Skip to content

WIP: Develop 2.0 schema for AI/ML BOM#948

Draft
mrutkows wants to merge 120 commits into
CycloneDX:masterfrom
mrutkows:2.0-dev-ai-ml
Draft

WIP: Develop 2.0 schema for AI/ML BOM#948
mrutkows wants to merge 120 commits into
CycloneDX:masterfrom
mrutkows:2.0-dev-ai-ml

Conversation

@mrutkows

@mrutkows mrutkows commented Jun 3, 2026

Copy link
Copy Markdown
Contributor

No description provided.

stevespringett and others added 30 commits June 14, 2025 20:17
@stevespringett
Initial commit
eac0ac6 
Signed-off-by: Steve Springett <steve@springett.us>
@stevespringett
Initial commit
9265fba 
Signed-off-by: Steve Springett <steve@springett.us>
@stevespringett
Added requirement prototype
513ef74 
Signed-off-by: Steve Springett <steve@springett.us>
@stevespringett
Initial checkin of blueprint and threat model support
83ce9d0 
Signed-off-by: Steve Springett <steve@springett.us>
Adding threat models
f4d10d4 
Signed-off-by: steve.springett <steve.springett@servicenow.com>
@stevespringett
Merge remote-tracking branch 'origin/master' into 2.0-dev
028c9df 
Syncing with master to incoporate v1.7 spec
@stevespringett
Syncing with master
bde33b2
@stevespringett
Revert "Syncing with master"
dae213a 
This reverts commit bde33b2.
@stevespringett
Merge remote-tracking branch 'origin/master' into 2.0-dev-threatmodeling
833bcc1
@stevespringett
Merge remote-tracking branch 'origin/2.0-dev' into 2.0-dev-threatmode…
e124ae5 
…ling
@stevespringett
Added schema bundler and updated readme.
fbaf3de 
Signed-off-by: Steve Springett <steve@springett.us>
@stevespringett
Adding GitHub Action to combine schemas
0d74d96 
Signed-off-by: Steve Springett <steve@springett.us>
@stevespringett
Updated branches
51fbf49 
Signed-off-by: Steve Springett <steve@springett.us>
@stevespringett
Updating action
b4721e1 
Signed-off-by: Steve Springett <steve@springett.us>
@github-actions
chore: update bundled schema [skip ci]
91ec8e0
@stevespringett
Updated docgen for 2.0
c4d6c82 
Signed-off-by: Steve Springett <steve@springett.us>
@stevespringett
Added minified bundling
b6fed22 
Signed-off-by: Steve Springett <steve@springett.us>
@github-actions
chore: update bundled schemas [skip ci]
173a276
@stevespringett
Added further optimization to minified version
0427839 
Signed-off-by: Steve Springett <steve@springett.us>
@github-actions
chore: update bundled schemas [skip ci]
8668856
@petra-dv
Modified risk and model schemas
7a04e95
@stevespringett
Fixed resolution issues
c46624c 
Signed-off-by: Steve Springett <steve@springett.us>
@github-actions
chore: update bundled schemas [skip ci]
ed3eb38
@stevespringett
Added ref verification
7aceff4 
Signed-off-by: Steve Springett <steve@springett.us>
@stevespringett
Merge remote-tracking branch 'origin/2.0-dev' into 2.0-dev
70ea2fa
@stevespringett
Updated JSON Schema for Humans
dd45ceb 
Signed-off-by: Steve Springett <steve@springett.us>
@stevespringett
Initial commit of CycloneDX linter
b8abb0c 
Signed-off-by: Steve Springett <steve@springett.us>
@stevespringett
Moved bundler
f0c447b 
Signed-off-by: Steve Springett <steve@springett.us>
@stevespringett
Added lock file
41ad354 
Signed-off-by: Steve Springett <steve@springett.us>
@stevespringett
Omitting a few properties from being bundled.
319ed73 
Signed-off-by: Steve Springett <steve@springett.us>
stevespringett and others added 4 commits March 26, 2026 23:31
@stevespringett
correted json syntax
935364b 
Signed-off-by: Steve Springett <steve@springett.us>
@github-actions
chore: update bundled schemas [skip ci]
27282d3
@stevespringett
Added mockups
54d16af 
Signed-off-by: Steve Springett <steve@springett.us>
@stevespringett
Major updates to threatmodeling and bluepring schemas and their relat…
21ca15a 
…ed schemas. Supersedes and closes CycloneDX#777.

Signed-off-by: Steve Springett <steve@springett.us>
@mrutkows mrutkows self-assigned this Jun 3, 2026
@mrutkows mrutkows added draft format: JSON CDX 2.0 related to release v2.0 cap: ai/ml Capability: AI/ML labels Jun 3, 2026
stevespringett and others added 17 commits June 5, 2026 15:49
@stevespringett
WIP 2.0 threat-modeling schema set
8a14716 
- threat: rewrite into `threat` (catalog) plus `threatScenario` (realization); add attackTree, methodology-gated categories, trustBoundary, threatProfiles
- weakness: created new cyclonedx-weakness-2.0 model
- vulnerability: replace `cwes` with `weaknesses`
- profile: added threatProfiles to threat model;
- risk: add `risks` collection, fix kebab-case, drop orphan control
- behavior, usecase, requirement: refLinkType refs, required bom-ref, uniqueItems
- root: wire in `threats` and `risks`
- tests: update vulnerability test for 2.0

BREAKING: removes vulnerability.cwes and common.weakness.
Signed-off-by: Steve Springett <steve@springett.us>
@stevespringett
Minor refactor and expansion of risk schema
cf91c5c 
Signed-off-by: Steve Springett <steve@springett.us>
@stevespringett
Removed unnecessary risk scenario. Added related vulnerabilities and …
05375fd 
…weaknesses. Added assessments - was previously orphaned. Minor other changes.

Signed-off-by: Steve Springett <steve@springett.us>
@stevespringett
Minor changes to incorporate risks into CDXA
e14fa3f 
Signed-off-by: Steve Springett <steve@springett.us>
@stevespringett
Minor updates to assessment
c6956ea 
Signed-off-by: Steve Springett <steve@springett.us>
@stevespringett
Minor refactoring of specific parts of blueprint schema along with so…
d305f2e 
…me enhancements and corrections to the risk and threat schema.

Signed-off-by: Steve Springett <steve@springett.us>
@stevespringett
Corrected mediaType reference issue
354baf4 
Signed-off-by: Steve Springett <steve@springett.us>
@stevespringett
Removed methodology. Provided little value
f30e142 
Signed-off-by: Steve Springett <steve@springett.us>
@stevespringett
Refactor of how behaviors are represented to account for truly event-…
d5aa9b0 
…based scenarios (eg state machines) which cannot be represented in linear flows.

Signed-off-by: Steve Springett <steve@springett.us>
@stevespringett
Minor refactor to introduce blueprint relaltionships.
3dca97b 
Signed-off-by: Steve Springett <steve@springett.us>
@stevespringett
Added data relationships and a few minor other things
d262ad8 
Signed-off-by: Steve Springett <steve@springett.us>
@stevespringett
Added session management and a few other minor changes
43e8455 
Signed-off-by: Steve Springett <steve@springett.us>
@stevespringett
Added qualitative-matrix
6735876 
Signed-off-by: Steve Springett <steve@springett.us>
@stevespringett
Added threat origin
f011423 
Signed-off-by: Steve Springett <steve@springett.us>
@stevespringett
2.0 dev threatmodeling staging (CycloneDX#951)
cc44d4b 
A series of enhancements, corrections, and minor refactors of some of
the schemas supporting threat modeling.
@stevespringett
Added control as first-class citizen and expanded use of controls to …
6ec41a6 
…related areas in the spec.

Signed-off-by: Steve Springett <steve@springett.us>
@mrutkows
Preserve .gitignore and cyclonedx-ai-ml-2.0.schema.json from 2.0-dev-…
4f57bbb 
…ai-ml branch
mrutkows added 3 commits June 15, 2026 16:05
@mrutkows
Encode the AI/ML schema draft for v2.0
5ee716f 
Signed-off-by: Matt Rutkowski <mrutkows@us.ibm.com>
@mrutkows
Encode the AI/ML schema draft for v2.0
32f7c56 
Signed-off-by: Matt Rutkowski <mrutkows@us.ibm.com>
@mrutkows
Encode the AI/ML schema draft for v2.0
550769f 
Signed-off-by: Matt Rutkowski <mrutkows@us.ibm.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

@mrutkows mrutkows

Labels

cap: ai/ml Capability: AI/ML CDX 2.0 related to release v2.0 draft format: JSON

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@mrutkows @stevespringett @petra-dv @bhess