Provenance captures the history and origin of components, detailing authorship, suppliers, and their distribution path. CycloneDX provides rich capabilities to represent this information, enabling organizations to track where components come from, how they are used, and who is responsible for their creation and distribution. Through fields like authors, publishers, and suppliers, along with repository references such as Package URLs (purl), CycloneDX creates a transparent record of a component’s origin and history.
Provenance capabilities in CycloneDX are particularly valuable for complex supply chains involving packaging, repackaging, and redistribution. By accurately mapping these relationships, organizations gain an auditable chain of custody, reducing risks associated with unverified or unknown sources. This transparency supports compliance efforts, enhances trust in the software supply chain, and provides critical context for decision-making in development, security, and procurement processes.
| Property | Usage Description |
|---|---|
| supplier | Identifies the organization that provided the component, such as a manufacturer, distributor, or repackager. This field supports provenance by clarifying the origin of a component in the supply chain. |
| author | Specifies the individual or organization responsible for creating the component. Including authorship in provenance establishes accountability and tracks the origin of intellectual property. |
| publisher | Denotes the entity that published the component, which may differ from the supplier or author. It aids provenance by providing transparency about who made the component publicly available. |
| group | Defines a namespace for the component, often corresponding to the producing company or project. This helps organize components and link them to their source in a consistent way. |
| purl | Standardizes metadata for identifying and locating components across ecosystems. Purls enhance provenance by pinpointing the repository or registry from which a component originated. |
| swid | Uses ISO/IEC 19770-2:2015 standards to uniquely identify software, supporting inventory management and vulnerability tracking. SWID tags strengthen provenance by providing a globally recognized identifier for components. |
| externalReferences | Links to external resources, such as documentation, issue trackers, or advisories, related to the component. These references expand provenance by connecting components to supporting or contextual information. |
CycloneDX meets the provenance requirements of NIST SP 800-53 Revision 5, particularly SR-4: Provenance, by tracking the origin, development, ownership, location, and modifications of software components. This structured documentation ensures a complete, auditable chronology, supporting system integrity and security.
{
"$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json",
"bomFormat": "CycloneDX",
"specVersion": "1.6",
"serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79",
"version": 1,
"components": [
{
"type": "library",
"supplier": {
"name": "Example, Inc.",
"url": [
"https://example.com",
"https://example.net"
],
"contact": [
{
"name": "Example Support AMER Distribution",
"email": "[email protected]",
"phone": "800-555-1212"
},
{
"name": "Example Support APAC",
"email": "[email protected]"
}
]
},
"author": "Example Development Labs - Alpha Team",
"publisher": "Example Development Labs",
"group": "com.example",
"name": "crypto-library",
"version": "3.0.0",
"swid": {
"tagId": "swidgen-5dcb79af-a1d2-61b3-34fd-536c53b08810_3.0.0",
"name": "Crypto Library",
"version": "3.0.0",
"text": {
"contentType": "text/xml",
"encoding": "base64",
"content": "PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0idXRmLTgiID8+CjxTb2Z0d2FyZUlkZW50aXR5IHhtbDpsYW5nPSJFTiIgbmFtZT0iQ3J5cHRvIExpYnJhcnkiIHZlcnNpb249IjMuMC4wIiAKIHZlcnNpb25TY2hlbWU9Im11bHRpcGFydG51bWVyaWMiIAogdGFnSWQ9InN3aWRnZW4tNWRjYjc5YWYtYTFkMi02MWIzLTM0ZmQtNTM2YzUzYjA4ODEwXzMuMC4wIiAKIHhtbG5zPSJodHRwOi8vc3RhbmRhcmRzLmlzby5vcmcvaXNvLzE5NzcwLy0yLzIwMTUvc2NoZW1hLnhzZCI+IAogeG1sbnM6eHNpPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxL1hNTFNjaGVtYS1pbnN0YW5jZSIgCiB4c2k6c2NoZW1hTG9jYXRpb249Imh0dHA6Ly9zdGFuZGFyZHMuaXNvLm9yZy9pc28vMTk3NzAvLTIvMjAxNS1jdXJyZW50L3NjaGVtYS54c2Qgc2NoZW1hLnhzZCIgPgogIDxNZXRhIGdlbmVyYXRvcj0iU1dJRCBUYWcgT25saW5lIEdlbmVyYXRvciB2MC4xIiAvPiAKICA8RW50aXR5IG5hbWU9IkV4YW1wbGUsIEluYy4iIHJlZ2lkPSJleGFtcGxlLmNvbSIgcm9sZT0idGFnQ3JlYXRvciIgLz4gCjwvU29mdHdhcmVJZGVudGl0eT4="
}
},
"purl": "pkg:maven/com.example/[email protected]?repository_url=repo.example.com",
"externalReferences": [
{
"type": "build-system",
"url": "https://ci.example.com"
},
{
"type": "issue-tracker",
"url": "https://issues.example.com"
},
{
"type": "support",
"url": "mailto:[email protected]"
},
{
"type": "security-contact",
"url": "mailto:[email protected]"
},
{
"type": "formulation",
"url": "https://support.example.com/crypto-library/3.0/formulation.cyclonedx.json"
},
{
"type": "rfc-9116",
"url": "https://code.example.com/crypto-library/security.txt"
},
{
"type": "vcs",
"url": "https://code.example.com/crypto-library"
}
]
}
]
}