specification
OWASP CycloneDX is a full-stack Bill of Materials (BOM) standard that provides advanced supply chain capabilities for cyber risk reduction. SBOM, SaaSBOM, HBOM, AI/ML-BOM, CBOM, OBOM, MBOM, VDR, and V...
In many security-sensitive applications, it's crucial to understand not just what cryptographic asset is used, but how it is used. For example, an algorithm might be used for legal document...
Add an external reference specific for open source contributing. This should reference contributing.md, or the contributing.json and contributing.yaml that are being defined by Ecma TC54-TG4.
Fixes https://github.com/CycloneDX/specification/issues/674

With inspiration from the Node.js [PRs](https://github.com/nodejs/node/pull/59259) and [this](https://github.com/nodejs/node/pull/59461), this pull request adds three new post-quantum algorithms: "ML-DSA-44", "ML-DSA-65", and "ML-DSA-87" to better future-proof BOM signature validity. The hypothetical...
## Describe the feature

The specification currently supports the following JWA [RFC7518] and RFC8037 [RFC8037] asymmetric key algorithms: ``` "RS256", "RS384", "RS512", "PS256", "PS384", "PS512", "ES256", "ES384", "ES512", "Ed25519", "Ed448",...
The uniqueness of component and service types is enforced everywhere, except under the Declarations.Targets type. Currently it looks like this: https://github.com/CycloneDX/specification/blob/d2948509102647896eeedcddd76112b4d286acee/schema/bom-1.6.schema.json#L407-L432 I think it should include uniqueness like this? ```jsonc...
### Discussed in https://github.com/CycloneDX/specification/discussions/671

Originally posted by **andreas-hilti** August 10, 2025

I'm wondering about the identifier "bom-ref": shouldn't this rather be called "bom-id"? If you look at the description https://cyclonedx.org/docs/1.6/json/#components_items_bom-ref...
There is a need to group cryptographic assets (possibly others) into a standard. For example, the following can currently be represented:

- Use of a cryptographic algorithm for encryption (e.g....