軟件物料清單必要字段、實(shí)例參考

附錄A

（資料性）

軟件物料清單必要字段軟件物料清單必要字段如表A.1所示。表A.1軟件物料清單必要字段元素名字段名字段描述字段類型軟件信息softwaresoftwareName軟件名稱stringsoftwareVersion軟件版本stringintegrityhashAlg雜湊算法stringmessageDigest消息摘要string清單信息documentformatName清單格式名稱stringformatVersion格式版本stringserialNumber清單標(biāo)識stringtimestamp時間戳stringauthors創(chuàng)建者string組件信息componentscomponentId組件標(biāo)識stringcomponentName組件名稱stringcomponentVersion組件版本stringselfDevelopedProportion自研比例enum（ofstring）licenseName許可證名稱arrayofstringintegrityhashAlg雜湊算法stringmessageDigest消息摘要string內(nèi)部依賴信息dependenciesidentityAId依賴標(biāo)識引用stringrelationship關(guān)系arrayofstringidentityBId被依賴標(biāo)識引用string生命周期維護(hù)中斷風(fēng)險disruptionsdisruptionId中斷標(biāo)識stringdisruptionType中斷類型stringaffectedObject影響對象string表A.1（續(xù)）元素名字段名字段描述字段類型生命周期維護(hù)中斷風(fēng)險disruptionsdescription風(fēng)險描述stringdisposal處置情況booleanestimatedTime預(yù)計中斷時間string簽名信息integritysignatureFile簽名文件stringdigitalCertificateFile數(shù)字證書文件string

附錄B

（資料性）

軟件物料清單實(shí)例參考B.1軟件信息JSON格式示例：定制化開發(fā)或商業(yè)采購軟件：{"software":{"softwareName":"MyApp","softwareVersion":"1.2.0","integrity":{"hashAlg":"MD5","messageDigest":"fc3aa394c8787e019eda27be38d65cdf"},"supplier":{"supplierName":"supplierA","supplierType":"agent","area":"China","developer":"developerA",}"licenseName":"CommercialAgreementA""authorizationTerm":"2024-11-11"}}開源軟件：{"software":{"softwareName":"MyApp","softwareVersion":"1.2.0","integrity":{"hashAlg":"MD5","messageDigest":"fc3aa394c8787e019eda27be38d65cdf"},"acquisitionChannel":"openSourceCommunity","licenseName":"Apache-2.0"}}B.2清單信息JSON格式示例：{"document":{"formatName":"SBOMDF","formatVersion":"1.0","serialNumber":"urn:uuid:f47ac10b-58cc-4372-a567-0e02b2c3d479","lifecycle":"commit","timestamp":"2024-01-1010:00:00","authors":"SBOMDFCreatorA","createTools":"AutomationToolv2.1","downloadUrl":"/download/sbom"}}B.3組件信息JSON格式示例：定制化開發(fā)或商業(yè)采購軟件：{"components":[{"componentId":"lib-001","componentName":"LoggingLibrary","componentVersion":"v2.5","componentDescription":"Libraryforapplicationlogging.","selfDevelopedProportion":"none","regIdentifier":"cpe:/a:microsoft:sql_server:6.5","importance":"核心組件","security":"經(jīng)過三方機(jī)構(gòu)安全檢測","supplier":{"supplierName":"supplierA","supplierType":"integrator","area":"China","developer":"developerA",}"language":"Java","licenseName":"CommercialAgreementB","downloadUrl":"/log-lib","homePgaeUrl":"","completeness":"known","integrity":{"hashAlg":"MD5","messageDigest":"d41d8cd98f00b204e9800998ecf8427e"}},]}開源軟件：{"components":[{"componentId":"lib-001","componentName":"LoggingLibrary","componentVersion":"v2.5","componentDescription":"Libraryforapplicationlogging.","selfDevelopedProportion":"none","regIdentifier":"cpe:/a:microsoft:sql_server:6.5","importance":"核心組件","security":"經(jīng)過開源社區(qū)安全審查","acquisitionChannel":"openSourceCommunity","language":"Java","licenseName":"ApacheLicense2.0","downloadUrl":"/log-lib","homePgae":"","completeness":"known","integrity":{"hashAlg":"MD5","messageDigest":"d41d8cd98f00b204e9800998ecf8427e"}},]}B.4文件信息JSON格式示例：{"files":[{"fileId":"file-001","fileName":"syslog.java","filePath":"/src/com/myapp/syslog.java","purpose":"實(shí)現(xiàn)軟件日志信息生成的源代碼文件","integrity":{"hashAlg":"MD5","messageDigest":"03ac674216f3e15c761ee1a5e255f067"}},]}B.5代碼片段信息JSON格式示例：{"snippets":[{"snippetId":"snippet-001","snippetFile":"/src/com/myapp/Main.java","byteStartPointer":100,"byteEndPointer":200,"lineStartPointer":10,"lineEndPointer":20,"snippetSource":"OpensourceprojectA","snippetUrl":"http://www.OpenSourceC/projectA/homepage","licenseName":"ApacheLicense2.0","integrity":{"hashAlg":"MD5","messageDigest":"a8a06469b6d584543e5619746e3d62d4"}},]}B.6內(nèi)部依賴信息JSON格式示例：{"dependencies":[{"identityAId":"lib-001","relationship":"dependsOn","identityBId":"lib-002"},{"identityAId":"file-001","relationship":"contains","identityBId":"snippet-001"},]}B.7外部網(wǎng)絡(luò)服務(wù)信息JSON格式示例：{"services":[{"serviceId":"service-001","serviceName":"AuthenticationService","substitutability":false,"supplier":{"supplierName":"paymentserviceprovider","area":"China",},"serviceUrl":"/api","serviceArea":"國內(nèi)計算環(huán)境","serviceProtocol":"http","dataDescription":"包含電話、身份證、銀行卡號等個人隱私信息"},]}B.8基礎(chǔ)環(huán)境信息JSON格式示例：{"platform":[{"assetId":"java-runtime","assetName":"JavaRuntimeEnvironment","assetVersion":"v8.0","substitutability":false,"source":"","supplier":{"supplierName":"Javaprovider","area":"China"},},]}B.9開發(fā)工具信息JSON格式示例：{"developmentTools":[{"toolId":"tool-001","toolName":"IDE","toolType":"代碼編輯器","toolVersion":"v5.3","purpose":"編輯源代碼",},]}B.10網(wǎng)絡(luò)服務(wù)接口信息JSON格式示例：{"interfaces":[{"interfaceId":"INT-001","interfaceType":"Restful","description":"這是一個對外提供遠(yuǎn)程更新服務(wù)的外部接口","necessity":false,"requestMethod":"GET","interfaceAddress":"27/api/update","method":"update"},]}B.11補(bǔ)丁信息JSON格式示例：{"patches":[{"patchId":"patch-001","patchName":"SecurityUpdate","releaseDate":"2023-03-15","originalId":"software_patch_v1.0","patchAddress":"/patch/download","perpose":"修復(fù)軟件登錄模塊安全漏洞","patchSbom":"patch.SBOMDF.json"},]}B.12許可證信息開源許可證：{"licenses":[{"licenseId":"License-001","licenseName":LGPL-3.0","downloadUrl":"/licenses/","content":"Thislicensetextincludesawarrantydisclaimer.","scope":"Global","patent":"有專利權(quán)"，"riskDescription":"該協(xié)議為強(qiáng)傳染性協(xié)議"},]}商業(yè)許可證：{"licenses":[{"licenseId":"License-002","licenseName":"CommercialLicenseA","downloadUrl":"/licenses/","licensor":"CompanyA","licensee":"CompanyB","term":"2024-05-01","content":"Thislicensetextincludesawarrantydisclaimer."},]}B.13安全漏洞{"vulnerabilities":[{"vulnerabilityId":"vul-001","vulnerabilityName":"心臟滴血","affectedObject":"lib-001","number":[