NAME

SBOM::CycloneDX - CycloneDX Perl Library

SYNOPSIS

use strict;
use warnings;
use feature 'say';
use Carp;

use SBOM::CycloneDX;
use SBOM::CycloneDX::Component;
use SBOM::CycloneDX::License;
use SBOM::CycloneDX::Util qw(cyclonedx_tool);
use URI::PackageURL;

my $bom = SBOM::CycloneDX->new;

# Root component: the application this BOM describes
my $root_component = SBOM::CycloneDX::Component->new(
    type     => 'application',
    name     => 'MyApp',
    licenses => [SBOM::CycloneDX::License->new('Artistic-2.0')],
    bom_ref  => 'MyApp'
);

my $metadata = $bom->metadata;

# Record the generating tool and the root component in the BOM metadata
$metadata->tools->add(cyclonedx_tool);

$metadata->component($root_component);

# A versioned library identified by a Package URL (PURL)
my $component1 = SBOM::CycloneDX::Component->new(
    type     => 'library',
    name     => 'some-component',
    group    => 'acme',
    version  => '1.33.7-beta.1',
    licenses => [SBOM::CycloneDX::License->new(name => '(c) 2021 Acme inc.')],
    bom_ref  => 'myComponent@1.33.7-beta.1',
    purl     => URI::PackageURL->new(
        type      => 'generic',
        namespace => 'acme',
        name      => 'some-component',
        version   => '1.33.7-beta.1'
    ),
);

# Add the component and declare the MyApp -> some-component dependency edge
$bom->components->add($component1);
$bom->add_dependency($root_component, [$component1]);

# A library licensed under an SPDX license expression
my $component2 = SBOM::CycloneDX::Component->new(
    type     => 'library',
    name     => 'some-library',
    licenses => [SBOM::CycloneDX::License->new(expression => 'GPL-3.0-only WITH Classpath-exception-2.0')],
    bom_ref  => 'some-lib',
);

$bom->components->add($component2);
$bom->add_dependency($root_component, [$component2]);

# Validate against the CycloneDX JSON Schema before emitting the BOM
my @errors = $bom->validate;

if (@errors) {
    say $_ for (@errors);
    Carp::croak 'Validation error';
}

say $bom->to_string;

DESCRIPTION

SBOM::CycloneDX is a Perl library for generating valid CycloneDX BOM files.

CycloneDX is a modern standard for the software supply chain. At its core, CycloneDX is a general-purpose Bill of Materials (BOM) standard capable of representing software, hardware, services, and other types of inventory. The CycloneDX standard began in 2017 in the Open Worldwide Application Security Project (OWASP) community. CycloneDX is an OWASP flagship project, has a formal standardization process and governance model, and is supported by the global information security community.

CycloneDX far exceeds the Minimum Elements for Software Bill of Materials as defined by the National Telecommunications and Information Administration (NTIA) in response to U.S. Executive Order 14028.

CycloneDX provides advanced supply chain capabilities for cyber risk reduction. Among these capabilities are:

Software Bill of Materials (SBOM)
Software-as-a-Service Bill of Materials (SaaSBOM)
Hardware Bill of Materials (HBOM)
Machine Learning Bill of Materials (ML-BOM)
Cryptography Bill of Materials (CBOM)
Operations Bill of Materials (OBOM)
Manufacturing Bill of Materials (MBOM)
Bill of Vulnerabilities (BOV)
Vulnerability Disclosure Report (VDR)
Vulnerability Exploitability eXchange (VEX)
CycloneDX Attestations (CDXA)
Common Release Notes Format

https://www.cyclonedx.org

MODELS

SBOM::CycloneDX
SBOM::CycloneDX::Advisory
SBOM::CycloneDX::Annotation
SBOM::CycloneDX::Annotation::Annotator
SBOM::CycloneDX::Attachment
SBOM::CycloneDX::Component
SBOM::CycloneDX::Component::Commit
SBOM::CycloneDX::Component::ConfidenceInterval
SBOM::CycloneDX::Component::Diff
SBOM::CycloneDX::Component::Graphic
SBOM::CycloneDX::Component::GraphicsCollection
SBOM::CycloneDX::Component::ModelCard
SBOM::CycloneDX::Component::Patch
SBOM::CycloneDX::Component::Pedigree
SBOM::CycloneDX::Component::PerformanceMetric
SBOM::CycloneDX::Component::QuantitativeAnalysis
SBOM::CycloneDX::Component::SWID
SBOM::CycloneDX::CryptoProperties
SBOM::CycloneDX::CryptoProperties::AlgorithmProperties
SBOM::CycloneDX::CryptoProperties::CertificateProperties
SBOM::CycloneDX::CryptoProperties::CipherSuite
SBOM::CycloneDX::CryptoProperties::Ikev2TransformType
SBOM::CycloneDX::CryptoProperties::ProtocolProperties
SBOM::CycloneDX::CryptoProperties::RelatedCryptoMaterialProperties
SBOM::CycloneDX::CryptoProperties::SecuredBy
SBOM::CycloneDX::DataGovernance
SBOM::CycloneDX::DataGovernanceResponsibleParty
SBOM::CycloneDX::Declarations
SBOM::CycloneDX::Declarations::Affirmation
SBOM::CycloneDX::Declarations::Assessor
SBOM::CycloneDX::Declarations::Attestation
SBOM::CycloneDX::Declarations::Claim
SBOM::CycloneDX::Declarations::Confidence
SBOM::CycloneDX::Declarations::Conformance
SBOM::CycloneDX::Declarations::Contents
SBOM::CycloneDX::Declarations::Data
SBOM::CycloneDX::Declarations::Evidence
SBOM::CycloneDX::Declarations::Map
SBOM::CycloneDX::Declarations::Signatory
SBOM::CycloneDX::Declarations::Targets
SBOM::CycloneDX::Definitions
SBOM::CycloneDX::Dependency
SBOM::CycloneDX::ExternalReference
SBOM::CycloneDX::Formulation
SBOM::CycloneDX::Hash
SBOM::CycloneDX::IdentifiableAction
SBOM::CycloneDX::Issue
SBOM::CycloneDX::Issue::Source
SBOM::CycloneDX::License
SBOM::CycloneDX::License::Licensee
SBOM::CycloneDX::License::Licensing
SBOM::CycloneDX::License::Licensor
SBOM::CycloneDX::License::Purchaser
SBOM::CycloneDX::Metadata
SBOM::CycloneDX::Metadata::Lifecycle
SBOM::CycloneDX::Note
SBOM::CycloneDX::OrganizationalContact
SBOM::CycloneDX::OrganizationalEntity
SBOM::CycloneDX::PostalAddress
SBOM::CycloneDX::Property
SBOM::CycloneDX::ReleaseNotes
SBOM::CycloneDX::Schema
SBOM::CycloneDX::Service
SBOM::CycloneDX::Standard
SBOM::CycloneDX::Standard::Level
SBOM::CycloneDX::Standard::Requirement
SBOM::CycloneDX::Tool
SBOM::CycloneDX::Tools
SBOM::CycloneDX::Version
SBOM::CycloneDX::Vulnerability
SBOM::CycloneDX::Vulnerability::Affect
SBOM::CycloneDX::Vulnerability::Analysis
SBOM::CycloneDX::Vulnerability::Credits
SBOM::CycloneDX::Vulnerability::ProofOfConcept
SBOM::CycloneDX::Vulnerability::Rating
SBOM::CycloneDX::Vulnerability::Reference
SBOM::CycloneDX::Vulnerability::Source

HELPERS

SBOM::CycloneDX::BomRef
SBOM::CycloneDX::Enum
SBOM::CycloneDX::List
SBOM::CycloneDX::Timestamp
SBOM::CycloneDX::Util

METHODS

SBOM::CycloneDX inherits all methods from SBOM::CycloneDX::Base and implements the following new ones.

SBOM::CycloneDX->new( %PARAMS )

$bom->version

Whenever an existing BOM is modified, either manually or through automated processes, the version of the BOM SHOULD be incremented by 1. When a system is presented with multiple BOMs with identical serial numbers, the system SHOULD use the most recent version of the BOM. The default version is '1'.

$bom->metadata

Provides additional information about a BOM.

See SBOM::CycloneDX::Metadata.

$bom->components

A list of software and hardware components.

$bom->components->add($component);

See SBOM::CycloneDX::Component.

$bom->services

A list of services. This may include microservices, function-as-a-service, and other types of network or intra-process services.

$bom->services->add($service);

See SBOM::CycloneDX::Service.

$bom->external_references

External references provide a way to document systems, sites, and information that may be relevant but are not included with the BOM. They may also establish specific relationships within or external to the BOM.

$bom->external_references->add($external_reference);

See SBOM::CycloneDX::ExternalReference.

$bom->dependencies

Provides the ability to document dependency relationships including provided & implemented components.

$bom->dependencies->add($dependency);

# or

$bom->add_dependency($parent_component, [$component1, $component2]);

See SBOM::CycloneDX::Dependency.

$bom->compositions

Compositions describe constituent parts (including components, services, and dependency relationships) and their completeness. The completeness of vulnerabilities expressed in a BOM may also be described.

$bom->compositions->add($composition);

See SBOM::CycloneDX::Composition.

$bom->vulnerabilities

Vulnerabilities identified in components or services.

$bom->vulnerabilities->add($vulnerability);

See SBOM::CycloneDX::Vulnerability.

$bom->annotations

Comments made by people, organizations, or tools about any object with a bom-ref, such as components, services, vulnerabilities, or the BOM itself. Unlike inventory information, annotations may contain opinions or commentary from various stakeholders. Annotations may be inline (with inventory) or externalized via BOM-Link and may optionally be signed.

$bom->annotations->add($annotation);

See SBOM::CycloneDX::Annotation.

$bom->formulation

Describes how a component or service was manufactured or deployed. This is achieved through the use of formulas, workflows, tasks, and steps, which declare the precise steps to reproduce along with the observed formulas describing the steps which transpired in the manufacturing process.

$bom->formulation->add($formulation);

See SBOM::CycloneDX::Formulation.

$bom->declarations

The list of declarations which describe the conformance to standards. Each declaration may include attestations, claims, and evidence.

See SBOM::CycloneDX::Declarations.

$bom->definitions

A collection of reusable objects that are defined and may be used elsewhere in the BOM.

$bom->definitions->add($definition);

See SBOM::CycloneDX::Definition.

$bom->properties

Provides the ability to document properties in a name-value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. Unlike key-value stores, properties support duplicate names, each potentially having different values. Property names of interest to the general public are encouraged to be registered in the CycloneDX Property Taxonomy (https://github.com/CycloneDX/cyclonedx-property-taxonomy).

Formal registration is optional.

$bom->properties->add($property);

See SBOM::CycloneDX::Property.

$bom->signature

Enveloped signature in JSON Signature Format (JSF) https://cyberphone.github.io/doc/security/jsf.html.

HELPERS

$bom->add_dependency($parent, [$components...])

Adds a dependency relationship from $parent to one or more components.

$bom->add_dependency($parent_component, [$component1]);
$bom->add_dependency($parent_component, [$component1, $component2]);

$bom->get_component_by_purl($purl)

Returns the component whose PURL matches the given PURL string, or a false value when no component matches.

if ($bom->get_component_by_purl($purl)) {
    say "Found component with $purl PURL";
}

$bom->get_component_by_bom_ref($ref)

Returns the component with the given BOM-Ref string, or a false value when no component matches.

if ($bom->get_component_by_bom_ref($bom_ref)) {
    say "Found component with $bom_ref BOM-Ref";
}

$bom->get_vulnerabilities_for_bom_ref($bom_ref)

Returns a SBOM::CycloneDX::List of the vulnerabilities that affect the given bom_ref.

$bom->get_affected_components_by_cve($cve_id)

Returns a SBOM::CycloneDX::List of the components affected by the given CVE identifier.

say $_->bom_ref for ($bom->get_affected_components_by_cve('CVE-2025-1234')->list);
$bom->validate

Validates the BOM against the CycloneDX JSON Schema and returns the JSON::Validator errors; an empty list means the BOM is valid. Validate before publishing or signing a BOM, since downstream consumers reject schema-invalid documents.

my @errors = $bom->validate;

if (@errors) {
    say $_ for @errors;
    Carp::croak "Invalid BOM";
}

See SBOM::CycloneDX::Schema.

$bom->to_string

Encodes the BOM as a JSON string. The object stringifies to the same JSON.

say $bom->to_string;

# or

say "$bom";

$bom->TO_JSON

Hook for JSON encoders: returns the plain Perl data structure that an encoder serializes when it honours the TO_JSON convention for blessed objects. Mojo::JSON's encode_json calls TO_JSON by default; JSON::PP and JSON::XS need convert_blessed enabled.

say encode_json($bom);                                 # Mojo::JSON

say JSON::PP->new->convert_blessed->encode($bom);      # JSON::PP / JSON::XS
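The following is an added, end-to-end example (not code from the SBOM::CycloneDX distribution or from this page) that ties the helper methods together: it builds a BOM, records a vulnerability against one component, resolves components by PURL, lists vulnerabilities and affected components with get_vulnerabilities_for_bom_ref and get_affected_components_by_cve, and validates before serializing. The constructor arguments assumed for SBOM::CycloneDX::Vulnerability (id, source, affects), SBOM::CycloneDX::Vulnerability::Source (name, url) and SBOM::CycloneDX::Vulnerability::Affect (ref), the id accessor on the vulnerability object, and URI::PackageURL's to_string method are assumptions not documented on this page; CVE-2025-1234 is a placeholder identifier, not a real advisory.

```perl
#!/usr/bin/env perl
# Added example, not part of the SBOM::CycloneDX distribution. Constructor
# argument names for Vulnerability / Vulnerability::Source / Vulnerability::Affect
# and the ->id accessor are assumed from the CycloneDX field names.
use strict;
use warnings;
use feature 'say';
use Carp qw(croak);

use SBOM::CycloneDX;
use SBOM::CycloneDX::Component;
use SBOM::CycloneDX::License;
use SBOM::CycloneDX::Vulnerability;
use SBOM::CycloneDX::Vulnerability::Source;
use SBOM::CycloneDX::Vulnerability::Affect;
use SBOM::CycloneDX::Util qw(cyclonedx_tool);
use URI::PackageURL;

my $bom = SBOM::CycloneDX->new;

# Root component and metadata (same pattern as the SYNOPSIS)
my $app = SBOM::CycloneDX::Component->new(
    type    => 'application',
    name    => 'MyApp',
    bom_ref => 'MyApp',
);
$bom->metadata->tools->add(cyclonedx_tool);
$bom->metadata->component($app);

# Two libraries; only the first carries a PURL and a vulnerability.
my $lib_purl = URI::PackageURL->new(
    type      => 'generic',
    namespace => 'acme',
    name      => 'some-component',
    version   => '1.33.7-beta.1',
);

my $lib1 = SBOM::CycloneDX::Component->new(
    type     => 'library',
    name     => 'some-component',
    group    => 'acme',
    version  => '1.33.7-beta.1',
    licenses => [SBOM::CycloneDX::License->new('Artistic-2.0')],
    bom_ref  => 'some-component@1.33.7-beta.1',
    purl     => $lib_purl,
);
my $lib2 = SBOM::CycloneDX::Component->new(
    type    => 'library',
    name    => 'some-library',
    bom_ref => 'some-lib',
);
$bom->components->add($lib1);
$bom->components->add($lib2);
$bom->add_dependency($app, [$lib1, $lib2]);

# Constructed vulnerability record; CVE-2025-1234 is a placeholder id.
# The Affect entry points at the component's bom-ref, which is how CycloneDX
# links a vulnerability to the inventory.
my $vuln = SBOM::CycloneDX::Vulnerability->new(
    id      => 'CVE-2025-1234',
    source  => SBOM::CycloneDX::Vulnerability::Source->new(
        name => 'NVD',
        url  => 'https://nvd.nist.gov/vuln/detail/CVE-2025-1234',
    ),
    affects => [SBOM::CycloneDX::Vulnerability::Affect->new(ref => $lib1->bom_ref)],
);
$bom->vulnerabilities->add($vuln);

# Lookup by PURL string (to_string assumed on URI::PackageURL)
my $found = $bom->get_component_by_purl($lib_purl->to_string)
    or croak 'PURL lookup failed';
say 'Found by PURL: ', $found->name;

# Vulnerabilities attached to a given bom-ref
say 'Vulnerabilities for ', $lib1->bom_ref, ': ',
    join ', ', map { $_->id } $bom->get_vulnerabilities_for_bom_ref($lib1->bom_ref)->list;

# Components affected by a given CVE
say 'Components affected by CVE-2025-1234: ',
    join ', ', map { $_->bom_ref } $bom->get_affected_components_by_cve('CVE-2025-1234')->list;

# Validate before publishing: dangling bom-refs or malformed PURLs surface here
my @errors = $bom->validate;
if (@errors) {
    say $_ for @errors;
    croak 'Invalid BOM';
}

say $bom->to_string;
```

The affects entry is the only link between the vulnerability and the component, so a typo in the bom-ref silently produces a vulnerability that affects nothing; the validate call will not catch that, so check get_affected_components_by_cve returns the components you expect before shipping a VEX or BOV document.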

SUPPORT

Bugs / Feature Requests

Please report any bugs or feature requests through the issue tracker at https://github.com/giterlizzi/perl-SBOM-CycloneDX/issues. You will be notified automatically of any progress on your issue.

Source Code

This is open source software. The code repository is available for public review and contribution under the terms of the license.

https://github.com/giterlizzi/perl-SBOM-CycloneDX

git clone https://github.com/giterlizzi/perl-SBOM-CycloneDX.git

AUTHOR

  • Giuseppe Di Terlizzi <gdt@cpan.org>

LICENSE AND COPYRIGHT

This software is copyright (c) 2025 by Giuseppe Di Terlizzi.

This is free software; you can redistribute it and/or modify it under the same terms as the Perl 5 programming language system itself.