specification
OWASP CycloneDX is a full-stack Bill of Materials (BOM) standard that provides advanced supply chain capabilities for cyber risk reduction. SBOM, SaaSBOM, HBOM, AI/ML-BOM, CBOM, OBOM, MBOM, VDR, and V...
Bumps commons-io:commons-io from 2.16.1 to 2.17.0. [Dependabot compatibility score](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a...
Closes: https://github.com/CycloneDX/specification/issues/513
see https://github.com/bufbuild/buf/releases

## TASKS

- [x] bump version
- [ ] migrate config, see https://buf.build/docs/migration-guides/migrate-v2-config-files
- [ ] migrate CLI?
## Describe the defect

In JSON, the data member of a (data) component is an array:

In protobuf, it is not repeated: https://github.com/CycloneDX/specification/blob/bfb6f8baf77bbf98a4c0a54392508ba3ccf2e22e/schema/bom-1.6.proto#L142-L143

Also in XML it is not repeated:...
> [!NOTE]
> **WORK IN PROGRESS**
> see progress: https://github.com/CycloneDX/specification/milestone/8

----

## Fixed

* XML schema: add type for `ComponentData` sub-elements ([#600] via [#601])
* ... TBC ...

## Deprecated...
## Describe the defect

The protobuf serialization does not allow specifying a bom-ref for license expressions, in contrast to the XML and JSON serializations:

https://github.com/CycloneDX/specification/blob/bfb6f8baf77bbf98a4c0a54392508ba3ccf2e22e/schema/bom-1.6.proto#L368-L376
https://github.com/CycloneDX/specification/blob/bfb6f8baf77bbf98a4c0a54392508ba3ccf2e22e/schema/bom-1.6.schema.json#L1498-L1502
https://github.com/CycloneDX/specification/blob/bfb6f8baf77bbf98a4c0a54392508ba3ccf2e22e/schema/bom-1.6.xsd#L2279-L2286

## Additional...
## Describe the feature

[`tools\src\test\resources\1.6`](https://github.com/CycloneDX/specification/tree/master/tools/src/test/resources/1.6) contains many valid BOMs in all three serialization formats (JSON, XML, textproto). However, in many cases their content varies across the three forms. I...
Bumps org.apache.commons:commons-lang3 from 3.16.0 to 3.17.0. [Dependabot compatibility score](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a...
## Describe the feature

Currently there is no possibility to record the license selected (associated) by the user of a component from a selection of possible (declared) licenses of the...
Refactored `metadata.distribution` to be more verbose in its name, and made it more versatile by converting it to an "object" with "TLP" as a property.

Caused by https://github.com/CycloneDX/specification/pull/603#issuecomment-2972771553