@jkowalleck jkowalleck commented Aug 31, 2024

Fixed

  • XML schema: add type for ComponentData sub-elements (#600 via #601)
  • JSON schema: added the correct deprecated mark for already deprecated structures (via a973a6b)

Deprecated

  • Deprecated various fields and structures related to cryptographic transparency - CBOM. (via #657)
    Use the newly added structures and fields for detailing the information instead.

Changed

  • Extended the scope of formulations. (via #647)
    From now on, formulations may be used to describe how any referenceable object within the BOM came together, including components, services, metadata, declarations, or the BOM itself.
    Before, it was restricted to components and services.

Added

  • Support for external components with version-ranges (#321 via #586)
  • Support for multiple SPDX License Expressions alongside other licenses (#454 via #582)
  • Support for Streebog hashing algorithm (#485 via #525)
  • Support for license expression details and properties (#549, #554 via #599)
  • Support for expressing BOM distribution constraints with the Traffic Light Protocol (TLP) in metadata (#595 via #604, #653)
  • Support for representing patent information (#596 via #597)
  • Support for properties on external-references (#608 via #610)
  • Support for citations (#630 via #629)
  • Support for detailing cryptographic transparency information - CBOM (#569 via #657)

Documentation

  • Elaborated component classification "platform", explicitly expressed that it includes just-in-time compilers and interpreters (#233 via #647)
  • Removed the term "optional" from the schema where the definition was already unambiguous (#616, #649 via #680)

Test data

  • Add test data for CycloneDX 1.7 implementations in XML, JSON, Protobuf

@jkowalleck jkowalleck added this to the 1.7 milestone Aug 31, 2024
jkowalleck and others added 29 commits January 11, 2025 18:02
Signed-off-by: Jan Kowalleck <[email protected]>
1. enabled test runner for schema 1.7
2. copied all test cases from 1.6 to 1.7
3. renamed the files from `*.1.6.*` to `*.1.7.*`
4. migrated the test cases from schema 1.6 to schema 1.7

see the diff/delta of each individual commit for details

java tests are expected to fail, as long as
#256 is not done
Signed-off-by: Jan Kowalleck <[email protected]>
We often only need the latest docs, while developing a new version.
Therefore, the latest version's docs are generated first.
Signed-off-by: Jan Kowalleck <[email protected]>
Co-authored-by: Piotr P. Karwasz <[email protected]>
@jkowalleck jkowalleck requested a review from Copilot October 20, 2025 08:10
Copilot AI left a comment

Pull Request Overview

This PR introduces CycloneDX specification version 1.7, adding comprehensive test data for all supported formats (XML, JSON, and Protocol Buffers). The update includes new functionality for patent information, citations, cryptographic transparency (CBOM), external component version ranges, multiple SPDX license expressions, and enhanced formulation capabilities.

Key Changes:

  • Adds comprehensive test data covering new CycloneDX 1.7 features including patent assertions, license expression details, and CBOM support
  • Provides test coverage for enhanced formulation workflows and external reference properties
  • Includes validation test cases for all major 1.7 schema elements across XML, JSON, and Protocol Buffer formats

Co-authored-by: Copilot <[email protected]>
Signed-off-by: Jan Kowalleck <[email protected]>
Copilot AI left a comment

Pull Request Overview

Copilot reviewed 264 out of 272 changed files in this pull request and generated 15 comments.

Comments suppressed due to low confidence (1)

tools/src/test/resources/1.7/valid-license-expression-with-text-1.7.json:1

  • Inconsistent bom-ref values. Line 41 references 'component-B' but line 48 should reference 'component-C' based on the context, not 'component-C' twice.

jkowalleck and others added 13 commits October 20, 2025 10:44
Signed-off-by: Jan Kowalleck <[email protected]>
@jkowalleck jkowalleck requested a review from Copilot October 20, 2025 11:57
Copilot AI left a comment

Pull Request Overview

Copilot reviewed 264 out of 272 changed files in this pull request and generated 2 comments.

Comments suppressed due to low confidence (1)

tools/src/test/resources/1.7/valid-license-expression-with-text-1.7.json:1

  • Inconsistent bom-ref values: line 41 shows 'LicenseDetails-component-B' but line 48 shows 'LicenseDetails-component-C', while both should reference component-B and component-C respectively according to the text content.

Signed-off-by: Jan Kowalleck <[email protected]>
@jkowalleck jkowalleck requested a review from Copilot October 20, 2025 12:09
Copilot AI left a comment

Pull Request Overview

Copilot reviewed 264 out of 272 changed files in this pull request and generated no new comments.


Signed-off-by: Jan Kowalleck <[email protected]>
@stevespringett stevespringett merged commit 11c0e00 into master Oct 21, 2025
13 checks passed
@stevespringett stevespringett deleted the 1.7-dev branch October 21, 2025 15:08