
What’s New in CycloneDX 1.7

December 10, 2025 · 3 min read·Andy Drukarev

The newest version of the CycloneDX (CDX) bill of materials specification, CDX v1.7, was released in late October of 2025. CycloneDX 1.7 doesn’t represent a huge shift from 1.6 — it’s fully backward compatible with CDX versions 1.4 through 1.6 — but teams focused on due diligence, patent matters, and cryptographic governance will likely find several useful additions in the new standard.

Here’s a brief breakdown of the most significant changes in CycloneDX v1.7.

CycloneDX has traditionally been viewed as the more security-focused of the two primary SBOM formats (and SPDX the more IP legal and compliance-focused), but that distinction no longer really holds.

Case in point: Following the addition of support for commercial software licenses in CDX v1.5, CDX v1.7 introduces new metadata fields that communicate patent information; this enables SBOM producers to refer to patents or patent families associated with a component. We can see this being particularly valuable for teams going through a technical due diligence audit.

The new patent-related fields are represented as “Patent Assertions.” Each assertion identifies the “asserter” (a person or organization), the kind of assertion being made about the patent(s) associated with the given component (e.g. “ownership,” “license,” “exclusive-rights,” etc.), and a notes field.

Structured Citations for Additional Context

CycloneDX 1.7 introduces a new “Citations” root-level element. This joins the likes of “Components,” “Services,” and “Vulnerabilities,” among others, as the standard’s root-level elements.

Citations allow SBOM authors to declare where specific BOM data originated — such as a build system, an SBOM generation tool (like FOSSA), an artifact repository, or manual input. The goal, per CDX’s announcement of the new version of the specification, is to enable “verifiable chains of provenance, ensuring that every enrichment step, external reference, or tool contribution can be traced and audited with confidence.”

CDX 1.7 adds fields like “Attributed To” and “Process” to help SBOM producers provide this information in a standardized manner.

Expanded Cryptography Support (CBOM)

CycloneDX 1.7 significantly expands the spec’s ability to represent cryptographic material, including cryptographic algorithm families and elliptic curves. These improvements build on the “CBOM” (Cryptographic Bill of Materials) concept introduced in 1.6, which allowed BOM producers to describe cryptographic assets embedded in software or firmware.

The CBOM use case has become increasingly important as regulators, industry groups, and major OEMs demand more transparency into cryptography usage across the supply chain. CycloneDX 1.7 gives BOM producers a more expressive and standardized way to communicate this data.

Notable additions in the latest version of CDX include:

  • The “Algorithm Family” object to communicate specific properties of a cryptographic algorithm.
  • A standardized list of valid Elliptic Curves; the “Curve” property in CycloneDX 1.6 has been deprecated as a result.
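As an added example (not code from the FOSSA post or the CycloneDX project), here is a small Python check over a constructed 1.7-style BOM that inventories algorithm families, flags cryptographic assets still carrying the deprecated 1.6 “curve” property, and lists components that no citation attributes to a source. The exact JSON spelling of the 1.7 keys (citations, attributedTo, process, algorithmFamily) and the “target” key linking a citation to a bom-ref are assumptions made for this example.

```python
import json

# Constructed CycloneDX 1.7-style BOM for this example (not an official sample).
# The 1.7 keys used here ("citations", "attributedTo", "process", "algorithmFamily")
# follow the terms in the post; their exact schema spelling, and the "target" key
# tying a citation to a bom-ref, are assumptions. The rest are 1.6 CBOM names.
SAMPLE_BOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.7",
    "components": [
        {"bom-ref": "crypto-1", "type": "cryptographic-asset", "name": "ECDSA-P256",
         "cryptoProperties": {"assetType": "algorithm", "algorithmProperties": {
             "algorithmFamily": "ECDSA", "curve": "P-256"}}},
        {"bom-ref": "crypto-2", "type": "cryptographic-asset", "name": "AES-256-GCM",
         "cryptoProperties": {"assetType": "algorithm", "algorithmProperties": {
             "algorithmFamily": "AES"}}},
        {"bom-ref": "lib-1", "type": "library", "name": "acme-sdk"},
    ],
    "citations": [
        {"target": "crypto-1", "attributedTo": "fossa-cli", "process": "analysis"},
        {"target": "crypto-2", "attributedTo": "build-system", "process": "build"},
    ],
})

def load_bom(text: str) -> dict:
    """Parse a JSON BOM and reject anything that is not CycloneDX 1.7."""
    bom = json.loads(text)
    if bom.get("bomFormat") != "CycloneDX" or bom.get("specVersion") != "1.7":
        raise ValueError("expected a CycloneDX 1.7 document")
    return bom

def _algo_props(component: dict) -> dict:
    return component.get("cryptoProperties", {}).get("algorithmProperties", {})

def crypto_families(bom: dict) -> dict:
    """Map each cryptographic-asset bom-ref to its algorithmFamily (None if missing)."""
    return {c["bom-ref"]: _algo_props(c).get("algorithmFamily")
            for c in bom.get("components", []) if c.get("type") == "cryptographic-asset"}

def deprecated_curve_refs(bom: dict) -> list:
    """bom-refs still carrying the 1.6 "curve" property, which 1.7 deprecates."""
    return [c["bom-ref"] for c in bom.get("components", []) if "curve" in _algo_props(c)]

def uncited_refs(bom: dict) -> list:
    """Components with no citation recording where their BOM data came from."""
    cited = {cit.get("target") for cit in bom.get("citations", [])}
    return [c["bom-ref"] for c in bom.get("components", []) if c["bom-ref"] not in cited]
```

Running the three checks over a real 1.7 BOM gives a quick picture of which entries need migrating to the standardized curve list and which lack provenance.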

The Bottom Line on CycloneDX 1.7

Although CycloneDX 1.7 doesn’t feature a large number of major changes from previous versions, it does offer several new capabilities that are particularly relevant for the way modern software is developed. (We should also note that CDX 1.7 is expected to be ratified as an official ECMA standard in the very near future, joining CDX 1.6 in that capacity.)

For more information on CDX and SBOM management, we encourage you to check out the updated “Authoritative Guide to SBOM,” which is a comprehensive and highly useful publication from the CDX team. Alternatively, if your organization is looking for a new way to automate SBOM management (including generation and ingestion of CDX v1.7 documents), please reach out to our team.
