<?xml version="1.0"?>
<!--
  CycloneDX BOM (schema namespace 1.6) that exercises the externalReferences
  element. It holds two components: a library with three documented references,
  and a placeholder application whose description says it carries every
  external reference type.
-->
<bom xmlns="http://cyclonedx.org/schema/bom/1.6"
     serialNumber="urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79"
     version="1">
  <components>

    <!-- Library entry: each reference has a human-readable comment. -->
    <component type="library">
      <publisher>Acme Inc</publisher>
      <group>org.example</group>
      <name>mylibrary</name>
      <version>1.0.0</version>
      <externalReferences>
        <reference type="advisories">
          <url>https://example.org/security/feed/csaf</url>
          <comment>Security advisories from the vendor</comment>
        </reference>
        <!--
          The only reference in this file that pins its target with a digest.
          A consumer that retrieves the external SBOM can compare the SHA-256
          value below with the downloaded content before relying on it.
        -->
        <reference type="bom">
          <url>https://example.org/support/sbom/portal-server/1.0.0</url>
          <comment>An external SBOM that describes what this component includes</comment>
          <hashes>
            <hash alg="SHA-256">708f1f53b41f11f02d12a11b1a38d2905d47b099afc71a0f1124ef8582ec7313</hash>
          </hashes>
        </reference>
        <reference type="documentation">
          <url>https://example.org/support/documentation/portal-server/1.0.0</url>
          <comment>Vendor provided documentation for the product</comment>
        </reference>
      </externalReferences>
    </component>

    <!--
      Placeholder entry: one reference per type, each pointing at an
      example.com path named after the type. Every URL here is plain http and
      none carries a hashes element.
      NOTE(review): in a real BOM, references whose targets are downloaded and
      acted on (for example bom, distribution, attestation, digital-signature)
      would normally use https and a digest. Consumers should treat each url as
      untrusted input rather than fetching it automatically.
    -->
    <component type="application">
      <name>dummy</name>
      <description>this component has all external reference types possible</description>
      <externalReferences>
        <!-- Project, community and distribution locations. -->
        <reference type="vcs"><url>http://example.com/extref/vcs</url></reference>
        <reference type="issue-tracker"><url>http://example.com/extref/issue-tracker</url></reference>
        <reference type="website"><url>http://example.com/extref/website</url></reference>
        <reference type="advisories"><url>http://example.com/extref/advisories</url></reference>
        <reference type="bom"><url>http://example.com/extref/bom</url></reference>
        <reference type="mailing-list"><url>http://example.com/extref/mailing-list</url></reference>
        <reference type="social"><url>http://example.com/extref/social</url></reference>
        <reference type="chat"><url>http://example.com/extref/chat</url></reference>
        <reference type="documentation"><url>http://example.com/extref/documentation</url></reference>
        <reference type="support"><url>http://example.com/extref/support</url></reference>
        <reference type="source-distribution"><url>http://example.com/extref/source-distribution</url></reference>
        <reference type="distribution"><url>http://example.com/extref/distribution</url></reference>
        <reference type="distribution-intake"><url>http://example.com/extref/distribution-intake</url></reference>
        <reference type="license"><url>http://example.com/extref/license</url></reference>
        <reference type="build-meta"><url>http://example.com/extref/build-meta</url></reference>
        <reference type="build-system"><url>http://example.com/extref/build-system</url></reference>
        <reference type="release-notes"><url>http://example.com/extref/release-notes</url></reference>
        <reference type="security-contact"><url>http://example.com/extref/security-contact</url></reference>
        <reference type="model-card"><url>http://example.com/extref/model-card</url></reference>
        <reference type="log"><url>http://example.com/extref/log</url></reference>
        <reference type="configuration"><url>http://example.com/extref/configuration</url></reference>
        <reference type="evidence"><url>http://example.com/extref/evidence</url></reference>
        <reference type="formulation"><url>http://example.com/extref/formulation</url></reference>
        <!-- Assurance artefacts: attestations, models, assessments and reports. -->
        <reference type="attestation"><url>http://example.com/extref/attestation</url></reference>
        <reference type="threat-model"><url>http://example.com/extref/threat-model</url></reference>
        <reference type="adversary-model"><url>http://example.com/extref/adversary-model</url></reference>
        <reference type="risk-assessment"><url>http://example.com/extref/risk-assessment</url></reference>
        <reference type="vulnerability-assertion"><url>http://example.com/extref/vulnerability-assertion</url></reference>
        <reference type="exploitability-statement"><url>http://example.com/extref/exploitability-statement</url></reference>
        <reference type="pentest-report"><url>http://example.com/extref/pentest-report</url></reference>
        <reference type="static-analysis-report"><url>http://example.com/extref/static-analysis-report</url></reference>
        <reference type="dynamic-analysis-report"><url>http://example.com/extref/dynamic-analysis-report</url></reference>
        <reference type="runtime-analysis-report"><url>http://example.com/extref/runtime-analysis-report</url></reference>
        <reference type="component-analysis-report"><url>http://example.com/extref/component-analysis-report</url></reference>
        <reference type="maturity-report"><url>http://example.com/extref/maturity-report</url></reference>
        <reference type="certification-report"><url>http://example.com/extref/certification-report</url></reference>
        <reference type="quality-metrics"><url>http://example.com/extref/quality-metrics</url></reference>
        <reference type="codified-infrastructure"><url>http://example.com/extref/codified-infrastructure</url></reference>
        <reference type="poam"><url>http://example.com/extref/poam</url></reference>
        <!-- Signature and disclosure-policy locations, then the catch-all type. -->
        <reference type="electronic-signature"><url>http://example.com/extref/electronic-signature</url></reference>
        <reference type="digital-signature"><url>http://example.com/extref/digital-signature</url></reference>
        <reference type="rfc-9116"><url>http://example.com/extref/rfc-9116</url></reference>
        <reference type="other"><url>http://example.com/extref/other</url></reference>
      </externalReferences>
    </component>

  </components>
</bom>