Data Model
Technical reference documentation for the SBOM Observer data model.
The main concepts of the SBOM Observer data model are:
- Namespace: all data in SBOM Observer is stored in a namespace, including configuration such as policies.
- SBOMs (and other attestations): these are the main source of data. SBOM Observer keeps an archive of all imported SBOMs and tracks which are currently in use (not archived).
- Components are the basic building blocks of an SBOM and contain information about a piece of software like an application, container or open source package.
- Suppliers represent organizations or individuals that are suppliers, manufacturers or vendors of components.
- The Index is created when importing ("indexing") SBOMs and other attestations into the namespace. The index itself is a graph-like structure with references between components (i.e. dependencies) and between components and their sources (SBOMs). The index is used for all types of analysis, including policy evaluation. Besides components, the index also connects other pieces of supply chain data such as suppliers, advisories and VEX analysis.
- Annotations are user-supplied, editable pieces of information attached to items in the index (components, suppliers, advisories, etc.). Separating annotations from the SBOM-provided data ensures that you can enrich data with organizational context while maintaining the integrity of the original SBOM data for compliance and verification.
- Mappings are transformations applied during indexing (importing SBOMs).
In addition, various internal datasets enrich the indexed data with vulnerabilities, open source package information, end-of-life information and much more.
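A conceptual sketch of the Index and Annotations items above, added here as an example and not SBOM Observer's own code or schema: the `Index` class, its fields and the two CycloneDX-style SBOMs (with placeholder serial numbers) are constructed assumptions. It shows components from different SBOMs joined into one graph by package URL, with each component linked back to its source SBOMs and annotations held outside the imported documents.

```python
import hashlib
import json

# Constructed CycloneDX-style SBOMs; serial numbers and packages are sample data.
SBOM_APP = {"serialNumber": "urn:uuid:app-1",
            "components": [{"bom-ref": "a", "purl": "pkg:generic/shop-api@2.1.0"},
                           {"bom-ref": "b", "purl": "pkg:npm/express@4.18.2"}],
            "dependencies": [{"ref": "a", "dependsOn": ["b"]}]}
SBOM_IMG = {"serialNumber": "urn:uuid:img-1",
            "components": [{"bom-ref": "x", "purl": "pkg:npm/express@4.18.2"},
                           {"bom-ref": "y", "purl": "pkg:npm/qs@6.11.0"}],
            "dependencies": [{"ref": "x", "dependsOn": ["y"]}]}

def digest(sbom):
    """Hash of the SBOM as imported, to show later that it was not altered."""
    return hashlib.sha256(json.dumps(sbom, sort_keys=True).encode()).hexdigest()

class Index:
    """Hypothetical index: components keyed by purl, linked to their
    dependencies and to the SBOMs that reported them."""
    def __init__(self):
        self.depends_on = {}   # purl -> set of purls it depends on
        self.sources = {}      # purl -> set of SBOM serial numbers
        self.digests = {}      # SBOM serial number -> import-time hash
        self.annotations = {}  # purl -> user-supplied fields, kept apart

    def import_sbom(self, sbom):
        serial = sbom["serialNumber"]
        self.digests[serial] = digest(sbom)
        purl = {c["bom-ref"]: c["purl"] for c in sbom["components"]}
        for p in purl.values():
            self.sources.setdefault(p, set()).add(serial)
        for dep in sbom.get("dependencies", []):
            children = {purl[r] for r in dep.get("dependsOn", [])}
            self.depends_on.setdefault(purl[dep["ref"]], set()).update(children)

    def annotate(self, purl, key, value):
        # Organizational context is stored here, never in the SBOM document.
        self.annotations.setdefault(purl, {})[key] = value

    def reachable(self, purl):
        """Every component reachable from purl across all indexed SBOMs."""
        seen, stack = set(), [purl]
        while stack:
            new = self.depends_on.get(stack.pop(), set()) - seen
            seen |= new
            stack.extend(new)
        return seen
```

Importing both documents lets `reachable("pkg:generic/shop-api@2.1.0")` follow an edge that exists only in the second SBOM, and recomputing `digest` after annotating confirms the imported SBOM is unchanged.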
Components
Components are the basic entity for information about software
Suppliers
The Suppliers data model
Vulnerabilities & Advisories
(coming soon)
Custom Fields
Custom fields allow users to extend the data model and UI
Mappings
Mappings can be used to transform data during indexing