
Components

Reference documentation for component data in SBOM Observer, including SBOM-sourced fields and user annotations.


Components are the basic building blocks of SBOMs containing information about software like applications, containers, or open source packages.

Component fields

Index fields (from SBOMs)

| Field | Type | Description |
|---|---|---|
| id | string | Internal component identifier |
| packageUrl | string | Package URL (purl) |
| identifiers | identifier[] | Alternative identifiers |
| type | ComponentType | Component type |
| version | string | Version string |
| name | string | Component name |
| group | string | Namespace or group |
| description | string | Component description |
| hashes | object | Cryptographic hashes (sha256, sha512, etc.) |
| licenses | license[] | Licensing information |
| supplier | supplier | Supplier information |
| manufacturer | supplier | Manufacturer information |
| externalReferences | reference[] | External links and documents |
| containerLayers | string[] | Container layer identifiers |
| provenance | provenance | SLSA provenance information |
| service | service | Service-specific metadata |
| modelCard | modelCard | ML model card (CycloneDX 1.5+) |
| properties | object | Key-value properties |

Annotation fields (user editable)

| Field | Type | Description |
|---|---|---|
| displayName | string | Override display name |
| license | string | Override license expression |
| lifecycle | lifecycle | Lifecycle dates |
| supplierId | string | Link to a supplier annotation |
| manufacturerId | string | Link to a manufacturer annotation |
| businessCriticality | string | high, medium, or low |
| internal | boolean | Whether the component is internally developed |
| properties | object | Key-value properties (and custom fields) |
| notes | string | Free-form notes |
| tags | string[] | Categorization tags |

Component types

| Value | Description |
|---|---|
| application | Application software |
| library | Software library |
| framework | Software framework |
| container | Container image |
| device | Hardware device |
| file | File |
| firmware | Device firmware |
| operating-system | Operating system |
| platform | Software platform |
| service | Service |
| cryptographic-asset | Cryptographic asset |
| machine-learning-model | Machine learning model |
| source | Source code collection (from SPDX) |
| unknown | Unknown component type |

Component identifiers

Components can have multiple identifiers beyond the primary Package URL.

| Field | Type | Description |
|---|---|---|
| id | string | Identifier value |
| type | RefType | Identifier type |

RefType values

| Value | Description |
|---|---|
| purl | Package URL |
| cpe22 | CPE 2.2 identifier |
| cpe23 | CPE 2.3 identifier |

License information

License data is represented as a union type: each entry is either a bare SPDX expression string or a license object with the fields below.

| Field | Type | Description |
|---|---|---|
| expression | string | SPDX license expression |
| license.id | string | SPDX license identifier |
| license.name | string | License name |
| license.url | string | License URL |

External references

| Field | Type | Description |
|---|---|---|
| type | string | Reference type (see values below) |
| url | string | Reference URL |
| hashes | object | Cryptographic hashes (sha256, sha512, etc.) |

Common external reference types

vcs, website, documentation, issue-tracker, license, build-system, release-notes, distribution, advisories, support, social, attestation, bom, security-contact, other

Lifecycle

Lifecycle dates track the support and availability status of a component. These can be set via annotations or sourced from enrichment data.

| Field | Type | Description |
|---|---|---|
| endOfDevelopment | date | End of active development |
| endOfSupport | date | End of support |
| endOfLife | date | End of life |
| endOfDistribution | date | End of distribution |
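As an added example (not SBOM Observer's own code), the following Python shows how a consumer of this data would flatten the license union type described above and derive a support status from the lifecycle dates. It assumes licenses arrive as a bare SPDX string, as an object with `expression`, or as an object with a nested `license` {id, name, url}, and that lifecycle dates are ISO-8601 strings; the sample component is constructed for the example.

```python
from datetime import date

# Constructed sample in the shape documented on this page; not real SBOM Observer output.
SAMPLE_COMPONENT = {
    "packageUrl": "pkg:npm/example-lib@1.2.3",
    "licenses": [
        "MIT OR Apache-2.0",                             # bare SPDX expression string
        {"expression": "GPL-2.0-only"},                  # object carrying an expression
        {"license": {"id": "BSD-3-Clause", "url": "https://example.invalid/bsd"}},
        {"license": {"name": "Custom Vendor License"}},  # no SPDX id, only a name
    ],
    "lifecycle": {"endOfSupport": "2024-06-30", "endOfLife": "2025-01-01"},
}

def license_expressions(component):
    """Flatten the license union (string, {expression}, {license: {id,name,url}}) into
    strings; an object without an SPDX id falls back to its name so it stands out."""
    out = []
    for entry in component.get("licenses", []):
        if isinstance(entry, str):
            out.append(entry)
        elif "expression" in entry:
            out.append(entry["expression"])
        elif "license" in entry:
            lic = entry["license"]
            out.append(lic.get("id") or lic.get("name") or "NOASSERTION")
    return out

def lifecycle_status(component, today_iso):
    """Derive a support status from whichever lifecycle dates are set, most severe first.
    today_iso is the evaluation date as an ISO-8601 string (e.g. "2025-03-01")."""
    today = date.fromisoformat(today_iso)
    lc = component.get("lifecycle") or {}
    def passed(field):
        value = lc.get(field)
        return value is not None and date.fromisoformat(value) <= today
    if passed("endOfLife"):
        return "end-of-life"
    if passed("endOfSupport"):
        return "unsupported"
    if passed("endOfDevelopment"):
        return "maintenance-only"
    return "supported"
```

A component whose only license entry has a name but no SPDX id shows up in the flattened list as that name, which is the case a license policy check should flag rather than silently accept.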

Provenance

SLSA provenance fields provide supply chain integrity information.

| Field | Type | Description |
|---|---|---|
| attestation | string | Attestation data |
| provenanceUrl | string | Provenance URL |
| slsaVersion | string | SLSA version |
| slsaVersionUrl | string | SLSA version specification URL |
| builderId | string | Builder identifier |
| builderName | string | Builder name |
| builderUrl | string | Builder URL |
| logIndex | number | Transparency log index |
| logEntryUrl | string | Transparency log entry URL |
| logIntegratedTime | number | Transparency log integration timestamp |
| repository | string | Source repository |
| repositoryUrl | string | Source repository URL |
| repositoryDigest | string | Source repository digest |
| buildConfigUrl | string | Build configuration URL |
| buildConfigPath | string | Build configuration path |
| invocationId | string | Build invocation identifier |
| invocationUrl | string | Build invocation URL |

Model Card

ML model card metadata for machine-learning-model components (CycloneDX 1.5+). Present when the SBOM contains AI/ML Bill of Materials (AIBOM) data.

| Field | Type | Description |
|---|---|---|
| modelParameters | object | Model parameters (see below) |
| quantitativeAnalysis | object | Performance metrics |
| considerations | object | Ethical and environmental considerations |
| properties | object | Key-value properties |

Model parameters

| Field | Type | Description |
|---|---|---|
| approach.type | string | Learning approach (e.g. supervised, unsupervised) |
| task | string | Task the model performs |
| architectureFamily | string | Architecture family (e.g. transformer) |
| modelArchitecture | string | Specific model architecture |
| inputs | object[] | Input specifications (format) |
| outputs | object[] | Output specifications (format) |

Performance metrics

Each entry in quantitativeAnalysis.performanceMetrics:

| Field | Type | Description |
|---|---|---|
| type | string | Metric type (e.g. accuracy, F1) |
| value | string | Metric value |
| slice | string | Data slice evaluated |
| confidenceInterval | object | lowerBound and upperBound |

Considerations

| Field | Type | Description |
|---|---|---|
| users | string[] | Intended users |
| useCases | string[] | Intended use cases |
| technicalLimitations | string[] | Known technical limitations |
| performanceTradeoffs | string[] | Performance tradeoffs |
| ethicalConsiderations | object[] | Ethical risks (name, mitigationStrategy) |
| environmentalConsiderations | object | Energy and CO2 data |
| fairnessAssessments | object[] | Fairness assessments (groupAtRisk, benefits, harms, mitigationStrategy) |