Status: Closed
Labels: CDX 2.0 (related to release v2.0), RFC notice sent (a public RFC notice was distributed to the CycloneDX mailing list for consideration), RFC vote accepted, breaking-changes, promote to tc54 (promote to Ecma Technical Committee 54), proposed core enhancement, request for comment, tc54 accepted (Ecma TC54 has accepted the feature candidate), tc54 reviewed (Ecma TC54 has reviewed the feature candidate)
Proposal: Rename bomFormat to specFormat
Summary
This proposal recommends renaming the root-level property bomFormat to specFormat to better reflect CycloneDX's evolution from a Bill of Materials standard into a comprehensive transparency expression language.
Background
Current implementation
The bomFormat property is currently defined in the CycloneDX 1.7 JSON Schema as follows:
```json
"bomFormat": {
  "type": "string",
  "title": "BOM Format",
  "description": "Specifies the format of the BOM. This helps to identify the file as CycloneDX since BOMs do not have a filename convention, nor does JSON schema support namespaces. This value must be \"CycloneDX\".",
  "enum": [
    "CycloneDX"
  ]
}
```
The property is required at the root level alongside specVersion and serves as a format identifier.
The problem
CycloneDX has evolved far beyond a traditional "Bill of Materials" format. The specification now supports a diverse range of document types and use cases that may not constitute a BOM at all:
| Document type | Description |
|---|---|
| VEX | Vulnerability Exploitability eXchange documents |
| VDR | Vulnerability Disclosure Reports |
| CDXA | CycloneDX Attestations for compliance-as-code |
| BOV | Bill of Vulnerabilities (standalone vulnerability data) |
| Release notes | Common release notes format |
Additionally, CycloneDX 2.0 introduces behavioral, threat, and risk modeling capabilities that push further away from a BOM-only model.
Proposed change
Rename the property
| Current | Proposed |
|---|---|
| bomFormat | specFormat |
Proposed schema definition
```json
"specFormat": {
  "type": "string",
  "title": "Specification Format",
  "description": "Specifies the format. This value shall be \"CycloneDX\".",
  "enum": [
    "CycloneDX"
  ]
}
```
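Because the identifier is the only thing that marks a file as CycloneDX (no filename convention, no JSON Schema namespaces), any tool that consumes both 1.x and 2.0 documents has to recognise both property names and must not accept a near miss such as a lowercase value. The following is an added example written for this proposal, not CycloneDX project code: it identifies a document by either root-level key, enforcing the type and enum constraints quoted above, and rewrites bomFormat to specFormat. It assumes the rename ships exactly as proposed and that 2.0 is the first version to use the new name; the sample document is constructed.

```python
"""Identify CycloneDX documents by their root-level format property and
migrate the 1.x name (bomFormat) to the proposed 2.0 name (specFormat).

Added example for this proposal, not CycloneDX project code. Assumes the
rename ships exactly as proposed; other 2.0 changes are out of scope.
"""
import json
from typing import Optional

LEGACY_KEY = "bomFormat"     # CycloneDX 1.x
PROPOSED_KEY = "specFormat"  # proposed for CycloneDX 2.0 (assumption)

# The two schema definitions quoted in the proposal; only "type" and "enum"
# are enforced here, a full JSON Schema validator is out of scope.
SCHEMA_FRAGMENTS = {
    LEGACY_KEY: {"type": "string", "enum": ["CycloneDX"]},
    PROPOSED_KEY: {"type": "string", "enum": ["CycloneDX"]},
}


def _matches_fragment(value, fragment: dict) -> bool:
    """Enforce the 'type' and 'enum' keywords of a JSON Schema fragment."""
    if fragment.get("type") == "string" and not isinstance(value, str):
        return False
    return value in fragment.get("enum", [value])


def identify(doc) -> Optional[tuple]:
    """Return (identifier_key, specVersion) if doc is recognisably CycloneDX.

    The only signal is the root identifier holding exactly "CycloneDX"
    next to a specVersion string. The comparison is case-sensitive on
    purpose: "cyclonedx" is not a member of the enum.
    """
    if not isinstance(doc, dict) or not isinstance(doc.get("specVersion"), str):
        return None
    for key in (PROPOSED_KEY, LEGACY_KEY):
        if key in doc and _matches_fragment(doc[key], SCHEMA_FRAGMENTS[key]):
            return key, doc["specVersion"]
    return None


def migrate_identifier(doc: dict) -> dict:
    """Return a copy of doc with bomFormat renamed to specFormat.

    Refuses anything not identifiable as CycloneDX, and documents carrying
    both keys: that is ambiguous (hand edit or buggy producer) and is
    reported rather than silently merged.
    """
    if LEGACY_KEY in doc and PROPOSED_KEY in doc:
        raise ValueError("both bomFormat and specFormat present")
    if identify(doc) is None:
        raise ValueError("not a CycloneDX document")
    # Keep the identifier first so the file is still recognisable at a glance.
    out = {PROPOSED_KEY: "CycloneDX"}
    out.update((k, v) for k, v in doc.items() if k != LEGACY_KEY)
    return out


# Constructed sample input: a minimal 1.7-style document, not a real file.
SAMPLE_1X = json.loads("""
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.7",
  "components": [{"type": "library", "name": "example-lib", "version": "1.0.0"}]
}
""")

if __name__ == "__main__":
    print(identify(SAMPLE_1X))
    print(json.dumps(migrate_identifier(SAMPLE_1X), indent=2))
```

Note that `identify` checks the proposed key first, so a document that has already been migrated is reported under specFormat, while a file that carries both keys is rejected by `migrate_identifier` instead of being guessed at; an identifier whose whole purpose is disambiguation should never be repaired by a consumer's heuristics.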