Achieving Modularity

Introduction

Modularity in CycloneDX enables components to be included in a BOM while allowing their detailed BOMs to be externalized and referenced separately. This approach simplifies complex systems by promoting a clean separation of concerns, where each component’s specific details can be maintained independently. Externalizing component BOMs also enhances scalability, as updates to a component’s BOM can be managed without altering the parent BOM. Additionally, it reduces redundancy and file size, as multiple BOMs can reference the same externalized component BOM. This promotes reusability, improves clarity, and supports efficient collaboration across teams and organizations in managing intricate software supply chains.

This example represents a modular solution consisting of three distinct products, each with its own BOM: Product A, Product B, and Product C. The example BOM itself does not contain any inventory details but serves as a high-level representation of the delivered solution. Each product carries an external reference of type "bom" that points to its own BOM, so the detailed inventory and relationships for each product are maintained separately. This approach simplifies management, reduces redundancy, and ensures the modularity of the solution while providing clear traceability to the components delivered as part of the solution.

Examples

{
  "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json",
  "bomFormat": "CycloneDX",
  "specVersion": "1.6",
  "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79",
  "version": 1,
  "metadata": {
    "timestamp": "2025-01-21T12:00:00Z",
    "component": {
      "name": "Billing Solution",
      "bom-ref": "billing-solution",
      "type": "application",
      "components": [
        {
          "type": "application",
          "name": "Product A",
          "version": "3.2.0",
          "externalReferences": [
            {
              "type": "bom",
              "url": "https://example.com/boms/product-a-3.2.0.cdx.bom"
            }
          ]
        },
        {
          "type": "application",
          "name": "Product B",
          "version": "3.0.1",
          "externalReferences": [
            {
              "type": "bom",
              "url": "https://example.com/boms/product-b-3.0.1.cdx.bom"
            }
          ]
        },
        {
          "type": "application",
          "name": "Product C",
          "version": "5.7.2",
          "externalReferences": [
            {
              "type": "bom",
              "url": "https://example.com/boms/product-c-5.7.2.cdx.bom"
            }
          ]
        }
      ]
    },
    "manufacturer": {
      "name": "Acme Inc"
    },
    "supplier": {
      "name": "Acme Inc"
    }
  }
}
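
The following Python example is added here and is not part of the original page or of CycloneDX project code. It walks the nested components of a BOM shaped like the one above, lists every external reference of type "bom", and flags references a consumer should check before resolving. Assumptions: the sample BOM is constructed from the page's example, the "hashes" entry and its digest are placeholders, and the review policy (https URL or BOM-Link URN, plus a pinning hash) is this example's own.

```python
import json
from urllib.parse import urlparse

# Constructed sample mirroring the page's BOM, trimmed to two products. The
# "hashes" entry on Product B is added here; its digest is a placeholder.
SAMPLE_BOM = json.loads("""
{"bomFormat": "CycloneDX", "specVersion": "1.6",
 "metadata": {"component": {
   "name": "Billing Solution", "type": "application",
   "components": [
     {"type": "application", "name": "Product A", "version": "3.2.0",
      "externalReferences": [{"type": "bom",
        "url": "https://example.com/boms/product-a-3.2.0.cdx.bom"}]},
     {"type": "application", "name": "Product B", "version": "3.0.1",
      "externalReferences": [{"type": "bom",
        "url": "https://example.com/boms/product-b-3.0.1.cdx.bom",
        "hashes": [{"alg": "SHA-256", "content": "<placeholder-digest>"}]}]}
   ]}}}
""")

def walk(component):
    """Yield a component and every component nested beneath it."""
    yield component
    for child in component.get("components", []):
        yield from walk(child)

def external_boms(bom):
    """Return (name, version, url, pinned) for each type=bom reference."""
    roots = bom.get("components", []) + [bom.get("metadata", {}).get("component", {})]
    found = []
    for root in roots:
        for comp in walk(root):
            for ref in comp.get("externalReferences", []):
                if ref.get("type") == "bom":
                    found.append((comp.get("name"), comp.get("version"),
                                  ref.get("url"), bool(ref.get("hashes"))))
    return found

def review(bom):
    """Flag references a consumer should not resolve blindly (assumed policy)."""
    issues = []
    for name, version, url, pinned in external_boms(bom):
        if urlparse(url or "").scheme not in ("https", "urn"):
            issues.append(f"{name} {version}: not https or BOM-Link: {url}")
        if not pinned:
            issues.append(f"{name} {version}: no hash pins the external BOM")
    return issues

print("\n".join(review(SAMPLE_BOM)))
```

A reference without a hash means the parent BOM cannot detect a changed or substituted child BOM at that URL, which is why the example reports it even when the URL uses https.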