BOM-Link is a powerful feature within CycloneDX that connects diverse Bill of Materials (BOM) documents, enabling seamless traceability and modularity across complex systems. By linking related BOMs—whether representing software, hardware, services, or cryptographic assets—BOM-Link fosters comprehensive insights into interdependencies while maintaining separation of concerns. This modular approach allows for targeted access to specific BOMs without exposing unrelated or sensitive data, ensuring both transparency and confidentiality.
BOM-Link supports granular relationships, making it possible to document how individual components, services, or systems interact with each other across different stages of their lifecycle. It simplifies managing large-scale projects by enabling collaboration between teams or organizations while preserving the integrity of each BOM. Whether linking cryptographic assets to software or integrating manufacturing details with runtime environments, BOM-Link creates a unified yet flexible view of the supply chain, enhancing risk management and compliance efforts.
BOM-Link is a formally registered URN, governed by IANA, and compliant with RFC-8141.
urn:cdx:serialNumber/version#bom-ref
urn:cdx:f08a6ccd-4dce-4759-bd84-c626675d60a7/1
urn:cdx:f08a6ccd-4dce-4759-bd84-c626675d60a7/1#componentA
| Field | Description |
|---|---|
| serialNumber | The unique serial number of the BOM. The serial number MUST conform to RFC-4122. |
| version | The version of the BOM. The default version is 1. |
| bom-ref | The optional unique identifier of the object within the BOM. |
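A parser and resolver for the BOM-Link format above, written as an added example rather than CycloneDX project code. The in-memory registry, its single component and the `BomLink`/`parse_bom_link`/`resolve_bom_link` names are assumptions; the checks it applies (canonical RFC-4122 form for `serialNumber`, an integer `version` of at least 1, and detection of a dangling `bom-ref`) are the ones a consumer wants before trusting a link.

```python
import re
import uuid
from dataclasses import dataclass
from typing import Optional

# urn:cdx:serialNumber/version#bom-ref, with the #bom-ref fragment optional.
_BOM_LINK_RE = re.compile(r"^urn:cdx:(?P<serial>[^/#]+)/(?P<version>[^/#]+)(?:#(?P<ref>.+))?$")

@dataclass(frozen=True)
class BomLink:
    serial_number: uuid.UUID
    version: int
    bom_ref: Optional[str] = None

    def __str__(self) -> str:
        base = f"urn:cdx:{self.serial_number}/{self.version}"
        return f"{base}#{self.bom_ref}" if self.bom_ref else base

def parse_bom_link(text: str) -> BomLink:
    """Parse a BOM-Link, rejecting anything that is not the documented shape."""
    m = _BOM_LINK_RE.match(text)
    if not m:
        raise ValueError(f"not a BOM-Link: {text!r}")
    serial_text, version_text = m.group("serial"), m.group("version")
    try:
        serial = uuid.UUID(serial_text)  # RFC-4122 syntax check
    except ValueError:
        raise ValueError(f"serialNumber is not an RFC-4122 UUID: {serial_text!r}") from None
    # uuid.UUID() also accepts braces, 'urn:uuid:' and bare hex; insist on the canonical form.
    if str(serial) != serial_text.lower():
        raise ValueError(f"serialNumber must be a canonical hyphenated UUID: {serial_text!r}")
    if not re.fullmatch(r"[1-9][0-9]*", version_text):  # BOM versions are integers starting at 1
        raise ValueError(f"version must be a positive integer: {version_text!r}")
    return BomLink(serial, int(version_text), m.group("ref"))

def resolve_bom_link(link: BomLink, registry: dict) -> dict:
    """Whole BOM when there is no bom-ref, the matching component otherwise; a dangling ref is an error."""
    bom = registry.get((str(link.serial_number), link.version))
    if bom is None:
        raise LookupError(f"no BOM for {link.serial_number} version {link.version}")
    if link.bom_ref is None:
        return bom
    for component in bom.get("components", []):
        if component.get("bom-ref") == link.bom_ref:
            return component
    raise LookupError(f"dangling bom-ref {link.bom_ref!r} in {link}")

# Constructed sample registry (assumption), keyed by (serialNumber, version); uses the page's serial number.
SAMPLE_REGISTRY = {("f08a6ccd-4dce-4759-bd84-c626675d60a7", 1): {
    "version": 1, "components": [{"type": "library", "name": "example-lib", "bom-ref": "componentA"}]}}
```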