| Application | Component | A software application |
69
69
| Container | Component | A packaging and/or runtime format, not specific to any particular technology, which isolates software inside the container from software outside of a container through virtualization technology. |
70
+
| Cryptographic Asset | Component | A cryptographic asset including algorithms, protocols, certificates, keys, tokens, and secrets. |
70
71
| Data | Component | A collection of discrete values that convey information. |
71
72
| Device | Component | A hardware device such as a processor, or chip-set. A hardware device containing firmware SHOULD include a component for the physical hardware itself, and another component of type 'firmware' or 'operating-system' (whichever is relevant), describing information about the software running on the device. |
72
73
| Device Driver | Component | A special type of software that operates or controls a particular type of device. |
73
74
| File | Component | A computer file. |
74
-
| Firmware | Component | A special type of software that provides low-level control over a device's hardware. |
75
+
| Firmware | Component | A special type of software that provides low-level control over a device's hardware. |
75
76
| Framework | Component | A software framework |
76
77
| Library | Component | A software library. Many third-party and open source reusable components are libraries. If the library also has key features of a framework, then it should be classified as a framework. If not, or is unknown, then specifying library is RECOMMENDED. |
77
78
| Machine Learning Model | Component | A model based on training data that can make predictions or decisions without being explicitly programmed to do so. |
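Review bot: the removed and re-added Firmware rows are textually identical, so this `-`/`+` pair looks like a whitespace-only change (trailing space or line ending); either drop it from the commit or make the intended edit visible so reviewers can see what changed. Minor style point in the same table: the new Cryptographic Asset row ends with a period, while the Application and Framework rows ("A software application", "A software framework") do not; align the terminal punctuation across the table.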
@@ -86,8 +87,8 @@ CycloneDX is capable of describing the following types of components:
86
87
> the inventory of software and constituent parts.
87
88
88
89
89
-
Component identity is an essential requirement for managing inventory. CycloneDX supports multiple methods of identity
90
-
including:
90
+
Component identity is an essential requirement for managing inventory. CycloneDX supports multiple methods to assert
91
+
identity including:
91
92
92
93
- Coordinates: The combination of the group, name, and version fields form the coordinates of a component.
93
94
- Package URL: [Package URL](https://github.com/package-url/purl-spec) (PURL) standardizes how software package metadata is represented so that packages can universally be identified and located regardless of what vendor, project, or ecosystem the packages belongs to.
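Review bot: the reworded sentence ("multiple methods to assert identity including") reads better, but the unchanged Package URL bullet directly below it has a number-agreement error, "regardless of what vendor, project, or ecosystem the packages belongs to" should read "belong to"; worth fixing while this paragraph is being touched. Since the text now says "assert", consider one clause naming who asserts it (the BOM author), so coordinates and PURL are not read as identity a consumer has verified.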
SBOM/en/0x51-External-References.md
@@ -23,6 +23,7 @@ External references provide an extensible and data-rich method of forming relati
23
23
| chat | Real-time chat platform |
24
24
| documentation | Documentation, guides, or how-to instructions |
25
25
| support | Community or commercial support |
26
+
| source-distribution | The location where the source code distributable can be obtained. This is often an archive format such as zip or tgz. The source-distribution type complements use of the version control (vcs) type. |
26
27
| distribution | Direct or repository download location |
27
28
| distribution-intake | The location where a component was published to. This is often the same as "distribution" but may also include specialized publishing processes that act as an intermediary |
28
29
| license | The URL to the license file. If a license URL has been defined in the license node, it should also be defined as an external reference for completeness |
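Review bot: the new source-distribution row cross-references "the version control (vcs) type", but no vcs row is visible in this hunk; confirm the vcs row exists elsewhere in the table so the reference resolves. The row should also say that the archive is the source for the exact version named in the component, since the neighbouring distribution row ("Direct or repository download location") could otherwise be read as covering the same location; and note the new row ends with periods while the surrounding rows do not.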
@@ -31,6 +32,10 @@ External references provide an extensible and data-rich method of forming relati
31
32
| release-notes | URL to release notes |
32
33
| security-contact | Specifies a way to contact the maintainer, supplier, or provider in the event of a security incident. Common URIs include links to a disclosure procedure, a mailto (RFC-2368) that specifies an email address, a tel (RFC-3966) that specifies a phone number, or dns (RFC-4501) that specifies the records containing DNS Security TXT |
33
34
| model-card | A model card describes the intended uses of a machine learning model, potential limitations, biases, ethical considerations, training parameters, datasets |
35
+
| log | A record of events that occurred in a computer system or application, such as problems, errors, or information on current operations. |
36
+
| configuration | Parameters or settings that may be used by other components or services. |
37
+
| evidence | Information used to substantiate a claim. |
38
+
| formulation | Describes how a component or service was manufactured or deployed. |
34
39
| attestation | Human or machine-readable statements containing facts, evidence, or testimony |
35
40
| threat-model | An enumeration of identified weaknesses, threats, and countermeasures, dataflow diagram (DFD), attack tree, and other supporting documentation in human-readable or machine-readable format |
36
41
| adversary-model | The defined assumptions, goals, and capabilities of an adversary |
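Review bot: the added evidence and formulation rows duplicate type names that already appear further down the same table (the next hunk shows "evidence | Data collected through various forms of extraction or analysis" and "formulation | The observed or declared formulas for how components or services were manufactured or deployed"), so the rendered table would list each type twice with conflicting descriptions; keep one row per type, or give the two meanings distinct names if they are meant to be different reference types. The log and configuration rows should also say what they point at (a URL, as the license and release-notes rows do, or a BOM-link), otherwise producers will interpret them inconsistently.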
@@ -49,6 +54,9 @@ External references provide an extensible and data-rich method of forming relati
49
54
| evidence | Data collected through various forms of extraction or analysis |
50
55
| formulation | The observed or declared formulas for how components or services were manufactured or deployed |
51
56
| poam | Plans of Action and Milestones (POAM) complement an "attestation" external reference. POAM is defined by NIST as a "document that identifies tasks needing to be accomplished. It details resources required to accomplish the elements of the plan, any milestones in meeting the tasks and scheduled completion dates for the milestones". |
57
+
| electronic-signature | An e-signature is commonly a scanned representation of a written signature or a stylized script of the persons name. |
58
+
| digital-signature | A signature that leverages cryptography, typically public/private key pairs, which provides strong authenticity verification. |
59
+
| rfc-9116 | Document that complies with RFC-9116 (A File Format to Aid in Security Vulnerability Disclosure) |
52
60
| other | Use this if no other types accurately describe the purpose of the external reference |
53
61
54
62
The following are example external references applied to a component:
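Review bot: "persons name" in the electronic-signature row should be "person's name". The digital-signature row's claim of "strong authenticity verification" only holds when the reader can tell what artifact the signature covers and which key produced it, so the description should say the reference points to a signature over a specific artifact (for example the distribution or source-distribution reference) rather than to a bare signature file. The new rfc-9116 row overlaps in purpose with the existing security-contact row above; add a sentence to one of them saying when to use which, since both can point at a vulnerability-disclosure contact.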