1、附录A(资料性)软件物料清单必要字段软件物料清单必要字段如表A.1所示。表AJ软件物料清单必要字段元素名字段名字段描述字段类型软件信息softwaresoftWareName软件名称stringSoftwareVersion软件版本stringintegrityhashAlg杂凑算法stringHiessageDigest消息摘要string清单信息documentCormatName清单格式名称stringformatVersion格式版本stringSerialNumber清单标识stringtimestamp时间戳stringauthors创建者string组件信息componentsC
2、omponentId组件标识stringcomponentName组件名称stringComponcntVersion组件版本stringseifDeve1OpedProportion自研比例enum(ofstring)1IcenseName许可证名称arrayofstringintegrityhashAlg杂凑算法stringmessageDigest消息摘要string内部依赖信息dependenciesi(IentityAId依赖标识引用stringrelationship关系arrayofstringidentityBId被依赖标识引用string生命周期维护中断风险disruptio
3、nsdisruptionld中断标识stringUisruptionType中断类型stringaffectedbject影响对象string表A.1(续)元素名字段名字段描述字段类型生命周期维护中断风险disruptionsdescription风险描述stringdisposal处置情况booleanestimatedTime预计中断时间string签名信息integritySignatureFile签名文件stringHigitalCertificateFiIe数字证书文件string附录B(资料性)软件物料清单实例参考B.1软件信息JSON格式示例:a)定制化开发或商业采购软件:(“s
4、oftware”:“SoftwareName:MyApp”,“SoftwareYersion:1.2.0”,“integrity”:hashAlg:MD5,z,messageDigest,/:z/fc3aa394c8787e019eda27be38d65cdfzz),“supplier”:“supplierName:supplierA”,supplerType:agent,area:China,“developer”:z,developerAz,)“IicenseName:CommercialAgreementA”“authorizationTerm:2024T171”)b)开源软件:(“so
5、ftware”:“softwareName:UyApp”,“softwareVersion:1.2.0,“integrity”:hashAlg:MD5,messageDigest:fc3aa394c8787e019eda27be38d65cdf”),“acquisitionchannel”:z,openSourceCommunityz,“IicenseName”:,Apache-2.O”)JSON格式示例:(“document”:formatName:SBOMDF”,“formatVersion:1.0,serialNumbcrzz:urn:uuid:f47acl0b-58cc-4372-a5
6、67-0e02b2c3d479,lifecycle:commit,timestamp:2024-01-1010:00:00,authors”:*SBOMDFCreatorA*,z,createToolsz,:AutomationToolv2.1”,z,downloadUrlz,:“httpsB.3组件信息JSON格式示例:a)定制化开发或商业采购软件:“components”:(componentId:lib-001”,“ComponentName:1.ogging1.ibrary”,yzComponentVersionzr:25”,z,componentDescription:1.ibrar
7、yforapplicationlogging.z,yzSelfDevelopedProportionz,:none,“regidentifier:cpe:/a:microsoft:SqlSerVer:6.5,importance”:核心组件”,“security”:经过三方机构安全检测”,“supplier”:zSupplierNamezr:supplierA”,“supplierType:integrator”,“Marea:China,“developer:developerA”,)language:Java,“IicenseName:CommercialAgreementB”,“down
8、IoadUrl”:*https:/logcorp.COnI/1OgTib”,“homePgaeUrl”:z,https:/logcorp.COn,“completeness:known”,integrity:hashAlg:MD5”,messageDigestz,:z,d41d8cd98f00b204e9800998ecf8427ez,),)b)开源软件:(components*:(“componentId:lib-001”,componentName,“1.ogging1.ibrary,“componentversion:25”,z,componentDescriptionz,:“1.ibr
9、aryforapplicationlogging.*,z,SelfDeveIopedProportion:none,“regidentifier”:z,cpe:/a:microsoft:sq1_server:6.5”,z,importance*:核心组件”,security:经过开源社区安全审查”,“acquisitionchannel:openSourceCommunity”,language:Java,“IicenseName”:zzApache1.icense2.0”,downIoadUrlzr:*https:/logcorp.COm/1OgTib”,“homePgae:https:/l
10、ogcorp,com”,“completeness:known”,“integrity”:hashAlg:MD5,“messageDigest:d41d8cd98f00b204e9800998ecf8427e),)B.4文件信息JSON格式示例:(“files:(fileld:file-00,IileNanie:syslog.java,“fiIePath”:/src/com/myappsyslog.java”,zpurpose:实现软件日志信息生成的源代码文件”,“integrity”:hashAlg:MD5”,“messageDigest:03ac674216f3el5c761eela5e2
11、55f067”),B.5代码片段信息JSON格式示例:(4厂snippets:1.(“snippetld:snippet-001”,“snippetFile:*/srccom/myapp/Main.java”,zbyteStartPointerz,:100,zbyteEndPointerz,:200,IineStartPointer”:10,IineEndPointerz,:20,“snippetSource:OpensourceprojectA”,“snippetUrl:http:WWw.0penSourceCommunity.orgprojectA/homepage*,“IicenseNa
12、me:Apache1.icense2.0,integrity:hashAlg:MD5,“messageDigest”:z,a8a06469b6d584543e5619746e3d62cl4zz),)B.6内部依赖信息JSON格式示例:(“dependencies”:(*identityAId*:lib-001”,“relationship:dependsn”,“identityBId:lib-002),(*identityAId:file-001,“relationship:contains”,identityBId:snipPet-Oo1”),)B.7外部网络服务信息JSON格式示例:(”s
13、ervices:1.(“serviceld:service-Oo1”,“serviceNam。”:AuthenticationService”,“substitutability”:false,“supplier”:z,supplierName:paymentserviceprovider*,area:China,),“serviceUrl:https:auth.servicecorp.COnlapi”,serviceArea”:国内计算环境”,z,serviceProtocolz,:http,“dataDescription”:包含电话、身份证、银行卡号等个人隐私信息”,)B.8基础环境信息
14、JSoN格式示例:(“platform”:(“assetld”:,java-runtime*,“assetName”:,JavaRuntimeEnvironment*,“assetVersion:v8.0,“substitutability”:false,“source:https:java,com”,“supplier”:*supplierNamez,:“Javaprovider*,area:China,)JSON格式示例:(“dcvelopmcntTools”:(toolld:tool-001,z,toolNamez,:IDE”,“toolTypc”:代码编辑器,z,toolVcrsion
15、v5.3,purpose:编辑源代码”,),B.10网络服务接口信息JSON格式示例:(“interfaces”:(interfaced”:INT-00,“interfaceType:Restful”,description”:这是一个对外提供远程更新服务的外部接口,“necessity”:false,requestMethod:GET,interfaceAddress:xhttp:/192.168.1.127apiupdate,z,“method:update”),)B.11补丁信息JSON格式示例:(“patches”:(patchld:patch-Oo1”,“patchName:Sec
16、urityUpdate”,reIeaseDate:2023-03-15*,“originalId:software.PatCh一vl.0,“patchAddress:http:WWpany.Org/patch/download”,“perpose”:修复软件登录模块安全漏洞“,“palchSbo11:patch.SBOMDF.jsonz,),)B.12许可证信息a)开源许可证:(licenses:1.(“IicenseId:1.icense-OOl*,“IicenseName”:1.GP1.-3.0”,“downIoadUrl:http:Www.apache,org/licenses/*,“c
17、ontent”:,Thislicensetextincludesawarrantydisclaimer.”,scope:Global,“patent”:有专利权”,,riskDescription:该协议为强传染性协议,)b)商业许可证:(“licenses”:(“IicenseId:1.iCenSe-002”,“IicenseName”:Commercial1.icenseA”,“downIoadUrl”:http:Www.apache.Org/licenses/”,“licensor:CompanyA”,licensee:CompanyB,term:2024-05-0z,“content:
18、Thislicensetextincludesawarrantydisclaimer.),)B.13安全漏洞“vulnerabilities”:“vulnerabilityId:vul-001,vulnerabilityName:心脏滴血,*affectedObject*:“lib-001”,“nu11ber”:“CVE-2014-0160”,CNVD-2014-31337,z,“repairSituation:codelevel”,),B.14配置风险JSON格式示例:“configRisks”:(*configRiskId*:con-001”,configRiskName:“数据安全风险”
19、ConfigRiSkItem:”数据库远程访问功能设置为开启”,“suggestion”:该配置可能导致数据泄露。”,*testingTool7z:ToolA”,*relatedUrl*:https:ConfigUratiOn.risk,com”),)B.15生命周期维护中断风险(disruptionRisks*:(z,disruptionldz,:“Drp-001”,disruptionType”:组件停止更新”,affectedbject:lib-003”,description:由于知识产权纠纷,该组件已停止更新”,estimatedTime:2023-06-1009:30:00,“diposal”:false,)signature”:wSignatureFilew:rtValue.txtw,:wcertification.pemn,
免费区 
