1.6.1

Functionally equivalent to CycloneDX 1.6.0 but with bug fixes to the XML/JSON/ProtoBuf implementations, and spelling, grammar and other editorial improvements.

---

What's Changed

• tests: annotate schema for test resources of CDX1.6 JSON by @jkowalleck in #423
• chore: depedabot for all used ecosystems by @jkowalleck in #424
• chore(dependencies): bump bufbuild/buf:1.30.1 by @jkowalleck in #431
• chore(deps): bump ajv-formats from 2.1.1 to 3.0.1 in /tools/src/test/js by @dependabot in #430
• docs: annotate protobuf licenses by @jkowalleck in #468
• chore(deps): bump org.apache.commons:commons-text from 1.2 to 1.12.0 in /tools by @dependabot in #439
• chore(deps): bump commons-io:commons-io from 2.7 to 2.16.1 in /tools by @dependabot in #429
• chore(deps): bump org.apache.maven.plugins:maven-surefire-plugin from 3.0.0-M5 to 3.2.5 in /tools by @dependabot in #428
• Fix(1.6spec): Fixed typo in componentEvidence description by @Petzys in #451
• issue451-streamline by @jkowalleck in #475
• tests: Update to cyclonedx-core-java-9.0.2 for test runners by @Nicolas-Peiffer in #480
• tests: Adding 1.6 valid and invalid test files in the Java tests by @Nicolas-Peiffer in #482
• chore(deps): bump org.apache.maven.plugins:maven-surefire-plugin from 3.2.5 to 3.3.0 in /tools by @dependabot in #484
• Update pom.xml by @jkowalleck in #489
• docs: revisit example urls in spec 1.6 by @jkowalleck in #490
• chore(deps): bump glob from 10.4.5 to 11.0.0 in /tools/src/test/js by @dependabot in #496
• Add space after colon by @tamir-alltrue-ai in #494
• 1.6 ecma by @stevespringett in #478
• chore(deps): bump org.apache.maven.plugins:maven-surefire-plugin from 3.3.0 to 3.4.0 in /tools by @dependabot in #504
• chore(deps): bump org.apache.commons:commons-lang3 from 3.6 to 3.16.0 in /tools by @dependabot in #499
• chore(dependencies): bump Saxon-HE from 9.9.1-8 to 10.9 by @jkowalleck in #432
• fix: add missing cryptoRef to cryptoProperties.protocolPropertiesfor XML/PB by @jkowalleck in #502
• fix: ProtoBuf evidence not repeated, but optional by @jkowalleck in #425
• 1.6 ecma -- docs carry over by @jkowalleck in #512
• fix: revert PR #425 by @jkowalleck in #516
• fix(ProtoBuff): component evidence should be optional, istead of repeated by @jkowalleck in #517
• tests: fix ProtoBuf breaking detection to be wire-only by @jkowalleck in #532
• tests: bump docker image from bufbuild/buf:1.30.1 to :1.46.0 by @jkowalleck in #519
• tests: fix BrotoBuf BCcheck on version-level by @jkowalleck in #536
• tests: fix BrotoBuf test reports by @jkowalleck in #537
• fix(ProtoBuf): add ExternalReterence Type EXTERNAL_REFERENCE_TYPE_RELEASE_NOTES by @jkowalleck in #531
• fix(ProtoBuf,XML): component data repeatable by @jkowalleck in #530
• fix(ProtoBuf): Component.evidence optional by @jkowalleck in #534
• fix(ProtoBuf): add LicenseExpression.bom_ref by @jkowalleck in #529
• docs: transfer spec docs to ProtoBuf 1.6 by @jkowalleck in #539
• docs: transfer specdocs to XML 1.6 by @jkowalleck in #540
• fix(xml): requirement descriptions should be unbounded by @hakandilek in #533
• chore: prep v1.6.1 by @jkowalleck in #535
• chore(deps): bump org.apache.commons:commons-lang3 from 3.16.0 to 3.17.0 in /tools by @dependabot in #509

New Contributors

• @Petzys made their first contribution in #451
• @Nicolas-Peiffer made their first contribution in #480
• @tamir-alltrue-ai made their first contribution in #494
• @hakandilek made their first contribution in #533

Full Changelog: 1.6...1.6.1

1.6

Major new additions include support for cryptographic assets (CBOM) and CycloneDX Attestations (CDXA). CycloneDX v1.6 forms the basis of a future Ecma International standard.

Announcement: https://cyclonedx.org/news/cyclonedx-v1.6-released/

---

Added

• Core enhancement: Cryptography Bill of Materials — CBOM (#171, #291 via #347)
• Core enhancement: Attestation — CDXA (#192 via #348)
• Feature to express the URL to source distribution (#98 via #269)
• Feature to express the URL to RFC 9116 compliant documents (#380 via #381)
• Feature to express tags/keywords for services and components (via #383)
• Feature to express details for component authors (#335 via #379)
• Feature to express details for component and BOM manufacturer (#346 via #379)
• Feature to express communicate concluded values from observed evidences (#411 via #412)
• Features to express license acknowledgement (#407 via #408)
• Feature to express environmental consideration information for model cards (#396 via #395)
• Feature to express the address of organizational entities (via #395)
• Feature to express additional component identifiers: Universal Bill Of Receipts Identifier and Software Heritage persistent IDs (#413 via #414)

Fixed

• Allow multiple evidence identities by XML/JSON schema (#272 via #359)
  This was already correct via ProtoBuff schema.
• Prevent empty license entities by XML schema (#288 via #292)
  This was already correct in JSON/ProtoBuff schema.
• Prevent empty or malformed property entities by JSON schema (#371 via #375)
  This was already correct in XML/ProtoBuff schema.
• Allow multiple licenses in Metadata by ProtoBuff schema (#264 via #401)
  This was already correct in XML/JSON schema.

Changed

• Allow arbitrary $schema values by JSON schema (#402 via #403)
• Increased max length of versionRange (via 3e01ce6)
• Harmonized length of version (via #417)

Deprecated

• Data model Component's field author was deprecated. (via #379)
  Use field authors or field manufacturer instead.
• Data model Metadata's field manufacture was deprecated. (#346 via #379)
  Use Metadata's field component's field manufacturer instead.
  • for XML: /bom/metadata/component/manufacturer
  • for JSON: $.metadata.component.manufacturer
  • for ProtoBuf: Bom:metadata.component.manufacturer

Documentation

• Centralize version and version-range (via #322)
• Streamlined SPDX expression related descriptions (via #327)
• Enhanced descriptions of bom-ref/refType (#336 via #344)
• Enhanced readability of enum documentation in JSON schema (#361 via #362)
• Fixed typo "compliment" -> "complement" (via #369)
• Added documentation for enum ComponentScope's values in JSON schema (#293 via d92e58e)
  Texts were taken from the existing ones in XML/ProtoBuff schema.
• Added documentation for enum TaskType's values (#245 via #377)
• Improve documentation for data model Metadata's field licenses (#273 via #378)
• Added documentation for enum MachineLearningApproachType's values (#351 via #416)
• Rephrased some texts here and there.

Test data

• Added test data for newly added use cases
• Added quality assurance for our ProtoBuf schemas (#384 via #385)

---

What's Changed

• Add BOM types by @stevespringett in #259
• adjust default values by @jkowalleck in #260
• Fix test data, closes #294 by @tokcum in #295
• Fix test data inconsistency regarding dependency tree in valid-service by @jkowalleck in #297
• chore: add @CycloneDX/core-team as default reviewers by @jkowalleck in #298
• Fix test data regarding base64-encoded contents by @tokcum in #299
• Fix test data regarding base64-encoded contents by @jkowalleck in #300
• Fix bom-ref in test data valid-compositions by @tokcum in #302
• Fix bom-ref in test data valid-compositions by @jkowalleck in #304
• Fix test data regarding invalid SPDX license ID by @tokcum in #305
• Fix test data regarding invalid SPDX license ID by @jkowalleck in #306
• chore: add dependabot for github actions by @jkowalleck in #314
• chore(deps): bump actions/checkout from 2 to 4 by @dependabot in #315
• chore(deps): bump actions/setup-python from 2 to 4 by @dependabot in #316
• chore(deps): bump actions/upload-artifact from 2 to 3 by @dependabot in #317
• chore(deps): bump actions/setup-java from 1 to 3 by @dependabot in #318
• chore: optimize CI runs by @jkowalleck in #324
• Merges detectionContext properties with component evidence by @bhess in #325
• CBOM: merges relatedCryptoMaterial and key asset types by @bhess in #313
• refactor: centralize version and version-range by @jkowalleck in #322
• docs: improve SPDX expression docs by @jkowalleck in #327
• chore(deps): bump actions/setup-node from 3 to 4 by @dependabot in #328
• CBOM: adds 'parameterSetIdentifier' property, replacing 'variant' by @bhess in #339
• Enhance descriptions of bom-ref by @andreas-hilti in #344
• Review description fields of 'algorithmProperties' by @bhess in #350
• chore(deps): bump actions/setup-java from 3 to 4 by @dependabot in #352
• chore(deps): bump actions/setup-python from 4 to 5 by @dependabot in #355
• tests: java tests run agsinst CDX1.5 by @jkowalleck in #356
• Support for hybrids/combiners: add 'combiner' as primitive by @bhess in #353
• ci: split workflows by @jkowalleck in https://github.com/CycloneDX/speci...

1.5

Added Machine Learning Bill of Materials (ML-BOM), Formulation (MBOM), Lifecycles, Identity Evidence, Annotations, and Low-code/no-code application support. And much more.

Announcement: https://cyclonedx.org/news/cyclonedx-v1.5-released/

---

What's Changed

• Preserve keys, but fix potential JSON pointers to reflect actual DOM… by @mrutkows in #125
• add GH-workflow: php ci by @jkowalleck in #110
• fix CWEs example by @kabo in #144
• Fix invalid ref in tools/src/test/resources/1.4/valid-vulnerability-1.4.json by @damiencarol in #127
• fix: add missing Vulnerability.properties types in schema 1.4 by @desenna in #148
• Update Description by @msymons in #172
• Added firstIssued and lastUpdated timestamps to vulnerability analysis by @stevespringett in #176
• Resolves #130 - missing BOM properties in JSON and protobuf schemas by @stevespringett in #170
• Add licensing support and unit tests by @stevespringett in #175
• Added property support to license along with unit tests by @stevespringett in #177
• Add annotations support and valid test cases by @stevespringett in #169
• Adding support for security contact by @stevespringett in #180
• Adding support vulnerability rejected timestamp along with unit tests by @stevespringett in #181
• Added additional external references by @stevespringett in #189
• Added device driver component type by @stevespringett in #190
• Extend service dataflow support by @stevespringett in #194
• Added support for CVSSv4 by @stevespringett in #195
• Deprecated tool in favor of components and services used as tools by @stevespringett in #198
• Added identity and occurrences to evidence. Updated test cases. by @stevespringett in #199
• Add proof of concept support to vulnerability by @stevespringett in #200
• fix vulnerability.affects[].versions[].range ref by @jkowalleck in #219
• fix vulnerability.affects[].versions[].range ref by @jkowalleck in #218
• Added support for ML by @stevespringett in #209
• hint for device properties by @jkowalleck in #221
• hint for device properties by @jkowalleck in #220
• Added additional compositions and identity by @stevespringett in #212
• Added lifecycle support by @stevespringett in #213
• Adding external reference support for adversary model and risk assessment by @stevespringett in #215
• fix JSON schema issues found by AJV by @jkowalleck in #230
• licenseChoice streamlined by @jkowalleck in #205
• fix: XML schema 1.4 make all ref arguments type="bom:refType" by @jkowalleck in #183
• schema: own type for ref/bom-ref by @jkowalleck in #115
• Fixing missing data governance on service data by @stevespringett in #234
• Introduce type for BOM-Link by @jkowalleck in #235
• Added poam as external reference type by @stevespringett in #227
• Added bom-refs to organizationalEntity and organizationalContact by @stevespringett in #228
• schema validate VS test data - php by @jkowalleck in #237
• v1.5 validate XML/JSON test-data against schema - php by @jkowalleck in #238
• fixed test data by @jkowalleck in #239
• v1.5 fixed test data by @jkowalleck in #240
• validate JSON test data against schema - JS by @jkowalleck in #241
• Add SSVC to existing rating methods by @stevespringett in #224
• Added formulation support and test cases by @stevespringett in #222
• intro to explicitly linked elements by @jkowalleck in #236
• V1.5 dev resourceReferenceChoice ref clarifications by @jkowalleck in #251
• V1.5 JSON: fix oneOf documentations by @jkowalleck in #258
• v1.5 complete linkable licenses by @jkowalleck in #252
• streamline VulnerabilityReference by @jkowalleck in #253
• [WIP] finalize 1.5 by @jkowalleck in #231

New Contributors

• @kabo made their first contribution in #144
• @damiencarol made their first contribution in #127
• @desenna made their first contribution in #148

Full Changelog: 1.4...1.5

1.4

Added support for Vulnerability Exploitability Exchange (VEX), a standard release notes format, improved hardware device support and many other small improvements.

Announcement: https://cyclonedx.org/news/cyclonedx-v1.4-released/

---

What's Changed

• Added external references support to tools by @stevespringett in #102
• Made component version optional by @stevespringett in #92
• Added vulnerabilities as part of core spec by @stevespringett in #91
• Implemented release notes in XML, JSON, and Protobuf by @stevespringett in #88
• Implemented JSF in the core spec by @stevespringett in #93
• JSON strict: add optional root property $schema by @jkowalleck in #107
• spec1.4 JSON fixes #83 by @jkowalleck in #109
• spec 1.4 JSON schema: remove unnecessary self-shadowing $id by @jkowalleck in #111
• schema spec1.4: own type for ref/bom-ref by @jkowalleck in #116
• spec1.4 JSON schema : bugfixes #83 by @jkowalleck in #117
• Add service release notes to v1.4 proto file by @coderpatros in #120
• v1.4 General Availability by @stevespringett in #121

Full Changelog: 1.3...1.4

1.3

Implemented support for compositions which precisely describe the completeness of relationships (component assemblies and dependencies). Added name-value store that can be used to describe additional data about the components, services, or the SBOM that isn’t native to the core specification. Improved support for copyright holders and licenses as additional evidence. Added license support for the SBOM itself. Added support for Protocol Buffers to make machine to machine SBOM transport more efficient.

Announcement: https://cyclonedx.org/news/cyclonedx-v1.3-released/

---

What's Changed

• Bump junit from 4.12 to 4.13.1 in /tools by @dependabot in #39
• manufacture grammar fix by @bradh in #58
• Add protobuf format by @coderpatros in #54
• Add BOM license information by @coderpatros in #52
• Added support for key/value store (properties) by @stevespringett in #55
• Initial implementation for compositions (known unknowns) by @stevespringett in #59
• Added support for evidence of licenses and copyrights by @stevespringett in #61
• Refactor BOM license to make use of license choice type by @coderpatros in #65
• Tracking updates to protobuf format for feedback by @coderpatros in #66
• #69 - Added support for hashes on external references. Added unit tests by @stevespringett in #71
• URI cleanup for JSON by @stevespringett in #68
• Removed default empty string and unnecessary regex pattern by @stevespringett in #74
• Fix a few places where uri-reference has been applied at the array level instead of the array item level by @coderpatros in #75
• Specification v1.3 by @coderpatros in #63
• v1.3 Release candidate - Removing snapshot in preparation for release by @stevespringett in #76
• Bump commons-io from 2.5 to 2.7 in /tools by @dependabot in #64

New Contributors

• @bradh made their first contribution in #58

Full Changelog: 1.2...1.3

1.2

This release includes ‘firmware’ and ‘container’ component types, SWID tags, service components, applied patches, JSON support, and enhanced BOM metadata and dependency graphs previously only available through extensions.

---

What's Changed

• Draft vulnerability schema extension by @kakumara in #19
• Delete CODE_OF_CONDUCT.md by @coderpatros in #25

New Contributors

• @kakumara made their first contribution in #19

Full Changelog: 1.1...1.2

1.1

CycloneDX 1.1 — 03 March 2019

---

Full Changelog: 1.0...1.1

1.0

CycloneDX 1.0 — 26 March 2018