软件物料清单必要字段、实例参考.docx

附录A（资料性）软件物料清单必要字段软件物料清单必要字段如表A.1所示。表AJ软件物料清单必要字段元素名字段名字段描述字段类型软件信息softwaresoftWareName软件名称stringSoftwareVersion软件版本stringintegrityhashAlg杂凑算法stringHiessageDigest消息摘要string清单信息documentCormatName清单格式名称stringformatVersion格式版本stringSerialNumber清单标识stringtimestamp时间戳stringauthors创建者string组件信息componentsComponentId组件标识stringcomponentName组件名称stringComponcntVersion组件版本stringseifDeve1OpedProportion自研比例enum(ofstring)1IcenseName许可证名称arrayofstringintegrityhashAlg杂凑算法stringmessageDigest消息摘要string内部依赖信息dependenciesi(IentityAId依赖标识引用stringrelationship关系arrayofstringidentityBId被依赖标识引用string生命周期维护中断风险disruptionsdisruptionld中断标识stringUisruptionType中断类型stringaffectedbject影响对象string表A.1（续）元素名字段名字段描述字段类型生命周期维护中断风险disruptionsdescription风险描述stringdisposal处置情况booleanestimatedTime预计中断时间string签名信息integritySignatureFile签名文件stringHigitalCertificateFiIe数字证书文件string附录B(资料性)软件物料清单实例参考B.1软件信息JSON格式示例：a)定制化开发或商业采购软件：(“software”:“SoftwareName":"MyApp”,“SoftwareYersion":"1.2.0”,“integrity”:"hashAlg":"MD5",z，messageDigest，/：z/fc3aa394c8787e019eda27be38d65cdfzz),“supplier”:“supplierName":"supplierA”,supplerType:agent,area:China,“developer”:z,developerAz,)“IicenseName":"CommercialAgreementA”“authorizationTerm":"2024T171”)b)开源软件：(“software”:“softwareName":"UyApp”,“softwareVersion":"1.2.0",“integrity”:"hashAlg":"MD5","messageDigest":"fc3aa394c8787e019eda27be38d65cdf”),“acquisitionchannel”:z,openSourceCommunity'z,“IicenseName”:,Apache-2.O”)JSON格式示例：(“document”:"formatName":"SBOMDF”,“formatVersion":"1.0，"serialNumbcrzz:"urn:uuid:f47acl0b-58cc-4372-a567-0e02b2c3d479",lifecycle:commit,"timestamp":"2024-01-1010:00:00","authors”:*SBOMDFCreatorA*,z,createToolsz,:"AutomationToolv2.1”,z,downloadUrlz,:“https"B.3组件信息JSON格式示例：a)定制化开发或商业采购软件：“components”:("componentId":"lib-001”,“ComponentName":"1.ogging1.ibrary”,yzComponentVersionzr:25”,z,componentDescription:"1.ibraryforapplicationlogging.z,yzSelfDevelopedProportionz,:"none",“regidentifier":"cpe:/a:microsoft:SqlSerVer:6.5，"importance”:核心组件”，“security”:经过三方机构安全检测”，“supplier”:"zSupplierNamezr:"supplierA”,“supplierType":"integrator”,“Marea:China,“developer":"developerA”,)language:Java,“IicenseName":"CommercialAgreementB”,“downIoadUrl”:*https:/logcorp.COnI/1OgTib”,“homePgaeUrl”:z,https:/logcorp.COn,“completeness":"known”,integrity:"hashAlg":"MD5”,messageDigestz,:z,d41d8cd98f00b204e9800998ecf8427ez,),)b)开源软件：(components*:(“componentId":"lib-001”,componentName,“1.ogging1.ibrary",“componentversion":"25”,z,componentDescriptionz,:“1.ibraryforapplicationlogging.*,z,SelfDeveIopedProportion:"none",“regidentifier”:z,cpe:/a:microsoft:sq1_server:6.5”,z,importance*:"核心组件”，"security":"经过开源社区安全审查”，“acquisitionchannel":"openSourceCommunity”,language:Java,“IicenseName”:zzApache1.icense2.0”,downIoadUrlzr:*https:/logcorp.COm/1OgTib”,“homePgae":"https:/logcorp,com”,“completeness":"known”,“integrity”:"hashAlg":"MD5",“messageDigest":"d41d8cd98f00b204e9800998ecf8427e"),)B.4文件信息JSON格式示例：(“files":("fileld':"file-00,IileNanie:syslog.java,“fiIePath”:/src/com/myappsyslog.java”,zpurpose：实现软件日志信息生成的源代码文件”，“integrity”:"hashAlg：MD5”,“messageDigest":"03ac674216f3el5c761eela5e255f067”),B.5代码片段信息JSON格式示例：(4厂snippets:1.(“snippetld":"snippet-001”,“snippetFile":*/srccom/myapp/Main.java”,zbyteStartPointerz,:100,zbyteEndPointerz,:200,"IineStartPointer”:10,IineEndPointerz,:20,“snippetSource":"OpensourceprojectA”,“snippetUrl":"http:WWw.0penSourceCommunity.orgprojectA/homepage*,“IicenseName":"Apache1.icense2.0，integrity:"hashAlg":"MD5",“messageDigest”:z,a8a06469b6d584543e5619746e3d62cl4zz),)B.6内部依赖信息JSON格式示例：(“dependencies”:(*identityAId*:"lib-001”,“relationship":"dependsn”,“identityBId":"lib-002"),(*identityAId":"file-001，“relationship":"contains”,"identityBId":"snipPet-Oo1”),)B.7外部网络服务信息JSON格式示例：(”services:1.(“serviceld":"service-Oo1”,“serviceNam。”：AuthenticationService”,“substitutability”:false,“supplier”:z,supplierName:"paymentserviceprovider*,area:China,),“serviceUrl":"https:auth.servicecorp.COnlapi”,"serviceArea”:国内计算环境”，z,serviceProtocolz,:"http",“dataDescription”:包含电话、身份证、银行卡号等个人隐私信息”,)B.8基础环境信息JSoN格式示例：(“platform”:(“assetld”:,java-runtime*,“assetName”:,JavaRuntimeEnvironment*,“assetVersion":"v8.0",“substitutability”:false,“source":"https:java,com”,“supplier”:*supplierNamez,:“Javaprovider*,area:China,)JSON格式示例：(“dcvelopmcntTools”:("toolld":"tool-001，z,toolNamez,:"IDE”,“toolTypc”:代码编辑器，z,toolVcrsion:"v5.3","purpose":"编辑源代码”，),B.10网络服务接口信息JSON格式示例：(“interfaces”:("interfaced”:INT-00,“interfaceType":"Restful”,"description”:这是一个对外提供远程更新服务的外部接口,“necessity”:false,"requestMethod":"GET","interfaceAddress":"xhttp:/192.168.1.127apiupdate,z,“method":"update”),)B.11补丁信息JSON格式示例：(“patches”:("patchld":"patch-Oo1”,“patchName":"SecurityUpdate”,"reIeaseDate":"2023-03-15*,“originalId":"software.PatCh一vl.0，“patchAddress":"http:WWpany.Org/patch/download”,“perpose”:修复软件登录模块安全漏洞“，“palchSbo11:"patch.SBOMDF.jsonz,),)B.12许可证信息a)开源许可证：(licenses:1.(“IicenseId":"1.icense-OOl*,“IicenseName”:1.GP1.-3.0”,“downIoadUrl":"http:Www.apache,org/licenses/*,“content”:,Thislicensetextincludesawarrantydisclaimer.”,scope:Global,“patent”:有专利权”，,riskDescription":该协议为强传染性协议,)b)商业许可证：(“licenses”:(“IicenseId":"1.iCenSe-002”,“IicenseName”:Commercial1.icenseA”,“downIoadUrl”:http:Www.apache.Org/licenses/”,“licensor":"CompanyA”,licensee:CompanyB,"term":"2024-05-0z,“content":"Thislicensetextincludesawarrantydisclaimer.),)B.13安全漏洞“vulnerabilities”:“vulnerabilityId":"vul-001，"vulnerabilityName":"心脏滴血"，*affectedObject*:“lib-001”,“nu11ber”:“CVE-2014-0160”,"CNVD-2014-31337,z,“repairSituation":"codelevel”,）,B.14配置风险JSON格式示例：“configRisks”:（*configRiskId*:"con-001”,"configRiskName":“数据安全风险”，"ConfigRiSkItem：”数据库远程访问功能设置为开启”,“suggestion”:该配置可能导致数据泄露。”，*testingTool7z:"ToolA”,*relatedUrl*:"https:ConfigUratiOn.risk,com”）,）B.15生命周期维护中断风险（disruptionRisks*:（z,disruptionldz,:“Drp-001”,"disruptionType”:组件停止更新”，"affectedbject":"lib-003”,"description":"由于知识产权纠纷,该组件已停止更新”,"estimatedTime":"2023-06-1009:30:00，“diposal”:false,）"signature”:wSignatureFilew:rtValue.txtw<<digitalCertificateFile>,:wcertification.pemn,