/ 
SBOM-CycloneDX-1.03
/ SBOM::CycloneDX::Component

NAME

SBOM::CycloneDX::Component - Component

SYNOPSIS

SBOM::CycloneDX::Component->new();

DESCRIPTION

SBOM::CycloneDX::Component

METHODS

SBOM::CycloneDX::Component inherits all methods from SBOM::CycloneDX::Base and implements the following new ones.

SBOM::CycloneDX::Component->new( %PARAMS )

Properties:

_purl_parse,
author, [Deprecated] This will be removed in a future version. Use "authors" or "manufacturer" methods instead. The person(s) or organization(s) that authored the component
authors, The person(s) who created the component. Authors are common in components created through manual processes. Components created through automated means may have "manufacturer" method instead.
components, A list of software and hardware components included in the parent component. This is not a dependency tree. It provides a way to specify a hierarchical representation of component assemblies, similar to system → subsystem → parts assembly in physical supply chains.
cpe, Asserts the identity of the component using CPE. The CPE must conform to the CPE 2.2 or 2.3 specification. See https://nvd.nist.gov/products/cpe. Refer to "evidence->identity" method to optionally provide evidence that substantiates the assertion of the component's identity.
crypto_properties, Cryptographic Properties
data, This object SHOULD be specified for any component of type `data` and must not be specified for other component types.
description, Specifies a description for the component
evidence, Provides the ability to document evidence collected through various forms of extraction or analysis.
external_references, External references provide a way to document systems, sites, and information that may be relevant but are not included with the BOM. They may also establish specific relationships within or external to the BOM.
group, The grouping name or identifier. This will often be a shortened, single name of the company or project that produced the component, or the source package or domain name. Whitespace and special characters should be avoided. Examples include: apache, org.apache.commons, and apache.org.
hashes, The hashes of the component.
licenses, Component License(s)
manufacturer, The organization that created the component. Manufacturer is common in components created through automated processes. Components created through manual means may have `@.authors` instead.
mime_type, The optional mime-type of the component. When used on file components, the mime-type can provide additional context about the kind of file being represented, such as an image, font, or executable. Some library or framework components may also have an associated mime-type.
model_card, AI/ML Model Card
modified, [Deprecated] This will be removed in a future version. Use the pedigree element instead to supply information on exactly how the component was modified. A boolean value indicating if the component has been modified from the original. A value of true indicates the component is a derivative of the original. A value of false indicates the component has not been modified from the original.
name, The name of the component. This will often be a shortened, single name of the component. Examples: commons-lang3 and jquery
omnibor_id, Asserts the identity of the component using the OmniBOR Artifact ID. The OmniBOR, if specified, must be valid and conform to the specification defined at: https://www.iana.org/assignments/uri-schemes/prov/gitoid. Refer to "evidence->identity" method to optionally provide evidence that substantiates the assertion of the component's identity.
pedigree, Component pedigree is a way to document complex supply chain scenarios where components are created, distributed, modified, redistributed, combined with other components, etc. Pedigree supports viewing this complex chain from the beginning, the end, or anywhere in the middle. It also provides a way to document variants where the exact relation may not be known.
properties, Provides the ability to document properties in a name-value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. Unlike key-value stores, properties support duplicate names, each potentially having different values. Property names of interest to the general public are encouraged to be registered in the CycloneDX Property Taxonomy (https://github.com/CycloneDX/cyclonedx-property-taxonomy). Formal registration is optional.
publisher, The person(s) or organization(s) that published the component
purl, Asserts the identity of the component using package-url (purl). The purl, if specified, must be valid and conform to the specification defined at https://github.com/package-url/purl-spec). Refer to "evidence->identity" method to optionally provide evidence that substantiates the assertion of the component's identity.
release_notes, Specifies optional release notes.
scope, Specifies the scope of the component. If scope is not specified, 'required' scope SHOULD be assumed by the consumer of the BOM.
signature, Enveloped signature in JSON Signature Format (JSF) (https://cyberphone.github.io/doc/security/jsf.html).
supplier, The organization that supplied the component. The supplier may often be the manufacturer, but may also be a distributor or repackager.
swhid, Asserts the identity of the component using the Software Heritage persistent identifier (SWHID). The SWHID, if specified, must be valid and conform to the specification defined at: "/docs.softwareheritage.org/devel/swh-model/persistent-identifiers.h tml" in https:]. Refer to "evidence->identity" method to optionally provide evidence that substantiates the assertion of the component's identity.
swid, Asserts the identity of the component using ISO-IEC 19770-2 Software Identification (SWID) Tags (https://www.iso.org/standard/65666.html). Refer to "evidence->identity" method to optionally provide evidence that substantiates the assertion of the component's identity.
tags, Tags
type, Specifies the type of component. For software components, classify as application if no more specific appropriate classification is available or cannot be determined for the component.
version, The component version. The version should ideally comply with semantic versioning but is not enforced.
$component->_purl_parse
$component->author
$component->authors
$component->bom_ref
$component->components
$component->copyright
$component->cpe
$component->crypto_properties
$component->data
$component->description
$component->evidence
$component->external_references
$component->group
$component->hashes
$component->licenses
$component->manufacturer
$component->mime_type
$component->model_card
$component->modified
$component->name
$component->omnibor_id
$component->pedigree
$component->properties
$component->publisher
$component->purl
$component->release_notes
$component->scope
$component->signature
$component->supplier
$component->swhid
$component->swid
$component->tags
$component->type
$component->version

SUPPORT

Bugs / Feature Requests

Please report any bugs or feature requests through the issue tracker at https://github.com/giterlizzi/perl-SBOM-CycloneDX/issues. You will be notified automatically of any progress on your issue.

Source Code

This is open source software. The code repository is available for public review and contribution under the terms of the license.

https://github.com/giterlizzi/perl-SBOM-CycloneDX

git clone https://github.com/giterlizzi/perl-SBOM-CycloneDX.git

AUTHOR

  • Giuseppe Di Terlizzi <gdt@cpan.org>

LICENSE AND COPYRIGHT

This software is copyright (c) 2025 by Giuseppe Di Terlizzi.

This is free software; you can redistribute it and/or modify it under the same terms as the Perl 5 programming language system itself.