SBOM & Supply Chain Integration
Link your Cryptographic Bill of Materials to your Software Bill of Materials using CycloneDX BOM-Link. Feed crypto data into existing supply chain security tools for complete transparency — from software dependencies to the cryptographic algorithms protecting them.

What It Does
The SBOM integration connects your cryptographic inventory to the broader software supply chain:
- Export CBOM as CycloneDX v1.6 — Industry-standard format for crypto bill of materials
- Generate BOM-Link URN — Unique identifier that links your SBOM to your CBOM
- Resolve links — Supply chain tools can follow the BOM-Link to access your crypto inventory
- Vendor transparency — Share crypto posture with customers and auditors via standard formats
How It Works
```text
┌──────────────┐      ┌──────────────┐      ┌──────────────────┐
│ Your SBOM    │─────▶│ BOM-Link     │─────▶│ Your CBOM        │
│ (Syft,       │      │ URN          │      │ (CycloneDX v1.6) │
│  Trivy)      │      │              │      │                  │
└──────────────┘      └──────────────┘      └──────────────────┘
```

- Export CBOM — Generate a CycloneDX v1.6 CBOM from the platform
- Generate BOM-Link — Call `/api/v1/bom-link/generate` to get a unique URN
- Add to SBOM — Insert the URN into your SBOM’s `externalReferences`
- Resolve — Any tool that supports BOM-Link can follow the URN to your CBOM
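The four steps carried out locally in code, as an added example rather than the platform's own implementation: `generate_bom_link` derives the same `urn:cdx:<uuid>/<version>` URN that the `/api/v1/bom-link/generate` endpoint returns, `add_bom_link` inserts it into the SBOM's `externalReferences` without creating duplicates, `find_bom_links` is what a consuming tool does to discover the link, and `resolve_bom_link` stands in for the resolve endpoint with a local lookup table and checks that the document it returns really carries the serial number and version named in the URN. The function names and the sample SBOM/CBOM dictionaries are constructed for this example; only the serial numbers are taken from this page.

```python
from __future__ import annotations

import copy
import re
import uuid

# BOM-Link URN as used on this page: urn:cdx:<serial UUID>/<version>, plus the
# optional "#<bom-ref>" fragment CycloneDX allows for pointing at one component.
BOM_LINK_RE = re.compile(
    r"^urn:cdx:(?P<uuid>[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})"
    r"/(?P<version>[1-9][0-9]*)(?:#(?P<ref>.+))?$"
)
SERIAL_PREFIX = "urn:uuid:"


def generate_bom_link(bom_serial: str, version: int) -> str:
    """Local equivalent of the generate endpoint: derive the URN from the CBOM's
    serialNumber and version (example helper, not the platform's API client)."""
    if not bom_serial.startswith(SERIAL_PREFIX):
        raise ValueError(f"serialNumber must start with {SERIAL_PREFIX!r}: {bom_serial}")
    bom_uuid = uuid.UUID(bom_serial[len(SERIAL_PREFIX):])  # rejects malformed UUIDs
    if version < 1:
        raise ValueError("BOM version must be a positive integer")
    return f"urn:cdx:{bom_uuid}/{version}"


def add_bom_link(sbom: dict, bom_link: str,
                 comment: str = "Cryptographic Bill of Materials (CBOM)") -> dict:
    """Return a copy of the SBOM with the link in externalReferences (idempotent)."""
    if not BOM_LINK_RE.match(bom_link):
        raise ValueError(f"not a BOM-Link URN: {bom_link}")
    out = copy.deepcopy(sbom)
    refs = out.setdefault("externalReferences", [])
    if not any(r.get("type") == "bom" and r.get("url") == bom_link for r in refs):
        refs.append({"type": "bom", "url": bom_link, "comment": comment})
    return out


def find_bom_links(sbom: dict) -> list[str]:
    """Every BOM-Link URN a consuming tool would follow from this SBOM."""
    return [r["url"] for r in sbom.get("externalReferences", [])
            if r.get("type") == "bom" and BOM_LINK_RE.match(str(r.get("url", "")))]


def resolve_bom_link(bom_link: str, registry: dict[str, dict]) -> dict:
    """Stand-in for the resolve endpoint (constructed). The serial/version check
    matters: a BOM-Link is only a string, so a resolver must confirm the document
    it hands back is the one the URN names, not merely something stored under it."""
    m = BOM_LINK_RE.match(bom_link)
    if not m:
        raise ValueError(f"not a BOM-Link URN: {bom_link}")
    cbom = registry.get(bom_link)
    if cbom is None:
        raise LookupError(f"no CBOM registered for {bom_link}")
    expected_serial = f"{SERIAL_PREFIX}{m['uuid']}"
    if cbom.get("serialNumber") != expected_serial or int(cbom.get("version", 0)) != int(m["version"]):
        raise ValueError("resolved document does not match the BOM-Link serial/version")
    return cbom


# Constructed sample documents (serial numbers taken from this page's examples).
SAMPLE_SBOM = {
    "bomFormat": "CycloneDX", "specVersion": "1.6",
    "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79", "version": 1,
    "components": [{"type": "library", "name": "example-lib", "version": "1.0.0"}],
}
SAMPLE_CBOM = {
    "bomFormat": "CycloneDX", "specVersion": "1.6",
    "serialNumber": "urn:uuid:f08a6ccd-4dce-4759-bd84-c626675d60a7", "version": 1,
    "components": [{"type": "cryptographic-asset", "name": "api.example.com TLS Certificate"}],
}


def link_and_verify() -> dict:
    """Run Export -> Generate -> Add -> Resolve end to end on the samples."""
    link = generate_bom_link(SAMPLE_CBOM["serialNumber"], SAMPLE_CBOM["version"])
    linked_sbom = add_bom_link(SAMPLE_SBOM, link)
    resolved = resolve_bom_link(find_bom_links(linked_sbom)[0], {link: SAMPLE_CBOM})
    return {"bom_link": link, "cbom_serial": resolved["serialNumber"]}


if __name__ == "__main__":
    print(link_and_verify())
```

The regex also accepts the `#bom-ref` fragment form of a BOM-Link so that a reference to a single component inside the CBOM is still recognised; the resolver's serial/version comparison is the check to keep when replacing the local registry with a real HTTP call.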
Generating a BOM-Link
API Call

```bash
curl -X POST https://cbom.company.com/api/v1/bom-link/generate \
  -H "Authorization: Bearer <api-key>" \
  -H "Content-Type: application/json" \
  -d '{
    "bom_serial": "urn:uuid:f08a6ccd-4dce-4759-bd84-c626675d60a7",
    "version": 1
  }'
```

Response

```json
{
  "bom_link": "urn:cdx:f08a6ccd-4dce-4759-bd84-c626675d60a7/1",
  "resolve_url": "https://cbom.company.com/api/v1/bom-link/resolve/urn:cdx:f08a6ccd-4dce-4759-bd84-c626675d60a7/1",
  "created_at": "2025-03-14T10:00:00Z"
}
```

Adding BOM-Link to Your SBOM
Add the generated URN to your SBOM’s externalReferences section:

```json
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.6",
  "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79",
  "version": 1,
  "components": [ ... ],
  "externalReferences": [
    {
      "type": "bom",
      "url": "urn:cdx:f08a6ccd-4dce-4759-bd84-c626675d60a7/1",
      "comment": "Cryptographic Bill of Materials (CBOM)"
    }
  ]
}
```

CycloneDX CBOM Export
The platform exports a full CycloneDX v1.6 CBOM including:
Crypto Components

```json
{
  "type": "cryptographic-asset",
  "name": "api.example.com TLS Certificate",
  "cryptoProperties": {
    "assetType": "certificate",
    "algorithmProperties": {
      "algorithm": "RSA",
      "keySize": 2048,
      "mode": null,
      "padding": "PKCS1v15"
    },
    "certificateProperties": {
      "subjectName": "CN=api.example.com",
      "issuerName": "CN=DigiCert Global G2",
      "notValidBefore": "2024-01-01T00:00:00Z",
      "notValidAfter": "2025-03-21T23:59:59Z",
      "signatureAlgorithm": "SHA256withRSA"
    }
  }
}
```

Quantum Risk Extensions
CBOM adds quantum risk metadata as properties:

```json
{
  "properties": [
    { "name": "cbom:quantum-risk", "value": "CRITICAL" },
    { "name": "cbom:pqc-recommendation", "value": "ML-KEM-768" },
    { "name": "cbom:nist-status", "value": "quantum-vulnerable" }
  ]
}
```

Compatible Tools
| Tool | Integration | Description |
|---|---|---|
| Dependency-Track | BOM-Link resolve | View linked CBOM from SBOM dashboard |
| GUAC | CycloneDX ingest | Graph-based supply chain analysis with crypto data |
| Grype | CycloneDX scan | Vulnerability scanning with crypto context |
| Syft | SBOM generation | Generate SBOM, link to CBOM via external references |
| OWASP Dependency-Check | CycloneDX output | Combine dependency and crypto analysis |
| Trivy | CycloneDX output | Container + crypto scanning |
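What a consuming tool does with the export described above, added here as an example and not code from the platform or from any tool in the table: it walks every `cryptographic-asset` component of a CycloneDX 1.6 CBOM, reads the `cbom:*` properties from the Quantum Risk Extensions, falls back to the algorithm name when an export carries no `cbom:quantum-risk` property, and flags certificates that are expired or close to expiry. The sample CBOM reuses the certificate component shown above; the second component, the `ML-DSA-65` recommendation value, the `related-crypto-material` asset and all function names are constructed for this example.

```python
from __future__ import annotations

from datetime import datetime, timezone

# Public-key families broken by Shor's algorithm; used only as a fallback when
# the export carries no cbom:quantum-risk property for a component.
QUANTUM_VULNERABLE_ALGORITHMS = {"RSA", "DSA", "ECDSA", "ECDH", "DH", "EdDSA", "Ed25519", "X25519"}


def get_property(component: dict, name: str) -> str | None:
    """Read a CycloneDX property value by name (first match), or None if absent."""
    for p in component.get("properties", []):
        if p.get("name") == name:
            return p.get("value")
    return None


def parse_utc(ts: str) -> datetime:
    """Parse the ISO-8601 'Z' timestamps used in certificateProperties."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00")).astimezone(timezone.utc)


def triage_asset(component: dict, now: datetime, expiry_warn_days: int = 30) -> dict:
    """Summarise one cryptographic-asset component and list actionable findings."""
    crypto = component.get("cryptoProperties", {})
    algo = crypto.get("algorithmProperties", {})
    cert = crypto.get("certificateProperties")
    risk = get_property(component, "cbom:quantum-risk")
    findings: list[str] = []
    if risk is None and algo.get("algorithm") in QUANTUM_VULNERABLE_ALGORITHMS:
        risk = "CRITICAL"  # extension absent: derive the rating from the algorithm
        findings.append("quantum-risk property missing, derived from algorithm")
    if risk in {"CRITICAL", "HIGH"}:
        rec = get_property(component, "cbom:pqc-recommendation") or "none given"
        findings.append(f"quantum-risk {risk}; PQC recommendation: {rec}")
    days_left = None
    if cert and cert.get("notValidAfter"):
        # truncate toward zero so "-10 days 1 second" reads as 10 days, not 11
        days_left = int((parse_utc(cert["notValidAfter"]) - now).total_seconds() / 86400)
        if days_left < 0:
            findings.append(f"certificate expired {-days_left} days ago")
        elif days_left <= expiry_warn_days:
            findings.append(f"certificate expires in {days_left} days")
    return {
        "name": component.get("name"),
        "assetType": crypto.get("assetType"),
        "algorithm": algo.get("algorithm"),
        "keySize": algo.get("keySize"),
        "quantum_risk": risk,
        "nist_status": get_property(component, "cbom:nist-status"),
        "expires_in_days": days_left,
        "findings": findings,
    }


def triage_cbom(cbom: dict, now: datetime, expiry_warn_days: int = 30) -> list[dict]:
    """Triage every cryptographic-asset component in a CycloneDX 1.6 CBOM export."""
    return [triage_asset(c, now, expiry_warn_days)
            for c in cbom.get("components", []) if c.get("type") == "cryptographic-asset"]


# Constructed sample export: the page's certificate component plus a symmetric key.
SAMPLE_CBOM = {
    "bomFormat": "CycloneDX", "specVersion": "1.6", "version": 1,
    "components": [
        {
            "type": "cryptographic-asset",
            "name": "api.example.com TLS Certificate",
            "cryptoProperties": {
                "assetType": "certificate",
                "algorithmProperties": {"algorithm": "RSA", "keySize": 2048, "mode": None, "padding": "PKCS1v15"},
                "certificateProperties": {
                    "subjectName": "CN=api.example.com",
                    "issuerName": "CN=DigiCert Global G2",
                    "notValidBefore": "2024-01-01T00:00:00Z",
                    "notValidAfter": "2025-03-21T23:59:59Z",
                    "signatureAlgorithm": "SHA256withRSA",
                },
            },
            "properties": [
                {"name": "cbom:quantum-risk", "value": "CRITICAL"},
                {"name": "cbom:pqc-recommendation", "value": "ML-DSA-65"},
                {"name": "cbom:nist-status", "value": "quantum-vulnerable"},
            ],
        },
        {
            "type": "cryptographic-asset",
            "name": "payments-db encryption key",
            "cryptoProperties": {
                "assetType": "related-crypto-material",
                "algorithmProperties": {"algorithm": "AES", "keySize": 256, "mode": "GCM"},
            },
            "properties": [{"name": "cbom:quantum-risk", "value": "LOW"}],
        },
    ],
}

if __name__ == "__main__":
    for row in triage_cbom(SAMPLE_CBOM, now=parse_utc("2025-03-14T10:00:00Z")):
        print(row["name"], row["quantum_risk"], row["findings"])
```

Run against the sample with the page's `created_at` timestamp as "now", the certificate component is reported as CRITICAL and expiring in 7 days, while the AES key produces no findings; the algorithm fallback is deliberately conservative so that a CBOM produced by a tool that does not emit the `cbom:*` extensions still surfaces its RSA and ECC material.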
Workflow: Complete Supply Chain Transparency
```text
┌─────────────┐  ┌─────────────┐  ┌─────────────┐
│ Source Code │  │ Container   │  │ Runtime     │
│ Scan (Syft) │  │ Scan        │  │ Scan        │
└──────┬──────┘  └──────┬──────┘  └──────┬──────┘
       │                │                │
       ▼                ▼                ▼
┌─────────────────────────────────────────────────────┐
│ SBOM                                                │
│ (software dependencies, licenses, vulnerabilities)  │
│                                                     │
│ externalReferences:                                 │
│   - type: bom                                       │
│     url: urn:cdx:f08a6ccd.../1 ──────────────┐      │
└──────────────────────────────────────────────┼──────┘
                                               │
                                               ▼
┌─────────────────────────────────────────────────────┐
│ CBOM                                                │
│ (certificates, keys, algorithms, quantum risk)      │
└─────────────────────────────────────────────────────┘
```

Use Cases
- Complete supply chain transparency — Auditors and customers see both software dependencies (SBOM) and cryptographic posture (CBOM) in one linked view
- Vendor risk assessment — Share your CBOM with customers who need to assess your crypto hygiene
- Regulatory compliance — Meet emerging requirements for cryptographic transparency (EO 14028, NIST)
- Automated toolchain — CI/CD generates SBOM + CBOM, links them, and publishes to Dependency-Track
Related
- Integrations Overview — All available integrations
- Import/Export — CycloneDX export options
- CI/CD Integration — Automate CBOM generation in pipelines
- API Reference — BOM-Link API endpoints