CycloneDX 2.0 should support a slot in a BOM that can be filled by one of several alternates, by all of a group taken together, or by an optionally populated part. This is a hard requirement for physical device manufacturing.
Why
BOMs for physical goods routinely express things software BOMs do not: approved alternates from multiple manufacturers, dual sourcing for supply chain resilience, last time buy substitutions, and build variants. None of these can be expressed faithfully today.
Proposed shape
A new component-choice wrapper carries an operator and a list of alternates.
{
"$schema": "http://cyclonedx.org/schema/2.0/",
"specFormat": "CycloneDX",
"specVersion": "2.0",
"serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79",
"version": 1,
"metadata": {
"component": {
"bom-ref": "acme-product-rev-1",
"type": "device",
"name": "Acme Product",
"version": "Revision 1"
}
},
"components": [
{
"type": "device",
"name": "Power Management Board"
},
{
"type": "component-choice",
"name": "2N2222 or PN2222A Transistor",
"operator": "XOR",
"components": [
{
"type": "device",
"name": "NPN Transistor 2N2222",
"supplier": { "name": "Company A" },
"part-number": "2N2222A"
},
{
"type": "device",
"name": "NPN Transistor 2N2222",
"supplier": { "name": "Company B" },
"part-number": "2N2222A"
},
{
"type": "device",
"name": "NPN Transistor PN2222A",
"supplier": { "name": "Company C" },
"part-number": "PN2222A"
}
]
}
]
}Operators
| Operator |
Meaning |
OR |
Any non empty subset may be installed. |
XOR |
Exactly one is installed per instance. |
AND |
All members installed together as a group. |
Schema sketch
"component-choice": {
"type": "object",
"title": "Component Choice",
"description": "A wrapper that expresses a conditional or alternate relationship between two or more components. Use to model approved alternates, multi sourced parts, build variants, optional populations, and required component groups in physical device BOMs.",
"required": ["operator", "components"],
"additionalProperties": false,
"properties": {
"bom-ref": { "$ref": "#/$defs/refType" },
"name": { "type": "string", "title": "Name", "description": "Display name for the choice slot. Typically corresponds to a reference designator or design intent name." },
"description": { "type": "string", "title": "Description" },
"operator": {
"type": "string",
"title": "Operator",
"enum": ["OR", "XOR", "AND"],
"meta:enum": {
"OR": "Any non-empty subset of the contained components may be installed.",
"XOR": "Exactly one of the contained components is installed per instance.",
"AND": "All of the contained components are installed together as a group."
}
},
"components": {
"type": "array",
"title": "Components",
"minItems": 1,
"items": { "$ref": "#/$defs/component" }
}
}
}component-choice would be permitted in any field that already accepts an array of component, including the top level components array and the nested component.components array.
CycloneDX 2.0 should support a slot in a BOM that can be filled by one of several alternates, by all of a group taken together, or by an optionally populated part. This is a hard requirement for physical device manufacturing.
Why
BOMs for physical goods routinely express things software BOMs do not: approved alternates from multiple manufacturers, dual sourcing for supply chain resilience, last time buy substitutions, and build variants. None of these can be expressed faithfully today.
Proposed shape
A new
component-choicewrapper carries anoperatorand a list of alternates.{ "$schema": "http://cyclonedx.org/schema/2.0/", "specFormat": "CycloneDX", "specVersion": "2.0", "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79", "version": 1, "metadata": { "component": { "bom-ref": "acme-product-rev-1", "type": "device", "name": "Acme Product", "version": "Revision 1" } }, "components": [ { "type": "device", "name": "Power Management Board" }, { "type": "component-choice", "name": "2N2222 or PN2222A Transistor", "operator": "XOR", "components": [ { "type": "device", "name": "NPN Transistor 2N2222", "supplier": { "name": "Company A" }, "part-number": "2N2222A" }, { "type": "device", "name": "NPN Transistor 2N2222", "supplier": { "name": "Company B" }, "part-number": "2N2222A" }, { "type": "device", "name": "NPN Transistor PN2222A", "supplier": { "name": "Company C" }, "part-number": "PN2222A" } ] } ] }Operators
ORXORANDSchema sketch
component-choicewould be permitted in any field that already accepts an array ofcomponent, including the top levelcomponentsarray and the nestedcomponent.componentsarray.