{
  "bomFormat": "CycloneDX",
  "specVersion": "1.6",
  "version": 1,
  "metadata": {
    "timestamp": "2026-06-08T00:00:00Z",
    "tools": [
      { "vendor": "your-org", "name": "your-sbom-generator", "version": "0.0.0" }
    ],
    "component": {
      "type": "application",
      "bom-ref": "pkg:your-product@1.0.0",
      "name": "Your product with digital elements",
      "version": "1.0.0",
      "supplier": { "name": "Your company / manufacturer" },
      "description": "CRA SBOM starter template (CycloneDX). Replace placeholders. Cover at least top-level dependencies; transitive is best practice. Keep this in your Annex VII technical documentation and regenerate on every release."
    }
  },
  "components": [
    {
      "type": "library",
      "bom-ref": "pkg:npm/example-dependency@1.2.3",
      "name": "example-dependency",
      "version": "1.2.3",
      "supplier": { "name": "Upstream maintainer / steward" },
      "licenses": [{ "license": { "id": "MIT" } }],
      "purl": "pkg:npm/example-dependency@1.2.3"
    }
  ],
  "_cra_notes": [
    "CRA Annex I, Part II(1): SBOM in a commonly used, machine-readable format covering at least top-level dependencies.",
    "Not required to be public, but provide to market surveillance authorities on request.",
    "Alternative format: SPDX (ISO/IEC 5962). Pick one and generate it in CI.",
    "Source: https://digital-strategy.ec.europa.eu/en/policies/cra-summary"
  ]
}