Legal pillar · v0.16.0
software-bill-of-materials SoftwareBillOfMaterials
SBOM record.
$id · https://corpospec.com/schemas/v0.16.0/software-bill-of-materials.schema.json
Fields
| Field | Type | Required | Description |
|---|---|---|---|
| components | SbomComponent[] | yes | Components listed in the SBOM, one SbomComponent per entry. |
| format | SbomFormat | yes | SBOM format standard. |
| generated_at | IsoDate | yes | Date the SBOM was generated, as an ISO 8601 calendar date (YYYY-MM-DD). |
| generator | string | yes | Tool that generated the SBOM (e.g. "syft@0.84.0", "cdxgen@10.0"). |
| id | PathRef | yes | Path-based cross-reference relative to .corpospec/ root. Pattern: `^[a-z0-9_-]+(/[a-z0-9_.-]+)+$` |
| signed | boolean | yes | Whether the SBOM has been digitally signed (cosign, etc.). This is an assertion made by the record, not a verification; consumers should check the signature against `signing_cert_ref`. |
| subject | PathRef | yes | PathRef to the subject (product, service, container image). |
| subject_version | string | yes | Subject version (SemVer or git SHA). |
| artefact_ref | PathRef? | — | PathRef to the raw SBOM artefact (SPDX JSON / CycloneDX XML). |
| signing_cert_ref | PathRef? | — | PathRef to the signing key / cert. |
Definitions
Shared types referenced within this schema.
ComponentHash
Hashes attached to a component.
type: object
ComponentIdKind
Identifier kind (PURL, CPE or SWID, the identifiers named in the NTIA/CISA SBOM minimum-elements guidance).
ComponentIdentifier
Component identifier.
type: object
HashAlgorithm
Cryptographic hash algorithm used in a ComponentHash. sha1 is accepted by the schema but is no longer collision-resistant; use sha256 or stronger when the hash is relied on for integrity.
enum: "sha1", "sha256", "sha384", "sha512", "blake2b", "blake3"
IsoDate
ISO 8601 date (YYYY-MM-DD).
type: string
PathRef
Path-based cross-reference relative to .corpospec/ root.
pattern: ^[a-z0-9_-]+(/[a-z0-9_.-]+)+$
SbomComponent
One SBOM component.
type: object
SbomFormat
SBOM format standard.
Reference in your YAML
# yaml-language-server: $schema=https://corpospec.com/schemas/v0.16.0/software-bill-of-materials.schema.json
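The checks below are an added example, not corpospec project code: they enforce only what this page documents (the required fields, the PathRef pattern, the IsoDate shape, the HashAlgorithm enum) plus the practitioner check that `signed: true` is backed by a `signing_cert_ref`. The SbomFormat enum values and the fields of SbomComponent are not shown on this page, so the sample record's `format` value and component contents are assumptions, and components are checked only for being objects.

```python
"""Structural checks for a corpospec SoftwareBillOfMaterials record.

Added example, not part of the corpospec project. Enforces only the
constraints documented on the schema page, plus one check on `signed`.
"""
import re
from datetime import date
from typing import Optional

PATH_REF = re.compile(r"^[a-z0-9_-]+(/[a-z0-9_.-]+)+$")   # PathRef pattern from the schema
ISO_DATE = re.compile(r"^\d{4}-\d{2}-\d{2}$")              # IsoDate: YYYY-MM-DD only
HASH_ALGORITHMS = {"sha1", "sha256", "sha384", "sha512", "blake2b", "blake3"}
WEAK_HASH_ALGORITHMS = {"sha1"}   # in the enum, but not collision-resistant

# Required fields and the JSON type each must carry.
REQUIRED = {
    "components": list,
    "format": str,
    "generated_at": str,
    "generator": str,
    "id": str,
    "signed": bool,
    "subject": str,
    "subject_version": str,
}
PATH_REF_FIELDS = ("id", "subject", "artefact_ref", "signing_cert_ref")


def validate_sbom_record(record: dict) -> list:
    """Return a list of problems; an empty list means the record passes."""
    problems = []
    for field, typ in REQUIRED.items():
        if field not in record:
            problems.append(f"{field}: required field missing")
        elif not isinstance(record[field], typ):
            problems.append(f"{field}: expected {typ.__name__}")

    for field in PATH_REF_FIELDS:
        value = record.get(field)
        if isinstance(value, str) and not PATH_REF.match(value):
            problems.append(f"{field}: not a valid PathRef: {value!r}")

    generated_at = record.get("generated_at")
    if isinstance(generated_at, str):
        if not ISO_DATE.match(generated_at):
            problems.append("generated_at: must be YYYY-MM-DD")
        else:
            try:
                date.fromisoformat(generated_at)   # rejects e.g. 2024-02-30
            except ValueError:
                problems.append(f"generated_at: not a calendar date: {generated_at}")

    # SbomComponent is documented only as an object: check shape, not contents.
    for i, component in enumerate(record.get("components", [])):
        if not isinstance(component, dict):
            problems.append(f"components[{i}]: expected object")

    # `signed` is a self-assertion; without signing_cert_ref a consumer has
    # nothing to verify the signature against.
    if record.get("signed") is True and not record.get("signing_cert_ref"):
        problems.append("signed is true but signing_cert_ref is absent; nothing to verify against")
    if record.get("signed") is False and record.get("signing_cert_ref"):
        problems.append("signing_cert_ref present but signed is false")
    return problems


def hash_algorithm_issue(algorithm: str) -> Optional[str]:
    """Check a ComponentHash algorithm against the HashAlgorithm enum.

    Returns None when acceptable, otherwise a message. sha1 is in the enum
    but is flagged because it is no longer collision-resistant.
    """
    if algorithm not in HASH_ALGORITHMS:
        return f"{algorithm!r} is not a HashAlgorithm"
    if algorithm in WEAK_HASH_ALGORITHMS:
        return f"{algorithm} is accepted but not collision-resistant; prefer sha256 or stronger"
    return None


# Constructed sample record; paths, versions and component fields are assumed.
SAMPLE_RECORD = {
    "id": "legal/sbom/payments-api-1.4.2",
    "format": "cyclonedx",            # SbomFormat enum values not shown on the page; assumed
    "generated_at": "2024-05-17",
    "generator": "syft@0.84.0",
    "signed": True,
    "subject": "product/payments-api",
    "subject_version": "1.4.2",
    "artefact_ref": "legal/sbom/payments-api-1.4.2.cdx.json",
    "signing_cert_ref": "security/keys/sbom-signing.pem",
    "components": [{"name": "openssl", "version": "3.0.13"}],   # component fields assumed
}

if __name__ == "__main__":
    for problem in validate_sbom_record(SAMPLE_RECORD) or ["record passes structural checks"]:
        print(problem)
```

Run the module directly to check the embedded sample; pass any loaded record dict to `validate_sbom_record` in a CI step to catch a PathRef with uppercase or a missing slash, an impossible date, or a `signed: true` that no certificate reference backs.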