Schema Support

This library has partial support for the CycloneDX specification (we continue to grow support).

The following sub-sections aim to explain what support this library provides and any known gaps in support. We do this by calling out support for data as defined in the latest CycloneDX standard specification, regardless of whether it is supported in prior versions of the CycloneDX schema.

Data Path	Supported?	Notes
`bom[@version]`	Yes
`bom[@serialNumber]`	Yes
`bom.metadata`	Yes
`bom.components`	Yes	Not supported: `modified` (as it is deprecated), `signature`.
`bom.services`	Yes	Not supported: `signature`.
`bom.externalReferences`	Yes
`bom.dependencies`	Yes	Since `2.3.0`
`bom.compositions`	No
`bom.properties`	No	See schema specification bug 130
`bom.vulnerabilities`	Yes	Note: Prior to CycloneDX 1.4, these were present under `bom.components` via a schema extension.
`bom.signature`	No