github.com/CycloneDX/sbom-utility@v0.16.0/examples/cyclonedx/usecases/cdx-use-case-external-references.json (about)

     1  {
     2        "bomFormat":"CycloneDX",
     3        "specVersion":"1.4",
     4        "serialNumber":"urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79",
     5        "version":1,
     6        "components":[
     7            {
     8                "type":"application",
     9                "group":"org.example",
    10                "name":"portal-server",
    11                "version":"1.0.0",
    12                "externalReferences":[
    13                    {
    14                        "type":"advisories",
    15                        "url":"https://example.org/security/feed/csaf",
    16                        "comment":"Security advisories from the vendor"
    17                    },
    18                    {
    19                        "type":"bom",
    20                        "url":"https://example.org/support/sbom/portal-server/1.0.0",
    21                        "comment":"An external SBOM that describes what this component includes. Before relying on the retrieved BOM, verify it against the hashes listed in this reference to ensure it has not been tampered with.",
    22                        "hashes":[
    23                            {
    24                                "alg":"SHA-256",
    25                                "content":"708f1f53b41f11f02d12a11b1a38d2905d47b099afc71a0f1124ef8582ec7313"
    26                            },
    27                            {
    28                                "alg":"SHA-384",
    29                                "content":"d4835048a0f57c74b8fb617d5366ab81376fc92bebe9a93bf24ba7f9da6c9aeeb6179f5d1361f6533211b15f3224cbad"
    30                            },
    31                            {
    32                                "alg":"SHA-512",
    33                                "content":"74a51ff45e4c11df9ba1f0094282c80489649cb157a75fa337992d2d4592a5a1b8cb4525de8db0ae25233553924d76c36e093ea7fa9df4e5b8b07fd2e074efd6"
    34                            }
    35                        ]
    36                    },
    37                    {
    38                        "type":"documentation",
    39                        "url":"https://example.org/support/documentation/portal-server/1.0.0",
    40                        "comment":"Vendor provided documentation for the product"
    41                    }
    42                ]
    43            },
    44            {
    45                "type":"library",
    46                "group":"org.example",
    47                "name":"persistence",
    48                "version":"5.2.0",
    49                "externalReferences":[
    50                    {
    51                        "type":"bom",
    52                        "url":"urn:uuid:bdd819e6-ee8f-42d7-a4d0-166ff44d51e8",
    53                        "comment":"Refers to the specific BOM whose serial number is given in the url. Before relying on that BOM, verify it against the hashes listed in this reference to ensure it has not been tampered with.",
    54                        "hashes":[
    55                            {
    56                                "alg":"SHA-256",
    57                                "content":"9048a24d72d3d4a1a0384f8f925566b44f133dd2a0194111a2daeb1cf9f7015b"
    58                            },
    59                            {
    60                                "alg":"SHA-384",
    61                                "content":"8640424aa9bf337678580c55d23e54b973703c6e586987d85700f24d5de383cd1add590ee5b98d1710a01aff212687f3"
    62                            },
    63                            {
    64                                "alg":"SHA-512",
    65                                "content":"45c6e3d03ec4207234e926063c484446d8b55f4bfce3f929f44cbc2320565290cc4b71de70c1d983792c6d63504f47f6b94513d09847dbae69c8f7cdd51ce980"
    66                            }
    67                        ]
    68                    }
    69                ]
    70            }
    71        ]
    72  }