Components
Reference documentation for component data in SBOM Observer, including SBOM-sourced fields and user annotations.
Components are the basic building blocks of an SBOM; each one describes a unit of software such as an application, a container image, or an open source package. The fields below are sourced from the SBOM itself.

| Field | Type | Description |
|---|---|---|
| id | string | Internal component identifier |
| packageUrl | string | Package URL (purl) |
| identifiers | identifier[] | Alternative identifiers |
| type | ComponentType | Component type |
| version | string | Version string |
| name | string | Component name |
| group | string | Namespace or group |
| description | string | Component description |
| hashes | object | Cryptographic hashes (sha256, sha512, etc.) |
| licenses | license[] | Licensing information |
| supplier | supplier | Supplier information |
| manufacturer | supplier | Manufacturer information |
| externalReferences | reference[] | External links and documents |
| containerLayers | string[] | Container layer identifiers |
| provenance | provenance | SLSA provenance information |
| service | service | Service-specific metadata |
| modelCard | modelCard | ML model card (CycloneDX 1.5+) |
| properties | object | Key-value properties |
User annotations are stored alongside the SBOM-sourced fields and override or supplement them:

| Field | Type | Description |
|---|---|---|
| displayName | string | Override display name |
| license | string | Override license expression |
| lifecycle | lifecycle | Lifecycle dates |
| supplierId | string | Link to a supplier annotation |
| manufacturerId | string | Link to a manufacturer annotation |
| businessCriticality | string | high, medium, or low |
| internal | boolean | Whether the component is internally developed |
| properties | object | Key-value properties (and custom fields) |
| notes | string | Free-form notes |
| tags | string[] | Categorization tags |
Values of ComponentType:

| Value | Description |
|---|---|
| application | Application software |
| library | Software library |
| framework | Software framework |
| container | Container image |
| device | Hardware device |
| file | File |
| firmware | Device firmware |
| operating-system | Operating system |
| platform | Software platform |
| service | Service |
| cryptographic-asset | Cryptographic asset |
| machine-learning-model | Machine learning model |
| source | Source code collection (from SPDX) |
| unknown | Unknown component type |
Components can have multiple identifiers beyond the primary Package URL. Each entry in identifiers:

| Field | Type | Description |
|---|---|---|
| id | string | Identifier value |
| type | RefType | Identifier type |

Values of RefType:

| Value | Description |
|---|---|
| purl | Package URL |
| cpe22 | CPE 2.2 identifier |
| cpe23 | CPE 2.3 identifier |
License data is represented as a union type — either an SPDX expression string or a license object.
| Field | Type | Description |
|---|---|---|
| expression | string | SPDX license expression |
| license.id | string | SPDX license identifier |
| license.name | string | License name |
| license.url | string | License URL |
Each entry in externalReferences:

| Field | Type | Description |
|---|---|---|
| type | string | Reference type (see values below) |
| url | string | Reference URL |
| hashes | object | Cryptographic hashes (sha256, sha512, etc.) |

Reference type values: vcs, website, documentation, issue-tracker, license, build-system, release-notes, distribution, advisories, support, social, attestation, bom, security-contact, other
Lifecycle dates track the support and availability status of a component. These can be set via annotations or sourced from enrichment data.
| Field | Type | Description |
|---|---|---|
| endOfDevelopment | date | End of active development |
| endOfSupport | date | End of support |
| endOfLife | date | End of life |
| endOfDistribution | date | End of distribution |
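As an added example (not SBOM Observer's own code), the following Python builds an effective view of a component by applying annotation overrides on top of the SBOM-sourced fields, flattening the license union described above, and grading lifecycle risk from the dated lifecycle fields. The sample records, the ISO-8601 date format, and the rule that an annotation value beats the SBOM value are assumptions.

```python
from datetime import date

# Constructed sample records using the documented field names; not real SBOM
# Observer data. Lifecycle dates are assumed to be ISO-8601 strings, and the
# overlay rule (annotation beats SBOM value) is inferred from "Override ...".
SBOM_COMPONENT = {
    "id": "comp-0001", "name": "openssl", "version": "1.1.1w", "type": "library",
    "licenses": ["Apache-2.0", {"license": {"id": "OpenSSL"}}],
}
ANNOTATION = {
    "displayName": "OpenSSL (legacy 1.1 branch)",
    "license": "Apache-2.0 AND OpenSSL",
    "businessCriticality": "high",
    "lifecycle": {"endOfSupport": "2023-09-11", "endOfLife": "2023-09-11"},
}


def license_text(entry):
    """Flatten one license union value to a display string."""
    if isinstance(entry, str):          # bare SPDX expression
        return entry
    if "expression" in entry:           # {"expression": "..."}
        return entry["expression"]
    lic = entry.get("license", {})      # {"license": {"id"|"name"|"url"}}
    return lic.get("id") or lic.get("name") or lic.get("url") or "NOASSERTION"


def effective_view(component, annotation, today):
    """Merge annotation overrides onto SBOM fields and grade lifecycle risk."""
    licenses = [license_text(e) for e in component.get("licenses", [])]
    if annotation.get("license"):       # annotation replaces the SBOM licenses
        licenses = [annotation["license"]]
    risk = "ok"                          # first lifecycle stage already reached
    for stage in ("endOfLife", "endOfSupport", "endOfDevelopment"):
        when = annotation.get("lifecycle", {}).get(stage)
        if when and date.fromisoformat(when) <= today:
            risk = stage
            break
    if risk != "ok" and annotation.get("businessCriticality") == "high":
        risk += ":high-criticality"     # escalate for business-critical parts
    return {
        "name": annotation.get("displayName") or component["name"],
        "licenses": licenses,
        "lifecycleRisk": risk,
    }
```

Running `effective_view(SBOM_COMPONENT, ANNOTATION, date.today())` yields the annotated display name, the overriding license expression, and an end-of-life risk flagged as high criticality.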
SLSA provenance fields provide supply chain integrity information.
| Field | Type | Description |
|---|---|---|
| attestation | string | Attestation data |
| provenanceUrl | string | Provenance URL |
| slsaVersion | string | SLSA version |
| slsaVersionUrl | string | SLSA version specification URL |
| builderId | string | Builder identifier |
| builderName | string | Builder name |
| builderUrl | string | Builder URL |
| logIndex | number | Transparency log index |
| logEntryUrl | string | Transparency log entry URL |
| logIntegratedTime | number | Transparency log integration timestamp |
| repository | string | Source repository |
| repositoryUrl | string | Source repository URL |
| repositoryDigest | string | Source repository digest |
| buildConfigUrl | string | Build configuration URL |
| buildConfigPath | string | Build configuration path |
| invocationId | string | Build invocation identifier |
| invocationUrl | string | Build invocation URL |
ML model card metadata for machine-learning-model components (CycloneDX 1.5+). Present when the SBOM contains AI/ML Bill of Materials (AIBOM) data.
| Field | Type | Description |
|---|---|---|
| modelParameters | object | Model parameters (see below) |
| quantitativeAnalysis | object | Performance metrics |
| considerations | object | Ethical and environmental considerations |
| properties | object | Key-value properties |

Fields of modelParameters:

| Field | Type | Description |
|---|---|---|
| approach.type | string | Learning approach (e.g. supervised, unsupervised) |
| task | string | Task the model performs |
| architectureFamily | string | Architecture family (e.g. transformer) |
| modelArchitecture | string | Specific model architecture |
| inputs | object[] | Input specifications (format) |
| outputs | object[] | Output specifications (format) |
Each entry in quantitativeAnalysis.performanceMetrics:
| Field | Type | Description |
|---|---|---|
| type | string | Metric type (e.g. accuracy, F1) |
| value | string | Metric value |
| slice | string | Data slice evaluated |
| confidenceInterval | object | lowerBound and upperBound |

Fields of considerations:

| Field | Type | Description |
|---|---|---|
| users | string[] | Intended users |
| useCases | string[] | Intended use cases |
| technicalLimitations | string[] | Known technical limitations |
| performanceTradeoffs | string[] | Performance tradeoffs |
| ethicalConsiderations | object[] | Ethical risks (name, mitigationStrategy) |
| environmentalConsiderations | object | Energy and CO2 data |
| fairnessAssessments | object[] | Fairness assessments (groupAtRisk, benefits, harms, mitigationStrategy) |