github.com/CycloneDX/sbom-utility@v0.16.0/examples/README.md

# SBOM examples

## CycloneDX examples

For convenience, examples are copied locally from:

- https://github.com/CycloneDX/sbom-examples

They are categorized by BOM type:

| Name/Version | JSON | Type | bom-ref | Description |
| :-- | :-- | :-- | :-- | :-- |
| juice-shop v11.1.2 | [cyclonedx/BOM/juice-shop-11.1.2/bom.json](cyclonedx/BOM/juice-shop-11.1.2/bom.json) | library | `pkg:npm/juice-shop@11.1.2` | "Probably the most modern and sophisticated insecure web application" |
| laravel v7.12.0 | [cyclonedx/BOM/laravel-7.12.0/bom.1.3.json](cyclonedx/BOM/laravel-7.12.0/bom.1.3.json) | application | `pkg:composer/cyclonedx/cyclonedx-php-composer-demo@dev-master` | "demo of cyclonedx/cyclonedx-php-composer with a pinned version of laravel/framework" |
| API Gateway microservices application | [cyclonedx/SaaSBOM/apigateway-microservices-datastores/bom.json](cyclonedx/SaaSBOM/apigateway-microservices-datastores/bom.json) | application | `acme-application` | An application composed of services which are represented in the BOM. |

## CycloneDX use cases

Canonical (CycloneDX v1.4, JSON format) use cases with sample code:

- https://cyclonedx.org/use-cases

| CDX Version | Use case | Test file (JSON) | Description |
| :-- | :-- | :-- | :-- |
| 1.4 | [Inventory](https://cyclonedx.org/use-cases/#inventory) | [cyclonedx/usecases/cdx-use-case-inventory.json](cyclonedx/usecases/cdx-use-case-inventory.json) | Includes all supported component `type` values |
| 1.4 | [Known vulnerabilities](https://cyclonedx.org/use-cases/#known-vulnerabilities) | [cyclonedx/usecases/cdx-use-case-component-known-vulnerabilities.json](cyclonedx/usecases/cdx-use-case-component-known-vulnerabilities.json) | Includes all supported component `type` values |
| 1.4 | [Integrity verification](https://cyclonedx.org/use-cases/#integrity-verification) | [cyclonedx/usecases/cdx-use-case-integrity-verification.json](cyclonedx/usecases/cdx-use-case-integrity-verification.json) |  |
| 1.4 | [Authenticity](https://cyclonedx.org/use-cases/#authenticity) (JSF) | [cyclonedx/usecases/cdx-use-case-authenticity-jsf.json](cyclonedx/usecases/cdx-use-case-authenticity-jsf.json) |  |
| 1.4 | [Package evaluation](https://cyclonedx.org/use-cases/#package-evaluation) | [cyclonedx/usecases/cdx-use-case-package-evaluation.json](cyclonedx/usecases/cdx-use-case-package-evaluation.json) |  |
| 1.4 | [License compliance](https://cyclonedx.org/use-cases/#license-compliance) | [cyclonedx/usecases/cdx-use-case-license-compliance.json](cyclonedx/usecases/cdx-use-case-license-compliance.json) |  |
| 1.4 | [Assembly](https://cyclonedx.org/use-cases/#assembly) | [cyclonedx/usecases/cdx-use-case-assembly.json](cyclonedx/usecases/cdx-use-case-assembly.json) |  |
| 1.4 | [Dependency graph](https://cyclonedx.org/use-cases/#dependency-graph) | [cyclonedx/usecases/cdx-use-case-dependency-graph.json](cyclonedx/usecases/cdx-use-case-dependency-graph.json) |  |
| 1.4 | [Provenance](https://cyclonedx.org/use-cases/#provenance) | [cyclonedx/usecases/cdx-use-case-provenance.json](cyclonedx/usecases/cdx-use-case-provenance.json) |  |
| 1.4 | [Pedigree](https://cyclonedx.org/use-cases/#pedigree) | [cyclonedx/usecases/cdx-use-case-pedigree.json](cyclonedx/usecases/cdx-use-case-pedigree.json) |  |
| 1.4 | [Service definition](https://cyclonedx.org/use-cases/#service-definition) | [cyclonedx/usecases/cdx-use-case-service-defn.json](cyclonedx/usecases/cdx-use-case-service-defn.json) | A complete v1.4 "service" definition |
| 1.4 | [Properties](https://cyclonedx.org/use-cases/#properties--name-value-store) | [cyclonedx/usecases/cdx-use-case-provenance.json](cyclonedx/usecases/cdx-use-case-provenance.json) | name-value store |
| 1.4 | [Packaging and distribution](https://cyclonedx.org/use-cases/#packaging-and-distribution) | [cyclonedx/usecases/cdx-use-case-packaging-and-distribution.json](cyclonedx/usecases/cdx-use-case-packaging-and-distribution.json) |  |
| 1.4 | [Composition completeness](https://cyclonedx.org/use-cases/#composition-completeness) | [cyclonedx/usecases/cdx-use-case-composition-and-completeness.json](cyclonedx/usecases/cdx-use-case-composition-and-completeness.json) |  |
| 1.4 | [OpenChain conformance](https://cyclonedx.org/use-cases/#openchain-conformance) | [cyclonedx/usecases/cdx-use-case-openchain-conformance.json](cyclonedx/usecases/cdx-use-case-openchain-conformance.json) |  |
| 1.4 | [Vulnerability remediation](https://cyclonedx.org/use-cases/#vulnerability-remediation) | [cyclonedx/usecases/cdx-use-case-vulnerability-remediation.json](cyclonedx/usecases/cdx-use-case-vulnerability-remediation.json) |  |
| 1.4 | [Vulnerability exploitability](https://cyclonedx.org/use-cases/#vulnerability-exploitability) | [cyclonedx/usecases/cdx-use-case-vulnerability-exploitability.json](cyclonedx/usecases/cdx-use-case-vulnerability-exploitability.json) |  |
| 1.4 | [Security advisories](https://cyclonedx.org/use-cases/#security-advisories) | [cyclonedx/usecases/cdx-use-case-security-advisories.json](cyclonedx/usecases/cdx-use-case-security-advisories.json) |  |
| 1.4 | [External references](https://cyclonedx.org/use-cases/#external-references) | [cyclonedx/usecases/cdx-use-case-external-references.json](cyclonedx/usecases/cdx-use-case-external-references.json) |  |

### Use case ideas

- bom-link (VEX, SaaSBOM)
- Service "known vuln." use case
- SLSA Conformance (SPDX is looking into this)

---

## SPDX examples

For convenience, examples are copied locally from:

- https://github.com/spdx/spdx-examples

| Name | SPDXID | Example (SBOM) | Description | Notes |
| :-- | :-- | :-- | :-- | :-- |
| "hello" | "SPDXRef-Package-hello" | [spdx/example1/example1.json](spdx/example1/example1.json) | SBOM for the binary "/build/hello" built from a single "C" source file |  |
| "hello-src" | "SPDXRef-Package-hello-src" | [spdx/example2/example2-src.json](spdx/example2/example2-src.json) | "hello.c" with "Makefile" |  |
| "hello-bin" | "SPDXRef-Package-hello-bin" | [spdx/example2/example2-bin.json](spdx/example2/example2-bin.json) | "hello" ("C" language) binary only |  |
| "hello-go-src" | "SPDXRef-Package-hello-go-src" | [spdx/example5/example5-src.json](spdx/example5/example5-src.json) | "hello.go" with "Makefile" |  |
| "hello-go-bin" | "SPDXRef-Package-hello-go-bin" | [spdx/example5/example5-bin.json](spdx/example5/example5-bin.json) | "hello" ("Go" language) binary only |  |
| "hello-go-src" | "SPDXRef-Package-hello-go-src" | [spdx/example6/example6-src.json](spdx/example6/example6-src.json) | "hello.go" with "Makefile" |  |
| "hello-go-bin" | "SPDXRef-Package-hello-go-bin" | [spdx/example6/example6-bin.json](spdx/example6/example6-bin.json) | "hello" ("Go" language) binary only |  |
| "go-lib" | "SPDXRef-Package-go.reflect" | [spdx/example6/example6-lib.json](spdx/example6/example6-lib.json) | A "Go" package distribution containing other Go packages | This seems to be the unique aspect of Example 6; the source and binary SBOMs seem to be there for completeness. |