SBOM Hub is capable of parsing both CycloneDX (XML/JSON) and SPDX (Tag/JSON) formats to populate some or all of the required minimal NTIA attributes for the package being described.
As far as possible, SBOM Hub extracts the NTIA-required metadata from the SBOM itself, so that the stored values faithfully reflect what the document declares.
However, the standards differ in which fields they carry, so this is not always possible; where a format lacks a field, the metadata must be supplied separately as API parameters on the SBOM upload.
The following table describes how SBOM Hub maps each metadata attribute in CycloneDX and SPDX:
| NTIA Attribute | Description | CycloneDX 1.2/1.3/1.4 | SPDX 2.1/2.2 |
|---|---|---|---|
| Component Name | Name of the Software Package being described | Automatically mapped from: `bom => metadata => component => name` | User-input URL Parameter: `&component=<component-name>` |
| Version | Version of the Software Package being described | Automatically mapped from: `bom => metadata => component => version` | User-input URL Parameter: `&version=<version>` |
| SBOM Author | Author/Tool that generated the SBOM | Automatically mapped from: `bom => metadata => authors => author[0] => name` | Automatically mapped from: `CreationInfo => CreatorPersons`, `CreationInfo => CreatorOrganizations` |
| Software Supplier | Publisher/Developer who wrote the Software | Automatically mapped from: `bom => metadata => component => publisher` | User-input URL Parameter: `&supplier=<supplier>` |
| Other Unique Identifiers/Hashes | Any associated unique identifiers for this release of the Software Package | Automatically mapped from: `bom => serialNumber` | User-input URL Parameter: `&hash=<hashalg>:<hash>` |
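The mapping table above can be exercised with a small extractor. The following is an added example, not SBOM Hub's own code: it reads the JSON flavour of each format, pulls the attributes the table says each document carries, fills the remaining ones from a URL query string in the `&component=...&version=...&supplier=...&hash=<alg>:<hash>` shape, and reports which NTIA fields are still missing. The function names, the rule that a value present in the document is kept over a URL parameter, and the two sample documents are all assumptions made for this example; SPDX creator entries are read from the JSON `creationInfo.creators` list, which is where the `CreatorPersons`/`CreatorOrganizations` values live in SPDX 2.2 JSON.

```python
"""Extract the NTIA minimum attributes from a CycloneDX or SPDX JSON SBOM.

Added example following the mapping table: fields are read from the document
where the format carries them, otherwise from the upload's URL parameters.
"""
import json
from urllib.parse import parse_qs

NTIA_FIELDS = ("component", "version", "author", "supplier", "identifier")


def _get(d, *path):
    """Walk a nested dict along `path`, returning None on any missing key."""
    for key in path:
        if not isinstance(d, dict) or key not in d:
            return None
        d = d[key]
    return d


def params_from_query(query: str) -> dict:
    """Turn '&component=foo&version=1.0&hash=sha256:...' into an override dict."""
    parsed = parse_qs(query.lstrip("&?"))
    overrides = {k: v[0] for k, v in parsed.items()
                 if k in ("component", "version", "supplier")}
    if "hash" in parsed:
        # Split the <hashalg>:<hash> form into its two parts.
        alg, _, digest = parsed["hash"][0].partition(":")
        overrides["identifier"] = {"type": alg, "value": digest}
    return overrides


def from_cyclonedx(bom: dict) -> dict:
    """CycloneDX 1.2-1.4 JSON: all five attributes are available in the document."""
    authors = _get(bom, "metadata", "authors") or []
    return {
        "component": _get(bom, "metadata", "component", "name"),
        "version": _get(bom, "metadata", "component", "version"),
        "author": authors[0].get("name") if authors else None,   # author[0]
        "supplier": _get(bom, "metadata", "component", "publisher"),
        "identifier": bom.get("serialNumber"),
    }


def from_spdx(doc: dict) -> dict:
    """SPDX 2.1/2.2 JSON: only the SBOM author is recoverable from the document."""
    creators = _get(doc, "creationInfo", "creators") or []
    # Creator entries are strings such as "Person: Jane Doe" or "Organization: Acme";
    # "Tool: ..." entries are ignored, matching the CreatorPersons/Organizations mapping.
    people = [c.split(":", 1)[1].strip() for c in creators
              if c.startswith(("Person:", "Organization:"))]
    return {"component": None, "version": None,
            "author": ", ".join(people) or None,
            "supplier": None, "identifier": None}


def extract_ntia(sbom_json: str, query: str = "") -> dict:
    """Merge document-derived attributes with URL-parameter values; list the gaps."""
    sbom = json.loads(sbom_json)
    if sbom.get("bomFormat") == "CycloneDX":
        attrs = from_cyclonedx(sbom)
    elif "spdxVersion" in sbom:
        attrs = from_spdx(sbom)
    else:
        raise ValueError("unrecognised SBOM format")
    for key, value in params_from_query(query).items():
        if attrs.get(key) is None:   # assumption: the document's value wins
            attrs[key] = value
    attrs["missing"] = [f for f in NTIA_FIELDS if attrs.get(f) is None]
    return attrs


# Constructed sample inputs for this example (not real SBOMs).
CDX_SAMPLE = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.4",
    "serialNumber": "urn:uuid:00000000-0000-4000-8000-000000000001",
    "metadata": {
        "authors": [{"name": "Example BOM Tool"}],
        "component": {"name": "example-app", "version": "2.1.0",
                      "publisher": "Example Corp"},
    },
})
SPDX_SAMPLE = json.dumps({
    "spdxVersion": "SPDX-2.2", "name": "example-app-2.1.0",
    "creationInfo": {"creators": ["Tool: example-spdx-tool",
                                  "Organization: Example Corp"]},
})

if __name__ == "__main__":
    print(extract_ntia(CDX_SAMPLE))
    print(extract_ntia(SPDX_SAMPLE))   # four fields reported as missing
    print(extract_ntia(SPDX_SAMPLE,
          "&component=example-app&version=2.1.0&supplier=Example%20Corp"
          "&hash=sha256:deadbeef"))
```

Running the SPDX sample without parameters shows the practical consequence of the table: the document alone yields only the author, so an upload that omits `component`, `version`, `supplier` and `hash` leaves four NTIA fields empty, which is worth checking for before treating the record as complete.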