Sections in an SBOM

An SBOM contains the following major sections, which can be written to the resulting JSON file:

Header fields

Pascal Analyzer automatically creates these mandatory fields at the top of the SBOM. Among them are a GUID that uniquely identifies the SBOM, and a version number. The GUID is set the first time an SBOM is generated and then remains the same for all subsequent SBOMs you generate for a particular Pascal Analyzer project.

Metadata

Metadata includes the supplier, the manufacturer, and the target component that the SBOM describes. It also includes the tools used to create the SBOM, and license information for the SBOM itself. Pascal Analyzer will assist in creating this mandatory section. Some important data for the metadata section can be set directly in the configuration dialog; alternatively, you can set up an INI file to provide the data.

Components

This section contains the complete inventory of first-party and third-party components. It provides data such as manufacturer information, license and copyright details, plus pedigree and provenance for every component. Pascal Analyzer will assist in creating this section.

Services

Services are external APIs that your product calls. Endpoint URLs and authentication conditions are among the data in this section. Currently Pascal Analyzer does not assist in creating this section. If your product consumes services, you will have to add this information manually.

Dependencies

This section describes the dependencies of components on other components. Pascal Analyzer will assist in creating this section by documenting the relationships both among your own files and to third-party components.

Compositions

Compositions describe different parts (components, services, and dependency relationships) and their completeness. Each composition can be described as complete, incomplete, incomplete first-party only, incomplete third-party only, or unknown.

Vulnerabilities

Known vulnerabilities arising from the use of third-party components can be described in this section.

Formulation

Formulation describes how something was manufactured or deployed. Workflows, for example, can be described in this section.

Annotations

Annotations contain comments, notes, explanations, or similar items which provide additional context to the objects in the SBOM.

Definitions

Standards, requirements, and supporting documentation are described in this section.

Declarations

Declarations describe the conformance to standards.

Citations

Citations identify who contributed specific pieces of information to an SBOM and when that contribution was made.

Extensions

This section allows new capabilities to be added to an SBOM. In particular, the properties key makes it possible to add your own extra data to an SBOM. We use it to optionally generate information about file path, size and timestamp.

See the “Authoritative Guide to SBOM” at https://cyclonedx.org/guides/OWASP_CycloneDX-Authoritative-Guide-to-SBOM-en.pdf for more insight about the different parts of an SBOM.

Pascal Analyzer provides support for creating Metadata, Components and Dependencies. Other sections will need manual input.
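The sections Pascal Analyzer fills in (header fields, Metadata, Components, Dependencies) and the properties extension, shown as a constructed CycloneDX JSON document together with a consistency check a reviewer can run over a generated file: the serial number must be a urn:uuid GUID, the version a positive integer, and every dependency reference must resolve to a component in the inventory. This is an added example, not output from Pascal Analyzer or part of its documentation; the component names, the urn:uuid value and the x-pa:* property names are assumed placeholders, not values the tool actually emits.

```python
import json
import re

# Constructed sample SBOM (added example, not real Pascal Analyzer output). Names,
# the urn:uuid value and the "x-pa:*" property names are placeholders; "missing"
# is a deliberately dangling dependency reference that the check should report.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79",  # header GUID
    "version": 1,                                                    # header version
    "metadata": {
        "tools": [{"name": "Pascal Analyzer"}],
        "component": {"type": "application", "name": "MyApp", "bom-ref": "app"},
    },
    "components": [
        {"type": "library", "name": "MyUnit", "bom-ref": "myunit",
         "properties": [{"name": "x-pa:path", "value": "src/MyUnit.pas"}]},
        {"type": "library", "name": "ThirdParty", "version": "2.1", "bom-ref": "tp"},
    ],
    "dependencies": [
        {"ref": "app", "dependsOn": ["myunit"]},
        {"ref": "myunit", "dependsOn": ["tp", "missing"]},
    ],
})

UUID_URN = re.compile(
    r"^urn:uuid:[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$")


def check_sbom(text: str) -> list[str]:
    """Parse a CycloneDX JSON SBOM and return the problems found (empty = OK)."""
    bom = json.loads(text)
    problems = []
    if bom.get("bomFormat") != "CycloneDX":
        problems.append("bomFormat is not CycloneDX")
    if not UUID_URN.match(bom.get("serialNumber", "")):
        problems.append("serialNumber is not a urn:uuid GUID")
    if not isinstance(bom.get("version"), int) or bom["version"] < 1:
        problems.append("version is not a positive integer")
    # Inventory of bom-refs: the metadata component plus every listed component.
    refs = {c["bom-ref"] for c in bom.get("components", []) if "bom-ref" in c}
    meta_ref = bom.get("metadata", {}).get("component", {}).get("bom-ref")
    if meta_ref:
        refs.add(meta_ref)
    # Every dependency edge must point at a component that is in the inventory.
    for dep in bom.get("dependencies", []):
        for target in [dep.get("ref")] + dep.get("dependsOn", []):
            if target not in refs:
                problems.append(f"dependency refers to unknown bom-ref {target!r}")
    return problems
```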