feat: Add support for TLP marking in metadata #604
jkowalleck merged 11 commits into CycloneDX:1.7-dev from
Signed-off-by: anthonyharrison <anthony.p.harrison@gmail.com>
CycloneDX#595) Signed-off-by: anthonyharrison <anthony.p.harrison@gmail.com>
For backwards compatibility reasons, I would not set "CLEAR" as the default value. CLEAR means a decision actively was made, right? In JSON, this would mean no default is defined, and the property is optional.
I see CLEAR as the default when the user makes no choice, as the user is more likely to explicitly state one of the other values (which indicates that he has thought about the constraints as regards sharing the BOM). Personally, I would prefer to see all BOMs have the TLP value explicitly stated, but that is possibly too much to expect at this stage.
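The two readings above (absence means "no decision recorded" versus absence means CLEAR) matter most to a consumer deciding whether a BOM may be forwarded. The following is an added example, not code from the CycloneDX project or this PR: it gates redistribution on the marking using the TLP 2.0 semantics published by FIRST. The field path `metadata.distribution.tlp` and the exact spelling of the labels (in particular `AMBER+STRICT`) are assumptions to be checked against the released 1.7 schema; the sample BOMs are constructed inline.

```python
"""Gate redistribution of a CycloneDX BOM on its TLP marking.

Added example, not code from the CycloneDX project. It assumes the marking
lives at metadata.distribution.tlp and uses the TLP 2.0 labels published
by FIRST; check both against the released bom-1.7 schema before relying on it.
"""
import json
from typing import Optional

# TLP 2.0 labels, least to most restrictive. The exact spelling of the
# "AMBER+STRICT" label in the schema enum is an assumption.
TLP_LABELS = ("CLEAR", "GREEN", "AMBER", "AMBER+STRICT", "RED")

# Who a recipient may forward the BOM to under each label (TLP 2.0 semantics):
#   named        - the recipients the producer explicitly addressed
#   organization - the recipient's own organization
#   clients      - the recipient's clients, on a need-to-know basis
#   community    - peers and partner organizations in the recipient's community
#   public       - anyone
ALLOWED_AUDIENCES = {
    "CLEAR":        {"named", "organization", "clients", "community", "public"},
    "GREEN":        {"named", "organization", "clients", "community"},
    "AMBER":        {"named", "organization", "clients"},
    "AMBER+STRICT": {"named", "organization"},
    "RED":          {"named"},
}
AUDIENCES = ALLOWED_AUDIENCES["CLEAR"]


def tlp_marking(bom: dict) -> Optional[str]:
    """Return the BOM's TLP label, or None when the BOM carries no marking.

    An unknown label is an error, not a silent downgrade to CLEAR: the
    producer asserted a constraint that this consumer cannot interpret.
    """
    label = bom.get("metadata", {}).get("distribution", {}).get("tlp")
    if label is None:
        return None
    if label not in TLP_LABELS:
        raise ValueError(f"unknown TLP label {label!r}; expected one of {TLP_LABELS}")
    return label


def may_share(bom: dict, audience: str, unmarked_as: Optional[str] = None) -> bool:
    """Decide whether `bom` may be forwarded to `audience`.

    `unmarked_as` selects how to treat the ambiguous case discussed in the review:
      None    - absence records no decision, so refuse to forward (safe default)
      "CLEAR" - treat an unmarked BOM as CLEAR, i.e. freely shareable
    """
    if audience not in AUDIENCES:
        raise ValueError(f"unknown audience {audience!r}")
    label = tlp_marking(bom)
    if label is None:
        if unmarked_as is None:
            return False
        if unmarked_as not in TLP_LABELS:
            raise ValueError(f"unknown fallback label {unmarked_as!r}")
        label = unmarked_as
    return audience in ALLOWED_AUDIENCES[label]


def sample_bom(tlp: Optional[str] = None) -> dict:
    """Constructed minimal 1.7 BOM for the examples; not from the spec's test data."""
    doc = {
        "bomFormat": "CycloneDX",
        "specVersion": "1.7",
        "version": 1,
        "metadata": {"component": {"type": "application", "name": "demo-app"}},
    }
    if tlp is not None:
        doc["metadata"]["distribution"] = {"tlp": tlp}
    return json.loads(json.dumps(doc))  # round-trip, as a consumer would receive it


if __name__ == "__main__":
    amber = sample_bom("AMBER")
    print("AMBER -> clients:", may_share(amber, "clients"))      # True
    print("AMBER -> community:", may_share(amber, "community"))  # False
    unmarked = sample_bom()
    print("unmarked -> public (strict):", may_share(unmarked, "public"))                        # False
    print("unmarked -> public (as CLEAR):", may_share(unmarked, "public", unmarked_as="CLEAR"))  # True
```

The `unmarked_as` parameter is the whole point: with the schema defining no default, a consumer has to choose a policy for unmarked BOMs, and the conservative choice is to refuse forwarding until the producer states a label. A label outside the enum is rejected rather than mapped to anything, so a typo in a producer's marking can only fail closed.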
…d documentation (fixes CycloneDX#595) Signed-off-by: anthonyharrison <anthony.p.harrison@gmail.com>
Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com>
Review comment on tools/src/test/resources/1.7/valid-metadata-distribution-1.7.textproto (outdated, resolved)
I'll try to fix the open issues ASAP
…on (fixes CycloneDX#595) Signed-off-by: anthonyharrison <anthony.p.harrison@gmail.com>
# Conflicts:
#	schema/bom-1.7.proto
#	schema/bom-1.7.schema.json
#	schema/bom-1.7.xsd
@anthonyharrison, the current state looks promising. According to the CycloneDX working model, the next step would be to move from "prototype" to "draft", meaning the community review phase (RFC) would start.
@jkowalleck Let's go to the next stage and see what the community thinks. I have no outstanding changes.
RFC notice sent.
Public RFC period ends April 13, 2025
All current discussions are basically too late. Public RFC ended on the 13th of April. This feature is promoted to become standardized under Ecma. Vote will be on the 1st of May. Please do not alter the current state last minute.
This feature was just approved by Ecma TC54 👍
## Fixed

* XML schema: add type for `ComponentData` sub-elements ([#600] via [#601])
* JSON schema: added the correct `deprecated` mark for already deprecated structures (via [a973a6b])

## Deprecated

* Deprecated various fields and structures related to _cryptographic transparency_ - _CBOM_. (via [#657])
  Use the newly added structures and fields for detailing the information instead.

## Changed

* Extended the scope of _formulations_. (via [#647])
  From now on, _formulations_ may be used to describe how any referencable object within the BOM came together, including components, services, metadata, declarations, or the BOM itself. Before, it was restricted to components and services.

## Added

* Support for _external components_ with _version-ranges_ ([#321] via [#586])
* Support for _multiple_ SPDX License Expressions alongside with other licenses ([#454] via [#582])
* Support for _Streebog hashing algorithm_ ([#485] via [#525])
* Support for license expression _details and properties_ ([#549], [#554] via [#599])
* Support for expressing BOM distribution constraints with the _Traffic Light Protocol_ (TLP) in metadata ([#595] via [#604], [#653])
* Support for representing _patent information_ ([#596] via [#597])
* Support for _properties_ on external-references ([#608] via [#610])
* Support for _citations_ ([#630] via [#629])
* Support for detailing _cryptographic transparency_ information - _CBOM_ ([#569] via [#657])

## Documentation

* Elaborated component classification "platform", explicitly expressed that it includes just-in-time compilers and interpreters ([#233] via [#647])
* Removed the term "optional" from the schema where the definition was already unambiguous ([#616], [#649] via [#680])

## Test data

* Add test data for CycloneDX 1.7 implementations in XML, JSON, Protobuf

[#233]: CycloneDX/specification#233
[#321]: CycloneDX/specification#321
[#454]: CycloneDX/specification#454
[#485]: CycloneDX/specification#485
[#525]: CycloneDX/specification#525
[#549]: CycloneDX/specification#549
[#554]: CycloneDX/specification#554
[#569]: CycloneDX/specification#569
[#582]: CycloneDX/specification#582
[#586]: CycloneDX/specification#586
[#595]: CycloneDX/specification#595
[#596]: CycloneDX/specification#596
[#597]: CycloneDX/specification#597
[#599]: CycloneDX/specification#599
[#600]: CycloneDX/specification#600
[#601]: CycloneDX/specification#601
[#604]: CycloneDX/specification#604
[#608]: CycloneDX/specification#608
[#610]: CycloneDX/specification#610
[#616]: CycloneDX/specification#616
[#629]: CycloneDX/specification#629
[#630]: CycloneDX/specification#630
[#647]: CycloneDX/specification#647
[#649]: CycloneDX/specification#649
[#653]: CycloneDX/specification#653
[#657]: CycloneDX/specification#657
[#680]: CycloneDX/specification#680
[a973a6b]: CycloneDX/specification@a973a6b

----

- fixes #233
- fixes #321
- fixes #454
- fixes #485
- fixes #549
- fixes #554
- fixes #595
- fixes #596
- fixes #600
- fixes #608
- fixes #629
- fixes #616
- fixes #649
As discussed in ticket #595, this PR adds TLP marking in the BOM metadata.
This PR supersedes #603
fixes #595