EO 14028 checks

Minimum elements for an SBOM

Minimum fields

The EO 14028 checks correspond to the minimum elements of an SBOM as described in the NTIA report "The Minimum Elements For a Software Bill of Materials (SBOM)": https://www.ntia.doc.gov/files/ntia/publications/sbom_minimum_elements_report.pdf

The table below lists the minimum elements. Some of these fields apply at the SBOM level; the others apply to each component in the SBOM.

Data Field                   | Description
-----------------------------|----------------------------------------------------------------------
SBOM Timestamp               | Record of the date and time of the SBOM data creation
SBOM Author                  | The name of the entity that creates the SBOM data for this component
SBOM dependencies            | Characterizing the relationship that a component X is included in software Y
Component Name               | Designation assigned to a unit of software defined by the original supplier
Component Version            | Version assigned to a unit of software defined by the original supplier
Component Supplier Name      | The name of an entity that creates, defines, and identifies components
Component Unique Identifiers | Identifiers that are used to identify a component (such as a PURL or a bom-ref)

Mapping of minimum fields

Below is a table mapping the NTIA minimum SBOM fields to their SPDX and CycloneDX equivalents. The numbers in parentheses in the SPDX column are section numbers of the SPDX 2.x specification; the CycloneDX column gives the element path in the BOM.

Data Field              | SPDX                                                | CycloneDX
------------------------|-----------------------------------------------------|----------------------------------------------------------------------
SBOM Timestamp          | (2.9) Created:                                      | metadata/timestamp
SBOM Author             | (2.8) Creator:                                      | metadata/authors/author
SBOM dependencies       | (7.1) Relationship: DESCRIBES, CONTAINS             | Inherent in nested assembly/subassembly and/or dependency graphs
Component Name          | (3.1) PackageName:                                  | name
Component Version       | (3.3) PackageVersion:                               | version
Component Supplier Name | (3.5) PackageSupplier:                              | supplier, publisher
Component Unique Ids    | (2.5) SPDX Document Namespace, (3.2) SPDXID:        | bom/serialNumber, component/bom-ref
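The mapping above is easiest to understand as a checker. The following is an added example, not code from the page or from any SBOM tool: it walks a CycloneDX JSON or SPDX JSON document along the paths in the mapping table and reports each NTIA minimum element that is missing. The sample SBOMs embedded in it are constructed for illustration (the package names, namespace URL and UUID are made up), and treating the SPDX value NOASSERTION as "not provided" is a choice made here, since a supplier of NOASSERTION tells a consumer nothing.

```python
"""Check an SBOM for the NTIA minimum elements (EO 14028) via the SPDX/CycloneDX mapping.

Added example; sample SBOMs below are constructed, not taken from a real project.
"""
import json

NOASSERTION = "NOASSERTION"  # SPDX placeholder; treated as "not provided" here (our choice)


def check_cyclonedx(bom):
    """Return a list of findings for a CycloneDX JSON BOM (empty list = all elements present)."""
    findings = []
    meta = bom.get("metadata") or {}
    if not meta.get("timestamp"):                      # SBOM Timestamp -> metadata/timestamp
        findings.append("SBOM Timestamp: metadata/timestamp missing")
    # metadata/authors/author in XML is the JSON array metadata.authors
    if not any(a.get("name") for a in meta.get("authors") or []):
        findings.append("SBOM Author: metadata/authors missing")
    if not bom.get("serialNumber"):                    # SBOM-level unique id -> bom/serialNumber
        findings.append("SBOM Unique Id: serialNumber missing")
    components = bom.get("components") or []
    nested = any(c.get("components") for c in components)
    if not bom.get("dependencies") and not nested:     # dependency graph or nested assemblies
        findings.append("SBOM dependencies: no dependency graph or nested components")
    for i, c in enumerate(components):
        label = c.get("name") or f"components[{i}]"
        if not c.get("name"):
            findings.append(f"Component Name: components[{i}] has no name")
        if not c.get("version"):
            findings.append(f"Component Version: {label} has no version")
        if not ((c.get("supplier") or {}).get("name") or c.get("publisher")):
            findings.append(f"Component Supplier Name: {label} has no supplier or publisher")
        if not (c.get("bom-ref") or c.get("purl")):
            findings.append(f"Component Unique Ids: {label} has no bom-ref or purl")
    return findings


def check_spdx(doc):
    """Return a list of findings for an SPDX 2.x JSON document (empty list = all elements present)."""
    findings = []
    info = doc.get("creationInfo") or {}
    if not info.get("created"):                        # (2.9) Created
        findings.append("SBOM Timestamp: creationInfo/created missing")
    if not info.get("creators"):                       # (2.8) Creator
        findings.append("SBOM Author: creationInfo/creators missing")
    if not doc.get("documentNamespace"):               # (2.5) SPDX Document Namespace
        findings.append("SBOM Unique Id: documentNamespace missing")
    rel_types = {r.get("relationshipType") for r in doc.get("relationships") or []}
    if not rel_types & {"DESCRIBES", "CONTAINS"}:      # (7.1) Relationship
        findings.append("SBOM dependencies: no DESCRIBES or CONTAINS relationships")
    for i, p in enumerate(doc.get("packages") or []):
        label = p.get("name") or f"packages[{i}]"
        if not p.get("name"):                                              # (3.1) PackageName
            findings.append(f"Component Name: packages[{i}] has no name")
        if p.get("versionInfo", NOASSERTION) == NOASSERTION:               # (3.3) PackageVersion
            findings.append(f"Component Version: {label} has no version")
        if p.get("supplier", NOASSERTION) == NOASSERTION:                  # (3.5) PackageSupplier
            findings.append(f"Component Supplier Name: {label} has no supplier")
        if not p.get("SPDXID"):                                            # (3.2) SPDXID
            findings.append(f"Component Unique Ids: {label} has no SPDXID")
    return findings


def check_sbom(text):
    """Detect the SBOM format from the JSON text and run the matching checker."""
    data = json.loads(text)
    if data.get("bomFormat") == "CycloneDX":
        return check_cyclonedx(data)
    if "spdxVersion" in data:
        return check_spdx(data)
    raise ValueError("unrecognised SBOM format (expected CycloneDX or SPDX JSON)")


# Constructed sample: a CycloneDX BOM that satisfies every minimum element.
CDX_OK = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.4", "version": 1,
    "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79",
    "metadata": {"timestamp": "2023-01-01T00:00:00Z", "authors": [{"name": "Example Corp SBOM team"}],
                 "component": {"type": "application", "bom-ref": "app", "name": "example-app", "version": "1.0"}},
    "components": [{"type": "library", "bom-ref": "pkg:npm/libfoo@2.1.0", "name": "libfoo", "version": "2.1.0",
                    "supplier": {"name": "Foo Maintainers"}, "purl": "pkg:npm/libfoo@2.1.0"}],
    "dependencies": [{"ref": "app", "dependsOn": ["pkg:npm/libfoo@2.1.0"]}],
})

# Constructed sample: an SPDX document whose only package asserts neither version nor supplier.
SPDX_BAD = json.dumps({
    "spdxVersion": "SPDX-2.2", "SPDXID": "SPDXRef-DOCUMENT", "name": "example-app",
    "documentNamespace": "https://example.com/sbom/example-app-1.0",
    "creationInfo": {"created": "2023-01-01T00:00:00Z", "creators": ["Tool: example-tool"]},
    "packages": [{"SPDXID": "SPDXRef-Package-libfoo", "name": "libfoo",
                  "versionInfo": NOASSERTION, "supplier": NOASSERTION}],
    "relationships": [{"spdxElementId": "SPDXRef-DOCUMENT", "relationshipType": "DESCRIBES",
                       "relatedSpdxElement": "SPDXRef-Package-libfoo"}],
})

if __name__ == "__main__":
    for name, text in (("CDX_OK", CDX_OK), ("SPDX_BAD", SPDX_BAD)):
        print(name, check_sbom(text) or "all NTIA minimum elements present")
```

Run as-is it reports the CycloneDX sample as complete and flags two findings against the SPDX sample (missing version and supplier). A real check would also want to confirm that every `dependencies[].ref` in CycloneDX and every `relatedSpdxElement` in SPDX resolves to a declared component, which this example does not do.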
