软件物料清单必要字段、实例参考.docx

1、附录A（资料性）软件物料清单必要字段软件物料清单必要字段如表A.1所示。表AJ软件物料清单必要字段元素名字段名字段描述字段类型软件信息softwaresoftWareName软件名称stringSoftwareVersion软件版本stringintegrityhashAlg杂凑算法stringHiessageDigest消息摘要string清单信息documentCormatName清单格式名称stringformatVersion格式版本stringSerialNumber清单标识stringtimestamp时间戳stringauthors创建者string组件信息componentsC

2、omponentId组件标识stringcomponentName组件名称stringComponcntVersion组件版本stringseifDeve1OpedProportion自研比例enum(ofstring)1IcenseName许可证名称arrayofstringintegrityhashAlg杂凑算法stringmessageDigest消息摘要string内部依赖信息dependenciesi(IentityAId依赖标识引用stringrelationship关系arrayofstringidentityBId被依赖标识引用string生命周期维护中断风险disruptio

3、nsdisruptionld中断标识stringUisruptionType中断类型stringaffectedbject影响对象string表A.1（续）元素名字段名字段描述字段类型生命周期维护中断风险disruptionsdescription风险描述stringdisposal处置情况booleanestimatedTime预计中断时间string签名信息integritySignatureFile签名文件stringHigitalCertificateFiIe数字证书文件string附录B(资料性)软件物料清单实例参考B.1软件信息JSON格式示例：a)定制化开发或商业采购软件：(“s

4、oftware”:“SoftwareName:MyApp”,“SoftwareYersion:1.2.0”,“integrity”:hashAlg:MD5,z，messageDigest，/：z/fc3aa394c8787e019eda27be38d65cdfzz),“supplier”:“supplierName:supplierA”,supplerType:agent,area:China,“developer”:z,developerAz,)“IicenseName:CommercialAgreementA”“authorizationTerm:2024T171”)b)开源软件：(“so

5、ftware”:“softwareName:UyApp”,“softwareVersion:1.2.0,“integrity”:hashAlg:MD5,messageDigest:fc3aa394c8787e019eda27be38d65cdf”),“acquisitionchannel”:z,openSourceCommunityz,“IicenseName”:,Apache-2.O”)JSON格式示例：(“document”:formatName:SBOMDF”,“formatVersion:1.0，serialNumbcrzz:urn:uuid:f47acl0b-58cc-4372-a5

6、67-0e02b2c3d479,lifecycle:commit,timestamp:2024-01-1010:00:00,authors”:*SBOMDFCreatorA*,z,createToolsz,:AutomationToolv2.1”,z,downloadUrlz,:“httpsB.3组件信息JSON格式示例：a)定制化开发或商业采购软件：“components”:(componentId:lib-001”,“ComponentName:1.ogging1.ibrary”,yzComponentVersionzr:25”,z,componentDescription:1.ibrar

7、yforapplicationlogging.z,yzSelfDevelopedProportionz,:none,“regidentifier:cpe:/a:microsoft:SqlSerVer:6.5，importance”:核心组件”，“security”:经过三方机构安全检测”，“supplier”:zSupplierNamezr:supplierA”,“supplierType:integrator”,“Marea:China,“developer:developerA”,)language:Java,“IicenseName:CommercialAgreementB”,“down

8、IoadUrl”:*https:/logcorp.COnI/1OgTib”,“homePgaeUrl”:z,https:/logcorp.COn,“completeness:known”,integrity:hashAlg:MD5”,messageDigestz,:z,d41d8cd98f00b204e9800998ecf8427ez,),)b)开源软件：(components*:(“componentId:lib-001”,componentName,“1.ogging1.ibrary,“componentversion:25”,z,componentDescriptionz,:“1.ibr

9、aryforapplicationlogging.*,z,SelfDeveIopedProportion:none,“regidentifier”:z,cpe:/a:microsoft:sq1_server:6.5”,z,importance*:核心组件”，security:经过开源社区安全审查”，“acquisitionchannel:openSourceCommunity”,language:Java,“IicenseName”:zzApache1.icense2.0”,downIoadUrlzr:*https:/logcorp.COm/1OgTib”,“homePgae:https:/l

10、ogcorp,com”,“completeness:known”,“integrity”:hashAlg:MD5,“messageDigest:d41d8cd98f00b204e9800998ecf8427e),)B.4文件信息JSON格式示例：(“files:(fileld:file-00,IileNanie:syslog.java,“fiIePath”:/src/com/myappsyslog.java”,zpurpose：实现软件日志信息生成的源代码文件”，“integrity”:hashAlg：MD5”,“messageDigest:03ac674216f3el5c761eela5e2

11、55f067”),B.5代码片段信息JSON格式示例：(4厂snippets:1.(“snippetld:snippet-001”,“snippetFile:*/srccom/myapp/Main.java”,zbyteStartPointerz,:100,zbyteEndPointerz,:200,IineStartPointer”:10,IineEndPointerz,:20,“snippetSource:OpensourceprojectA”,“snippetUrl:http:WWw.0penSourceCommunity.orgprojectA/homepage*,“IicenseNa

12、me:Apache1.icense2.0，integrity:hashAlg:MD5,“messageDigest”:z,a8a06469b6d584543e5619746e3d62cl4zz),)B.6内部依赖信息JSON格式示例：(“dependencies”:(*identityAId*:lib-001”,“relationship:dependsn”,“identityBId:lib-002),(*identityAId:file-001，“relationship:contains”,identityBId:snipPet-Oo1”),)B.7外部网络服务信息JSON格式示例：(”s

13、ervices:1.(“serviceld:service-Oo1”,“serviceNam。”：AuthenticationService”,“substitutability”:false,“supplier”:z,supplierName:paymentserviceprovider*,area:China,),“serviceUrl:https:auth.servicecorp.COnlapi”,serviceArea”:国内计算环境”，z,serviceProtocolz,:http,“dataDescription”:包含电话、身份证、银行卡号等个人隐私信息”,)B.8基础环境信息

14、JSoN格式示例：(“platform”:(“assetld”:,java-runtime*,“assetName”:,JavaRuntimeEnvironment*,“assetVersion:v8.0,“substitutability”:false,“source:https:java,com”,“supplier”:*supplierNamez,:“Javaprovider*,area:China,)JSON格式示例：(“dcvelopmcntTools”:(toolld:tool-001，z,toolNamez,:IDE”,“toolTypc”:代码编辑器，z,toolVcrsion

15、v5.3,purpose:编辑源代码”，),B.10网络服务接口信息JSON格式示例：(“interfaces”:(interfaced”:INT-00,“interfaceType:Restful”,description”:这是一个对外提供远程更新服务的外部接口,“necessity”:false,requestMethod:GET,interfaceAddress:xhttp:/192.168.1.127apiupdate,z,“method:update”),)B.11补丁信息JSON格式示例：(“patches”:(patchld:patch-Oo1”,“patchName:Sec

16、urityUpdate”,reIeaseDate:2023-03-15*,“originalId:software.PatCh一vl.0，“patchAddress:http:WWpany.Org/patch/download”,“perpose”:修复软件登录模块安全漏洞“，“palchSbo11:patch.SBOMDF.jsonz,),)B.12许可证信息a)开源许可证：(licenses:1.(“IicenseId:1.icense-OOl*,“IicenseName”:1.GP1.-3.0”,“downIoadUrl:http:Www.apache,org/licenses/*,“c

17、ontent”:,Thislicensetextincludesawarrantydisclaimer.”,scope:Global,“patent”:有专利权”，,riskDescription:该协议为强传染性协议,)b)商业许可证：(“licenses”:(“IicenseId:1.iCenSe-002”,“IicenseName”:Commercial1.icenseA”,“downIoadUrl”:http:Www.apache.Org/licenses/”,“licensor:CompanyA”,licensee:CompanyB,term:2024-05-0z,“content:

18、Thislicensetextincludesawarrantydisclaimer.),)B.13安全漏洞“vulnerabilities”:“vulnerabilityId:vul-001，vulnerabilityName:心脏滴血，*affectedObject*:“lib-001”,“nu11ber”:“CVE-2014-0160”,CNVD-2014-31337,z,“repairSituation:codelevel”,）,B.14配置风险JSON格式示例：“configRisks”:（*configRiskId*:con-001”,configRiskName:“数据安全风险”

19、ConfigRiSkItem：”数据库远程访问功能设置为开启”,“suggestion”:该配置可能导致数据泄露。”，*testingTool7z:ToolA”,*relatedUrl*:https:ConfigUratiOn.risk,com”）,）B.15生命周期维护中断风险（disruptionRisks*:（z,disruptionldz,:“Drp-001”,disruptionType”:组件停止更新”，affectedbject:lib-003”,description:由于知识产权纠纷,该组件已停止更新”,estimatedTime:2023-06-1009:30:00，“diposal”:false,）signature”:wSignatureFilew:rtValue.txtw,:wcertification.pemn,