cyclonedx / bom-examples
A repository with examples of CycloneDX BOMs (SBOM, SaaSBOM, OBOM, VEX, etc)
Home Page: https://cyclonedx.org
License: Creative Commons Zero v1.0 Universal
Hello, I can't find examples of SBOM where the "component" type is "file" and some component has related components.
Could you please provide such examples?
In https://github.com/CycloneDX/bom-examples/tree/master/VEX/CISA-Use-Cases/Case-7 the BOMs do not contain the version of the software, but the VEX file's affects sections contain versions or version ranges (i.e. ). So if I understand correctly, this VEX should not apply to any BOM, as they do not specify any version, or should the logic be that if the version is not specified then any matching BOM with affects.ref is actually affected, in which case specifying the version is irrelevant? What is the point of having an affects section specifying both the component ref and versions, if the component ref is unique? Or is it just additional information?
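The matching question raised above can be made concrete by actually resolving a VEX against an SBOM. The script below is an added example, not code from the bom-examples repository or from CycloneDX tooling. It assumes `affects[].ref` names a component's `bom-ref`, that each `affects[].versions[]` entry carries either an exact `version` or a `range`, and it parses ranges with a deliberately simplified `vers:` reading (every `|`-separated constraint must hold, dotted-numeric versions only); the SBOM and VEX documents, the component names and the `EXAMPLE-0001` identifier are constructed placeholders. The policy choices the issue asks about are made explicit: an `affects` entry with no `versions` applies to the ref unconditionally, while a component that carries no `version` cannot be matched against versioned constraints and is reported as `unknown` rather than silently treated as affected or unaffected.

```python
"""Resolve a CycloneDX VEX against an SBOM by bom-ref and version.

Added example (not from CycloneDX/bom-examples). All documents below are
constructed placeholders; the vers range handling is a simplification.
"""
import json
import operator
from typing import Dict

# Constructed sample SBOM: lib-b deliberately has no version field.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "components": [
    {"type": "library", "bom-ref": "lib-a", "name": "lib-a", "version": "2.0.0"},
    {"type": "library", "bom-ref": "lib-b", "name": "lib-b"},
    {"type": "library", "bom-ref": "lib-c", "name": "lib-c", "version": "3.1.0"},
    {"type": "library", "bom-ref": "lib-d", "name": "lib-d", "version": "0.9"}
  ]
}
"""

# Constructed sample VEX: "EXAMPLE-0001" is a placeholder id, not a real vulnerability.
VEX_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "vulnerabilities": [
    {
      "id": "EXAMPLE-0001",
      "affects": [
        {"ref": "lib-a", "versions": [{"range": "vers:generic/>=2.0|<2.5", "status": "affected"}]},
        {"ref": "lib-b", "versions": [{"version": "1.4.2", "status": "affected"}]},
        {"ref": "lib-c", "versions": [
          {"range": "vers:generic/>=3.0|<3.1", "status": "affected"},
          {"range": "vers:generic/>=3.1", "status": "unaffected"}]},
        {"ref": "lib-d"},
        {"ref": "lib-missing", "versions": [{"version": "1.0", "status": "affected"}]}
      ]
    }
  ]
}
"""

OPS = {">=": operator.ge, "<=": operator.le, "!=": operator.ne,
       ">": operator.gt, "<": operator.lt, "=": operator.eq}


def parse_version(v: str) -> tuple:
    """Dotted-numeric version to a tuple; trailing zeros dropped so 2.0 == 2.0.0."""
    parts = [int(p) for p in v.split(".")]
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def in_range(version: str, rng: str) -> bool:
    """Simplified vers check (assumption): 'vers:<scheme>/<c1>|<c2>...', all constraints must hold."""
    if not rng.startswith("vers:") or "/" not in rng:
        raise ValueError(f"unsupported range syntax: {rng}")
    v = parse_version(version)
    for constraint in rng.split("/", 1)[1].split("|"):
        for sym in sorted(OPS, key=len, reverse=True):  # try two-char operators first
            if constraint.startswith(sym):
                if not OPS[sym](v, parse_version(constraint[len(sym):])):
                    return False
                break
        else:
            raise ValueError(f"unsupported constraint: {constraint}")
    return True


def classify(component: dict, affect: dict) -> str:
    """Return the VEX status that applies to this component, or 'unknown' if undecidable."""
    versions = affect.get("versions")
    if not versions:
        return "affected"  # policy: ref alone, no version constraint, applies unconditionally
    comp_version = component.get("version")
    if comp_version is None:
        return "unknown"  # version-less SBOM entry vs versioned constraint: cannot decide
    for entry in versions:
        status = entry.get("status", "affected")
        if "version" in entry and parse_version(entry["version"]) == parse_version(comp_version):
            return status
        if "range" in entry and in_range(comp_version, entry["range"]):
            return status
    return "unknown"  # the VEX is silent about this particular version


def apply_vex(sbom: dict, vex: dict) -> Dict[str, Dict[str, str]]:
    """Map vulnerability id -> {bom-ref: status}; refs absent from the SBOM are 'unresolved'."""
    comps = {c["bom-ref"]: c for c in sbom.get("components", []) if "bom-ref" in c}
    report: Dict[str, Dict[str, str]] = {}
    for vuln in vex.get("vulnerabilities", []):
        per_ref = {}
        for affect in vuln.get("affects", []):
            comp = comps.get(affect["ref"])
            per_ref[affect["ref"]] = "unresolved" if comp is None else classify(comp, affect)
        report[vuln["id"]] = per_ref
    return report


def run_example() -> Dict[str, Dict[str, str]]:
    return apply_vex(json.loads(SBOM_JSON), json.loads(VEX_JSON))


if __name__ == "__main__":
    for vuln_id, refs in run_example().items():
        for ref, status in refs.items():
            print(f"{vuln_id} {ref}: {status}")
```

Run as-is it reports lib-a as affected (2.0.0 falls inside the range), lib-b as unknown (the SBOM gives no version to compare), lib-c as unaffected (3.1.0 matches the second, explicitly unaffected range), lib-d as affected (no version constraint at all) and lib-missing as unresolved. Whichever policy a consumer adopts for the version-less cases, making it an explicit branch as here is what keeps the result auditable.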
As an enhancement, it would be useful to publish SBOM examples for 2 versions of the same OSS project.
It does not really matter which project is chosen. Dropwizard would suit me because I use it!
The use cases are to allow for testing of tools that consume BOMs and which need to process changes in the BOM for a specific project:
I would like to use these examples in unit tests for some software I am developing.
Is there a license for the examples or any restrictions on its use?
I realize that some may argue some data can not be copyrighted. However, it would be nice to make it clear in the README and a LICENSE file how the data can be used.
CC-BY-4.0 is a common license for this type of data if you would like attribution and CC0-1.0 is a common license if you don't care about the attribution.
Many new fields (schema) were added between v1.3 and v1.4, yet there are no examples that reference v1.4.
In addition, we would like examples that exhibit the use of many of these new fields such as "releaseNotes" and "vulnerabilities" (and all their sub-schemas and even proper object signing using JSF) in order to inform SBOM generation tooling, best practices as well as downstream validation (and signing verification).
@stevespringett - thanks for putting this example together. When reviewing the vulnerability/analysis/response field, I saw that it contained "["will_not_fix", "update"]". Is this correct? According to the CycloneDX standard, this entry "Must be one of:" the options rather than an array. Let me know if I am reading that correctly.
I'm wondering how to generate a SaaSBOM, and I haven't found any details in the CycloneDX repository so far.
Can you please provide some example?
Thank you.
The repository contains examples beyond just sbom - for eg. saasbom/vex etc. Should we consider renaming the repository?