The date and time (timestamp) when the document was created.
Element tools
The tool(s) used in the creation of the BOM.
Element authors
The person(s) who created the BOM. Authors are common in BOMs created through manual processes. BOMs created through automated means may not have authors.
Element component
The component that the BOM describes.
Element manufacture
The organization that manufactured the component that the BOM describes.
Element supplier
The organization that supplied the component that the BOM describes. The supplier may often be the manufacturer, but may also be a distributor or repackager.
Element name
The name of the organization
Element url
The URL of the organization. Multiple URLs are allowed.
Element contact
A contact person at the organization. Multiple contacts are allowed.
Element vendor
The vendor of the tool used to create the BOM.
Element name
The name of the tool used to create the BOM.
Element version
The version of the tool used to create the BOM.
Element name
The name of the contact
Element email
The email address of the contact. Multiple email addresses are allowed.
Element phone
The phone number of the contact. Multiple phone numbers are allowed.
Element supplier
The organization that supplied the component. The supplier may often be the manufacturer, but may also be a distributor or repackager.
Element author
The person(s) or organization(s) that authored the component
Element publisher
The person(s) or organization(s) that published the component
Element group
The grouping name or identifier. This will often be a shortened, single name of the company or project that produced the component, or the source package or domain name. Whitespace and special characters should be avoided. Examples include: apache, org.apache.commons, and apache.org.
Element name
The name of the component. This will often be a shortened, single name of the component. Examples: commons-lang3 and jquery
Element version
The component version. The version should ideally comply with semantic versioning, but this is not enforced.
Element description
Specifies a description for the component
Element scope
Specifies the scope of the component. If scope is not specified, 'runtime' scope should be assumed by the consumer of the BOM
Element expression
A valid SPDX license expression. Refer to https://spdx.org/specifications for syntax requirements
Element copyright
An optional copyright notice informing users of the underlying claims to copyright ownership in a published work.
Element cpe
DEPRECATED - DO NOT USE. This will be removed in a future version. Specifies a well-formed CPE name. See https://nvd.nist.gov/products/cpe
Element purl
Specifies the package-url (PURL). The purl, if specified, must be valid and conform to the specification defined at: https://github.com/package-url/purl-spec
Element swid
Specifies metadata and content for ISO-IEC 19770-2 Software Identification (SWID) Tags.
Element modified
DEPRECATED - DO NOT USE. This will be removed in a future version. Use the pedigree element instead to supply information on exactly how the component was modified. A boolean value indicating if the component has been modified from the original. A value of true indicates the component is a derivative of the original. A value of false indicates the component has not been modified from the original.
Element pedigree
Component pedigree is a way to document complex supply chain scenarios where components are created, distributed, modified, redistributed, combined with other components, etc.
Element externalReferences
Provides the ability to document external references related to the component or to the project the component describes.
Element components
Specifies optional sub-components. This is not a dependency tree. It provides a way to specify a hierarchical representation of component assemblies, similar to system -> subsystem -> parts assembly in physical supply chains.
Attribute type
Specifies the type of component. For software components, classify as application if no more specific appropriate classification is available or cannot be determined for the component.
Attribute mime-type
The optional mime-type of the component. When used on file components, the mime-type can provide additional context about the kind of file being represented such as an image, font, or executable. Some library or framework components may also have an associated mime-type.
Attribute bom-ref
An optional identifier which can be used to reference the component elsewhere in the BOM. Uniqueness is enforced within all elements and children of the root-level bom element.
Element id
A valid SPDX license ID
Element name
If SPDX does not define the license used, this field may be used to provide the license name
Element text
Specifies the optional full text of the attachment
Element url
The URL to the attachment file. If the attachment is a license or BOM, an externalReference should also be specified for completeness.
Attribute content-type
Specifies the content type of the text. Defaults to text/plain if not specified.
Attribute encoding
Specifies the optional encoding the text is represented in
Attribute alg
Specifies the algorithm used to create the hash
Simple Type cpe
Define the format for acceptable CPE URIs. Supports CPE 2.2 and CPE 2.3 formats. Refer to https://nvd.nist.gov/products/cpe for official specification.
Element text
Specifies the full content of the SWID tag.
Element url
The URL to the SWID file.
Attribute tagId
Maps to the tagId of a SoftwareIdentity.
Attribute name
Maps to the name of a SoftwareIdentity.
Attribute version
Maps to the version of a SoftwareIdentity.
Attribute tagVersion
Maps to the tagVersion of a SoftwareIdentity.
Attribute patch
Maps to the patch of a SoftwareIdentity.
Simple Type urnUuid
Defines a string representation of a UUID conforming to RFC 4122.
Element reference
Zero or more external references can be defined
Element url
The URL to the external reference
Element comment
An optional comment describing the external reference
Attribute type
Specifies the type of external reference. There are built-in types to describe common references. If a type does not exist for the reference being referred to, use the "other" type.
Element commit
Specifies an individual commit.
Element uid
A unique identifier of the commit. This may be version control specific. For example, Subversion uses revision numbers whereas git uses commit hashes.
Element url
The URL to the commit. This URL will typically point to a commit in a version control system.
Element author
The author who created the changes in the commit
Element committer
The person who committed or pushed the commit
Element message
The text description of the contents of the commit
Element patch
Specifies an individual patch.
Element diff
The patch file (or diff) that shows changes. Refer to https://en.wikipedia.org/wiki/Diff
Attribute type
Specifies the purpose for the patch including the resolution of defects, security issues, or new behavior or functionality
Element text
Specifies the optional text of the diff
Element url
Specifies the URL to the diff
Element id
The identifier of the issue assigned by the source of the issue
Element name
The name of the issue
Element description
A description of the issue
Element name
The name of the source. For example "National Vulnerability Database", "NVD", and "Apache"
Element url
The URL of the issue documentation as provided by the source
Attribute type
Specifies the type of issue
Element timestamp
The timestamp at which the action occurred
Element name
The name of the individual who performed the action
Element email
The email address of the individual who performed the action
Element ancestors
Describes zero or more components from which a component is derived. This is commonly used to describe forks from existing projects where the forked version contains an ancestor node containing the original component it was forked from. For example, Component A is the original component. Component B is the component being used and documented in the BOM. However, Component B contains a pedigree node with a single ancestor documenting Component A - the original component from which Component B is derived.
Element descendants
Descendants are the exact opposite of ancestors. This provides a way to document all forks (and their forks) of an original or root component.
Element variants
Variants describe relations where the relationship between the components is not known. For example, Component A may contain nearly identical code to Component B: the two are related, but it is unclear if one is derived from the other, or if they share a common ancestor.
Element commits
A list of zero or more commits which provide a trail describing how the component deviates from an ancestor, descendant, or variant.
Element patches
A list of zero or more patches describing how the component deviates from an ancestor, descendant, or variant. Patches may be complementary to commits or may be used in place of commits.
Element notes
Notes, observations, and other non-structured commentary describing the component's pedigree.
Attribute ref
References a component or service by its bom-ref attribute
Element dependency
Components that do not have their own dependencies MUST be declared as empty elements within the graph. Components that are not represented in the dependency graph MAY have unknown dependencies. It is RECOMMENDED that implementations assume this to be opaque and not an indicator of a component being dependency-free.
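A consumer-side check for the dependency rule above and the bom-ref uniqueness constraint, as an added example that is not part of the schema or its tooling. The function name `audit_bom`, the namespace URI `urn:example:bom` and every component name in the sample are assumptions made up for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample BOM. The namespace URI and all component names are
# placeholders invented for this example.
SAMPLE_BOM = """<bom xmlns="urn:example:bom" version="1">
  <metadata>
    <component type="application" bom-ref="app">
      <name>shop</name><version>1.0.0</version>
    </component>
  </metadata>
  <components>
    <component type="library" bom-ref="lib-a">
      <name>lib-a</name><version>2.1.0</version>
    </component>
    <component type="library" bom-ref="lib-b">
      <name>lib-b</name><version>0.9.0</version>
    </component>
    <component type="library" bom-ref="lib-c">
      <name>lib-c</name><version>3.0.0</version>
    </component>
    <component type="library" bom-ref="lib-a">
      <name>lib-a-copy</name><version>2.1.0</version>
    </component>
  </components>
  <dependencies>
    <dependency ref="app">
      <dependency ref="lib-a"/>
      <dependency ref="lib-b"/>
      <dependency ref="lib-x"/>
    </dependency>
    <dependency ref="lib-a"/>
  </dependencies>
</bom>"""


def _local(tag):
    """Strip the '{namespace}' prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]


def audit_bom(xml_text):
    """Check bom-ref uniqueness and classify dependency knowledge.

    Returns sorted lists of:
      duplicate_bom_refs        bom-ref values used more than once
      dangling_refs             dependency refs that match no bom-ref
      declared_no_dependencies  refs declared as empty elements in the graph
      unknown_dependencies      bom-refs with no entry of their own in the
                                graph; treated as opaque, not dependency-free
    """
    # For BOMs from untrusted sources, parse with a hardened XML parser
    # (for example the defusedxml package) instead of the stdlib one.
    root = ET.fromstring(xml_text)

    # Uniqueness applies to every element under the root bom element.
    seen, duplicates = set(), set()
    for element in root.iter():
        ref = element.get("bom-ref")
        if ref is None:
            continue
        if ref in seen:
            duplicates.add(ref)
        seen.add(ref)

    # Top-level dependency elements are graph nodes; their nested
    # dependency children are the node's declared dependencies.
    graph = {}
    for section in root:
        if _local(section.tag) != "dependencies":
            continue
        for node in section:
            ref = node.get("ref")
            if _local(node.tag) != "dependency" or ref is None:
                continue
            children = {child.get("ref") for child in node
                        if _local(child.tag) == "dependency"
                        and child.get("ref") is not None}
            graph.setdefault(ref, set()).update(children)

    # Every ref used in the graph must resolve to a bom-ref in the BOM.
    used = set(graph)
    for children in graph.values():
        used |= children

    return {
        "duplicate_bom_refs": sorted(duplicates),
        "dangling_refs": sorted(used - seen),
        "declared_no_dependencies": sorted(r for r, c in graph.items() if not c),
        "unknown_dependencies": sorted(seen - set(graph)),
    }


if __name__ == "__main__":
    for key, value in audit_bom(SAMPLE_BOM).items():
        print(f"{key}: {value}")
```

In the sample, lib-b appears only as a child of app and has no element of its own, so it is reported as unknown rather than dependency-free.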
Element provider
The organization that provides the service.
Element group
The grouping name, namespace, or identifier. This will often be a shortened, single name of the company or project that produced the service or domain name. Whitespace and special characters should be avoided.
Element name
The name of the service. This will often be a shortened, single name of the service.
Element version
The service version.
Element description
Specifies a description for the service.
Element endpoint
A service endpoint URI.
Element authenticated
A boolean value indicating if the service requires authentication. A value of true indicates the service requires authentication prior to use. A value of false indicates the service does not require authentication.
Element x-trust-boundary
A boolean value indicating if use of the service crosses a trust zone or boundary. A value of true indicates that by using the service, a trust boundary is crossed. A value of false indicates that by using the service, a trust boundary is not crossed.
Element classification
Specifies the data classification.
Element expression
A valid SPDX license expression. Refer to https://spdx.org/specifications for syntax requirements
Element externalReferences
Provides the ability to document external references related to the service.
Element services
Specifies optional sub-services. This is not a dependency tree. It provides a way to specify a hierarchical representation of service assemblies, similar to system -> subsystem -> parts assembly in physical supply chains.
Attribute bom-ref
An optional identifier which can be used to reference the service elsewhere in the BOM. Uniqueness is enforced within all elements and children of the root-level bom element.
Attribute flow
Specifies the flow direction of the data.
Simple Type dataFlowType
Specifies the flow direction of the data. Valid values are: inbound, outbound, bi-directional, and unknown. Direction is relative to the service. Inbound flow states that data enters the service. Outbound flow states that data leaves the service. Bi-directional states that data flows both ways, and unknown states that the direction is not known.
Element metadata
Provides additional information about a BOM.
Element components
Provides the ability to document a list of components.
Element services
Provides the ability to document a list of external services.
Element externalReferences
Provides the ability to document external references related to the BOM or to the project the BOM describes.
Element dependencies
Provides the ability to document dependency relationships.
Attribute version
The version allows component publishers/authors to make changes to existing BOMs to update various aspects of the document such as description or licenses. When a system is presented with multiple BOMs for the same component, the system should use the most recent version of the BOM. The default version is '1' and should be incremented for each version of the BOM that is published. Each version of a component should have a unique BOM and if no changes are made to the BOMs, then each BOM will have a version of '1'.
Attribute serialNumber
Every BOM generated should have a unique serial number, even if the contents of the BOM being generated have not changed over time. The process or tool responsible for creating the BOM should create random UUIDs for every BOM generated.
Allow any attributes from any namespace (lax validation).>
  <!--
  Uniqueness Constraint - bom-ref
  Selector - .//*
  Field(s) - @bom-ref
  -->
  <bom:metadata>bom:metadata</bom:metadata> [0..1]
  <bom:components>bom:componentsType</bom:components> [0..1]
  <bom:services>bom:servicesType</bom:services> [0..1]
  <bom:externalReferences>bom:externalReferences</bom:externalReferences> [0..1]
  <bom:dependencies>bom:dependenciesType</bom:dependencies> [0..1]
  Allow any elements from a namespace other than this schema's namespace (lax validation). [0..*]
</bom:bom>
<...>
  <bom:uid>xs:normalizedString</bom:uid> [0..1]
  <bom:url>xs:anyURI</bom:url> [0..1]
  <bom:author>bom:identifiableActionType</bom:author> [0..1]
  <bom:committer>bom:identifiableActionType</bom:committer> [0..1]
  <bom:message>xs:normalizedString</bom:message> [0..1]
  Allow any elements from a namespace other than this schema's namespace (lax validation). [0..*]
</...>
<...>
  Start Sequence [0..*]
    <bom:commit>bom:commitType</bom:commit> [1]
    Allow any elements from a namespace other than this schema's namespace (lax validation). [0..*]
  End Sequence
</...>
Allow any attributes from any namespace (lax validation).>
  <bom:supplier>bom:organizationalEntity</bom:supplier> [0..1]
  <bom:author>xs:normalizedString</bom:author> [0..1]
  <bom:publisher>xs:normalizedString</bom:publisher> [0..1]
  <bom:group>xs:normalizedString</bom:group> [0..1]
  <bom:name>xs:normalizedString</bom:name> [1]
  <bom:version>xs:normalizedString</bom:version> [1]
  <bom:description>xs:normalizedString</bom:description> [0..1]
  <bom:scope>bom:scope</bom:scope> [0..1]
  <bom:hashes> [0..1]
    Start Sequence [0..*]
      <bom:hash>bom:hashType</bom:hash> [1]
    End Sequence
  </bom:hashes>
  <bom:licenses> [0..1]
    Start Choice [1]
      <bom:license>bom:licenseType</bom:license> [0..*]
      <bom:expression>xs:normalizedString</bom:expression> [0..1]
    End Choice
  </bom:licenses>
  <bom:copyright>xs:normalizedString</bom:copyright> [0..1]
  <bom:cpe>bom:cpe</bom:cpe> [0..1]
  <bom:purl>xs:anyURI</bom:purl> [0..1]
  <bom:swid>bom:swidType</bom:swid> [0..1]
  <bom:modified>xs:boolean</bom:modified> [0..1]
  <bom:pedigree>bom:pedigreeType</bom:pedigree> [0..1]
  <bom:externalReferences>bom:externalReferences</bom:externalReferences> [0..1]
  <bom:components> [0..1]
    Start Sequence [0..*]
      <bom:component>bom:component</bom:component> [1]
      Allow any elements from a namespace other than this schema's namespace (lax validation). [0..*]
    End Sequence
  </bom:components>
  Allow any elements from a namespace other than this schema's namespace (lax validation). [0..*]
</...>
<...Allow any attributes from any namespace (lax validation).>
  Start Sequence [0..*]
    <bom:component>bom:component</bom:component> [1]
    Allow any elements from a namespace other than this schema's namespace (lax validation). [0..*]
  End Sequence
</...>
Allow any attributes from a namespace other than this schema's namespace (lax validation).>
  Start Sequence [0..*]
    <bom:dependency>bom:dependencyType</bom:dependency> [1]
  End Sequence
</...>
<...>
  <bom:text>bom:attachedTextType</bom:text> [0..1]
  <bom:url>xs:anyURI</bom:url> [0..1]
  Allow any elements from a namespace other than this schema's namespace (lax validation). [0..*]
</...>
Allow any attributes from any namespace (lax validation).>
  <bom:url>xs:anyURI</bom:url> [1]
  <bom:comment>xs:string</bom:comment> [0..1]
</...>
<...>
  <bom:timestamp>xs:dateTime</bom:timestamp> [0..1]
  <bom:name>xs:normalizedString</bom:name> [0..1]
  <bom:email>xs:normalizedString</bom:email> [0..1]
  Allow any elements from a namespace other than this schema's namespace (lax validation). [0..*]
</...>
>
  <bom:id>xs:normalizedString</bom:id> [0..1]
  <bom:name>xs:normalizedString</bom:name> [0..1]
  <bom:description>xs:normalizedString</bom:description> [0..1]
  <bom:source> [0..1]
    <bom:name>xs:normalizedString</bom:name> [0..1]
    <bom:url>xs:anyURI</bom:url> [0..1]
  </bom:source>
  <bom:references> [0..1]
    Start Sequence [0..*]
      <bom:url>xs:anyURI</bom:url> [1]
    End Sequence
  </bom:references>
  Allow any elements from a namespace other than this schema's namespace (lax validation). [0..*]
</...>
<...>
  Start Choice [1]
    <bom:id>spdx:licenseId</bom:id> [0..1]
    <bom:name>xs:normalizedString</bom:name> [0..1]
  End Choice
  <bom:text>bom:attachedTextType</bom:text> [0..1]
  <bom:url>xs:anyURI</bom:url> [0..1]
  Allow any elements from a namespace other than this schema's namespace (lax validation). [0..*]
</...>
<...Allow any attributes from a namespace other than this schema's namespace (lax validation).>
  Start Sequence [0..1]
    <bom:timestamp>xs:dateTime</bom:timestamp> [0..1]
    <bom:tools> [0..1]
      Start Sequence [0..*]
        <bom:tool>bom:toolType</bom:tool> [0..1]
      End Sequence
    </bom:tools>
    <bom:authors> [0..1]
      Start Sequence [0..*]
        <bom:author>bom:organizationalContact</bom:author> [1]
      End Sequence
    </bom:authors>
    <bom:component>bom:component</bom:component> [0..1]
    <bom:manufacture>bom:organizationalEntity</bom:manufacture> [0..*]
    <bom:supplier>bom:organizationalEntity</bom:supplier> [0..*]
    Allow any elements from a namespace other than this schema's namespace (lax validation). [0..*]
  End Sequence
</...>
<...Allow any attributes from a namespace other than this schema's namespace (lax validation).>
  Start Sequence [0..1]
    <bom:name>xs:normalizedString</bom:name> [0..1]
    <bom:email>xs:normalizedString</bom:email> [0..*]
    <bom:phone>xs:normalizedString</bom:phone> [0..*]
    Allow any elements from a namespace other than this schema's namespace (lax validation). [0..*]
  End Sequence
</...>
<...Allow any attributes from a namespace other than this schema's namespace (lax validation).>
  Start Sequence [0..1]
    <bom:name>xs:normalizedString</bom:name> [0..1]
    <bom:url>xs:anyURI</bom:url> [0..*]
    <bom:contact>bom:organizationalContact</bom:contact> [0..*]
    Allow any elements from a namespace other than this schema's namespace (lax validation). [0..*]
  End Sequence
</...>
Specifies the purpose for the patch including the resolution of defects,
security issues, or new behavior or functionality
>
  <bom:diff>bom:diffType</bom:diff> [0..1]
  <bom:resolves> [0..1]
    Start Sequence [0..*]
      <bom:issue>bom:issueType</bom:issue> [1]
    End Sequence
  </bom:resolves>
  Allow any elements from a namespace other than this schema's namespace (lax validation). [0..*]
</...>

<...>
  Start Sequence [0..*]
    <bom:patch>bom:patchType</bom:patch> [1]
    Allow any elements from a namespace other than this schema's namespace (lax validation). [0..*]
  End Sequence
</...>
Component pedigree is a way to document complex supply chain scenarios where components are created, distributed, modified, redistributed, combined with other components, etc. Pedigree supports viewing this complex chain from the beginning, the end, or anywhere in the middle. It also provides a way to document variants where the exact relation may not be known.
An optional identifier which can be used to reference the service elsewhere in the BOM.
Uniqueness is enforced within all elements and children of the root-level bom element.
Allow any attributes from any namespace (lax validation).>
  <bom:provider>bom:organizationalEntity</bom:provider> [0..1]
  <bom:group>xs:normalizedString</bom:group> [0..1]
  <bom:name>xs:normalizedString</bom:name> [1]
  <bom:version>xs:normalizedString</bom:version> [0..1]
  <bom:description>xs:normalizedString</bom:description> [0..1]
  <bom:endpoints> [0..1]
    Start Sequence [0..*]
      <bom:endpoint>xs:anyURI</bom:endpoint> [1]
    End Sequence
  </bom:endpoints>
  <bom:authenticated>xs:boolean</bom:authenticated> [0..1]
  <bom:x-trust-boundary>xs:boolean</bom:x-trust-boundary> [0..1]
  <bom:data> [0..1]
    Start Sequence [0..*]
      <bom:classification>bom:dataClassificationType</bom:classification> [1]
    End Sequence
  </bom:data>
  <bom:licenses> [0..1]
    Start Choice [1]
      <bom:license>bom:licenseType</bom:license> [0..*]
      <bom:expression>xs:normalizedString</bom:expression> [0..1]
    End Choice
  </bom:licenses>
  <bom:externalReferences>bom:externalReferences</bom:externalReferences> [0..1]
  <bom:services> [0..1]
    Start Sequence [0..*]
      <bom:service>bom:service</bom:service> [1]
      Allow any elements from a namespace other than this schema's namespace (lax validation). [0..*]
    End Sequence
  </bom:services>
  Allow any elements from a namespace other than this schema's namespace (lax validation). [0..*]
</...>

<...
  Allow any attributes from any namespace (lax validation).>
  Start Sequence [0..*]
    <bom:service>bom:service</bom:service> [1]
    Allow any elements from a namespace other than this schema's namespace (lax validation). [0..*]
  End Sequence
</...>

>
  <bom:text>bom:attachedTextType</bom:text> [0..1]
  <bom:url>xs:anyURI</bom:url> [0..1]
  Allow any elements from a namespace other than this schema's namespace (lax validation). [0..*]
</...>

<...
  Allow any attributes from a namespace other than this schema's namespace (lax validation).>
  Start Sequence [0..1]
    <bom:vendor>xs:normalizedString</bom:vendor> [0..1]
    <bom:name>xs:normalizedString</bom:name> [0..1]
    <bom:version>xs:normalizedString</bom:version> [0..1]
    <bom:hashes> [0..1]
      Start Sequence [0..*]
        <bom:hash>bom:hashType</bom:hash> [1]
      End Sequence
    </bom:hashes>
    Allow any elements from a namespace other than this schema's namespace (lax validation). [0..*]
  End Sequence
</...>
Define the format for acceptable CPE URIs. Supports CPE 2.2 and CPE 2.3 formats. Refer to https://nvd.nist.gov/products/cpe for official specification.
Specifies the flow direction of the data. Valid values are: inbound, outbound, bi-directional, and unknown. Direction is relative to the service. Inbound flow states that data enters the service. Outbound flow states that data leaves the service. Bi-directional states that data flows both ways, and unknown states that the direction is not known.
Abstract
(Applies to complex type definitions and element declarations.) An abstract element or complex type cannot be used to validate an element instance. If there is a reference to an abstract element, only element declarations that can substitute the abstract element can be used to validate the instance. For references to abstract type definitions, only derived types can be used.
Collapse Whitespace Policy
Replace tab, line feed, and carriage return characters with the space character (Unicode character 32). Then, collapse contiguous sequences of space characters into a single space character, and remove leading and trailing space characters.
Disallowed Substitutions
(Applies to element declarations.) If substitution is specified, then substitution group members cannot be used in place of the given element declaration to validate element instances. If derivation methods, e.g. extension, restriction, are specified, then the given element declaration will not validate element instances that have types derived from the element declaration's type using the specified derivation methods. Normally, element instances can override their declaration's type by specifying an xsi:type attribute.
Nillable
(Applies to element declarations.) If an element declaration is nillable, instances can use the xsi:nil attribute. The xsi:nil attribute is the boolean attribute, nil, from the http://www.w3.org/2001/XMLSchema-instance namespace. If an element instance has an xsi:nil attribute set to true, it can be left empty, even though its element declaration may have required content.
Prohibited Derivations
(Applies to type definitions.) Derivation methods that cannot be used to create sub-types from a given type definition.
Prohibited Substitutions
(Applies to complex type definitions.) Prevents sub-types that have been derived using the specified derivation methods from validating element instances in place of the given type definition.
Replace Whitespace Policy
Replace tab, line feed, and carriage return characters with the space character (Unicode character 32).
Substitution Group
Elements that are members of a substitution group can be used wherever the head element of the substitution group is referenced.
Substitution Group Exclusions
(Applies to element declarations.) Prohibits element declarations from nominating themselves as being able to substitute a given element declaration, if they have types that are derived from the original element's type using the specified derivation methods.
Target Namespace
The target namespace identifies the namespace that components in this schema belong to. If no target namespace is provided, then the schema components do not belong to any namespace.
Element comment
An optional comment describing the external reference