OWASP CycloneDX is a full-stack Bill of Materials (BOM) standard that provides advanced supply chain capabilities for cyber risk reduction. SBOM, SaaSBOM, HBOM, AI/ML-BOM, CBOM, OBOM, MBOM, VDR, and VEX
Currently, a component has a bom-ref, while the BOM has a serialNumber. A growing number of ASOC and Vulnerability Management platforms aggregate components from across many BOMs into a single database.
Identifying a component based on a deep BOM-Link becomes a three-step process in such environments (retrieve the BOM, parse it, and identify the referred component). Further, the regex for a BOM-Link is quite broad: ^urn:cdx:[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}/[1-9][0-9]*#.+$
The proposal is to add a new property, bom-link, at the component level. Generator tools can set this value to serialNumber/bom-ref. This would simplify lookups and joins, since the entirety of the BOM document need not be loaded.
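The following is an added example (not CycloneDX project code) showing how an aggregation platform could key components by the proposed per-component BOM-Link, parse incoming links with the regex quoted above, and resolve them in a single dictionary lookup instead of loading whole BOMs; the two sample BOMs and their serial numbers are constructed for illustration.

```python
import re
from typing import Dict, List, NamedTuple, Optional

# Regex quoted in the proposal: uuid / version # bom-ref fragment.
BOM_LINK_RE = re.compile(
    r"^urn:cdx:(?P<uuid>[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})"
    r"/(?P<version>[1-9][0-9]*)#(?P<ref>.+)$"
)


class BomLink(NamedTuple):
    uuid: str
    version: int
    bom_ref: str


def parse_bom_link(link: str) -> Optional[BomLink]:
    """Parse a BOM-Link URN into its three parts, or None if it does not match."""
    m = BOM_LINK_RE.match(link)
    if not m:
        return None
    return BomLink(m["uuid"], int(m["version"]), m["ref"])


# Constructed sample: two minimal BOMs as received by an aggregation platform.
SAMPLE_BOMS: List[dict] = [
    {"serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79", "version": 1,
     "components": [{"bom-ref": "pkg:pypi/requests@2.31.0", "name": "requests"}]},
    {"serialNumber": "urn:uuid:ab7e7d86-2a4a-4b3f-9a3a-3e6f1a2b3c4d", "version": 2,
     "components": [{"bom-ref": "pkg:npm/lodash@4.17.21", "name": "lodash"}]},
]


def component_bom_link(bom: dict, component: dict) -> str:
    """Proposed per-component value: serialNumber uuid + BOM version + bom-ref as a URN."""
    uuid = bom["serialNumber"].removeprefix("urn:uuid:")
    return f"urn:cdx:{uuid}/{bom['version']}#{component['bom-ref']}"


def build_index(boms: List[dict]) -> Dict[BomLink, dict]:
    """Flatten every BOM once into a lookup table keyed by the parsed BOM-Link."""
    index: Dict[BomLink, dict] = {}
    for bom in boms:
        for comp in bom["components"]:
            key = parse_bom_link(component_bom_link(bom, comp))
            if key is not None:
                index[key] = comp
    return index


def resolve(index: Dict[BomLink, dict], link: str) -> Optional[dict]:
    """Single-step resolution of a BOM-Link against the aggregated index."""
    key = parse_bom_link(link)
    return index.get(key) if key else None
```

A link that points at a BOM version the platform has not ingested resolves to None rather than forcing a fetch of the referenced document.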