Department of Commerce
The Minimum Elements for an SBOM
10
this is outside the scope of the initial SBOM discussion.[7]
For these minimum elements, the version is that offered by the supplier since that party has the ultimate responsibility for tracking and maintaining the software in question, similar to the component name. The desired function of a version string is to identify a specific code delivery. While there are versioning best practices (e.g., semantic versioning[8]), they are by no means ubiquitous today.
Other unique identifiers support automated efforts to map data across data uses and ecosystems and can reinforce certainty in instances of uncertainty. Examples of commonly used unique identifiers are Common Platform Enumeration (CPE),[9] Software Identification (SWID) tags,[10] and Package Uniform Resource Locators (PURL).[11] These other identifiers may not be available for every piece of software, but should be used if they exist.
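The PURL identifier named above has a fixed textual structure (`pkg:type/namespace/name@version?qualifiers#subpath`) that tooling can decompose without any lookup service. The following parser is an added example written for this page in Python; it is not code from the document or from the purl-spec project. It applies the generic splitting and percent-decoding rules of the purl-spec and leaves out the per-type normalization rules the spec also defines; the sample identifiers at the bottom are constructed.

```python
"""Parser for Package URL (purl) identifiers, following the generic
decomposition rules of the purl-spec (https://github.com/package-url/purl-spec).

Added example, not code from the document or the purl-spec project.
Per-type normalization rules are deliberately left out; the sample
purls in __main__ are constructed."""
from dataclasses import dataclass, field
from typing import Dict, Optional
from urllib.parse import unquote


@dataclass
class PackageURL:
    type: str
    name: str
    namespace: Optional[str] = None
    version: Optional[str] = None
    qualifiers: Dict[str, str] = field(default_factory=dict)
    subpath: Optional[str] = None


def parse_purl(purl: str) -> PackageURL:
    """Split a purl in the order the spec prescribes: subpath ('#') off the
    right, then qualifiers ('?'), then version ('@'), then the 'pkg:' scheme,
    type, optional namespace and name."""
    remainder, _, subpath = purl.partition("#")
    # Empty, '.' and '..' segments are discarded from the subpath.
    parts = [unquote(p) for p in subpath.split("/") if p not in ("", ".", "..")]
    subpath = "/".join(parts) or None

    remainder, _, qualifier_str = remainder.partition("?")
    qualifiers: Dict[str, str] = {}
    for pair in qualifier_str.split("&"):
        key, _, value = pair.partition("=")
        if key and value:  # a qualifier with an empty value is dropped
            qualifiers[key.lower()] = unquote(value)

    remainder, sep, version = remainder.rpartition("@")
    if sep:
        version = unquote(version)
    else:
        remainder, version = version, None  # no version present

    scheme, sep, rest = remainder.partition(":")
    if not sep or scheme.lower() != "pkg":
        raise ValueError(f"not a purl (missing 'pkg:' scheme): {purl!r}")

    # Leading slashes after the scheme are ignored; first segment is the type,
    # last is the name, anything between is the namespace.
    segments = [s for s in rest.strip("/").split("/") if s]
    if len(segments) < 2:
        raise ValueError(f"purl needs at least a type and a name: {purl!r}")
    ptype = segments[0].lower()
    name = unquote(segments[-1])
    namespace = "/".join(unquote(s) for s in segments[1:-1]) or None
    return PackageURL(ptype, name, namespace, version, qualifiers, subpath)


if __name__ == "__main__":
    # Constructed sample identifiers covering an encoded namespace,
    # qualifiers, a multi-segment namespace and a subpath.
    for sample in ("pkg:npm/%40angular/animation@12.3.1",
                   "pkg:maven/org.apache.commons/commons-text@1.9?type=jar",
                   "pkg:golang/github.com/gorilla/mux@v1.8.0#internal/handlers"):
        print(parse_purl(sample))
```

Splitting from the right for `#`, `?` and `@` before touching the left-hand part is what makes an encoded `@` in an npm scope or a `/` inside a Go module path unambiguous; a parser that splits on the first `@` or `/` would misread both.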
Dependency relationship reflects the directional aspect of software inclusion, and it enables the representation of transitivity from a piece of software to its component and a potential sub-component. Lastly, the SBOM-specific metadata help with the tracking of the SBOM itself. Author reflects the source of the metadata, which could come from the creator of the software being described in the SBOM, the upstream component supplier, or some third-party analysis tool. Note that this is not the author of the software itself, just the source of the descriptive data. Timestamp records when the data is assembled, that is, the point of SBOM creation. These fields further support establishing the origin of the data, and help identify updated versions of the SBOM. These data fields provide context to the SBOM data source, and can potentially be used to make trust determinations.
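How the baseline fields, the directional dependency relationship and the SBOM metadata fit together in practice is easier to see on a small record. The following is an added Python example written for this page, not code from the document or from any SBOM tool: it records only direct dependencies per component, derives the transitive set by walking those edges (handling shared sub-components and cycles), flags dependencies that are referenced but never described, and keeps author and timestamp on the SBOM rather than on the software. All component names, versions, identifiers and the author string are constructed sample data.

```python
"""In-memory model of the SBOM baseline fields and a walk of the dependency
relationships it records.

Added example; not code from the document. Component names, versions,
identifiers and the author string are constructed sample data."""
import json
from datetime import datetime, timezone
from typing import Dict, Iterable, List, Optional, Set


def component_ref(name: str, version: str) -> str:
    """Key a component by name and version, since one name may appear at several versions."""
    return f"{name}@{version}"


def make_component(supplier: str, name: str, version: str,
                   identifiers: Iterable[str] = (), depends_on: Iterable[str] = ()) -> Dict:
    """One component record: supplier, name, version, other unique identifiers and the
    direct (first-level) dependency relationships only; transitive ones are derived."""
    return {
        "ref": component_ref(name, version),
        "supplier": supplier,
        "name": name,
        "version": version,
        "unique_identifiers": list(identifiers),
        "depends_on": list(depends_on),
    }


def make_sbom(primary_ref: str, components: List[Dict], author: str,
              timestamp: Optional[datetime] = None) -> Dict:
    """Attach the SBOM-specific metadata: the author of the SBOM data (a tool or
    party, not the software's author) and the UTC time the data was assembled."""
    when = timestamp or datetime.now(timezone.utc)
    return {
        "author": author,
        "timestamp": when.astimezone(timezone.utc).replace(microsecond=0).isoformat(),
        "primary_component": primary_ref,
        "components": {c["ref"]: c for c in components},
    }


def transitive_dependencies(sbom: Dict, root_ref: str) -> Set[str]:
    """Every ref reachable from root_ref over 'depends_on' edges: the transitive closure
    of the directional inclusion relationship. The visited set handles shared
    sub-components and cycles."""
    components = sbom["components"]
    seen: Set[str] = set()
    stack = [root_ref]
    while stack:
        current = stack.pop()
        for dep in components.get(current, {}).get("depends_on", []):
            if dep not in seen:
                seen.add(dep)
                stack.append(dep)
    return seen


def unresolved_dependencies(sbom: Dict) -> Set[str]:
    """Refs that appear as a dependency but have no component record: the points where
    the SBOM author's visibility stopped, which a consumer should be able to see."""
    components = sbom["components"]
    referenced = {d for c in components.values() for d in c["depends_on"]}
    return referenced - set(components)


def to_json(sbom: Dict) -> str:
    """Machine-readable serialization with stable key order, so two SBOM versions diff cleanly."""
    return json.dumps(sbom, indent=2, sort_keys=True)


def sample_sbom() -> Dict:
    """Constructed data: an application whose two direct dependencies share one
    sub-component, which in turn names a dependency nobody described."""
    components = [
        make_component("Example Corp", "webapp", "3.1.0",
                       ["pkg:generic/webapp@3.1.0"], ["libfoo@2.4.1", "libbar@1.0.7"]),
        make_component("Foo Project", "libfoo", "2.4.1",
                       ["pkg:generic/libfoo@2.4.1"], ["libbaz@0.9.2"]),
        make_component("Bar Project", "libbar", "1.0.7",
                       ["cpe:2.3:a:bar_project:libbar:1.0.7:*:*:*:*:*:*:*"], ["libbaz@0.9.2"]),
        make_component("Baz Project", "libbaz", "0.9.2",
                       ["pkg:generic/libbaz@0.9.2"], ["libqux@5.0.0"]),
    ]
    # Fixed constructed timestamp so the output is reproducible.
    return make_sbom("webapp@3.1.0", components, "example-sbom-tool/1.0 (constructed)",
                     timestamp=datetime(2021, 7, 1, 12, 0, tzinfo=timezone.utc))


if __name__ == "__main__":
    sbom = sample_sbom()
    print(sorted(transitive_dependencies(sbom, sbom["primary_component"])))
    print(sorted(unresolved_dependencies(sbom)))
    print(to_json(sbom))
```

Keying components by name plus version rather than name alone matters as soon as one dependency tree pulls in two versions of the same library; and keeping `depends_on` to direct relationships keeps the record honest about what the author actually observed, with the transitive view computed by the consumer.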
Automation Support
Support for automation, including automatic generation and machine-readability, allows the ability to scale across the software ecosystem, particularly across organizational boundaries. Taking advantage of SBOM data will require tooling, which necessitates predictable implementation and data formats. For example, some agencies may want to integrate this capability into their existing vulnerability management practices; others might desire real-time
[7] As more visibility emerges through SBOM use and consumption, we can expect further discussions, and potentially greater convergence of diverse models, approaches, and schemas.
[8] Semantic Versioning 2.0.0, https://semver.org/ (last visited July 1, 2021).
[9] See Framing Working Group, Nat'l Telecomms. & Info. Admin., Software Identification Challenges and Guidance (2021), https://www.ntia.gov/files/ntia/publications/ntia_sbom_software_identity-2021mar30.pdf; Official Common Platform Enumeration (CPE) Dictionary, Nat'l Inst. Standards & Tech., https://nvd.nist.gov/products/cpe (last visited July 2, 2021).
[10] See Software Identification Challenges and Guidance, supra note 9; ISO/IEC 19770-2:2015 Information Technology – IT Asset Management – Part 2: Software Identification Tag, Int'l Standards Org., https://www.iso.org/standard/65666.html (last visited July 2, 2021).
[11] See Software Identification Challenges and Guidance, supra note 9; Package-url/purl-spec, GitHub, https://github.com/package-url/purl-spec (last visited July 2, 2021).