Skip to content

[WIP] CycloneDX v2.0 Specification #652

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Draft
stevespringett wants to merge 78 commits into
base: master
Choose a base branch
from
Draft

[WIP] CycloneDX v2.0 Specification #652

stevespringett wants to merge 78 commits into from
+24,411 −11

Conversation

@stevespringett
Copy link
Member

@stevespringett stevespringett commented Jun 15, 2025

No description provided.

@stevespringett
Initial commit
eac0ac6 
Signed-off-by: Steve Springett <steve@springett.us>
@stevespringett stevespringett added this to the 2.0 milestone Jun 15, 2025
@stevespringett stevespringett self-assigned this Jun 15, 2025
@stevespringett stevespringett added the CDX 2.0 related to release v2.0 label Jun 15, 2025
@stevespringett stevespringett linked an issue Jun 15, 2025 that may be closed by this pull request
CycloneDX 2.0 #631
Open
@jkowalleck jkowalleck changed the title CycloneDX v2.0 Specification [WIP] CycloneDX v2.0 Specification Jun 16, 2025
github-advanced-security[bot]
github-advanced-security bot found potential problems Nov 11, 2025
View reviewed changes
@stevespringett
Revert "Syncing with master"
dae213a 
This reverts commit bde33b2.
@stevespringett
Added schema bundler and updated readme.
fbaf3de 
Signed-off-by: Steve Springett <steve@springett.us>
github-advanced-security[bot]
github-advanced-security bot found potential problems Nov 11, 2025
View reviewed changes
stevespringett and others added 7 commits November 11, 2025 17:20
@stevespringett
Adding GitHub Action to combine schemas
0d74d96 
Signed-off-by: Steve Springett <steve@springett.us>
@stevespringett
Updated branches
51fbf49 
Signed-off-by: Steve Springett <steve@springett.us>
@stevespringett
Updating action
b4721e1 
Signed-off-by: Steve Springett <steve@springett.us>
@github-actions
chore: update bundled schema [skip ci]
91ec8e0
@stevespringett
Updated docgen for 2.0
c4d6c82 
Signed-off-by: Steve Springett <steve@springett.us>
@stevespringett
Added minified bundling
b6fed22 
Signed-off-by: Steve Springett <steve@springett.us>
@github-actions
chore: update bundled schemas [skip ci]
173a276
github-advanced-security[bot]
github-advanced-security bot found potential problems Nov 12, 2025
View reviewed changes
github-advanced-security[bot]
github-advanced-security bot found potential problems Nov 12, 2025
View reviewed changes
stevespringett and others added 6 commits November 24, 2025 15:57
@stevespringett
Fixed resolution issues
c46624c 
Signed-off-by: Steve Springett <steve@springett.us>
@github-actions
chore: update bundled schemas [skip ci]
ed3eb38
@stevespringett
Added ref verification
7aceff4 
Signed-off-by: Steve Springett <steve@springett.us>
@stevespringett
Merge remote-tracking branch 'origin/2.0-dev' into 2.0-dev
70ea2fa
@stevespringett
Updated JSON Schema for Humans
dd45ceb 
Signed-off-by: Steve Springett <steve@springett.us>
@stevespringett
Initial commit of CycloneDX linter
b8abb0c 
Signed-off-by: Steve Springett <steve@springett.us>
stevespringett and others added 30 commits December 1, 2025 13:46
@stevespringett
Removed properties from license. Removed unused model files.
93f57a5 
Signed-off-by: Steve Springett <steve@springett.us>
@github-actions
chore: update bundled schemas [skip ci]
1caff3e
@stevespringett
Removed extensible properties to root object.
5012f06 
Signed-off-by: Steve Springett <steve@springett.us>
@github-actions
chore: update bundled schemas [skip ci]
66cd80e
@stevespringett
Ported service model.
c23f59b 
Signed-off-by: Steve Springett <steve@springett.us>
@github-actions
chore: update bundled schemas [skip ci]
691bc49
@stevespringett
Fixed extensibleProperties defect preventing validation
2d9b07a 
Signed-off-by: Steve Springett <steve@springett.us>
@github-actions
chore: update bundled schemas [skip ci]
7ddf4b8
@stevespringett
Fixed properties defect.
da1b173 
Signed-off-by: Steve Springett <steve@springett.us>
@github-actions
chore: update bundled schemas [skip ci]
dde65f3
@stevespringett
Synced external references with 1.7 version
57beb2e 
Signed-off-by: Steve Springett <steve@springett.us>
@github-actions
chore: update bundled schemas [skip ci]
2114c27
@stevespringett
Fixed property issue with component
5f14c2a 
Signed-off-by: Steve Springett <steve@springett.us>
@github-actions
chore: update bundled schemas [skip ci]
9f13aae
@stevespringett
Fixed composition model
3a80369 
Signed-off-by: Steve Springett <steve@springett.us>
@github-actions
chore: update bundled schemas [skip ci]
0d619e3
@stevespringett
Synced hash with v1.7 version
75c344d 
Signed-off-by: Steve Springett <steve@springett.us>
@github-actions
chore: update bundled schemas [skip ci]
8db8674
@stevespringett
Fixed copyright issue to align with how v1.7 does it.
1c8bab8 
Signed-off-by: Steve Springett <steve@springett.us>
@github-actions
chore: update bundled schemas [skip ci]
9c8c622
@stevespringett
Ported 1.7 unit tests to 2.0.
6a39e36 
Signed-off-by: Steve Springett <steve@springett.us>
@bhess
feat(cryptography): implement CBOM v2.0 enhancements from #738
b7585b0 
Implement the following features for CBOM v2.0:

- Change implementationPlatform to array to support multiple platforms
- Add keyUsage property to cryptoProperties and relatedCryptoMaterialProperties
  (open string array with examples: CIPHER, SIGN, VERIFY, WRAP, UNWRAP, etc.)
- Add secProperties to algorithmProperties for security properties
  (open string array with examples: IND-CPA, IND-CCA, SUF-CMA, EUF-CMA, etc.)
- Extend evidence/occurrences with system metadata: accountInfo, systemOwner
- Extend evidence/occurrences with process metadata: startTime, endTime, usageCount
- Change securedBy.algorithmRef to array of refs to support linking multiple
  securing assets (algorithms, hardware, keys, etc.)

Extend cryptoProperties.mode/padding/cryptoFunctions

Signed-off-by: Basil Hess <bhe@zurich.ibm.com>
@stevespringett
must -> shall
2a6e499 
Signed-off-by: Steve Springett <steve@springett.us>
@github-actions
chore: update bundled schemas [skip ci]
8ca8115
@bhess
Improved description of secProperties
daa4052 
Signed-off-by: Basil Hess <bhe@zurich.ibm.com>
@bhess
- Creates "cryptographicFunction" definition, used by algorithm/crypt…
54b6e3b 
…oFunctions and relatedCryptoMaterial/keyUsage

- Makes sure meta:enum descriptions are added for new definitions in the PR
- Adds riscv64/riscv32 to implementation platforms

Signed-off-by: Basil Hess <bhe@zurich.ibm.com>
@github-actions
chore: update bundled schemas [skip ci]
ea64f8b
@stevespringett
Merge branch '2.0-dev' into 2.0-dev
c53250b 
Signed-off-by: Steve Springett <steve@springett.us>
@stevespringett
CBOM 2.0 features (#769)
1c9fc9e 
Implement the following features for CBOM v2.0 as described in #738 

- Change implementationPlatform to array to support multiple platforms
- Add keyUsage property to cryptoProperties and
relatedCryptoMaterialProperties
(open string array with examples: CIPHER, SIGN, VERIFY, WRAP, UNWRAP,
etc.)
- Add secProperties to algorithmProperties for security properties
(open string array with examples: IND-CPA, IND-CCA, SUF-CMA, EUF-CMA,
etc.)
- Extend evidence/occurrences with system metadata: accountInfo,
systemOwner
- Extend evidence/occurrences with process metadata: startTime, endTime,
usageCount
- Change securedBy.algorithmRef to array of refs to support linking
multiple
  securing assets (algorithms, hardware, keys, etc.)

Fixes #738

Adds support for pss in cryptoProperties.algorithmProperties.padding
Fixes #747

Adds support for key agreement or exchange in
cryptoProperties.algorithmProperties.cryptoFunctions
Fixes #748 

Adds support for additional cipher modes in
cryptoProperties.algorithmProperties.mode
Fixes #749
@github-actions
chore: update bundled schemas [skip ci]
338edcf
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

@stevespringett stevespringett

Labels

CDX 2.0 related to release v2.0

Projects

None yet

Milestone

2.0

Development

Successfully merging this pull request may close these issues.

CycloneDX 2.0

3 participants

@stevespringett @bhess