In CycloneDX, `dependsOn` and `provides` describe different aspects of dependency relationships within a system. `dependsOn` represents what a component or service requires in order to function, such as libraries, APIs, or other services it relies on. For example, an application may depend on a cryptographic library for encryption or on a protocol for secure communication. This captures the consumer-side dependencies needed to maintain functionality and performance.

In contrast, `provides` specifies what a component or service delivers, particularly the standards or capabilities it implements. For instance, a library may provide an implementation of a specific algorithm or protocol, highlighting its role as a producer of that functionality. Together, these two relationships give a complete view of system dependencies, supporting transparency, compliance, and risk management.
| Property | Usage Description |
|---|---|
| `bom-ref` | A unique identifier within the BOM used to reference a specific component or service elsewhere in the document, enabling precise cross-referencing and relationships. |
| `ref` | Identifies the component or service being described, which may depend on other components or services. |
| `dependsOn` | Lists the `bom-ref` identifiers of components or services that the described component or service depends on. |
| `provides` | Identifies the components or services, referenced by their `bom-ref`, that implement or fulfill a specific specification or standard associated with this dependency. |
```json
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.6",
  "serialNumber": "urn:uuid:e8c355aa-2142-4084-a8c7-6d42c8610ba2",
  "version": 1,
  "metadata": {
    "timestamp": "2025-01-01T12:00:00Z",
    "component": {
      "bom-ref": "acme-application",
      "type": "application",
      "name": "Acme Application",
      "version": "1.0.0"
    }
  },
  "components": [
    {
      "bom-ref": "crypto-library",
      "type": "library",
      "name": "Cryptographic Library",
      "version": "2.5.0"
    },
    {
      "name": "AES-128-GCM",
      "type": "cryptographic-asset",
      "bom-ref": "[email protected]",
      "cryptoProperties": {
        "assetType": "algorithm",
        "algorithmProperties": {
          "parameterSetIdentifier": "128",
          "primitive": "ae",
          "mode": "gcm",
          "executionEnvironment": "software-plain-ram",
          "implementationPlatform": "x86_64",
          "cryptoFunctions": [ "keygen", "encrypt", "decrypt" ]
        },
        "oid": "2.16.840.1.101.3.4.1.6"
      }
    }
  ],
  "dependencies": [
    {
      "ref": "acme-application",
      "dependsOn": ["crypto-library"]
    },
    {
      "ref": "crypto-library",
      "provides": ["[email protected]"]
    }
  ]
}
```
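The practical use of these two relationships is to walk the graph: follow `dependsOn` edges from an application to the libraries it consumes, then `provides` edges from those libraries to the cryptographic assets they implement. The script below is an added example, not part of the CycloneDX guide or any CycloneDX tooling. It embeds a constructed CBOM modelled on the example above (with placeholder `bom-ref` values and an extra RSA-2048 asset plus a deliberately dangling reference so the checks have something to find), validates that every `ref`, `dependsOn` and `provides` value resolves to a declared `bom-ref`, lists the cryptographic assets an application reaches transitively, and filters those to asymmetric primitives as a coarse first cut of a post-quantum inventory. The set of primitive names treated as asymmetric is this example's own assumption, not a CycloneDX definition.

```python
import json
from collections import deque

# Constructed sample CBOM, modelled on the page's example but not copied from it.
# bom-ref values are placeholders chosen for this example; "alg-missing" is a
# deliberately dangling reference so that dangling_refs() has something to report.
SAMPLE_CBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.6",
    "version": 1,
    "metadata": {
        "component": {"bom-ref": "acme-application", "type": "application",
                      "name": "Acme Application", "version": "1.0.0"}
    },
    "components": [
        {"bom-ref": "crypto-library", "type": "library",
         "name": "Cryptographic Library", "version": "2.5.0"},
        {"bom-ref": "alg-aes-128-gcm", "type": "cryptographic-asset", "name": "AES-128-GCM",
         "cryptoProperties": {"assetType": "algorithm",
                              "algorithmProperties": {"primitive": "ae", "mode": "gcm",
                                                      "parameterSetIdentifier": "128"}}},
        {"bom-ref": "alg-rsa-2048", "type": "cryptographic-asset", "name": "RSA-2048",
         "cryptoProperties": {"assetType": "algorithm",
                              "algorithmProperties": {"primitive": "signature",
                                                      "parameterSetIdentifier": "2048"}}},
    ],
    "dependencies": [
        {"ref": "acme-application", "dependsOn": ["crypto-library"]},
        {"ref": "crypto-library", "provides": ["alg-aes-128-gcm", "alg-rsa-2048"]},
        {"ref": "alg-aes-128-gcm", "dependsOn": ["alg-missing"]},  # dangling on purpose
    ],
})


def load_sample():
    """Parse the constructed sample CBOM into a dict."""
    return json.loads(SAMPLE_CBOM)


def index_components(bom):
    """Map every bom-ref (metadata component included) to its component object."""
    comps = {}
    meta = bom.get("metadata", {}).get("component")
    if meta and "bom-ref" in meta:
        comps[meta["bom-ref"]] = meta
    for comp in bom.get("components", []):
        if "bom-ref" in comp:
            comps[comp["bom-ref"]] = comp
    return comps


def build_edges(bom):
    """Return ({ref: [dependsOn ...]}, {ref: [provides ...]}) from the dependencies array."""
    depends, provides = {}, {}
    for dep in bom.get("dependencies", []):
        depends[dep["ref"]] = list(dep.get("dependsOn", []))
        provides[dep["ref"]] = list(dep.get("provides", []))
    return depends, provides


def dangling_refs(bom):
    """Every ref/dependsOn/provides value that does not resolve to a declared bom-ref."""
    known = set(index_components(bom))
    depends, provides = build_edges(bom)
    bad = set()
    for src, targets in list(depends.items()) + list(provides.items()):
        if src not in known:
            bad.add(src)
        bad.update(t for t in targets if t not in known)
    return sorted(bad)


def reachable_crypto_assets(bom, root):
    """bom-refs of cryptographic-asset components reachable from root over dependsOn and provides."""
    comps = index_components(bom)
    depends, provides = build_edges(bom)
    seen, queue = {root}, deque([root])
    while queue:  # breadth-first walk over both edge kinds
        node = queue.popleft()
        for nxt in depends.get(node, []) + provides.get(node, []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return sorted(r for r in seen if comps.get(r, {}).get("type") == "cryptographic-asset")


# Assumption of this example: primitives whose security rests on asymmetric hard problems.
ASYMMETRIC_PRIMITIVES = {"signature", "pke", "kem", "key-agree"}


def asymmetric_assets(bom, root):
    """Reachable algorithms whose primitive is asymmetric (a coarse PQC-inventory filter)."""
    comps = index_components(bom)
    out = []
    for ref in reachable_crypto_assets(bom, root):
        props = comps[ref].get("cryptoProperties", {}).get("algorithmProperties", {})
        if props.get("primitive") in ASYMMETRIC_PRIMITIVES:
            out.append(ref)
    return out


if __name__ == "__main__":
    bom = load_sample()
    print("dangling references:", dangling_refs(bom))
    print("crypto assets reachable from the application:",
          reachable_crypto_assets(bom, "acme-application"))
    print("asymmetric assets:", asymmetric_assets(bom, "acme-application"))
```

The walk deliberately follows both edge kinds in one pass: an application rarely names an algorithm directly, so the algorithm only becomes visible by crossing from the library's `dependsOn` incoming edge to its `provides` outgoing edges. Dangling references are reported rather than ignored because a CBOM whose `provides` entries point nowhere silently understates the cryptographic surface.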