
OWASP CycloneDX is a full-stack Bill of Materials (BOM) standard that provides advanced supply chain capabilities for cyber risk reduction. SBOM, SaaSBOM, HBOM, AI/ML-BOM, CBOM, OBOM, MBOM, VDR, and V...

Results 248 specification issues

Proposal: add a list of model libraries/dependencies that exist for a given ML model. This captures one of the most important pieces of information: what primary ML library a model...

Including the code snippet in the SBoM can help users without access to the application source code understand the evidence better. We currently support the value attribute in identity.methods. The...

More and more "AI" services are being offered as endpoints (generation, summarization, analysis, etc.); it would be a valid consideration to be able to declare which AI models were being used...

Currently with the current spec if we have n dependencies with the same license and if we need to include the license text this leads to a lot of duplicated...

**Motivation** As a CycloneDX consumer, I would like the ability to validate whether all the components declared their expected cryptographic hash. In SLSA v0.1, for example, hashes are recommended for...

While I was updating some test resources, I noticed that my IDE did not autocomplete in the JSON files, but did so in the XML files. I noticed that this...

documentation

Please do not reuse `propertyType` for "environmentVar". The annotations from `propertyType` do not match the case here. Better define a dedicated (abstract) `key-value` pair element type: ```xml The name of...

For multiple instances of JSON in the same MIME object, a possibility, please register application/vnd.cyclonedx+jsonseq.

The SPDX License List is a subschema of the main CDX schema. CycloneDX is currently using 3.17 of the SPDX License List, whilst the latest version is 3.19. 15 new...

As discussed in the ML working group, there may be a desire to tie CDX components/services as inputs/outputs of ML models within the same BOM or across BOMs. This ticket...

proposed core enhancement