Software-as-a-Service BOM (SaaSBOM)

 

Inventory services, endpoints, and data flows and classifications that power cloud-native applications

Modern software often relies on external services, or is made up entirely of services. CycloneDX is capable of describing any type of service including:

  • Microservice Architecture
  • Service Orientated Architecture (SOA)
  • Function as a Service (FaaS)
  • n-Tier Architecture
  • Actor model
  • System of Systems

SaaSBOMs complement Infrastructure-as-Code (IaC) by providing a logical representation of a complex system, complete with inventory of all services, their reliance on other services, endpoint URLs, data classifications, and the directional flow of data between services. Optionally, SaaSBOMs may also include the software components that make up each service.

CycloneDX is protocol agnostic and is capable of describing services over HTTP(S), REST, GraphQL, MQTT, and intra-process communication. The specification provides enough information about services to automatically generate dataflow diagrams useful in security and privacy threat modeling. Refer to Use Cases for details on services.

Use of CycloneDX SaaSBOMs is recommended by the Cloud Security Alliance.

Independent SBOM and SaaSBOM

The inventory of services and software components may be combined into a single BOM, or may have independent BOMs. Inventory described in an SBOM will typically remain static until such time the inventory changes. However, deployment information is much more dynamic and subject to change. Therefore, it is recommended to decouple the SaaSBOMs from the SBOMs for large systems. This allows service information to be updated without having to create and track additional SBOMs.

Independent BOM and VEX Document

When SaaSBOMs are decoupled from SBOMs, it is possible for every service defined in an SaaSBOM to reference its corresponding SBOM. In the case of large microservice architectures, this would typically result in a one to many relationship with a single SaaSBOM and many SBOMs. Each service in the SaaSBOM would reference its corresponding SBOM.

With CycloneDX, it is possible to reference a component, service, or vulnerability inside a BOM from other systems or other BOMs. This deep-linking capability is referred to as BOM-Link and is a formally registered URN.

Learn more about how CycloneDX makes use of BOM-Link.

SBOM With Embedded Services

BOM With Embedded VEX

CycloneDX also supports embedding services information inside a BOM. There are several uses for embedding services including:

  • Organizations with a shared responsibility model for software development and deployment
  • SBOMs containing components that may rely on external services with the goal of augmenting the SBOM with these services

High-Level Object Model

CycloneDX Object Model Swimlane

Examples

BOMs demonstrating SaaSBOM capabilities can be found at https://github.com/CycloneDX/bom-examples

See also

Additional Capabilities

SBOM

Software Bill of Materials

Inventory software components and services and the dependency relationships between them

 

SaaSBOM

Software as a Service Bill of Materials

Inventory services, endpoints, and data flows and classifications that power cloud-native applications

 

CBOM

Cryptography Bill of Materials

Discover, manage and report on cryptography in preparation for quantum-safe systems and applications

 

VEX

Vulnerability Exploitability eXchange

Convey the exploitability of vulnerable components in the context of the product in which they're used

 

HBOM

Hardware Bill of Materials

Inventory hardware components for IoT, ICS, and other types of embedded and connected devices

 

ML-BOM

Machine-Learning Bill of Materials

Model and dataset transparency for security, privacy, safety and ethical considerations

 

Attestations

Attestations (CDXA)

Machine-readable statements of claims, evidence, and testimony in compliance with standards

 

MBOM

Manufacturing Bill of Materials

Declared and observed formulation for reproducibility throughout product lifecycle

 

OBOM

Operations Bill of Materials

Full-stack inventory of runtime environments, configurations, and additional dependencies

 

VDR

Vulnerability Disclosure Report

Communicate known and unknown vulnerabilities affecting components and services

 

BOM-Link

Bill of Materials Linkage Syntax

Reference components, services, or vulnerabilities in BOMs from other systems or other BOMs

 

BOV

Bill of Vulnerabilities

Share vulnerability data between systems and sources of vulnerability intelligence

 

Release Notes

Common Release Notes Format

Standardizes release notes unlocking new workflows for software publishers and consumers

 

CycloneDX Supporters

Apiiro
Bloomberg
Contrast Security
Ecma International
Fortress Information Security
IBM
IonChannel
Kondukto
Lockheed Martin
NowSecure
OWASP
Rezilion
ServiceNow
Sonatype