2 changes: 1 addition & 1 deletion schema/2.0/cyclonedx-2.0-bundled.min.schema.json

Large diffs are not rendered by default.

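--- a/schema/2.0/cyclonedx-2.0-bundled.schema.json
+++ b/schema/2.0/cyclonedx-2.0-bundled.schema.json
@@ -2208,6 +2208,34 @@
 "type": "string",
 "title": "Additional Context",
 "description": "Any additional context of the detected component (e.g. a code snippet)."
+},
+"accountInfo": {
+"type": "string",
+"title": "Account Information",
+"description": "The account or user information associated with the occurrence."
+},
+"systemOwner": {
+"type": "string",
+"title": "System Owner",
+"description": "The owner of the system where the component was found."
+},
+"startTime": {
+"type": "string",
+"format": "date-time",
+"title": "Start Time",
+"description": "The date and time when the process detecting the occurrence started."
+},
+"endTime": {
+"type": "string",
+"format": "date-time",
+"title": "End Time",
+"description": "The date and time when the process detecting the occurrence ended."
+},
+"usageCount": {
+"type": "integer",
+"minimum": 0,
+"title": "Usage Count",
+"description": "The number of times the component occurred in the detecting process."
 }
 }
 }
@@ -2695,25 +2723,30 @@
 }
 },
 "implementationPlatform": {
-"type": "string",
-"title": "Implementation platform",
-"description": "The target platform for which the algorithm is implemented. The implementation can be 'generic', running on any platform or for a specific platform.",
-"enum": [
-"generic",
-"x86_32",
-"x86_64",
-"armv7-a",
-"armv7-m",
-"armv8-a",
-"armv8-m",
-"armv9-a",
-"armv9-m",
-"s390x",
-"ppc64",
-"ppc64le",
-"other",
-"unknown"
-]
+"type": "array",
+"title": "Implementation platforms",
+"description": "The target platforms for which the algorithm is implemented. The implementation can be 'generic', running on any platform or for a specific platform.",
+"items": {
+"type": "string",
+"title": "Platform",
+"description": "The target platform for the implementation.",
+"enum": [
+"generic",
+"x86_32",
+"x86_64",
+"armv7-a",
+"armv7-m",
+"armv8-a",
+"armv8-m",
+"armv9-a",
+"armv9-m",
+"s390x",
+"ppc64",
+"ppc64le",
+"other",
+"unknown"
+]
+}
 },
 "certificationLevel": {
 "type": "array",
@@ -2797,6 +2830,14 @@
 "cfb",
 "ofb",
 "ctr",
+"siv",
+"gcm-siv",
+"ocb",
+"eax",
+"kw",
+"kwp",
+"cts",
+"xts",
 "other",
 "unknown"
 ],
@@ -2822,6 +2863,7 @@
 "pkcs1v15",
 "oaep",
 "raw",
+"pss",
 "other",
 "unknown"
 ],
@@ -2853,6 +2895,7 @@
 "verify",
 "encapsulate",
 "decapsulate",
+"keyagree",
 "other",
 "unknown"
 ]
@@ -2870,6 +2913,25 @@
 "description": "The NIST security strength category as defined in https://csrc.nist.gov/projects/post-quantum-cryptography/post-quantum-cryptography-standardization/evaluation-criteria/security-(evaluation-criteria). A value of 0 indicates that none of the categories are met.",
 "minimum": 0,
 "maximum": 6
+},
+"secProperties": {
+"type": "array",
+"title": "Security Properties",
+"description": "Formal guarantees about an algorithm's resistance to specific adversarial capabilities under a defined threat model. Example: Key Encapsulation Mechanisms (KEMs) may target IND-CPA or IND-CCA security; choosing IND-CCA impacts safe use in settings with active/chosen-ciphertext attacks.",
+"items": {
+"type": "string",
+"title": "Security Property",
+"examples": [
+"IND-CPA",
+"IND-CCA",
+"IND-CCA2",
+"SUF-CMA",
+"EUF-CMA",
+"collision-resistant",
+"preimage-resistant",
+"second-preimage-resistant"
+]
+}
 }
 }
 },
@@ -3238,6 +3300,29 @@
 },
 "relatedCryptographicAssets": {
 "$ref": "#/$defs/cyclonedx-cryptography-2.0/$defs/relatedCryptographicAssets"
+},
+"keyUsage": {
+"type": "array",
+"title": "Key Usage",
+"description": "Defines the permitted cryptographic usage for the asset.",
+"items": {
+"type": "string",
+"title": "Usage",
+"description": "A permitted cryptographic usage.",
+"examples": [
+"CIPHER",
+"DECIPHER",
+"DERIVE",
+"GENERATE",
+"SIGN",
+"VERIFY",
+"WRAP",
+"UNWRAP",
+"ENCRYPT",
+"DECRYPT",
+"MAC"
+]
+}
 }
 }
 },
@@ -3595,9 +3680,12 @@
 ]
 },
 "algorithmRef": {
-"$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType",
-"title": "Algorithm Reference",
-"description": "The bom-ref to the algorithm."
+"type": "array",
+"title": "References",
+"description": "The bom-refs to the assets securing this asset (e.g., algorithms, hardware, keys).",
+"items": {
+"$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType"
+}
 }
 }
 }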
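--- a/schema/2.0/model/cyclonedx-component-2.0.schema.json
+++ b/schema/2.0/model/cyclonedx-component-2.0.schema.json
@@ -456,6 +456,34 @@
 "type": "string",
 "title": "Additional Context",
 "description": "Any additional context of the detected component (e.g. a code snippet)."
+},
+"accountInfo": {
+"type": "string",
+"title": "Account Information",
+"description": "The account or user information associated with the occurrence."
+},
+"systemOwner": {
+"type": "string",
+"title": "System Owner",
+"description": "The owner of the system where the component was found."
+},
+"startTime": {
+"type": "string",
+"format": "date-time",
+"title": "Start Time",
+"description": "The date and time when the process detecting the occurrence started."
+},
+"endTime": {
+"type": "string",
+"format": "date-time",
+"title": "End Time",
+"description": "The date and time when the process detecting the occurrence ended."
+},
+"usageCount": {
+"type": "integer",
+"minimum": 0,
+"title": "Usage Count",
+"description": "The number of times the component occurred in the detecting process."
 }
 }
 }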
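Review bot: `accountInfo` and `systemOwner` are unconstrained free-text strings, and their descriptions say nothing about what must stay out of them. Because the surrounding properties describe a detecting process, these values are presumably written by tooling, so usernames, service-account names or other personal data can end up in a BOM that is later shared outside the organisation. I would extend the descriptions, e.g. `"description": "The account or user information associated with the occurrence. Must not contain credentials or secrets; may be personal data and should be redacted before the BOM is shared."`, and consider a `maxLength` on both. The enclosing object starts outside the hunk, and the bundled schema carries the same properties.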
104 changes: 82 additions & 22 deletions schema/2.0/model/cyclonedx-cryptography-2.0.schema.json
@@ -120,25 +120,30 @@
}
},
"implementationPlatform": {
"type": "string",
"title": "Implementation platform",
"description": "The target platform for which the algorithm is implemented. The implementation can be 'generic', running on any platform or for a specific platform.",
"enum": [
"generic",
"x86_32",
"x86_64",
"armv7-a",
"armv7-m",
"armv8-a",
"armv8-m",
"armv9-a",
"armv9-m",
"s390x",
"ppc64",
"ppc64le",
"other",
"unknown"
]
"type": "array",
"title": "Implementation platforms",
"description": "The target platforms for which the algorithm is implemented. The implementation can be 'generic', running on any platform or for a specific platform.",
"items": {
"type": "string",
"title": "Platform",
"description": "The target platform for the implementation.",
"enum": [
"generic",
"x86_32",
"x86_64",
"armv7-a",
"armv7-m",
"armv8-a",
"armv8-m",
"armv9-a",
"armv9-m",
"s390x",
"ppc64",
"ppc64le",
"other",
"unknown"
]
}
},
"certificationLevel": {
"type": "array",
@@ -222,6 +227,14 @@
"cfb",
"ofb",
"ctr",
"siv",
"gcm-siv",
"ocb",
"eax",
"kw",
"kwp",
"cts",
"xts",
"other",
"unknown"
],
@@ -247,6 +260,7 @@
"pkcs1v15",
"oaep",
"raw",
"pss",
"other",
"unknown"
],
@@ -278,6 +292,7 @@
"verify",
"encapsulate",
"decapsulate",
"keyagree",
"other",
"unknown"
]
@@ -295,6 +310,25 @@
"description": "The NIST security strength category as defined in https://csrc.nist.gov/projects/post-quantum-cryptography/post-quantum-cryptography-standardization/evaluation-criteria/security-(evaluation-criteria). A value of 0 indicates that none of the categories are met.",
"minimum": 0,
"maximum": 6
},
"secProperties": {
"type": "array",
"title": "Security Properties",
"description": "Formal guarantees about an algorithm's resistance to specific adversarial capabilities under a defined threat model. Example: Key Encapsulation Mechanisms (KEMs) may target IND-CPA or IND-CCA security; choosing IND-CCA impacts safe use in settings with active/chosen-ciphertext attacks.",
"items": {
"type": "string",
"title": "Security Property",
"examples": [
"IND-CPA",
"IND-CCA",
"IND-CCA2",
"SUF-CMA",
"EUF-CMA",
"collision-resistant",
"preimage-resistant",
"second-preimage-resistant"
]
}
}
}
},
@@ -663,6 +697,29 @@
},
"relatedCryptographicAssets": {
"$ref": "#/$defs/relatedCryptographicAssets"
},
"keyUsage": {
"type": "array",
"title": "Key Usage",
"description": "Defines the permitted cryptographic usage for the asset.",
"items": {
"type": "string",
"title": "Usage",
"description": "A permitted cryptographic usage.",
"examples": [
Member

Investigate syncing with related crypto material usage and making this an enum.

"CIPHER",
"DECIPHER",
"DERIVE",
"GENERATE",
"SIGN",
"VERIFY",
"WRAP",
"UNWRAP",
"ENCRYPT",
"DECRYPT",
"MAC"
]
}
}
}
},
@@ -1020,9 +1077,12 @@
]
},
"algorithmRef": {
"$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType",
"title": "Algorithm Reference",
"description": "The bom-ref to the algorithm."
"type": "array",
"title": "References",
"description": "The bom-refs to the assets securing this asset (e.g., algorithms, hardware, keys).",
"items": {
"$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType"
}
}
}
}
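Review bot: `algorithmRef` in the last hunk keeps its singular, algorithm-specific name while its value becomes an array of bom-refs that may point at algorithms, hardware or keys. A consumer that still reads it as one string, for example a policy check that resolves the protecting algorithm, will now see a different type and, depending on how it handles that, may skip the check rather than fail. If the name has to stay, I would at least add `"minItems": 1` and `"uniqueItems": true` next to `"items"` and have the description state that the value used to be a single bom-ref. `implementationPlatform` in the first hunk gets the same string-to-array change, and the same two keywords would fit there. The enclosing objects start outside the hunks, and the bundled schema mirrors both changes.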