Contents
Frontispiece
Preface
Introduction
Design Philosophy and Guiding Principles
Defining Software Bill of Materials
The Role of SBOM in Software Transparency
CycloneDX Object Model
The Anatomy of a CycloneDX BOM
Lifecycle Phases
Use Cases
Enterprise Configuration Management Database (CMDB)
Foreign Ownership, Control, or Influence (FOCI)
Composition Completeness and “Known Unknowns”
Formulation Assurance and Verification
BOM Coverage, Maturity, and Quality
Generating CycloneDX BOMs
Approaches to Generating CycloneDX SBOMs
Generating SBOMs for Source Files
Integrating CycloneDX Into The Build Process
Generating BOMs from Evidence (from binaries)
Building CycloneDX BOMs Manually
Consuming CycloneDX BOMs
Leveraging Data Components
Establishing Relationships in CycloneDX
External References
Establishing Relationships With BOM-Link
Pedigree
Formulation
Evidence
Reachability Using Call Stacks
Scenarios and Recommendations
Single Application (monolith, mobile app, etc)
Using Modified Open Source Software
Extensibility
CycloneDX Properties and Registered Namespaces