CycloneDX 2.0

[stevespringett]

CycloneDX 2.0 is a major version in active development, focused on cleaning up legacy constructs, enforcing semantic correctness, and enabling modern schema reuse and API integration. This issue tracks the scope, rationale, and technical direction of the 2.0 release.

Goals

• Modularize the specification into multiple schemas (e.g. bom, component, metadata, common, etc)
• Remove deprecated fields and legacy aliases
• Constrain properties to their correct types (e.g. cryptoProperties only on cryptographic assets)
• JSON-first focus supporting JSON Schema Draft 2020-12; potentially remove XML support
• Make the schema directly usable as a canonical model for the Ecma Transparency Exchange API
• Normalize naming and structural inconsistencies

[jkowalleck]

• Adopt JSON Schema Draft 2020-12 and drop official XML support

same for protobuf support?

[stevespringett]

same for protobuf support?

There are so many systems that use protobuf for machine-to-machine communication, that I'd like to offer official support for it, but do so in a way where we can generate the .proto from the JSON Schema at release time. I already have a partially working Python script that does this and keeps track of enum order so that we can preserve enum ordering from release to release.

[jkowalleck]

this is confusing to me.

the ticket says it will drop support for anything that is not JSON, esecially XML.
but then it says it will also provide an (autogenerated) XML schema.
and it does not say anything about ProtoBuf.

please improve the ticket, and make clear what is to be expected.
will there be any XSD? will there be any ProtoBuf Schema?

[stevespringett]

please improve the ticket,

This ticket is essentially the "epic". Details will be provided in individual subtickets (the stories). There is too much detail to put into one ticket.