Components in a BOM can be nested to form an assembly. An assembly is a collection of components that are included in a parent component. As an analogy, an automotive dashboard contains an instrument panel component, and the instrument panel component in turn contains a speedometer component. This nested relationship is called an assembly in CycloneDX.
Software assemblies that can be represented in CycloneDX can range from large enterprise solutions comprising multiple systems, to cloud-native deployments containing extensive collections of related micro-services. Assemblies can also describe simpler inclusions, such as software packages that contain supporting files.
Assemblies, or leaves within an assembly, can be signed independently. BOMs comprising component assemblies from multiple suppliers can benefit from this capability: each supplier can sign their respective assembly, and the creator of the final goods can then sign the BOM as a whole. Refer to Authenticity.
{
  "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json",
  "bomFormat": "CycloneDX",
  "specVersion": "1.6",
  "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79",
  "version": 1,
  "components": [
    {
      "type": "application",
      "name": "Acme Commerce Suite",
      "version": "2.0.0",
      "components": [
        {
          "type": "application",
          "name": "Acme Storefront Server",
          "version": "3.7.0"
        },
        {
          "type": "application",
          "name": "Acme Payment Processor",
          "version": "3.1.1"
        }
      ]
    },
    {
      "type": "application",
      "name": "Acme Management App",
      "version": "2.0.0"
    },
    {
      "type": "application",
      "name": "Acme License Utility",
      "version": "2.0.0"
    }
  ]
}
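Because assemblies nest, any tooling that inventories a BOM (for vulnerability matching, license review, or deciding which subtree a supplier signs) must descend into each component's own "components" list rather than reading only the top level. The following added example, not code from the CycloneDX project, walks the BOM above recursively and contrasts the full inventory with the incomplete one a top-level-only reader would produce; the BOM is embedded inline as a constructed sample and the function names are the author's own.

```python
# Constructed sample: the nested assembly BOM from the text above, as a Python dict.
SAMPLE_BOM = {
    "bomFormat": "CycloneDX", "specVersion": "1.6", "version": 1,
    "components": [
        {"type": "application", "name": "Acme Commerce Suite", "version": "2.0.0",
         "components": [
             {"type": "application", "name": "Acme Storefront Server", "version": "3.7.0"},
             {"type": "application", "name": "Acme Payment Processor", "version": "3.1.1"},
         ]},
        {"type": "application", "name": "Acme Management App", "version": "2.0.0"},
        {"type": "application", "name": "Acme License Utility", "version": "2.0.0"},
    ],
}


def walk_components(components, path=()):
    """Yield (path, component) for every component, descending into nested assemblies.

    `path` is the tuple of ancestor names, so a leaf inside an assembly is reported
    together with the parent component that includes it.
    """
    for comp in components:
        here = path + (comp["name"],)
        yield here, comp
        # Nested assembly: recurse into the child list (absent on leaf components).
        yield from walk_components(comp.get("components", []), here)


def full_inventory(bom):
    """Return 'parent > child' strings for every component, nested ones included."""
    return [" > ".join(p) for p, _ in walk_components(bom.get("components", []))]


def top_level_inventory(bom):
    """The incomplete view a naive reader produces: top-level components only."""
    return [c["name"] for c in bom.get("components", [])]


def find_assembly(bom, name):
    """Return the subtree for the named component (the unit a supplier would sign), or None."""
    for _, comp in walk_components(bom.get("components", [])):
        if comp["name"] == name:
            return comp
    return None


if __name__ == "__main__":
    print("top level only:", top_level_inventory(SAMPLE_BOM))
    print("full inventory:", full_inventory(SAMPLE_BOM))
```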