specification
OWASP CycloneDX is a full-stack Bill of Materials (BOM) standard that provides advanced supply chain capabilities for cyber risk reduction. SBOM, SaaSBOM, HBOM, AI/ML-BOM, CBOM, OBOM, MBOM, VDR, and V...
It is desirable to specify that a component, service, assembly, or dependency has been redacted. This is a use case currently being discussed at CISA.
followup of #396 existing work/art: - Green Software Foundation - Impact Framework - see requests - request for manufacturing cost in HBOM and SBOM and SaaSBOM (components and services) and...
The link to the purl version range defined in https://github.com/CycloneDX/specification/blob/8af880d5f2ba0a107de88a920a76cedd5ba75083/schema/bom-1.5.xsd#L3647 (https://github.com/package-url/purl-spec/VERSION-RANGE-SPEC.rst) does not work at the moment. Currently the Version-Range Spec is not merged to main but only available in...
I was browsing through https://cyclonedx.org/docs/1.5/json/#vulnerabilities_items_affects_items_versions_items_range to gain a better understanding of CycloneDX version ranges. When I attempted to access the information via this link: https://github.com/package-url/purl-spec/VERSION-RANGE-SPEC.rst, it led me to a...
A proposal has been suggested that the CycloneDX specification add native support for the [SCVS BOM Maturity Model](https://scvs.owasp.org/bom-maturity-model/) to the schema itself. This may likely be a JSON-only enhancement, but...
## current situation (CDX 1.6): - it is allowed to have EITHER one spdx license expression OR multiple named/spdx licenses. see [spec](https://cyclonedx.org/docs/1.6/json/#components_items_licenses) - each license (expression/named/spdx) can have an acknowledgement -...
Up to version 1.5, there was a discrepancy between the XML and the JSON Schema, which was resolved as per #204/#205. Since that update, `LicenseChoice` has become a complex type...
Bumps [json-schema-for-humans](https://github.com/coveooss/json-schema-for-humans) from 0.47 to 1.0.2. Release notes Sourced from json-schema-for-humans's releases. v1.0.2 1.0.2 (2024-05-16) Bug Fixes Fix for unstable enum description templating_utils.py (#243) (c304af8) v1.0.1 1.0.1 (2024-05-06) Bug Fixes...
A BOM is not overly useful to defenders as they only contain inventory of things and potentially how something was built (e.g. formulation). They do not provide any insight into...
I'm currently working on generating an SBOM for a Yocto-based embedded distribution and I'd like to use Dependency-Track. I have a semi-working solution to get my SBOM into Dependency-Track...