OWASP CycloneDX is a full-stack Bill of Materials (BOM) standard that provides advanced supply chain capabilities for cyber risk reduction. Supported BOM types include SBOM, SaaSBOM, HBOM, AI/ML-BOM, CBOM, OBOM, MBOM, VDR, and VEX.
CycloneDX 1.0 — 26 March 2018
CycloneDX 1.1 — 03 March 2019
Full Changelog: https://github.com/CycloneDX/specification/compare/1.0...1.1
CycloneDX 1.6
Major new additions include support for cryptographic assets (CBOM) and CycloneDX Attestations (CDXA). CycloneDX v1.6 forms the basis of a future Ecma International standard.
Announcement: https://cyclonedx.org/news/cyclonedx-v1.6-released/
- `license` entities by XML schema (#288 via #292)
- `property` entities by JSON schema (#371 via #375)
- `licenses` in Metadata by Protobuf schema (#264 via #401)
- `$schema` values by JSON schema (#402 via #403)
- `versionRange` (via 3e01ce6)
- `version` (via #417)
- `author` was deprecated (via #379). Use the field `authors` or the field `manufacturer` instead.
- `manufacture` was deprecated (#346 via #379). Use the `manufacturer` field of Metadata's `component` instead:
  - /bom/metadata/component/manufacturer
  - $.metadata.component.manufacturer
  - Bom:metadata.component.manufacturer
- `bom-ref`/`refType` (#336 via #344)
- (via d92e58e)
- `licenses` (#273 via #378)
- `valid-service` by @jkowalleck in https://github.com/CycloneDX/specification/pull/297
- `@CycloneDX/core-team` as default reviewers by @jkowalleck in https://github.com/CycloneDX/specification/pull/298
- `bom-ref` in test data `valid-compositions` by @tokcum in https://github.com/CycloneDX/specification/pull/302
- `bom-ref` in test data `valid-compositions` by @jkowalleck in https://github.com/CycloneDX/specification/pull/304
- `bom-ref` by @andreas-hilti in https://github.com/CycloneDX/specification/pull/344
- `source-distribution` element to `externalReferenceType` by @tsjensen in https://github.com/CycloneDX/specification/pull/269
- `provides` by @jkowalleck in https://github.com/CycloneDX/specification/pull/366
- `attestations[].map[].counterClaim` by @idunbarh in https://github.com/CycloneDX/specification/pull/374
- `meta:enum` descriptions for task types by @mrutkows in https://github.com/CycloneDX/specification/pull/377
- `$.metadata.licenses` by @jkowalleck in https://github.com/CycloneDX/specification/pull/378
- `*.textproto` by @jkowalleck in https://github.com/CycloneDX/specification/pull/393
- `$schema` annotation by @jkowalleck in https://github.com/CycloneDX/specification/pull/403
- `Metadata.licenses` repeated by @jkowalleck in https://github.com/CycloneDX/specification/pull/401
- `versionRange` according to VERS spec by @jkowalleck in https://github.com/CycloneDX/specification/pull/415
Full Changelog: https://github.com/CycloneDX/specification/compare/1.5...1.6
CycloneDX 1.5
Added Machine Learning Bill of Materials (ML-BOM), Formulation (MBOM), Lifecycles, Identity Evidence, Annotations, and Low-code/no-code application support. And much more.
Announcement: https://cyclonedx.org/news/cyclonedx-v1.5-released/
- `Vulnerability.properties` types in schema 1.4 by @desenna in https://github.com/CycloneDX/specification/pull/148
- `vulnerability.affects[].versions[].range` ref by @jkowalleck in https://github.com/CycloneDX/specification/pull/219
- `vulnerability.affects[].versions[].range` ref by @jkowalleck in https://github.com/CycloneDX/specification/pull/218
- `licenseChoice` streamlined by @jkowalleck in https://github.com/CycloneDX/specification/pull/205
- `ref` arguments `type="bom:refType"` by @jkowalleck in https://github.com/CycloneDX/specification/pull/183
- `ref`/`bom-ref` by @jkowalleck in https://github.com/CycloneDX/specification/pull/115
- `oneOf` documentations by @jkowalleck in https://github.com/CycloneDX/specification/pull/258
Full Changelog: https://github.com/CycloneDX/specification/compare/1.4...1.5
CycloneDX 1.4
Added support for Vulnerability Exploitability Exchange (VEX), a standard release notes format, improved hardware device support and many other small improvements.
Announcement: https://cyclonedx.org/news/cyclonedx-v1.4-released/
- `$schema` by @jkowalleck in https://github.com/CycloneDX/specification/pull/107
- `$id` by @jkowalleck in https://github.com/CycloneDX/specification/pull/111
- `ref`/`bom-ref` by @jkowalleck in https://github.com/CycloneDX/specification/pull/116
Full Changelog: https://github.com/CycloneDX/specification/compare/1.3...1.4
CycloneDX 1.3
Implemented support for compositions, which precisely describe the completeness of relationships (component assemblies and dependencies). Added a name-value store that can be used to describe additional data about the components, services, or the SBOM that isn't native to the core specification. Improved support for copyright holders and licenses as additional evidence. Added license support for the SBOM itself. Added support for Protocol Buffers to make machine-to-machine SBOM transport more efficient.
Announcement: https://cyclonedx.org/news/cyclonedx-v1.3-released/
Full Changelog: https://github.com/CycloneDX/specification/compare/1.2...1.3
CycloneDX 1.2
This release includes 'firmware' and 'container' component types, SWID tags, service components, applied patches, JSON support, and enhanced BOM metadata and dependency graphs previously only available through extensions.
Full Changelog: https://github.com/CycloneDX/specification/compare/1.1...1.2