[1.7] - Updates from CBOM working group #657
Merged
jkowalleck merged 76 commits into 1.7-dev (Sep 7, 2025)
Signed-off-by: Steve Springett <steve@springett.us>
Signed-off-by: Basil Hess <bhe@zurich.ibm.com>
Signed-off-by: Basil Hess <bhe@zurich.ibm.com>
- Adds a few more algorithms
- Converts URLs to standards to DOI links, where available.
- Checks if URLs work

TODO / progress
- [x] JSON schema
- [ ] XML schema
- [ ] ProtoBuf schema

Signed-off-by: Basil Hess <bhe@zurich.ibm.com>
Signed-off-by: Basil Hess <bhe@zurich.ibm.com>
Signed-off-by: Basil Hess <bhe@zurich.ibm.com>
- Extends cryptography-defs.json list with algorithms from PKCS11
- Changes schema for crypto-defs to allow different variant patterns corresponding to different primitives
- Adds "key-wrap" as a new primitive
Signed-off-by: Nicklas Körtge <nicklas.koertge1@ibm.com>
{placeholder} -> required parameter with placeholder
(option1|option2) -> required parameter with fixed alternatives
[parameter] -> optional parameter
[-{placeholder}] -> optional parameter with literal separator
Signed-off-by: Basil Hess <bhe@zurich.ibm.com>
Signed-off-by: Basil Hess <bhe@zurich.ibm.com>
…phy-defs.schema.json
This PR will add a python script that can be used to generate an enum-object for the cyclonedx json schema that reflects algorithm families defined in `cryptography-defs.json`.
The following rules apply for the patterns:
{placeholder} -> required parameter with placeholder
(option1|option2) -> required parameter with fixed alternatives
[parameter] -> optional parameter
[-{placeholder}] -> optional parameter with literal separator
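As an added example (not the PR's generator script and not code from the CycloneDX project), here is one reading of the four pattern rules above as a Python converter from a definition pattern to an anchored regular expression, plus a small classifier that maps an algorithm name to the first family pattern it matches. The placeholder character class, the helper names and the sample family patterns are this example's assumptions, not the contents of `cryptography-defs.json`.

```python
import re

# Assumed shape of a filled-in {placeholder}: one or more name characters and
# no separator. This is this example's choice, not a rule from the PR.
PLACEHOLDER_RE = r"[A-Za-z0-9_.]+"


def _convert(pattern, i, stop):
    """Translate pattern[i:] up to (not including) a character in `stop`.

    Returns (regex_fragment, index of the stop character or end of string).
    """
    out = []
    while i < len(pattern) and pattern[i] not in stop:
        c = pattern[i]
        if c == "{":
            # {placeholder} -> required parameter: match exactly one name token
            close = pattern.index("}", i)
            out.append(PLACEHOLDER_RE)
            i = close + 1
        elif c == "(":
            # (option1|option2) -> required parameter with fixed alternatives
            alts = []
            i += 1
            while True:
                alt, i = _convert(pattern, i, "|)")
                if i >= len(pattern):
                    raise ValueError("unterminated '(' in %r" % pattern)
                alts.append(alt)
                if pattern[i] == ")":
                    i += 1
                    break
                i += 1  # skip '|' and read the next alternative
            out.append("(?:" + "|".join(alts) + ")")
        elif c == "[":
            # [parameter] / [-{placeholder}] -> optional parameter; a literal
            # separator written inside the brackets stays inside the group
            inner, i = _convert(pattern, i + 1, "]")
            if i >= len(pattern):
                raise ValueError("unterminated '[' in %r" % pattern)
            out.append("(?:" + inner + ")?")
            i += 1
        else:
            out.append(re.escape(c))  # literal text such as 'AES' or '-'
            i += 1
    return "".join(out), i


def pattern_to_regex(pattern):
    """Compile one definition pattern into an anchored regular expression."""
    body, _ = _convert(pattern, 0, "")
    return re.compile("^" + body + "$")


def matches(pattern, name):
    return pattern_to_regex(pattern).match(name) is not None


# Constructed sample families (illustrative only).
SAMPLE_FAMILIES = {
    "AES": "AES-{keysize}-(CBC|CTR|GCM)",
    "RSA": "RSA[-{keysize}]",
    "ChaCha20": "ChaCha20[-Poly1305]",
    "SHA-3": "SHA3-(224|256|384|512)",
    "ML-KEM": "ML-KEM-(512|768|1024)",
}


def classify(name, families=SAMPLE_FAMILIES):
    """Return the family key whose pattern matches `name`, or None."""
    for family, pattern in families.items():
        if matches(pattern, name):
            return family
    return None


if __name__ == "__main__":
    for n in ["AES-256-GCM", "AES-GCM", "RSA", "RSA-2048", "RSA-",
              "ChaCha20-Poly1305", "SHA3-256", "ML-KEM-768", "SHA3-1024"]:
        print(f"{n:20} -> {classify(n)}")
```

Note that a required `{placeholder}` must consume at least one character, so `AES-GCM` does not match `AES-{keysize}-(CBC|GCM)` and `RSA-` does not match `RSA[-{keysize}]`; an unbalanced group raises rather than silently producing a permissive expression.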
Signed-off-by: Steve Springett <steve@springett.us>
Signed-off-by: Steve Springett <steve@springett.us>
Signed-off-by: Steve Springett <steve@springett.us>
Signed-off-by: Steve Springett <steve@springett.us>
Signed-off-by: Steve Springett <steve@springett.us>
Signed-off-by: Nicklas Körtge <nicklas.koertge1@ibm.com>
Signed-off-by: Nicklas Körtge <nicklas.koertge1@ibm.com>
Member
@stevespringett, what do you think about #677? This will remove any breaking changes in the PB implementations.
Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com>
jkowalleck
requested changes
Sep 3, 2025
Member
jkowalleck
left a comment
Remove the word "optional" where possible. The information about which fields are optional is clearly visible in the schema.
see #649 (comment) and #616 (comment)
Co-authored-by: Jan Kowalleck <jan.kowalleck@owasp.org> Signed-off-by: Steve Springett <steve@springett.us>
Co-authored-by: Jan Kowalleck <jan.kowalleck@owasp.org> Signed-off-by: Steve Springett <steve@springett.us>
Co-authored-by: Jan Kowalleck <jan.kowalleck@owasp.org> Signed-off-by: Steve Springett <steve@springett.us>
Iteration over the crypto definitions, extending the list with more algorithms. No changes to the schema.
Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com>
Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com>
… for ProtoBuf (#677) removed breaking changes in Protocol Buffer schema regarding CBOM changes caused by #657 (comment)
jkowalleck
approved these changes
Sep 7, 2025
Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com>
jkowalleck
approved these changes
Sep 7, 2025
This was referenced Sep 7, 2025
stevespringett
added a commit
that referenced
this pull request
Oct 21, 2025
## Fixed
* XML schema: add type for `ComponentData` sub-elements ([#600] via [#601])
* JSON schema: added the correct `deprecated` mark for already deprecated structures (via [a973a6b])

## Deprecated
* Deprecated various fields and structures related to _cryptographic transparency_ - _CBOM_. (via [#657])
  Use the newly added structures and fields for detailing the information instead.

## Changed
* Extended the scope of _formulations_. (via [#647])
  From now on, _formulations_ may be used to describe how any referencable object within the BOM came together, including components, services, metadata, declarations, or the BOM itself. Before, it was restricted to components and services.

## Added
* Support for _external components_ with _version-ranges_ ([#321] via [#586])
* Support for _multiple_ SPDX License Expressions alongside with other licenses ([#454] via [#582])
* Support for _Streebog hashing algorithm_ ([#485] via [#525])
* Support for license expression _details and properties_ ([#549], [#554] via [#599])
* Support for expressing BOM distribution constraints with the _Traffic Light Protocol_ (TLP) in metadata ([#595] via [#604], [#653])
* Support for representing _patent information_ ([#596] via [#597])
* Support for _properties_ on external-references ([#608] via [#610])
* Support for _citations_ ([#630] via [#629])
* Support for detailing _cryptographic transparency_ information - _CBOM_ ([#569] via [#657])

## Documentation
* Elaborated component classification "platform", explicitly expressed that it includes just-in-time compilers and interpreters ([#233] via [#647])
* Removed the term "optional" from the schema where the definition was already unambiguous ([#616], [#649] via [#680])

## Test data
* Add test data for CycloneDX 1.7 implementations in XML, JSON, Protobuf

[#233]: #233
[#321]: #321
[#454]: #454
[#485]: #485
[#525]: #525
[#549]: #549
[#554]: #554
[#569]: #569
[#582]: #582
[#586]: #586
[#595]: #595
[#596]: #596
[#597]: #597
[#599]: #599
[#600]: #600
[#601]: #601
[#604]: #604
[#608]: #608
[#610]: #610
[#616]: #616
[#629]: #629
[#630]: #630
[#647]: #647
[#649]: #649
[#653]: #653
[#657]: #657
[#680]: #680
[a973a6b]: a973a6b

----
- fixes #233
- fixes #321
- fixes #454
- fixes #485
- fixes #549
- fixes #554
- fixes #595
- fixes #596
- fixes #600
- fixes #608
- fixes #629
- fixes #616
- fixes #649
luckystar-crypto pushed a commit to luckystar-crypto/specification that referenced this pull request (Jan 27, 2026): … for ProtoBuf (#677), same message as the commit above.
luckystar-crypto pushed a commit to luckystar-crypto/specification that referenced this pull request (Jan 27, 2026): the 1.7 release-notes commit, same message as the one stevespringett added above.
jvdsn pushed a commit to jvdsn/specification that referenced this pull request (Feb 23, 2026): … for ProtoBuf (CycloneDX#677), same message as the commit above.
jvdsn pushed a commit to jvdsn/specification that referenced this pull request (Feb 23, 2026): the merge commit of this pull request, whose message is this pull request's description (below).
jvdsn pushed a commit to jvdsn/specification that referenced this pull request (Feb 23, 2026): the 1.7 release-notes commit, same message as the one stevespringett added above.
The cryptography working group has received feedback from real-world usage and has made enhancements to the CBOM specification:
- enum `CryptoProperties.AlgorithmProperties.CryptoPrimitive` got a new case "key-wrap".
- added field `CryptoProperties.AlgorithmProperties.algorithmFamily`
- added field `CryptoProperties.AlgorithmProperties.ellipticCurve`
- deprecated field `CryptoProperties.AlgorithmProperties.curve`
- added field `CryptoProperties.CertificateProperties.serialNumber`
- added field `CryptoProperties.CertificateProperties.certificateFileExtension`
- deprecated field `CryptoProperties.CertificateProperties.certificateExtension`
- deprecated field `CryptoProperties.CertificateProperties.signatureAlgorithmRef`
- deprecated field `CryptoProperties.CertificateProperties.subjectPublicKeyRef`
- added field `CryptoProperties.CertificateProperties.fingerprint`
- added field `CryptoProperties.CertificateProperties.certificateState`
- added field `CryptoProperties.CertificateProperties.creationDate`
- added field `CryptoProperties.CertificateProperties.activationDate`
- added field `CryptoProperties.CertificateProperties.deactivationDate`
- added field `CryptoProperties.CertificateProperties.revocationDate`
- added field `CryptoProperties.CertificateProperties.destructionDate`
- added field `CryptoProperties.CertificateProperties.certificateExtensions`
- added field `CryptoProperties.CertificateProperties.relatedCryptographicAssets`
- deprecated field `CryptoProperties.RelatedCryptoMaterialProperties.algorithmRef`
- added field `CryptoProperties.RelatedCryptoMaterialProperties.fingerprint`
- added field `CryptoProperties.RelatedCryptoMaterialProperties.relatedCryptographicAssets`
- enum `CryptoProperties.ProtocolProperties.CryptoProtocolType` got new cases: `DTLS`, `QUIC`, `AKA`, `AKA_PRIME`, `PRINS`, `5G_AKA`
- added field `CryptoProperties.ProtocolProperties.CryptoProtocolCipherSuite.tlsGroups`
- added field `CryptoProperties.ProtocolProperties.CryptoProtocolCipherSuite.tlsSignatureSchemes`
- deprecated ikev2Trans information as strings (BOM-links)
- added capabilities to capture ikev2Trans information in detailed form

Closes #569

----

RFC notice sent 2025-07-26
This RFC will be open for 4 weeks. At the end of the RFC period the CycloneDX community will vote, by lazy consensus, to accept or reject the proposal.
RFC period end: 2025-08-23

----

TODO/DONE
- [x] add examples for XML
- [x] add examples for JSON
- [x] add examples for ProtoBuf
- [x] implement for XML
- [x] implement for JSON
- [x] implement for ProtoBuf
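A migration check for the deprecations above, as an added example that is not part of this pull request or of the CycloneDX project: a Python script that walks a 1.6-style CBOM and reports every use of a field this PR deprecates, so a producer can fix its output before moving to 1.7. The JSON key names `cryptoProperties`, `algorithmProperties`, `certificateProperties` and `relatedCryptoMaterialProperties` are assumed from the CycloneDX JSON camelCase layout, the suggested replacements are this example's reading of the release note's "use the newly added structures and fields instead" (the ones marked `assumed` are not stated anywhere on this page), and the sample BOM is constructed.

```python
# Deprecations listed in this pull request's description, keyed by the assumed
# JSON path under cryptoProperties. The replacement column is this example's
# suggestion, not a mapping published by the working group.
DEPRECATED_FIELDS = {
    "algorithmProperties.curve":
        "algorithmProperties.ellipticCurve",
    "certificateProperties.certificateExtension":
        "certificateProperties.certificateFileExtension",
    "certificateProperties.signatureAlgorithmRef":
        "certificateProperties.relatedCryptographicAssets (assumed)",
    "certificateProperties.subjectPublicKeyRef":
        "certificateProperties.relatedCryptographicAssets (assumed)",
    "relatedCryptoMaterialProperties.algorithmRef":
        "relatedCryptoMaterialProperties.relatedCryptographicAssets (assumed)",
}
# The IKEv2 transform strings the PR also deprecates are not checked here.


def iter_components(components):
    """Yield each component, descending into nested `components` arrays."""
    for comp in components or []:
        yield comp
        yield from iter_components(comp.get("components"))


def find_deprecated(bom):
    """Return (bom-ref, dotted field path, suggested replacement) triples."""
    findings = []
    roots = list(bom.get("components") or [])
    meta_comp = (bom.get("metadata") or {}).get("component")
    if meta_comp:
        roots.insert(0, meta_comp)
    for comp in iter_components(roots):
        crypto = comp.get("cryptoProperties") or {}
        ref = comp.get("bom-ref", "<no bom-ref>")
        for path, replacement in DEPRECATED_FIELDS.items():
            container, field = path.split(".")
            if field in (crypto.get(container) or {}):
                findings.append((ref, "cryptoProperties." + path, replacement))
    return findings


def report(bom):
    """One line per finding, suitable for a CI log."""
    return "\n".join(
        f"{ref}: {path} is deprecated in 1.7; consider {repl}"
        for ref, path, repl in find_deprecated(bom)
    )


# Constructed 1.6-style CBOM fragment (sample input, not a real BOM).
SAMPLE_BOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.6",
    "components": [
        {
            "type": "cryptographic-asset",
            "name": "leaf certificate",
            "bom-ref": "crypto/certificate/example-leaf",
            "cryptoProperties": {
                "assetType": "certificate",
                "certificateProperties": {
                    "certificateFormat": "X.509",
                    "certificateExtension": "crt",
                    "signatureAlgorithmRef": "crypto/algorithm/rsa-sha256",
                    "subjectPublicKeyRef": "crypto/algorithm/rsa-2048",
                },
            },
            # nested component, to exercise the recursive walk
            "components": [
                {
                    "type": "cryptographic-asset",
                    "name": "leaf private key",
                    "bom-ref": "crypto/key/example-leaf",
                    "cryptoProperties": {
                        "assetType": "related-crypto-material",
                        "relatedCryptoMaterialProperties": {
                            "type": "private-key",
                            "algorithmRef": "crypto/algorithm/rsa-2048",
                        },
                    },
                }
            ],
        },
        {
            "type": "cryptographic-asset",
            "name": "ECDSA P-256",
            "bom-ref": "crypto/algorithm/ecdsa-p256",
            "cryptoProperties": {
                "assetType": "algorithm",
                "algorithmProperties": {"primitive": "signature", "curve": "secp256r1"},
            },
        },
    ],
}

if __name__ == "__main__":
    print(report(SAMPLE_BOM))
```

The walk is recursive because components may nest, and it also covers `metadata.component`; a BOM that uses none of the deprecated fields yields an empty list, so the check can gate a pipeline on `find_deprecated(bom) == []`.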