
OWASP CycloneDX is a full-stack Bill of Materials (BOM) standard that provides advanced supply chain capabilities for cyber risk reduction. SBOM, SaaSBOM, HBOM, AI/ML-BOM, CBOM, OBOM, MBOM, VDR, and V...

Results 248 specification issues

This issue is to collect features useful for the next version of CBOM:
- [ ] cryptoProperties/algorithmProperties/implementationPlatform should be an array to allow selecting multiple platforms
- [ ] cryptoProperties/relatedCryptoMaterialProperties:...

proposed core enhancement

Initial blueprint and threat modeling support for CycloneDX v2.0.

proposed core enhancement
prototype

## Describe the defect
Multiple list fields in the ModelCard definition for CycloneDX 1.5, 1.6, and 1.7 are incorrectly constrained in the XML schema. The elements `users`, `useCases`, `technicalLimitations`, and...

defect

# Feature Request: Perspectives: Domain-Specific Views into CycloneDX Data
## Summary
Introduce a `perspectives` construct that enables domain-specific audiences to define curated views into CycloneDX BOMs or API responses. Each...

proposed core enhancement

Copyright, as it appears in components/services, is a simple text field. In evidence, copyright is an array of objects, where each object has a `text` property that holds the copyright....

defect

Components support mime-type, attachments erroneously support contentType. In reality, both of these should be mediaType. This ticket is to standardize on mediaType throughout CycloneDX v2.0.

defect

## Refactor: Unify services as a component type for improved schema consistency
### Summary
This proposal seeks to refactor the separate `service` object definition into the existing `component` model by...

proposed core enhancement

## TM-BOM Review
Risk, threat and model schemas need review before launch as discussed on the TM-BOM sessions.

proposed core enhancement

### Describe the feature
Many CycloneDX VEX consumers (e.g., `Dependency-Track`, `Trivy`, ...) consider only `analysis.state` (e.g., `not_affected`, `exploitable`, `resolved`) and ignore `vulnerabilities[].ratings[]` (e.g., CVSS, OWASP Risk Rating). Ratings carry essential exploitability...

proposed core enhancement

Bumps [glob](https://github.com/isaacs/node-glob) from 11.1.0 to 13.0.0. Changelog sourced from glob's changelog. glob 13: Move the CLI program out to a separate package, glob-bin. Install that if you'd like to continue...

dependencies