Identify Known Vulnerabilities

Introduction

To identify known vulnerabilities in software and hardware components effectively, CycloneDX supports multiple identity standards, including Common Platform Enumeration (CPE) and Package-URL (PURL). These identifiers help map components to known vulnerabilities in databases like the NVD, OSS Index, and OSV.

Guidelines

Use: Open Source Software
Recommendation: PURL is recommended. It provides a clear and structured way to represent package information, making it ideal for OSS distributed as packages or hosted on platforms like GitHub. As a decentralized standard, PURL allows open source projects and vendors to maintain control over the identity of their software, promoting flexibility and autonomy in managing metadata.

Use: Proprietary Software
Recommendation: CPE is suitable for identifying software products cataloged in government and some commercial vulnerability databases. While supported by the NVD, CPE is not natively used by the software or hardware industries for product lifecycle management. It is a centralized standard requiring a CVE Numbering Authority (CNA) to define entries, which can limit its adaptability, accuracy, and scalability. This contrasts with the decentralized nature of PURL, which empowers stakeholders to define their software's identity without external dependencies.

Proprietary software often benefits from the use of Software Identification (SWID) tags, which are defined in ISO/IEC 19770-2. SWID tags are used to identify installed software in enterprise environments, offering a robust mechanism for tracking and managing software assets. For a lighter-weight and compatible alternative the SWID PURL type can also be used, providing detailed tracking of installed software and facilitating compliance in regulated environments.

Use: Hardware
Recommendation: When identifying vulnerabilities in hardware components, CPE is the recommended identifier. While not natively used by the hardware industry for product lifecycle management, CPE provides a standardized method for cataloging hardware products in the NVD, facilitating vulnerability management. Additionally, CycloneDX enhances hardware transparency by supporting the CycloneDX Property Taxonomy, which includes numerous hardware identifiers such as those aligned with GS1 standards. This capability enables organizations to incorporate detailed metadata about hardware assets into their Bill of Materials (BOM), offering comprehensive visibility and control over the hardware components in their supply chain.

Not all sources of vulnerability intelligence support all identifiers. Use of multiple sources may be required to obtain accurate and actionable results.

Examples

{
  "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json",
  "bomFormat": "CycloneDX",
  "specVersion": "1.6",
  "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79",
  "version": 1,
  "components": [
    {
      "type": "application",
      "name": "Example Application",
      "version": "1.0.0",
      "cpe": "cpe:/a:acme:example_application:1.0.0",
      "purl": "pkg:swid/Acme/example.com/Example%20Application@1.0.0?tag_id=83f4f966-9a9a-4892-a254-473838c57ac4",
      "swid": {
        "tagId": "83f4f966-9a9a-4892-a254-473838c57ac4",
        "name": "Example Application",
        "version": "1.0.0",
        "text": {
          "contentType": "text/xml",
          "encoding": "base64",
          "content": "PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0idXRmLTgiID8+CjxTb2Z0d2FyZUlkZW50aXR5IHhtbDpsYW5nPSJFTiIgbmFtZT0iRXhhbXBsZSBBcHBsaWNhdGlvbiIgdmVyc2lvbj0iMS4wLjAiIAogICAgdmVyc2lvblNjaGVtZT0ibXVsdGlwYXJ0bnVtZXJpYyIgCiAgICB0YWdJZD0iODNmNGY5NjYtOWE5YS00ODkyLWEyNTQtNDczODM4YzU3YWM0IiAKICAgIHhtbG5zPSJodHRwOi8vc3RhbmRhcmRzLmlzby5vcmcvaXNvLzE5NzcwLy0yLzIwMTUvc2NoZW1hLnhzZCI+CgogICAgPEVudGl0eSBuYW1lPSJBY21lIiByZWdpZD0iZXhhbXBsZS5jb20iIHJvbGU9InNvZnR3YXJlQ3JlYXRvciIgLz4gCiAgICA8RW50aXR5IG5hbWU9IkFjbWUiIHJlZ2lkPSJleGFtcGxlLmNvbSIgcm9sZT0idGFnQ3JlYXRvciIgLz4gCjwvU29mdHdhcmVJZGVudGl0eT4="
        }
      }
    },
    {
      "type": "library",
      "group": "org.apache.tomcat",
      "name": "tomcat-catalina",
      "version": "9.0.14",
      "purl": "pkg:maven/org.apache.tomcat/tomcat-catalina@9.0.14"
    }
  ]
}
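
As an added example (not part of the CycloneDX documentation or tooling), the following Python code shows how the `cpe` and `purl` fields of a BOM like the one above decide where a component can be looked up: purls are prepared as OSV queries, CPEs as NVD queries after a simple CPE 2.2 URI is widened to 2.3 form, and components with neither identifier are flagged. The `internal-utils` component, the function names and the simplified CPE conversion are assumptions made for this example; the code only builds the queries and sends nothing.

```python
from urllib.parse import unquote, urlencode

OSV_URL = "https://api.osv.dev/v1/query"                      # takes a purl in a JSON body
NVD_URL = "https://services.nvd.nist.gov/rest/json/cves/2.0"  # takes a CPE 2.3 cpeName

# Constructed sample BOM modelled on the page's example, plus one component without identifiers.
BOM = {"components": [
    {"name": "Example Application", "version": "1.0.0", "cpe": "cpe:/a:acme:example_application:1.0.0",
     "purl": "pkg:swid/Acme/example.com/Example%20Application@1.0.0?tag_id=83f4f966-9a9a-4892-a254-473838c57ac4"},
    {"name": "tomcat-catalina", "version": "9.0.14", "purl": "pkg:maven/org.apache.tomcat/tomcat-catalina@9.0.14"},
    {"name": "internal-utils", "version": "2.3.1"}]}

def parse_purl(purl):
    """Split pkg:type/namespace/name@version, ignoring qualifiers and subpath."""
    if not purl.startswith("pkg:"):
        raise ValueError(f"not a purl: {purl}")
    rest = purl[4:].split("#", 1)[0].split("?", 1)[0].strip("/")
    path, version = rest.rsplit("@", 1) if "@" in rest else (rest, "")
    ptype, *segments = path.split("/")
    if not segments:
        raise ValueError(f"purl has no name: {purl}")
    return {"type": ptype.lower(), "namespace": "/".join(unquote(s) for s in segments[:-1]),
            "name": unquote(segments[-1]), "version": unquote(version) or None}

def cpe23(cpe):
    """Return a CPE 2.3 formatted string; a plain 2.2 URI is padded with '*' (ANY)."""
    if cpe.startswith("cpe:2.3:"):
        return cpe
    if not cpe.startswith("cpe:/"):
        raise ValueError(f"not a CPE: {cpe}")
    # Assumption: no percent-encoding or packed '~' edition fields in the 2.2 URI.
    parts = [p or "*" for p in cpe[5:].split(":")]
    return "cpe:2.3:" + ":".join(parts + ["*"] * (11 - len(parts)))

def lookup_plan(bom):
    """For each component, list the queries its identifiers allow and any identity problems."""
    plan = []
    for comp in bom.get("components", []):
        queries, notes = [], []
        if comp.get("purl"):
            if parse_purl(comp["purl"])["version"] != comp.get("version"):
                notes.append("purl version differs from component version")
            queries.append(("OSV", OSV_URL, {"package": {"purl": comp["purl"]}}))
        if comp.get("cpe"):
            queries.append(("NVD", NVD_URL + "?" + urlencode({"cpeName": cpe23(comp["cpe"])}), None))
        if not queries:
            notes.append("no cpe or purl: cannot be matched against NVD or OSV")
        plan.append({"name": comp["name"], "queries": queries, "notes": notes})
    return plan
```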