Reference components, services, or vulnerabilities in BOMs from other systems or other BOMs
Software Bill of Materials
Vulnerability Exploitability Exchange
Hardware Bill of Materials
Operations Bill of Materials
Vulnerability Disclosure Report
Extensible Markup Language
With CycloneDX, it is possible to reference a component, service, or vulnerability inside a BOM from other systems or
other BOMs. This deep-linking capability is referred to as BOM-Link and is a
formally registered URN, governed by IANA,
and compliant with RFC-8141.
The unique serial number of the BOM. The serial number MUST conform to RFC-4122.
The version of the BOM. The default version is 1.
The unique identifier of the component, service, or vulnerability within the BOM.
There are many use cases that BOM-Link supports. Two common scenarios are to:
Reference one BOM from another BOM
Reference a specific component or service in one BOM from another BOM
Linking to External BOMs
External references provide a way to document systems, sites, and information that may be relevant but which are not
included with the BOM. External references can be applied to individual components, services, or to the BOM itself.
One external reference type is bom which can point to a URL of where the BOM is located, or BOM-Link URI that
references the precise serial number and version of the BOM.
Inventory described in a BOM (SBOM, SaaSBOM, etc) will typically remain static until such time the inventory changes.
However, vulnerability information is much more dynamic and subject to change. Therefore, it is recommended to decouple
the VEX from the BOM. This allows VEX information to be updated without having to create and track additional BOMs.
VEX is an integral part of the CycloneDX specification providing the convenience of leveraging a single format and tool chain.
In the following example, a vulnerability is identified in a component called Jackson Databind, and the VEX provides a
direct link to the precise component within a BOM.