1.6

Major new additions include support for cryptographic assets (CBOM) and CycloneDX Attestations (CDXA). CycloneDX v1.6 forms the basis of a future Ecma International standard.

Announcement: https://cyclonedx.org/news/cyclonedx-v1.6-released/

---

Added

• Core enhancement: Cryptography Bill of Materials — CBOM (#171, #291 via #347)
• Core enhancement: Attestation — CDXA (#192 via #348)
• Feature to express the URL to source distribution (#98 via #269)
• Feature to express the URL to RFC 9116 compliant documents (#380 via #381)
• Feature to express tags/keywords for services and components (via #383)
• Feature to express details for component authors (#335 via #379)
• Feature to express details for component and BOM manufacturer (#346 via #379)
• Feature to express communicate concluded values from observed evidences (#411 via #412)
• Features to express license acknowledgement (#407 via #408)
• Feature to express environmental consideration information for model cards (#396 via #395)
• Feature to express the address of organizational entities (via #395)
• Feature to express additional component identifiers: Universal Bill Of Receipts Identifier and Software Heritage persistent IDs (#413 via #414)

Fixed

• Allow multiple evidence identities by XML/JSON schema (#272 via #359)
  This was already correct via ProtoBuff schema.
• Prevent empty license entities by XML schema (#288 via #292)
  This was already correct in JSON/ProtoBuff schema.
• Prevent empty or malformed property entities by JSON schema (#371 via #375)
  This was already correct in XML/ProtoBuff schema.
• Allow multiple licenses in Metadata by ProtoBuff schema (#264 via #401)
  This was already correct in XML/JSON schema.

Changed

• Allow arbitrary $schema values by JSON schema (#402 via #403)
• Increased max length of versionRange (via 3e01ce6)
• Harmonized length of version (via #417)

Deprecated

• Data model Component's field author was deprecated. (via #379)
  Use field authors or field manufacturer instead.
• Data model Metadata's field manufacture was deprecated. (#346 via #379)
  Use Metadata's field component's field manufacturer instead.
  • for XML: /bom/metadata/component/manufacturer
  • for JSON: $.metadata.component.manufacturer
  • for ProtoBuf: Bom:metadata.component.manufacturer

Documentation

• Centralize version and version-range (via #322)
• Streamlined SPDX expression related descriptions (via #327)
• Enhanced descriptions of bom-ref/refType (#336 via #344)
• Enhanced readability of enum documentation in JSON schema (#361 via #362)
• Fixed typo "compliment" -> "complement" (via #369)
• Added documentation for enum ComponentScope's values in JSON schema (#293 via d92e58e)
  Texts were taken from the existing ones in XML/ProtoBuff schema.
• Added documentation for enum TaskType's values (#245 via #377)
• Improve documentation for data model Metadata's field licenses (#273 via #378)
• Added documentation for enum MachineLearningApproachType's values (#351 via #416)
• Rephrased some texts here and there.

Test data

• Added test data for newly added use cases
• Added quality assurance for our ProtoBuf schemas (#384 via #385)

---

What's Changed

• Add BOM types by @stevespringett in #259
• adjust default values by @jkowalleck in #260
• Fix test data, closes #294 by @tokcum in #295
• Fix test data inconsistency regarding dependency tree in valid-service by @jkowalleck in #297
• chore: add @CycloneDX/core-team as default reviewers by @jkowalleck in #298
• Fix test data regarding base64-encoded contents by @tokcum in #299
• Fix test data regarding base64-encoded contents by @jkowalleck in #300
• Fix bom-ref in test data valid-compositions by @tokcum in #302
• Fix bom-ref in test data valid-compositions by @jkowalleck in #304
• Fix test data regarding invalid SPDX license ID by @tokcum in #305
• Fix test data regarding invalid SPDX license ID by @jkowalleck in #306
• chore: add dependabot for github actions by @jkowalleck in #314
• chore(deps): bump actions/checkout from 2 to 4 by @dependabot in #315
• chore(deps): bump actions/setup-python from 2 to 4 by @dependabot in #316
• chore(deps): bump actions/upload-artifact from 2 to 3 by @dependabot in #317
• chore(deps): bump actions/setup-java from 1 to 3 by @dependabot in #318
• chore: optimize CI runs by @jkowalleck in #324
• Merges detectionContext properties with component evidence by @bhess in #325
• CBOM: merges relatedCryptoMaterial and key asset types by @bhess in #313
• refactor: centralize version and version-range by @jkowalleck in #322
• docs: improve SPDX expression docs by @jkowalleck in #327
• chore(deps): bump actions/setup-node from 3 to 4 by @dependabot in #328
• CBOM: adds 'parameterSetIdentifier' property, replacing 'variant' by @bhess in #339
• Enhance descriptions of bom-ref by @andreas-hilti in #344
• Review description fields of 'algorithmProperties' by @bhess in #350
• chore(deps): bump actions/setup-java from 3 to 4 by @dependabot in #352
• chore(deps): bump actions/setup-python from 4 to 5 by @dependabot in #355
• tests: java tests run agsinst CDX1.5 by @jkowalleck in #356
• Support for hybrids/combiners: add 'combiner' as primitive by @bhess in #353
• ci: split workflows by @jkowalleck in #357
• chore(deps): bump actions/upload-artifact from 3 to 4 by @dependabot in #358
• Refactored JSON enum descriptions to use meta:enum by @stevespringett in #362
• Add source-distribution element to externalReferenceType by @tsjensen in #269
• 1.6 dev attestations by @jkowalleck in #348
• Fixed evidence identity. Updated test cases by @stevespringett in #359
• rework dependency type to provides by @jkowalleck in #366
• 1.6 dev cbom by @jkowalleck in #347
• docs: Tweak "compliment" to "complement" by @msymons in #369
• fix #288 by @jkowalleck in #292
• 1.6 dev fix properties json - fixes #371 by @jkowalleck in #375
• fix: correcting title of attestations[].map[].counterClaim by @idunbarh in #374
• Add meta:enum descriptions for task types by @mrutkows in #377
• docs: describe $.metadata.licenses by @jkowalleck in #378
• Add tags support by @stevespringett in #383
• feat: decouple metadata from its component by @jkowalleck in #379
• feat: external reference type for RFC-9116 by @jkowalleck in #381
• introduce QA pipeline for protobuf schemas by @jkowalleck in #385
• add headers to *.textproto by @jkowalleck in #393
• tests: add example for component scope by @jkowalleck in #389
• docs: spelling and grammar checks by @prabhu in #397
• docs: Spelling and grammar checks by @prabhu in #398
• remove restriction on json's $schema annotation by @jkowalleck in #403
• fix: protobuf Metadata.licenses repeated by @jkowalleck in #401
• docs: fix examples for versionRange according to VERS spec by @jkowalleck in #415
• Added descriptions for ML learning types by @stevespringett in #416
• 1.6 bump bufbuild buf 1.30.0 by @jkowalleck in #418
• fix/harmonize version length by @jkowalleck in #417
• Added support for concluded value. Updated test cases. by @stevespringett in #412
• Added support for license acknowledgements by @stevespringett in #408
• Propose new environmental consideration information for ML models by @mrutkows in #395
• Add support for OmniBOR and Software Heritage persistent IDs by @stevespringett in #414
• fix: revisit new component identifiers by @jkowalleck in #419
• Updated dependency attribute docs by @prabhu in #421
• v1.6 by @jkowalleck in #323

New Contributors

• @tokcum made their first contribution in #295
• @bhess made their first contribution in #325
• @andreas-hilti made their first contribution in #344
• @tsjensen made their first contribution in #269
• @idunbarh made their first contribution in #374
• @prabhu made their first contribution in #397

Full Changelog: 1.5...1.6