specification
OWASP CycloneDX is a full-stack Bill of Materials (BOM) standard that provides advanced supply chain capabilities for cyber risk reduction. SBOM, SaaSBOM, HBOM, AI/ML-BOM, CBOM, OBOM, MBOM, VDR, and V...
If a property is required, it should also not be an empty string. There are many places in the BOM schema where we use `"required": [...]` but do not also...
There have been several discussions with the threat modeling community, from users and open source and commercial vendors, to add support for **natively** representing threat models in CycloneDX. Currently, threat...
The accuracy of license IDs and expressions reported by tools might be limited based on the detection methods used. Attributes like confidence and concludedValue could help with explainability and reasoning.
Often, there is no 1:1 match between a component.purl and a vulnerability.affects.ref. Different tools use different techniques to generate aliases to attempt to match a given component (group + name...
We are seeing SBOM tools that are making up CPE and purl identifiers without offering evidence for identity. This is causing frustration, delays, and lack of trust in the tool...
Comparing the two specifications, I've found a couple of differences. ## json definitions The last one is about `Dependency`: in JSON it is defined as having two properties, `ref` and `dependsOn`, the...
#### Current Behavior `serialNumber` is defined as a UUID and RECOMMENDED: > Every BOM generated SHOULD have a unique serial number, even if the contents of a BOM have not...
- [ ] include all from the milestone: https://github.com/CycloneDX/specification/milestone/10 - [ ] do the needed documentation changes - [ ] streamline XML/JSON/ProtoBuf
After asking myself whether I need to support any encoding besides UTF-8 when consuming CycloneDX JSON BOMs, I stumbled over https://mobiarch.wordpress.com/2022/12/10/lets-talk-about-json-and-character-encoding/. With https://github.com/CycloneDX/specification/blob/1.6/schema/bom-1.6.xsd and the XML examples using UTF-8, I...