
[WIP] CycloneDX v2.0 Specification #652

Draft
stevespringett wants to merge 131 commits into master from 2.0-dev

Conversation

@stevespringett stevespringett commented Jun 15, 2025

Important

WORK IN PROGRESS
see Milestone for progress: https://github.com/CycloneDX/specification/milestone/2


BREAKING Changes

  • Drop schema for XML.
    To be explained further.
  • Drop schema for Protocol Buffers
    Reasoning: Downstream spec users may build on top of JSON schema.
    To be explained further.

... TBC ...

Added

... TBD ...

Changed

... TBD ...

Removed

... TBD ...

Misc

... TBD ...


Signed-off-by: Steve Springett <steve@springett.us>
@stevespringett stevespringett added this to the 2.0 milestone Jun 15, 2025
@stevespringett stevespringett self-assigned this Jun 15, 2025
@stevespringett stevespringett added the CDX 2.0 related to release v2.0 label Jun 15, 2025
@stevespringett stevespringett linked an issue Jun 15, 2025 that may be closed by this pull request
@jkowalleck jkowalleck changed the title CycloneDX v2.0 Specification [WIP] CycloneDX v2.0 Specification Jun 16, 2025
Signed-off-by: Steve Springett <steve@springett.us>
stevespringett and others added 7 commits November 11, 2025 17:20
Signed-off-by: Steve Springett <steve@springett.us>
Signed-off-by: Steve Springett <steve@springett.us>
Signed-off-by: Steve Springett <steve@springett.us>
Signed-off-by: Steve Springett <steve@springett.us>
Signed-off-by: Steve Springett <steve@springett.us>
stevespringett and others added 6 commits November 24, 2025 15:57
Signed-off-by: Steve Springett <steve@springett.us>
Signed-off-by: Steve Springett <steve@springett.us>
Signed-off-by: Steve Springett <steve@springett.us>
Signed-off-by: Steve Springett <steve@springett.us>
Signed-off-by: Basil Hess <bhe@zurich.ibm.com>
stevespringett and others added 26 commits May 4, 2026 13:11
…the various models.

Signed-off-by: Steve Springett <steve@springett.us>
Signed-off-by: Steve Springett <steve@springett.us>
Signed-off-by: Steve Springett <steve@springett.us>
Signed-off-by: Steve Springett <steve@springett.us>
Signed-off-by: Basil Hess <bhe@zurich.ibm.com>
Signed-off-by: Steve Springett <steve@springett.us>
Signed-off-by: Steve Springett <steve@springett.us>
…d value. All JSS unit tests continue to pass.

Signed-off-by: Steve Springett <steve@springett.us>
Signed-off-by: Steve Springett <steve@springett.us>
Extend the `fingerprint` definition in
`cyclonedx-cryptography-2.0.schema.json` to support custom fingerprint
algorithms alongside standard hash algorithms.

### Changes

- Replace the flat `$ref: hash` on `certificateProperties.fingerprint`
  and `relatedCryptoMaterialProperties.fingerprint` with a single central
  `$defs/fingerprint` definition
- `$defs/fingerprint` uses `oneOf` with two branches:
  - **Standard Hash** — `alg` + `content` (refs to existing
    `hashAlgorithm` / `hashValue`); fully backward compatible
  - **Custom Fingerprint** — `customAlg` + `customContent` for
    non-standard algorithms

### Backward Compatibility

Existing documents with `{"alg": "SHA-256", "content": "..."}` satisfy
the Standard Hash branch unchanged.
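As an added illustration (not code from this PR or the CycloneDX project), the `oneOf` described in the commit message above reconstructed in Python with a small evaluator, so the two branches and the exactly-one-match rule can be exercised against sample fingerprint objects; the `additionalProperties: false` constraint and the three-value hash-algorithm subset are assumptions made for this example.

```python
import re

# Reconstructed from the commit message; additionalProperties: false and the
# hashAlgorithm subset in "enum" are assumptions made for this illustration.
FINGERPRINT_SCHEMA = {
    "oneOf": [
        {   # Standard Hash: alg + content (backward compatible)
            "type": "object",
            "required": ["alg", "content"],
            "properties": {
                "alg": {"enum": ["SHA-256", "SHA-384", "SHA-512"]},
                "content": {"type": "string", "pattern": r"^[0-9a-fA-F]+$"},
            },
            "additionalProperties": False,
        },
        {   # Custom Fingerprint: customAlg + customContent
            "type": "object",
            "required": ["customAlg", "customContent"],
            "properties": {
                "customAlg": {"type": "string"},
                "customContent": {"type": "string"},
            },
            "additionalProperties": False,
        },
    ]
}


def matches(schema, value):
    """Minimal evaluator for the keywords used above (not full JSON Schema)."""
    if "oneOf" in schema:  # exactly one branch must match
        return sum(matches(s, value) for s in schema["oneOf"]) == 1
    if "enum" in schema and value not in schema["enum"]:
        return False
    if schema.get("type") == "string":
        pattern = schema.get("pattern", "")
        return isinstance(value, str) and re.search(pattern, value) is not None
    if schema.get("type") == "object":
        if not isinstance(value, dict) or any(k not in value for k in schema.get("required", [])):
            return False
        props = schema.get("properties", {})
        if schema.get("additionalProperties", True) is False and set(value) - set(props):
            return False  # an object carrying both key pairs fails both branches here
        return all(matches(props[k], v) for k, v in value.items() if k in props)
    return True


def fingerprint_branch(fp):
    """Return 'standard', 'custom', or None when the oneOf would reject fp."""
    hits = [i for i, s in enumerate(FINGERPRINT_SCHEMA["oneOf"]) if matches(s, fp)]
    return ["standard", "custom"][hits[0]] if len(hits) == 1 else None
```

The mixed case matters in review: `oneOf` rejects a document that satisfies both branches, so the branch definitions have to stay disjoint for the validation result to be the one intended.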
…king Group.

Signed-off-by: Steve Springett <steve@springett.us>
Signed-off-by: Steve Springett <steve@springett.us>
…nts from Jan

Signed-off-by: Steve Springett <steve@springett.us>
Signed-off-by: Steve Springett <steve@springett.us>
Supersedes #776 and closes #718.


I have included the change to the `component` schema as an example of
how this would look in other schemas. Once approved by TC54, I will
refactor the remaining part of the schemas to use the party model. The
refactor shall use the same pattern as the component schema and should
be considered during the review.
# Migrate enveloped signature support from JSF to JSS (ITU-T X.590)

## Summary

- Replaced legacy JSON Signature Format (JSF) with JSON Signature Scheme
(JSS) per ITU-T X.590 (10/2023). Added CycloneDX 2.0 model schema that
implements JSS
- Updated all schema files referencing signatures to use the new
`signatures` array (JSS) instead of singular `signature` object (JSF)
- Removed old JSF test (`valid-signatures-2.0.json`) and added 18
targeted JSS test cases (8 valid, 10 invalid)

This PR closes #851

All tests are **structural validations only**. Keys, certificates,
thumbprints, and signature values are illustrative and may not be
cryptographically valid. No content validation is performed.
Labels

breaking-changes CDX 2.0 related to release v2.0

Development

Successfully merging this pull request may close these issues.

CycloneDX 2.0
