CycloneDX · jkowalleck · Jul 22, 2025
@@ -33,6 +33,9 @@
 if TYPE_CHECKING:  # pragma: no cover
     from ..model.bom import Bom
     from ..model.bom_ref import BomRef
+    from ..model.contact import OrganizationalContact, OrganizationalEntity, PostalAddress
+    from ..model.definition import Level, Requirement, Standard
+    from ..model.license import License
     from .json import Json as JsonOutputter
     from .xml import Xml as XmlOutputter
 
@@ -170,8 +173,47 @@ def _make_unique(self) -> str:
 
     @classmethod
     def from_bom(cls, bom: 'Bom', prefix: str = 'BomRef') -> 'BomRefDiscriminator':
-        return cls(chain(
-            map(lambda c: c.bom_ref, bom._get_all_components()),
-            map(lambda s: s.bom_ref, bom.services),
-            map(lambda v: v.bom_ref, bom.vulnerabilities)
-        ), prefix)
+        """
+        Create an instance containing EVERY ``bom-ref`` in the bom.
+        """
+
+        components = tuple(bom._get_all_components())
+        services = tuple(bom.services)
+        vulnerabilities = tuple(bom.vulnerabilities)
+        orgs: tuple['OrganizationalEntity', ...] = tuple(filter(lambda o: o is not None, chain(  # type:ignore[arg-type]
+            (bom.metadata.manufacture, bom.metadata.manufacturer, bom.metadata.supplier),
+            chain.from_iterable((c.manufacturer, c.supplier,) for c in components),
+            (s.provider for s in services),
+            chain.from_iterable(v.credits.organizations for v in vulnerabilities if v.credits),
+        )))
+        contacts: Iterable['OrganizationalContact'] = chain(
+            bom.metadata.authors,
+            chain.from_iterable(c.authors for c in components),
+            chain.from_iterable(v.credits.individuals for v in vulnerabilities if v.credits),
+            chain.from_iterable(o.contacts for o in orgs),
+        )
+        addresses: Iterable['PostalAddress'] = (o.address for o in orgs if o.address is not None)
+        licenses: Iterable['License'] = chain(
+            bom.metadata.licenses,
+            chain.from_iterable(c.licenses for c in components),
+            chain.from_iterable(c.evidence.licenses for c in components if c.evidence is not None),
+            chain.from_iterable(s.licenses for s in services),
+        )
+        standards: tuple['Standard', ...] = () \
+            if bom.definitions is None \
+            else tuple(bom.definitions.standards)
+        requirements: Iterable['Requirement'] = chain.from_iterable(s.requirements for s in standards)
+        levels: Iterable['Level'] = chain.from_iterable(s.levels for s in standards)
+        relevant_bom_refs: Iterable['BomRef'] = (i.bom_ref for i in chain(
+            components,
+            services,
+            vulnerabilities,
+            orgs,
+            contacts,
+            addresses,
+            licenses,
+            standards,
+            requirements,
+            levels,
+        ))
+        return cls(relevant_bom_refs, prefix)
@@ -5,6 +5,7 @@
       "licenses": [
         {
           "license": {
+            "bom-ref": "dummy_license",
             "name": "att.encoding: BASE_64",
             "text": {
               "content": "att.encoding: BASE_64",

@@ -7,7 +7,7 @@
     <component type="library" bom-ref="dummy">
       <name>dummy</name>
       <licenses>
-        <license>
+        <license bom-ref="dummy_license">
           <name>att.encoding: BASE_64</name>
           <text content-type="text/plain" encoding="base64">att.encoding: BASE_64</text>
         </license>

@@ -5,6 +5,7 @@
       "licenses": [
         {
           "license": {
+            "bom-ref": "dummy_license",
             "name": "att.encoding: BASE_64",
             "text": {
               "content": "att.encoding: BASE_64",

@@ -7,7 +7,7 @@
     <component type="library" bom-ref="dummy">
       <name>dummy</name>
       <licenses>
-        <license>
+        <license bom-ref="dummy_license">
           <name>att.encoding: BASE_64</name>
           <text content-type="text/plain" encoding="base64">att.encoding: BASE_64</text>
         </license>

@@ -7,11 +7,13 @@
   "metadata": {
     "authors": [
       {
+        "bom-ref": "OrganizationalContact_ano_bom_authors",
         "email": "[email protected]",
         "name": "A N Other",
         "phone": "+44 (0)1234 567890"
       },
       {
+        "bom-ref": "OrganizationalContact_ph_bom_authors",
         "email": "[email protected]",
         "name": "Paul Horton"
       }
@@ -26,6 +28,7 @@
           "licenses": [
             {
               "license": {
+                "bom-ref": "pkg:pypi/[email protected]?extension=tar.gz_license",
                 "id": "MIT"
               }
             }
@@ -91,6 +94,7 @@
       "licenses": [
         {
           "license": {
+            "bom-ref": "my-specific-bom-ref-for-dings_license",
             "id": "MIT"
           }
         }
@@ -104,6 +108,7 @@
             "licenses": [
               {
                 "license": {
+                  "bom-ref": "ccc8d7ee-4b9c-4750-aee0-a72585152291_license",
                   "id": "MIT"
                 }
               }
@@ -119,6 +124,7 @@
             "licenses": [
               {
                 "license": {
+                  "bom-ref": "8a3893b3-9923-4adb-a1d3-47456636ba0a_license",
                   "id": "MIT"
                 }
               }
@@ -141,6 +147,7 @@
             "licenses": [
               {
                 "license": {
+                  "bom-ref": "28b2d8ce-def0-446f-a221-58dee0b44acc_license",
                   "id": "MIT"
                 }
               }
@@ -197,6 +204,7 @@
             "licenses": [
               {
                 "license": {
+                  "bom-ref": "ded1d73e-1fca-4302-b520-f1bc53979958_license",
                   "id": "MIT"
                 }
               }
@@ -307,13 +315,16 @@
       },
       "scope": "required",
       "supplier": {
+        "bom-ref": "OrganizationalEntity_cdx_my-specific-bom-ref-for-dings",
         "contact": [
           {
+            "bom-ref": "OrganizationalContact_ano_my-specific-bom-ref-for-dings",
             "email": "[email protected]",
             "name": "A N Other",
             "phone": "+44 (0)1234 567890"
           },
           {
+            "bom-ref": "OrganizationalContact_ph_my-specific-bom-ref-for-dings",
             "email": "[email protected]",
             "name": "Paul Horton"
           }
@@ -340,6 +351,7 @@
     "licenses": [
       {
         "license": {
+          "bom-ref": "bom_license",
           "id": "Apache-2.0",
           "text": {
             "content": "VGVzdCBjb250ZW50IC0gdGhpcyBpcyBub3QgdGhlIEFwYWNoZSAyLjAgbGljZW5zZSE=",
@@ -356,13 +368,16 @@
       }
     ],
     "manufacture": {
+      "bom-ref": "OrganizationalEntity_cdx_bom_manufacture",
       "contact": [
         {
+          "bom-ref": "OrganizationalContact_ano_bom_manufacture",
           "email": "[email protected]",
           "name": "A N Other",
           "phone": "+44 (0)1234 567890"
         },
         {
+          "bom-ref": "OrganizationalContact_ph_bom_manufacture",
           "email": "[email protected]",
           "name": "Paul Horton"
         }
@@ -384,8 +399,10 @@
       }
     ],
     "supplier": {
+      "bom-ref": "OrganizationalEntity_cd_x_bom_supplier",
       "contact": [
         {
+          "bom-ref": "OrganizationalContact_ano_bom_supplier",
           "email": "[email protected]",
           "name": "A N Other",
           "phone": "+44 (0)1234 567890"

@@ -8,27 +8,27 @@
       </lifecycle>
     </lifecycles>
     <authors>
-      <author>
+      <author bom-ref="OrganizationalContact_ano_bom_authors">
         <name>A N Other</name>
         <email>[email protected]</email>
         <phone>+44 (0)1234 567890</phone>
       </author>
-      <author>
+      <author bom-ref="OrganizationalContact_ph_bom_authors">
         <name>Paul Horton</name>
         <email>[email protected]</email>
       </author>
     </authors>
     <component type="library" bom-ref="my-specific-bom-ref-for-dings">
-      <supplier>
+      <supplier bom-ref="OrganizationalEntity_cdx_my-specific-bom-ref-for-dings">
         <name>CycloneDX</name>
         <url>https://cyclonedx.org</url>
         <url>https://cyclonedx.org/docs</url>
-        <contact>
+        <contact bom-ref="OrganizationalContact_ano_my-specific-bom-ref-for-dings">
           <name>A N Other</name>
           <email>[email protected]</email>
           <phone>+44 (0)1234 567890</phone>
         </contact>
-        <contact>
+        <contact bom-ref="OrganizationalContact_ph_my-specific-bom-ref-for-dings">
           <name>Paul Horton</name>
           <email>[email protected]</email>
         </contact>
@@ -40,7 +40,7 @@
       <description>This component is awesome</description>
       <scope>required</scope>
       <licenses>
-        <license>
+        <license bom-ref="my-specific-bom-ref-for-dings_license">
           <id>MIT</id>
         </license>
       </licenses>
@@ -57,7 +57,7 @@
             <name>setuptools</name>
             <version>50.3.2</version>
             <licenses>
-              <license>
+              <license bom-ref="ccc8d7ee-4b9c-4750-aee0-a72585152291_license">
                 <id>MIT</id>
               </license>
             </licenses>
@@ -67,7 +67,7 @@
             <author>Test Author</author>
             <name>setuptools</name>
             <licenses>
-              <license>
+              <license bom-ref="8a3893b3-9923-4adb-a1d3-47456636ba0a_license">
                 <id>MIT</id>
               </license>
             </licenses>
@@ -79,7 +79,7 @@
             <author>Test Author</author>
             <name>setuptools</name>
             <licenses>
-              <license>
+              <license bom-ref="28b2d8ce-def0-446f-a221-58dee0b44acc_license">
                 <id>MIT</id>
               </license>
             </licenses>
@@ -109,7 +109,7 @@
             <name>setuptools</name>
             <version>50.3.2</version>
             <licenses>
-              <license>
+              <license bom-ref="ded1d73e-1fca-4302-b520-f1bc53979958_license">
                 <id>MIT</id>
               </license>
             </licenses>
@@ -168,7 +168,7 @@
           <name>setuptools</name>
           <version>50.3.2</version>
           <licenses>
-            <license>
+            <license bom-ref="pkg:pypi/[email protected]?extension=tar.gz_license">
               <id>MIT</id>
             </license>
           </licenses>
@@ -243,31 +243,31 @@
         </properties>
       </releaseNotes>
     </component>
-    <manufacture>
+    <manufacture bom-ref="OrganizationalEntity_cdx_bom_manufacture">
       <name>CycloneDX</name>
       <url>https://cyclonedx.org</url>
       <url>https://cyclonedx.org/docs</url>
-      <contact>
+      <contact bom-ref="OrganizationalContact_ano_bom_manufacture">
         <name>A N Other</name>
         <email>[email protected]</email>
         <phone>+44 (0)1234 567890</phone>
       </contact>
-      <contact>
+      <contact bom-ref="OrganizationalContact_ph_bom_manufacture">
         <name>Paul Horton</name>
         <email>[email protected]</email>
       </contact>
     </manufacture>
-    <supplier>
+    <supplier bom-ref="OrganizationalEntity_cd_x_bom_supplier">
       <name>Cyclone DX</name>
       <url>https://cyclonedx.org/</url>
-      <contact>
+      <contact bom-ref="OrganizationalContact_ano_bom_supplier">
         <name>A N Other</name>
         <email>[email protected]</email>
         <phone>+44 (0)1234 567890</phone>
       </contact>
     </supplier>
     <licenses>
-      <license>
+      <license bom-ref="bom_license">
         <id>Apache-2.0</id>
         <text content-type="text/plain" encoding="base64">VGVzdCBjb250ZW50IC0gdGhpcyBpcyBub3QgdGhlIEFwYWNoZSAyLjAgbGljZW5zZSE=</text>
         <url>https://www.apache.org/licenses/LICENSE-2.0.txt</url>