github.com/CycloneDX/sbom-utility@v0.16.0/test/cyclonedx/1.6/specification/valid-evidence-1.6.json
{
  "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json",
  "bomFormat": "CycloneDX",
  "specVersion": "1.6",
  "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79",
  "version": 1,
  "components": [
    {
      "type": "application",
      "group": "com.google.code.findbugs",
      "name": "findbugs-project",
      "version": "3.0.0",
      "licenses": [
        {
          "license": {
            "id": "LGPL-3.0-or-later",
            "url": "https://www.gnu.org/licenses/lgpl-3.0-standalone.html"
          }
        }
      ],
      "purl": "pkg:maven/com.google.code.findbugs/findbugs-project@3.0.0",
      "evidence": {
        "identity": {
          "field": "purl",
          "confidence": 1,
          "methods": [
            {
              "technique": "filename",
              "confidence": 0.1,
              "value": "findbugs-project-3.0.0.jar"
            },
            {
              "technique": "ast-fingerprint",
              "confidence": 0.9,
              "value": "61e4bc08251761c3a73b606b9110a65899cb7d44f3b14c81ebc1e67c98e1d9ab"
            },
            {
              "technique": "hash-comparison",
              "confidence": 0.7,
              "value": "7c547a9d67cc7bc315c93b6e2ff8e4b6b41ae5be454ac249655ecb5ca2a85abf"
            }
          ],
          "tools": [
            "bom-ref-of-tool-that-performed-analysis"
          ]
        },
        "occurrences": [
          {
            "bom-ref": "d6bf237e-4e11-4713-9f62-56d18d5e2079",
            "location": "/path/to/component"
          },
          {
            "bom-ref": "b574d5d1-e3cf-4dcd-9ba5-f3507eb1b175",
            "location": "/another/path/to/component"
          }
        ],
        "callstack": {
          "frames": [
            {

              "package": "com.apache.logging.log4j.core",
              "module": "Logger.class",
              "function": "logMessage",
              "parameters": [
                "com.acme.HelloWorld", "Level.INFO", "null", "Hello World"
              ],
              "line": 150,
              "column": 17,
              "fullFilename": "/path/to/log4j-core-2.14.0.jar!/org/apache/logging/log4j/core/Logger.class"
            },
            {
              "module": "HelloWorld.class",
              "function": "main",
              "line": 20,
              "column": 12,
              "fullFilename": "/path/to/HelloWorld.class"
            }
          ]
        },
        "licenses": [
          {
            "license": {
              "id": "Apache-2.0",
              "url": "http://www.apache.org/licenses/LICENSE-2.0"
            }
          },
          {
            "license": {
              "id": "LGPL-2.1-only",
              "url": "https://opensource.org/licenses/LGPL-2.1"
            }
          }
        ],
        "copyright": [
          {
            "text": "Copyright 2012 Google Inc. All Rights Reserved."
          },
          {
            "text": "Copyright (C) 2004,2005 Dave Brosius <dbrosius@users.sourceforge.net>"
          },
          {
            "text": "Copyright (C) 2005 William Pugh"
          },
          {
            "text": "Copyright (C) 2004,2005 University of Maryland"
          }
        ]
      }
    },
    {
      "type": "application",
      "group": "com.example",
      "name": "example-project",
      "version": "1.0.0",
      "purl": "pkg:maven/com.example/example-project@1.0.0",
      "evidence": {
        "identity": [
          {
            "field": "group",
            "confidence": 0.1,
            "concludedValue": "com.example",
            "methods": [
              {
                "technique": "filename",
                "confidence": 0.1,
                "value": "example-project-1.0.0.jar"
              }
            ]
          },
          {
            "field": "name",
            "confidence": 0.1,
            "concludedValue": "example-project",
            "methods": [
              {
                "technique": "filename",
                "confidence": 0.1,
                "value": "example-project-1.0.0.jar"
              }
            ]
          },
          {
            "field": "version",
            "confidence": 0.1,
            "concludedValue": "1.0.0",
            "methods": [
              {
                "technique": "filename",
                "confidence": 0.1,
                "value": "example-project-1.0.0.jar"
              }
            ]
          }
        ]
      }
    }
  ]
}