Any way to specify an item is for internal use only?
Is there any object in which we are able to state a component is for "internal eyes only" and that it should be omitted from any BOM released to the public?
Hi @Radial01 - thanks for engaging with us.
There is no official place in the CycloneDX standard (v1.4) that allows for a data-classification type statement or flag. This is something we can consider for v1.5 :-)
One option you could consider using in the short term are Properties - see https://cyclonedx.org/docs/1.4/json/#components_items_properties.
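As an added example (not part of this thread or of the CycloneDX project), here is how the Properties approach suggested above could be applied in practice: components in a constructed 1.4 JSON BOM that carry a hypothetical, organisation-chosen property named `acme:internalUse` are dropped from a public copy, and their `dependencies` entries are pruned so the removed bom-refs do not leak through the graph.

```python
import copy
import json

# Constructed CycloneDX 1.4 JSON BOM (not taken from the thread). The property
# name "acme:internalUse" is hypothetical; 1.4 defines no official flag for this.
SAMPLE_BOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "bom-ref": "pkg:maven/org.example/public-lib@1.0.0",
         "name": "public-lib", "version": "1.0.0"},
        {"type": "library", "bom-ref": "pkg:generic/acme/secret-sauce@2.3.1",
         "name": "secret-sauce", "version": "2.3.1",
         "properties": [{"name": "acme:internalUse", "value": "true"}]},
    ],
    "dependencies": [
        {"ref": "pkg:maven/org.example/public-lib@1.0.0",
         "dependsOn": ["pkg:generic/acme/secret-sauce@2.3.1"]},
        {"ref": "pkg:generic/acme/secret-sauce@2.3.1", "dependsOn": []},
    ],
}

INTERNAL_PROPERTY = "acme:internalUse"  # hypothetical property name


def is_internal(component: dict) -> bool:
    """True if the component carries the internal-use property set to "true"."""
    for prop in component.get("properties", []):
        if prop.get("name") == INTERNAL_PROPERTY and str(prop.get("value", "")).lower() == "true":
            return True
    return False


def redact_bom(bom: dict) -> dict:
    """Return a copy of the BOM with internal components and their graph edges removed."""
    public = copy.deepcopy(bom)
    internal_refs = {c.get("bom-ref") for c in public.get("components", []) if is_internal(c)}
    public["components"] = [c for c in public["components"] if not is_internal(c)]
    # Prune the dependency graph as well; a bare list filter would leave the removed
    # bom-refs visible in "dependsOn" lists and as "ref" entries.
    deps = []
    for d in public.get("dependencies", []):
        if d.get("ref") in internal_refs:
            continue
        d["dependsOn"] = [r for r in d.get("dependsOn", []) if r not in internal_refs]
        deps.append(d)
    public["dependencies"] = deps
    return public


if __name__ == "__main__":
    print(json.dumps(redact_bom(SAMPLE_BOM), indent=2))
```

Only top-level components are inspected; nested `components` arrays inside a component would need the same check applied recursively.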
If it would be considered, that would be fantastic. We could definitely look into using Properties for the time being, but having a field specifically denoting that a component/material should NOT be shared outside the organization would be ideal. I think this would promote its use in third-party products that have chosen to ingest/export BOMs in the CycloneDX format. Thanks!
For reference, my thought behind this field, which I'll call "internalUse," is that it would have a yes/no assigned to it. Third-party vendors utilizing CycloneDX could then provide the option of omitting components where internalUse == no. Otherwise, it would at least be a field that could be exported to a CSV, allowing for quick removal of said components.
@Radial01 were you able to use properties for this?
I cannot think of a way to achieve what you want in a way that would not make assumptions for what "internal" means. The supply chain is complex and the reach in which component transparency should be revealed will vary dramatically based on use case.
@madpah, @Radial01 any updates on this topic even in v1.5?