SBOM
Introduction
The SBOM Schema (Software Bill of Materials) is a JSON schema designed to describe and standardise the components, tools, and metadata associated with a software project within the Trusted AI BOM (TAIBOM) ecosystem. This schema provides a comprehensive overview of a project's dependencies, tools used, and key details for ensuring traceability and security.
Description
This schema captures essential metadata for an SBOM, including:
- BOM Format: The format of the SBOM (e.g., CycloneDX).
- Specification Version: The version of the SBOM specification used.
- Serial Number: A unique identifier for the SBOM instance.
- Version: The version number of the SBOM itself.
- Metadata: Details about the SBOM generation process, including timestamps, tools, and component information.
- Components: A detailed list of all components in the SBOM, including their type, name, version, and identifiers (e.g., CPE, PURL).
Use Case
The SBOM Schema is primarily used within the TAIBOM framework to:
- Document Software Components: Provide a standardised record of all dependencies and components used in a software project.
- Enhance Security: Facilitate vulnerability management by offering detailed metadata, including CPEs and PURLs for components.
- Support Software Lifecycle Management: Enable effective tracking of tools and processes involved in the software's creation and maintenance.
By adopting this schema, organisations can create detailed and reliable SBOMs, ensuring transparency, traceability, and security throughout the software development lifecycle.
Schemas
YAML
$id: https://github.com/nqminds/Trusted-AI-BOM/blob/main/packages/schemas/src/taibom-schemas/30-sbom.v1.0.0.schema.yaml
$schema: https://json-schema.org/draft/2019-09/schema
title: SBOM
description: A software bill of materials (SBOM) generated for the project.
type: object
properties:
  bomFormat:
    type: string
    description: Format of the SBOM.
  specVersion:
    type: string
    description: Version of the SBOM specification.
  serialNumber:
    type: string
    description: Unique serial number for the SBOM.
  version:
    type: integer
    description: Version number of the SBOM.
  metadata:
    type: object
    description: Metadata related to the SBOM generation.
    properties:
      timestamp:
        type: string
        format: date-time
        description: Timestamp when the SBOM was generated.
      tools:
        type: object
        description: Tools used to generate the SBOM.
        properties:
          components:
            type: array
            description: List of tools and their metadata.
            items:
              type: object
              properties:
                type:
                  type: string
                  description: Type of tool (e.g., application).
                author:
                  type: string
                  description: Author of the tool.
                name:
                  type: string
                  description: Name of the tool.
                version:
                  type: string
                  description: Version of the tool.
      component:
        type: object
        description: Component information of the project.
        properties:
          bom-ref:
            type: string
            description: Unique reference for the component.
          type:
            type: string
            description: Type of the component (e.g., file, library).
          name:
            type: string
            description: Name of the component.
  components:
    type: array
    description: List of components in the SBOM.
    items:
      type: object
      properties:
        bom-ref:
          type: string
          description: Unique reference for the component.
        type:
          type: string
          description: Type of the component (e.g., library).
        name:
          type: string
          description: Name of the component.
        version:
          type: string
          description: Version of the component.
        cpe:
          type: string
          description: Common Platform Enumeration (CPE) for the component.
        purl:
          type: string
          description: Package URL (PURL) for the component.
        properties:
          type: array
          description: Additional metadata for the component.
          items:
            type: object
            properties:
              name:
                type: string
                description: Property name.
              value:
                type: string
                description: Property value.
required:
  - bomFormat
  - specVersion
  - serialNumber
  - version
  - metadata
  - components
JSON
{
  "$id": "https://github.com/nqminds/Trusted-AI-BOM/blob/main/packages/schemas/src/taibom-schemas/30-sbom.v1.0.0.schema.yaml",
  "$schema": "https://json-schema.org/draft/2019-09/schema",
  "title": "SBOM",
  "description": "A software bill of materials (SBOM) generated for the project.",
  "type": "object",
  "properties": {
    "bomFormat": {
      "type": "string",
      "description": "Format of the SBOM."
    },
    "specVersion": {
      "type": "string",
      "description": "Version of the SBOM specification."
    },
    "serialNumber": {
      "type": "string",
      "description": "Unique serial number for the SBOM."
    },
    "version": {
      "type": "integer",
      "description": "Version number of the SBOM."
    },
    "metadata": {
      "type": "object",
      "description": "Metadata related to the SBOM generation.",
      "properties": {
        "timestamp": {
          "type": "string",
          "format": "date-time",
          "description": "Timestamp when the SBOM was generated."
        },
        "tools": {
          "type": "object",
          "description": "Tools used to generate the SBOM.",
          "properties": {
            "components": {
              "type": "array",
              "description": "List of tools and their metadata.",
              "items": {
                "type": "object",
                "properties": {
                  "type": {
                    "type": "string",
                    "description": "Type of tool (e.g., application)."
                  },
                  "author": {
                    "type": "string",
                    "description": "Author of the tool."
                  },
                  "name": {
                    "type": "string",
                    "description": "Name of the tool."
                  },
                  "version": {
                    "type": "string",
                    "description": "Version of the tool."
                  }
                }
              }
            }
          }
        },
        "component": {
          "type": "object",
          "description": "Component information of the project.",
          "properties": {
            "bom-ref": {
              "type": "string",
              "description": "Unique reference for the component."
            },
            "type": {
              "type": "string",
              "description": "Type of the component (e.g., file, library)."
            },
            "name": {
              "type": "string",
              "description": "Name of the component."
            }
          }
        }
      }
    },
    "components": {
      "type": "array",
      "description": "List of components in the SBOM.",
      "items": {
        "type": "object",
        "properties": {
          "bom-ref": {
            "type": "string",
            "description": "Unique reference for the component."
          },
          "type": {
            "type": "string",
            "description": "Type of the component (e.g., library)."
          },
          "name": {
            "type": "string",
            "description": "Name of the component."
          },
          "version": {
            "type": "string",
            "description": "Version of the component."
          },
          "cpe": {
            "type": "string",
            "description": "Common Platform Enumeration (CPE) for the component."
          },
          "purl": {
            "type": "string",
            "description": "Package URL (PURL) for the component."
          },
          "properties": {
            "type": "array",
            "description": "Additional metadata for the component.",
            "items": {
              "type": "object",
              "properties": {
                "name": {
                  "type": "string",
                  "description": "Property name."
                },
                "value": {
                  "type": "string",
                  "description": "Property value."
                }
              }
            }
          }
        }
      }
    }
  },
  "required": [
    "bomFormat",
    "specVersion",
    "serialNumber",
    "version",
    "metadata",
    "components"
  ]
}
Markdown
SBOM
A software bill of materials (SBOM) generated for the project.
The schema defines the following properties:
- bomFormat (string, required): Format of the SBOM.
- specVersion (string, required): Version of the SBOM specification.
- serialNumber (string, required): Unique serial number for the SBOM.
- version (integer, required): Version number of the SBOM.
- metadata (object, required): Metadata related to the SBOM generation. Properties of the metadata object:
  - timestamp (string): Timestamp when the SBOM was generated.
  - tools (object): Tools used to generate the SBOM. Properties of the tools object:
    - components (array): List of tools and their metadata. Every element is an object with the following properties:
      - type (string): Type of tool (e.g., application).
      - author (string): Author of the tool.
      - name (string): Name of the tool.
      - version (string): Version of the tool.
  - component (object): Component information of the project. Properties of the component object:
    - bom-ref (string): Unique reference for the component.
    - type (string): Type of the component (e.g., file, library).
    - name (string): Name of the component.
- components (array, required): List of components in the SBOM. Every element is an object with the following properties:
  - bom-ref (string): Unique reference for the component.
  - type (string): Type of the component (e.g., library).
  - name (string): Name of the component.
  - version (string): Version of the component.
  - cpe (string): Common Platform Enumeration (CPE) for the component.
  - purl (string): Package URL (PURL) for the component.
  - properties (array): Additional metadata for the component. Every element is an object with the following properties:
    - name (string): Property name.
    - value (string): Property value.
Examples
Table
bomFormat | specVersion | serialNumber | version | metadata | components
---|---|---|---|---|---
CycloneDX | 1.6 | urn:uuid:e865fb76-fb02-4554-bad7-7a92344317fe | 1 | (object) | (array)
JSON
[
  {
    "bomFormat": "CycloneDX",
    "specVersion": "1.6",
    "serialNumber": "urn:uuid:e865fb76-fb02-4554-bad7-7a92344317fe",
    "version": 1,
    "metadata": {
      "timestamp": "2024-10-18T15:15:51Z",
      "tools": {
        "components": [
          {
            "type": "application",
            "author": "anchore",
            "name": "syft",
            "version": "1.14.1"
          }
        ]
      },
      "component": {
        "bom-ref": "51f6561dc978bfb7",
        "type": "file",
        "name": "/project"
      }
    },
    "components": [
      {
        "bom-ref": "pkg:pypi/absl-py@1.4.0?package-id=3ca3d32070abe037",
        "type": "library",
        "name": "absl-py",
        "version": "1.4.0",
        "cpe": "cpe:2.3:a:python-absl-py:python-absl-py:1.4.0:*:*:*:*:*:*:*",
        "purl": "pkg:pypi/absl-py@1.4.0",
        "properties": [
          {
            "name": "syft:package:foundBy",
            "value": "python-package-cataloger"
          },
          {
            "name": "syft:package:language",
            "value": "python"
          },
          {
            "name": "syft:package:type",
            "value": "python"
          },
          {
            "name": "syft:cpe23",
            "value": "cpe:2.3:a:absl-py:python-absl-py:1.4.0:*:*:*:*:*:*:*"
          }
        ]
      }
    ]
  }
]
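The schema only types the vulnerability-matching fields as strings, so a consumer that feeds an SBOM into a scanner still has to check their shape itself. The added example below (written for this page, not part of the TAIBOM project) checks the schema's required fields and declared types, that serialNumber uses the urn:uuid form the example above uses, that each component's PURL parses and agrees with its version, and that each cpe has the 13 fields of a CPE 2.3 string; it then collects every CPE candidate per component, which matters here because the example's cpe field (vendor python-absl-py) and its syft:cpe23 property (vendor absl-py) differ. The sample document is a trimmed copy of the page's example.

```python
import json
import re
# Constructed sample: a trimmed copy of the page's syft-generated CycloneDX 1.6 example.
SAMPLE_SBOM = json.loads("""{
  "bomFormat": "CycloneDX", "specVersion": "1.6", "version": 1,
  "serialNumber": "urn:uuid:e865fb76-fb02-4554-bad7-7a92344317fe",
  "metadata": {"timestamp": "2024-10-18T15:15:51Z", "component": {"type": "file", "name": "/project"}},
  "components": [{
    "bom-ref": "pkg:pypi/absl-py@1.4.0?package-id=3ca3d32070abe037",
    "type": "library", "name": "absl-py", "version": "1.4.0",
    "cpe": "cpe:2.3:a:python-absl-py:python-absl-py:1.4.0:*:*:*:*:*:*:*",
    "purl": "pkg:pypi/absl-py@1.4.0",
    "properties": [{"name": "syft:cpe23",
                    "value": "cpe:2.3:a:absl-py:python-absl-py:1.4.0:*:*:*:*:*:*:*"}]}]
}""")

# Fields the schema's `required` list demands, with the types it declares.
REQUIRED = {"bomFormat": str, "specVersion": str, "serialNumber": str,
            "version": int, "metadata": dict, "components": list}
PURL_RE = re.compile(r"^pkg:[a-z0-9.+-]+/[^@?#]+@([^?#]+)")  # pkg:type/name@version

def check_sbom(bom):
    """Return a list of findings; an empty list means every check passed."""
    findings = [f"missing required field: {k}" for k in REQUIRED if k not in bom]
    findings += [f"{k}: expected {t.__name__}" for k, t in REQUIRED.items()
                 if k in bom and (not isinstance(bom[k], t) or isinstance(bom[k], bool))]
    if findings:
        return findings  # shape is wrong; the field-level checks below assume it is right
    if not bom["serialNumber"].startswith("urn:uuid:"):
        findings.append("serialNumber is not a urn:uuid")
    for comp in bom["components"]:
        ref = comp.get("bom-ref", comp.get("name", "?"))
        m = PURL_RE.match(comp.get("purl", ""))
        if not m:
            findings.append(f"{ref}: missing or malformed purl")
        elif comp.get("version") and m.group(1) != comp["version"]:
            findings.append(f"{ref}: purl version {m.group(1)} != version {comp['version']}")
        cpe = comp.get("cpe", "")
        if cpe and (not cpe.startswith("cpe:2.3:") or cpe.count(":") != 12):
            findings.append(f"{ref}: not a 13-field CPE 2.3 string")  # naive: ignores '\:' escapes
    return findings

def cpe_candidates(bom):
    """All CPEs per component: the `cpe` field plus any syft:cpe23 property (they can differ)."""
    out = {}
    for comp in bom["components"]:
        cpes = {comp["cpe"]} if comp.get("cpe") else set()
        cpes |= {p["value"] for p in comp.get("properties", []) if p.get("name") == "syft:cpe23"}
        out[comp["name"]] = sorted(cpes)
    return out
```

A scanner that queries only the cpe field would miss the second vendor string, so both candidates should be looked up.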