1.6

Major new additions include support for cryptographic assets (CBOM) and CycloneDX Attestations (CDXA). CycloneDX v1.6 forms the basis of a future Ecma International standard.

Announcement: https://cyclonedx.org/news/cyclonedx-v1.6-released/

---

Added

• Core enhancement: Cryptography Bill of Materials — CBOM (#171, #291 via #347)
• Core enhancement: Attestation — CDXA (#192 via #348)
• Feature to express the URL to source distribution (#98 via #269)
• Feature to express the URL to RFC 9116 compliant documents (#380 via #381)
• Feature to express tags/keywords for services and components (via #383)
• Feature to express details for component authors (#335 via #379)
• Feature to express details for component and BOM manufacturer (#346 via #379)
• Feature to express communicate concluded values from observed evidences (#411 via #412)
• Features to express license acknowledgement (#407 via #408)
• Feature to express environmental consideration information for model cards (#396 via #395)
• Feature to express the address of organizational entities (via #395)
• Feature to express additional component identifiers: Universal Bill Of Receipts Identifier and Software Heritage persistent IDs (#413 via #414)

Fixed

• Allow multiple evidence identities by XML/JSON schema (#272 via #359)
  This was already correct via ProtoBuff schema.
• Prevent empty license entities by XML schema (#288 via #292)
  This was already correct in JSON/ProtoBuff schema.
• Prevent empty or malformed property entities by JSON schema (#371 via #375)
  This was already correct in XML/ProtoBuff schema.
• Allow multiple licenses in Metadata by ProtoBuff schema (#264 via #401)
  This was already correct in XML/JSON schema.

Changed

• Allow arbitrary $schema values by JSON schema (#402 via #403)
• Increased max length of versionRange (via 3e01ce6)
• Harmonized length of version (via #417)

Deprecated

• Data model Component's field author was deprecated. (via #379)
  Use field authors or field manufacturer instead.
• Data model Metadata's field manufacture was deprecated. (#346 via #379)
  Use Metadata's field component's field manufacturer instead.
  • for XML: /bom/metadata/component/manufacturer
  • for JSON: $.metadata.component.manufacturer
  • for ProtoBuf: Bom:metadata.component.manufacturer

Documentation

• Centralize version and version-range (via #322)
• Streamlined SPDX expression related descriptions (via #327)
• Enhanced descriptions of bom-ref/refType (#336 via #344)
• Enhanced readability of enum documentation in JSON schema (#361 via #362)
• Fixed typo "compliment" -> "complement" (via #369)
• Added documentation for enum ComponentScope's values in JSON schema (#293 via d92e58e)
  Texts were taken from the existing ones in XML/ProtoBuff schema.
• Added documentation for enum TaskType's values (#245 via #377)
• Improve documentation for data model Metadata's field licenses (#273 via #378)
• Added documentation for enum MachineLearningApproachType's values (#351 via #416)
• Rephrased some texts here and there.

Test data

• Added test data for newly added use cases
• Added quality assurance for our ProtoBuf schemas (#384 via #385)

---

What's Changed

• Add BOM types by @stevespringett in #259
• adjust default values by @jkowalleck in #260
• Fix test data, closes #294 by @tokcum in #295
• Fix test data inconsistency regarding dependency tree in valid-service by @jkowalleck in #297
• chore: add @CycloneDX/core-team as default reviewers by @jkowalleck in #298
• Fix test data regarding base64-encoded contents by @tokcum in #299
• Fix test data regarding base64-encoded contents by @jkowalleck in #300
• Fix bom-ref in test data valid-compositions by @tokcum in #302
• Fix bom-ref in test data valid-compositions by @jkowalleck in #304
• Fix test data regarding invalid SPDX license ID by @tokcum in #305
• Fix test data regarding invalid SPDX license ID by @jkowalleck in #306
• chore: add dependabot for github actions by @jkowalleck in #314
• chore(deps): bump actions/checkout from 2 to 4 by @dependabot in #315
• chore(deps): bump actions/setup-python from 2 to 4 by @dependabot in #316
• chore(deps): bump actions/upload-artifact from 2 to 3 by @dependabot in #317
• chore(deps): bump actions/setup-java from 1 to 3 by @dependabot in #318
• chore: optimize CI runs by @jkowalleck in #324
• Merges detectionContext properties with component evidence by @bhess in #325
• CBOM: merges relatedCryptoMaterial and key asset types by @bhess in #313
• refactor: centralize version and version-range by @jkowalleck in #322
• docs: improve SPDX expression docs by @jkowalleck in #327
• chore(deps): bump actions/setup-node from 3 to 4 by @dependabot in #328
• CBOM: adds 'parameterSetIdentifier' property, replacing 'variant' by @bhess in #339
• Enhance descriptions of bom-ref by @andreas-hilti in #344
• Review description fields of 'algorithmProperties' by @bhess in #350
• chore(deps): bump actions/setup-java from 3 to 4 by @dependabot in #352
• chore(deps): bump actions/setup-python from 4 to 5 by @dependabot in #355
• tests: java tests run agsinst CDX1.5 by @jkowalleck in #356
• Support for hybrids/combiners: add 'combiner' as primitive by @bhess in #353
• ci: split workflows by @jkowalleck in https://github.com/CycloneDX/speci...

1.5

Added Machine Learning Bill of Materials (ML-BOM), Formulation (MBOM), Lifecycles, Identity Evidence, Annotations, and Low-code/no-code application support. And much more.

Announcement: https://cyclonedx.org/news/cyclonedx-v1.5-released/

---

What's Changed

• Preserve keys, but fix potential JSON pointers to reflect actual DOM… by @mrutkows in #125
• add GH-workflow: php ci by @jkowalleck in #110
• fix CWEs example by @kabo in #144
• Fix invalid ref in tools/src/test/resources/1.4/valid-vulnerability-1.4.json by @damiencarol in #127
• fix: add missing Vulnerability.properties types in schema 1.4 by @desenna in #148
• Update Description by @msymons in #172
• Added firstIssued and lastUpdated timestamps to vulnerability analysis by @stevespringett in #176
• Resolves #130 - missing BOM properties in JSON and protobuf schemas by @stevespringett in #170
• Add licensing support and unit tests by @stevespringett in #175
• Added property support to license along with unit tests by @stevespringett in #177
• Add annotations support and valid test cases by @stevespringett in #169
• Adding support for security contact by @stevespringett in #180
• Adding support vulnerability rejected timestamp along with unit tests by @stevespringett in #181
• Added additional external references by @stevespringett in #189
• Added device driver component type by @stevespringett in #190
• Extend service dataflow support by @stevespringett in #194
• Added support for CVSSv4 by @stevespringett in #195
• Deprecated tool in favor of components and services used as tools by @stevespringett in #198
• Added identity and occurrences to evidence. Updated test cases. by @stevespringett in #199
• Add proof of concept support to vulnerability by @stevespringett in #200
• fix vulnerability.affects[].versions[].range ref by @jkowalleck in #219
• fix vulnerability.affects[].versions[].range ref by @jkowalleck in #218
• Added support for ML by @stevespringett in #209
• hint for device properties by @jkowalleck in #221
• hint for device properties by @jkowalleck in #220
• Added additional compositions and identity by @stevespringett in #212
• Added lifecycle support by @stevespringett in #213
• Adding external reference support for adversary model and risk assessment by @stevespringett in #215
• fix JSON schema issues found by AJV by @jkowalleck in #230
• licenseChoice streamlined by @jkowalleck in #205
• fix: XML schema 1.4 make all ref arguments type="bom:refType" by @jkowalleck in #183
• schema: own type for ref/bom-ref by @jkowalleck in #115
• Fixing missing data governance on service data by @stevespringett in #234
• Introduce type for BOM-Link by @jkowalleck in #235
• Added poam as external reference type by @stevespringett in #227
• Added bom-refs to organizationalEntity and organizationalContact by @stevespringett in #228
• schema validate VS test data - php by @jkowalleck in #237
• v1.5 validate XML/JSON test-data against schema - php by @jkowalleck in #238
• fixed test data by @jkowalleck in #239
• v1.5 fixed test data by @jkowalleck in #240
• validate JSON test data against schema - JS by @jkowalleck in #241
• Add SSVC to existing rating methods by @stevespringett in #224
• Added formulation support and test cases by @stevespringett in #222
• intro to explicitly linked elements by @jkowalleck in #236
• V1.5 dev resourceReferenceChoice ref clarifications by @jkowalleck in #251
• V1.5 JSON: fix oneOf documentations by @jkowalleck in #258
• v1.5 complete linkable licenses by @jkowalleck in #252
• streamline VulnerabilityReference by @jkowalleck in #253
• [WIP] finalize 1.5 by @jkowalleck in #231

New Contributors

• @kabo made their first contribution in #144
• @damiencarol made their first contribution in #127
• @desenna made their first contribution in #148

Full Changelog: 1.4...1.5

1.4

Added support for Vulnerability Exploitability Exchange (VEX), a standard release notes format, improved hardware device support and many other small improvements.

Announcement: https://cyclonedx.org/news/cyclonedx-v1.4-released/

---

What's Changed

• Added external references support to tools by @stevespringett in #102
• Made component version optional by @stevespringett in #92
• Added vulnerabilities as part of core spec by @stevespringett in #91
• Implemented release notes in XML, JSON, and Protobuf by @stevespringett in #88
• Implemented JSF in the core spec by @stevespringett in #93
• JSON strict: add optional root property $schema by @jkowalleck in #107
• spec1.4 JSON fixes #83 by @jkowalleck in #109
• spec 1.4 JSON schema: remove unnecessary self-shadowing $id by @jkowalleck in #111
• schema spec1.4: own type for ref/bom-ref by @jkowalleck in #116
• spec1.4 JSON schema : bugfixes #83 by @jkowalleck in #117
• Add service release notes to v1.4 proto file by @coderpatros in #120
• v1.4 General Availability by @stevespringett in #121

Full Changelog: 1.3...1.4

1.3

Implemented support for compositions which precisely describe the completeness of relationships (component assemblies and dependencies). Added name-value store that can be used to describe additional data about the components, services, or the SBOM that isn’t native to the core specification. Improved support for copyright holders and licenses as additional evidence. Added license support for the SBOM itself. Added support for Protocol Buffers to make machine to machine SBOM transport more efficient.

Announcement: https://cyclonedx.org/news/cyclonedx-v1.3-released/

---

What's Changed

• Bump junit from 4.12 to 4.13.1 in /tools by @dependabot in #39
• manufacture grammar fix by @bradh in #58
• Add protobuf format by @coderpatros in #54
• Add BOM license information by @coderpatros in #52
• Added support for key/value store (properties) by @stevespringett in #55
• Initial implementation for compositions (known unknowns) by @stevespringett in #59
• Added support for evidence of licenses and copyrights by @stevespringett in #61
• Refactor BOM license to make use of license choice type by @coderpatros in #65
• Tracking updates to protobuf format for feedback by @coderpatros in #66
• #69 - Added support for hashes on external references. Added unit tests by @stevespringett in #71
• URI cleanup for JSON by @stevespringett in #68
• Removed default empty string and unnecessary regex pattern by @stevespringett in #74
• Fix a few places where uri-reference has been applied at the array level instead of the array item level by @coderpatros in #75
• Specification v1.3 by @coderpatros in #63
• v1.3 Release candidate - Removing snapshot in preparation for release by @stevespringett in #76
• Bump commons-io from 2.5 to 2.7 in /tools by @dependabot in #64

New Contributors

• @bradh made their first contribution in #58

Full Changelog: 1.2...1.3

1.2

This release includes ‘firmware’ and ‘container’ component types, SWID tags, service components, applied patches, JSON support, and enhanced BOM metadata and dependency graphs previously only available through extensions.

---

What's Changed

• Draft vulnerability schema extension by @kakumara in #19
• Delete CODE_OF_CONDUCT.md by @coderpatros in #25

New Contributors

• @kakumara made their first contribution in #19

Full Changelog: 1.1...1.2

1.1

CycloneDX 1.1 — 03 March 2019

---

Full Changelog: 1.0...1.1

1.0

CycloneDX 1.0 — 26 March 2018