specification
OWASP CycloneDX is a full-stack Bill of Materials (BOM) standard that provides advanced supply chain capabilities for cyber risk reduction. SBOM, SaaSBOM, HBOM, AI/ML-BOM, CBOM, OBOM, MBOM, VDR, and V...
So it dawned on me, that say you wanted to represent not just your application, but the external dependencies for it (so, the miraculous things that happen in AWS, GCP,...
Since dependency tracker uses the tags cpe, swid or purl to find the vulnerabilities from the NVD database, CycloneDX should make the existence of any of such tags mandatory for cycloneDX xml...
The way dependency objects are defined differs between the XSD and the JSON schema and documentation. The published documentation and JSON schema define "dependsOn" as a list of BOM ref...
Although https://github.com/in-toto/attestation/issues/82 is still open, meanwhile we can document the canonical intoto predicate types in the cyclonedx website since there is no registration process for predicate types. (per https://github.com/in-toto/attestation/blob/main/spec/README.md#predicate) This...
Hi, Currently, CycloneDX supports only relationships of parts in a system - dependencies and compositions. There is a need to express several types of relationships. A thorough list of examples can...
I would like to see the specification support analysis timestamps in VEX. There are timestamps for each vulnerability: * created * published * updated. Without a timestamp for analysis, it...
## Problem The `externalReference` in the model is limited to URIs, but according to the [Maven POM schema](https://maven.apache.org/xsd/maven-4.0.0.xsd) the SCM `url` is a simple string! As a user of the `org.cyclonedx.bom`...
This is probably a duplicate of #77. However, I didn't want to comment to add to it in case there is a divergence from the feedback provided here. Currently, component...
The basic idea is to evolve the `vulnerability` model for things like pentest reports, bug bounty programs, etc. In particular, it would be great to have reproduction steps in a...
Most SBOM generators base the inclusion of a component in an SBOM on a packagemanager file or the existence of some other file. I would like to be able to...