specification
OWASP CycloneDX is a full-stack Bill of Materials (BOM) standard that provides advanced supply chain capabilities for cyber risk reduction. SBOM, SaaSBOM, HBOM, AI/ML-BOM, CBOM, OBOM, MBOM, VDR, and V...
[Sigstore](https://www.sigstore.dev) exists to verify whether a deployed dependency was signed by the author. Detecting whether a detected dependency was signed by Sigstore would allow downstream tools such as DependencyTrack to...
Every component and/or pedigree should support how the component was made, not only what the component is or its DNA. For high assurance use cases, it is important to document...
In the XML schema definition for CDX-1.4, `vulnerabilityType.references.reference` defines `id` and `source` as optional (`minOccurs="0"`); see https://github.com/CycloneDX/specification/blob/master/schema/bom-1.4.xsd#L1779. In the JSON schema definition for CDX-1.4, in `/definitions/vulnerability/properties/references/items`, the `id` and `source` are...
Many enterprise applications are developed and deployed to Low-Code Application Platforms (LCAP). These applications may consist of configuration, a minimum amount of code, workflow, and integrations. Low-code components should be...
As tools it is noted, many tools may contribute data to the "final" published SBOM. Currently, there is no means to associate "evidence" (including other concluded data such as from...
ML models could theoretically be represented in the inventory. ML is often abstracted behind a service making it easier to consume, but if you wanted to describe the models themselves,...
My team has been working on improving/updating legacy license scanning tools and integrating them with source code scanners that support SBOM generation (CDX format). Learning from this process we have...
Is there any object in which we are able to state a component is for "internal eyes only" and that it should be omitted from any BOM released to the...
Per comment https://github.com/CycloneDX/specification/pull/91#issuecomment-982546216 > In general I like this, but it seems like it has bit of a vulnerability centric view versus a vulnerability in context of an assembled piece...
CoSWID defines a concise representation of SWID Tags. It's very suited for devices with network and storage constraints. It would be quite useful for a firmware use case I have....