
SBOM Schema Import - CycloneDX

Overview

This document describes the mandatory schema requirements for CycloneDX SBOM files that can be successfully processed and imported by the Mend system. The schema applies to both JSON and XML formats and is based on the CycloneDX specification versions 1.4, 1.5, and 1.6, with specific requirements defined by Mend.io.

The system automatically detects the format (JSON or XML) and processes both using the same internal logic, ensuring consistent behavior regardless of the input format.

Mandatory Schema Requirements

The table below lists the fields that are mandatory for passing the CycloneDX validation.

| Field | Type | Description | Fallback Behavior |
|---|---|---|---|
| bomFormat | String | Must be "CycloneDX" | N/A |
| specVersion | String | CycloneDX specification version | N/A |
| version | Integer | BOM document version | Defaults to 1 if not specified |

Metadata Section (Optional but Recommended)

When metadata is present, the following structure applies:

| Field | Type | Description | Fallback Behavior |
|---|---|---|---|
| metadata.timestamp | String (ISO 8601) | Creation timestamp | N/A |
| metadata.component | Object | Contains an identifier that groups all the direct dependencies to create a hierarchy | If unspecified, all packages are treated as direct dependencies |
| metadata.component.name | String | Root component name | N/A |
| metadata.component.type | String | Root component type | Falls back to "application" |
| metadata.component.group | String | Root component group | N/A |
| metadata.component.version | String | Root component version | N/A |
| metadata.component.bom-ref | String | Root component reference | If unspecified, all packages are treated as direct dependencies |

Note: For the project (root) element, only a metadata.component whose type is "application" ("type": "application") is processed. This occurs once per SBOM file.

Components Section (Required for Dependency Matching)

Note: For a list of languages and package managers supported by Mend SCA, please refer to the support matrix.

Each component in the components array must have the following structure:

| Field | Type | Description | Fallback Behavior |
|---|---|---|---|
| components[].type | String | Component type. Must be "library" | N/A |
| components[].bom-ref | String | Unique component reference. Used for dependency mapping | N/A |
| components[].purl | String | Package URL. Used for matching. Required PURL structure: pkg:type/namespace/name@version. Refer to this repository for more details on the PURL specification. | When the PURL is absent, the matching algorithm will attempt to rely on components[].name, components[].version, and components[].group. |
| components[].name | String | Component name. Used as artifactId | N/A |
| components[].version | String | Component version | N/A |
| components[].group | String | Component group | N/A |
| components[].hashes | Array | Component hashes. Used for SHA1 extraction | N/A |

Component Type Filtering:
Only components with type equal to "library" are processed. Other component types are ignored.

Dependencies Section (Recommended)

If the dependencies array is present, the system builds a dependency tree starting from the root component.

| Field | Type | Description | Fallback Behavior |
|---|---|---|---|
| dependencies | Array | Dependency relationships | If missing, all components are treated as direct dependencies |
| dependencies[].ref | String | Component reference. Must match a component's bom-ref | N/A |
| dependencies[].dependsOn | Array | Array of dependency references | N/A |
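As an added illustration that is not part of Mend's documentation or import code, the following Python applies the rules from the tables above to a JSON SBOM: the mandatory header fields, the version default, the "application" root (with its type default), the library-only filter, the PURL-or-group/name/version matching key, the bom-ref check on dependencies[].ref, and the all-direct fallback. The function name, the constructed sample document and the use of ValueError for rejected files are assumptions, not Mend behaviour.

```python
import json

SUPPORTED_SPEC_VERSIONS = ("1.4", "1.5", "1.6")


def normalize_cyclonedx(text):
    """Apply the import rules above to a CycloneDX JSON document and return
    the effective version, root ref, processed libraries and direct deps."""
    bom = json.loads(text)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError('bomFormat must be "CycloneDX"')
    if bom.get("specVersion") not in SUPPORTED_SPEC_VERSIONS:
        raise ValueError("unsupported or missing specVersion")
    version = bom.get("version", 1)  # fallback: document version defaults to 1
    # metadata.component is the root only when its type is "application" (the default).
    root = (bom.get("metadata") or {}).get("component") or {}
    is_app = root.get("type", "application") == "application"
    root_ref = root.get("bom-ref") if is_app else None
    known = {root_ref} | {c.get("bom-ref") for c in bom.get("components", [])}
    components = {}  # bom-ref -> matching key, "library" components only
    for comp in bom.get("components", []):
        if comp.get("type") != "library":
            continue  # other component types are ignored
        # Matching key: PURL when present, otherwise group/name/version.
        key = comp.get("purl") or (comp.get("group"), comp.get("name"), comp.get("version"))
        components[comp["bom-ref"]] = key
    deps = {}  # ref -> dependsOn; each ref must match a known bom-ref
    for dep in bom.get("dependencies", []):
        if dep.get("ref") not in known:
            raise ValueError(f"dependency ref {dep.get('ref')!r} matches no bom-ref")
        deps[dep["ref"]] = dep.get("dependsOn", [])
    # Fallback: no root ref or no dependencies entry for it means all are direct.
    if root_ref is None or root_ref not in deps:
        direct = list(components)
    else:
        direct = [ref for ref in deps[root_ref] if ref in components]
    return {"version": version, "root_ref": root_ref,
            "components": components, "direct": direct}


# Constructed sample (not from the page): root type and top-level version
# omitted, one library without a PURL, one framework that the filter drops.
SAMPLE_BOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "metadata": {"component": {"name": "my-project", "bom-ref": "root"}},
    "components": [
        {"type": "library", "bom-ref": "lib-1", "purl": "pkg:maven/com.example/library@1.0.0"},
        {"type": "library", "bom-ref": "lib-2", "group": "com.example", "name": "other", "version": "2.0.0"},
        {"type": "framework", "bom-ref": "fw-1", "name": "ignored"}],
    "dependencies": [{"ref": "root", "dependsOn": ["lib-1", "fw-1"]},
                     {"ref": "lib-1", "dependsOn": ["lib-2"]}]})
```

Running `normalize_cyclonedx(SAMPLE_BOM)` yields version 1, root "root", only lib-1 as a direct dependency, and lib-2 keyed by its group/name/version tuple because it has no PURL.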

Example Valid SBOM

JSON Format Example

```json
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "version": 1,
  "metadata": {
    "component": {
      "name": "my-project",
      "type": "application",
      "bom-ref": "root-component"
    }
  },
  "components": [
    {
      "type": "library",
      "name": "example-library",
      "version": "1.0.0",
      "bom-ref": "lib-1",
      "purl": "pkg:maven/com.example/library@1.0.0"
    }
  ],
  "dependencies": [
    {
      "ref": "root-component",
      "dependsOn": ["lib-1"]
    },
    {
      "ref": "lib-1",
      "dependsOn": []
    }
  ]
}
```

XML Format Example

```xml
<?xml version="1.0" encoding="UTF-8"?>
<bom xmlns="http://cyclonedx.org/schema/bom/1.5"
     version="1"
     serialNumber="urn:uuid:12345678-1234-1234-1234-123456789012">
  <metadata>
    <component type="application" bom-ref="root-component">
      <name>my-project</name>
    </component>
  </metadata>
  <components>
    <component type="library" bom-ref="lib-1">
      <name>example-library</name>
      <version>1.0.0</version>
      <purl>pkg:maven/com.example/library@1.0.0</purl>
    </component>
  </components>
  <dependencies>
    <dependency ref="root-component">
      <dependsOn>lib-1</dependsOn>
    </dependency>
    <dependency ref="lib-1">
      <dependsOn></dependsOn>
    </dependency>
  </dependencies>
</bom>
```