Skip to content

WIP: Develop 2.0 schema for AI/ML BOM#948

Draft
mrutkows wants to merge 167 commits into
CycloneDX:masterfrom
mrutkows:2.0-dev-ai-ml
Draft

WIP: Develop 2.0 schema for AI/ML BOM#948
mrutkows wants to merge 167 commits into
CycloneDX:masterfrom
mrutkows:2.0-dev-ai-ml

Conversation

@mrutkows

@mrutkows mrutkows commented Jun 3, 2026

Copy link
Copy Markdown
Contributor

No description provided.

stevespringett and others added 30 commits June 14, 2025 20:17
@stevespringett
Initial commit
eac0ac6 
Signed-off-by: Steve Springett <steve@springett.us>
@stevespringett
Merge remote-tracking branch 'origin/master' into 2.0-dev
028c9df 
Syncing with master to incoporate v1.7 spec
@stevespringett
Syncing with master
bde33b2
@stevespringett
Revert "Syncing with master"
dae213a 
This reverts commit bde33b2.
@stevespringett
Added schema bundler and updated readme.
fbaf3de 
Signed-off-by: Steve Springett <steve@springett.us>
@stevespringett
Adding GitHub Action to combine schemas
0d74d96 
Signed-off-by: Steve Springett <steve@springett.us>
@stevespringett
Updated branches
51fbf49 
Signed-off-by: Steve Springett <steve@springett.us>
@stevespringett
Updating action
b4721e1 
Signed-off-by: Steve Springett <steve@springett.us>
@github-actions
chore: update bundled schema [skip ci]
91ec8e0
@stevespringett
Updated docgen for 2.0
c4d6c82 
Signed-off-by: Steve Springett <steve@springett.us>
@stevespringett
Added minified bundling
b6fed22 
Signed-off-by: Steve Springett <steve@springett.us>
@github-actions
chore: update bundled schemas [skip ci]
173a276
@stevespringett
Added further optimization to minified version
0427839 
Signed-off-by: Steve Springett <steve@springett.us>
@github-actions
chore: update bundled schemas [skip ci]
8668856
@stevespringett
Fixed resolution issues
c46624c 
Signed-off-by: Steve Springett <steve@springett.us>
@github-actions
chore: update bundled schemas [skip ci]
ed3eb38
@stevespringett
Added ref verification
7aceff4 
Signed-off-by: Steve Springett <steve@springett.us>
@stevespringett
Merge remote-tracking branch 'origin/2.0-dev' into 2.0-dev
70ea2fa
@stevespringett
Updated JSON Schema for Humans
dd45ceb 
Signed-off-by: Steve Springett <steve@springett.us>
@stevespringett
Initial commit of CycloneDX linter
b8abb0c 
Signed-off-by: Steve Springett <steve@springett.us>
@stevespringett
Moved bundler
f0c447b 
Signed-off-by: Steve Springett <steve@springett.us>
@stevespringett
Added lock file
41ad354 
Signed-off-by: Steve Springett <steve@springett.us>
@stevespringett
Omitting a few properties from being bundled.
319ed73 
Signed-off-by: Steve Springett <steve@springett.us>
@github-actions
chore: update bundled schemas [skip ci]
47f0ec2
@stevespringett
Added comment check
f0fcf97 
Signed-off-by: Steve Springett <steve@springett.us>
@stevespringett
Added schema version check
625b757 
Signed-off-by: Steve Springett <steve@springett.us>
@stevespringett
Ported metadata minus deprecations.
90de7cd 
Signed-off-by: Steve Springett <steve@springett.us>
@stevespringett
Ported multiple models minus deprecations and standardized id and com…
38547b6 
…ment patterns.

Signed-off-by: Steve Springett <steve@springett.us>
@stevespringett
Ported model card
9be3484 
Signed-off-by: Steve Springett <steve@springett.us>
@stevespringett
Updating indent check. Added two new checks.
4e77988 
Signed-off-by: Steve Springett <steve@springett.us>
Mehrn0ush and others added 28 commits June 22, 2026 14:31
@Mehrn0ush @mrutkows
Add AES-OCB to cryptography registry
1751dc7 
Fixes CycloneDX#884

Signed-off-by: Mehrn0ush <mehrnoush.vaseghi@gmail.com>
@jvdsn @mrutkows
Add ANSI KDFs
90d10b9 
Fixes CycloneDX#856

Signed-off-by: Joachim Vandersmissen <git@jvdsn.com>
@Mehrn0ush @mrutkows
Deduplicate MD4 and MD5 entries in cryptography registry
4e21034 
Fixes CycloneDX#878

Signed-off-by: Mehrn0ush <mehrnoush.vaseghi@gmail.com>
@jvdsn @mrutkows
Remove dash from SHA-3 hash algorithms
4fa512c 
The official name of the hash algorithms does not contain the dash.

Signed-off-by: Joachim Vandersmissen <git@jvdsn.com>
@jvdsn @mrutkows
Remove dash from EdDSA
c0fb0ec 
According to RFC8032, the names are Ed25519ph, Ed25519ctx, and Ed448ph. There is no dash.

Signed-off-by: Joachim Vandersmissen <git@jvdsn.com>
@jvdsn @mrutkows
Add hashAlgorithm to IKE-PRF
a64c8ed 
fixes CycloneDX#872 

Also changes primitive to "kdf" since this is a KDF, not a key agreement function.

Signed-off-by: Joachim Vandersmissen <git@jvdsn.com>
@stevespringett @mrutkows
Fixed JSON issue
58a5e01 
Signed-off-by: Steve Springett <steve@springett.us>
@jvdsn @mrutkows
Add SSH-KDF
72cfa71 
Signed-off-by: Joachim Vandersmissen <git@jvdsn.com>
@mrutkows
Initial plan
da1a972
@jkowalleck @mrutkows
chore: pin GitHub Actions to immutable commit SHAs
f3f6482 
Agent-Logs-Url: https://github.com/CycloneDX/specification/sessions/0e454f4f-9adc-4521-b5b7-c3685851a0dc

Co-authored-by: jkowalleck <2765863+jkowalleck@users.noreply.github.com>
@jkowalleck @mrutkows
chore(workflows): add zizmor security gate and harden Actions credent…
dc843c7 
…ial handling (CycloneDX#925)

This PR adds a [zizmor](https://github.com/woodruffw/zizmor)
security-scanning workflow and hardens the existing GitHub Actions
workflows against credential-leakage risks.

Changes include:
- New `.github/workflows/zizmor.yml` that runs the zizmor
static-analysis tool on every push and pull-request, and on
`dependabot.yml` changes.
- All `actions/checkout` steps now use `persist-credentials: false` to
avoid leaving GitHub tokens in the workspace.
- All third-party Actions are pinned to their full commit SHA (with a
human-readable version comment) so supply-chain substitutions are
detectable.
- A cooldown configuration block added to `dependabot.yml` to reduce
noise from automated updates.

fixes CycloneDX#924

---------

Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com>
Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: jkowalleck <2765863+jkowalleck@users.noreply.github.com>
Co-authored-by: Jan Kowalleck <jan.kowalleck@owasp.org>
Co-authored-by: Jan Kowalleck <jan.kowalleck@gmail.com>
@jkowalleck @mrutkows
chore: bump schema versions for upcoming changes
ca68e7a 
Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com>
@wiebe-vandendriessche @mrutkows
fix: allow multiple entries for ModelCard considerations lists in xml…
a218d57 
… (so it matches the json spec)

Signed-off-by: wievdndr <wiebe.vandendriessche@ugent.be>
@wiebe-vandendriessche @mrutkows
test: Add second entry for users, useCases, technicalLimitations, and
157d29b 
performanceTradeoffs in valid-machine-learning-*.xml test files to
verify the schema correctly validates multiple entries for these fields.

Signed-off-by: wievdndr <wiebe.vandendriessche@ugent.be>
@wiebe-vandendriessche @mrutkows
fix: add test cases for all supported formats
1890396 
Signed-off-by: wievdndr <wiebe.vandendriessche@ugent.be>
@Mehrn0ush @mrutkows
fix: correct BLS12 algorithm pattern
5b2ad50 
Signed-off-by: Mehrn0ush <mehrnoush.vaseghi@gmail.com>
@Mehrn0ush @mrutkows
fix: correct GOST 28147 algorithm names
c16e29a 
Signed-off-by: Mehrn0ush <mehrnoush.vaseghi@gmail.com>
@dependabot @mrutkows
chore(deps): bump shivammathur/setup-php from 2.37.0 to 2.37.1
3a7526b 
Bumps [shivammathur/setup-php](https://github.com/shivammathur/setup-php) from 2.37.0 to 2.37.1.
- [Release notes](https://github.com/shivammathur/setup-php/releases)
- [Commits](shivammathur/setup-php@accd612...7c071df)

---
updated-dependencies:
- dependency-name: shivammathur/setup-php
  dependency-version: 2.37.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot @mrutkows
chore(deps): bump zizmorcore/zizmor-action from 0.5.3 to 0.5.6
6922a52 
Bumps [zizmorcore/zizmor-action](https://github.com/zizmorcore/zizmor-action) from 0.5.3 to 0.5.6.
- [Release notes](https://github.com/zizmorcore/zizmor-action/releases)
- [Commits](zizmorcore/zizmor-action@b1d7e1f...5f14fd0)

---
updated-dependencies:
- dependency-name: zizmorcore/zizmor-action
  dependency-version: 0.5.6
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
@jkowalleck @mrutkows
ci: pinned action comments exact versions
099448d 
Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com>
@jkowalleck @mrutkows
chore: adjust zizmor
b7644fc 
Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com>
@jkowalleck @mrutkows
chore: adjust zizmor
d324050 
Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com>
@jkowalleck @mrutkows
wip
5fc7545 
Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com>
@jkowalleck @mrutkows
wip
3b95b6e 
Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com>
@jkowalleck @mrutkows
wip
478fc66 
Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com>
@jkowalleck @mrutkows
wip
97bc955 
Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com>
@mrutkows
Add AI/ML schema and update .gitignore
6062ab9
@mrutkows
Encode the AI/ML schema draft for v2.0
a3cfd5e 
Signed-off-by: Matt Rutkowski <mrutkows@us.ibm.com>
@mrutkows
Encode the AI/ML schema draft for v2.0
2c07996 
Signed-off-by: Matt Rutkowski <mrutkows@us.ibm.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

@mrutkows mrutkows

Labels

cap: ai/ml Capability: AI/ML CDX 2.0 related to release v2.0 draft format: JSON

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

8 participants

@mrutkows @stevespringett @bhess @Mehrn0ush @jkowalleck @jvdsn @wiebe-vandendriessche