BOM-Link

Reference components, services, or vulnerabilities in BOMs from other systems or other BOMs.

Introduction to BOM-Link

BOM-Link is a powerful feature within CycloneDX that connects diverse Bill of Materials (BOM) documents, enabling seamless traceability and modularity across complex systems. By linking related BOMs—whether representing software, hardware, services, or cryptographic assets—BOM-Link fosters comprehensive insights into interdependencies while maintaining separation of concerns. This modular approach allows for targeted access to specific BOMs without exposing unrelated or sensitive data, ensuring both transparency and confidentiality.

BOM-Link supports granular relationships, making it possible to document how individual components, services, or systems interact with each other across different stages of their lifecycle. It simplifies managing large-scale projects by enabling collaboration between teams or organizations while preserving the integrity of each BOM. Whether linking cryptographic assets to software or integrating manufacturing details with runtime environments, BOM-Link creates a unified yet flexible view of the supply chain, enhancing risk management and compliance efforts.

BOM-Link is a formally registered URN, governed by IANA, and compliant with RFC-8141.

Syntax

urn:cdx:serialNumber/version#bom-ref

Examples

urn:cdx:f08a6ccd-4dce-4759-bd84-c626675d60a7/1
urn:cdx:f08a6ccd-4dce-4759-bd84-c626675d60a7/1#componentA
Field          Description
serialNumber   The unique serial number of the BOM. The serial number MUST conform to RFC-4122.
version        The version of the BOM. The default version is 1.
bom-ref        The optional unique identifier of the object within the BOM.
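The following is an added example, not code from the CycloneDX project or its libraries, showing how a consumer would parse a BOM-Link into its three fields and then confirm that a BOM it has loaded is actually the document the link names before trusting it as the link target. It assumes the serialNumber must be an RFC-4122 UUID (checked through the UUID variant bits), that the version in the URN is a positive integer, and that the "urn:cdx:" prefix is written in lowercase; the sample BOM document and the names parse_bom_link, link_resolves_in and is_valid_bom_link are constructed for this example.

```python
"""Parse, validate and resolve CycloneDX BOM-Link URNs (added example).

Not CycloneDX project code. Assumptions: serialNumber must be an RFC-4122
UUID (variant bits 10x), version is a positive integer as written in the URN,
and the 'urn:cdx:' prefix is matched in lowercase.
"""
import re
import uuid
from dataclasses import dataclass
from typing import Any, Dict, Optional

# urn:cdx:serialNumber/version#bom-ref  (bom-ref is optional)
_BOM_LINK_RE = re.compile(
    r"^urn:cdx:"
    r"(?P<serial>[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}"
    r"-[0-9a-fA-F]{4}-[0-9a-fA-F]{12})"
    r"/(?P<version>[1-9][0-9]*)"
    r"(?:#(?P<ref>.+))?$"
)


@dataclass(frozen=True)
class BomLink:
    serial_number: uuid.UUID   # the linked BOM's serialNumber
    version: int               # the linked BOM's version
    bom_ref: Optional[str]     # optional bom-ref of an object inside that BOM

    def is_document_link(self) -> bool:
        """True when the link names a whole BOM rather than an object in it."""
        return self.bom_ref is None

    def __str__(self) -> str:
        base = f"urn:cdx:{self.serial_number}/{self.version}"
        return base if self.bom_ref is None else f"{base}#{self.bom_ref}"


def parse_bom_link(text: str) -> BomLink:
    """Parse a BOM-Link string; raise ValueError on any syntax deviation."""
    m = _BOM_LINK_RE.match(text)
    if m is None:
        raise ValueError(f"not a BOM-Link: {text!r}")
    serial = uuid.UUID(m.group("serial"))
    # uuid.UUID accepts any 128-bit hex string; RFC-4122 conformance is
    # checked here through the variant field (hypothetical strictness choice).
    if serial.variant != uuid.RFC_4122:
        raise ValueError(f"serialNumber is not an RFC-4122 UUID: {serial}")
    return BomLink(serial, int(m.group("version")), m.group("ref"))


def is_valid_bom_link(text: str) -> bool:
    """Boolean convenience wrapper around parse_bom_link."""
    try:
        parse_bom_link(text)
        return True
    except ValueError:
        return False


def link_resolves_in(link: BomLink, bom: Dict[str, Any]) -> bool:
    """Check that a loaded BOM (parsed CycloneDX JSON) is the link's target.

    Both serialNumber and version must match before the document is accepted
    as the target; a BOM with the right serial but another version is not the
    document the link refers to. If the link carries a bom-ref, that ref must
    exist among the BOM's components, services or vulnerabilities.
    """
    if bom.get("serialNumber") != f"urn:uuid:{link.serial_number}":
        return False
    if bom.get("version", 1) != link.version:   # BOM version defaults to 1
        return False
    if link.bom_ref is None:
        return True
    refs = {
        obj.get("bom-ref")
        for key in ("components", "services", "vulnerabilities")
        for obj in bom.get(key, [])
    }
    return link.bom_ref in refs


# Constructed sample BOM (not a real document) matching the example links above.
SAMPLE_BOM = {
    "bomFormat": "CycloneDX",
    "serialNumber": "urn:uuid:f08a6ccd-4dce-4759-bd84-c626675d60a7",
    "version": 1,
    "components": [
        {"type": "library", "name": "component-a", "bom-ref": "componentA"}
    ],
}


if __name__ == "__main__":
    for text in (
        "urn:cdx:f08a6ccd-4dce-4759-bd84-c626675d60a7/1",
        "urn:cdx:f08a6ccd-4dce-4759-bd84-c626675d60a7/1#componentA",
        "urn:cdx:f08a6ccd-4dce-4759-bd84-c626675d60a7",        # version missing
        "urn:cdx:f08a6ccd-4dce-4759-0d84-c626675d60a7/1",      # wrong UUID variant
    ):
        try:
            link = parse_bom_link(text)
            print(f"{text} -> ok, resolves: {link_resolves_in(link, SAMPLE_BOM)}")
        except ValueError as exc:
            print(f"{text} -> rejected: {exc}")
```

The point of link_resolves_in is that a BOM-Link only identifies a document; it does not authenticate it. A consumer that fetches BOMs from another system should compare the fetched document's own serialNumber and version against the link (and verify whatever signature the publisher provides) rather than trusting the response because it arrived under the expected name.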

Highlights

  • Links related BOMs across domains, such as software, hardware, cryptographic assets, and operational data.
  • Provides modularity for managing sensitive data by enabling targeted access to specific BOMs.
  • Documents granular relationships between components and systems across lifecycle stages.
  • Facilitates integration and collaboration across teams, partners, and supply chain participants.
  • Simplifies the representation of dependencies and interactions between diverse BOMs.

Expected Outcomes

  • Improved traceability and understanding of complex system interdependencies.
  • Enhanced collaboration without exposing sensitive or unnecessary information.
  • More efficient risk management by isolating and analyzing specific BOM relationships.
  • Greater transparency and compliance through a unified view of modular supply chain data.
  • Streamlined integration of BOM data into automated workflows and reporting systems.