Software Components

Introduction

Software components form the foundation of modern applications, representing individual building blocks in the software supply chain. Effective inventory management ensures that these components are accounted for. CycloneDX empowers organizations to assert the identity of software components through standardized identifiers, including Package-URLs (PURLs), Common Platform Enumerations (CPEs), Software Identification Tags (SWIDs), OmniBOR Artifact Identifiers (OmniBORs), and Software Heritage Identifiers (SWHIDs).

Further, evidence-based assertions elevate the trustworthiness of inventory records. Evidence captures details like the methods used to establish a component's identity (e.g., hash comparisons, filenames, or abstract syntax tree fingerprints) and the confidence level of these conclusions. This capability allows stakeholders to have transparency and confidence in the veracity of the inventory while supporting compliance, vulnerability management, and operational decision-making.

Highlighted fields

Property | Usage Description
hashes | Cryptographic digests (e.g., SHA-256, SHA-512) that assert the integrity of a component.
cpe | Common Platform Enumeration string that asserts component identity by mapping to standardized software and hardware platforms.
purl | Package-URL that asserts a component's identity.
swid | Software Identification Tags asserting software identity and supporting robust Software Asset Management (SAM), aligned with ISO/IEC 19770-2:2015.
omniborId | OmniBOR Artifact IDs assert the identity of source code files incorporated into software artifacts, ensuring granular tracking.
swhid | Software Heritage Identifiers assert component identity by tracing software artifacts within a global historical archive.
evidence.identity | Documents methods (e.g., filename matching, AST fingerprinting, hash comparison) with confidence levels to assert the identity of a component, enabling transparency and accountability.
occurrences | Specifies the locations where a component is present, asserting its existence in different operational or development environments for comprehensive inventory management.
tags | Metadata labels used to categorize components within Software Asset Management (SAM) systems, enabling easier organization, filtering, and analysis based on attributes such as functionality, criticality, or deployment environment.

The example below demonstrates how the identifiers in the component object, such as PURLs, CPEs, SWIDs, OmniBORs, and SWHIDs, assert the identity of the software component. Evidence further substantiates these assertions through various methods, including hash comparisons, AST fingerprints, and filenames, enabling support for multiple, even conflicting, pieces of evidence while aligning all identifiers with verifiable data.

Examples

{
  "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json",
  "bomFormat": "CycloneDX",
  "specVersion": "1.6",
  "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79",
  "version": 1,
  "components": [
    {
      "type": "application",
      "name": "Example Application",
      "version": "1.0.0",
      "hashes": [
        {
          "alg": "SHA-256",
          "content": "d88bc4e70bfb34d18b5542136639acbb26a8ae2429aa1e47489332fb389cc964"
        },
        {
          "alg": "SHA-512",
          "content": "74a51ff45e4c11df9ba1f0094282c80489649cb157a75fa337992d2d4592a5a1b8cb4525de8db0ae25233553924d76c36e093ea7fa9df4e5b8b07fd2e074efd6"
        }
      ],
      "cpe": "cpe:/a:acme:example_application:1.0.0",
      "purl": "pkg:maven/acme/example-application@1.0.0",
      "omniborId": [
        "gitoid:blob:sha1:261eeb9e9f8b2b4b0d119366dda99c6fd7d35c64",
        "gitoid:blob:sha256:9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08"
      ],
      "swhid": [
        "swh:1:cnt:94a9ed024d3859793618152ea559a168bbcbb5e2",
        "swh:1:dir:d198bc9d7a6bcf6db04f476d29314f157507d505"
      ],
      "swid": {
        "tagId": "83f4f966-9a9a-4892-a254-473838c57ac4",
        "name": "Example Application",
        "version": "1.0.0",
        "text": {
          "contentType": "text/xml",
          "encoding": "base64",
          "content": "PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0idXRmLTgiID8+CjxTb2Z0d2FyZUlkZW50aXR5IHhtbDpsYW5nPSJFTiIgbmFtZT0iRXhhbXBsZSBBcHBsaWNhdGlvbiIgdmVyc2lvbj0iMS4wLjAiIAogICAgdmVyc2lvblNjaGVtZT0ibXVsdGlwYXJ0bnVtZXJpYyIgCiAgICB0YWdJZD0iODNmNGY5NjYtOWE5YS00ODkyLWEyNTQtNDczODM4YzU3YWM0IiAKICAgIHhtbG5zPSJodHRwOi8vc3RhbmRhcmRzLmlzby5vcmcvaXNvLzE5NzcwLy0yLzIwMTUvc2NoZW1hLnhzZCI+CgogICAgPEVudGl0eSBuYW1lPSJBY21lIiByZWdpZD0iZXhhbXBsZS5jb20iIHJvbGU9InNvZnR3YXJlQ3JlYXRvciIgLz4gCiAgICA8RW50aXR5IG5hbWU9IkFjbWUiIHJlZ2lkPSJleGFtcGxlLmNvbSIgcm9sZT0idGFnQ3JlYXRvciIgLz4gCjwvU29mdHdhcmVJZGVudGl0eT4="
        }
      },
      "evidence": {
        "identity": [
          {
            "field": "purl",
            "confidence": 1,
            "concludedValue": "pkg:maven/acme/example-application@1.0.0",
            "methods": [
              {
                "technique": "filename",
                "confidence": 0.1,
                "value": "example-application-1.0.0.jar"
              },
              {
                "technique": "ast-fingerprint",
                "confidence": 0.9,
                "value": "61e4bc08251761c3a73b606b9110a65899cb7d44f3b14c81ebc1e67c98e1d9ab"
              },
              {
                "technique": "hash-comparison",
                "confidence": 0.7,
                "value": "d88bc4e70bfb34d18b5542136639acbb26a8ae2429aa1e47489332fb389cc964"
              }
            ]
          }
        ],
        "occurrences": [
          {
            "location": "/path/to/component"
          },
          {
            "location": "/another/path/to/component"
          }
        ]
      },
      "tags": [
        "data-processing",
        "credit-card-processing",
        "iso-20022",
        "java"
      ]
    }
  ]
}
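The identity assertions above are only as good as the checks a consumer runs against them. The following added example (not CycloneDX project code) verifies a component record like the one above against the actual artifact bytes: it recomputes each listed hash, confirms that every `hash-comparison` evidence value is a real digest of the artifact, and confirms that the `concludedValue` agrees with the component's own `purl` field. The artifact bytes and the component record are constructed here so the example runs offline; its digests are computed from those bytes.

```python
import hashlib

# Constructed sample artifact and component record (not the page's values);
# the digests are derived from ARTIFACT so the example is self-contained.
ARTIFACT = b"PK\x03\x04 constructed example-application-1.0.0.jar bytes"
COMPONENT = {
    "type": "application",
    "name": "Example Application",
    "version": "1.0.0",
    "hashes": [
        {"alg": "SHA-256", "content": hashlib.sha256(ARTIFACT).hexdigest()},
        {"alg": "SHA-512", "content": hashlib.sha512(ARTIFACT).hexdigest()},
    ],
    "purl": "pkg:maven/acme/example-application@1.0.0",
    "evidence": {"identity": [{
        "field": "purl",
        "confidence": 1,
        "concludedValue": "pkg:maven/acme/example-application@1.0.0",
        "methods": [
            {"technique": "filename", "confidence": 0.1,
             "value": "example-application-1.0.0.jar"},
            {"technique": "hash-comparison", "confidence": 0.7,
             "value": hashlib.sha256(ARTIFACT).hexdigest()},
        ],
    }]},
}

# CycloneDX hash algorithm names mapped to hashlib constructors (subset).
HASHLIB = {"SHA-1": hashlib.sha1, "SHA-256": hashlib.sha256, "SHA-512": hashlib.sha512}


def verify_component(component, artifact):
    """Check asserted hashes and identity evidence against the real artifact bytes."""
    digests = {alg: fn(artifact).hexdigest() for alg, fn in HASHLIB.items()}
    report = {"hash_mismatches": [], "evidence": []}
    for h in component.get("hashes", []):
        if h["alg"] in digests and digests[h["alg"]] != h["content"].lower():
            report["hash_mismatches"].append(h["alg"])
    for ident in component.get("evidence", {}).get("identity", []):
        field = ident["field"]
        # The concluded value must match the identifier the component itself asserts.
        consistent = component.get(field) == ident.get("concludedValue")
        # A hash-comparison method only counts if its value is a digest of this artifact.
        for m in ident.get("methods", []):
            if m["technique"] == "hash-comparison":
                consistent = consistent and m["value"].lower() in digests.values()
        report["evidence"].append({"field": field, "consistent": consistent,
                                   "confidence": ident.get("confidence", 0)})
    report["ok"] = not report["hash_mismatches"] and all(e["consistent"] for e in report["evidence"])
    return report
```

A mismatch in `hash_mismatches` means the inventory describes a different artifact than the one on disk; an inconsistent evidence entry means the evidence does not support the identifier the component claims.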