Operations Bill of Materials (OBOM)
Software Bill of Materials
Vulnerability Exploitability Exchange
Manufacturing Bill of Materials
Operations Bill of Materials
Bill of Vulnerabilities
Extensible Markup Language
CycloneDX is a full-stack bill of materials standard supporting entire runtime environments consisting of hardware, firmware, containers, operating systems, applications and their libraries. Coupled with the ability to specify configuration makes CycloneDX ideal for Operational Bill of Materials. OBOM is a security behavior defined in BSIMM and similar maturity models.
CycloneDX properties provide a mechanism to store configuration on a per-component and per-service basis inside a BOM. The specification also provides a mechanism to store URLs to documentation, including configuration management systems.
Independent OBOM and SBOM
Inventory described in a SBOM will typically remain static until such time the inventory changes. However, operational information may be dynamic and subject to change. Therefore, it is recommended to decouple the OBOM from the SBOM. This allows OBOM information to be updated without having to create and track additional SBOMs.
High-Level Object Model
BOMs demonstrating OBOM capabilities can be found at https://github.com/CycloneDX/sbom-examples