
Bill of Material

What is a Bill of Material?

A Bill of Materials (BOM) is a machine-readable inventory of the components that make up a system; think of it as a digital parts list for your entire IT infrastructure. Whereas a conventional SBOM (Software Bill of Materials) focuses on software components, the Versio.io BOM covers a broader range of elements: open-source libraries, commercial software, operating systems, containers, firmware, and hardware. This scope across both software and hardware is why it is called simply a BOM rather than an SBOM.

Export your BOM

Versio.io automatically inventories your entire IT landscape - hardware, operating systems, software products and software libraries - to build a complete digital twin of your IT and OT estate. The export feature generates a complete BOM directly from this inventory data. The Versio.io BOM is written in CycloneDX v1.6 format and follows the SBOM requirements published by the German BSI and the US NTIA.

Follow these three steps to export your BOM:

  1. Open the Lifecycle & Vulnerability Dashboard.
  2. Optional: Filter the data scope to a specific workspace and/or topology.
  3. Open the context menu and select Download BOM. A file named bom-<environment>-<date>.json is downloaded, which you can then process further.

The animated GIF on the original page shows how the BOM is generated in the Versio.io user interface.

Video: Export the Bill of Materials in the Lifecycle & Vulnerability Dashboard

Comprehensive data at a glance

The exported file contains structured component data and rich metadata, including the fields that matter most for security and compliance work:

Field                                   Description
--------------------------------------  ------------------------------------------------------------------
type, name, version                     Identifies each component (e.g., operating system, application, firmware).
publisher, manufacturer                 Supplier or vendor details.
licenses                                License type (e.g., GPL, Commercial).
cpe, purl                               Standardized component identifiers (CPE and Package URL); these are the keys used to match a component against vulnerability databases, so components without either cannot be matched automatically.
tags                                    Categories such as "Operating system" or "Database".
tags[].versioLifecycleStatusCompliant   Indicates whether the component complies with your lifecycle policies.
tags[].versioSecurityStatusCompliant    Indicates whether the component complies with your security policies.
tags[].versioRecommendedTask            Suggested upgrade version, if applicable.

The versio* entries inside the tags property carry this additional per-component information, enriching the BOM beyond the standard CycloneDX fields.
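A first thing a practitioner will want to do with the downloaded bom-<environment>-<date>.json is triage it: confirm it is the CycloneDX 1.6 document it claims to be, find components that carry neither a purl nor a cpe (and therefore cannot be matched against vulnerability data), check that bom-ref values are unique (a CycloneDX constraint), and list the components whose versio* tag entries mark them as non-compliant. The script below is an added example written for this page, not Versio.io code. It assumes the tag layout described in the table above (object-valued entries in tags carrying the versio* keys), and the embedded sample BOM is constructed for illustration; the function names are the example's own.

```python
"""Triage an exported Versio.io BOM (CycloneDX 1.6 JSON).

Added example, not Versio.io code. Assumes the export layout described in the
field table: components with purl/cpe identifiers and a `tags` array whose
entries may be objects carrying versioLifecycleStatusCompliant,
versioSecurityStatusCompliant and versioRecommendedTask (an assumption about
the export format, not taken from the CycloneDX schema, where tags are strings).
"""
import json
import sys
from collections import Counter

# Constructed sample export for illustration; a real export is read from the
# downloaded bom-<environment>-<date>.json file instead.
SAMPLE_BOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.6",
    "version": 1,
    "components": [
        {"type": "operating-system", "bom-ref": "os-1", "name": "Ubuntu", "version": "22.04",
         "cpe": "cpe:2.3:o:canonical:ubuntu_linux:22.04:*:*:*:*:*:*:*",
         "tags": [{"versioLifecycleStatusCompliant": True,
                   "versioSecurityStatusCompliant": True}]},
        {"type": "library", "bom-ref": "lib-1", "name": "lodash", "version": "4.17.21",
         "purl": "pkg:npm/lodash@4.17.21",
         "tags": [{"versioLifecycleStatusCompliant": True,
                   "versioSecurityStatusCompliant": False,
                   "versioRecommendedTask": "Upgrade to a patched release"}]},
        # Firmware with neither purl nor cpe: vulnerability matching cannot find it.
        {"type": "firmware", "bom-ref": "fw-1", "name": "bmc-image", "version": "2.3",
         "tags": ["Firmware"]},
        # Deliberate duplicate bom-ref (reuses "lib-1") to show the uniqueness check.
        {"type": "application", "bom-ref": "lib-1", "name": "dup-ref", "version": "1.0"},
    ],
})


def load_bom(text):
    """Parse the export and reject anything that is not CycloneDX 1.6."""
    bom = json.loads(text)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    if bom.get("specVersion") != "1.6":
        raise ValueError(f"unexpected specVersion {bom.get('specVersion')!r}")
    return bom


def duplicate_bom_refs(bom):
    """bom-ref values that occur more than once (CycloneDX requires uniqueness)."""
    refs = Counter(c["bom-ref"] for c in bom.get("components", []) if "bom-ref" in c)
    return sorted(ref for ref, n in refs.items() if n > 1)


def unidentifiable(bom):
    """Names of components that carry neither a purl nor a cpe."""
    return [c["name"] for c in bom.get("components", [])
            if not (c.get("purl") or c.get("cpe"))]


def versio_flags(component):
    """Merge the versio* keys from object-valued tag entries (assumed layout)."""
    flags = {}
    for tag in component.get("tags", []):
        if isinstance(tag, dict):
            flags.update({k: v for k, v in tag.items() if k.startswith("versio")})
    return flags


def non_compliant(bom):
    """(name, recommended task) for components failing a lifecycle or security policy."""
    findings = []
    for c in bom.get("components", []):
        flags = versio_flags(c)
        if (flags.get("versioLifecycleStatusCompliant") is False
                or flags.get("versioSecurityStatusCompliant") is False):
            findings.append((c["name"], flags.get("versioRecommendedTask")))
    return findings


def triage(text):
    """Run all checks over one export and return the findings as a dict."""
    bom = load_bom(text)
    return {
        "duplicate_refs": duplicate_bom_refs(bom),
        "unidentifiable": unidentifiable(bom),
        "non_compliant": non_compliant(bom),
    }


if __name__ == "__main__":
    # Usage: python triage_bom.py bom-<environment>-<date>.json (falls back to the sample).
    source = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_BOM
    for key, value in triage(source).items():
        print(f"{key}: {value}")
```

Run against the sample, the script reports the duplicated bom-ref "lib-1", the two components with no purl or cpe, and lodash as security-non-compliant with its recommended task. Extending the checks with a full JSON-schema validation (the CycloneDX project publishes the 1.6 schema) is the natural next step before feeding the file to downstream tooling.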

Example BOM Snippet

The snippet below illustrates the CycloneDX structure of an export. The // annotations explain each field and state whether the CycloneDX 1.6 schema requires it; they are not part of the JSON and must be removed before the document is validated or processed.

{
  "bomFormat": "CycloneDX", // REQUIRED. Fixed value identifying the format.
  "specVersion": "1.6",     // REQUIRED. Version of the CycloneDX specification.
  "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79", // OPTIONAL. Unique identifier for this BOM document (UUID URN).
  "version": 1,             // OPTIONAL (defaults to 1). Version of the BOM itself, not of the software; incremented when the content changes.
  "metadata": {             // OPTIONAL. Information about the BOM itself.
    "timestamp": "2025-07-22T08:57:00.000Z", // OPTIONAL. When the BOM was created.
    "authors": [            // OPTIONAL. People who created the BOM: an array of contacts, not a bare string.
      { "name": "John Doe", "email": "john.doe@my-company.com" }
    ],
    "tools": [              // OPTIONAL. Tool(s) that produced the BOM (legacy array form, deprecated since 1.5 but still accepted in 1.6).
      {
        "vendor": "OWASP Foundation",
        "name": "CycloneDX CLI",
        "version": "4.11.0"
      }
    ],
    "component": {          // OPTIONAL. The top-level application or system the BOM describes.
      "type": "application", // REQUIRED. Component type (e.g., application, library, operating-system, firmware, device).
      "bom-ref": "pkg:npm/my-awesome-app@1.0.0", // OPTIONAL, but if present it must be unique within the BOM.
      "name": "MyAwesomeApp",    // REQUIRED. Name of the component.
      "version": "1.0.0",        // OPTIONAL. Version of the component.
      "purl": "pkg:npm/my-awesome-app@1.0.0" // OPTIONAL. Package URL (purl).
    }
  },
  "components": [           // OPTIONAL in the schema, but this inventory is the substance of the export.
    {
      "type": "library",    // REQUIRED. Type of component (e.g., 'library' for npm packages).
      "bom-ref": "pkg:npm/lodash@4.17.21", // OPTIONAL. Must be unique within the BOM; a UUID such as "0a39c000-388e-4c5e-b59e-1b39510cee86" is an alternative to reusing the purl.
      "name": "lodash",      // REQUIRED. Name of the component.
      "version": "4.17.21",  // OPTIONAL in the schema, but needed for vulnerability matching.
      "description": "Lodash modular utilities.", // OPTIONAL. Description of the component.
      "purl": "pkg:npm/lodash@4.17.21", // OPTIONAL. Package URL; the primary key for matching against vulnerability databases.
      "licenses": [          // OPTIONAL. Applicable licenses.
        {
          "license": {
            "id": "MIT",     // SPDX license ID. A license carries either "id" or "name" (not both); use "name" only when no SPDX ID exists.
            "url": "https://opensource.org/licenses/MIT" // OPTIONAL. URL to the license text.
          }
        }
      ],
      "supplier": {          // OPTIONAL. Information about the supplier.
        "name": "Lodash Team", // OPTIONAL. Name of the supplier.
        "url": [             // OPTIONAL. URL(s) for the supplier (array).
          "https://lodash.com/"
        ]
      }
    }
  ]
}

References

  1. CycloneDX v1.6 JSON Reference
  2. CycloneDX releases API
  3. Known purl types (purl specification)
  4. purl specification: how to build a purl string from its components (the type component is required)