SBOM Examples
Download example SBOM, VEX, and VDR documents in standardized formats
These compact examples follow the content requirements outlined in this documentation and demonstrate different real-world use cases. Each document is a complete, valid JSON file that shows how to structure metadata, components, dependencies, and vulnerability information according to industry standards.
The examples include a healthcare application scenario with proper supplier identification, patched dependencies, vendor-provided components, and redacted firmware — illustrating how to handle common transparency challenges in production environments. While production SBOMs typically contain many more components, these examples focus on demonstrating key patterns and requirements in a readable format.
Download Examples
CycloneDX SBOM
Complete CycloneDX 1.6 SBOM showing metadata, components, dependencies, compositions, and build tools
SPDX SBOM
Complete SPDX 2.3 SBOM demonstrating packages, files, relationships, and annotations
CSAF VEX
CSAF 2.0 VEX document showing vulnerability status communication and product relationships
What's Inside
Each example demonstrates:
- Required metadata — unique identifiers, timestamps, supplier information, and tool documentation
- Component inventory — properly identified components with PURLs, hashes, and licenses
- Dependency relationships — both direct and transitive dependencies structured as hierarchies
- Advanced scenarios — patched components, vendor-provided SBOMs, incomplete assemblies, and redacted information
- Vulnerability handling (VEX only) — vulnerability status, impact analysis, and remediation guidance