OWASP CycloneDX is a full-stack Bill of Materials (BOM) standard that provides advanced supply chain capabilities for cyber risk reduction. SBOM, SaaSBOM, HBOM, AI/ML-BOM, CBOM, OBOM, MBOM, VDR, and V...
# Request: Evidence for Vulnerabilities

Similar to existing support for evidence for components, and other requests for evidence elsewhere, the request is to support evidence in the `Vulnerability` object. Specifically,...
**Proposal** Separate from base models, models can have a long lineage or multiple parent models. The practitioners we spoke with thought it would be helpful to allow listing one or...
To improve supply chain compliance, we are finding the need to add properties that connect the SBOM to the procurement. Specific attributes that would support this include - Purchasing Document Number...
Like components, `services` can be detected by generator tools like cdxgen. All evidence, such as identity, occurrence, and call stack, can be presented for the detected services. The structure of...
As of v1.5, the description of `metadata.supplier` states: https://github.com/CycloneDX/specification/blob/299209abd9531d808e0cc4235e77a7c4b1b53d96/schema/bom-1.5.schema.json#L268-L271 This is in addition to `metadata.component.supplier`, which states: https://github.com/CycloneDX/specification/blob/299209abd9531d808e0cc4235e77a7c4b1b53d96/schema/bom-1.5.schema.json#L430-L434 Based on those descriptions, it is unclear what the subject of `metadata.supplier`...
fixes #345
fixes #273

----

parts are superseded by https://github.com/CycloneDX/specification/pull/378
parts are continued in https://github.com/CycloneDX/specification/pull/379
SBoM generation tools (like cdxgen) might encounter artifacts already built along with source code and package manager manifests. In such cases, indicating the lifecycle phases associated with the given component(s)...
As of v1.4 the only values accepted by `components.type` are as follows:
- "application"
- "framework"
- "library"
- "container"
- "operating-system"
- "device"
- "firmware"
- "file"

Having reviewed...
Based on issues identified in https://github.com/CycloneDX/cyclonedx-maven-plugin/issues/310, which have been discussed at https://github.com/guacsec/guac/issues/594 along with a [Slack discussion](https://cyclonedx.slack.com/archives/CVCKP34A2/p1678480722085369) on the topic, this enhancement will introduce tight scoping for nodes in...
In discussions being had within the ML work group around "model cards", we acknowledge that the in-progress CycloneDX schema to describe ML models has, at best, ad-hoc standards to draw...