
CycloneDX 1.7

SBOM Observer now supports importing CycloneDX 1.7 SBOMs.

Distribution constraints

We have added the following field to the attestation index model:

  • distributionConstraints — Specifies the Traffic Light Protocol (TLP) classification for sharing and distribution of this BOM's data or components.

CycloneDX 1.7 introduces the concept of distribution constraints, which are used to specify the Traffic Light Protocol (TLP) classification for sharing and distribution of the BOM's data or components.

The CycloneDX 1.7 specification defines the following values:

  • "CLEAR" — No restrictions on sharing.
  • "GREEN" — Limited disclosure; may be shared within the recipient's community, but not publicly.
  • "AMBER" — Limited disclosure; share only on a need-to-know basis within the organization and with clients.
  • "AMBER_AND_STRICT" — Limited disclosure; share only on a need-to-know basis within the organization.
  • "RED" — Restricted; may only be shared with individual recipients and not forwarded.

Component fields

We have added the following fields to the component index model:

  • scope — Scope of use for the component.
  • isExternal — An external component is one that is not part of an assembly, but is expected to be provided by the environment, regardless of the component's scope.
  • versionRange — For an external component, this specifies the accepted version range.
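The example below is an added illustration of how a consumer might act on the two groups of fields described above; it is not SBOM Observer's code and does not reflect its index model. It assumes, from the CycloneDX 1.7 JSON schema, that the TLP label sits at `metadata.distributionConstraints.tlp` and that `scope`, `isExternal` and `versionRange` are properties of each entry in `components`; the SBOM document is constructed sample data, and the audience names and the fail-closed handling of a missing or unrecognised label are this example's own policy choices.

```python
import json

# Constructed CycloneDX 1.7 document (sample data, not a real SBOM).
SAMPLE_BOM = json.loads("""
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.7",
  "version": 1,
  "metadata": {
    "distributionConstraints": { "tlp": "AMBER" },
    "component": { "type": "application", "name": "inventory-service", "version": "2.4.0" }
  },
  "components": [
    { "type": "library", "name": "libfoo", "version": "1.2.3", "scope": "required" },
    { "type": "library", "name": "openssl", "scope": "required",
      "isExternal": true, "versionRange": "vers:generic/>=3.0.0|<4.0.0" },
    { "type": "library", "name": "test-helpers", "version": "0.9", "scope": "excluded" }
  ]
}
""")

# Audience names are this example's own vocabulary, broadest to narrowest.
PUBLIC, COMMUNITY, CLIENTS, ORGANIZATION, NAMED_RECIPIENTS = (
    "public", "community", "clients", "organization", "named_recipients")

# Which audiences each TLP label permits, read straight from the label
# definitions in the CycloneDX 1.7 specification text.
ALLOWED_AUDIENCES = {
    "CLEAR":            {PUBLIC, COMMUNITY, CLIENTS, ORGANIZATION, NAMED_RECIPIENTS},
    "GREEN":            {COMMUNITY, CLIENTS, ORGANIZATION, NAMED_RECIPIENTS},
    "AMBER":            {CLIENTS, ORGANIZATION, NAMED_RECIPIENTS},
    "AMBER_AND_STRICT": {ORGANIZATION, NAMED_RECIPIENTS},
    "RED":              {NAMED_RECIPIENTS},
}


def tlp_of(bom):
    """Return the TLP label declared in metadata.distributionConstraints, or None."""
    constraints = bom.get("metadata", {}).get("distributionConstraints") or {}
    return constraints.get("tlp")


def may_share(bom, audience):
    """Policy check: may this BOM be distributed to the given audience?

    Fails closed: a BOM with no label, or with a label outside the
    specification's enumeration, is not shared with anyone.
    """
    label = tlp_of(bom)
    if label not in ALLOWED_AUDIENCES:
        return False
    return audience in ALLOWED_AUDIENCES[label]


def external_components(bom):
    """List (name, versionRange) for components the environment is expected to provide."""
    return [
        (c.get("name"), c.get("versionRange"))
        for c in bom.get("components", [])
        if c.get("isExternal") is True
    ]


def components_by_scope(bom, scope):
    """Names of components whose declared scope matches, e.g. 'required' or 'excluded'."""
    return [c.get("name") for c in bom.get("components", []) if c.get("scope") == scope]


if __name__ == "__main__":
    print("TLP:", tlp_of(SAMPLE_BOM))
    for audience in (PUBLIC, COMMUNITY, CLIENTS, ORGANIZATION, NAMED_RECIPIENTS):
        print(f"  share with {audience:17s}: {may_share(SAMPLE_BOM, audience)}")
    print("External components:", external_components(SAMPLE_BOM))
    print("Excluded components:", components_by_scope(SAMPLE_BOM, "excluded"))
```

Two design points are worth noting. The sharing check treats an absent `distributionConstraints` block as "do not share" rather than as CLEAR, because the safe reading of an unlabelled document is the restrictive one; a pipeline that publishes SBOMs to a portal or partner should make that default explicit. External components carry no fixed `version`, so their `versionRange` is what a vulnerability match has to be evaluated against, which is a different query from the exact-version lookup used for ordinary components.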

Future work

CycloneDX 1.7 contains a number of improvements for CBOM use-cases which will be part of a future release.