This library has partial support for the CycloneDX specification (we continue to grow support).
The following sub-sections aim to explain what support this library provides and any known gaps in support. We do this by calling out support for data as defined in the latest CycloneDX standard specification, regardless of whether it is supported in prior versions of the CycloneDX schema.
| Data Path | Supported? | Notes |
|---|---|---|
bom[@version] |
Yes | |
bom[@serialNumber] |
Yes | |
bom.metadata |
Yes | Not supported: lifecycles |
bom.components |
Yes | Not supported: modified (as it is deprecated), modelCard, data, signature. |
bom.services |
Yes | Not supported: signature. |
bom.externalReferences |
Yes | |
bom.dependencies |
Yes | Since 2.3.0 |
bom.compositions |
Yes | Since 7.4.0 |
bom.properties |
Yes | Supported when outputting to Schema Version >= 1.5. See schema specification bug 130 |
bom.vulnerabilities |
Yes | Note: Prior to CycloneDX 1.4, these were present under bom.components via a schema extension.
Note: As of cyclonedx-python-lib >3.0.0, Vulnerability are modelled differently |
bom.annotations |
No | |
bom.formulation |
No | |
bom.declarations |
No | |
bom.definitions |
No | |
bom.signature |
No |
| Internal Model | Supported? | Notes |
|---|---|---|
ComponentEvidence |
Yes | Not currently supported: callstack, identity, occurrences. |
DisjunctiveLicense |
Yes | Not currently supported: @bom-ref, licensing, properties. |
LicenseExpression |
Yes | Not currently supported: @bom-ref |
OrganizationalContact |
Yes | Not currently supported: @bom-ref |
OrganizationalEntity |
Yes | Not currently supported: @bom-ref |