For risk identification, a thorough and accurate inventory of all first-party and third-party components is required. All direct and transitive components, as well as the dependencies between them, should be included in BOMs.

For example, the following types of components can be described using CycloneDX:

COMPONENT TYPE      CLASS
Application         Component
Container           Component
Device              Component
Library             Component
File                Component
Firmware            Component
Framework           Component
Operating System    Component
Service             Service

Code sample:

JSON format:

{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "serialNumber": "urn:uuid:3e673487-395b-41h8-a30f-a58468a69b79",
  "version": 1,
  "components": [
    {
      "type": "library",
      "name": "nacl-library",
      "version": "1.0.0"
    }
  ]
}

XML format:

<?xml version="1.0" encoding="UTF-8"?>
<bom xmlns="http://cyclonedx.org/schema/bom/1.4" serialNumber="urn:uuid:3e356687-875b-78f5-a30f-a9754ka69j79" version="1">
  <components>
    <component type="library">
      <name>nacl-library</name>
      <version>1.0.0</version>
      <!-- The minimum required fields are: component type and name. -->
    </component>
    <!-- More components here -->
  </components>
</bom>
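As an added example (not code from the page or from the CycloneDX project), the following Python checks a CycloneDX 1.4 JSON BOM against the inventory requirements above: every component carries the minimum fields (type and name) with a type from the table, every dependency edge resolves to a declared component, and the direct and transitive dependencies of a component can be walked from the `dependencies` array. The BOM, its `bom-ref` values and the stray "plugin"/"ghost" entries are constructed for the demonstration.

```python
import json
# Component types CycloneDX 1.4 allows in "components" (the table above);
# services are listed in a separate "services" array, not in "components".
ALLOWED_TYPES = {"application", "container", "device", "library", "file",
                 "firmware", "framework", "operating-system"}

# Constructed sample BOM (not from the page): app -> nacl-library -> helper,
# plus one component with a bogus type and one dangling dependency ref.
SAMPLE_BOM = json.loads("""{
  "bomFormat": "CycloneDX", "specVersion": "1.4", "version": 1,
  "components": [
    {"type": "application", "name": "app", "version": "3.0", "bom-ref": "app"},
    {"type": "library", "name": "nacl-library", "version": "1.0.0", "bom-ref": "nacl"},
    {"type": "library", "name": "helper", "version": "2.3.1", "bom-ref": "helper"},
    {"type": "plugin", "name": "oddball", "bom-ref": "oddball"}
  ],
  "dependencies": [
    {"ref": "app", "dependsOn": ["nacl", "ghost"]},
    {"ref": "nacl", "dependsOn": ["helper"]},
    {"ref": "helper", "dependsOn": []}
  ]
}""")

def check_bom(bom):
    """Return findings that would undermine the BOM as a risk inventory."""
    findings = []
    refs = {c.get("bom-ref") for c in bom.get("components", [])}
    for comp in bom.get("components", []):
        # Minimum required fields (see the XML comment above): type and name.
        if "type" not in comp or "name" not in comp:
            findings.append(f"component missing type or name: {comp}")
            continue
        if comp["type"] not in ALLOWED_TYPES:
            findings.append(f"{comp['name']}: unknown type {comp['type']!r}")
    # Each dependency edge must point at a declared component; otherwise a
    # transitive component is missing from the inventory.
    for dep in bom.get("dependencies", []):
        for target in [dep.get("ref")] + dep.get("dependsOn", []):
            if target not in refs:
                findings.append(f"undeclared component referenced: {target!r}")
    return findings

def transitive_deps(bom, root):
    """All direct and transitive dependencies of bom-ref `root`."""
    graph = {d["ref"]: d.get("dependsOn", []) for d in bom.get("dependencies", [])}
    seen, stack = set(), list(graph.get(root, []))
    while stack:
        ref = stack.pop()
        if ref not in seen:
            seen.add(ref)
            stack.extend(graph.get(ref, []))
    return seen
```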