In CycloneDX, a composition whose `dependencies` list is populated makes a statement about the dependency graph rather than the component inventory: it records how completely the dependency relationships of the listed components or services are known. The `aggregate` value in such a composition therefore qualifies the relationships (`complete`, `incomplete`, `unknown`, and so on), not the list of components. This lets a BOM author state, for example, that the direct dependencies of an application are fully enumerated while the dependencies of its libraries have not been resolved, which is exactly what a consumer needs to know before treating the graph as a basis for transitive vulnerability or license analysis. The completeness claim is distinct from the graph itself: a component that has no entry in the top-level `dependencies` array has unknown dependencies, whereas an entry with an empty `dependsOn` list declares that the component has none.
| Property | Usage Description |
|---|---|
| aggregate | The completeness of the dependency relationships for the listed bom-refs, for example `complete`, `incomplete`, or `unknown`. In a dependencies composition this qualifies the graph, not the component inventory. |
| dependencies | An array of bom-refs of components or services whose dependency relationships (their entries in the top-level `dependencies` array and their `dependsOn` lists) have the stated completeness. The composition covers only those relationships, not the inventory of the referenced components. |
```json
{
  "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json",
  "bomFormat": "CycloneDX",
  "specVersion": "1.6",
  "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79",
  "version": 1,
  "metadata": {
    "component": {
      "bom-ref": "acme-application",
      "type": "application",
      "name": "Acme Application",
      "version": "1.0.0"
    }
  },
  "components": [
    {
      "bom-ref": "library-a",
      "type": "library",
      "name": "Library A",
      "version": "2.5.1"
    },
    {
      "bom-ref": "library-b",
      "type": "library",
      "name": "Library B",
      "version": "3.3.0"
    },
    {
      "bom-ref": "library-c",
      "type": "library",
      "name": "Library C",
      "version": "3.1.3"
    }
  ],
  "dependencies": [
    {
      "ref": "acme-application",
      "dependsOn": [
        "library-a"
      ]
    }
  ],
  "compositions": [
    {
      "aggregate": "complete",
      "dependencies": [
        "acme-application"
      ]
    },
    {
      "aggregate": "unknown",
      "dependencies": [
        "library-a",
        "library-b",
        "library-c"
      ]
    }
  ]
}
```
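The example above says the application's own dependency list is complete but that nothing is known about the libraries' dependencies, so the transitive closure from `acme-application` is not actually enumerable. The following audit makes that explicit. It is an added example, not code from the CycloneDX project or its tooling; it uses only the Python standard library, and the sample BOM embedded in it is constructed to mirror the example on this page (it drops the `$schema` and `serialNumber` fields, which the audit does not use). It pairs every bom-ref with the `aggregate` of the composition that covers its dependencies, cross-checks those claims against the top-level `dependencies` graph (an absent entry is treated as unknown, an empty `dependsOn` as none, following the specification), and reports per ref whether the full transitive closure is known and any inconsistencies it finds.

```python
"""Audit dependency-completeness claims in a CycloneDX 1.6 BOM.

Added example, not code from the CycloneDX project. It pairs each bom-ref
with the `aggregate` of the composition that covers its dependencies and
cross-checks that claim against the top-level `dependencies` graph, so a
consumer can see which transitive closures are actually enumerable.
Standard library only; the sample BOM below is constructed to match the page.
"""
import json
from collections import deque

# Constructed sample: the application's direct dependencies are fully known,
# the libraries' dependency relationships are not.
SAMPLE_BOM = json.loads("""
{
  "bomFormat": "CycloneDX", "specVersion": "1.6", "version": 1,
  "metadata": {"component": {"bom-ref": "acme-application", "type": "application",
                             "name": "Acme Application", "version": "1.0.0"}},
  "components": [
    {"bom-ref": "library-a", "type": "library", "name": "Library A", "version": "2.5.1"},
    {"bom-ref": "library-b", "type": "library", "name": "Library B", "version": "3.3.0"},
    {"bom-ref": "library-c", "type": "library", "name": "Library C", "version": "3.1.3"}
  ],
  "dependencies": [{"ref": "acme-application", "dependsOn": ["library-a"]}],
  "compositions": [
    {"aggregate": "complete", "dependencies": ["acme-application"]},
    {"aggregate": "unknown", "dependencies": ["library-a", "library-b", "library-c"]}
  ]
}
""")


def all_refs(bom):
    """Every bom-ref that may appear in the graph: metadata component, components, services."""
    refs = []
    meta = bom.get("metadata", {}).get("component") or {}
    if meta.get("bom-ref"):
        refs.append(meta["bom-ref"])
    for key in ("components", "services"):
        refs.extend(o["bom-ref"] for o in bom.get(key, []) if o.get("bom-ref"))
    return refs


def dependency_completeness(bom):
    """bom-ref -> aggregate, taken only from compositions that list `dependencies`.
    A ref covered by two such compositions is marked 'conflict'."""
    claims = {}
    for comp in bom.get("compositions", []):
        for ref in comp.get("dependencies", []):
            claims[ref] = "conflict" if ref in claims else comp.get("aggregate", "not_specified")
    return claims


def direct_dependencies(bom):
    """bom-ref -> dependsOn list, only for refs that have a graph entry.
    Per the spec, no entry means unknown dependencies; an empty list means none."""
    return {d["ref"]: list(d.get("dependsOn", [])) for d in bom.get("dependencies", [])}


def audit(bom):
    """Return, per bom-ref: its completeness claim, its direct dependencies (None if
    unknown), whether the whole transitive closure is enumerable, and any issues."""
    refs = set(all_refs(bom))
    claims = dependency_completeness(bom)
    graph = direct_dependencies(bom)
    report = {}
    for ref in sorted(refs):
        agg = claims.get(ref, "not_specified")
        issues = []
        if agg == "conflict":
            issues.append("listed in more than one dependencies composition")
        if agg == "complete" and ref not in graph:
            issues.append("claimed complete but has no dependencies entry")
        issues.extend(f"dependsOn unknown bom-ref {d!r}" for d in graph.get(ref, []) if d not in refs)
        # The closure is known only if every reachable ref is itself claimed complete
        # and has a graph entry; one 'unknown' or missing node taints the whole tree.
        known = agg == "complete" and ref in graph
        seen, queue = {ref}, deque(graph.get(ref, []))
        while queue:
            node = queue.popleft()
            if node in seen:
                continue
            seen.add(node)
            if claims.get(node) != "complete" or node not in graph:
                known = False
            queue.extend(graph.get(node, []))
        report[ref] = {"aggregate": agg, "direct": graph.get(ref),
                       "transitive_known": known, "issues": issues}
    return report


if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE_BOM), indent=2))
```

Run against the sample, `acme-application` reports `"aggregate": "complete"` with `"direct": ["library-a"]` but `"transitive_known": false`, because `library-a` is covered by an `unknown` composition and has no graph entry. A policy gate that requires a fully known graph for the root component would fail this BOM, which is the correct outcome: the producer has honestly said the transitive dependencies were never resolved. The audit also flags a ref that is claimed `complete` without a `dependencies` entry, a ref listed in two dependency compositions, and a `dependsOn` pointing at a bom-ref that does not exist in the BOM, all of which are signs of a graph that was assembled by hand or by a tool that did not round-trip its own claims.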