
OWASP CycloneDX is a full-stack Bill of Materials (BOM) standard that provides advanced supply chain capabilities for cyber risk reduction. SBOM, SaaSBOM, HBOM, AI/ML-BOM, CBOM, OBOM, MBOM, VDR, and V...

248 specification issues, sorted by recently updated

Add CycloneDX v1.2 and v1.3 to https://www.schemastore.org/ once v1.3 has been published.

CycloneDX is a great format and can be used for multiple purposes - thank you! CycloneDX allows specifying hashes, for integrity, for packaging, etc. You can specify the hash algorithm...
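As an added example, not code from the CycloneDX project or from the issue author, the Python below builds a constructed minimal CycloneDX 1.3 JSON component carrying `hashes` entries and verifies an artifact's bytes against them. The `alg` names are the ones the spec's hash enum defines; the helper names (`compute_cdx_hash`, `verify_component_hashes`, `component_is_intact`), the sample artifact bytes and the BOM content are this example's own assumptions. BLAKE3 is in the enum but has no `hashlib` implementation, so the check reports it as unsupported rather than silently treating it as a pass.

```python
import hashlib
import json

# CycloneDX hash algorithm names (the schema's hash enum) mapped to hashlib.
# Assumption of this example: BLAKE3 is left out because hashlib has no
# implementation for it, so it is reported as unsupported, never as a match.
CDX_HASH_ALGS = {
    "MD5": "md5",
    "SHA-1": "sha1",
    "SHA-256": "sha256",
    "SHA-384": "sha384",
    "SHA-512": "sha512",
    "SHA3-256": "sha3_256",
    "SHA3-384": "sha3_384",
    "SHA3-512": "sha3_512",
    # BLAKE2b variants are the same primitive at different digest sizes (bytes).
    "BLAKE2b-256": ("blake2b", 32),
    "BLAKE2b-384": ("blake2b", 48),
    "BLAKE2b-512": ("blake2b", 64),
}


def compute_cdx_hash(alg, data):
    """Hex digest of data under a CycloneDX algorithm name, or None if unsupported."""
    spec = CDX_HASH_ALGS.get(alg)
    if spec is None:
        return None
    if isinstance(spec, tuple):
        _, digest_size = spec
        return hashlib.blake2b(data, digest_size=digest_size).hexdigest()
    return hashlib.new(spec, data).hexdigest()


def verify_component_hashes(component, data):
    """Check every hashes[] entry; returns {alg: 'match' | 'mismatch' | 'unsupported'}."""
    results = {}
    for entry in component.get("hashes", []):
        alg = entry["alg"]
        actual = compute_cdx_hash(alg, data)
        if actual is None:
            results[alg] = "unsupported"
        elif actual == entry["content"].lower():
            results[alg] = "match"
        else:
            results[alg] = "mismatch"
    return results


def component_is_intact(component, data):
    """Integrity policy: at least one supported hash matched and none mismatched.

    An entry the verifier cannot compute is not evidence either way, so a
    component listing only unsupported algorithms is NOT treated as intact.
    """
    outcomes = set(verify_component_hashes(component, data).values())
    return "match" in outcomes and "mismatch" not in outcomes


# Constructed sample input (not a real artifact): the bytes of a release
# archive and the BOM component that describes it. The BLAKE3 content is a
# placeholder to exercise the unsupported-algorithm path.
SAMPLE_ARTIFACT = b"example-lib-1.0.0 release tarball bytes (constructed sample)\n"
SAMPLE_BOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.3",
    "version": 1,
    "components": [
        {
            "type": "library",
            "name": "example-lib",
            "version": "1.0.0",
            "hashes": [
                {"alg": "SHA-256", "content": hashlib.sha256(SAMPLE_ARTIFACT).hexdigest()},
                {"alg": "BLAKE3", "content": "00" * 32},
            ],
        }
    ],
}


def verify_sample(data=SAMPLE_ARTIFACT):
    """Run the check on the constructed BOM; returns (per-algorithm results, intact?)."""
    component = json.loads(json.dumps(SAMPLE_BOM))["components"][0]
    return verify_component_hashes(component, data), component_is_intact(component, data)


if __name__ == "__main__":
    print(verify_sample())
    print(verify_sample(SAMPLE_ARTIFACT + b"tampered"))
```

A tampered artifact flips the SHA-256 entry to `mismatch`, and a component whose only hash is BLAKE3 comes back not intact; both cases are the ones an integrity consumer needs to get right rather than defaulting to "no mismatch found".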

Sorry if I overlooked something obvious, but I miss a way to specify a `source` archive URL for a component, as the logical counterpart to the `distribution` type. Many ecosystems have...

With v1.3 of the spec, custom properties were introduced, but with no real guidance on naming. For example, CDX support is being added to Tern, a container SCA tool. One of...

documentation

BOM version is optional in XML and protobuf but required in JSON. I propose dropping the requirement from the JSON schemas as a patch release.

bug

I see the XML schema has a specific schema extension for describing vulnerability information https://github.com/CycloneDX/specification/blob/master/schema/ext/vulnerability-1.0.xsd The main page [says](https://cyclonedx.org/#extensions) > The Vulnerability extension provides the ability to represent component vulnerabilities...

The ability to optionally supplement the BOM with results of human analysis and opinion is required for moderate to high assurance use cases. Examples include: - Analysis of the accuracy...

proposed schema extension

In the age of Docker, Kubernetes and other solutions that allow virtualization, these solutions often come with preinstalled software, libraries and, more importantly, preconfigured user accounts with default passwords....