{
  "$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json",
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "serialNumber": "urn:uuid:example-0000-0000-0000-000000000001",
  "version": 1,
  "metadata": {
    "timestamp": "2026-01-15T10:30:00Z",
    "tools": {
      "components": [
        {
          "type": "application",
          "name": "your-sbom-tool",
          "version": "1.0.0"
        }
      ]
    },
    "component": {
      "type": "firmware",
      "name": "your-product-firmware",
      "version": "2.1.0",
      "description": "Example IoT sensor firmware",
      "supplier": {
        "name": "Your Company Name",
        "url": ["https://yourcompany.com"]
      },
      "cpe": "cpe:2.3:o:yourcompany:sensor_firmware:2.1.0:*:*:*:*:*:*:*"
    },
    "manufacture": {
      "name": "Your Company Name",
      "url": ["https://yourcompany.com"]
    }
  },
  "components": [
    {
      "type": "operating-system",
      "name": "zephyr",
      "version": "3.6.0",
      "description": "Zephyr Real-Time Operating System",
      "purl": "pkg:github/zephyrproject-rtos/zephyr@v3.6.0",
      "cpe": "cpe:2.3:o:zephyrproject:zephyr:3.6.0:*:*:*:*:*:*:*",
      "licenses": [
        {
          "license": {
            "id": "Apache-2.0"
          }
        }
      ],
      "externalReferences": [
        {
          "type": "website",
          "url": "https://zephyrproject.org"
        },
        {
          "type": "vcs",
          "url": "https://github.com/zephyrproject-rtos/zephyr"
        }
      ]
    },
    {
      "type": "library",
      "name": "mbedtls",
      "version": "3.5.2",
      "description": "Mbed TLS cryptographic library",
      "purl": "pkg:github/Mbed-TLS/mbedtls@v3.5.2",
      "cpe": "cpe:2.3:a:arm:mbed_tls:3.5.2:*:*:*:*:*:*:*",
      "licenses": [
        {
          "license": {
            "id": "Apache-2.0"
          }
        }
      ]
    },
    {
      "type": "library",
      "name": "mcuboot",
      "version": "2.0.0",
      "description": "Secure bootloader for 32-bit MCUs",
      "purl": "pkg:github/mcu-tools/mcuboot@v2.0.0",
      "cpe": "cpe:2.3:a:mcuboot:mcuboot:2.0.0:*:*:*:*:*:*:*",
      "licenses": [
        {
          "license": {
            "id": "Apache-2.0"
          }
        }
      ]
    },
    {
      "type": "library",
      "name": "lwm2m",
      "version": "1.2.0",
      "description": "LwM2M protocol implementation (part of Zephyr)",
      "purl": "pkg:generic/lwm2m@1.2.0",
      "licenses": [
        {
          "license": {
            "id": "Apache-2.0"
          }
        }
      ]
    },
    {
      "type": "library",
      "name": "tinycbor",
      "version": "0.6.0",
      "description": "Concise Binary Object Representation (CBOR) library",
      "purl": "pkg:github/nicktrav/tinycbor@v0.6.0",
      "licenses": [
        {
          "license": {
            "id": "MIT"
          }
        }
      ]
    },
    {
      "type": "firmware",
      "name": "nordic-sdk",
      "version": "2.5.0",
      "description": "Nordic Semiconductor nRF Connect SDK",
      "purl": "pkg:github/nrfconnect/sdk-nrf@v2.5.0",
      "licenses": [
        {
          "license": {
            "id": "LicenseRef-Nordic-5-Clause"
          }
        }
      ]
    }
  ],
  "dependencies": [
    {
      "ref": "your-product-firmware",
      "dependsOn": [
        "zephyr",
        "mbedtls",
        "mcuboot",
        "nordic-sdk"
      ]
    },
    {
      "ref": "zephyr",
      "dependsOn": [
        "lwm2m",
        "tinycbor"
      ]
    }
  ]
}