Releases: CycloneDX/specification
1.7
Major new additions include support for Data Provenance & Citations, Intellectual Property Transparency, Cryptographic Assurance (CBOM), extended License Details, and external components (SBOM).
Announcement: https://cyclonedx.org/news/cyclonedx-v1.7-released/
Fixed
- XML schema: add type for ComponentData sub-elements (#600 via #601)
- JSON schema: added the correct deprecated mark for already deprecated structures (via a973a6b)
Deprecated
- Deprecated various fields and structures related to cryptographic transparency (CBOM). (via #657)
Use the newly added structures and fields for detailing the information instead.
Changed
- Extended the scope of formulations. (via #647)
From now on, formulations may be used to describe how any referenceable object within the BOM came together, including components, services, metadata, declarations, or the BOM itself.
Before, it was restricted to components and services.
Added
- Support for external components with version-ranges (#321 via #586)
- Support for multiple SPDX License Expressions alongside other licenses (#454 via #582)
- Support for Streebog hashing algorithm (#485 via #525)
- Support for license expression details and properties (#549, #554 via #599)
- Support for expressing BOM distribution constraints with the Traffic Light Protocol (TLP) in metadata (#595 via #604, #653)
- Support for representing patent information (#596 via #597)
- Support for properties on external-references (#608 via #610)
- Support for citations (#630 via #629)
- Support for detailing cryptographic transparency information - CBOM (#569 via #657)
Documentation
- Elaborated component classification "platform", explicitly expressed that it includes just-in-time compilers and interpreters (#233 via #647)
- Removed the term "optional" from the schema where the definition was already unambiguous (#616, #649 via #680)
Test data
- Add test data for CycloneDX 1.7 implementations in XML, JSON, Protobuf
What's Changed
- chore(deps): bump org.apache.maven.plugins:maven-surefire-plugin from 3.4.0 to 3.5.1 in /tools by @dependabot[bot] in #527
- chore(deps): bump commons-io:commons-io from 2.16.1 to 2.17.0 in /tools by @dependabot[bot] in #523
- Adapt test samples to ensure consistency between the different formats by @andreas-hilti in #514
- fix: typos in schemas 1.6 by @weaversa in #550
- chore(dev-deps): tools use cyclonedx-core-java v10.0.0 by @jkowalleck in #552
- remove unused config file by @jkowalleck in #558
- chore(deps): update opis/json-schema requirement from 2.3 to 2.4.1 in /tools/src/test/php by @dependabot[bot] in #560
- docs: align media types in table by @jkowalleck in #561
- docs: Recognized file patterns by @jkowalleck in #562
- docs: fix some docs image-urls by @jkowalleck in #566
- docs: docsgen restructure output for website by @jkowalleck in #570
- docs: docgen proto with protoc-gen-doc by @jkowalleck in #557
- docs: docsgen theme and linkd for proto by @jkowalleck in #571
- docs: docsgen fix title in <meta> elements by @jkowalleck in #572
- docs: docsgen proto html scroll fixes by @jkowalleck in #573
- chore: introduce PR template by @jkowalleck in #579
- pull_request_template tell about rules by @jkowalleck in #580
- tests: testcases initial 1.7 by @jkowalleck in #583
- docs: docsgen latest first by @jkowalleck in #584
- feat(DX): add xml catalog for XSD by @Nicolas-Peiffer in #479
- fix: version range spec url by @jkowalleck in #581
- docs: allow SchemaDocs HTML generator run for one(specific) CDX version by @jkowalleck in #587
- chore: bump tools buf 1.50.0 by @jkowalleck in #588
- chore: test protobuf acknowledged BC by @jkowalleck in #589
- tests: php QA tests run offline by @jkowalleck in #594
- tests(Java): run test against actual schema files by @ppkarwasz in #592
- Fix missing type definitions for ComponentData subelements in XML by @andreas-hilti in #601
- Add support for Streebog hashing algorithm by @volkdm in #525
- feat: support for external components with version-ranges by @jkowalleck in #586
- docs: modernize build workflow badges by @jkowalleck in #625
- Update cryptography-defs.json by @bhess in #622
- Extends cryptography-defs.json by @bhess in #644
- feat: Add support for TLP marking in metadata by @anthonyharrison in #604
- feat: add custom properties to external references by @Urist-McGit in #610
- feat: license expression details and properties - text attachment, licensing, etc by @jkowalleck in #599
- Add support for representing patent information by @stevespringett in #597
- Improve wording of issue templates by @sschuberth in #651
- JIT compilers & interpreters are "platforms" by @jkowalleck in #647
- Add python script to generate algorithm families by @n1ckl0sk0rtge in #645
- Review algorithm list, apply rules for patterns by @bhess in #646
- Add missing changes by @n1ckl0sk0rtge in #658
- CBOM 1.7: Update test cases & a few schema fixes/extensions by @bhess in #661
- feat: support multi license mix by @jkowalleck in #582
- [1.7] citation: proposed changes 2 by @jkowalleck in #667
- Extend crypto definitions by @bhess in #672
- [1.7] Added citation support and test cases. by @stevespringett in #630
- refactor: metadata distribution to be an object by @jkowalleck in #653
- fix: remove the word "optional", align some docs by @jkowalleck in #680
- Extend crypto definitions by @bhess in #676
- [1.7] - Updates from CBOM working group - remove any BREAKING CHANGES for ProtoBuf by @jkowalleck in #677
- [1.7] - Updates from CBOM working group by @stevespringett in #657
- Updating SPD...
1.6.1
Functionally equivalent to CycloneDX 1.6.0 but with bug fixes to the XML/JSON/ProtoBuf implementations, and spelling, grammar and other editorial improvements.
What's Changed
- tests: annotate schema for test resources of CDX1.6 JSON by @jkowalleck in #423
- chore: dependabot for all used ecosystems by @jkowalleck in #424
- chore(dependencies): bump bufbuild/buf:1.30.1 by @jkowalleck in #431
- chore(deps): bump ajv-formats from 2.1.1 to 3.0.1 in /tools/src/test/js by @dependabot in #430
- docs: annotate protobuf licenses by @jkowalleck in #468
- chore(deps): bump org.apache.commons:commons-text from 1.2 to 1.12.0 in /tools by @dependabot in #439
- chore(deps): bump commons-io:commons-io from 2.7 to 2.16.1 in /tools by @dependabot in #429
- chore(deps): bump org.apache.maven.plugins:maven-surefire-plugin from 3.0.0-M5 to 3.2.5 in /tools by @dependabot in #428
- Fix(1.6spec): Fixed typo in componentEvidence description by @Petzys in #451
- issue451-streamline by @jkowalleck in #475
- tests: Update to cyclonedx-core-java-9.0.2 for test runners by @Nicolas-Peiffer in #480
- tests: Adding 1.6 valid and invalid test files in the Java tests by @Nicolas-Peiffer in #482
- chore(deps): bump org.apache.maven.plugins:maven-surefire-plugin from 3.2.5 to 3.3.0 in /tools by @dependabot in #484
- Update pom.xml by @jkowalleck in #489
- docs: revisit example urls in spec 1.6 by @jkowalleck in #490
- chore(deps): bump glob from 10.4.5 to 11.0.0 in /tools/src/test/js by @dependabot in #496
- Add space after colon by @tamir-alltrue-ai in #494
- 1.6 ecma by @stevespringett in #478
- chore(deps): bump org.apache.maven.plugins:maven-surefire-plugin from 3.3.0 to 3.4.0 in /tools by @dependabot in #504
- chore(deps): bump org.apache.commons:commons-lang3 from 3.6 to 3.16.0 in /tools by @dependabot in #499
- chore(dependencies): bump Saxon-HE from 9.9.1-8 to 10.9 by @jkowalleck in #432
- fix: add missing cryptoRef to cryptoProperties.protocolProperties for XML/PB by @jkowalleck in #502
- fix: ProtoBuf evidence not repeated, but optional by @jkowalleck in #425
- 1.6 ecma -- docs carry over by @jkowalleck in #512
- fix: revert PR #425 by @jkowalleck in #516
- fix(ProtoBuf): component evidence should be optional, instead of repeated by @jkowalleck in #517
- tests: fix ProtoBuf breaking detection to be wire-only by @jkowalleck in #532
- tests: bump docker image from bufbuild/buf:1.30.1 to :1.46.0 by @jkowalleck in #519
- tests: fix ProtoBuf BC check on version-level by @jkowalleck in #536
- tests: fix ProtoBuf test reports by @jkowalleck in #537
- fix(ProtoBuf): add ExternalReference Type EXTERNAL_REFERENCE_TYPE_RELEASE_NOTES by @jkowalleck in #531
- fix(ProtoBuf,XML): component data repeatable by @jkowalleck in #530
- fix(ProtoBuf): Component.evidence optional by @jkowalleck in #534
- fix(ProtoBuf): add LicenseExpression.bom_ref by @jkowalleck in #529
- docs: transfer spec docs to ProtoBuf 1.6 by @jkowalleck in #539
- docs: transfer specdocs to XML 1.6 by @jkowalleck in #540
- fix(xml): requirement descriptions should be unbounded by @hakandilek in #533
- chore: prep v1.6.1 by @jkowalleck in #535
- chore(deps): bump org.apache.commons:commons-lang3 from 3.16.0 to 3.17.0 in /tools by @dependabot in #509
New Contributors
- @Petzys made their first contribution in #451
- @Nicolas-Peiffer made their first contribution in #480
- @tamir-alltrue-ai made their first contribution in #494
- @hakandilek made their first contribution in #533
Full Changelog: 1.6...1.6.1
1.6
Major new additions include support for cryptographic assets (CBOM) and CycloneDX Attestations (CDXA). CycloneDX v1.6 forms the basis of a future Ecma International standard.
Announcement: https://cyclonedx.org/news/cyclonedx-v1.6-released/
Added
- Core enhancement: Cryptography Bill of Materials — CBOM (#171, #291 via #347)
- Core enhancement: Attestation — CDXA (#192 via #348)
- Feature to express the URL to source distribution (#98 via #269)
- Feature to express the URL to RFC 9116 compliant documents (#380 via #381)
- Feature to express tags/keywords for services and components (via #383)
- Feature to express details for component authors (#335 via #379)
- Feature to express details for component and BOM manufacturer (#346 via #379)
- Feature to express concluded values derived from observed evidence (#411 via #412)
- Features to express license acknowledgement (#407 via #408)
- Feature to express environmental consideration information for model cards (#396 via #395)
- Feature to express the address of organizational entities (via #395)
- Feature to express additional component identifiers: Universal Bill Of Receipts Identifier and Software Heritage persistent IDs (#413 via #414)
Fixed
- Allow multiple evidence identities by XML/JSON schema (#272 via #359)
This was already correct in the ProtoBuf schema.
- Prevent empty license entities by XML schema (#288 via #292)
This was already correct in the JSON/ProtoBuf schema.
- Prevent empty or malformed property entities by JSON schema (#371 via #375)
This was already correct in the XML/ProtoBuf schema.
- Allow multiple licenses in Metadata by ProtoBuf schema (#264 via #401)
This was already correct in the XML/JSON schema.
Changed
- Allow arbitrary $schema values by JSON schema (#402 via #403)
- Increased max length of versionRange (via 3e01ce6)
- Harmonized length of version (via #417)
Deprecated
- Data model Component's field author was deprecated. (via #379)
Use field authors or field manufacturer instead.
- Data model Metadata's field manufacture was deprecated. (#346 via #379)
Use Metadata's field component's field manufacturer instead:
  - for XML: /bom/metadata/component/manufacturer
  - for JSON: $.metadata.component.manufacturer
  - for ProtoBuf: Bom:metadata.component.manufacturer
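The two deprecations above imply a mechanical migration for BOMs written against earlier versions. The following is an added example written for these notes, not code from the CycloneDX project: it assumes (not stated on the page) that metadata.manufacture and component.manufacturer share one object shape and that component.authors is a list of contacts keyed by "name"; the sample BOM is constructed.

```python
# Added example, not from the CycloneDX project. Assumes (not stated on the page) that
# metadata.manufacture and component.manufacturer share one shape and that component.authors
# is a list of {"name": ...} contacts. SAMPLE_BOM is constructed.
import copy
import json

SAMPLE_BOM = json.loads("""
{"bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1,
 "metadata": {
   "manufacture": {"name": "Example Corp", "url": ["https://example.com"]},
   "component": {"type": "application", "name": "acme-app", "author": "Example Build Team"}},
 "components": [
   {"type": "library", "name": "libfoo", "author": "Foo Maintainers",
    "components": [{"type": "library", "name": "libfoo-core", "author": "Foo Maintainers"}]},
   {"type": "library", "name": "libbar", "authors": [{"name": "Bar"}]}]}
""")

def _walk_components(comps, path):
    """Yield (json_path, component) for every component, nested ones included."""
    for i, comp in enumerate(comps):
        here = f"{path}[{i}]"
        yield here, comp
        yield from _walk_components(comp.get("components", []), f"{here}.components")

def find_deprecated_usage(bom):
    """JSONPath-style locations of the two fields deprecated in 1.6 that are still present."""
    meta = bom.get("metadata", {})
    hits = ["$.metadata.manufacture"] if "manufacture" in meta else []
    if "author" in meta.get("component", {}):
        hits.append("$.metadata.component.author")
    for path, comp in _walk_components(bom.get("components", []), "$.components"):
        if "author" in comp:
            hits.append(f"{path}.author")
    return hits

def _author_to_authors(comp):
    """Move the deprecated string field author into authors[], skipping duplicates."""
    name = comp.pop("author")
    authors = comp.setdefault("authors", [])
    if not any(a.get("name") == name for a in authors):
        authors.append({"name": name})

def migrate_bom(bom):
    """Return (migrated deep copy, change notes); the input BOM is left untouched."""
    out = copy.deepcopy(bom)
    changes = []
    meta = out.get("metadata", {})
    comp = meta.get("component")
    if "manufacture" in meta and comp is None:
        # An empty metadata.component would be invalid (type/name required): report, don't move.
        changes.append("unmigrated: $.metadata.manufacture but no metadata.component")
    elif "manufacture" in meta:
        if "manufacturer" in comp:
            changes.append("dropped $.metadata.manufacture (component.manufacturer already set)")
        else:
            comp["manufacturer"] = meta["manufacture"]
            changes.append("$.metadata.manufacture -> $.metadata.component.manufacturer")
        del meta["manufacture"]
    for path, c in [("$.metadata.component", comp or {})] + list(
            _walk_components(out.get("components", []), "$.components")):
        if "author" in c:
            _author_to_authors(c)
            changes.append(f"{path}.author -> {path}.authors[]")
    return out, changes
```

Run find_deprecated_usage on a BOM before accepting it to flag fields a 1.6-aware consumer will treat as deprecated; migrate_bom leaves specVersion untouched so the caller decides when to declare 1.6.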
Documentation
- Centralize version and version-range (via #322)
- Streamlined SPDX expression related descriptions (via #327)
- Enhanced descriptions of bom-ref/refType (#336 via #344)
- Enhanced readability of enum documentation in JSON schema (#361 via #362)
- Fixed typo "compliment" -> "complement" (via #369)
- Added documentation for enum ComponentScope's values in JSON schema (#293 via d92e58e)
Texts were taken from the existing ones in the XML/ProtoBuf schema.
- Added documentation for enum TaskType's values (#245 via #377)
- Improved documentation for data model Metadata's field licenses (#273 via #378)
- Added documentation for enum MachineLearningApproachType's values (#351 via #416)
- Rephrased some texts here and there.
Test data
- Added test data for newly added use cases
- Added quality assurance for our ProtoBuf schemas (#384 via #385)
What's Changed
- Add BOM types by @stevespringett in #259
- adjust default values by @jkowalleck in #260
- Fix test data, closes #294 by @tokcum in #295
- Fix test data inconsistency regarding dependency tree in valid-service by @jkowalleck in #297
- chore: add @CycloneDX/core-team as default reviewers by @jkowalleck in #298
- Fix test data regarding base64-encoded contents by @tokcum in #299
- Fix test data regarding base64-encoded contents by @jkowalleck in #300
- Fix bom-ref in test data valid-compositions by @tokcum in #302
- Fix bom-ref in test data valid-compositions by @jkowalleck in #304
- Fix test data regarding invalid SPDX license ID by @tokcum in #305
- Fix test data regarding invalid SPDX license ID by @jkowalleck in #306
- chore: add dependabot for github actions by @jkowalleck in #314
- chore(deps): bump actions/checkout from 2 to 4 by @dependabot in #315
- chore(deps): bump actions/setup-python from 2 to 4 by @dependabot in #316
- chore(deps): bump actions/upload-artifact from 2 to 3 by @dependabot in #317
- chore(deps): bump actions/setup-java from 1 to 3 by @dependabot in #318
- chore: optimize CI runs by @jkowalleck in #324
- Merges detectionContext properties with component evidence by @bhess in #325
- CBOM: merges relatedCryptoMaterial and key asset types by @bhess in #313
- refactor: centralize version and version-range by @jkowalleck in #322
- docs: improve SPDX expression docs by @jkowalleck in #327
- chore(deps): bump actions/setup-node from 3 to 4 by @dependabot in #328
- CBOM: adds 'parameterSetIdentifier' property, replacing 'variant' by @bhess in #339
- Enhance descriptions of bom-ref by @andreas-hilti in #344
- Review description fields of 'algorithmProperties' by @bhess in #350
- chore(deps): bump actions/setup-java from 3 to 4 by @dependabot in #352
- chore(deps): bump actions/setup-python from 4 to 5 by @dependabot in #355
- tests: java tests run against CDX1.5 by @jkowalleck in #356
- Support for hybrids/combiners: add 'combiner' as primitive by @bhess in #353
- ci: split workflows by @jkowalleck in https://github.com/CycloneDX/speci...
1.5
Added Machine Learning Bill of Materials (ML-BOM), Formulation (MBOM), Lifecycles, Identity Evidence, Annotations, and Low-code/no-code application support. And much more.
Announcement: https://cyclonedx.org/news/cyclonedx-v1.5-released/
What's Changed
- Preserve keys, but fix potential JSON pointers to reflect actual DOM… by @mrutkows in #125
- add GH-workflow: php ci by @jkowalleck in #110
- fix CWEs example by @kabo in #144
- Fix invalid ref in tools/src/test/resources/1.4/valid-vulnerability-1.4.json by @damiencarol in #127
- fix: add missing Vulnerability.properties types in schema 1.4 by @desenna in #148
- Update Description by @msymons in #172
- Added firstIssued and lastUpdated timestamps to vulnerability analysis by @stevespringett in #176
- Resolves #130 - missing BOM properties in JSON and protobuf schemas by @stevespringett in #170
- Add licensing support and unit tests by @stevespringett in #175
- Added property support to license along with unit tests by @stevespringett in #177
- Add annotations support and valid test cases by @stevespringett in #169
- Adding support for security contact by @stevespringett in #180
- Adding support vulnerability rejected timestamp along with unit tests by @stevespringett in #181
- Added additional external references by @stevespringett in #189
- Added device driver component type by @stevespringett in #190
- Extend service dataflow support by @stevespringett in #194
- Added support for CVSSv4 by @stevespringett in #195
- Deprecated tool in favor of components and services used as tools by @stevespringett in #198
- Added identity and occurrences to evidence. Updated test cases. by @stevespringett in #199
- Add proof of concept support to vulnerability by @stevespringett in #200
- fix vulnerability.affects[].versions[].range ref by @jkowalleck in #219
- fix vulnerability.affects[].versions[].range ref by @jkowalleck in #218
- Added support for ML by @stevespringett in #209
- hint for device properties by @jkowalleck in #221
- hint for device properties by @jkowalleck in #220
- Added additional compositions and identity by @stevespringett in #212
- Added lifecycle support by @stevespringett in #213
- Adding external reference support for adversary model and risk assessment by @stevespringett in #215
- fix JSON schema issues found by AJV by @jkowalleck in #230
- licenseChoice streamlined by @jkowalleck in #205
- fix: XML schema 1.4 make all ref arguments type="bom:refType" by @jkowalleck in #183
- schema: own type for ref/bom-ref by @jkowalleck in #115
- Fixing missing data governance on service data by @stevespringett in #234
- Introduce type for BOM-Link by @jkowalleck in #235
- Added poam as external reference type by @stevespringett in #227
- Added bom-refs to organizationalEntity and organizationalContact by @stevespringett in #228
- schema validate VS test data - php by @jkowalleck in #237
- v1.5 validate XML/JSON test-data against schema - php by @jkowalleck in #238
- fixed test data by @jkowalleck in #239
- v1.5 fixed test data by @jkowalleck in #240
- validate JSON test data against schema - JS by @jkowalleck in #241
- Add SSVC to existing rating methods by @stevespringett in #224
- Added formulation support and test cases by @stevespringett in #222
- intro to explicitly linked elements by @jkowalleck in #236
- V1.5 dev resourceReferenceChoice ref clarifications by @jkowalleck in #251
- V1.5 JSON: fix oneOf documentations by @jkowalleck in #258
- v1.5 complete linkable licenses by @jkowalleck in #252
- streamline VulnerabilityReference by @jkowalleck in #253
- [WIP] finalize 1.5 by @jkowalleck in #231
New Contributors
- @kabo made their first contribution in #144
- @damiencarol made their first contribution in #127
- @desenna made their first contribution in #148
Full Changelog: 1.4...1.5
1.4
Added support for Vulnerability Exploitability Exchange (VEX), a standard release notes format, improved hardware device support and many other small improvements.
Announcement: https://cyclonedx.org/news/cyclonedx-v1.4-released/
What's Changed
- Added external references support to tools by @stevespringett in #102
- Made component version optional by @stevespringett in #92
- Added vulnerabilities as part of core spec by @stevespringett in #91
- Implemented release notes in XML, JSON, and Protobuf by @stevespringett in #88
- Implemented JSF in the core spec by @stevespringett in #93
- JSON strict: add optional root property $schema by @jkowalleck in #107
- spec1.4 JSON fixes #83 by @jkowalleck in #109
- spec 1.4 JSON schema: remove unnecessary self-shadowing $id by @jkowalleck in #111
- schema spec1.4: own type for ref/bom-ref by @jkowalleck in #116
- spec1.4 JSON schema: bugfixes #83 by @jkowalleck in #117
- Add service release notes to v1.4 proto file by @coderpatros in #120
- v1.4 General Availability by @stevespringett in #121
Full Changelog: 1.3...1.4
1.3
Implemented support for compositions which precisely describe the completeness of relationships (component assemblies and dependencies). Added name-value store that can be used to describe additional data about the components, services, or the SBOM that isn’t native to the core specification. Improved support for copyright holders and licenses as additional evidence. Added license support for the SBOM itself. Added support for Protocol Buffers to make machine to machine SBOM transport more efficient.
Announcement: https://cyclonedx.org/news/cyclonedx-v1.3-released/
What's Changed
- Bump junit from 4.12 to 4.13.1 in /tools by @dependabot in #39
- manufacture grammar fix by @bradh in #58
- Add protobuf format by @coderpatros in #54
- Add BOM license information by @coderpatros in #52
- Added support for key/value store (properties) by @stevespringett in #55
- Initial implementation for compositions (known unknowns) by @stevespringett in #59
- Added support for evidence of licenses and copyrights by @stevespringett in #61
- Refactor BOM license to make use of license choice type by @coderpatros in #65
- Tracking updates to protobuf format for feedback by @coderpatros in #66
- #69 - Added support for hashes on external references. Added unit tests by @stevespringett in #71
- URI cleanup for JSON by @stevespringett in #68
- Removed default empty string and unnecessary regex pattern by @stevespringett in #74
- Fix a few places where uri-reference has been applied at the array level instead of the array item level by @coderpatros in #75
- Specification v1.3 by @coderpatros in #63
- v1.3 Release candidate - Removing snapshot in preparation for release by @stevespringett in #76
- Bump commons-io from 2.5 to 2.7 in /tools by @dependabot in #64
Full Changelog: 1.2...1.3
1.2
This release includes ‘firmware’ and ‘container’ component types, SWID tags, service components, applied patches, JSON support, and enhanced BOM metadata and dependency graphs previously only available through extensions.
What's Changed
- Draft vulnerability schema extension by @kakumara in #19
- Delete CODE_OF_CONDUCT.md by @coderpatros in #25
Full Changelog: 1.1...1.2
1.1
1.0
CycloneDX 1.0 — 26 March 2018