NAME
SBOM::CycloneDX::Enum::ExternalReferenceType - External Reference Type
SYNOPSIS
    use SBOM::CycloneDX::Enum qw(EXTERNAL_REFERENCE_TYPE);
    say EXTERNAL_REFERENCE_TYPE->ISSUE_TRACKER;

    use SBOM::CycloneDX::Enum::ExternalReferenceType;
    say SBOM::CycloneDX::Enum::ExternalReferenceType->DOCUMENTATION;

    use SBOM::CycloneDX::Enum::ExternalReferenceType qw(:all);
    say ADVISORIES;
DESCRIPTION
SBOM::CycloneDX::Enum::ExternalReferenceType is an ENUM package used by SBOM::CycloneDX::ExternalReference.
It specifies the type of an external reference.
CONSTANTS
VCS, Version Control System
ISSUE_TRACKER, Issue or defect tracking system, or an Application Lifecycle Management (ALM) system
WEBSITE, Website
ADVISORIES, Security advisories
BOM, Bill of Materials (SBOM, OBOM, HBOM, SaaSBOM, etc.)
MAILING_LIST, Mailing list or discussion group
SOCIAL, Social media account
CHAT, Real-time chat platform
DOCUMENTATION, Documentation, guides, or how-to instructions
SUPPORT, Community or commercial support
SOURCE_DISTRIBUTION, The location where the source code distributable can be obtained. This is often an archive format such as zip or tgz. The source-distribution type complements use of the version control (vcs) type.
DISTRIBUTION, Direct or repository download location
DISTRIBUTION_INTAKE, The location where a component was published to. This is often the same as "distribution" but may also include specialized publishing processes that act as an intermediary.
LICENSE, The reference to the license file. If a license URL has been defined in the license node, it should also be defined as an external reference for completeness.
BUILD_META, Build-system specific meta file (e.g. pom.xml, package.json, .nuspec)
BUILD_SYSTEM, Reference to an automated build system
RELEASE_NOTES, Reference to release notes
SECURITY_CONTACT, Specifies a way to contact the maintainer, supplier, or provider in the event of a security incident. Common URIs include links to a disclosure procedure, a mailto (RFC-2368) that specifies an email address, a tel (RFC-3966) that specifies a phone number, or dns (RFC-4501) that specifies the records containing DNS Security TXT.
MODEL_CARD, A model card describes the intended uses of a machine learning model, potential limitations, biases, ethical considerations, training parameters, datasets used to train the model, performance metrics, and other relevant data useful for ML transparency.
LOG, A record of events that occurred in a computer system or application, such as problems, errors, or information on current operations.
CONFIGURATION, Parameters or settings that may be used by other components or services.
EVIDENCE, Information used to substantiate a claim.
FORMULATION, Describes the formulation of any referencable object within the BOM, including components, services, metadata, declarations, or the BOM itself.
ATTESTATION, Human or machine-readable statements containing facts, evidence, or testimony.
THREAT_MODEL, An enumeration of identified weaknesses, threats, and countermeasures, dataflow diagram (DFD), attack tree, and other supporting documentation in human-readable or machine-readable format.
ADVERSARY_MODEL, The defined assumptions, goals, and capabilities of an adversary.
RISK_ASSESSMENT, Identifies and analyzes the potential of future events that may negatively impact individuals, assets, and/or the environment. Risk assessments may also include judgments on the tolerability of each risk.
VULNERABILITY_ASSERTION, A Vulnerability Disclosure Report (VDR) which asserts the known and previously unknown vulnerabilities that affect a component, service, or product including the analysis and findings describing the impact (or lack of impact) that the reported vulnerability has on a component, service, or product.
EXPLOITABILITY_STATEMENT, A Vulnerability Exploitability eXchange (VEX) which asserts the known vulnerabilities that do not affect a product, product family, or organization, and optionally the ones that do. The VEX should include the analysis and findings describing the impact (or lack of impact) that the reported vulnerability has on the product, product family, or organization.
PENTEST_REPORT, Results from an authorized simulated cyberattack on a component or service, otherwise known as a penetration test.
STATIC_ANALYSIS_REPORT, SARIF or proprietary machine-readable or human-readable report in which static analysis has identified code quality, security, and other potential issues with the source code.
DYNAMIC_ANALYSIS_REPORT, Dynamic analysis report that has identified issues such as vulnerabilities and misconfigurations.
RUNTIME_ANALYSIS_REPORT, Report generated by analyzing the call stack of a running application.
COMPONENT_ANALYSIS_REPORT, Report generated by Software Composition Analysis (SCA), container analysis, or other forms of component analysis.
MATURITY_REPORT, Report containing a formal assessment of an organization, business unit, or team against a maturity model.
CERTIFICATION_REPORT, Industry, regulatory, or other certification from an accredited (if applicable) certification body.
CODIFIED_INFRASTRUCTURE, Code or configuration that defines and provisions virtualized infrastructure, commonly referred to as Infrastructure as Code (IaC).
QUALITY_METRICS, Report or system in which quality metrics can be obtained.
POAM, Plans of Action and Milestones (POA&M) complement an "attestation" external reference. POA&M is defined by NIST as a "document that identifies tasks needing to be accomplished. It details resources required to accomplish the elements of the plan, any milestones in meeting the tasks and scheduled completion dates for the milestones".
ELECTRONIC_SIGNATURE, An e-signature is commonly a scanned representation of a written signature or a stylized script of the person's name.
DIGITAL_SIGNATURE, A signature that leverages cryptography, typically public/private key pairs, which provides strong authenticity verification.
RFC_9116, Document that complies with RFC 9116 (A File Format to Aid in Security Vulnerability Disclosure)
PATENT, References information about patents which may be defined in human-readable documents or in machine-readable formats such as CycloneDX or ST.96. For detailed patent information or to reference the information provided directly by patent offices, it is recommended to leverage standards from the World Intellectual Property Organization (WIPO) such as ST.96.
PATENT_FAMILY, References information about a patent family which may be defined in human-readable documents or in machine-readable formats such as CycloneDX or ST.96. A patent family is a group of related patent applications or granted patents that cover the same or similar invention. For detailed patent family information or to reference the information provided directly by patent offices, it is recommended to leverage standards from the World Intellectual Property Organization (WIPO) such as ST.96.
PATENT_ASSERTION, References assertions made regarding patents associated with a component or service. Assertions distinguish between ownership, licensing, and other relevant interactions with patents.
CITATION, A reference to external citations applicable to the object identified by this BOM entry or the BOM itself. When used with a BOM-Link, this allows offloading citations into a separate CycloneDX BOM.
OTHER, Use this if no other types accurately describe the purpose of the external reference.
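As an added example (not code from the SBOM::CycloneDX distribution), the following Python checks the externalReferences of a CycloneDX JSON BOM against the types listed above, using the lowercase hyphenated spelling CycloneDX uses in JSON, and applies the URI guidance given for SECURITY_CONTACT. The sample BOM is constructed, and accepting https for a link to a written disclosure procedure is an assumption.

```python
import json
from urllib.parse import urlparse

# JSON spelling of the constants listed above (CycloneDX uses lowercase, hyphenated names).
EXTERNAL_REFERENCE_TYPES = {
    "vcs", "issue-tracker", "website", "advisories", "bom", "mailing-list", "social",
    "chat", "documentation", "support", "source-distribution", "distribution",
    "distribution-intake", "license", "build-meta", "build-system", "release-notes",
    "security-contact", "model-card", "log", "configuration", "evidence", "formulation",
    "attestation", "threat-model", "adversary-model", "risk-assessment",
    "vulnerability-assertion", "exploitability-statement", "pentest-report",
    "static-analysis-report", "dynamic-analysis-report", "runtime-analysis-report",
    "component-analysis-report", "maturity-report", "certification-report",
    "codified-infrastructure", "quality-metrics", "poam", "electronic-signature",
    "digital-signature", "rfc-9116", "patent", "patent-family", "patent-assertion",
    "citation", "other",
}
# URI schemes named in the security-contact description (mailto, tel, dns); https is
# assumed here as the scheme of a link to a written disclosure procedure.
SECURITY_CONTACT_SCHEMES = {"mailto", "tel", "dns", "https"}

def check_external_references(bom):
    """Return problem strings for top-level and per-component externalReferences."""
    problems = []
    entries = [("bom", r) for r in bom.get("externalReferences", [])]
    for comp in bom.get("components", []):
        entries += [(comp.get("name", "?"), r) for r in comp.get("externalReferences", [])]
    for owner, ref in entries:
        rtype, url = ref.get("type"), ref.get("url", "")
        if rtype not in EXTERNAL_REFERENCE_TYPES:
            problems.append(f"{owner}: unknown externalReference type {rtype!r}")
            continue
        scheme = urlparse(url).scheme
        if not scheme:
            problems.append(f"{owner}: {rtype} reference has no URI scheme: {url!r}")
        elif rtype == "security-contact" and scheme not in SECURITY_CONTACT_SCHEMES:
            problems.append(f"{owner}: security-contact uses unexpected scheme {scheme!r}")
    return problems

# Constructed sample BOM: a valid VCS link, a misspelt type, and an odd security contact.
SAMPLE_BOM = json.loads("""{
  "bomFormat": "CycloneDX", "specVersion": "1.6",
  "externalReferences": [{"type": "security-contact", "url": "mailto:security@example.test"}],
  "components": [{"name": "libexample", "externalReferences": [
    {"type": "vcs", "url": "https://example.test/libexample.git"},
    {"type": "issue_tracker", "url": "https://example.test/issues"},
    {"type": "security-contact", "url": "ftp://example.test/contact"}]}]
}""")
```

Running `check_external_references(SAMPLE_BOM)` reports the misspelt `issue_tracker` type and the `ftp` security contact while accepting the other two entries.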
SUPPORT
Bugs / Feature Requests
Please report any bugs or feature requests through the issue tracker at https://github.com/giterlizzi/perl-SBOM-CycloneDX/issues. You will be notified automatically of any progress on your issue.
Source Code
This is open source software. The code repository is available for public review and contribution under the terms of the license.
https://github.com/giterlizzi/perl-SBOM-CycloneDX
git clone https://github.com/giterlizzi/perl-SBOM-CycloneDX.git
AUTHOR
Giuseppe Di Terlizzi <gdt@cpan.org>
LICENSE AND COPYRIGHT
This software is copyright (c) 2025-2026 by Giuseppe Di Terlizzi.
This is free software; you can redistribute it and/or modify it under the same terms as the Perl 5 programming language system itself.