SaaSBOM
Inventory services, endpoints, and data flows and classifications that power cloud-native applications
Modern software often relies on external services, or is made up entirely of services. CycloneDX is capable of describing any type of service including:
SaaSBOMs complement Infrastructure-as-Code (IaC) by providing a logical representation of a complex system, complete with inventory of all services, their reliance on other services, endpoint URLs, data classifications, and the directional flow of data between services. Optionally, SaaSBOMs may also include the software components that make up each service.
CycloneDX is protocol agnostic and is capable of describing services over HTTP(S), REST, GraphQL, MQTT, and intra-process communication. The specification provides enough information about services to automatically generate dataflow diagrams useful in security and privacy threat modeling. Refer to Use Cases for details on services.
Use of CycloneDX SaaSBOMs is recommended by the Cloud Security Alliance.
The inventory of services and software components may be combined into a single BOM, or may be kept in independent BOMs. Inventory described in an SBOM will typically remain static until such time as the inventory changes. Deployment information, however, is far more dynamic and subject to change. Therefore, it is recommended to decouple the SaaSBOMs from the SBOMs for large systems. This allows service information to be updated without having to create and track additional SBOMs.
When SaaSBOMs are decoupled from SBOMs, every service defined in a SaaSBOM can reference its corresponding SBOM. In the case of large microservice architectures, this typically results in a one-to-many relationship: a single SaaSBOM and many SBOMs, with each service in the SaaSBOM referencing its own SBOM.
With CycloneDX, it is possible to reference a component, service, or vulnerability inside a BOM from other systems or other BOMs. This deep-linking capability is referred to as BOM-Link and is a formally registered URN.
Learn more about how CycloneDX makes use of BOM-Link.
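The following Python example is added here to illustrate two points from the text above: how a SaaSBOM inventories services with their endpoints, data classifications and data flows (from which a dataflow diagram for threat modeling can be derived), and how each service in a decoupled SaaSBOM references its SBOM through a BOM-Link URN. It is not code from the CycloneDX project. The embedded SaaSBOM is a constructed sample in the CycloneDX 1.4 JSON shape; the service names, URLs, UUIDs and classifications are placeholders, and the `review_findings` heuristic (flagging unauthenticated PII-handling services on a trust boundary) is an assumed policy, not something the specification prescribes.

```python
import json
import re
import uuid
from typing import Dict, List, Tuple

# Constructed sample SaaSBOM in CycloneDX 1.4 JSON form. All names, URLs,
# UUIDs and classifications are illustrative placeholders.
SAASBOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79",
    "version": 1,
    "services": [
        {
            "bom-ref": "api-gateway",
            "name": "API Gateway",
            "endpoints": ["https://api.example.com/v1/users"],
            "authenticated": False,
            "x-trust-boundary": True,
            "data": [
                {"flow": "inbound", "classification": "PII"},
                {"flow": "outbound", "classification": "public"},
            ],
            # Decoupled SaaSBOM -> SBOM reference via a BOM-Link URN
            "externalReferences": [
                {"type": "bom",
                 "url": "urn:cdx:f08a6ccd-4dce-4759-bd84-c626675d60a7/1#gateway-app"}
            ],
        },
        {
            "bom-ref": "user-service",
            "name": "User Service",
            "endpoints": ["https://users.internal/v1/profile"],
            "authenticated": True,
            "x-trust-boundary": False,
            "data": [{"flow": "bi-directional", "classification": "PII"}],
            "externalReferences": [
                {"type": "bom",
                 "url": "urn:cdx:f08a6ccd-4dce-4759-bd84-c626675d60a7/1#user-svc"}
            ],
        },
    ],
    # Service-to-service reliance, the source of dataflow edges
    "dependencies": [
        {"ref": "api-gateway", "dependsOn": ["user-service"]},
        {"ref": "user-service", "dependsOn": []},
    ],
}

# BOM-Link grammar: urn:cdx:<serialNumber UUID>/<version>#<bom-ref>
BOM_LINK_RE = re.compile(r"^urn:cdx:([0-9a-fA-F-]{36})/(\d+)(?:#(.+))?$")


def parse_bom_link(link: str) -> Tuple[str, int, str]:
    """Split a BOM-Link into (serial UUID, BOM version, bom-ref).
    Raises ValueError for anything that is not a well-formed BOM-Link."""
    m = BOM_LINK_RE.match(link)
    if not m:
        raise ValueError(f"not a BOM-Link: {link!r}")
    serial, version, ref = m.groups()
    uuid.UUID(serial)  # rejects a malformed UUID
    return serial, int(version), ref or ""


def sbom_links(bom: dict) -> Dict[str, List[str]]:
    """Map each service bom-ref to the well-formed SBOM BOM-Links it references."""
    out: Dict[str, List[str]] = {}
    for svc in bom.get("services", []):
        links = [r["url"] for r in svc.get("externalReferences", [])
                 if r.get("type") == "bom"]
        out[svc["bom-ref"]] = [u for u in links if BOM_LINK_RE.match(u)]
    return out


def dataflow_edges(bom: dict) -> List[Tuple[str, str]]:
    """Directed (caller, callee) edges from the dependency graph; this is the
    raw material for a dataflow diagram."""
    return sorted((d["ref"], dep) for d in bom.get("dependencies", [])
                  for dep in d.get("dependsOn", []))


def review_findings(bom: dict) -> List[str]:
    """Assumed review policy: flag services on a trust boundary that are
    unauthenticated and carry data classified as PII."""
    findings = []
    for svc in bom.get("services", []):
        classes = {d["classification"] for d in svc.get("data", [])}
        if (svc.get("x-trust-boundary") and not svc.get("authenticated")
                and "PII" in classes):
            findings.append(svc["bom-ref"])
    return findings


if __name__ == "__main__":
    print(json.dumps(sbom_links(SAASBOM), indent=2))
    print("dataflow edges:", dataflow_edges(SAASBOM))
    print("review findings:", review_findings(SAASBOM))
```

Running the script prints the SBOM links resolved per service, the single dataflow edge from the gateway to the user service, and the gateway as the one service worth a closer look under the assumed policy. In a real pipeline the `sbom_links` output would be used to fetch each referenced SBOM by its serial number and version rather than shipping component inventories inside the SaaSBOM.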
CycloneDX also supports embedding service information inside a BOM. There are several uses for embedding services, including:
BOMs demonstrating SaaSBOM capabilities can be found at https://github.com/CycloneDX/bom-examples