dataset.
DataContents $contents
The contents or references to the
contents of the data being described.
Attachment $attachment
An optional way to include textual or
encoded data.
mime-type $contentType
Specifies the format and nature of
the data being attached, helping
systems correctly interpret and
process the content. Common content
type examples include application/json
for JSON data and text/plain for plan
text documents.
Encoding $encoding
Specifies the optional encoding the
text is represented in.
Str $content (required)
The attachment data. Proactive
controls such as input validation and
sanitization should be employed to
prevent misuse of attachment text.
URL $url
The URL to where the data can be
retrieved.
Property @properties
Any additional properties as name-value
pairs.
Str $classification
Data classification tags data according
to its type, sensitivity,
Str @sensitiveData
A description of any sensitive data in a
dataset.
Graphics $graphics
A collection of graphics that represent
various measurements.
Str $description
A description of this collection of
graphics.
Graphic @collection
A collection of graphics.
Str $name
The name of the graphic.
Attachment $image
The graphic (vector or raster).
mime-type $contentType
Specifies the format and nature of
the data being attached, helping
systems correctly interpret and
process the content. Common content
type examples include
application/json for JSON data and
text/plain for plan text documents.
Encoding $encoding
Specifies the optional encoding the
text is represented in.
Str $content (required)
The attachment data. Proactive
controls such as input validation
and sanitization should be employed
to prevent misuse of attachment
text.
Str $description
A description of the dataset. Can
describe size of dataset, whether it's
used for source code, training, testing,
or validation, etc.
Governance $governance
Data governance captures information
regarding data ownership, stewardship, and
custodianship, providing insights into the
individuals or entities responsible for
managing, overseeing, and safeguarding the
data throughout its lifecycle.
Governor @custdians
Data custodians are responsible for the
safe custody, transport, and storage of
data.
Governor @stewards
Data stewards are responsible for data
content, context, and associated
business rules.
Governor @owners
Data owners are concerned with risk and
appropriate access to data.
ModelFormat @inputs
The input format(s) of the model.
Str $format
The data format for input/output to the
model, e.g. "string", "image",
"time-series".
ModelFormat @outputs
The output format(s) of the model.
Str $format
The data format for input/output to the
model, e.g. "string", "image",
"time-series".
QuantitativeAnalysis $quantitativeAnalysis
A quantitative analysis of the model
PerformanceMetric @performanceMetrics
The model performance metrics being
reported.
Str $type
The type of performance metric.
Str $value
The value of the performance metric.
Str $slice
The name of the slice this metric was
computed on. By default, assume this
metric is not sliced.
ConfidenceInterval $confidenceInterval
The confidence interval of the metric.
Str $lowerBound
The lower bound of the confidence
interval.
Str $UpperBound
The upper bound of the confidence
interval.
Graphics $graphics
A collection of graphics that represent
various measurements.
Considerations $considerations
What considerations should be taken into
account regarding a model's construction,
training, and application?
Str @users
Who are the intended users of the model?
Str @useCases
What are the intended use cases of the
model?
Str @technicalLimitations
What are the known technical limitations of
the model? E.g. What kind(s) of data should
the model be expected not to perform well
on? What are the factors that might degrade
model performance?
Str @performanceTradeoffs
What are the known tradeoffs in
accuracy/performance of the model?
EthicalConsideration @ethicalConsiderations
What are the ethical risks involved in the
application of this model?
Str $name
The name of the risk.
Str $mitigationStragegy
Strategy used to address this risk.
EnvironmentalConsiderations $environmentalConsiderations
What are the various environmental impacts
a machine learning model has exhibited
across its lifecycle?
EnergyConsumption @energyConsumptions
Describes energy consumption information
incurred for one or more component
lifecycle activities.
Activity $activity (required)
The type of activity that is part of a
machine learning model development or
operational lifecycle.
EnergyProvider @energyProviders (required)
The provider(s) of the energy consumed
by the associated model development
lifecycle activity.
bom-ref $bom-ref
An optional identifier which can be
used to reference the energy provider
elsewhere in the BOM.
Str $description
A description of the energy provider.
Organization $organization (required)
The organization that provides
energy.
bom-ref $bom-ref
An optional identifier which can be
used to reference the object
elsewhere in the BOM.
Str $name
The name of the organization.
Address $address
The physical address (location) of
the organization.
URL @url
The URL of the organization.
Multiple URLs are allowed.
Contact @contact
A contact at the organization.
Multiple contacts are allowed.
Energy $energySource (required)
The energy source for the energy
provider.
EnergyCost $energyProvided (required)
The energy provided by the energy
source for an associated activity.
Rat $value (required)
Quantity of energy.
EnergyUnit $unit (required)
Unit of energy.
Reference @externalReferences
External references provide a way to
document systems, sites, and
information that may be relevant but
are not included with the BOM. They
may also establish specific
relationships within or external to
the BOM.
EnergyCost $activityEnergyCost (required)
The total energy cost associated with
the model lifecycle activity.
Rat $value (required)
Quantity of energy.
EnergyUnit $unit (required)
Unit of energy.
CO2Cost $co2CostEquivalent
The CO2 cost (debit) equivalent to the
total energy cost.
Rat $value (required)
Quantity of carbon dioxide (CO2).
CO2Cost $unit (required)
Unit of carbon dioxide (CO2).
CO2Cost $co2CostOffset
The CO2 offset (credit) for the CO2
equivalent cost.
Rat $value (required)
Quantity of carbon dioxide (CO2).
CO2Cost $unit (required)
Unit of carbon dioxide (CO2).
Property @properties
Any additional properties as name-value
pairs.
Property @properties
Any additional properties as name-value
pairs.
FairnessAssessment @fairnessAssessments
How does the model affect groups at risk of
being systematically disadvantaged? What are
the harms and benefits to the various
affected groups?
Str $groupAtRisk
The groups or individuals at risk of
being systematically disadvantaged by the
model.
Str $benefits
Expected benefits to the identified
groups.
Str $harms
Expected harms to the identified groups.
Str $mitigationStrategy
With respect to the benefits and harms
outlined, please describe any mitigation
strategy implemented.
Property @properties
Any additional properties as name-value
pairs.
ComponentDataset @data
Data associated with a data component.
bom-ref $bom-ref
An optional identifier which can be used to
reference the dataset elsewhere in the BOM.
DataSource $type (required)
The general theme or subject matter of the
data being specified.
Str $name
The name of the dataset.
DataContents $contents
The contents or references to the contents of
the data being described.
Str $classification
Data classification tags data according to
its type, sensitivity, and value if altered,
stolen, or destroyed.
Str @sensitiveData
A description of any sensitive data in a
dataset.
Graphics $graphics
A collection of graphics that represent
various measurements.
Str $description
A description of the dataset. Can describe
size of dataset, whether it's used for source
code, training, testing, or validation, etc.
Governance $governance
Data governance captures information
regarding data ownership, stewardship, and
custodianship, providing insights into the
individuals or entities responsible for
managing, overseeing, and safeguarding the
data throughout its lifecycle.
CryptoProperties $cryptoProperties
Cryptographic assets have properties that
uniquely define them and that make them
actionable for further reasoning. As an example,
it makes a difference if one knows the algorithm
family (e.g. AES) or the specific variant or
instantiation (e.g. AES-128-GCM). This is
because the security level and the algorithm
primitive (authenticated encryption) are only
defined by the definition of the algorithm
variant. The presence of a weak cryptographic
algorithm like SHA1 vs. HMAC-SHA1 also makes a
difference.
CryptoAsset $assetType (required)
Type of crypto asset.
AlgorithmProperties $algorithmProperties
Additional properties specific to a
cryptographic algorithm.
AlgorithmPrimitive $primitive
Cryptographic building blocks used in
higher-level cryptographic systems and
protocols.
Str $parameterSetIdentifier
An identifier for the parameter set of the
cryptographic algorithm. Examples: in
AES128, '128' identifies the key length in
bits, in SHA256, '256' identifies the digest
length, '128' in SHAKE128 identifies its
maximum security level in bits, and
'SHA2-128s' identifies a parameter set used
in SLH-DSA (FIPS205).
Str $curve
The specific underlying Elliptic Curve (EC)
definition employed which is an indicator of
the level of security strength, performance
and complexity. Absent an authoritative
source of curve names, CycloneDX recommends
using curve names as defined at
https://neuromancer.sk/std/, the source of
which can be found at
https://github.com/J08nY/std-curves.
ExecutionEnvironment $executionEnvironmment
The target and execution environment in
which the algorithm is implemented in.
Platform $implementationPlatform
The target platform for which the algorithm
is implemented. The implementation can be
'generic', running on any platform or for a
specific platform.
Certification $certficationLevel
The certification that the implementation
of the cryptographic algorithm has received,
if any. Certifications include revisions and
levels of FIPS 140 or Common Criteria of
different Extended Assurance Levels
(CC-EAL).
CertificationMode $mode
The mode of operation in which the
cryptographic algorithm (block cipher) is
used.
CertificationPadding $padding
The padding scheme that is used for the
cryptographic algorithm.
CryptoFunction @cryptoFunctions
The cryptographic functions implemented by
the cryptographic algorithm.
UInt $classicalSecurityLevel
The classical security level that a
cryptographic algorithm provides (in bits).
nistQuantumSecurityLevel $nistQuantumSecurityLevel
The NIST security strength category as
defined in
https://csrc.nist.gov/projects/post-quantum-cryptography/post-quantum-cryptography-standardization/evaluation-criteria/security-(evaluation-criteria).
A value of 0 indicates that none of the
categories are met.
CertificateProperties $certificateProperties
Properties for cryptographic assets of asset
type 'certificate'.
Str $subjectName
The subject name for the certificate.
Str $issuerName
The issuer name for the certificate.
DateTime $notValidBefore
The date and time according to ISO-8601
standard from which the certificate is
valid.
DateTime $notValidAfter
The date and time according to ISO-8601
standard from which the certificate is not
valid anymore.
Str $signatureAlgorithmRef
The bom-ref to signature algorithm used by
the certificate.
Str $subjectPublicKeyRef
The bom-ref to the public key of the
subject.
Str $certificateFormat
The format of the certificate.
Str $certificateExtension
The file extension of the certificate.
CryptoMaterialProperties $relatedCryptoMaterialProperties
Properties for cryptographic assets of asset
type 'related-crypto-material'.
Crypto $type
The type for the related cryptographic
material
Str $id
The optional unique identifier for the
related cryptographic material.
CryptoState $state
The key state as defined by NIST SP 800-57.
Str $algorithmRef
The bom-ref to the algorithm used to
generate the related cryptographic material.
DateTime $creationDate
The date and time (timestamp) when the
related cryptographic material was created.
DateTime $activationDate
The date and time (timestamp) when the
related cryptographic material was
activated.
DateTime $updateDate
The date and time (timestamp) when the
related cryptographic material was updated.
DateTime $expirationDate
The date and time (timestamp) when the
related cryptographic material expires.
Str $value
The associated value of the cryptographic
material.
UInt $size
The size of the cryptographic asset (in
bits).
Str $format
The format of the related cryptographic
material (e.g. P8, PEM, DER).
CryptoSecurity $securedBy
The mechanism by which the cryptographic
asset is secured by.
Str $mechanism
Specifies the mechanism by which the
cryptographic asset is secured by.
Str $algorithmRef
The bom-ref to the algorithm.
CryptoProtocolProperties $protocolProperties
Properties specific to cryptographic assets
of type: protocol.
CryptoProtocol $type
The concrete protocol type.
versionString $version
The version of the protocol.
CipherSuite @cipherSuites
A list of cipher suites related to the
protocol.
Str $name
A common name for the cipher suite.
Str @algorithms
A list of algorithms related to the
cipher suite.
Str @identifiers
A list of common identifiers for the
cipher suite.
IKEv2TransformTypes $ikev2TransformTypes
The IKEv2 transform types supported (types
1-4), defined in RFC 7296 section 3.3.2, and
additional properties.
Str @encr
Transform Type 1: encryption algorithms.
Str @prf
Transform Type 2: pseudorandom functions.
Str @integ
Transform Type 3: integrity algorithms.
Str @ke
Transform Type 4: Key Exchange Method
(KE) per RFC 9370, formerly called
Diffie-Hellman Group (D-H).
Bool $esn
Specifies if an Extended Sequence Number
(ESN) is used.
IDnotbomLink @auth
IKEv2 Authentication methods: identifier
for referable and therefore interlinkable
elements.
IDnotbomLink @cryptoRefArray
A list of protocol-related cryptographic
assets, Identifier for referable and
therefore interlinkable elements.
Str $oid
The object identifier (OID) of the
cryptographic asset.
Property @properties
Any additional properties as name-value pairs.
Str @tags
Textual strings that aid in discovery, search,
and retrieval of the associated object. Tags
often serve as a way to group or categorize
similar or related objects by various
attributes.
ValidSignature $signature
Enveloped signature in JSON Signature Format
(JSF).
ComponentEvidence $evidence
Provides the ability to document evidence
collected through various forms of extraction or
analysis.
ReleaseNotes $releaseNotes
Specifies optional release notes.
ModelCard $modelCard
A model card describes the intended uses of a
machine learning model and potential limitations,
including biases and ethical considerations. Model
cards typically contain the training parameters,
which datasets were used to train the model,
performance metrics, and other relevant data
useful for ML transparency. This object SHOULD be
specified for any component of type
machine-learning-model and must not be specified
for other component types.
ComponentDataset @data
Data associated with a data component.
CryptoProperties $cryptoProperties
Cryptographic assets have properties that
uniquely define them and that make them actionable
for further reasoning. As an example, it makes a
difference if one knows the algorithm family (e.g.
AES) or the specific variant or instantiation
(e.g. AES-128-GCM). This is because the security
level and the algorithm primitive (authenticated
encryption) are only defined by the definition of
the algorithm variant. The presence of a weak
cryptographic algorithm like SHA1 vs. HMAC-SHA1
also makes a difference.
Property @properties
Any additional properties as name-value pairs.
Str @tags
Textual strings that aid in discovery, search,
and retrieval of the associated object. Tags often
serve as a way to group or categorize similar or
related objects by various attributes.
ValidSignature $signature
Enveloped signature in JSON Signature Format
(JSF).
Component @descendants
Descendants are the exact opposite of ancestors.
This provides a way to document all forks (and their
forks) of an original or root component.
ComponentType $type (required)
Specifies the type of the component. For software
components, classify as application if no more
specific appropriate classification is available
or cannot be determined for the component.
mime-type $mime-type
The optional mime-type of the component. When
used on file components, the mime-type can provide
additional context about the kind of file being
represented, such as an image, font, or
executable. Some library or framework components
may also have an associated mime-type.
bom-ref $bom-ref
An optional identifier which can be used to
reference the component elsewhere in the BOM.
Every bom-ref must be unique within the BOM. Value
SHOULD not start with the BOM-Link intro
'urn:cdx:' to avoid conflicts with BOM-Links.
Organization $supplier
The organization that supplied the component. The
supplier may often be the manufacturer, but may
also be a distributor or repackager.
Organization $manufacturer
The organization that created the component.
Manufacturer is common in components created
through automated processes. Components created
through manual means may have @.authors instead.
Contact @authors
The person(s) who created the component. Authors
are common in components created through manual
processes. Components created through automated
means may have @.manufacturer instead.
Str $publisher
The person(s) or organization(s) that published
the component.
Str $group
The grouping name or identifier. This will often
be a shortened, single name of the company or
project that produced the component, or the source
package or domain name. Whitespace and special
characters should be avoided. Examples include:
apache, org.apache.commons, and apache.org.
Str $name (required)
The name of the component. This will often be a
shortened, single name of the component. Examples:
commons-lang3 and jquery.
versionString $version
The component version. The version should ideally
comply with semantic versioning but is not
enforced.
Str $description
Specifies a description for the component
Scope $scope
Specifies the scope of the component. If scope is
not specified, 'required' scope SHOULD be assumed
by the consumer of the BOM.
HashedString @hashes
The hashes of the component.
AnyLicense @licenses
EITHER (list of SPDX licenses and/or named
licenses) OR (tuple of one SPDX License
Expression)
Str $copyright
A copyright notice informing users of the
underlying claims to copyright ownership in a
published work.
CPE $cpe
Asserts the identity of the component using CPE.
The CPE must conform to the CPE 2.2 or 2.3
specification. See
https://nvd.nist.gov/products/cpe. Refer to
@.evidence.identity to optionally provide evidence
that substantiates the assertion of the
component's identity.
PURL $purl
Asserts the identity of the component using
package-url (purl). The purl, if specified, must
be valid and conform to the specification defined
at: https://github.com/package-url/purl-spec.
Refer to @.evidence.identity to optionally provide
evidence that substantiates the assertion of the
component's identity.
omniborId @omniborId
Asserts the identity of the component using the
OmniBOR Artifact ID. The OmniBOR, if specified,
must be valid and conform to the specification
defined at:
https://www.iana.org/assignments/uri-schemes/prov/gitoid.
Refer to @.evidence.identity to optionally provide
evidence that substantiates the assertion of the
component's identity.
SWHID @swhid
Asserts the identity of the component using the
Software Heritage persistent identifier (SWHID).
The SWHID, if specified, must be valid and conform
to the specification defined at:
https://docs.softwareheritage.org/devel/swh-model/persistent-identifiers.html.
Refer to @.evidence.identity to optionally provide
evidence that substantiates the assertion of the
component's identity.
SWID $swid
Asserts the identity of the component using
ISO-IEC 19770-2 Software Identification (SWID)
Tags. Refer to @.evidence.identity to optionally
provide evidence that substantiates the assertion
of the component's identity.
Bool $modified
[Deprecated] This will be removed in a future
version. Use the pedigree element instead to
supply information on exactly how the component
was modified. A boolean value indicating if the
component has been modified from the original. A
value of true indicates the component is a
derivative of the original. A value of false
indicates the component has not been modified from
the original.
Pedigree $pedigree
Component pedigree is a way to document complex
supply chain scenarios where components are
created, distributed, modified, redistributed,
combined with other components, etc. Pedigree
supports viewing this complex chain from the
beginning, the end, or anywhere in the middle. It
also provides a way to document variants where the
exact relation may not be known.
Reference @externalReferences
External references provide a way to document
systems, sites, and information that may be
relevant but are not included with the BOM. They
may also establish specific relationships within
or external to the BOM.
Component @components
A list of software and hardware components
included in the parent component. This is not a
dependency tree. It provides a way to specify a
hierarchical representation of component
assemblies, similar to system → subsystem → parts
assembly in physical supply chains.
ComponentEvidence $evidence
Provides the ability to document evidence
collected through various forms of extraction or
analysis.
ReleaseNotes $releaseNotes
Specifies optional release notes.
ModelCard $modelCard
A model card describes the intended uses of a
machine learning model and potential limitations,
including biases and ethical considerations. Model
cards typically contain the training parameters,
which datasets were used to train the model,
performance metrics, and other relevant data
useful for ML transparency. This object SHOULD be
specified for any component of type
machine-learning-model and must not be specified
for other component types.
ComponentDataset @data
Data associated with a data component.
CryptoProperties $cryptoProperties
Cryptographic assets have properties that
uniquely define them and that make them actionable
for further reasoning. As an example, it makes a
difference if one knows the algorithm family (e.g.
AES) or the specific variant or instantiation
(e.g. AES-128-GCM). This is because the security
level and the algorithm primitive (authenticated
encryption) are only defined by the definition of
the algorithm variant. The presence of a weak
cryptographic algorithm like SHA1 vs. HMAC-SHA1
also makes a difference.
Property @properties
Any additional properties as name-value pairs.
Str @tags
Textual strings that aid in discovery, search,
and retrieval of the associated object. Tags often
serve as a way to group or categorize similar or
related objects by various attributes.
ValidSignature $signature
Enveloped signature in JSON Signature Format
(JSF).
Component @variants
Variants describe relations where the relationship
between the components is not known. For example, if
Component A contains nearly identical code to
Component B. They are both related, but it is
unclear if one is derived from the other, or if they
share a common ancestor.
ComponentType $type (required)
Specifies the type of the component. For software
components, classify as application if no more
specific appropriate classification is available
or cannot be determined for the component.
mime-type $mime-type
The optional mime-type of the component. When
used on file components, the mime-type can provide
additional context about the kind of file being
represented, such as an image, font, or
executable. Some library or framework components
may also have an associated mime-type.
bom-ref $bom-ref
An optional identifier which can be used to
reference the component elsewhere in the BOM.
Every bom-ref must be unique within the BOM. Value
SHOULD not start with the BOM-Link intro
'urn:cdx:' to avoid conflicts with BOM-Links.
Organization $supplier
The organization that supplied the component. The
supplier may often be the manufacturer, but may
also be a distributor or repackager.
Organization $manufacturer
The organization that created the component.
Manufacturer is common in components created
through automated processes. Components created
through manual means may have @.authors instead.
Contact @authors
The person(s) who created the component. Authors
are common in components created through manual
processes. Components created through automated
means may have @.manufacturer instead.
Str $publisher
The person(s) or organization(s) that published
the component.
Str $group
The grouping name or identifier. This will often
be a shortened, single name of the company or
project that produced the component, or the source
package or domain name. Whitespace and special
characters should be avoided. Examples include:
apache, org.apache.commons, and apache.org.
Str $name (required)
The name of the component. This will often be a
shortened, single name of the component. Examples:
commons-lang3 and jquery.
versionString $version
The component version. The version should ideally
comply with semantic versioning but is not
enforced.
Str $description
Specifies a description for the component
Scope $scope
Specifies the scope of the component. If scope is
not specified, 'required' scope SHOULD be assumed
by the consumer of the BOM.
HashedString @hashes
The hashes of the component.
AnyLicense @licenses
EITHER (list of SPDX licenses and/or named
licenses) OR (tuple of one SPDX License
Expression)
Str $copyright
A copyright notice informing users of the
underlying claims to copyright ownership in a
published work.
CPE $cpe
Asserts the identity of the component using CPE.
The CPE must conform to the CPE 2.2 or 2.3
specification. See
https://nvd.nist.gov/products/cpe. Refer to
@.evidence.identity to optionally provide evidence
that substantiates the assertion of the
component's identity.
PURL $purl
Asserts the identity of the component using
package-url (purl). The purl, if specified, must
be valid and conform to the specification defined
at: https://github.com/package-url/purl-spec.
Refer to @.evidence.identity to optionally provide
evidence that substantiates the assertion of the
component's identity.
omniborId @omniborId
Asserts the identity of the component using the
OmniBOR Artifact ID. The OmniBOR, if specified,
must be valid and conform to the specification
defined at:
https://www.iana.org/assignments/uri-schemes/prov/gitoid.
Refer to @.evidence.identity to optionally provide
evidence that substantiates the assertion of the
component's identity.
SWHID @swhid
Asserts the identity of the component using the
Software Heritage persistent identifier (SWHID).
The SWHID, if specified, must be valid and conform
to the specification defined at:
https://docs.softwareheritage.org/devel/swh-model/persistent-identifiers.html.
Refer to @.evidence.identity to optionally provide
evidence that substantiates the assertion of the
component's identity.
SWID $swid
Asserts the identity of the component using
ISO-IEC 19770-2 Software Identification (SWID)
Tags. Refer to @.evidence.identity to optionally
provide evidence that substantiates the assertion
of the component's identity.
Bool $modified
[Deprecated] This will be removed in a future
version. Use the pedigree element instead to
supply information on exactly how the component
was modified. A boolean value indicating if the
component has been modified from the original. A
value of true indicates the component is a
derivative of the original. A value of false
indicates the component has not been modified from
the original.
Pedigree $pedigree
Component pedigree is a way to document complex
supply chain scenarios where components are
created, distributed, modified, redistributed,
combined with other components, etc. Pedigree
supports viewing this complex chain from the
beginning, the end, or anywhere in the middle. It
also provides a way to document variants where the
exact relation may not be known.
Reference @externalReferences
External references provide a way to document
systems, sites, and information that may be
relevant but are not included with the BOM. They
may also establish specific relationships within
or external to the BOM.
Component @components
A list of software and hardware components
included in the parent component. This is not a
dependency tree. It provides a way to specify a
hierarchical representation of component
assemblies, similar to system → subsystem → parts
assembly in physical supply chains.
ComponentEvidence $evidence
Provides the ability to document evidence
collected through various forms of extraction or
analysis.
ReleaseNotes $releaseNotes
Specifies optional release notes.
ModelCard $modelCard
A model card describes the intended uses of a
machine learning model and potential limitations,
including biases and ethical considerations. Model
cards typically contain the training parameters,
which datasets were used to train the model,
performance metrics, and other relevant data
useful for ML transparency. This object SHOULD be
specified for any component of type
machine-learning-model and must not be specified
for other component types.
ComponentDataset @data
Data associated with a data component.
CryptoProperties $cryptoProperties
Cryptographic assets have properties that
uniquely define them and that make them actionable
for further reasoning. As an example, it makes a
difference if one knows the algorithm family (e.g.
AES) or the specific variant or instantiation
(e.g. AES-128-GCM). This is because the security
level and the algorithm primitive (authenticated
encryption) are only defined by the definition of
the algorithm variant. The presence of a weak
cryptographic algorithm like SHA1 vs. HMAC-SHA1
also makes a difference.
Property @properties
Any additional properties as name-value pairs.
Str @tags
Textual strings that aid in discovery, search,
and retrieval of the associated object. Tags often
serve as a way to group or categorize similar or
related objects by various attributes.
ValidSignature $signature
Enveloped signature in JSON Signature Format
(JSF).
Commit @commits
A list of zero or more commits which provide a
trail describing how the component deviates from an
ancestor, descendant, or variant.
Str $uid
A unique identifier of the commit. This may be
version control specific. For example, Subversion
uses revision numbers whereas git uses commit
hashes.
URL $url
The URL to the commit. This URL will typically
point to a commit in a version control system.
Development $author
The author who created the changes in the commit.
DateTime $timestamp
The timestamp in which the action occurred.
Str $name
The name of the individual who performed the
action.
email $email
The email address of the individual who
performed the action.
Development $committer
The person who committed or pushed the commit.
DateTime $timestamp
The timestamp in which the action occurred.
Str $name
The name of the individual who performed the
action.
email $email
The email address of the individual who
performed the action.
Str $message
The text description of the contents of the
commit.
Patch @patches
A list of zero or more patches describing how the
component deviates from an ancestor, descendant, or
variant. Patches may be complementary to commits or
may be used in place of commits.
Patch $type (required)
Specifies the purpose for the patch including the
resolution of defects, security issues, or new
behavior or functionality.
Diff $diff
The patch file (or diff) that shows changes.
Refer to https://en.wikipedia.org/wiki/Diff
Attachment $text
Specifies the optional text of the diff.
URL $url
Specifies the URL to the diff.
Resolve @resolves
A collection of issues the patch resolves.
Str $notes
Notes, observations, and other non-structured
commentary describing the components pedigree.
Reference @externalReferences
External references provide a way to document
systems, sites, and information that may be relevant
but are not included with the BOM. They may also
establish specific relationships within or external to
the BOM.
Component @components
A list of software and hardware components included
in the parent component. This is not a dependency
tree. It provides a way to specify a hierarchical
representation of component assemblies, similar to
system → subsystem → parts assembly in physical supply
chains.
ComponentEvidence $evidence
Provides the ability to document evidence collected
through various forms of extraction or analysis.
ReleaseNotes $releaseNotes
Specifies optional release notes.
ModelCard $modelCard
A model card describes the intended uses of a machine
learning model and potential limitations, including
biases and ethical considerations. Model cards
typically contain the training parameters, which
datasets were used to train the model, performance
metrics, and other relevant data useful for ML
transparency. This object SHOULD be specified for any
component of type machine-learning-model and must not
be specified for other component types.
ComponentDataset @data
Data associated with a data component.
CryptoProperties $cryptoProperties
Cryptographic assets have properties that uniquely
define them and that make them actionable for further
reasoning. As an example, it makes a difference if one
knows the algorithm family (e.g. AES) or the specific
variant or instantiation (e.g. AES-128-GCM). This is
because the security level and the algorithm primitive
(authenticated encryption) are only defined by the
definition of the algorithm variant. The presence of a
weak cryptographic algorithm like SHA1 vs. HMAC-SHA1
also makes a difference.
Property @properties
Any additional properties as name-value pairs.
Str @tags
Textual strings that aid in discovery, search, and
retrieval of the associated object. Tags often serve
as a way to group or categorize similar or related
objects by various attributes.
ValidSignature $signature
Enveloped signature in JSON Signature Format (JSF).
Organization $supplier
The organization that supplied the component that the
BOM describes. The supplier may often be the
manufacturer, but may also be a
AnyLicense @licenses
The license information for the BOM document. This may
be different from the license(s) of the component(s)
that the BOM describes.
Property @properties
Any additional properties as name-value pairs.
- Component @components ---------------------------------------
A list of software and hardware components. All items
must be unique.
- Service @services -------------------------------------------
A list of services. This may include microservices,
function-as-a-service, and other types of network or
intra-process services. All items must be unique.
bom-ref $bom-ref
An optional identifier which can be used to reference
the service elsewhere in the BOM. Every bom-ref must be
unique within the BOM.
Organization $provider
The organization that provides the service.
bom-ref $bom-ref
An optional identifier which can be used to reference
the object elsewhere in the BOM.
Str $name
The name of the organization.
Address $address
The physical address (location) of the organization.
URL @url
The URL of the organization. Multiple URLs are
allowed.
Contact @contact
A contact at the organization. Multiple contacts are
allowed.
Str $group
The grouping name, namespace, or identifier. This will
often be a shortened, single name of the company or
project that produced the service or domain name.
Whitespace and special characters should be avoided.
Str $name (required)
The name of the service. This will often be a
shortened, single name of the service.
versionString $version
The service version.
Str $description
Specifies a description for the service.
URL @endpoints
The endpoint URIs of the service.
Bool $authenticated
A boolean value indicating if the service requires
authentication. A value of true indicates the service
requires authentication prior to use. A value of false
indicates the service does not require authentication.
Bool $x-trust-boundary
A boolean value indicating if use of the service
crosses a trust zone or boundary. A value of true
indicates that by using the service, a trust boundary is
crossed. A value of false indicates that by using the
service, a trust boundary is not crossed.
Str $trustZone
The name of the trust zone the service resides in.
ServiceDataset @data
Specifies information about the data including the
directional flow of data and the data classification.
DataFlow $flow (required)
Specifies the flow direction of the data, relative to
the service.
Str $classification (required)
Data classification tags data according to its type,
sensitivity, and value if altered, stolen, or
destroyed.
Str $name
Name for the defined data.
Str $description
Short description of the data content and usage.
Governance $governance
Data governance captures information regarding data
ownership, stewardship, and custodianship, providing
insights into the individuals or entities responsible
for managing, overseeing, and safeguarding the data
throughout its lifecycle.
Endpoint $source
The URI, URL, or BOM-Link of the components or
services the data came in from.
Endpoint $destination
The URI, URL, or BOM-Link of the components or
services the data is sent to.
AnyLicense @licenses
EITHER (list of SPDX licenses and/or named licenses) OR
(tuple of one SPDX License Expression).
Reference @externalReferences
External references provide a way to document systems,
sites, and information that may be relevant but are not
included with the BOM. They may also establish specific
relationships within or external to the BOM.
Service @services
A list of services included or deployed behind the
parent service. This is not a dependency tree. It
provides a way to specify ai hierarchical representation
of service assemblies. All items must be unique.
ReleaseNotes $releaseNotes
Specifies optional release notes.
Property @properties
Any additional properties as name-value pairs.
Str @tags
Textual strings that aid in discovery, search, and
retrieval of the associated object. Tags often serve as
a way to group or categorize similar or related objects
by various attributes.
ValidSignature $signature
Enveloped signature in JSON Signature Format (JSF).
- Reference @externalReferences -------------------------------
External references provide a way to document systems,
sites, and information that may be relevant but are not
included with the BOM. They may also establish specific
relationships within or external to the BOM.
- Dependency @dependencies ------------------------------------
Provides the ability to document dependency relationships
including provided & implemented components. All items
must be unique.
bom-ref $ref
References a component or service by its bom-ref
attribute.
bom-ref @dependsOn
The bom-ref identifiers of the components or services
that are dependencies of this dependency object.
bom-ref @provides
The bom-ref identifiers of the components or services
that define a given specification or standard, which are
provided or implemented by this dependency object. For
example, a cryptographic library which implements a
cryptographic algorithm. A component which implements
another component does not imply that the implementation
is in use.
- Composition @compositions -----------------------------------
Compositions describe constituent parts (including
components, services, and dependency relationships) and
their completeness. The completeness of vulnerabilities
expressed in a BOM may also be described.
bom-ref $bom-ref
An optional identifier which can be used to reference
the composition elsewhere in the BOM.
Aggregate $aggregate
Specifies an aggregate type that describes how complete
a relationship is.
bomLinkElement @assemblies
The bom-ref identifiers of the components or services
being described. Assemblies refer to nested
relationships whereby a constituent part may include
other constituent parts. References do not cascade to
child parts. References are explicit for the specified
constituent part only.
bom-ref @dependencies
The bom-ref identifiers of the components or services
being described. Dependencies refer to a relationship
whereby an independent constituent part requires another
independent constituent part. References do not cascade
to transitive dependencies. References are explicit for
the specified dependency only.
bom-ref @vulnerabilities
The bom-ref identifiers of the vulnerabilities being
described.
ValidSignature $signature
Enveloped signature in JSON Signature Format (JSF).
- Vulnerability @vulnerabilities ------------------------------
Vulnerabilities identified in components or services. All
items must be unique.
bom-ref $bom-ref
An optional identifier which can be used to reference
the vulnerability elsewhere in the BOM.
Str $id
The identifier that uniquely identifies the
vulnerability.
Source $source
The source that published the vulnerability.
SourceReference @references
Zero or more pointers to vulnerabilities that are the
equivalent of the vulnerability specified. Often times,
the same vulnerability may exist in multiple sources of
vulnerability intelligence, but have different
identifiers. References provide a way to correlate
vulnerabilities across multiple sources of vulnerability
intelligence.
Str $id
An identifier that uniquely identifies the
vulnerability.
Source $source
The source that published the vulnerability.
Rating @ratings
List of vulnerability ratings.
Source $source
The source that calculated the severity or risk
rating of the vulnerability.
Rat $score
The numerical score of the rating.
Severity $severity
Textual representation of the severity that
corresponds to the numerical score of the rating.
RiskMethodology $method
Specifies the severity or risk scoring methodology or
standard used.
Str $vector
Textual representation of the metric values used to
score the vulnerability.
Str $justification
An optional reason for rating the vulnerability as it
was.
PositiveInt @cwes
List of Common Weaknesses Enumerations (CWEs) codes
that describes this vulnerability. For example 399 (of
https://cwe.mitre.org/data/definitions/399.html).
Str $description
A description of the vulnerability as provided by the
source.
Str $detail
If available, an in-depth description of the
vulnerability as provided by the source organization.
Details often include
Str $recommendation
Recommendations of how the vulnerability can be
remediated or mitigated.
Str $workaround
A bypass, usually temporary, of the vulnerability that
reduces its likelihood and/or impact. Workarounds often
involve changes to configuration or deployments.
ProofOfConcept $proofOfConcept
Evidence used to reproduce the vulnerability.
Str $reproductionSteps
Precise steps to reproduce the vulnerability.
Str $environment
A description of the environment in which
reproduction was possible.
Attachment @supportingMaterial
Supporting material that helps in reproducing or
understanding how reproduction is possible. This may
include screenshots, payloads, and PoC exploit code.
mime-type $contentType
Specifies the format and nature of the data being
attached, helping systems correctly interpret and
process the content. Common content type examples
include application/json for JSON data and
text/plain for plan text documents.
Encoding $encoding
Specifies the optional encoding the text is
represented in.
Str $content (required)
The attachment data. Proactive controls such as
input validation and sanitization should be employed
to prevent misuse of attachment text.
Advisory @advisories
Published advisories of the vulnerability if provided.
Str $title
An optional name of the advisory.
URL $url (required)
Location where the advisory can be obtained.
DateTime $created
The date and time (timestamp) when the vulnerability
record was created in the vulnerability database.
DateTime $published
The date and time (timestamp) when the vulnerability
record was first published.
DateTime $updated
The date and time (timestamp) when the vulnerability
record was last updated.
DateTime $rejected
The date and time (timestamp) when the vulnerability
record was rejected (if applicable).
Credits $credits
Individuals or organizations credited with the
discovery of the vulnerability.
Organization @organizations
The organizations credited with vulnerability
discovery.
bom-ref $bom-ref
An optional identifier which can be used to
reference the object elsewhere in the BOM.
Str $name
The name of the organization.
Address $address
The physical address (location) of the
organization.
URL @url
The URL of the organization. Multiple URLs are
allowed.
Contact @contact
A contact at the organization. Multiple contacts
are allowed.
Contact @individuals
The individuals, not associated with organizations,
that are credited with vulnerability discovery.
bom-ref $bom-ref
An optional identifier which can be used to
reference the person elsewhere in the BOM.
Str $name
The name of a contact.
email $email
The email address of the contact.
Str $phone
The phone number of the contact.
AnyTool $tools
The tool(s) used to identify, confirm, or score the
vulnerability.
Analysis $analysis
An assessment of the impact and exploitability of the
vulnerability.
VulnerabilityState $state
Declares the current state of an occurrence of a
vulnerability, after automated or manual analysis.
Justification $justification
The rationale of why the impact analysis state was
asserted.
Response $response
A response to the vulnerability by the manufacturer,
supplier, or project responsible for the affected
component or service. More than one response is
allowed. Responses are strongly encouraged for
vulnerabilities where the analysis state is
exploitable.
Str $detail
Detailed description of the impact including methods
used during assessment. If a vulnerability is not
exploitable, this field should include specific
details on why the component or service is not
impacted by this vulnerability.
DateTime $firstIssued
The date and time (timestamp) when the analysis was
first issued.
DateTime $lastUpdated
The date and time (timestamp) when the analysis was
last updated.
referenceURL @affects
The components or services that are affected by the
vulnerability.
Property @properties
Any additional properties as name-value pairs.
- Annotation @annotations -------------------------------------
Comments made by people, organizations, or tools about
any object with a bom-ref, such as components, services,
vulnerabilities, or the BOM itself. Unlike inventory
information, annotations may contain opinions or
commentary from various stakeholders. Annotations may be
inline (with inventory) or externalized viai BOM-Link and
may optionally be signed. All items must be unique.
bom-ref $bom-ref
An optional identifier which can be used to reference
the annotation elsewhere in the BOM.
referenceURL @subjects (required)
The object in the BOM identified by its bom-ref. This
is often a component or service, but may be any object
type supporting bom-refs.
Annotator $annotator (required)
The organization, person, component, or service which
created the textual content of the annotation.
DateTime $timestamp (required)
The date and time (timestamp) when the annotation was
created.
Str $text (required)
The textual content of the annotation.
ValidSignature $signature
Enveloped signature in JSON Signature Format (JSF).
- Formulation @formulations -----------------------------------
Describes how a component or service was manufactured or
deployed. This is achieved through the use of formulas,
workflows, tasks, the observed formulas describing the
steps which transpired in the manufacturing process. All
items must be unique.
bom-ref $bom-ref
An optional identifier which can be used to reference
the formula elsewhere in the BOM.
Component @components
Transient components that are used in tasks that
constitute one or more of this formula's workflows.
Service @services
Transient services that are used in tasks that
constitute one or more of this formula's workflows.
Workflow @workflows
List of workflows that can be declared to accomplish
specific orchestrated goals and independently triggered.
bom-ref $bom-ref (required)
An optional identifier which can be used to reference
the workflow elsewhere in the BOM.
Str $uid (required)
The unique identifier for the resource instance
within its deployment context.
Str $name
The name of the resource instance.
Str $description
A description of the resource instance.
resourceRef @resourceReferences
References to component or service resources that are
used toi realize the resource instance.
Task @tasks
The tasks that comprise the workflow.
bom-ref $bom-ref (required)
An optional identifier which can be used to
reference the task elsewhere in the BOM.
Str $uid (required)
The unique identifier for the resource instance
within its deployment context.
Str $name
The name of the resource instance.
Str $description
A description of the resource instance.
resourceRef @resourceReferences
References to component or service resources that
are used to realize the resource instance.
TaskActivity @taskTypes (required)
Indicates the types of activities performed by the
set of workflow tasks.
Trigger $trigger
The trigger that initiated the task.
bom-ref $bom-ref (required)
An optional identifier which can be used to
reference the trigger elsewhere in the BOM.
Str $uid (required)
The unique identifier for the resource instance
within its deployment context.
Str $name
The name of the resource instance.
Str $description
A description of the resource instance.
resourceRef @resourceReferences
References to component or service resources that
are used to realize the resource instance.
TriggerEvent $type
The source type of event which caused the trigger
to fire.
Event $event
The event data that caused the associated trigger
to activate.
Str $uid
The unique identifier of the event.
Str $description
A description of the event.
DateTime $timeReceived
The date and time (timestamp) when the event
was received.
Attachment $data
Encoding of the raw event data.
mime-type $contentType
Specifies the format and nature of the data
being attached, helping systems correctly
interpret and process the content. Common
content type examples include application/json
for JSON data and text/plain for plan text
documents.
Encoding $encoding
Specifies the optional encoding the text is
represented in.
Str $content (required)
The attachment data. Proactive controls such
as input validation and sanitization should be
employed to prevent misuse of attachment text.
resourceRef $source
References the component or service that was
the source of the event.
resourceRef $target
References the component or service that was
the target of the event.
Property @properties
Any additional properties as name-value pairs.
Condition @conditions
A list of conditions used to determine if a
trigger should be activated.
Str $description
Describes the set of conditions which cause the
trigger to activate.
Str $expression
The logical expression that was evaluated that
determined the trigger should be fired.
Property @properties
Any additional properties as name-value pairs.
DateTime $timeActivated
The date and time (timestamp) when the trigger
was activated.
Input @inputs
Represents resources and data brought into a task
at runtime by executor or task commands.
resourceRef $source
A reference to the component or service that
provided the input to the task (e.g., reference
to a service with data flow value of inbound)
resourceRef $target
A reference to the component or service that
received or stored the input if not the task
itself (e.g., a local, named storage workspace)
resourceRef $resource
A reference to an independent resource provided
as an input to a task by the workflow runtime.
Parameter @parameters
Inputs that have the form of parameters with
names and values.
Str $name
The name of the parameter.
Str $value
The value of the parameter.
Str $dataType
The data type of the parameter.
StrOrProperty @environmentVars
Inputs that have the form of parameters with
names and values.
Attachment $data
Inputs that have the form of data.
Property @properties
Any additional properties as name-value pairs.
Output @outputs
Represents resources and data output from a task
at runtime by executor or task commands.
OutputType $type
Describes the type of data output.
resourceRef $source
Either a referenceURL or a Reference are
allowed.
resourceRef $target
Either a referenceURL or a Reference are
allowed.
resourceRef $resource
Either a referenceURL or a Reference are
allowed.
Attachment $data
Supporting material that helps in reproducing
or understanding. This may include screenshots,
payloads, and PoC exploit code.
StrOrProperty @environmentVars
Allow for a Property or a string
Property @properties
Any additional properties as name-value pairs.
Property @properties
Any additional properties as name-value pairs.
ExecutionStep @steps
The sequence of steps for the task.
Str $name
A name for the step.
Str $description
A description for the step.
Command @commands
Ordered list of commands or directives for the
step.
Str $executed
A text representation of the executed command.
Property @properties
Any additional properties as name-value pairs.
Property @properties
Any additional properties as name-value pairs.
Input @inputs
Represents resources and data brought into a task
at runtime by executor or task commands.
Output @outputs
Represents resources and data output from a task at
runtime by executor or task commands
DateTime $timeStart
The date and time (timestamp) when the task
started.
DateTime $timeEnd
The date and time (timestamp) when the task ended.
Workspace @workspaces
A set of named filesystem or data resource
shareable by workflow tasks.
bom-ref $bom-ref (required)
An optional identifier which can be used to
reference the workspace elsewhere in the BOM.
Str $uid (required)
The unique identifier for the resource instance
within its deployment context.
Str $name
The name of the resource instance.
Str @aliases
The names for the workspace as referenced by
other workflow tasks. Effectively, a name mapping
so other tasks can use their own local name in
their steps.
Str $description
A description of the resource instance.
resourceRef @resourceReferences
References to component or service resources that
are used to realize the resource instance.
AccessMode $accessMode
Describes the read-write access Acontrol for the
workspace relative to the owning resource
instance.
Str $mountPath
A path to a location on disk where the workspace
will be available to the associated task's steps.
Str $managedDataType
The name of a domain-specific data type the
workspace represents.
Str $volumeRequest
Identifies the reference to the request for a
specific volume type and parameters.
Volume $volume
Information about the actual volume instance
allocated to the workspace.
Str $uid
The unique identifier for the volume instance
within its deployment context.
Str $name
The name of the volume instance.
VolumeMode $mode
The mode for the volume instance.
Str $path
The underlying path created from the actual
volume.
Str $sizeAllocated
The allocated size of the volume accessible to
the associated workspace. This should include
the scalar size as well as IEC standard unit in
either decimal or binary form.
Bool $persistent
Indicates if the volume persists beyond the
life of the resource it is associated with.
Bool $remote
Indicates if the volume is remotely (i.e.,
network) attached.
Property @properties
Any additional properties as name-value pairs.
Property @properties
Any additional properties as name-value pairs.
RuntimeTopology @runtimeTopology
A graph of the component runtime topology for
task's instance.
Str $ref (required)
References a component or service by its bom-ref
attribute
Str @dependsOn
The bom-ref identifiers of the components or
services that are dependencies of this dependency
object.
Str @provides
The bom-ref identifiers of the components or
services that define a given specification or
standard, which are provided or implemented by
this dependency object. For example, a
cryptographic library which implements a
cryptographic algorithm. A component which
implements another component does not imply that
the implementation is in use.
Property @properties
Any additional properties as name-value pairs.
Dependency @taskDependencies
The graph of dependencies between tasks within the
workflow.
bom-ref $ref
References a component or service by its bom-ref
attribute.
bom-ref @dependsOn
The bom-ref identifiers of the components or
services that are dependencies of this dependency
object.
bom-ref @provides
The bom-ref identifiers of the components or
services that define a given specification or
standard, which are provided or implemented by this
dependency object. For example, a cryptographic
library which implements a cryptographic algorithm.
A component which implements another component does
not imply that the implementation is in use.
TaskActivity @taskTypes
Indicates the types of activities performed by the
set of workflow tasks.
Trigger $trigger
The trigger that initiated the task.
ExecutionStep @steps
The sequence of steps for the task.
Input @inputs
Represents resources and data brought into a task at
runtime by executor or task commands.
Input @outputs
Represents resources and data output from a task at
runtime by executor or task commands.
resourceRef $source
A reference to the component or service that
provided the input to the task (e.g., reference to a
service with data flow value of inbound)
resourceRef $target
A reference to the component or service that
received or stored the input if not the task itself
(e.g., a local, named storage workspace)
resourceRef $resource
A reference to an independent resource provided as
an input to a task by the workflow runtime.
Parameter @parameters
Inputs that have the form of parameters with names
and values.
StrOrProperty @environmentVars
Inputs that have the form of parameters with names
and values.
Attachment $data
Inputs that have the form of data.
Property @properties
Any additional properties as name-value pairs.
DateTime $timeStart
The date and time (timestamp) when the task started.
DateTime $timeEnd
The date and time (timestamp) when the task ended.
Workspace @worksSpaces
A set of named filesystem or data resource shareable
by workflow tasks.
bom-ref $bom-ref (required)
An optional identifier which can be used to
reference the workspace elsewhere in the BOM.
Str $uid (required)
The unique identifier for the resource instance
within its deployment context.
Str $name
The name of the resource instance.
Str @aliases
The names for the workspace as referenced by other
workflow tasks. Effectively, a name mapping so other
tasks can use their own local name in their steps.
Str $description
A description of the resource instance.
resourceRef @resourceReferences
References to component or service resources that
are used to realize the resource instance.
AccessMode $accessMode
Describes the read-write access Acontrol for the
workspace relative to the owning resource instance.
Str $mountPath
A path to a location on disk where the workspace
will be available to the associated task's steps.
Str $managedDataType
The name of a domain-specific data type the
workspace represents.
Str $volumeRequest
Identifies the reference to the request for a
specific volume type and parameters.
Volume $volume
Information about the actual volume instance
allocated to the workspace.
Property @properties
Any additional properties as name-value pairs.
RuntimeTopology @runtimeTopology
A graph of the component runtime topology for task's
instance.
Property @properties
Any additional properties as name-value pairs.
Property @properties
Any additional properties as name-value pairs.
- Declaration @declarations -----------------------------------
The list of declarations which describe the conformance
to standards. Each declaration may include attestations,
claims, and evidence.
Assessor @assessors
The list of assessors evaluating claims and determining
conformance to requirements and confidence in that
assessment.
bom-ref $bom-ref
An optional identifier which can be used to reference
the object elsewhere in the BOM.
Bool $thirdParty
The boolean indicating if the assessor is outside the
organization generating claims. A value of false
indicates a self assessor.
Organization $organization
The entity issuing the assessment.
bom-ref $bom-ref
An optional identifier which can be used to
reference the object elsewhere in the BOM.
Str $name
The name of the organization.
Address $address
The physical address (location) of the
organization.
URL @url
The URL of the organization. Multiple URLs are
allowed.
Contact @contact
A contact at the organization. Multiple contacts
are allowed.
Attestation @attestations
The list of attestations asserted by an assessor that
maps requirements to claims.
Str $summary
The short description explaining the main points of
the attestation.
bom-ref $assessor
The bom-ref to the assessor asserting the
attestation.
RequirementGrouping @map
The grouping of requirements to claims and the
attestors declared conformance and confidence thereof.
bom-ref $requirement
The bom-ref to the requirement being attested to.
bom-ref @claims
The list of bom-ref to the claims being attested
to.
bom-ref @counterClaims
The list of bom-ref to the counter claims being
attested to.
Conformance $conformance
The conformance of the claim meeting a requirement.
conformanceValue $score
The conformance of the claim between and
inclusive of 0 and 1, where 1 is 100% conformance.
Str $rationale
The rationale for the conformance score.
bom-ref @mitigationStrategies
The list of bom-ref to the evidence provided
describing the mitigation strategies.
Confidence $confidence
The confidence of the claim meeting a requirement.
confidenceValue $score
The confidence of the claim between and inclusive
of 0 and 1, where 1 is 100% confidence.
Str $rationale
The rationale for the confidence score.
ValidSignature $signature
Enveloped signature in JSON Signature Format (JSF).
Claim @claims
The list of claims.
bom-ref $bom-ref
An optional identifier which can be used to reference
the object elsewhere in the BOM.
bom-ref $target
The bom-ref to a target representing a specific
system, application, API, module, team, person,
process, business unit, company, etc... that this
claim is being applied to.
Str $predicate
The specific statement or assertion about the target.
bom-ref @mitigatinStrategies
The list of bom-ref to the evidence provided
describing the mitigation strategies. Each mitigation
strategy should include an explanation of how any
weaknesses in the evidence will be mitigated.
Str $reasoning
The written explanation of why the evidence provided
substantiates the claim.
bom-ref @evidence
The list of bom-ref to evidence that supports this
claim.
bom-ref @counterEvidence
The list of bom-ref to counter evidence that supports
this claim.
Reference @externalReferences
External references provide a way to document
systems, sites, and information that may be relevant
but are not included with the BOM. They may also
establish specific relationships within or external to
the BOM.
ValidSignature $signature
Enveloped signature in JSON Signature Format (JSF).
DeclarationEvidence $evidence
The list of evidence.
bom-ref $bom-ref
An optional identifier which can be used to reference
the object elsewhere in the BOM.
propertyName $propertyName
The reference to the property name as defined in the
CycloneDX Property Taxonomy.
Str $description
The written description of what this evidence is and
how it was created.
EvidenceDataset @data
The output or analysis that supports claims.
Str $name
The name of the data.
DataContents $contents
The contents or references to the contents of the
data being described.
Str $classification
Data classification tags data according to its
type, sensitivity, and value if altered, stolen, or
destroyed.
Str @sensitiveData
A description of any sensitive data included.
Governance $governance
Data governance captures information regarding data
ownership, stewardship, and custodianship, providing
insights into the individuals or entities
responsible for managing, overseeing, and
safeguarding the data throughout its lifecycle.
DateTime $created
The date and time (timestamp) when the evidence was
created.
DateTime $expires
The date and time (timestamp) when the evidence is no
longer valid.
Contact $author
The author of the evidence.
bom-ref $bom-ref
An optional identifier which can be used to
reference the person elsewhere in the BOM.
Str $name
The name of a contact.
email $email
The email address of the contact.
Str $phone
The phone number of the contact.
Contact $reviewer
The reviewer of the evidence.
bom-ref $bom-ref
An optional identifier which can be used to
reference the person elsewhere in the BOM.
Str $name
The name of a contact.
email $email
The email address of the contact.
Str $phone
The phone number of the contact.
ValidSignature $signature
Enveloped signature in JSON Signature Format (JSF).
Target @targets
The list of targets which claims are made against.
Organization @organizations
The list of organizations which claims are made
against.
Component @components
The list of components which claims are made against.
Service @services
The list of services which claims are made against.
Affirmation $affirmation
A concise statement affirmed by an individual regarding
all declarations, often used for third-party auditor
acceptance or recipient acknowledgment. It includes a
list of authorized signatories who assert the validity
of the document on behalf of the organization.
Str $statement
The brief statement affirmed by an individual
regarding all declarations. This could be an
affirmation of acceptance by a third-party auditor or
receiving individual of a file.
Signatory @signatories
The list of signatories authorized on behalf of an
organization to assert validity of this document.
Str $name
The signatory's name.
Str $role
The signatory's role within an organization.
ValidSignature $signature
Enveloped signature in JSON Signature Format (JSF).
Organization $organization
The signatory's organization.
Reference $externalReference
External references provide a way to document
systems, sites, and information that may be relevant
but are not included with the BOM. They may also
establish specific relationships within or external
to the BOM.
referenceURL $url (required)
The URI (URL or URN) to the external reference.
External references are URIs and therefore can
accept any URL scheme including https (RFC-7230),
mailto (RFC-2368), tel (RFC-3966), and dns
(RFC-4501). External references may also include
formally registered URNs such as CycloneDX
BOM-Link to reference CycloneDX BOMs or any object
within a BOM. BOM-Link transforms applicable
external references into relationships that can be
expressed in a BOM or across BOMs.
Str $comment
An optional comment describing the external
reference.
ReferenceSource $type (required)
Specifies the type of external reference.
HashedString @hashes
The hashes of the external reference (if
applicable).
ValidSignature $signature
Enveloped signature in JSON Signature Format (JSF).
ValidSignature $signature
Enveloped signature in JSON Signature Format (JSF).
- Definition @definitions -------------------------------------
A collection of reusable objects that are defined and may
be used elsewhere in the BOM.
Standard @standards
The list of standards which may consist of regulations,
industry or organizational-specific standards, maturity
models, best practices, or any other requirements which
can be evaluated against or attested to.
bom-ref $bom-ref
An optional identifier which can be used to reference
the object elsewhere in the BOM.
Str $name
The name of the standard. This will often be a
shortened, single name of the standard.
Str $version
The version of the standard.
Str $description
The description of the standard.
Str $owner
The owner of the standard, often the entity
responsible for its release.
Requirement @requirements
The list of requirements comprising the standard.
bom-ref $bom-ref
An optional identifier which can be used to
reference the object elsewhere in the BOM.
Str $identifier
The unique identifier used in the standard to
identify a specific requirement. This should match
what is in the standard and should not be the
requirements bom-ref.
Str $title
The title of the requirement.
Str $text
The textual content of the requirement.
Str @descriptions
The supplemental text that provides additional
guidance or context to the requirement, but is not
directly part of the requirement.
CRE @openCRE
The Common Requirements Enumeration (CRE)
identifier(s).
bom-ref $parent
The optional bom-ref to a parent requirement. This
establishes a hierarchy of requirements. Top-level
requirements must not define a parent. Only child
requirements should define parents.
Property @properties
Any additional properties as name-value pairs.
Reference @externalReferences
External references provide a way to document
systems, sites, and information that may be relevant
but are not included with the BOM. They may also
establish specific relationships within or external
to the BOM.
RequirementLevel @levels
The list of levels associated with the standard. Some
standards have different levels of compliance.
bom-ref $bom-ref
An optional identifier which can be used to
reference the object elsewhere in the BOM.
Str $identifier
The identifier used in the standard to identify a
specific level.
Str $title
The title of the requirement.
Str $description
The description of the requirement.
bom-ref @requirements
The list of requirement bom-refs that comprise the
level.
Reference @externalReferences
External references provide a way to document
systems, sites, and information that may be relevant
but are not included with the BOM. They may also
establish specific relationships within or external to
the BOM.
ValidSignature $signature
Enveloped signature in JSON Signature Format (JSF).
- Property @properties ----------------------------------------
Any additional properties as name-value pairs.
- ValidSignature $signature -----------------------------------
Enveloped signature in JSON Signature Format (JSF).
AUTHOR
Elizabeth Mattijsen liz@raku.rocks
COPYRIGHT AND LICENSE
Copyright 2025 Elizabeth Mattijsen
This library is free software; you can redistribute it and/or modify it under the Artistic License 2.0.