SBOM Field Coverage (SPDX & CycloneDX)

Overview

This page describes, field by field, what Mend.io includes in each SBOM format, how it maps to the official standards, and what information each field conveys to users.

SPDX Export

Field-by-Field Explanation

| Field | Description / Meaning | Example (JSON) |
|---|---|---|
| `spdxVersion` | SPDX schema version used for validation and tooling compatibility. | `"SPDX-2.3"` |
| `SPDXID` | Unique identifier for a document or package. Used in relationships to reference entities. | `"SPDXRef-Package-finalhandler-1.1.2.tgz"` |
| `documentNamespace` | Unique namespace for the SBOM instance, ensuring ID uniqueness across systems. | `"https://mend.io/spdx/doc/..."` |
| `creationInfo.created` | Timestamp when the SBOM was generated. | `"2025-10-12T13:12:04Z"` |
| `creationInfo.creators` | Lists entities that created the SBOM (organization, tool, user). | `"Tool: Mend SPDX Report Generator"` |
| `documentDescribes` | Links the document to the top-level application it describes. | `"SPDXRef-Application-..."` |
| `packages[]` | Array of all detected packages/components. | `[ {...}, {...} ]` |
| `packages[].name` | Package name. | `"minimatch"` |
| `packages[].versionInfo` | Package version. | `"3.0.4"` |
| `packages[].downloadLocation` | URL where the package was retrieved. | `"https://registry.npmjs.org/minimatch/-/minimatch-3.0.4.tgz"` |
| `packages[].homepage` | Homepage or project site. | `"https://github.com/isaacs/minimatch"` |
| `packages[].description` | Text description of the component. | `"Glob matching utility for node.js"` |
| `packages[].licenseDeclared` | License as declared by the package. | `"ISC"` |
| `packages[].licenseConcluded` | Mend.io’s normalized license interpretation. | `"ISC"` |
| `packages[].checksums` | Hash values to verify package integrity. | `"SHA1": "0d055d53f5052..."` |
| `packages[].filesAnalyzed` | Boolean indicating whether file-level analysis was done. Mend.io sets `false`. | `false` |
| `packages[].primaryPackagePurpose` | Categorizes the package’s role (e.g., LIBRARY, APPLICATION). | `"LIBRARY"` |
| `packages[].supplier` / `originator` | The entity that supplied or authored the software. Often `"NOASSERTION"`. | `"NOASSERTION"` |
| `packages[].attributionTexts` | Mend.io’s internal metadata (e.g., PkgUuid, PkgType) for internal traceability. | `"PkgUuid: 93771849-..."` |
| `packages[].externalRefs` | External identifiers or references (package URLs, repos, advisories). | See below |

Vulnerability References in SPDX

| Subfield | Meaning | Example |
|---|---|---|
| `externalRefs[].referenceCategory` | Type of external reference (`"SECURITY"`, `"PACKAGE-MANAGER"`, etc.). | `"SECURITY"` |
| `externalRefs[].referenceType` | Kind of reference (`"advisory"`, `"purl"`, `"repository"`). | `"advisory"` |
| `externalRefs[].referenceLocator` | URL or identifier of the external resource. | `"https://nvd.nist.gov/vuln/detail/CVE-2022-3517"` |

Dependency Relationships in SPDX

| Subfield | Meaning | Example |
|---|---|---|
| `relationships[].spdxElementId` | The “parent” component (the one declaring the dependency). | `"SPDXRef-Package-finalhandler-1.1.2.tgz"` |
| `relationships[].relationshipType` | Type of relationship (`"DEPENDS_ON"`, `"CONTAINS"`, `"DESCRIBES"`). | `"DEPENDS_ON"` |
| `relationships[].relatedSpdxElement` | The component being depended upon. | `"SPDXRef-Package-unpipe-1.0.0.tgz"` |

The `relationships[]` array gives SPDX SBOMs the same dependency-graph visibility that CycloneDX provides through `dependencies[]`.
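The SPDX tables above describe three things a consumer has to join together: the package list, the `SECURITY` entries in `externalRefs`, and the `DEPENDS_ON` edges in `relationships[]`. The following Python is an added example (not Mend.io code and not part of this page's export) that does exactly that join on a constructed SPDX 2.3 document. Only the `minimatch` 3.0.4 package, the CVE-2022-3517 advisory URL and the `finalhandler`/`unpipe` SPDXIDs come from the page; the root application, the `sample-app` name, the `example.invalid` namespace, the zeroed checksum and the `pkg()`/`rel()` helpers are assumptions made for the example.

```python
"""Rebuild the dependency graph from relationships[], collect SECURITY references from
packages[].externalRefs, and join the two: which advisories does the application reach,
and through which path? Constructed SPDX 2.3 document; not a real Mend.io export."""
import json
from collections import defaultdict, deque

APP = "SPDXRef-Application-sample-app"  # constructed root application
FINALHANDLER = "SPDXRef-Package-finalhandler-1.1.2.tgz"
UNPIPE = "SPDXRef-Package-unpipe-1.0.0.tgz"
MINIMATCH = "SPDXRef-Package-minimatch-3.0.4.tgz"
ADVISORY = "https://nvd.nist.gov/vuln/detail/CVE-2022-3517"


def pkg(spdx_id, name, version, purl, extra_refs=()):
    """One constructed packages[] entry carrying the fields Mend.io populates."""
    return {
        "SPDXID": spdx_id, "name": name, "versionInfo": version,
        "downloadLocation": f"https://registry.npmjs.org/{name}/-/{name}-{version}.tgz",
        "filesAnalyzed": False, "primaryPackagePurpose": "LIBRARY", "supplier": "NOASSERTION",
        "licenseDeclared": "MIT", "licenseConcluded": "MIT",
        "checksums": [{"algorithm": "SHA1", "checksumValue": "0" * 40}],  # placeholder digest
        "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                          "referenceLocator": purl}, *extra_refs],
    }


def rel(parent, kind, child):
    return {"spdxElementId": parent, "relationshipType": kind, "relatedSpdxElement": child}


SAMPLE_SPDX = json.dumps({
    "spdxVersion": "SPDX-2.3", "SPDXID": "SPDXRef-DOCUMENT",
    "documentNamespace": "https://example.invalid/spdx/doc/constructed-sample",
    "creationInfo": {"created": "2025-10-12T13:12:04Z", "creators": ["Tool: Mend SPDX Report Generator"]},
    "documentDescribes": [APP],
    "packages": [
        {"SPDXID": APP, "name": "sample-app", "versionInfo": "1.0.0", "filesAnalyzed": False,
         "downloadLocation": "NOASSERTION", "primaryPackagePurpose": "APPLICATION"},
        pkg(FINALHANDLER, "finalhandler", "1.1.2", "pkg:npm/finalhandler@1.1.2"),
        pkg(UNPIPE, "unpipe", "1.0.0", "pkg:npm/unpipe@1.0.0"),
        pkg(MINIMATCH, "minimatch", "3.0.4", "pkg:npm/minimatch@3.0.4", extra_refs=[
            {"referenceCategory": "SECURITY", "referenceType": "advisory",
             "referenceLocator": ADVISORY}]),
    ],
    "relationships": [rel("SPDXRef-DOCUMENT", "DESCRIBES", APP),
                      rel(APP, "DEPENDS_ON", FINALHANDLER),
                      rel(APP, "DEPENDS_ON", MINIMATCH),
                      rel(FINALHANDLER, "DEPENDS_ON", UNPIPE)],
})


def load_spdx(text):
    """Parse, pin the schema version, and reject relationships that point at unknown SPDXIDs."""
    doc = json.loads(text)
    if doc.get("spdxVersion") != "SPDX-2.3":
        raise ValueError(f"unexpected spdxVersion {doc.get('spdxVersion')!r}")
    known = {p["SPDXID"] for p in doc["packages"]} | {doc["SPDXID"]}
    for r in doc.get("relationships", []):
        for end in (r["spdxElementId"], r["relatedSpdxElement"]):
            if end not in known:
                raise ValueError(f"relationship references unknown SPDXID {end!r}")
    return doc


def dependency_graph(doc):
    """parent SPDXID -> [child SPDXIDs], using only DEPENDS_ON edges."""
    graph = defaultdict(list)
    for r in doc.get("relationships", []):
        if r["relationshipType"] == "DEPENDS_ON":
            graph[r["spdxElementId"]].append(r["relatedSpdxElement"])
    return dict(graph)


def dependency_paths(doc, root):
    """BFS from root: {reachable SPDXID: shortest path from root}. Safe on cyclic graphs."""
    graph, paths, queue = dependency_graph(doc), {root: [root]}, deque([root])
    while queue:
        node = queue.popleft()
        for child in graph.get(node, []):
            if child not in paths:  # first visit wins, so the recorded path is a shortest one
                paths[child] = paths[node] + [child]
                queue.append(child)
    return paths


def security_refs(doc):
    """SPDXID -> advisory locators from externalRefs whose referenceCategory is SECURITY."""
    out = {}
    for p in doc["packages"]:
        locs = [r["referenceLocator"] for r in p.get("externalRefs", [])
                if r["referenceCategory"] == "SECURITY"]
        if locs:
            out[p["SPDXID"]] = locs
    return out


def advisories_reachable_from(doc, root):
    """Advisory-bearing packages that root depends on, directly or transitively, with the path."""
    paths, refs = dependency_paths(doc, root), security_refs(doc)
    return {sid: {"path": paths[sid], "advisories": refs[sid]} for sid in refs if sid in paths}
```

Running `advisories_reachable_from(load_spdx(SAMPLE_SPDX), APP)` returns the single `minimatch` hit with its path from the application. Because `filesAnalyzed` is `false` in this export, package-level `checksums` are the only integrity data available, which is why `load_spdx` validates the graph structure rather than file contents; the unknown-SPDXID check catches relationships whose endpoints were dropped or renamed, which would otherwise silently shorten the graph.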

CycloneDX Export

Field-by-Field Explanation

| Field | Description / Meaning | Example (JSON) |
|---|---|---|
| `bomFormat` | Identifies the SBOM format — always `"CycloneDX"`. Ensures parsers can distinguish between formats. | `"CycloneDX"` |
| `specVersion` | The CycloneDX schema version. Used for compatibility with validation tools and schema parsers. | `"1.5"` |
| `serialNumber` | A globally unique identifier (UUID) for this SBOM instance. Useful for traceability and deduplication. | `"urn:uuid:9c07272d-c19d-4fe9-b98a-47c2ca4aba34"` |
| `version` | Integer representing the revision number of the document. | `1` |
| `metadata` | Root metadata describing the report: authoring tools, organization, timestamp, and context. | `{ "timestamp": "...", "tools": {...}, "authors": [...] }` |
| `metadata.timestamp` | Date and time when the SBOM was generated. Helps with audit trail and data freshness validation. | `"2025-10-12T13:11:20Z"` |
| `metadata.tools` | Identifies the tool used to produce the SBOM. Mend.io lists `"CycloneDX Report Generator"`. | `"Mend CycloneDX Report Generator"` |
| `metadata.authors` | Names of individuals or organizations responsible for creating the SBOM. | `"Organization: Mend on Mend"` |
| `metadata.component` | Describes the top-level application or system for which this SBOM was generated. | `"GH_ReachabilityGraphGeneratorJS"` |
| `components` | List of all detected dependencies (packages, libraries, etc.) with their attributes. | `[ {...}, {...} ]` |
| `components.type` | Classifies the component (e.g., `"library"`, `"application"`, `"framework"`). | `"library"` |
| `components.group` | Optional namespace or group identifier (e.g., NPM scope). | `"@babel/core"` |
| `components.name` | The canonical package name. | `"lodash"` |
| `components.version` | The exact version detected. | `"4.17.21"` |
| `components.description` | Short human-readable explanation of the component. | `"Utility library for JavaScript"` |
| `components.licenses` | Declared software license(s). Mend.io normalizes them into SPDX license IDs. | `"MIT"` |
| `components.copyright` | Copyright statement from package metadata. | `"Copyright JS Foundation and contributors"` |
| `components.hashes` | One or more file checksums (e.g., SHA-1, SHA-256). Used for integrity verification. | `"SHA-1": "3a1ace45e6f88b1b..."` |
| `components.purl` | Package URL (purl spec). Enables unique and language-agnostic package identification. | `"pkg:npm/lodash@4.17.21"` |
| `components.externalReferences` | URLs related to the component (repository, documentation, homepage, distribution). | `"https://github.com/lodash/lodash"` |
| `components.properties` | Mend.io-specific metadata such as `pkgUuid` and `pkgType`. These link SBOM components to internal Mend.io records. | `{ "pkgUuid": "...", "pkgType": "NODE_PACKAGED_MODULE" }` |
| `dependencies` | Captures direct dependency relationships (`dependsOn` arrays) forming a graph structure. | `{ "ref": "pkg:npm/express", "dependsOn": [...] }` |
| `vulnerabilities` | Embedded security findings per the CycloneDX Vulnerability Extension. Each entry lists CVE IDs, severity, CVSS metrics, exploitability state, and affected components. | See below |

Vulnerability Subfields

| Subfield | Meaning | Example |
|---|---|---|
| `vulnerabilities[].id` | CVE or advisory identifier. | `"CVE-2022-3517"` |
| `vulnerabilities[].source.name` | Source of the vulnerability data (e.g., `"NVD"`, `"GitHub"`). | `"NVD"` |
| `vulnerabilities[].ratings[].score` | Numeric severity (CVSS). | `7.5` |
| `vulnerabilities[].ratings[].severity` | Qualitative severity level. | `"HIGH"` |
| `vulnerabilities[].ratings[].method` | Scoring method (e.g., `"CVSSv3"`). | `"CVSSv3"` |
| `vulnerabilities[].affects[].ref` | Reference to the affected component (by `bom-ref` or purl). | `"pkg:npm/minimatch@3.0.4"` |
| `vulnerabilities[].analysis.state` | Indicates exploitability (`"exploitable"`, `"in_triage"`, etc.). | `"exploitable"` |
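The CycloneDX tables above describe findings that reference components only indirectly, through `affects[].ref`, and a `dependencies[]` graph that explains why a component is present. The following Python is an added example (not Mend.io code and not part of this page's export) that consumes a constructed CycloneDX 1.5 document: it indexes components by `bom-ref`, joins `vulnerabilities[]` to them, applies the `analysis.state` and score filters a triage pass needs, and reports references that resolve to nothing. Only `lodash` 4.17.21, `minimatch` 3.0.4 and CVE-2022-3517 appear on the page; the `sample-app` root, the `finalhandler` component, the zeroed UUID and hashes, the `PLACEHOLDER-ADV-*` ids and the `component()`/`finding()` helpers are assumptions made for the example. Severity strings are compared case-insensitively, since the page shows `"HIGH"` while the CycloneDX schema uses lowercase values.

```python
"""Index components by bom-ref, join vulnerabilities[] through affects[].ref, filter by
analysis.state and CVSS score, and flag dangling refs. Constructed CycloneDX 1.5 BOM;
not a real Mend.io export."""
import json

NOT_ACTIONABLE = {"not_affected", "false_positive", "resolved"}  # CycloneDX analysis states
APP = "sample-app@1.0.0"  # constructed bom-ref of the root application


def component(name, version, purl):
    """One constructed components[] entry; bom-ref equals the purl, which affects[].ref uses."""
    return {"type": "library", "bom-ref": purl, "name": name, "version": version, "purl": purl,
            "licenses": [{"license": {"id": "MIT"}}],
            "hashes": [{"alg": "SHA-1", "content": "0" * 40}],  # placeholder digest
            "properties": [{"name": "pkgType", "value": "NODE_PACKAGED_MODULE"}]}


def finding(vid, source, score, severity, ref, state):
    return {"id": vid, "source": {"name": source},
            "ratings": [{"score": score, "severity": severity, "method": "CVSSv3"}],
            "affects": [{"ref": ref}], "analysis": {"state": state}}


SAMPLE_CDX = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1,
    "serialNumber": "urn:uuid:00000000-0000-4000-8000-000000000000",  # placeholder UUID
    "metadata": {"timestamp": "2025-10-12T13:11:20Z",
                 "tools": [{"name": "Mend CycloneDX Report Generator"}],
                 "component": {"type": "application", "bom-ref": APP,
                               "name": "sample-app", "version": "1.0.0"}},
    "components": [component("lodash", "4.17.21", "pkg:npm/lodash@4.17.21"),
                   component("finalhandler", "1.1.2", "pkg:npm/finalhandler@1.1.2"),
                   component("minimatch", "3.0.4", "pkg:npm/minimatch@3.0.4")],
    "dependencies": [{"ref": APP, "dependsOn": ["pkg:npm/lodash@4.17.21", "pkg:npm/finalhandler@1.1.2"]},
                     {"ref": "pkg:npm/finalhandler@1.1.2", "dependsOn": ["pkg:npm/minimatch@3.0.4"]},
                     {"ref": "pkg:npm/lodash@4.17.21", "dependsOn": []},
                     {"ref": "pkg:npm/minimatch@3.0.4", "dependsOn": []}],
    "vulnerabilities": [
        finding("CVE-2022-3517", "NVD", 7.5, "HIGH", "pkg:npm/minimatch@3.0.4", "exploitable"),
        # placeholder ids below: one already triaged away, one pointing at a ref not in the BOM
        finding("PLACEHOLDER-ADV-1", "constructed", 9.8, "critical", "pkg:npm/lodash@4.17.21", "not_affected"),
        finding("PLACEHOLDER-ADV-2", "constructed", 5.3, "medium", "pkg:npm/missing@0.0.1", "in_triage"),
    ],
})


def load_cdx(text):
    doc = json.loads(text)
    if doc.get("bomFormat") != "CycloneDX" or doc.get("specVersion") != "1.5":
        raise ValueError(f"expected CycloneDX 1.5, got {doc.get('bomFormat')} {doc.get('specVersion')}")
    return doc


def component_index(doc):
    """bom-ref -> component, including the metadata.component root."""
    index = {c["bom-ref"]: c for c in doc.get("components", [])}
    root = doc.get("metadata", {}).get("component")
    if root:
        index[root["bom-ref"]] = root
    return index


def dangling_refs(doc):
    """Refs in dependencies[] or affects[] that resolve to no component; findings on them are invisible."""
    index, missing = component_index(doc), set()
    for d in doc.get("dependencies", []):
        missing.update(r for r in [d["ref"], *d.get("dependsOn", [])] if r not in index)
    for v in doc.get("vulnerabilities", []):
        missing.update(a["ref"] for a in v.get("affects", []) if a["ref"] not in index)
    return sorted(missing)


def reverse_dependencies(doc):
    """child bom-ref -> [parent bom-refs]: explains why a vulnerable transitive dep is present."""
    parents = {}
    for d in doc.get("dependencies", []):
        for child in d.get("dependsOn", []):
            parents.setdefault(child, []).append(d["ref"])
    return parents


def actionable_findings(doc, min_score=7.0):
    """Findings worth a ticket: top rating >= min_score, state not triaged away, ref resolves."""
    index, parents, out = component_index(doc), reverse_dependencies(doc), []
    for v in doc.get("vulnerabilities", []):
        state = v.get("analysis", {}).get("state", "in_triage")
        top = max((r.get("score", 0.0) for r in v.get("ratings", [])), default=0.0)
        severities = {r.get("severity", "").lower() for r in v.get("ratings", [])}
        if state in NOT_ACTIONABLE or top < min_score:
            continue
        for a in v.get("affects", []):
            if a["ref"] in index:  # unresolved refs are surfaced by dangling_refs() instead
                c = index[a["ref"]]
                out.append({"id": v["id"], "score": top, "severity": max(severities), "state": state,
                            "component": f"{c['name']}@{c['version']}",
                            "introduced_by": parents.get(a["ref"], [])})
    return out
```

`actionable_findings(load_cdx(SAMPLE_CDX))` returns only CVE-2022-3517 on `minimatch@3.0.4`, introduced through `finalhandler`; the `not_affected` finding is dropped by its analysis state and the third finding never resolves to a component. That last case is the one to check for before trusting a count of zero: `dangling_refs()` lists every `affects[].ref` and `dependsOn` entry with no matching `bom-ref`, so a finding attached to a missing or renamed component is reported rather than quietly ignored.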

Excluded / Non-Applicable Fields

| Field | Reason Not Included |
|---|---|
| Patch Status | Mend.io tracks patching separately in vulnerability reports, not in SBOMs. |
| Release Date | Not available in upstream package metadata. |
| End-of-Life (EOL) Date | Out of scope for SBOM standards; managed via asset intelligence sources. |
| Criticality | Internal risk attribute, not in SBOM export. |
| Usage Restrictions | Already covered via license declarations. |
| Executable / Archive Properties | No binary packaging metadata included. |