git.stella-ops.org/docs/modules/scanner/fixtures/cdx17-cbom/sample-cdx17-cbom.json

{
  "bomFormat": "CycloneDX",
  "specVersion": "1.7",
  "serialNumber": "urn:uuid:00000000-0000-4000-8000-000000000001",
  "version": 1,
  "metadata": {
    "timestamp": "2025-01-01T00:00:00Z",
    "component": {
      "type": "application",
      "name": "demo-app",
      "version": "1.0.0",
      "purl": "pkg:demo/demo-app@1.0.0",
      "hashes": [
        { "alg": "SHA-256", "content": "1111111111111111111111111111111111111111111111111111111111111111" }
      ],
      "evidence": {
        "properties": [
          { "name": "evidence:source", "value": "fixture" },
          { "name": "evidence:hash", "value": "blake3:fixture-demo-app" }
        ]
      }
    },
    "properties": [
      { "name": "source.repo", "value": "https://example.invalid/demo" },
      { "name": "source.ref", "value": "refs/tags/v1.0.0" },
      { "name": "build.id", "value": "build-123" },
      { "name": "build.invocation.hash", "value": "blake3:deadbeef" },
      { "name": "provenance.dsse", "value": "sha256:2222222222222222222222222222222222222222222222222222222222222222" }
    ],
    "tools": [
      { "vendor": "stellaops", "name": "scanner", "version": "0.0.0-fixture" }
    ]
  },
  "services": [
    {
      "name": "api",
      "properties": [
        { "name": "cbom:ingress", "value": "https" },
        { "name": "cbom:egress", "value": "postgres" }
      ]
    }
  ],
  "components": [
    {
      "type": "library",
      "name": "lib-a",
      "version": "1.2.3",
      "purl": "pkg:demo/lib-a@1.2.3",
      "hashes": [ { "alg": "SHA-256", "content": "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" } ]
    },
    {
      "type": "library",
      "name": "lib-b",
      "version": "2.0.0",
      "purl": "pkg:demo/lib-b@2.0.0",
      "hashes": [ { "alg": "SHA-256", "content": "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb" } ]
    }
  ],
  "vulnerabilities": [
    {
      "id": "CVE-0000-0001",
      "source": { "name": "NVD" },
      "ratings": [
        {
          "source": { "name": "NVD" },
          "method": "CVSSv4",
          "score": 8.0,
          "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"
        },
        {
          "source": { "name": "NVD" },
          "method": "CVSSv3.1",
          "score": 7.5,
          "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
        }
      ],
      "properties": [
        { "name": "evidence:source", "value": "fixture" },
        { "name": "evidence:proof-id", "value": "proof-123" },
        { "name": "evidence:hash", "value": "sha256:3333333333333333333333333333333333333333333333333333333333333333" }
      ]
    }
  ]
}