EO 14028 checks
Minimum elements for an SBOM
EO 14028 checks correspond to the minimum elements of an SBOM as defined in the NTIA report "The Minimum Elements For a Software Bill of Materials (SBOM)": https://www.ntia.doc.gov/files/ntia/publications/sbom_minimum_elements_report.pdf

The table below lists the minimum elements. Three of them (SBOM Timestamp, SBOM Author and SBOM dependencies) apply at the SBOM level; the Component fields apply to every component listed in the SBOM.
Data Field | Description |
---|---|
SBOM Timestamp | Record of the date and time of the SBOM data creation |
SBOM Author | The name of the entity that creates the SBOM data for this component |
SBOM dependencies | Characterizing the relationship that a component X is included in software Y |
Component Name | Designation assigned to a unit of software defined by the original supplier |
Component Version | Version assigned to a unit of software defined by the original supplier |
Component Supplier Name | The name of an entity that creates, defines, and identifies components |
Component Unique Identifiers | Identifiers that are used to identify a component (like PURL, bom-ref, etc.) |

Below is a table mapping the NTIA minimum SBOM fields to SPDX and CycloneDX. The numbers in parentheses are section numbers of the SPDX 2.x specification; the CycloneDX column gives the JSON path of the field.

Data Field | SPDX | CycloneDX |
---|---|---|
SBOM Timestamp | (2.9) Created | metadata/timestamp |
SBOM Author | (2.8) Creator | metadata/authors/author |
SBOM dependencies | (7.1) Relationship: DESCRIBES, CONTAINS | Inherent in nested assembly/subassembly and/or dependency graphs |
Component Name | (3.1) PackageName | component/name |
Component Version | (3.3) PackageVersion | component/version |
Component Supplier Name | (3.5) PackageSupplier | component/supplier, component/publisher |
Component Unique Identifiers | (2.5) SPDX Document Namespace, (3.2) SPDXID | bom/serialNumber, component/bom-ref |
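As an added example (not code from the original page or from any tool it describes), the following Python script applies the mapping table above to a CycloneDX 1.x or SPDX 2.x JSON document and reports which minimum elements are unmet. Two choices go beyond the table and are assumptions of this example: an SPDX PackageSupplier of `NOASSERTION` is treated as absent, since it names nobody, and `DEPENDS_ON` is accepted alongside the `DESCRIBES`/`CONTAINS` relationships as evidence of inclusion. The two sample documents are constructed for illustration and are not real SBOMs.

```python
"""NTIA minimum-element check for CycloneDX 1.x and SPDX 2.x JSON documents.
Added example; field paths follow the mapping table on this page."""
import json

# The table lists DESCRIBES and CONTAINS; DEPENDS_ON is accepted here too (assumption).
SPDX_INCLUSION_RELS = {"DESCRIBES", "CONTAINS", "DEPENDS_ON"}


def check_cyclonedx(bom):
    """Return {NTIA element: [finding, ...]} for each element the document fails.
    An empty dict means every minimum element is present."""
    findings = {}

    def flag(element, msg):
        findings.setdefault(element, []).append(msg)

    meta = bom.get("metadata") or {}
    if not meta.get("timestamp"):
        flag("SBOM Timestamp", "metadata/timestamp is missing")
    if not meta.get("authors"):
        flag("SBOM Author", "metadata/authors is missing or empty")
    if not bom.get("serialNumber"):
        flag("Component Unique Identifiers", "bom/serialNumber is missing")

    def walk(components, path):
        # Components may nest as assembly/subassembly, so recurse into them.
        for i, comp in enumerate(components):
            label = comp.get("name") or f"{path}[{i}]"
            if not comp.get("name"):
                flag("Component Name", f"{path}[{i}] has no name")
            if not comp.get("version"):
                flag("Component Version", f"{label} has no version")
            if not (comp.get("supplier") or comp.get("publisher")):
                flag("Component Supplier Name", f"{label} has neither supplier nor publisher")
            if not comp.get("bom-ref"):
                flag("Component Unique Identifiers", f"{label} has no bom-ref")
            walk(comp.get("components") or [], f"{path}[{i}]/components")

    components = bom.get("components") or []
    walk(components, "components")
    # Inclusion is expressed by an explicit dependencies[] graph or by nesting; a
    # top-level nesting check suffices because any deeper nesting implies it.
    if not bom.get("dependencies") and not any(c.get("components") for c in components):
        flag("SBOM dependencies", "no dependencies[] graph and no nested components")
    return findings


def check_spdx(doc):
    """Same check for SPDX 2.x JSON, using the SPDX fields from the table."""
    findings = {}

    def flag(element, msg):
        findings.setdefault(element, []).append(msg)

    info = doc.get("creationInfo") or {}
    if not info.get("created"):
        flag("SBOM Timestamp", "creationInfo/created is missing")
    if not info.get("creators"):
        flag("SBOM Author", "creationInfo/creators is missing or empty")
    if not doc.get("documentNamespace"):
        flag("Component Unique Identifiers", "documentNamespace is missing")
    for i, pkg in enumerate(doc.get("packages") or []):
        label = pkg.get("name") or f"packages[{i}]"
        if not pkg.get("name"):
            flag("Component Name", f"packages[{i}] has no name")
        if not pkg.get("versionInfo"):
            flag("Component Version", f"{label} has no versionInfo")
        # NOASSERTION is syntactically valid but names no supplier (assumption).
        if pkg.get("supplier") in (None, "", "NOASSERTION"):
            flag("Component Supplier Name", f"{label} supplier is missing or NOASSERTION")
        if not pkg.get("SPDXID"):
            flag("Component Unique Identifiers", f"{label} has no SPDXID")
    rels = doc.get("relationships") or []
    if not any(r.get("relationshipType") in SPDX_INCLUSION_RELS for r in rels):
        flag("SBOM dependencies", "no DESCRIBES/CONTAINS/DEPENDS_ON relationship")
    return findings


def check(doc):
    """Dispatch on the document's format marker."""
    if doc.get("bomFormat") == "CycloneDX":
        return check_cyclonedx(doc)
    if str(doc.get("spdxVersion", "")).startswith("SPDX-"):
        return check_spdx(doc)
    raise ValueError("not a recognised CycloneDX or SPDX JSON document")


# Constructed sample documents for illustration (not real SBOMs).
CYCLONEDX_SAMPLE = {
    "bomFormat": "CycloneDX", "specVersion": "1.4", "version": 1,
    "serialNumber": "urn:uuid:00000000-0000-4000-8000-000000000001",
    "metadata": {"timestamp": "2023-01-15T12:00:00Z",
                 "authors": [{"name": "Example Build Pipeline"}]},
    "components": [
        {"type": "library", "bom-ref": "pkg:npm/libfoo@1.2.3", "name": "libfoo",
         "version": "1.2.3", "supplier": {"name": "Foo Inc"}},
        {"type": "library", "name": "libbar", "version": "0.9.0"},  # no supplier, no bom-ref
    ],
    "dependencies": [{"ref": "pkg:npm/libfoo@1.2.3", "dependsOn": []}],
}
SPDX_SAMPLE = {
    "spdxVersion": "SPDX-2.2", "SPDXID": "SPDXRef-DOCUMENT", "name": "example-app-1.0",
    "documentNamespace": "https://example.com/spdx/example-app-1.0",
    "creationInfo": {"created": "2023-01-15T12:00:00Z",
                     "creators": ["Tool: example-sbom-generator-1.0"]},
    "packages": [
        {"SPDXID": "SPDXRef-Package-app", "name": "example-app", "versionInfo": "1.0",
         "supplier": "Organization: Example Corp"},
        {"SPDXID": "SPDXRef-Package-libfoo", "name": "libfoo", "versionInfo": "1.2.3",
         "supplier": "NOASSERTION"},
    ],
    "relationships": [
        {"spdxElementId": "SPDXRef-DOCUMENT", "relationshipType": "DESCRIBES",
         "relatedSpdxElement": "SPDXRef-Package-app"},
        {"spdxElementId": "SPDXRef-Package-app", "relationshipType": "CONTAINS",
         "relatedSpdxElement": "SPDXRef-Package-libfoo"},
    ],
}

if __name__ == "__main__":
    for name, doc in (("cyclonedx", CYCLONEDX_SAMPLE), ("spdx", SPDX_SAMPLE)):
        print(name, json.dumps(check(doc), indent=2))
```

Running the script flags the CycloneDX sample for the component that carries neither supplier nor publisher and no bom-ref, and flags the SPDX sample for the package whose supplier is NOASSERTION; everything else in both samples satisfies the table. A real checker would also validate the documents against their schemas first, which this example skips.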