Optional author?: string
The person(s) who created the component. Authors are common in components created through manual processes. Components created through automated means may have .manufacturer instead.
Optional bomRef?: string
An identifier which can be used to reference the component elsewhere in the BOM. Uniqueness is enforced within all elements and children of the root-level bom element.
Specifies sub-components. This is not a dependency tree. It provides a way to specify a hierarchical representation of component assemblies, similar to system -> subsystem -> parts assembly in physical supply chains.
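Because bomRef uniqueness is enforced across the whole BOM and sub-components nest as assemblies, a consumer must walk every level of the hierarchy (including Bom.metadata.component) before trusting bomRef values as reference targets. The following is an added example written for this page, not code from the documented library; it assumes the sub-component array is named components (the property is unnamed above), that the identifier property is bomRef, and uses a constructed sample BOM:

```typescript
// Added example: find bom-ref values reused anywhere in a nested component tree.
// Assumptions: sub-components are in `components`, the identifier is `bomRef`.
interface ComponentNode {
  name: string;
  bomRef?: string;
  components?: ComponentNode[]; // sub-assemblies, not dependencies
}

interface BomLike {
  metadata?: { component?: ComponentNode };
  components?: ComponentNode[];
}

/** Flatten metadata.component and every nested assembly into one list (depth first). */
function allComponents(bom: BomLike): ComponentNode[] {
  const out: ComponentNode[] = [];
  const visit = (c: ComponentNode): void => {
    out.push(c);
    for (const child of c.components ?? []) visit(child);
  };
  if (bom.metadata?.component) visit(bom.metadata.component);
  for (const c of bom.components ?? []) visit(c);
  return out;
}

/** bomRef -> names of every component claiming it, kept only where a ref is reused. */
function findDuplicateBomRefs(bom: BomLike): Record<string, string[]> {
  const claims: Record<string, string[]> = {};
  for (const c of allComponents(bom)) {
    if (c.bomRef === undefined) continue;
    (claims[c.bomRef] = claims[c.bomRef] ?? []).push(c.name);
  }
  const dupes: Record<string, string[]> = {};
  for (const ref of Object.keys(claims)) {
    if (claims[ref].length > 1) dupes[ref] = claims[ref];
  }
  return dupes;
}

// Constructed sample: zlib appears both inside the vendor SDK assembly and at the
// top level, and both entries reuse the same bom-ref, which the spec forbids.
const sampleBom: BomLike = {
  metadata: { component: { name: "acme-app", bomRef: "pkg:generic/acme-app@1.0.0" } },
  components: [
    {
      name: "vendor-sdk",
      bomRef: "pkg:generic/vendor-sdk@2.1.0",
      components: [
        { name: "libcurl", bomRef: "pkg:generic/libcurl@8.5.0" },
        { name: "zlib", bomRef: "pkg:generic/zlib@1.3" },
      ],
    },
    { name: "zlib", bomRef: "pkg:generic/zlib@1.3" },
  ],
};

console.log(findDuplicateBomRefs(sampleBom)); // { "pkg:generic/zlib@1.3": ["zlib", "zlib"] }
```

The same package legitimately appearing in two assemblies still needs two distinct bomRef values; a producer that derives bom-refs from the purl alone will trip this check as soon as a component is bundled twice.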
Optional copyright?: string
A copyright notice informing users of the underlying claims to copyright ownership in a published work.
Optional cpe?: string
DEPRECATED - DO NOT USE. This will be removed in a future version. Specifies a well-formed CPE name. See https://nvd.nist.gov/products/cpe
Optional cryptoProperties?: CryptoProperties
Cryptographic assets have properties that uniquely define them and that make them actionable for further reasoning. As an example, it makes a difference whether one knows only the algorithm family (e.g. AES) or the specific variant or instantiation (e.g. AES-128-GCM), because the security level and the algorithm primitive (here, authenticated encryption) are only defined by the algorithm variant. Likewise, the presence of a weak cryptographic algorithm such as SHA1 on its own is a different matter from its use inside HMAC-SHA1.
This object SHOULD be specified for any component of type data and must not be specified for other component types.
Optional description?: string
Specifies a description for the component.
Optional evidence?: Evidence
Specifies license and copyright evidence.
Provides the ability to document external references related to the component or to the project the component describes.
Optional group?: string
The grouping name or identifier. This will often be a shortened, single name of the company or project that produced the component or the source package or domain name. Whitespace and special characters should be avoided. Examples include: apache, org.apache.commons, and apache.org.
The hashes of the component.
Optional isExternal?: boolean
Determines whether this component is external.
An external component is one that is not part of an assembly, but is expected to be provided by the environment, regardless of the component's scope. This setting can be useful for distinguishing which components are bundled with the product and which can be relied upon to be present in the deployment environment.
This may be set to true for runtime components only. For Bom.metadata.component, it must be set to false.
Implicitly defaults to false.
A list of SPDX licenses and/or named licenses and/or SPDX License Expression.
Optional manufacturer?: OrganizationalEntity
The organization that created the component. Manufacturer is common in components created through automated processes. Components created through manual means may have .authors instead.
Optional mimeType?: string
The mime-type of the component. When used on file components, the mime-type can provide additional context about the kind of file being represented, such as an image, font, or executable. Some library or framework components may also have an associated mime-type.
Optional modelCard?: ModelCard
A model card describes the intended uses of a machine learning model, potential limitations, biases, ethical considerations, training parameters, datasets used to train the model, performance metrics, and other relevant data useful for ML transparency.
Optional modified?: boolean
DEPRECATED - DO NOT USE. This will be removed in a future version. Use the pedigree element instead to supply information on exactly how the component was modified. A boolean value indicating whether the component has been modified from the original. A value of true indicates the component is a derivative of the original. A value of false indicates the component has not been modified from the original.
The name of the component. This will often be a shortened, single name of the component. Examples: commons-lang3 and jquery
Specifies the OmniBOR Artifact ID. The OmniBOR, if specified, must be valid and conform to the specification defined at: https://www.iana.org/assignments/uri-schemes/prov/gitoid
A list of assertions made regarding patents associated with this component or service. Assertions distinguish between ownership, licensing, and other relevant interactions with patents.
Optional pedigree?: Pedigree
Component pedigree is a way to document complex supply chain scenarios where components are created, distributed, modified, redistributed, combined with other components, etc.
Specifies custom properties.
Optional publisher?: string
The person(s) or organization(s) that published the component.
Optional purl?: string
Specifies the package-url (PURL). The purl, if specified, must be valid and conform to the specification defined at: https://github.com/package-url/purl-spec
Optional releaseNotes?: ReleaseNotes
Specifies release notes.
Optional scope?: Scope
Specifies the scope of the component. If a scope is not specified, the SCOPE_REQUIRED scope should be assumed by the consumer of the BOM.
Optional supplier?: OrganizationalEntity
The organization that supplied the component. The supplier may often be the manufacturer but may also be a distributor or repackager.
Specifies the Software Heritage persistent identifier (SWHID). The SWHID, if specified, must be valid and conform to the specification defined at: https://docs.softwareheritage.org/devel/swh-model/persistent-identifiers.html
Optional swid?: Swid
Specifies metadata and content for ISO-IEC 19770-2 Software Identification (SWID) Tags.
Textual strings that aid in discovery, search, and retrieval of the associated object. Tags often serve as a way to group or categorize similar or related objects by various attributes. Examples include "json-parser", "object-persistence", "text-to-image", "translation", and "object-detection".
Specifies the type of component. For software components, classify as an application if no more specific appropriate classification is available or cannot be determined for the component.
The component version. The version should ideally comply with semantic versioning but is not enforced. Version was made optional in v1.4 of the spec. For backward compatibility, it is recommended to use an empty string to represent components without version information. Must be used exclusively, either 'version' or 'versionRange', but not both.
Optional versionRange?: string
For an external component, this specifies the accepted version range.
The value must adhere to the Package URL Version Range syntax (vers), as defined at https://github.com/package-url/vers-spec.
May only be used if isExternal is set to true.
Must be used exclusively, either 'version' or 'versionRange', but not both.
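The rules around scope, isExternal, version and versionRange are easy to get wrong on the consuming side, and a versionRange is only useful if the consumer can actually evaluate the vers expression against the version found in the deployment environment. The following is an added example written for this page, not code from the documented library or from the vers specification's own implementations. It assumes a minimal subset of the component shape, plain dotted-numeric versions (no pre-release or build tags), and only the basic vers comparators; the sample component at the end is constructed:

```typescript
// Added example: check the documented version/versionRange/isExternal/scope rules
// and evaluate a 'vers' range. Assumptions: the subset below, numeric dotted
// versions, basic comparators only (=, !=, <, <=, >, >=, *).
type Scope = "required" | "optional" | "excluded";

interface VersionedComponent {
  name: string;
  version?: string;
  versionRange?: string; // vers syntax; external components only
  isExternal?: boolean;
  scope?: Scope;
}

type Comparator = "=" | "!=" | "<" | "<=" | ">" | ">=" | "*";
interface Constraint { op: Comparator; version: string }
interface VersRange { scheme: string; constraints: Constraint[] }

/** Scope is "required" when not specified. */
function effectiveScope(c: VersionedComponent): Scope {
  return c.scope ?? "required";
}

/** isExternal implicitly defaults to false. */
function isExternalComponent(c: VersionedComponent): boolean {
  return c.isExternal ?? false;
}

/** Violations of the documented rules; an empty array means the component is clean. */
function checkVersioning(c: VersionedComponent, isMetadataComponent = false): string[] {
  const problems: string[] = [];
  if (c.version !== undefined && c.versionRange !== undefined) {
    problems.push("version and versionRange are mutually exclusive");
  }
  if (c.versionRange !== undefined) {
    if (!isExternalComponent(c)) problems.push("versionRange requires isExternal=true");
    try {
      parseVers(c.versionRange);
    } catch (e) {
      problems.push("versionRange is not valid vers syntax: " + (e as Error).message);
    }
  }
  if (isMetadataComponent && isExternalComponent(c)) {
    problems.push("metadata.component must have isExternal=false");
  }
  return problems;
}

/** Parse "vers:<scheme>/<constraint>|<constraint>..."; a bare version means "=". */
function parseVers(text: string): VersRange {
  const m = /^vers:([a-z0-9._-]+)\/(.+)$/i.exec(text.trim());
  if (!m) throw new Error("expected vers:<scheme>/<constraints>");
  const constraints = m[2].split("|").map(function (raw): Constraint {
    const s = raw.trim();
    if (s === "*") return { op: "*", version: "" };
    const cm = /^(>=|<=|!=|>|<|=)?(.+)$/.exec(s);
    if (!cm) throw new Error("empty constraint");
    return { op: (cm[1] ?? "=") as Comparator, version: cm[2].trim() };
  });
  return { scheme: m[1].toLowerCase(), constraints };
}

/** Numeric dotted-version comparison (assumption: no pre-release or build tags). */
function compareVersions(a: string, b: string): number {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  const n = Math.max(pa.length, pb.length);
  for (let i = 0; i < n; i++) {
    const x = i < pa.length ? pa[i] : 0;
    const y = i < pb.length ? pb[i] : 0;
    if (isNaN(x) || isNaN(y)) throw new Error("non-numeric version segment in " + a + " or " + b);
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

function holds(op: Comparator, cmp: number): boolean {
  switch (op) {
    case "<": return cmp < 0;
    case "<=": return cmp <= 0;
    case ">": return cmp > 0;
    case ">=": return cmp >= 0;
    case "=": return cmp === 0;
    case "!=": return cmp !== 0;
    default: return true;
  }
}

/** vers containment: sorted bounds are walked as alternating (lower, upper) pairs. */
function versionInRange(version: string, range: string | VersRange): boolean {
  const cs = (typeof range === "string" ? parseVers(range) : range).constraints;
  const eq = (c: Constraint) => compareVersions(version, c.version) === 0;
  if (cs.some((c) => c.op === "*")) return true;
  if (cs.some((c) => c.op === "=" && eq(c))) return true;
  if (cs.some((c) => c.op === "!=" && eq(c))) return false;
  const bounds = cs
    .filter((c) => c.op !== "=" && c.op !== "!=")
    .sort((x, y) => compareVersions(x.version, y.version));
  if (bounds.length === 0) return cs.every((c) => c.op === "!="); // pure exclusion list
  const isLower = (c: Constraint) => c.op === ">" || c.op === ">=";
  const sat = (c: Constraint) => holds(c.op, compareVersions(version, c.version));
  if (!isLower(bounds[0]) && sat(bounds[0])) return true; // below the first upper bound
  for (let i = 0; i + 1 < bounds.length; i++) {          // inside a (lower, upper) pair
    if (isLower(bounds[i]) && !isLower(bounds[i + 1]) && sat(bounds[i]) && sat(bounds[i + 1])) return true;
  }
  const last = bounds[bounds.length - 1];
  return isLower(last) && sat(last);                       // above the last lower bound
}

// Constructed sample: an external runtime dependency declared by range, not version.
const external: VersionedComponent = { name: "openssl", versionRange: "vers:generic/>=3.0.0|<3.1.0", isExternal: true };
console.log(effectiveScope(external), checkVersioning(external));      // required []
console.log(versionInRange("3.0.13", external.versionRange!));          // true
console.log(versionInRange("3.1.0", external.versionRange!));           // false
```

A gap-shaped range such as vers:generic/<1.0|>=2.0 is handled by the same pair walk: the leading upper bound and the trailing lower bound each match on their own, and the interval between them is excluded. Real deployments will need a scheme-aware comparator (semver pre-release ordering, distro epochs) in place of compareVersions.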
DEPRECATED - DO NOT USE - This will be removed in a future version - Use .authors or .manufacturer instead. The person(s) or organization(s) that authored the component.