CBOM: add custom fingerprints by bhess · Pull Request #903 · CycloneDX/specification

bhess · 2026-04-02T15:23:12Z

Extend the fingerprint definition in cyclonedx-cryptography-2.0.schema.json to support custom fingerprint algorithms alongside standard hash algorithms.

Changes

Replace the flat $ref: hash on certificateProperties.fingerprint and relatedCryptoMaterialProperties.fingerprint with a single central $defs/fingerprint definition
$defs/fingerprint uses oneOf with two branches:
- Standard Hash — alg + content (refs to existing hashAlgorithm / hashValue); fully backward compatible
- Custom Fingerprint — customAlg + customContent for non-standard algorithms

Backward Compatibility

Existing documents with {"alg": "SHA-256", "content": "..."} satisfy the Standard Hash branch unchanged.

Signed-off-by: Basil Hess <bhe@zurich.ibm.com>

jkowalleck · 2026-04-16T18:19:30Z

RFC notice sent on May 04, 2026

Public RFC period ends June 01, 2026

jkowalleck · 2026-05-12T10:47:28Z

+          "additionalProperties": false,
+          "properties": {
+            "alg": {
+              "$ref": "cyclonedx-common-2.0.schema.json#/$defs/hashAlgorithm"


please add a title and description

Suggested change

"$ref": "cyclonedx-common-2.0.schema.json#/$defs/hashAlgorithm"

"$ref": "cyclonedx-common-2.0.schema.json#/$defs/hashAlgorithm",

"title": "Standard, well-known Fingerprint Algorithm",

"description": "The standard, well-known algorithm used to compute the fingerprint."

jkowalleck · 2026-05-12T10:48:28Z

+              "$ref": "cyclonedx-common-2.0.schema.json#/$defs/hashAlgorithm"
+            },
+            "content": {
+              "$ref": "cyclonedx-common-2.0.schema.json#/$defs/hashValue"


please add a title and description

Suggested change

"$ref": "cyclonedx-common-2.0.schema.json#/$defs/hashValue"

"$ref": "cyclonedx-common-2.0.schema.json#/$defs/hashValue",

"title": "Standard, well-known Fingerprint Content",

"description": "The value of the fingerprint computed using the standard, well-known algorithm."

jkowalleck · 2026-05-12T10:59:53Z

+      "title": "Fingerprint",
+      "description": "The fingerprint is a cryptographic hash of the asset.",
+      "oneOf": [
+        {


@stevespringett

this data structure looks pretty much like cyclonedx-common-2.0.schema.json#$defs/hash.

To prevent any confusion, we should add narrow titles/descriptions to cyclonedx-common-2.0.schema.json#$defs/hash/properties/alg and cyclonedx-common-2.0.schema.json#$defs/hash/properties/content

something like

{ // cyclonedx-common-2.0.schema.json#$defs "hash": { "type": "object", "title": "Hash", "required": [ "alg", "content" ], "additionalProperties": false, "properties": { "alg": { "$ref": "#/$defs/hashAlgorithm", "titile": "Hash algorithm", "description": "Standard, well-known algorithm used to compute the hash" }, "content": { "$ref": "#/$defs/hashValue", "titile": "Hash value", "description": "The value of the hash computed using the standard, well-known algorithm" } } }, }

Adds custom fingerprints

ebcf4c2

Signed-off-by: Basil Hess <bhe@zurich.ibm.com>

bhess requested a review from a team as a code owner April 2, 2026 15:23

bhess added the cap: cryptography Capability: Cryptography (CBOM) label Apr 2, 2026

Mehrn0ush approved these changes Apr 8, 2026

View reviewed changes

stevespringett added request for comment RFC notice sent A public RFC notice was distributed to the CycloneDX mailing list for consideration proposed core enhancement labels Apr 16, 2026

stevespringett added this to the 2.0 milestone Apr 16, 2026

jkowalleck requested review from DarthHater, coderpatros, jkowalleck, mrutkows and stevespringett April 16, 2026 18:20

jkowalleck requested changes May 12, 2026

View reviewed changes

jkowalleck reviewed May 12, 2026

View reviewed changes

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

CBOM: add custom fingerprints#903

CBOM: add custom fingerprints#903
bhess wants to merge 1 commit into
CycloneDX:2.0-devfrom
bhess:bhe-20-fingerprint

bhess commented Apr 2, 2026

Uh oh!

jkowalleck commented Apr 16, 2026 •

edited

Loading

Uh oh!

jkowalleck May 12, 2026

Uh oh!

jkowalleck May 12, 2026

Uh oh!

jkowalleck May 12, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

4 participants

-              "$ref": "cyclonedx-common-2.0.schema.json#/$defs/hashAlgorithm"
+              "$ref": "cyclonedx-common-2.0.schema.json#/$defs/hashAlgorithm",
+              "title": "Standard, well-known Fingerprint Algorithm",
+              "description": "The standard, well-known algorithm used to compute the fingerprint."

-              "$ref": "cyclonedx-common-2.0.schema.json#/$defs/hashValue"
+              "$ref": "cyclonedx-common-2.0.schema.json#/$defs/hashValue",
+              "title": "Standard, well-known Fingerprint Content",
+              "description": "The value of the fingerprint computed using the standard, well-known algorithm."

Uh oh!

Conversation

bhess commented Apr 2, 2026

Changes

Backward Compatibility

Uh oh!

jkowalleck commented Apr 16, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

jkowalleck May 12, 2026

Choose a reason for hiding this comment

Uh oh!

jkowalleck May 12, 2026

Choose a reason for hiding this comment

Uh oh!

jkowalleck May 12, 2026

Choose a reason for hiding this comment

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

4 participants

jkowalleck commented Apr 16, 2026 •

edited

Loading