A collection of attributions indicating which entity supplied information for specific fields within the BOM.
Provides the ability to document a list of components.
Compositions describe constituent parts (including components, services, and dependency relationships) and their completeness. The completeness of vulnerabilities expressed in a BOM may also be described.
The list of declarations which describe the conformance to standards. Each declaration may include attestations, claims, and evidence.
A collection of reusable objects that are defined and may be used elsewhere in the BOM.
Provides the ability to document dependency relationships.
Provides the ability to document external references related to the BOM or to the project the BOM describes.
Describes the formulation of any referenceable object within the BOM, including components, services, metadata, declarations, or the BOM itself. This may encompass how the object was created, assembled, deployed, tested, certified, or otherwise brought into its present form. Common examples include software build pipelines, deployment processes, AI/ML model training, cryptographic key generation or certification, and third-party audits. Processes are modeled using declared and observed formulas, composed of workflows, tasks, and individual steps.
metadata?: Metadata (optional). Provides additional information about a BOM.
Specifies custom properties.
serialNumber?: string (optional). Every BOM generated should have a unique serial number, even if the contents of the BOM being generated have not changed over time. The process or tool responsible for creating the BOM should create a random UUID for every BOM generated.
Provides the ability to document a list of external services.
The version of the CycloneDX specification the BOM is written to (starting at version 1.3).
version?: number (optional). The version allows component publishers/authors to make changes to existing BOMs to update various aspects of the document such as description or licenses. When a system is presented with multiple BOMs for the same component, the system should use the most recent version of the BOM. The default version is '1' and should be incremented for each version of the BOM that is published. Each version of a component should have a unique BOM and if no changes are made to the BOMs, then each BOM will have a version of '1'.
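Added example (TypeScript, not code from the CycloneDX project) showing the serialNumber and version rules above: a fresh random UUID per generated BOM, a version that starts at 1 and is incremented for each published revision, and a consumer that keeps the most recent version among BOMs for the same component. The urn:uuid form of serialNumber and the reduced BomHeader shape are assumptions, not stated on this page.

```typescript
// Added example, not CycloneDX project code. Only the header fields this
// example needs are modelled; the real Bom interface has many more.
import { randomUUID } from "node:crypto";

interface BomHeader {
  bomFormat: "CycloneDX";
  specVersion: string;
  serialNumber?: string;
  version?: number;
}

// urn:uuid form for serialNumber (assumption taken from the CycloneDX JSON
// schema pattern; the page itself only says "random UUID").
const SERIAL_RE =
  /^urn:uuid:[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/;

// Every generated BOM gets its own random UUID; version defaults to 1.
function newBomHeader(specVersion = "1.6"): BomHeader {
  return {
    bomFormat: "CycloneDX",
    specVersion,
    serialNumber: `urn:uuid:${randomUUID()}`,
    version: 1,
  };
}

// Re-publishing a BOM for the same component: new serial number, version + 1.
function nextRevision(prev: BomHeader): BomHeader {
  return { ...newBomHeader(prev.specVersion), version: (prev.version ?? 1) + 1 };
}

// Checks a consumer can run before trusting a BOM's identity fields.
function headerProblems(bom: BomHeader): string[] {
  const problems: string[] = [];
  if (bom.serialNumber !== undefined && !SERIAL_RE.test(bom.serialNumber)) {
    problems.push("serialNumber is not a urn:uuid");
  }
  if (bom.version !== undefined && (!Number.isInteger(bom.version) || bom.version < 1)) {
    problems.push("version must be a positive integer (default 1)");
  }
  return problems;
}

// Given several BOMs for one component, keep the most recent version
// (a missing version means the default, 1).
function mostRecent(boms: BomHeader[]): BomHeader | undefined {
  return boms.reduce<BomHeader | undefined>(
    (best, b) => (best === undefined || (b.version ?? 1) > (best.version ?? 1) ? b : best),
    undefined,
  );
}
```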
Vulnerabilities identified in components or services.
Comments made by people, organizations, or tools about any object with a bom_ref, such as components, services, vulnerabilities, or the BOM itself. Unlike inventory information, annotations may contain opinion or commentary from various stakeholders.