Black Duck to CycloneDX field mapping

Field	Description
`bomFormat`	Specifies the format of the BOM. This helps to identify the file as CycloneDX since BOMs do not have a filename convention nor does JSON schema support namespaces.
`specVersion`	The version of the CycloneDX specification a BOM used for the report.
`serialNumber`	A string formatted by "urn:uuid:"+ a randomly generated UUID number.
`version`	The version allows component publishers/authors to make changes to existing BOMs to update various aspects of the document such as description or licenses. When a system is presented with multiple BOMs for the same component, the system should use the most recent version of the BOM. The default version is '1' and should be incremented for each version of the BOM that is published. Each version of a component should have a unique BOM and if no changes are made to the BOMs, then each BOM will have a version of '1'.
`metadata`	`timestamp`: The date and time (timestamp) when the document was created. `tools`: Describes the tool(s) used in the creation of the BOM, which includes the name of the vendor who created the tool, the name of the tool itself, and the version of the tool. `authors`: The name of the person(s) who created the BOM. May also contain the email address of the contact if present. `component`: The component that the BOM describes; the name of the component, the component version, the type of component, and a `bom-ref` which can be used to reference the component elsewhere in the BOM
`components`	`author`: The person(s) or organization(s) that authored the component. `supplier`: The organization that supplied the component. `name`: The name of the component. This will often be a shortened, single name of the component. If this field is missing in the SBOM import, the filename of the SBOM will be used as the scan name in place of the missing metadata. `version`: The component's version. If there is no version information, this field is set as "Unknown". `description`: Specifies a description for the component. `licenses`: A list of all licenses associated to the component. If the license is a valid SPDX license, it will be displayed in the `id` field. If the license's SPDX id is not available it will be displayed in the `name` field. `cpe`: Specifies a well-formed CPE name that conforms to the CPE 2.2 or 2.3 specification. `purl`: The component package URL. `pedigree`: The `notes` field lists the license display text. it is especially useful for complex license cases. The licenses section list all licenses objects in a flat list. By using this field, it can pass the complex license info. `externalReferences`: This section contains the component url, e.g. host/components/[component UUID]/versions/[component version id]. `type`: Specifies the type of component. `bom-ref`: An optional identifier which can be used to reference the component elsewhere in the BOM. Every `bom-ref` should be unique.
`dependencies`	Defines the direct dependencies of a component. `ref`: References a component by the components `bom-ref` attribute `dependsOn`: The parent's identifier, either entity version UUID or enitity UUID if the version UUID is unavailable.
`vulnerabilities` (v1.4 only)	`id`: The identification for the specific vulnerability. Will be either CVE or BDSA depending on your current security risk ranking. `source`: The source of the vulnerability information. As above, the `name` will be either NVD or BDSA depending on your current security risk ranking. `ratings`: As above, the `source` and `name` will be either NVD or BDSA depending on your current security risk ranking. The `score` and `severity` will display the security risk as rated by NVD or BDSA. `description`: The description of the vulnerability from NVD or BDSA.

Field

Description

bomFormat

Specifies the format of the BOM. This helps to identify the file as CycloneDX since BOMs do not have a filename convention nor does JSON schema support namespaces.

specVersion

The version of the CycloneDX specification a BOM used for the report.

serialNumber

A string formatted by "urn:uuid:"+ a randomly generated UUID number.

version

The version allows component publishers/authors to make changes to existing BOMs to update various aspects of the document such as description or licenses. When a system is presented with multiple BOMs for the same component, the system should use the most recent version of the BOM. The default version is '1' and should be incremented for each version of the BOM that is published. Each version of a component should have a unique BOM and if no changes are made to the BOMs, then each BOM will have a version of '1'.

metadata

timestamp: The date and time (timestamp) when the document was created.

tools: Describes the tool(s) used in the creation of the BOM, which includes the name of the vendor who created the tool, the name of the tool itself, and the version of the tool.

authors: The name of the person(s) who created the BOM. May also contain the email address of the contact if present.

component: The component that the BOM describes; the name of the component, the component version, the type of component, and a bom-ref which can be used to reference the component elsewhere in the BOM

components

author: The person(s) or organization(s) that authored the component.

supplier: The organization that supplied the component.

name: The name of the component. This will often be a shortened, single name of the component. If this field is missing in the SBOM import, the filename of the SBOM will be used as the scan name in place of the missing metadata.

version: The component's version. If there is no version information, this field is set as "Unknown".

description: Specifies a description for the component.

licenses: A list of all licenses associated to the component. If the license is a valid SPDX license, it will be displayed in the id field. If the license's SPDX id is not available it will be displayed in the name field.

cpe: Specifies a well-formed CPE name that conforms to the CPE 2.2 or 2.3 specification.

purl: The component package URL.

pedigree: The notes field lists the license display text. it is especially useful for complex license cases. The licenses section list all licenses objects in a flat list. By using this field, it can pass the complex license info.

externalReferences: This section contains the component url, e.g. host/components/[component UUID]/versions/[component version id].

type: Specifies the type of component.

bom-ref: An optional identifier which can be used to reference the component elsewhere in the BOM. Every bom-ref should be unique.

dependencies

Defines the direct dependencies of a component.

ref: References a component by the components bom-ref attribute

dependsOn: The parent's identifier, either entity version UUID or enitity UUID if the version UUID is unavailable.

vulnerabilities (v1.4 only)

id: The identification for the specific vulnerability. Will be either CVE or BDSA depending on your current security risk ranking.

source: The source of the vulnerability information. As above, the name will be either NVD or BDSA depending on your current security risk ranking.

ratings: As above, the source and name will be either NVD or BDSA depending on your current security risk ranking. The score and severity will display the security risk as rated by NVD or BDSA.

description: The description of the vulnerability from NVD or BDSA.