The person(s) or organization(s) that published the component.
Element group
The grouping name or identifier. This will often be a shortened, single name of the company or project that produced the component, or the source package or domain name. Whitespace and special characters should be avoided. Examples include: apache, org.apache.commons, and apache.org.
Element name
The name of the component. This will often be a shortened, single name of the component. Examples: commons-lang3 and jquery.
Element version
The component version. The version should ideally comply with semantic versioning, but this is not enforced.
Element description
Specifies a description for the component.
Element scope
Specifies the scope of the component. If scope is not specified, 'runtime' scope should be assumed by the consumer of the BOM.
Element expression
A valid SPDX license expression. Refer to https://spdx.org/specifications for syntax requirements.
Element copyright
An optional copyright notice informing users of the underlying claims to copyright ownership in a published work.
Element cpe
DEPRECATED - DO NOT USE. This will be removed in a future version. Specifies a well-formed CPE name. See https://nvd.nist.gov/products/cpe
Element purl
Specifies the package-url (PURL). The purl, if specified, must be valid and conform to the specification defined at: https://github.com/package-url/purl-spec. Because consumers commonly key vulnerability and license lookups on the purl, an inaccurate purl silently mis-identifies the component.
Element modified
DEPRECATED - DO NOT USE. This will be removed in a future version. Use the pedigree element instead to supply information on exactly how the component was modified. A boolean value indicating whether the component has been modified from the original. A value of true indicates the component is a derivative of the original. A value of false indicates the component has not been modified from the original.
Element pedigree
Component pedigree is a way to document complex supply chain scenarios where components are created, distributed, modified, redistributed, combined with other components, etc.
Element externalReferences
Provides the ability to document external references related to the component or to the project the component describes.
Element components
Specifies optional sub-components. This is not a dependency tree. It provides a way to specify a hierarchical representation of component assemblies, similar to system -> subsystem -> parts assembly in physical supply chains.
Attribute type
Specifies the type of component. For software components, classify as application if no more specific appropriate classification is available or cannot be determined for the component. Valid choices are: application, framework, library, operating-system, device, or file. Refer to the bom:classification documentation for information describing each one.
Attribute bom-ref
An optional identifier which can be used to reference the component elsewhere in the BOM. Uniqueness is enforced within all elements and children of the root-level bom element.
Element id
A valid SPDX license ID
Element name
If SPDX does not define the license used, this field may be used to provide the license name
Element text
Specifies the optional full text of the license
Element url
The URL to the license file. If specified, a 'license' externalReference should also be specified for completeness.
Attribute content-type
Specifies the content type of the license text. Defaults to text/plain if not specified.
Attribute encoding
Specifies the optional encoding the license text is represented in
Attribute alg
Specifies the algorithm used to create the hash
Simple Type cpe
Defines the format for acceptable CPE URIs. Supports the CPE 2.2 URI form (cpe:/...) and the CPE 2.3 formatted-string form (cpe:2.3:...). Refer to https://nvd.nist.gov/products/cpe for the official specification.
Simple Type urnUuid
Defines a string representation of a UUID conforming to RFC 4122, expressed as a URN (urn:uuid:...).
Element reference
Zero or more external references can be defined
Element url
The URL to the external reference
Element comment
An optional comment describing the external reference
Attribute type
Specifies the type of external reference. There are built-in types to describe common references. If a type does not exist for the reference being referred to, use the "other" type.
Element commit
Specifies an individual commit.
Element uid
A unique identifier of the commit. This may be version control specific. For example, Subversion uses revision numbers whereas git uses commit hashes.
Element url
The URL to the commit. This URL will typically point to a commit in a version control system.
Element author
The author who created the changes in the commit
Element committer
The person who committed or pushed the commit
Element message
The text description of the contents of the commit
Element timestamp
The timestamp at which the action occurred
Element name
The name of the individual who performed the action
Element email
The email address of the individual who performed the action
Element ancestors
Describes zero or more components from which a component is derived. This is commonly used to describe forks from existing projects, where the forked version contains an ancestor node holding the original component it was forked from. For example, Component A is the original component. Component B is the component being used and documented in the BOM. Component B contains a pedigree node with a single ancestor documenting Component A, the original component from which Component B is derived.
Element descendants
Descendants are the exact opposite of ancestors. This provides a way to document all forks (and their forks) of an original or root component.
Element variants
Variants describe relations where the relationship between the components is not known. For example, Component A contains nearly identical code to Component B: they are related, but it is unclear whether one is derived from the other or whether they share a common ancestor.
Element commits
A list of zero or more commits which provide a trail describing how the component deviates from an ancestor, descendant, or variant.
Element notes
Notes, observations, and other non-structured commentary describing the component's pedigree.
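To make the component and pedigree rules above concrete (name and version are required, scope defaults to runtime for the consumer, bom-ref must be unique across the whole document including nested sub-components and pedigree ancestors, hashes carry an alg, and commits form a trail from an ancestor), here is an added Python example that parses such a BOM into plain dicts and reports violations. It is not CycloneDX project code. The namespace URI (this page's elements match CycloneDX 1.1), the expected digest length per hash algorithm, the package-url shape and the embedded sample BOM are all assumptions of the example, not taken from this page.

```python
import re
import xml.etree.ElementTree as ET

# Assumed namespace: the elements documented here (deprecated cpe/modified,
# pedigree, serialNumber) match the CycloneDX 1.1 schema.
NS = {"bom": "http://cyclonedx.org/schema/bom/1.1"}
# Hex digest length per hash alg (assumption; the page only says alg names the algorithm).
DIGEST_HEX_LEN = {"MD5": 32, "SHA-1": 40, "SHA-256": 64, "SHA-384": 96, "SHA-512": 128}
# package-url shape: pkg:type/[namespace/]name[@version][?qualifiers][#subpath]
PURL_RE = re.compile(r"^pkg:[a-z0-9.+-]+/(?:[^@?#\s]+/)*[^@?#/\s]+(?:@[^?#\s]+)?(?:\?[^#\s]*)?(?:#\S*)?$")


def _text(el, tag):
    child = el.find(f"bom:{tag}", NS)
    return child.text.strip() if child is not None and child.text else None


def parse_component(el, findings, seen_refs):
    """Convert one <component> to a dict. Sub-components and pedigree ancestors are
    parsed recursively so bom-ref uniqueness is checked across the whole tree, which
    is what the root-level uniqueness constraint requires."""
    comp = {
        "type": el.get("type"), "bom-ref": el.get("bom-ref"),
        "group": _text(el, "group"), "name": _text(el, "name"),
        "version": _text(el, "version"), "purl": _text(el, "purl"),
        "scope": _text(el, "scope") or "runtime",  # consumer assumes runtime when absent
        "hashes": [], "components": [], "ancestors": [], "commits": [],
    }
    label = comp["purl"] or comp["name"] or "<unnamed>"
    for req in ("name", "version"):  # both are [1] in the schema
        if not comp[req]:
            findings.append(f"{label}: missing required <{req}>")
    ref = comp["bom-ref"]
    if ref is not None:
        if ref in seen_refs:
            findings.append(f"{label}: duplicate bom-ref {ref!r}")
        seen_refs.add(ref)
    if comp["purl"] and not PURL_RE.match(comp["purl"]):
        findings.append(f"{label}: malformed purl {comp['purl']!r}")
    for h in el.findall("bom:hashes/bom:hash", NS):
        alg, digest = h.get("alg"), (h.text or "").strip()
        comp["hashes"].append((alg, digest))
        want = DIGEST_HEX_LEN.get(alg)
        if want is None:
            findings.append(f"{label}: unknown hash alg {alg!r}")
        elif len(digest) != want or not re.fullmatch(r"[0-9a-fA-F]+", digest):
            findings.append(f"{label}: {alg} digest is not {want} hex chars")
    for dep in ("cpe", "modified"):  # deprecated in this schema version
        if el.find(f"bom:{dep}", NS) is not None:
            findings.append(f"{label}: uses deprecated <{dep}>")
    for sub in el.findall("bom:components/bom:component", NS):
        comp["components"].append(parse_component(sub, findings, seen_refs))
    for anc in el.findall("bom:pedigree/bom:ancestors/bom:component", NS):
        comp["ancestors"].append(parse_component(anc, findings, seen_refs))
    for c in el.findall("bom:pedigree/bom:commits/bom:commit", NS):
        comp["commits"].append((_text(c, "uid"), _text(c, "message")))
    return comp


def parse_bom(xml_text):
    """Return the BOM's root attributes, its component tree and the list of findings."""
    root = ET.fromstring(xml_text)
    findings, seen = [], set()
    comps = [parse_component(c, findings, seen)
             for c in root.findall("bom:components/bom:component", NS)]
    return {"serialNumber": root.get("serialNumber"), "version": root.get("version", "1"),
            "components": comps, "findings": findings}


# Constructed sample (hypothetical values, placeholder digest): a library and a locally
# modified fork that records its ancestor, with two deliberate defects for the checks to
# catch (a truncated digest and a bom-ref reused by the ancestor).
SAMPLE_BOM = """<bom xmlns="http://cyclonedx.org/schema/bom/1.1" version="1"
     serialNumber="urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79">
  <components>
    <component type="library" bom-ref="pkg:maven/org.apache.commons/commons-lang3@3.9">
      <group>org.apache.commons</group><name>commons-lang3</name><version>3.9</version>
      <hashes><hash alg="SHA-256">""" + "0123456789abcdef" * 4 + """</hash></hashes>
      <purl>pkg:maven/org.apache.commons/commons-lang3@3.9</purl>
    </component>
    <component type="library" bom-ref="jquery-fork">
      <name>jquery</name><version>3.4.1-acme</version>
      <hashes><hash alg="SHA-256">deadbeef</hash></hashes>
      <pedigree>
        <ancestors>
          <component type="library" bom-ref="jquery-fork">
            <name>jquery</name><version>3.4.1</version><purl>pkg:npm/jquery@3.4.1</purl>
          </component>
        </ancestors>
        <commits><commit><uid>7d3a5f1</uid><message>Apply local build changes</message></commit></commits>
      </pedigree>
    </component>
  </components>
</bom>"""

if __name__ == "__main__":
    for finding in parse_bom(SAMPLE_BOM)["findings"]:
        print(finding)
```

Running the sample reports the short digest on the fork and the reused bom-ref on its ancestor; the fork's own version, its ancestor's version and the commit trail are all available from the returned dicts, which is what a consumer needs to decide whether a patched fork still carries the ancestor's known issues.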
Element externalReferences
Provides the ability to document external references related to the BOM or to the project the BOM describes.
Attribute version
The version allows component publishers/authors to make changes to existing BOMs to update various aspects of the document such as description or licenses. When a system is presented with multiple BOMs for the same component, the system should use the most recent version of the BOM. The default version is '1' and should be incremented for each version of the BOM that is published. Each version of a component should have a unique BOM, and if no changes are made to the BOMs, then each BOM will have a version of '1'.
Attribute serialNumber
Every BOM generated should have a unique serial number, even if the contents of the BOM being generated have not changed over time. The process or tool responsible for creating the BOM should create random UUIDs (RFC 4122 version 4, expressed as urn:uuid:...) for every BOM generated.
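As an added example (not CycloneDX project code) of the serialNumber and version rules above, and of the hash alg attribute documented earlier: the following Python mints a random UUID serial for every BOM it generates, carries a publisher-chosen version, picks the newest of several BOMs for a component, and lets a consumer recompute each hash over the bytes it actually received. The namespace URI and the set of alg names mapped to hashlib are assumptions of the example; the artifact bytes and component values are constructed.

```python
import hashlib
import uuid
import xml.etree.ElementTree as ET

BOM_NS = "http://cyclonedx.org/schema/bom/1.1"  # assumed namespace (CycloneDX 1.1)
ET.register_namespace("", BOM_NS)  # serialize with a default namespace, like the spec examples
# Map from the schema's alg names to hashlib names (assumed set of algorithms).
HASHLIB_FOR_ALG = {"MD5": "md5", "SHA-1": "sha1", "SHA-256": "sha256",
                   "SHA-384": "sha384", "SHA-512": "sha512"}


def _q(tag):
    return f"{{{BOM_NS}}}{tag}"


def build_bom(components, bom_version=1):
    """components: dicts with name, version, data (the artifact bytes) and optional purl.
    Each call mints a fresh random UUID for serialNumber, as the schema text requires;
    bom_version is chosen by the publisher and incremented when a BOM is re-issued."""
    root = ET.Element(_q("bom"), {"version": str(bom_version),
                                  "serialNumber": f"urn:uuid:{uuid.uuid4()}"})
    comps = ET.SubElement(root, _q("components"))
    for c in components:
        comp = ET.SubElement(comps, _q("component"), {"type": c.get("type", "library")})
        ET.SubElement(comp, _q("name")).text = c["name"]
        ET.SubElement(comp, _q("version")).text = c["version"]
        # digest over the artifact bytes, so a consumer can check what it received
        hashes = ET.SubElement(comp, _q("hashes"))
        h = ET.SubElement(hashes, _q("hash"), {"alg": "SHA-256"})
        h.text = hashlib.sha256(c["data"]).hexdigest()
        if c.get("purl"):
            ET.SubElement(comp, _q("purl")).text = c["purl"]
    return ET.tostring(root, encoding="unicode")


def bom_identity(xml_text):
    """(serialNumber, version) of a BOM; version defaults to 1 when the attribute is absent."""
    root = ET.fromstring(xml_text)
    return root.get("serialNumber"), int(root.get("version", "1"))


def serial_is_random_uuid(xml_text):
    serial, _ = bom_identity(xml_text)
    return serial.startswith("urn:uuid:") and uuid.UUID(serial[len("urn:uuid:"):]).version == 4


def newest_bom(bom_xmls):
    """Schema rule: when several BOMs describe the same component, use the highest version."""
    return max(bom_xmls, key=lambda x: bom_identity(x)[1])


def verify_component_hashes(xml_text, artifact_bytes_by_name):
    """Recompute every <hash> over the bytes actually obtained for that component.
    A component with no hashes, unknown alg, or missing bytes is reported as failed."""
    ns = {"bom": BOM_NS}
    ok = {}
    for comp in ET.fromstring(xml_text).findall("bom:components/bom:component", ns):
        name = comp.findtext("bom:name", namespaces=ns)
        data = artifact_bytes_by_name.get(name)
        results = []
        for h in comp.findall("bom:hashes/bom:hash", ns):
            algo = HASHLIB_FOR_ALG.get(h.get("alg"))
            results.append(data is not None and algo is not None
                           and hashlib.new(algo, data).hexdigest() == h.text.strip().lower())
        ok[name] = bool(results) and all(results)
    return ok


if __name__ == "__main__":
    lib = {"name": "jquery", "version": "3.4.1", "data": b"constructed artifact bytes",
           "purl": "pkg:npm/jquery@3.4.1"}
    first, reissued = build_bom([lib], 1), build_bom([lib], 2)
    print(newest_bom([first, reissued]) is reissued, verify_component_hashes(first, {"jquery": lib["data"]}))
```

The two generated BOMs describe the same component bytes but carry different serial numbers, so a receiving system keys on version to pick the current one and on the hashes, not the serial, to decide whether the artifact it holds is the one described.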
Content model bom
Element order and cardinality as declared in the schema: [1] required, [0..1] optional, [0..*] zero or more. "Any element" and "any attribute" are extension points from a namespace other than this schema's, validated laxly.
Attributes: version, serialNumber, any attribute from any namespace
Uniqueness constraint bom-ref: selector .//*, field @bom-ref (every bom-ref anywhere in the document must be unique)
components : bom:componentsType [1]
externalReferences : bom:externalReferences [0..1]
any element [0..*]
Content model commitType
uid : xs:normalizedString [0..1]
url : xs:anyURI [0..1]
author : bom:identifiableActionType [0..1]
committer : bom:identifiableActionType [0..1]
message : xs:normalizedString [0..1]
any element [0..*]
Content model commits
sequence [0..*] of: commit : bom:commitType [1], any element [0..*]
Content model component
Attributes: type, bom-ref, any attribute from any namespace
publisher : xs:normalizedString [0..1]
group : xs:normalizedString [0..1]
name : xs:normalizedString [1]
version : xs:normalizedString [1]
description : xs:normalizedString [0..1]
scope : bom:scope [0..1]
hashes [0..1], containing a sequence [0..*] of: hash : bom:hashType [1]
licenses [0..1], containing a choice [1] of: license : bom:licenseType [0..*] or expression : xs:normalizedString [0..1]
copyright : xs:normalizedString [0..1]
cpe : bom:cpe [0..1]
purl : xs:anyURI [0..1]
modified : xs:boolean [0..1]
pedigree : bom:pedigreeType [0..1]
externalReferences : bom:externalReferences [0..1]
components [0..1], containing a sequence [0..*] of: component : bom:component [1], any element [0..*]
any element [0..*]
Content model componentsType
Attributes: any attribute from any namespace
sequence [0..*] of: component : bom:component [1], any element [0..*]
Content model reference
Attributes: type, any attribute from any namespace
url : xs:anyURI [1]
comment : xs:string [0..1]
Content model identifiableActionType
timestamp : xs:dateTime [0..1]
name : xs:normalizedString [0..1]
email : xs:normalizedString [0..1]
any element [0..*]
Content model licenseType
choice [1] of: id : spdx:licenseId [0..1] or name : xs:normalizedString [0..1]
text : bom:licenseTextType [0..1]
url : xs:anyURI [0..1]
any element [0..*]
Complex Type pedigreeType
Component pedigree is a way to document complex supply chain scenarios where components are created, distributed, modified, redistributed, combined with other components, etc. Pedigree supports viewing this complex chain from the beginning, the end, or anywhere in the middle. It also provides a way to document variants where the exact relation may not be known.