This page maps SBOM properties to their specific field paths in CycloneDX, SPDX 2.3, and SPDX 3.0.
Note: The CISA Framing document’s published crosswalk table references CycloneDX v1.6. This page uses CycloneDX 1.7 schema paths, which are largely compatible but include some updates (e.g., the tools object structure).
Document-Level Metadata
| Property | CycloneDX 1.7 | SPDX 2.3 | SPDX 3.0 |
|---|---|---|---|
| SBOM Author | metadata.authors[] | creationInfo.creators[] | creationInfo.createdBy |
| Timestamp | metadata.timestamp | creationInfo.created | creationInfo.created |
| Tool Name/Version | metadata.tools.components[] and/or metadata.tools.services[] | creationInfo.creators[] (tool identifier) | creationInfo.createdUsing |
| Generation Context | metadata.lifecycles[].phase | CreatorComment or DocumentComment | Profile-dependent properties |
Notes:
- The CISA Framing crosswalk maps “SBOM Author Name” to `metadata.authors` (CycloneDX v1.6). CycloneDX 1.7 additionally provides `metadata.manufacturer` for organizational authorship if needed.
- In CycloneDX 1.7, `metadata.tools` is an object containing `components` and/or `services` arrays. The legacy array format is deprecated.
- The `metadata.lifecycles[].phase` field captures the stage(s) in which data in the BOM was captured (design, pre-build, build, post-build, operations, discovery, decommission).
- Generation Context (per CISA 2025) includes both the SDLC phase and context about “how and where” the SBOM was generated. For complete representation, you may also use `metadata.tools` (to express tooling) and `metadata.properties[]` (for additional context).
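As an added example (not code from the original page or from the CycloneDX/SPDX projects), the following Python check applies the Document-Level Metadata rows above to a CycloneDX JSON BOM: it reads `metadata.tools` in both the 1.7 object form and the deprecated array form, flags the latter, and validates `metadata.lifecycles[].phase` against the enumeration listed. The sample BOMs, team name and tool names are constructed.

```python
import json
# Lifecycle phases enumerated in the notes above (CycloneDX 1.7 metadata.lifecycles[].phase).
LIFECYCLE_PHASES = {"design", "pre-build", "build", "post-build",
                    "operations", "discovery", "decommission"}

def extract_tools(metadata: dict):
    """Return (list of 'name version' strings, legacy_format_used). CycloneDX 1.7
    models metadata.tools as an object with `components`/`services` arrays; the
    deprecated bare-array form still appears in older BOMs, so both are read."""
    tools = metadata.get("tools", {})
    if isinstance(tools, list):  # deprecated array form
        entries, legacy = tools, True
    else:
        entries = tools.get("components", []) + tools.get("services", [])
        legacy = False
    return [f"{t.get('name', '?')} {t.get('version', '')}".strip() for t in entries], legacy

def check_document_metadata(bom_json: str) -> dict:
    """Check the Document-Level Metadata rows of the crosswalk against a CycloneDX JSON BOM."""
    md = json.loads(bom_json).get("metadata", {})
    tools, legacy = extract_tools(md)
    phases = [lc["phase"] for lc in md.get("lifecycles", []) if "phase" in lc]
    findings = []
    if not md.get("authors") and not md.get("manufacturer"):
        findings.append("missing SBOM Author (metadata.authors[] / metadata.manufacturer)")
    if not md.get("timestamp"):
        findings.append("missing Timestamp (metadata.timestamp)")
    if not tools:
        findings.append("missing Tool Name/Version (metadata.tools.components[]/services[])")
    elif legacy:
        findings.append("metadata.tools uses the deprecated array form; migrate to the 1.7 object")
    if not phases:
        findings.append("no Generation Context (metadata.lifecycles[].phase)")
    findings += [f"unknown lifecycle phase {p!r}" for p in phases if p not in LIFECYCLE_PHASES]
    return {"authors": [a.get("name") for a in md.get("authors", [])], "timestamp": md.get("timestamp"),
            "tools": tools, "phases": phases, "findings": findings}

# Constructed sample BOMs (not real SBOMs): one in 1.7 form, one with the legacy tools array.
SAMPLE_17 = json.dumps({"bomFormat": "CycloneDX", "specVersion": "1.7", "metadata": {
    "timestamp": "2025-01-15T10:00:00Z", "authors": [{"name": "Example AppSec Team"}],
    "tools": {"components": [{"type": "application", "name": "example-sbom-gen", "version": "2.1.0"}]},
    "lifecycles": [{"phase": "build"}]}})
SAMPLE_LEGACY = json.dumps({"bomFormat": "CycloneDX", "specVersion": "1.4", "metadata": {
    "timestamp": "2025-01-15T10:00:00Z", "tools": [{"name": "old-tool", "version": "0.9"}],
    "lifecycles": [{"phase": "runtime"}]}})

if __name__ == "__main__":
    for label, doc in (("1.7", SAMPLE_17), ("legacy", SAMPLE_LEGACY)):
        print(label, check_document_metadata(doc))
```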
Component Identification
| Property | CycloneDX 1.7 | SPDX 2.3 | SPDX 3.0 |
|---|---|---|---|
| Supplier Name | components[].supplier.name | packages[].supplier | Organization agent linked to element |
| Component Name | components[].name | packages[].name | Element name field |
| Component Version | components[].version | packages[].versionInfo | Element version field |
| Package URL (purl) | components[].purl | packages[].externalRefs[] | External identifier support |
| CPE | components[].cpe | packages[].externalRefs[] | External identifier support |
| Component Hash | components[].hashes[] | packages[].checksums[] | Verification/checksum properties |
Relationships
| Property | CycloneDX 1.7 | SPDX 2.3 | SPDX 3.0 |
|---|---|---|---|
| Dependency Relationship | dependencies[].ref + dependencies[].dependsOn[] | relationships[] (DEPENDS_ON) | Relationships between elements |
Legal & Security
| Property | CycloneDX 1.7 | SPDX 2.3 | SPDX 3.0 |
|---|---|---|---|
| License | components[].licenses[] | packages[].licenseDeclared / packages[].licenseConcluded | Rich licensing model (profile-dependent) |
Lifecycle Properties (FDA/CLE)
| Property | CycloneDX 1.7 | SPDX 2.3 | SPDX 3.0 |
|---|---|---|---|
| Support Level | components[].properties[] | annotations or externalRefs | Extension/property modeling |
| End-of-Support Date | components[].properties[] | packages[].validUntilDate | Extension/property modeling |
Note: SPDX 2.3’s validUntilDate field is defined as the “end of support period for the package from the supplier,” making it the most appropriate mapping for FDA’s end-of-support date requirement.
Related Pages
- CLE: Common Lifecycle Enumeration - Standard for machine-readable lifecycle events
- CISA Framing Document - Authoritative source for baseline attribute definitions
- NTIA Minimum Elements - US baseline for SBOM data fields
Disclaimer: This page represents our interpretation of the referenced frameworks and standards. While we strive for accuracy, we may have made errors or omissions. This content is provided for informational purposes only and does not constitute legal advice. For compliance decisions, consult the official source documents and seek qualified legal counsel.