Service Dependencies

Introduction

Service dependencies are the backbone of modern application architectures, facilitating functionality through APIs, microservices, and external systems. These dependencies can be direct, where a software component or service explicitly relies on another service, or transitive, where a service depends on additional services to fulfill its role.

CycloneDX provides the ability to describe services and their dependencies on other services. This relies on a service's bom-ref to associate the service with its dependency element in the graph. The only requirement for bom-ref is that it is unique within the BOM.

Highlighted fields

| Property | Usage Description |
| --- | --- |
| bom-ref | A unique identifier within the BOM used to reference a specific component or service elsewhere in the document, enabling precise cross-referencing and relationships. |
| ref | Identifies the component or service being described, which may depend on other components or services. |
| dependsOn | Lists the bom-ref identifiers of components or services that the described component or service depends on. |

Components or services that do not have their own dependencies must be declared as empty elements within the graph. Components or services that are not represented in the dependency graph may have unknown dependencies. It is recommended that implementations assume this to be opaque and not an indicator of an object being dependency-free. It is recommended to leverage compositions to indicate unknown dependency graphs.

This example outlines the dependency relationships for the "Acme Cloud Example" application and its supporting services. It shows how the application relies on multiple services, such as Microservice 1, 2, and 3, while also detailing how these services depend on resources like a Postgres database and an S3 bucket, forming a clear hierarchy of interconnected services.

Examples

{
  "bomFormat": "CycloneDX",
  "specVersion": "1.6",
  "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79",
  "version": 1,
  "metadata": {
    "timestamp": "2024-12-10T12:00:00Z",
    "component": {
      "bom-ref": "acme-application",
      "type": "application",
      "name": "Acme Cloud Example",
      "version": "2025-1"
    }
  },
  "services": [
    {
      "bom-ref": "microservice-1",
      "name": "Microservice 1",
      "endpoints": [
        "https://ms-1.example.com"
      ],
      "data": [
        {
          "classification": "PII",
          "flow": "bi-directional",
          "source": [ "urn:cdx:3e671687-395b-41f5-a30f-a58921a69b79/1#acme-application" ]
        },
        {
          "classification": "PII",
          "flow": "bi-directional",
          "destination": [ "urn:cdx:3e671687-395b-41f5-a30f-a58921a69b79/1#pgsql" ]
        }
      ]
    },
    {
      "bom-ref": "microservice-2",
      "name": "Microservice 2",
      "endpoints": [
        "https://ms-2.example.com"
      ],
      "data": [
        {
          "classification": "PIFI",
          "flow": "inbound",
          "source": [ "urn:cdx:3e671687-395b-41f5-a30f-a58921a69b79/1#acme-application" ]
        }
      ]
    },
    {
      "bom-ref": "microservice-3",
      "name": "Microservice 3",
      "endpoints": [
        "https://ms-3.example.com"
      ],
      "data": [
        {
          "classification": "Public",
          "flow": "bi-directional",
          "source": [ "urn:cdx:3e671687-395b-41f5-a30f-a58921a69b79/1#acme-application" ]
        },
        {
          "classification": "Public",
          "flow": "bi-directional",
          "destination": [ "urn:cdx:3e671687-395b-41f5-a30f-a58921a69b79/1#s3-service" ]
        }
      ]
    },
    {
      "bom-ref": "pgsql",
      "name": "Postgres",
      "endpoints": [
        "https://ms-1-pgsql.example.com:5432"
      ],
      "data": [
        {
          "classification": "PII",
          "flow": "bi-directional",
          "source": [ "urn:cdx:3e671687-395b-41f5-a30f-a58921a69b79/1#microservice-1" ]
        }
      ]
    },
    {
      "bom-ref": "s3-service",
      "name": "S3 bucket",
      "endpoints": [
        "https://s3-example.amazon.com"
      ],
      "data": [
        {
          "classification": "Public",
          "flow": "bi-directional",
          "source": [ "urn:cdx:3e671687-395b-41f5-a30f-a58921a69b79/1#microservice-3" ]
        }
      ]
    }
  ],
  "dependencies": [
    {
      "ref": "acme-application",
      "dependsOn": [ "microservice-1", "microservice-2", "microservice-3" ]
    },
    {
      "ref": "microservice-1",
      "dependsOn": [ "pgsql" ]
    },
    {
      "ref": "microservice-2",
      "dependsOn": [ ]
    },
    {
      "ref": "microservice-3",
      "dependsOn": [ "s3-service" ]
    }
  ]
}
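
The following check is an added example, not part of the CycloneDX documentation or tooling. It applies the rules above to a trimmed copy of this BOM: it separates objects declared as empty elements from objects missing from the graph (unknown dependencies), and flags duplicate or unresolved bom-ref values. The function name `audit_dependency_graph` and the result keys are hypothetical, and nested components are not traversed.

```python
import json

# Trimmed copy of the page's BOM: only the fields this check reads.
BOM = json.loads("""
{
  "metadata": {"component": {"bom-ref": "acme-application"}},
  "services": [
    {"bom-ref": "microservice-1"}, {"bom-ref": "microservice-2"},
    {"bom-ref": "microservice-3"}, {"bom-ref": "pgsql"}, {"bom-ref": "s3-service"}
  ],
  "dependencies": [
    {"ref": "acme-application",
     "dependsOn": ["microservice-1", "microservice-2", "microservice-3"]},
    {"ref": "microservice-1", "dependsOn": ["pgsql"]},
    {"ref": "microservice-2", "dependsOn": []},
    {"ref": "microservice-3", "dependsOn": ["s3-service"]}
  ]
}
""")


def audit_dependency_graph(bom):
    """Classify declared bom-refs by what the dependency graph states about them."""
    root = bom.get("metadata", {}).get("component")
    objects = ([root] if root else []) + bom.get("components", []) + bom.get("services", [])
    declared = [o["bom-ref"] for o in objects if "bom-ref" in o]
    # ref -> dependsOn list; an entry without dependsOn counts as an empty element.
    graph = {d["ref"]: d.get("dependsOn", []) for d in bom.get("dependencies", [])}
    used = set(graph) | {t for targets in graph.values() for t in targets}
    return {
        # bom-ref must be unique within the BOM
        "duplicate_refs": sorted({r for r in declared if declared.count(r) > 1}),
        # ref / dependsOn values that resolve to no declared object
        "dangling_refs": sorted(used - set(declared)),
        # explicitly declared as having no dependencies
        "declared_leaf": sorted(r for r, targets in graph.items() if not targets),
        # no dependency element of their own: opaque, not dependency-free
        "unknown_dependencies": sorted(set(declared) - set(graph)),
    }


if __name__ == "__main__":
    for key, refs in audit_dependency_graph(BOM).items():
        print(f"{key}: {refs}")
```

For this BOM, `microservice-2` is reported as a declared leaf, while `pgsql` and `s3-service` appear only as `dependsOn` targets and are reported as having unknown dependencies.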