1.5

Added Machine Learning Bill of Materials (ML-BOM), Formulation (MBOM), Lifecycles, Identity Evidence, Annotations, and Low-code/no-code application support. And much more.

Announcement: https://cyclonedx.org/news/cyclonedx-v1.5-released/

---

What's Changed

• Preserve keys, but fix potential JSON pointers to reflect actual DOM… by @mrutkows in #125
• add GH-workflow: php ci by @jkowalleck in #110
• fix CWEs example by @kabo in #144
• Fix invalid ref in tools/src/test/resources/1.4/valid-vulnerability-1.4.json by @damiencarol in #127
• fix: add missing Vulnerability.properties types in schema 1.4 by @desenna in #148
• Update Description by @msymons in #172
• Added firstIssued and lastUpdated timestamps to vulnerability analysis by @stevespringett in #176
• Resolves #130 - missing BOM properties in JSON and protobuf schemas by @stevespringett in #170
• Add licensing support and unit tests by @stevespringett in #175
• Added property support to license along with unit tests by @stevespringett in #177
• Add annotations support and valid test cases by @stevespringett in #169
• Adding support for security contact by @stevespringett in #180
• Adding support vulnerability rejected timestamp along with unit tests by @stevespringett in #181
• Added additional external references by @stevespringett in #189
• Added device driver component type by @stevespringett in #190
• Extend service dataflow support by @stevespringett in #194
• Added support for CVSSv4 by @stevespringett in #195
• Deprecated tool in favor of components and services used as tools by @stevespringett in #198
• Added identity and occurrences to evidence. Updated test cases. by @stevespringett in #199
• Add proof of concept support to vulnerability by @stevespringett in #200
• fix vulnerability.affects[].versions[].range ref by @jkowalleck in #219
• fix vulnerability.affects[].versions[].range ref by @jkowalleck in #218
• Added support for ML by @stevespringett in #209
• hint for device properties by @jkowalleck in #221
• hint for device properties by @jkowalleck in #220
• Added additional compositions and identity by @stevespringett in #212
• Added lifecycle support by @stevespringett in #213
• Adding external reference support for adversary model and risk assessment by @stevespringett in #215
• fix JSON schema issues found by AJV by @jkowalleck in #230
• licenseChoice streamlined by @jkowalleck in #205
• fix: XML schema 1.4 make all ref arguments type="bom:refType" by @jkowalleck in #183
• schema: own type for ref/bom-ref by @jkowalleck in #115
• Fixing missing data governance on service data by @stevespringett in #234
• Introduce type for BOM-Link by @jkowalleck in #235
• Added poam as external reference type by @stevespringett in #227
• Added bom-refs to organizationalEntity and organizationalContact by @stevespringett in #228
• schema validate VS test data - php by @jkowalleck in #237
• v1.5 validate XML/JSON test-data against schema - php by @jkowalleck in #238
• fixed test data by @jkowalleck in #239
• v1.5 fixed test data by @jkowalleck in #240
• validate JSON test data against schema - JS by @jkowalleck in #241
• Add SSVC to existing rating methods by @stevespringett in #224
• Added formulation support and test cases by @stevespringett in #222
• intro to explicitly linked elements by @jkowalleck in #236
• V1.5 dev resourceReferenceChoice ref clarifications by @jkowalleck in #251
• V1.5 JSON: fix oneOf documentations by @jkowalleck in #258
• v1.5 complete linkable licenses by @jkowalleck in #252
• streamline VulnerabilityReference by @jkowalleck in #253
• [WIP] finalize 1.5 by @jkowalleck in #231

New Contributors

• @kabo made their first contribution in #144
• @damiencarol made their first contribution in #127
• @desenna made their first contribution in #148

Full Changelog: 1.4...1.5