cyclonedx / bom-examples Goto Github PK

Hello, I can't find examples of SBOM where the "component" type is "file" and some component has related components.
Could you please provide such examples?

in https://github.com/CycloneDX/bom-examples/tree/master/VEX/CISA-Use-Cases/Case-7 boms do not contain version of the software, but vex file affects sections contain versions or version ranges (i.e.

What is the point of having affects section specifying also component ref and versions, if component ref is unique ? Ot is it just additional information ?

As an enhancement, it would be useful to be publish SBOM examples for 2 versions of the same OSS project.

It does not really matter which project is chosen. Dropwizard would suit me because I use it!

The use cases are to allow for testing of tools that consume BOMs and which need to process changes in the BOM for a specific project:

• Comparison of two BOMs. ie, has the component inventory changed (versions, count of components, etc)
• Impact of change on auditing/triage.
• Notifications
• etc

I would like to use these examples in unit tests for some software I am developing.

Is there a license for the examples or any restrictions on its use?

I realize that some may argue some data can not be copyrighted. However, it would be nice to make it clear in the README and a LICENSE file how the data can be used.

CC-BY-4.0 is a common license for this type of data if you would like attribution and CC0-1.0 is a common license if you don't care about the attribution.

Many new fields (schema) were added to between v1.3 and v1.4 yet there are not examples that ref. v1.4.

In addition, we would like examples that exhibit the use of many of these new fields such as "releaseNotes" and "vulnerabilities" (and all their sub-schemas and even proper object signing using JSF) in order to inform SBOM generation tooling, best practices as well as downstream validation (and signing verification).

@stevespringett - thanks for putting this example together. When reviewing the vulnerability/analysis/response field, I saw that it contained "["will_not_fix", "update"]". Is this correct? According to the CycloneDX standard, this entry "Must be one of:" the options rather than an array. Let me know if I am reading that correctly.

I'm wondering that how to generate SaasBom, and I haven't found any details from the CycloneDX repository so far.
Can you please provide some example?
Thank you.

The repository contains examples beyond just sbom - for eg. saasbom/vex etc. Should we consider renaming the repository?