Refactor code structure for improved readability and maintainability; optimize performance in key functions.
docs/migration/cyclonedx-1-6-to-1-7.md
Normal file, 31 lines added
@@ -0,0 +1,31 @@
# CycloneDX 1.6 to 1.7 migration

## Summary
- Default SBOM output is now CycloneDX 1.7 (JSON and Protobuf).
- CycloneDX 1.6 ingestion remains supported for backward compatibility.
- VEX exports include CycloneDX 1.7 fields for ratings, sources, and affected versions.

## What changed
- `specVersion` is emitted as `1.7`.
- Media types include explicit 1.7 versions:
  - `application/vnd.cyclonedx+json; version=1.7`
  - `application/vnd.cyclonedx+protobuf; version=1.7`
- VEX documents may now include:
  - `vulnerability.ratings[]` with CVSS v4/v3/v2 metadata
  - `vulnerability.source` with provider and PURL/URL reference
  - `vulnerability.affects[].versions[]` entries

## Required updates for consumers
1. Update Accept and Content-Type headers to request or send CycloneDX 1.7.
2. If you validate against JSON schemas, switch to the CycloneDX 1.7 schema.
3. Ensure parsers ignore unknown fields for forward compatibility.
4. Update OCI referrer media types to the 1.7 values.

## Compatibility notes
- CycloneDX 1.6 SBOMs are still accepted on ingest.
- CycloneDX 1.7 is the default output on Scanner and export surfaces.

## References
- CycloneDX 1.7 specification: https://cyclonedx.org/docs/1.7/
- Scanner architecture: `docs/modules/scanner/architecture.md`
- SBOM service architecture: `docs/modules/sbomservice/architecture.md`
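Review bot: step 1 under "Required updates for consumers" tells clients to change their Accept headers, but nothing on the page says whether `Accept: application/vnd.cyclonedx+json; version=1.6` still returns a 1.6 document after this change; the compatibility notes only cover ingest, so a consumer whose schema validation (step 2) is still pinned to 1.6 has no documented way to keep receiving 1.6 output. Please state either that 1.6 can still be negotiated on export or that 1.6 support is ingest-only. Step 4 (OCI referrer media types) has a related gap: referrers are discovered by artifact type, so once new SBOMs are attached under the 1.7 media type, a client that queries only the 1.7 type will not see SBOMs already attached under the 1.6 type; say whether existing referrers are re-attached or whether clients must query both types during the transition. Also worth checking against the spec page linked under References: the page lists `application/vnd.cyclonedx+protobuf` for Protobuf, so confirm that matches the media type the specification defines for that format. Finally, "VEX documents may now include" followed by `ratings[]`, `source` and `affects[].versions[]` reads as if these fields are new in 1.7; if 1.6 exports already carried them, say what actually changed (for example which fields are populated for the first time), since the current wording will lead consumers to assume 1.6 exports lacked them.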