EO 14028 checks
Minimum elements for an SBOM
Minimum fields
EO 14028 checks correspond to the minimum elements in an SBOM as described by https://www.ntia.doc.gov/files/ntia/publications/sbom_minimum_elements_report.pdf
The table below lists the minimum elements. Some of these fields apply at the SBOM level; the others apply to each component in the SBOM.
Data Field | Description |
---|---|
SBOM Timestamp | Record of the date and time of the SBOM data creation |
SBOM Author | The name of the entity that creates the SBOM data for this component |
SBOM dependencies | Characterizing the relationship that a component X is included in software Y |
Component Name | Designation assigned to a unit of software defined by the original supplier |
Component Version | Version assigned to a unit of software defined by the original supplier |
Component Supplier Name | The name of an entity that creates, defines, and identifies components |
Component Unique Identifiers | Identifiers that are used to identify a component (such as PURL, BomRefId, etc.) |
Mapping of minimum fields
The table below maps each NTIA minimum SBOM field to its SPDX and CycloneDX equivalent.
NTIA Field | SPDX | CycloneDX |
---|---|---|
SBOM Timestamp | (2.9) Created: | metadata/timestamp |
SBOM Author | (2.8) Creator: | metadata/authors/author |
SBOM dependencies | (7.1) Relationship: DESCRIBES, CONTAINS | Inherent in nested assembly/subassembly and/or dependency graphs |
Component Name | (3.1) PackageName: | name |
Component Version | (3.3) PackageVersion: | version |
Component Supplier Name | (3.5) PackageSupplier: | supplier, publisher |
Component Unique Ids | (2.5) SPDX Document Namespace, (3.2) SPDXID: | bom/serialNumber, component/bom-ref |
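As an added example (not code from the original page or from any SBOM tool), the following Python script applies the CycloneDX column of the mapping above to a constructed CycloneDX JSON document and reports which minimum elements are missing; the component and author names in the sample are made up for illustration.

```python
import json

# Constructed sample SBOM: "libbar" deliberately lacks a version and a supplier.
SAMPLE_BOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "serialNumber": "urn:uuid:00000000-0000-4000-8000-000000000001",
    "metadata": {
        "timestamp": "2023-01-01T00:00:00Z",
        "authors": [{"name": "example-author"}],
    },
    "components": [
        {"name": "libfoo", "version": "2.1", "bom-ref": "pkg:generic/libfoo@2.1",
         "supplier": {"name": "Foo Inc"}},
        {"name": "libbar", "bom-ref": "pkg:generic/libbar"},
    ],
    "dependencies": [{"ref": "pkg:generic/libfoo@2.1",
                      "dependsOn": ["pkg:generic/libbar"]}],
})


def check_ntia_minimum(bom_json):
    """Return a list of missing NTIA minimum elements (empty list = all present)."""
    bom = json.loads(bom_json)
    meta = bom.get("metadata", {})
    failures = []
    # SBOM-level elements: timestamp, author, document identifier, dependencies
    if not meta.get("timestamp"):
        failures.append("SBOM Timestamp: metadata/timestamp missing")
    if not meta.get("authors"):
        failures.append("SBOM Author: metadata/authors missing")
    if not bom.get("serialNumber"):
        failures.append("SBOM Unique Id: bom/serialNumber missing")
    nested = any(c.get("components") for c in bom.get("components", []))
    if not bom.get("dependencies") and not nested:
        failures.append("SBOM dependencies: no dependency graph or nested assemblies")
    # Component-level elements, checked for every component in the SBOM
    for i, comp in enumerate(bom.get("components", [])):
        label = comp.get("name") or f"component #{i}"
        if not comp.get("name"):
            failures.append(f"{label}: Component Name missing")
        if not comp.get("version"):
            failures.append(f"{label}: Component Version missing")
        if not (comp.get("supplier") or comp.get("publisher")):
            failures.append(f"{label}: Component Supplier Name missing")
        if not (comp.get("bom-ref") or comp.get("purl")):
            failures.append(f"{label}: Component Unique Id (bom-ref/purl) missing")
    return failures
```

Running `check_ntia_minimum(SAMPLE_BOM)` reports only the two gaps in `libbar`; an SPDX document would be checked the same way against the SPDX column (Created, Creator, PackageName, and so on).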