SBOM Management Data Model

Today’s applications are made up of many software parts that did not originate with the organization that created the application. These parts represent the open-source, third-party, and commercial components that make up the ingredients of the application, alongside the proprietary code implemented by the organization’s engineering team. The SBOM Management data model has two major elements, SBOM parts and buckets, that model these entities.

SBOM Parts

SBOM parts represent open-source, third-party, and commercial ingredients in a software application. An SBOM part can represent an operating system such as Linux with 60k+ files, individual files, a single binary, a source bundle for an open-source component, or even fragments of code. Parts within an SBOM, and even across multiple SBOMs, are related to each other by links of various types, including dependencies, “found inside”, “related to”, and several others. SBOM parts have attributes (as do buckets), and all of these pieces are stitched together to create a unified document: the SBOM.

Buckets

Buckets are used to store a set of SBOM parts. They can represent an organization's entities such as business units and product families, as well as top-level applications and their elements such as modules and containers. Buckets can be nested under other buckets to form a hierarchy. You can think of a bucket as a collection of SBOM parts for a given context.
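The following is an added example, not code from SBOM Management or its vendor, that models the data model described in the two sections above: typed parts with attributes, typed links between them (the three link types named on the page; the exact set is an assumption), and nested buckets that collect parts for a context, stitched into one unified document. All class names, the sample parts, and the organization and product names are constructed for illustration.

```python
from __future__ import annotations

import json
from collections import deque
from dataclasses import dataclass, field

# The three link types the page names; treating them as the full set is an assumption.
LINK_TYPES = {"dependency", "found_inside", "related_to"}


@dataclass
class Part:
    """An SBOM part: an OS, a binary, a source bundle, a file, or a code fragment."""
    part_id: str
    name: str
    version: str
    origin: str                      # open-source | third-party | commercial | proprietary
    attributes: dict = field(default_factory=dict)


@dataclass
class Link:
    """A typed, directed relationship between two parts (source -> target)."""
    source: str
    target: str
    link_type: str

    def __post_init__(self) -> None:
        if self.link_type not in LINK_TYPES:
            raise ValueError(f"unknown link type: {self.link_type}")


@dataclass
class Bucket:
    """A collection of parts for one context; buckets nest to form a hierarchy."""
    bucket_id: str
    name: str
    attributes: dict = field(default_factory=dict)
    part_ids: set = field(default_factory=set)
    children: list = field(default_factory=list)

    def all_part_ids(self) -> set:
        """Part ids held by this bucket and by every bucket nested under it."""
        ids = set(self.part_ids)
        for child in self.children:
            ids |= child.all_part_ids()
        return ids


class SbomStore:
    """Holds parts and the links between them, independent of any bucket."""

    def __init__(self) -> None:
        self.parts: dict = {}
        self.links: list = []

    def add_part(self, part: Part) -> None:
        if part.part_id in self.parts:
            raise ValueError(f"duplicate part id: {part.part_id}")
        self.parts[part.part_id] = part

    def link(self, source: str, target: str, link_type: str) -> None:
        # Refuse dangling links so the unified document never references an unknown part.
        for pid in (source, target):
            if pid not in self.parts:
                raise KeyError(f"unknown part id: {pid}")
        self.links.append(Link(source, target, link_type))

    def closure(self, part_id: str, link_type: str) -> set:
        """Transitive closure over one link type starting at part_id (part_id itself excluded)."""
        seen, queue = set(), deque([part_id])
        while queue:
            current = queue.popleft()
            for lnk in self.links:
                if lnk.source == current and lnk.link_type == link_type and lnk.target not in seen:
                    seen.add(lnk.target)
                    queue.append(lnk.target)
        return seen

    def export(self, bucket: Bucket) -> dict:
        """Stitch a bucket subtree, its parts, and the links among those parts into one document."""
        ids = bucket.all_part_ids()

        def bucket_tree(b: Bucket) -> dict:
            return {"id": b.bucket_id, "name": b.name, "attributes": b.attributes,
                    "parts": sorted(b.part_ids), "children": [bucket_tree(c) for c in b.children]}

        return {
            "bucket": bucket_tree(bucket),
            "parts": [vars(self.parts[pid]) for pid in sorted(ids)],
            "links": [vars(lnk) for lnk in self.links if lnk.source in ids and lnk.target in ids],
        }


def build_sample() -> tuple:
    """Constructed sample data (hypothetical names, not any real product) exercising the model."""
    store = SbomStore()
    for pid, name, ver, origin in [
        ("linux", "Linux", "6.1", "open-source"),
        ("openssl", "OpenSSL", "3.0.13", "open-source"),
        ("zlib", "zlib", "1.3", "open-source"),
        ("libpdf", "ExamplePDF SDK", "2.4", "commercial"),
        ("checkout", "checkout-service", "1.8.0", "proprietary"),
    ]:
        store.add_part(Part(pid, name, ver, origin))
    store.parts["linux"].attributes["file_count"] = 60000   # an OS part can span tens of thousands of files
    store.link("openssl", "linux", "found_inside")
    store.link("checkout", "openssl", "dependency")
    store.link("checkout", "libpdf", "dependency")
    store.link("libpdf", "zlib", "dependency")               # makes zlib a transitive dependency of checkout
    store.link("zlib", "openssl", "related_to")

    container = Bucket("c1", "checkout-container", part_ids={"linux"})
    app = Bucket("a1", "checkout-app", part_ids={"checkout", "openssl", "libpdf", "zlib"}, children=[container])
    family = Bucket("f1", "Payments", children=[app])
    org = Bucket("o1", "Example Corp", attributes={"kind": "business-unit"}, children=[family])
    return store, org


if __name__ == "__main__":
    store, org = build_sample()
    print(json.dumps(store.export(org), indent=2))
```

Exporting the top-level bucket yields the whole hierarchy and every part under it; exporting only the container bucket yields just the OS part and drops links whose other end lies outside that context, which is the "collection of parts for a given context" behaviour the section describes. The `closure` helper answers the question a reviewer usually asks of an SBOM first: which components does the proprietary part ultimately depend on, including through commercial intermediaries.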