This reference topic describes the BOM structure you can use with Cartographer Conventions.

The BOM is a structure wrapping a Software Bill of Materials (SBOM) that describes the software components and their dependencies. The structure of the BOM is defined as follows:

```json
{
  "name": "BOM-NAME",
  "raw": "BYTE-ARRAY"
}
```

Where:

- `BOM-NAME` is the prefix `cnb-sbom:` followed by the location of the BOM definition in the layer for a Cloud Native Buildpack (CNB) SBOM. For example: `cnb-sbom:/layers/sbom/launch/paketo-buildpacks_executable-jar/sbom.cdx.json`. For a non-CNB SBOM, the value of `name` might be different.
- `BYTE-ARRAY` is the content of the BOM. The content can be in any format or encoding. Read the name to learn how the content is structured.

The convention controller forwards BOMs to the convention servers that it can detect from known sources, including CNB-SBOM.
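The following Go program is an added example, not code from the Cartographer Conventions project, showing how a convention server might consume a BOM with the structure described above: decode the wrapper, check that the name carries the `cnb-sbom:` prefix before trusting the layer path, use the path's `.cdx.json` suffix to decide how to interpret the raw bytes, and then list the components. The `BOM` struct, its JSON tags (with `encoding/json` a `[]byte` field is transported as a base64 string), the `cycloneDXDoc` subset and the sample SBOM content are all assumptions constructed for this example.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// BOM mirrors the wrapper structure on this page. Field names and tags are an
// assumption for this example; encoding/json carries Raw as a base64 string.
type BOM struct {
	Name string `json:"name"`
	Raw  []byte `json:"raw"`
}

// cnbPrefix marks a BOM that came from a Cloud Native Buildpack layer.
const cnbPrefix = "cnb-sbom:"

// cycloneDXDoc is the minimal subset of a CycloneDX JSON document read here.
type cycloneDXDoc struct {
	BOMFormat  string `json:"bomFormat"`
	Components []struct {
		Name    string `json:"name"`
		Version string `json:"version"`
	} `json:"components"`
}

// ParseBOM decodes the {"name","raw"} wrapper from JSON.
func ParseBOM(data []byte) (BOM, error) {
	var b BOM
	if err := json.Unmarshal(data, &b); err != nil {
		return BOM{}, fmt.Errorf("decode BOM wrapper: %w", err)
	}
	if b.Name == "" {
		return BOM{}, errors.New("BOM name is empty")
	}
	return b, nil
}

// CNBLayerPath returns the layer location carried in a cnb-sbom: name and
// rejects names from other sources so their path is never interpreted as a
// buildpack layer path.
func CNBLayerPath(name string) (string, error) {
	if !strings.HasPrefix(name, cnbPrefix) {
		return "", fmt.Errorf("not a CNB SBOM: %q", name)
	}
	path := strings.TrimPrefix(name, cnbPrefix)
	if !strings.HasPrefix(path, "/") {
		return "", fmt.Errorf("CNB SBOM location is not an absolute layer path: %q", path)
	}
	return path, nil
}

// ComponentNames interprets Raw according to the name: only a CNB SBOM whose
// location ends in .cdx.json is decoded as CycloneDX JSON; anything else is
// reported as unsupported rather than guessed at.
func ComponentNames(b BOM) ([]string, error) {
	path, err := CNBLayerPath(b.Name)
	if err != nil {
		return nil, err
	}
	if !strings.HasSuffix(path, ".cdx.json") {
		return nil, fmt.Errorf("unsupported SBOM format for %q", path)
	}
	var doc cycloneDXDoc
	if err := json.Unmarshal(b.Raw, &doc); err != nil {
		return nil, fmt.Errorf("decode CycloneDX content: %w", err)
	}
	if doc.BOMFormat != "CycloneDX" {
		return nil, fmt.Errorf("unexpected bomFormat %q", doc.BOMFormat)
	}
	names := make([]string, 0, len(doc.Components))
	for _, c := range doc.Components {
		names = append(names, c.Name+"@"+c.Version)
	}
	return names, nil
}

// SampleBOMJSON builds a constructed wrapper (not from a real build) whose raw
// content is a tiny CycloneDX document.
func SampleBOMJSON() []byte {
	sbom := `{"bomFormat":"CycloneDX","specVersion":"1.4","components":[` +
		`{"name":"spring-boot","version":"2.7.0"},` +
		`{"name":"jackson-databind","version":"2.13.3"}]}`
	b := BOM{
		Name: cnbPrefix + "/layers/sbom/launch/paketo-buildpacks_executable-jar/sbom.cdx.json",
		Raw:  []byte(sbom),
	}
	data, _ := json.Marshal(b) // marshaling a plain struct cannot fail here
	return data
}

func main() {
	b, err := ParseBOM(SampleBOMJSON())
	if err != nil {
		panic(err)
	}
	names, err := ComponentNames(b)
	if err != nil {
		panic(err)
	}
	fmt.Println(b.Name, names)
}
```

The prefix check matters because the page states that non-CNB SBOMs may use a different name: a server that blindly strips the first colon and treats the remainder as a layer path would misinterpret such entries, so the path is only derived once the source is known.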