OWASP CycloneDX is a full-stack Bill of Materials (BOM) standard that provides advanced supply chain capabilities for cyber risk reduction. SBOM, SaaSBOM, HBOM, AI/ML-BOM, CBOM, OBOM, MBOM, VDR, and VEX
Currently, an SBOM could be declared as `aggregate=complete` without offering any evidence. Ideally, suitable evidence should be presented under `declarations.evidence` for such claims, using the `bom-ref` as the link.
Currently, only an author is allowed for evidence. This could be enhanced to support tools (components or services), since some of these declarations could be partly automated.
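As an added example (not the issue author's words and not CycloneDX project code), here is the kind of check this proposal implies: a small Python lint that walks a CycloneDX 1.6 JSON BOM and reports every composition declared `aggregate=complete` that is not backed by at least one resolvable entry under `declarations.evidence`. It assumes the link is expressed as a `declarations.claims` entry whose `target` is the composition's `bom-ref` and whose `evidence` array lists `bom-ref`s of evidence entries; that pairing is an assumption, the field names otherwise follow the 1.6 JSON schema. The sample BOM is constructed for the example.

```python
"""Lint a CycloneDX 1.6 JSON BOM for compositions declared aggregate=complete
that carry no resolvable evidence under declarations.evidence.

Added example, not CycloneDX project code. Assumed linking convention:
a declarations.claims entry whose "target" is the composition's bom-ref
and whose "evidence" array lists bom-refs of declarations.evidence entries.
"""
import json

# Constructed sample BOM (not a real product). comp-deps is complete and
# backed by evidence; comp-vulns is complete but its claim points at an
# evidence bom-ref that does not exist; comp-asm is complete with no claim
# at all; comp-services is honestly incomplete and needs no evidence.
SAMPLE_BOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.6",
    "version": 1,
    "components": [
        {"type": "library", "bom-ref": "pkg:pypi/requests@2.32.3",
         "name": "requests", "version": "2.32.3"}
    ],
    "compositions": [
        {"bom-ref": "comp-deps", "aggregate": "complete",
         "dependencies": ["pkg:pypi/requests@2.32.3"]},
        {"bom-ref": "comp-vulns", "aggregate": "complete",
         "vulnerabilities": []},
        {"bom-ref": "comp-asm", "aggregate": "complete",
         "assemblies": ["pkg:pypi/requests@2.32.3"]},
        {"bom-ref": "comp-services", "aggregate": "incomplete",
         "dependencies": []}
    ],
    "declarations": {
        "claims": [
            {"bom-ref": "claim-deps-complete", "target": "comp-deps",
             "predicate": "The dependency graph is complete",
             "evidence": ["ev-lockfile"]},
            {"bom-ref": "claim-vulns-complete", "target": "comp-vulns",
             "predicate": "The vulnerability list is complete",
             "evidence": ["ev-does-not-exist"]}
        ],
        "evidence": [
            {"bom-ref": "ev-lockfile",
             "description": "Resolved lockfile the dependency graph was generated from",
             "author": {"name": "Release engineering"},
             "data": [{"name": "poetry.lock", "classification": "public"}]}
        ]
    }
})


def unevidenced_complete_compositions(bom: dict) -> list[tuple[str, str]]:
    """Return (composition bom-ref, reason) for every composition declared
    aggregate=complete that is not backed by a resolvable evidence entry."""
    decl = bom.get("declarations", {})
    evidence_refs = {e["bom-ref"] for e in decl.get("evidence", []) if e.get("bom-ref")}

    # Index claims by the bom-ref they target (assumed link to the composition).
    claims_by_target: dict[str, list[dict]] = {}
    for claim in decl.get("claims", []):
        claims_by_target.setdefault(claim.get("target"), []).append(claim)

    findings = []
    for comp in bom.get("compositions", []):
        if comp.get("aggregate") != "complete":
            continue  # only "complete" is a claim strong enough to need evidence
        ref = comp.get("bom-ref")
        if not ref:
            findings.append(("<no bom-ref>", "complete composition has no bom-ref to link evidence to"))
            continue
        claims = claims_by_target.get(ref, [])
        if not claims:
            findings.append((ref, "no claim targets this composition"))
            continue
        linked = {ev for c in claims for ev in c.get("evidence", [])}
        if not linked:
            findings.append((ref, "claim lists no evidence"))
        elif not linked & evidence_refs:
            missing = ", ".join(sorted(linked - evidence_refs))
            findings.append((ref, "evidence refs do not resolve: " + missing))
    return findings


def lint_bom_json(text: str) -> list[tuple[str, str]]:
    """Parse a CycloneDX JSON document and run the completeness check."""
    return unevidenced_complete_compositions(json.loads(text))


if __name__ == "__main__":
    for ref, why in lint_bom_json(SAMPLE_BOM):
        print(f"{ref}: declared complete but {why}")
```

A dangling evidence reference is reported separately from a missing claim on purpose: the first is a broken BOM that a generator bug or a later edit produced, the second is exactly the unsupported `aggregate=complete` the proposal is about.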