CycloneDX 1.7 Ratified as ECMA-424 2nd Edition (December 2025)

CycloneDX v1.7 was adopted as ECMA-424, 2nd Edition by the Ecma General Assembly in December 2025. We unpack citations, cryptographic assets, and distribution constraints.

Yukti Singhal
Security Researcher
5 min read

On December 11, 2025, the Ecma International General Assembly formally adopted CycloneDX v1.7 as ECMA-424, 2nd Edition. The vote concluded a deliberate twelve-month standards process inside Technical Committee 54 (TC54) that began with the v1.6 ratification as the 1st Edition in June 2024 and culminated with the 1.7 spec release on October 28, 2025. ECMA-424 status matters because it puts CycloneDX on the same procedural footing as JavaScript (ECMA-262) and JSON (ECMA-404) for international harmonization and ISO/IEC fast-track submission, which is the next stop on the standards roadmap. For SBOM consumers — particularly regulated buyers in the EU and federal procurement — the second edition is the version they will reference in contracts and Cyber Resilience Act conformity packages through 2027.

What is genuinely new in 1.7 versus 1.6?

Five concrete additions distinguish 1.7 from the 1.6 base. First, a root-level citations element lets the SBOM author declare where each piece of metadata originated — a build system, an SBOM generator, an artifact repository, or manual input — alongside a timestamp and provenance link. Second, the cryptographic assets profile (CBOM) has been substantially expanded with a normative algorithmFamily object and a closed enumeration of elliptic curves; the loose 1.6 curve string is deprecated in favor of the new typed enum. Third, intellectual-property metadata has been formalized: components can now declare patents or patent families that read on the component. Fourth, formulations have been broadened so that the same construct used to describe how a component was built can describe how any referenceable object — services, declarations, even the BOM itself — came together. Fifth, distribution constraints embed a Traffic Light Protocol (TLP) classification directly inside the BOM so that downstream sharing decisions are mechanically enforceable rather than out-of-band.

How does the new citations block look in practice?

A 1.7 SBOM emitted from a CI build that combined a Syft scan and a manually corrected license field looks like this:

{
  "bomFormat": "CycloneDX",
  "specVersion": "1.7",
  "version": 1,
  "metadata": {
    "timestamp": "2025-12-09T14:22:00Z",
    "tools": [{ "vendor": "anchore", "name": "syft", "version": "1.18.0" }]
  },
  "citations": [
    {
      "bom-ref": "cit-syft-scan",
      "source": "tool:syft@1.18.0",
      "timestamp": "2025-12-09T14:22:00Z",
      "appliesTo": ["pkg:npm/express@4.21.1"]
    },
    {
      "bom-ref": "cit-manual-license",
      "source": "human:legal-review",
      "timestamp": "2025-12-09T16:05:00Z",
      "appliesTo": ["pkg:npm/express@4.21.1/license"]
    }
  ],
  "distribution": {
    "tlp": "AMBER",
    "constraints": "do-not-redistribute-outside-organization"
  }
}

The citations array is optional in 1.7 but strongly encouraged for any SBOM that crosses an organizational boundary, because it lets a consumer attribute disagreements between two SBOMs to specific sources rather than treating the document as a monolithic claim.
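The attribution question the citations block is meant to answer can be asked mechanically. The following is an added example, not code from the article or from the CycloneDX project: it indexes a constructed 1.7 document by citation target and reports, per component, whether the license field was asserted by a tool, by a human, or by nobody. The root-level citations shape (bom-ref, source, timestamp, appliesTo) follows the article's sample; classifying sources by a "tool:" or "human:" prefix and scoping a claim with a "/license" suffix are conventions taken from that sample's values and are assumptions here, not part of the specification.

```python
import json
from collections import defaultdict

# Constructed 1.7 BOM fragment modelled on the article's sample; not the output of any real build.
SAMPLE_BOM = json.loads("""
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.7",
  "version": 1,
  "components": [
    {"type": "library", "bom-ref": "pkg:npm/express@4.21.1", "name": "express",
     "version": "4.21.1", "licenses": [{"license": {"id": "MIT"}}]},
    {"type": "library", "bom-ref": "pkg:npm/cookie@0.7.1", "name": "cookie",
     "version": "0.7.1", "licenses": [{"license": {"id": "MIT"}}]},
    {"type": "library", "bom-ref": "pkg:npm/debug@4.3.7", "name": "debug", "version": "4.3.7"},
    {"type": "library", "bom-ref": "pkg:npm/vendored-widget@1.0.0", "name": "vendored-widget",
     "version": "1.0.0", "licenses": [{"license": {"id": "Apache-2.0"}}]}
  ],
  "citations": [
    {"bom-ref": "cit-syft-scan", "source": "tool:syft@1.18.0",
     "timestamp": "2025-12-09T14:22:00Z",
     "appliesTo": ["pkg:npm/express@4.21.1", "pkg:npm/cookie@0.7.1", "pkg:npm/debug@4.3.7"]},
    {"bom-ref": "cit-manual-license", "source": "human:legal-review",
     "timestamp": "2025-12-09T16:05:00Z",
     "appliesTo": ["pkg:npm/express@4.21.1/license"]}
  ]
}
""")


def source_kind(source):
    """Classify a citation source by its prefix ('tool:' or 'human:', an assumed convention)."""
    prefix = source.split(":", 1)[0]
    return prefix if prefix in ("tool", "human") else "unknown"


def provenance_index(bom):
    """Map each appliesTo target to the (kind, source, timestamp) triples that claim it.

    Targets are kept verbatim: a field-scoped target such as '<ref>/license' is indexed
    separately from the whole-component target '<ref>'. purls contain '/', so scoping
    is detected by suffix, never by splitting on the first slash."""
    index = defaultdict(list)
    for cit in bom.get("citations", []):
        for target in cit.get("appliesTo", []):
            index[target].append((source_kind(cit["source"]), cit["source"], cit.get("timestamp")))
    return dict(index)


def license_assignment(bom):
    """Answer 'who asserted each component's license?' from the citations.

    Verdicts: 'human' (a human citation scoped to the license field), 'tool' (a tool
    citation covering the field or the whole component), 'uncited' (a license is present
    but no citation claims it) or 'none' (the component declares no license)."""
    index = provenance_index(bom)
    verdicts = {}
    for comp in bom.get("components", []):
        ref = comp["bom-ref"]
        if "licenses" not in comp:
            verdicts[ref] = "none"
            continue
        scoped = [kind for kind, _, _ in index.get(f"{ref}/license", [])]
        whole = [kind for kind, _, _ in index.get(ref, [])]
        if "human" in scoped:
            verdicts[ref] = "human"
        elif scoped or "tool" in whole:
            verdicts[ref] = "tool"
        else:
            verdicts[ref] = "uncited"
    return verdicts


def uncited_components(bom):
    """Components no citation covers, as a whole or per field. Their metadata cannot be
    attributed to any source, which is exactly the gap the citations block exists to close."""
    targets = provenance_index(bom)
    return [c["bom-ref"] for c in bom.get("components", [])
            if not any(t == c["bom-ref"] or t.startswith(c["bom-ref"] + "/") for t in targets)]


if __name__ == "__main__":
    print(json.dumps(license_assignment(SAMPLE_BOM), indent=2))
    print("uncited:", uncited_components(SAMPLE_BOM))
```

When two SBOMs for the same artifact disagree, running provenance_index over each and diffing the per-target source lists shows whether the disagreement is tool-versus-tool or tool-versus-human, which is the attribution the paragraph above describes.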

What changed for cryptographic assets?

CycloneDX has carried a cryptographic-asset component type since 1.6, but the 1.7 update completes it into a usable CBOM. The new algorithmFamily object captures normative properties — primitive type, security strength, NIST status, mode-of-operation requirements — rather than relying on free-text strings that earlier tools parsed inconsistently. Elliptic curves are now drawn from a closed enumeration containing the NIST P-curves, the Brainpool curves, Curve25519/X25519, Curve448, and the secp curves used by Bitcoin and TLS. Tools generating CBOMs for post-quantum migration inventories — a recurring 2025 requirement under both NIST's CNSA 2.0 timeline and the UK NCSC's PQC roadmap — can now emit machine-checkable claims about which components depend on algorithms scheduled for deprecation.
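The post-quantum inventory query the paragraph describes, as an added example that is not code from the article or from any CycloneDX library. It walks a constructed CBOM, classifies each algorithm asset as quantum-vulnerable or not, flags the parameter sets with the lowest classical strength for earliest migration, follows the dependencies graph to the products affected, and lists assets still carrying only the deprecated 1.6 free-text curve string. The component type cryptographic-asset, cryptoProperties.assetType and the algorithmProperties keys used (primitive, parameterSetIdentifier, curve, mode, classicalSecurityLevel, nistQuantumSecurityLevel) exist in CycloneDX 1.6; the algorithmFamily object is named by the article, but its placement under cryptoProperties, its keys name and curve, and the curve identifiers are assumptions made for illustration. The 128-bit threshold is a constructed policy, not a value from the specification.

```python
import json

# Constructed CBOM fragment. algorithmFamily placement and keys are ASSUMED (see lead-in).
SAMPLE_CBOM = json.loads("""
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.7",
  "version": 1,
  "components": [
    {"type": "application", "bom-ref": "app-payment-api", "name": "payment-api", "version": "3.2.0"},
    {"type": "application", "bom-ref": "app-archive-service", "name": "archive-service", "version": "1.4.1"},
    {"type": "cryptographic-asset", "bom-ref": "crypto-rsa2048", "name": "RSA-2048",
     "cryptoProperties": {"assetType": "algorithm",
       "algorithmProperties": {"primitive": "signature", "parameterSetIdentifier": "2048",
                               "classicalSecurityLevel": 112, "nistQuantumSecurityLevel": 0},
       "algorithmFamily": {"name": "RSA"}}},
    {"type": "cryptographic-asset", "bom-ref": "crypto-ecdsa-p256", "name": "ECDSA-P256",
     "cryptoProperties": {"assetType": "algorithm",
       "algorithmProperties": {"primitive": "signature", "curve": "secp256r1",
                               "classicalSecurityLevel": 128, "nistQuantumSecurityLevel": 0},
       "algorithmFamily": {"name": "ECDSA", "curve": "P-256"}}},
    {"type": "cryptographic-asset", "bom-ref": "crypto-ecdh-p384", "name": "ECDH-P384",
     "cryptoProperties": {"assetType": "algorithm",
       "algorithmProperties": {"primitive": "key-agree", "curve": "secp384r1",
                               "classicalSecurityLevel": 192, "nistQuantumSecurityLevel": 0}}},
    {"type": "cryptographic-asset", "bom-ref": "crypto-mlkem768", "name": "ML-KEM-768",
     "cryptoProperties": {"assetType": "algorithm",
       "algorithmProperties": {"primitive": "kem", "parameterSetIdentifier": "768",
                               "classicalSecurityLevel": 192, "nistQuantumSecurityLevel": 3},
       "algorithmFamily": {"name": "ML-KEM"}}},
    {"type": "cryptographic-asset", "bom-ref": "crypto-aes256-gcm", "name": "AES-256-GCM",
     "cryptoProperties": {"assetType": "algorithm",
       "algorithmProperties": {"primitive": "ae", "parameterSetIdentifier": "256",
                               "mode": "gcm", "classicalSecurityLevel": 256},
       "algorithmFamily": {"name": "AES"}}}
  ],
  "dependencies": [
    {"ref": "app-payment-api",
     "dependsOn": ["crypto-rsa2048", "crypto-ecdsa-p256", "crypto-ecdh-p384", "crypto-aes256-gcm"]},
    {"ref": "app-archive-service", "dependsOn": ["crypto-mlkem768", "crypto-aes256-gcm"]}
  ]
}
""")

# Public-key families broken by Shor's algorithm, and the NIST-standardized replacements.
QUANTUM_VULNERABLE = {"RSA", "DSA", "DH", "ECDSA", "ECDH", "EdDSA"}
PQC_FAMILIES = {"ML-KEM", "ML-DSA", "SLH-DSA"}
ASYMMETRIC_PRIMITIVES = {"signature", "kem", "pke", "key-agree"}
MIN_CLASSICAL_BITS = 128  # constructed policy: 112-bit parameter sets migrate first


def family_of(component):
    """Prefer the 1.7 algorithmFamily name; fall back to the prefix of the component name."""
    props = component.get("cryptoProperties", {})
    name = (props.get("algorithmFamily") or {}).get("name")
    return name or component.get("name", "").split("-", 1)[0]


def assess(component):
    """Return 'ok', 'migrate' or 'migrate-now' for one algorithm asset."""
    algo = component.get("cryptoProperties", {}).get("algorithmProperties", {})
    family = family_of(component)
    if family in PQC_FAMILIES:
        return "ok"
    # Unknown families are judged by primitive: any public-key primitive that is not PQC is at risk.
    if family not in QUANTUM_VULNERABLE and algo.get("primitive") not in ASYMMETRIC_PRIMITIVES:
        return "ok"
    level = algo.get("classicalSecurityLevel")
    return "migrate-now" if level is not None and level < MIN_CLASSICAL_BITS else "migrate"


def pqc_inventory(bom):
    """Map every algorithm asset's bom-ref to its verdict."""
    return {c["bom-ref"]: assess(c) for c in bom.get("components", [])
            if c.get("type") == "cryptographic-asset"
            and c.get("cryptoProperties", {}).get("assetType") == "algorithm"}


def products_needing_migration(bom):
    """Follow the dependencies graph: which refs depend on an asset that must migrate?"""
    flagged = {ref for ref, verdict in pqc_inventory(bom).items() if verdict != "ok"}
    return sorted(dep["ref"] for dep in bom.get("dependencies", [])
                  if flagged & set(dep.get("dependsOn", [])))


def deprecated_curve_strings(bom):
    """Assets that carry only the free-text 1.6 curve string and no typed 1.7 curve value."""
    out = []
    for c in bom.get("components", []):
        props = c.get("cryptoProperties", {})
        has_legacy = "curve" in props.get("algorithmProperties", {})
        has_typed = bool((props.get("algorithmFamily") or {}).get("curve"))
        if has_legacy and not has_typed:
            out.append(c["bom-ref"])
    return out


if __name__ == "__main__":
    print(json.dumps(pqc_inventory(SAMPLE_CBOM), indent=2))
    print("products:", products_needing_migration(SAMPLE_CBOM))
    print("legacy curve strings:", deprecated_curve_strings(SAMPLE_CBOM))
```

Note that the assessment never trusts the component name alone: family_of only falls back to the name when the typed family is absent, which is the situation the deprecated free-text fields leave a consumer in.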

How does TLP enforcement work inside the BOM?

The new distribution block carries a TLP classification (CLEAR, GREEN, AMBER, AMBER+STRICT, RED) and an optional constraints string. A 1.7-aware repository — for instance an internal SBOM index that consumes attestations from CI — must honor the constraint when serving the SBOM via API. The practical effect is that a vendor can publish an AMBER SBOM to a procurement portal and have the portal enforce that the SBOM is not re-published to a public mirror. The constraint is not cryptographic; it is a declared policy that consumer tools are expected to respect, similar to how robots.txt operates.
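The serving-side check described above, as an added example (not code from the article, from CycloneDX, or from any SBOM repository product): a gate that reads the distribution block and decides whether a document may be served to a given destination tier. The TLP labels and the distribution.tlp / distribution.constraints keys come from the article; the tier names, their ceilings, and the choice to treat an unmarked document as AMBER+STRICT are a constructed policy. Because the constraints value is free text, the gate surfaces it to the caller rather than pretending to interpret it.

```python
import json

# TLP 2.0 labels from least to most restrictive; the distribution block uses these names.
TLP_ORDER = ["CLEAR", "GREEN", "AMBER", "AMBER+STRICT", "RED"]
LEGACY_LABELS = {"WHITE": "CLEAR"}  # TLP 1.0 spelling still seen in older feeds

# Destination tiers this repository serves, each with the most restrictive label it may
# receive. Tier names and ceilings are a constructed policy for illustration, not ECMA-424.
TIER_CEILING = {
    "public-mirror": "CLEAR",
    "sector-community": "GREEN",
    "partner-portal": "AMBER",
    "internal-index": "AMBER+STRICT",
    "named-recipients": "RED",
}

# A BOM with no distribution block has made no claim; defaulting it to CLEAR would let an
# unmarked restricted document leak, so it is held inside the organization instead.
UNMARKED_DEFAULT = "AMBER+STRICT"


class DistributionDenied(Exception):
    pass


def classification(bom):
    """Return the BOM's effective TLP label, normalized. Unknown labels are rejected
    rather than guessed; a missing block falls back to the conservative default."""
    tlp = (bom.get("distribution") or {}).get("tlp")
    if tlp is None:
        return UNMARKED_DEFAULT
    tlp = LEGACY_LABELS.get(tlp.upper(), tlp.upper())
    if tlp not in TLP_ORDER:
        raise ValueError(f"unrecognized TLP label: {tlp!r}")
    return tlp


def may_serve(bom, tier):
    """True when the BOM's label is no more restrictive than the tier's ceiling."""
    return TLP_ORDER.index(classification(bom)) <= TLP_ORDER.index(TIER_CEILING[tier])


def serve(bom, tier):
    """Gate an API response: return the document plus its constraints string, or refuse.
    The free-text constraint cannot be enforced mechanically, so it is passed through
    for the caller to honor and to log."""
    if not may_serve(bom, tier):
        raise DistributionDenied(
            f"TLP:{classification(bom)} document may not be served to tier {tier!r}")
    return {"bom": bom, "constraints": (bom.get("distribution") or {}).get("constraints")}


# Constructed documents: the first mirrors the article's AMBER sample, the second is unmarked.
AMBER_BOM = json.loads(
    '{"bomFormat": "CycloneDX", "specVersion": "1.7", "version": 1, '
    '"distribution": {"tlp": "AMBER", "constraints": "do-not-redistribute-outside-organization"}}')
UNMARKED_BOM = json.loads('{"bomFormat": "CycloneDX", "specVersion": "1.7", "version": 1}')

if __name__ == "__main__":
    for tier in TIER_CEILING:
        print(tier, "amber:", may_serve(AMBER_BOM, tier), "unmarked:", may_serve(UNMARKED_BOM, tier))
```

The gate is only as good as the place it sits: it has to run on every read path, including bulk export and mirroring jobs, or the robots.txt comparison in the paragraph above becomes literal.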

Is 1.7 backward compatible with my existing toolchain?

Yes — 1.7 is fully backward compatible with 1.4 through 1.6. A 1.6 consumer reading a 1.7 BOM will ignore the citations and distribution blocks under standard JSON Schema permissive parsing. The breaking changes are confined to deprecations: the 1.6 curve string property remains valid but emits a tooling warning, and 1.7 generators are expected to migrate to the typed algorithmFamily.curve enum within two minor versions. Producers running cyclonedx-cli convert --output-version 1.6 can downgrade a 1.7 document for legacy consumers without losing the components or services trees.
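A downgrade to 1.6 has one consequence the paragraph above does not spell out: the distribution block is one of the things dropped, so the converted document no longer carries its TLP marking. The following is an added example, not code from the article or from cyclonedx-cli, showing the root-level conversion and a wrapper that refuses to strip a non-CLEAR marking silently. Which root blocks are removed (citations, distribution) follows the article; the document is constructed, and the refusal policy is a design choice made here, not a behavior the page attributes to any tool.

```python
import copy
import json

# Root-level blocks the article names as 1.7 additions. A 1.6 consumer ignores them under
# permissive parsing, but a document that claims specVersion 1.6 should not carry them.
ROOT_BLOCKS_NEW_IN_1_7 = ("citations", "distribution")


def downgrade_to_1_6(bom):
    """Return (bom16, dropped): a 1.6 copy without the 1.7 root blocks, and the names of the
    blocks that were removed. components and services are left untouched. This mirrors
    what a convert-to-1.6 step must do; it is not the cyclonedx-cli implementation."""
    if bom.get("specVersion") != "1.7":
        raise ValueError(f"expected a 1.7 document, got specVersion={bom.get('specVersion')!r}")
    out = copy.deepcopy(bom)  # never mutate the caller's (possibly signed) original
    out["specVersion"] = "1.6"
    dropped = [key for key in ROOT_BLOCKS_NEW_IN_1_7 if out.pop(key, None) is not None]
    return out, dropped


def downgrade_for_legacy_consumer(bom):
    """Downgrade only when no sharing restriction would be lost. A 1.6 document has nowhere
    to carry the TLP label, so anything stricter than CLEAR must be communicated out of
    band before conversion; raising here forces that decision instead of hiding it."""
    tlp = (bom.get("distribution") or {}).get("tlp", "CLEAR").upper()
    if tlp != "CLEAR":
        raise PermissionError(
            f"refusing to strip TLP:{tlp} marking during downgrade; carry the restriction out of band")
    bom16, _ = downgrade_to_1_6(bom)
    return bom16


# Constructed 1.7 document with both new root blocks and a small components/services tree.
SAMPLE_17 = json.loads("""
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.7",
  "version": 1,
  "components": [
    {"type": "library", "bom-ref": "pkg:npm/express@4.21.1", "name": "express", "version": "4.21.1"}
  ],
  "services": [
    {"bom-ref": "svc-api", "name": "api-gateway"}
  ],
  "citations": [
    {"bom-ref": "cit-syft-scan", "source": "tool:syft@1.18.0",
     "timestamp": "2025-12-09T14:22:00Z", "appliesTo": ["pkg:npm/express@4.21.1"]}
  ],
  "distribution": {"tlp": "AMBER", "constraints": "do-not-redistribute-outside-organization"}
}
""")

# Same document marked CLEAR, for the path where a downgrade is permitted.
SAMPLE_17_CLEAR = {**SAMPLE_17, "distribution": {"tlp": "CLEAR"}}

if __name__ == "__main__":
    bom16, dropped = downgrade_to_1_6(SAMPLE_17)
    print("dropped:", dropped)
    print(json.dumps(bom16, indent=2))
```

The trees the paragraph says survive (components, services) are copied verbatim; the only edits are the specVersion field and the removed root keys, which keeps the converted document trivially diffable against the original.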

Which generators and tools support 1.7 today?

As of mid-December 2025, the official cyclonedx-cli 0.27, cyclonedx-go 0.13, @cyclonedx/cyclonedx-npm 4.0, and cyclonedx-python-lib 9.0 emit and validate 1.7. Syft 1.18 and Trivy 0.59 both ship 1.7 output. Dependency-Track 4.13 (released December 2025) accepts 1.7 ingestion. Microsoft's SBOM Tool added 1.7 support in its 4.0 release; Anchore's Grype consumes 1.7 VEX blocks correctly. ECMA-424 2nd Edition language ships in the Ecma TC54 PDF and the canonical JSON Schema at cyclonedx.org/schema/bom-1.7.schema.json.

How Safeguard Helps

Safeguard's ingestion pipeline parses CycloneDX 1.4 through 1.7 natively and normalizes the new citations array into the unified provenance graph so operators can ask "which components in this product had their license assigned by a tool versus a human reviewer?" Griffin AI consumes the algorithmFamily enum to power post-quantum readiness queries — "list every product that ships an RSA-2048 signing primitive in the build pipeline" — without operators writing SPARQL. Policy gates can enforce that exported SBOMs carry the correct TLP classification for the destination tier, blocking accidental re-export of an AMBER SBOM to a public partner portal. For EU CRA conformity packages, Safeguard's bundle exporter pins the CycloneDX version to 1.6 or 1.7 depending on the conformity assessment body's requirements, and attaches the ECMA-424 reference automatically.
