Services are a critical aspect of modern software applications, and their inclusion in a Software Bill of Materials (SBOM) provides a more complete view of an application’s inventory. CycloneDX allows services to be described alongside traditional components in an SBOM, capturing the interactions, dependencies, and data flows that define how software operates. By integrating services into the inventory, organizations can achieve greater visibility into how applications interact with external and internal services, enhancing their ability to manage risks, facilitate compliance, and optimize operations.
CycloneDX also supports the creation of BOMs composed entirely of services, referred to as SaaSBOMs. These specialized BOMs are designed to represent the individual services powering cloud-native applications, such as APIs, microservices, and serverless functions. A SaaSBOM enables organizations to document and analyze the services that form the backbone of their cloud environments, focusing on attributes like licensing, data governance, endpoints, and dependencies. This capability helps organizations manage the complexity of cloud-native architectures while maintaining transparency and accountability.
| Property | Usage Description |
|---|---|
| provider | Represents the organization or entity supplying the service, including contact details and URLs for support or additional information. |
| endpoints | Specify the accessible interfaces (URLs or APIs) where the service can be invoked, enabling integration and operational oversight. |
| data.classification | Categorizes the type of data (e.g., PII, PIFI, public) handled by the service to support compliance with security and privacy standards. |
| data.flow | Indicates the direction (inbound, outbound, bi-directional) of data transfer, clarifying interactions between services and components. |
| data.source | Specifies the origin of the data, represented as either a direct URL or a BOM-Link URI that points to a location within the BOM. |
| data.destination | Identifies where the data is transmitted, using either a direct URL or a BOM-Link URI to reference a specific location within the BOM. |
| data.governance | Defines the roles of organizations or individuals in managing the data handled by the service, including oversight of data access, usage, and compliance with policies and regulations. |
| license.licensing | Describes the commercial licenses associated with the service, outlining the licensor, licensee, and the terms that define how the service can be used. This information supports transparency and adherence to contractual obligations. For further details, see the Commercial Licensing Use Case. |
| license.licenseTypes | Describes the nature of the license (e.g., subscription, perpetual), aiding in financial and compliance tracking. |
| license.lastRenewal | Indicates the most recent date the license was renewed, providing a reference for lifecycle management. |
| license.expiration | Specifies the date when the commercial license will no longer be valid, providing a clear timeline for renewal or replacement to maintain uninterrupted access to the service. |
```json
{
  "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json",
  "bomFormat": "CycloneDX",
  "specVersion": "1.6",
  "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79",
  "version": 1,
  "components": [
    {
      "bom-ref": "component-a",
      "type": "library",
      "group": "com.acme",
      "name": "stock-java-client",
      "version": "1.0.12",
      "purl": "pkg:maven/com.acme/stock-java-client@1.0.12"
    }
  ],
  "services": [
    {
      "bom-ref": "b2a46a4b-8367-4bae-9820-95557cfe03a8",
      "provider": {
        "name": "Partner Org",
        "url": [
          "https://partner.org"
        ],
        "contact": [
          {
            "name": "Support",
            "email": "support@partner",
            "phone": "800-555-1212"
          }
        ]
      },
      "group": "org.partner",
      "name": "Stock ticker service",
      "version": "2020-Q2",
      "description": "Provides real-time stock information",
      "endpoints": [
        "https://partner.org/api/v1/lookup",
        "https://partner.org/api/v1/stock"
      ],
      "authenticated": true,
      "x-trust-boundary": true,
      "trustZone": "public-internet",
      "data": [
        {
          "classification": "PII",
          "governance": {
            "custodians": [
              {
                "organization": {
                  "name": "Acme Inc",
                  "contact": [
                    {
                      "name": "IT Department"
                    }
                  ]
                }
              },
              {
                "organization": {
                  "name": "Partner Org"
                }
              }
            ],
            "stewards": [
              {
                "organization": {
                  "name": "Acme Inc",
                  "contact": [
                    {
                      "name": "Compliance Officer"
                    }
                  ]
                }
              }
            ],
            "owners": [
              {
                "organization": {
                  "name": "Acme Inc"
                }
              }
            ]
          },
          "flow": "inbound",
          "source": [ "urn:cdx:3e671687-395b-41f5-a30f-a58921a69b79/1#component-a" ]
        },
        {
          "classification": "PIFI",
          "flow": "outbound",
          "destination": [ "urn:cdx:3e671687-395b-41f5-a30f-a58921a69b79/1#component-a" ]
        },
        {
          "classification": "public",
          "flow": "bi-directional",
          "source": [ "urn:cdx:3e671687-395b-41f5-a30f-a58921a69b79/1#component-a" ],
          "destination": [ "urn:cdx:3e671687-395b-41f5-a30f-a58921a69b79/1#component-a" ]
        }
      ],
      "licenses": [
        {
          "license": {
            "name": "Partner license",
            "licensing": {
              "licensor": {
                "organization": {
                  "name": "Partner Org"
                }
              },
              "licensee": {
                "organization": {
                  "name": "Acme Inc"
                }
              },
              "licenseTypes": ["subscription"],
              "lastRenewal": "2024-04-13T20:20:39+00:00",
              "expiration": "2026-04-13T20:20:39+00:00"
            }
          }
        }
      ],
      "externalReferences": [
        {
          "type": "website",
          "url": "http://partner.org"
        },
        {
          "type": "documentation",
          "url": "http://api.partner.org/swagger"
        }
      ]
    }
  ],
  "dependencies": [
    {
      "ref": "component-a",
      "dependsOn": [
        "b2a46a4b-8367-4bae-9820-95557cfe03a8"
      ]
    }
  ]
}
```
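As an added example (not CycloneDX project code), the following Python reviews a BOM shaped like the one above: it resolves the `urn:cdx:<serial>/<version>#<bom-ref>` BOM-Link URIs used in `data.source` and `data.destination` against the BOM's own `serialNumber`, `version` and `bom-ref`s, and reports PII/PIFI flows across a trust boundary and commercial licenses about to expire. The `SAMPLE_BOM` is a constructed, trimmed copy of the page's example with one deliberately unresolvable link added; `resolve_bom_link` and `review_services` are names chosen here, not spec or library API.

```python
import re
from datetime import datetime, timedelta
BOM_LINK = re.compile(r"^urn:cdx:([0-9a-fA-F-]{36})/(\d+)#(.+)$")  # spec shape: urn:cdx:<uuid>/<version>#<bom-ref>

# Constructed sample: a trimmed copy of the page's BOM plus one deliberately unresolvable
# BOM-Link (version /2 of this BOM does not exist) so the link check has something to report.
SAMPLE_BOM = {
    "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79", "version": 1,
    "components": [{"bom-ref": "component-a", "name": "stock-java-client"}],
    "services": [{
        "bom-ref": "b2a46a4b-8367-4bae-9820-95557cfe03a8", "name": "Stock ticker service",
        "x-trust-boundary": True,
        "data": [
            {"classification": "PII", "flow": "inbound",
             "source": ["urn:cdx:3e671687-395b-41f5-a30f-a58921a69b79/1#component-a"]},
            {"classification": "public", "flow": "outbound",
             "destination": ["urn:cdx:3e671687-395b-41f5-a30f-a58921a69b79/2#component-a"]},
        ],
        "licenses": [{"license": {"name": "Partner license", "licensing": {
            "licenseTypes": ["subscription"], "expiration": "2026-04-13T20:20:39+00:00"}}}],
    }],
}

def resolve_bom_link(bom, uri):
    """Return the bom-ref a BOM-Link targets in *bom*, or None (malformed, other BOM/version, unknown ref)."""
    if not (m := BOM_LINK.match(uri)):
        return None
    serial, version, ref = m.groups()
    if bom["serialNumber"] != f"urn:uuid:{serial}" or int(version) != bom["version"]:
        return None
    known = {e["bom-ref"] for e in bom.get("components", []) + bom.get("services", [])}
    return ref if ref in known else None

def review_services(bom, today_iso, expiry_window_days=90):
    """Return (service, finding) pairs: PII/PIFI across a trust boundary, dead BOM-Links, licenses near expiry."""
    today, findings = datetime.fromisoformat(today_iso), []  # today_iso must carry a UTC offset
    for svc in bom.get("services", []):
        name, crosses = svc["name"], svc.get("x-trust-boundary", False)
        for d in svc.get("data", []):
            cls = d.get("classification", "")
            if cls in ("PII", "PIFI") and crosses:
                findings.append((name, f"{cls} flows {d['flow']} across a trust boundary"))
            for uri in d.get("source", []) + d.get("destination", []):
                if uri.startswith("urn:cdx:") and resolve_bom_link(bom, uri) is None:
                    findings.append((name, f"unresolvable BOM-Link {uri}"))
        for lic in svc.get("licenses", []):
            exp = lic.get("license", {}).get("licensing", {}).get("expiration")
            if exp and datetime.fromisoformat(exp) - today < timedelta(days=expiry_window_days):
                findings.append((name, f"license expires {exp}"))
    return findings
```

Links to another BOM, or to another version of this BOM, are reported as unresolvable because they cannot be checked without that document; a real pipeline would fetch it via its BOM-Link rather than treating the reference as broken.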