specification
OWASP CycloneDX is a full-stack Bill of Materials (BOM) standard that provides advanced supply chain capabilities for cyber risk reduction. SBOM, SaaSBOM, HBOM, AI/ML-BOM, CBOM, OBOM, MBOM, VDR, and V...
Proposing to add a new URL type called `source-archive` to list the alternative permalinks for archives. This is particularly useful when a VCS source gets removed without de-listing the packages....
Currently, dependencies is an array supporting two kinds of relationships - dependsOn (for dependency trees) and provides (for implementations). Both Software Heritage and OmniBOR support [advanced](https://docs.softwareheritage.org/devel/swh-graph/api.html) [graphs](https://omnibor.io/glossary/artifact_dependency_graph/) that require representing...
Bumps org.apache.commons:commons-text from 1.2 to 1.12.0. Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a...
Looks like this got missed somehow. I think it must be `optional` in the proto as well. https://github.com/CycloneDX/specification/blob/master/schema/bom-1.6.proto#L136 https://github.com/CycloneDX/specification/blob/master/schema/bom-1.6.schema.json#L2079 Originally reported [here](https://github.com/CycloneDX/specification/issues/272#issuecomment-1868576165)
Currently it is possible to specify a value for `scope` without offering any evidence. https://github.com/CycloneDX/specification/blob/master/schema/bom-1.6.schema.json#L4783 This creates potential false negatives if consuming tools are configured to filter for components with...
According to [Saxonica](https://www.saxonica.com), the authors of `Saxon HE`, v9 is no longer maintained, so let's upgrade. > [...] current actively maintained versions of Saxon-HE: [10](https://github.com/Saxonica/Saxon-HE/blob/main/10), [11](https://github.com/Saxonica/Saxon-HE/blob/main/11), and [12](https://github.com/Saxonica/Saxon-HE/blob/main/12)....
Fixes #422. And yes, fixing this bug is actually considered a breaking change in terms of ProtoBuf.
Bumps commons-io:commons-io from 2.7 to 2.16.1. Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a...
Bumps [org.apache.maven.plugins:maven-surefire-plugin](https://github.com/apache/maven-surefire) from 3.0.0-M5 to 3.2.5. Release notes sourced from org.apache.maven.plugins:maven-surefire-plugin's releases: 3.2.5 (JIRA link: Release Notes - Maven Surefire - Version 3.2.5). What's Changed: Bump org.htmlunit:htmlunit from 3.8.0 to...
Bumps org.apache.commons:commons-lang3 from 3.6 to 3.14.0. You can trigger a rebase of this PR by commenting `@dependabot rebase`. --- Dependabot commands...