From c28e1e62ef2bb01024ffc9b63985be3d09f91481 Mon Sep 17 00:00:00 2001 From: Jan Kowalleck Date: Thu, 4 Jun 2026 10:21:15 +0200 Subject: [PATCH 1/2] schemas for CycloneDX 1.7.1 & 1.6.2 & 1.5.1 Signed-off-by: Jan Kowalleck --- cyclonedx/schema/_res/bom-1.5.SNAPSHOT.xsd | 20 ++++++++++++---- .../schema/_res/bom-1.6.SNAPSHOT.schema.json | 6 ++--- cyclonedx/schema/_res/bom-1.6.SNAPSHOT.xsd | 24 +++++++++++++------ .../schema/_res/bom-1.7.SNAPSHOT.schema.json | 12 +++++----- cyclonedx/schema/_res/bom-1.7.SNAPSHOT.xsd | 24 +++++++++++++------ tools/schema-downloader.py | 2 +- 6 files changed, 59 insertions(+), 29 deletions(-) diff --git a/cyclonedx/schema/_res/bom-1.5.SNAPSHOT.xsd b/cyclonedx/schema/_res/bom-1.5.SNAPSHOT.xsd index 022c09072..7c9577dad 100644 --- a/cyclonedx/schema/_res/bom-1.5.SNAPSHOT.xsd +++ b/cyclonedx/schema/_res/bom-1.5.SNAPSHOT.xsd @@ -22,7 +22,7 @@ limitations under the License. targetNamespace="http://cyclonedx.org/schema/bom/1.5" vc:minVersion="1.0" vc:maxVersion="1.1" - version="1.5.0"> + version="1.5.1"> @@ -2885,7 +2885,7 @@ limitations under the License. - + @@ -2897,7 +2897,7 @@ limitations under the License. - + @@ -2911,7 +2911,7 @@ limitations under the License. - + @@ -2923,7 +2923,7 @@ limitations under the License. - + @@ -3008,6 +3008,16 @@ limitations under the License. + + + Provides the ability to document properties in a name/value store. + This provides flexibility to include data not officially supported in the standard + without having to use additional namespaces or create extensions. Property names + of interest to the general public are encouraged to be registered in the + CycloneDX Property Taxonomy - https://github.com/CycloneDX/cyclonedx-property-taxonomy. + Formal registration is OPTIONAL. + + diff --git a/cyclonedx/schema/_res/bom-1.6.SNAPSHOT.schema.json b/cyclonedx/schema/_res/bom-1.6.SNAPSHOT.schema.json index 981961dd6..1958b2245 100644 --- a/cyclonedx/schema/_res/bom-1.6.SNAPSHOT.schema.json 
+++ b/cyclonedx/schema/_res/bom-1.6.SNAPSHOT.schema.json
@@ -536,7 +536,7 @@
 "description": "Identifier for referable and therefore interlinkable elements.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links.",
 "type": "string",
 "minLength": 1,
- "$comment": "TODO (breaking change): add a format constraint that prevents the value from staring with 'urn:cdx:'"
+ "$comment": "TODO (breaking change): add a format constraint that prevents the value from starting with 'urn:cdx:'"
 },
 "refLinkType": {
 "description": "Descriptor for an element identified by the attribute 'bom-ref' in the same BOM document.\nIn contrast to `bomLinkElementType`.",
@@ -1161,7 +1161,7 @@
 "contentType": {
 "type": "string",
 "title": "Content-Type",
- "description": "Specifies the format and nature of the data being attached, helping systems correctly interpret and process the content. Common content type examples include `application/json` for JSON data and `text/plain` for plan text documents.\n [RFC 2045 section 5.1](https://www.ietf.org/rfc/rfc2045.html#section-5.1) outlines the structure and use of content types. For a comprehensive list of registered content types, refer to the [IANA media types registry](https://www.iana.org/assignments/media-types/media-types.xhtml).",
+ "description": "Specifies the format and nature of the data being attached, helping systems correctly interpret and process the content. Common content type examples include `application/json` for JSON data and `text/plain` for plain text documents.\n [RFC 2045 section 5.1](https://www.ietf.org/rfc/rfc2045.html#section-5.1) outlines the structure and use of content types. For a comprehensive list of registered content types, refer to the [IANA media types registry](https://www.iana.org/assignments/media-types/media-types.xhtml).",
 "default": "text/plain",
 "examples": [
 "text/plain",
@@ -2681,7 +2681,7 @@ "ratings": { "type": "array", "title": "Ratings", - "description": "List of vulnerability ratings", + "description": "List of vulnerability ratings. Consumers SHOULD consider ratings in prioritization decisions; source ratings may differ and aid prioritization.", "items": { "$ref": "#/definitions/rating" } diff --git a/cyclonedx/schema/_res/bom-1.6.SNAPSHOT.xsd b/cyclonedx/schema/_res/bom-1.6.SNAPSHOT.xsd index 427f3c4f0..c3a7f46f0 100644 --- a/cyclonedx/schema/_res/bom-1.6.SNAPSHOT.xsd +++ b/cyclonedx/schema/_res/bom-1.6.SNAPSHOT.xsd @@ -22,7 +22,7 @@ limitations under the License. targetNamespace="http://cyclonedx.org/schema/bom/1.6" vc:minVersion="1.0" vc:maxVersion="1.1" - version="1.6.1"> + version="1.6.2"> @@ -973,7 +973,7 @@ limitations under the License. Specifies the format and nature of the data being attached, helping systems correctly interpret and process the content. Common content type examples include `application/json` - for JSON data and `text/plain` for plan text documents. + for JSON data and `text/plain` for plain text documents. RFC 2045 section 5.1 outlines the structure and use of content types. For a comprehensive list of registered content types, refer to the IANA media types registry at https://www.iana.org/assignments/media-types/media-types.xhtml. @@ -3256,7 +3256,7 @@ limitations under the License. - + @@ -3268,7 +3268,7 @@ limitations under the License. - + @@ -3282,7 +3282,7 @@ limitations under the License. - + @@ -3294,7 +3294,7 @@ limitations under the License. - + 
@@ -3386,6 +3386,16 @@ limitations under the License. + + + Provides the ability to document properties in a name/value store. + This provides flexibility to include data not officially supported in the standard + without having to use additional namespaces or create extensions. Property names + of interest to the general public are encouraged to be registered in the + CycloneDX Property Taxonomy - https://github.com/CycloneDX/cyclonedx-property-taxonomy. + Formal registration is OPTIONAL. + + @@ -4218,7 +4228,7 @@ limitations under the License. - List of vulnerability ratings. + List of vulnerability ratings. Consumers SHOULD consider ratings in prioritization decisions; source ratings may differ and aid prioritization. diff --git a/cyclonedx/schema/_res/bom-1.7.SNAPSHOT.schema.json b/cyclonedx/schema/_res/bom-1.7.SNAPSHOT.schema.json index c0ed5071d..ad7e54ac2 100644 --- a/cyclonedx/schema/_res/bom-1.7.SNAPSHOT.schema.json +++ b/cyclonedx/schema/_res/bom-1.7.SNAPSHOT.schema.json @@ -555,7 +555,7 @@ "description": "Identifier for referable and therefore interlinkable elements.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links.", "type": "string", "minLength": 1, - "$comment": "TODO (breaking change): add a format constraint that prevents the value from staring with 'urn:cdx:'" + "$comment": "TODO (breaking change): add a format constraint that prevents the value from starting with 'urn:cdx:'" }, "refLinkType": { "title": "BOM Reference", 
@@ -981,7 +981,7 @@
 "versionRange": {
 "$ref": "#/definitions/versionRange",
 "title": "Component Version Range",
- "description": "For an external component, this specifies the accepted version range.\nThe value must adhere to the Package URL Version Range syntax (vers), as defined at A list of zero or more patches describing how the component deviates from an ancestor, descendant, or variant. Patches may be complementary to commits or may be used in place of commits.",
+ "description": "A list of zero or more patches describing how the component deviates from an ancestor, descendant, or variant. Patches may be complementary to commits or may be used in place of commits.",
 "items": {"$ref": "#/definitions/patch"}
 },
 "notes": {
@@ -1248,7 +1248,7 @@
 "contentType": {
 "type": "string",
 "title": "Content-Type",
- "description": "Specifies the format and nature of the data being attached, helping systems correctly interpret and process the content. Common content type examples include `application/json` for JSON data and `text/plain` for plan text documents.\n [RFC 2045 section 5.1](https://www.ietf.org/rfc/rfc2045.html#section-5.1) outlines the structure and use of content types. For a comprehensive list of registered content types, refer to the [IANA media types registry](https://www.iana.org/assignments/media-types/media-types.xhtml).",
+ "description": "Specifies the format and nature of the data being attached, helping systems correctly interpret and process the content. Common content type examples include `application/json` for JSON data and `text/plain` for plain text documents.\n [RFC 2045 section 5.1](https://www.ietf.org/rfc/rfc2045.html#section-5.1) outlines the structure and use of content types. For a comprehensive list of registered content types, refer to the [IANA media types registry](https://www.iana.org/assignments/media-types/media-types.xhtml).",
 "default": "text/plain",
 "examples": [
 "text/plain",
@@ -2841,7 +2841,7 @@ "ratings": { "type": "array", "title": "Ratings", - "description": "List of vulnerability ratings", + "description": "List of vulnerability ratings. Consumers SHOULD consider ratings in prioritization decisions; source ratings may differ and aid prioritization.", "items": { "$ref": "#/definitions/rating" } diff --git a/cyclonedx/schema/_res/bom-1.7.SNAPSHOT.xsd b/cyclonedx/schema/_res/bom-1.7.SNAPSHOT.xsd index 40aa7ad93..7318f6ef6 100644 --- a/cyclonedx/schema/_res/bom-1.7.SNAPSHOT.xsd +++ b/cyclonedx/schema/_res/bom-1.7.SNAPSHOT.xsd @@ -22,7 +22,7 @@ limitations under the License. targetNamespace="http://cyclonedx.org/schema/bom/1.7" vc:minVersion="1.0" vc:maxVersion="1.1" - version="1.7.0"> + version="1.7.1"> @@ -1204,7 +1204,7 @@ limitations under the License. Specifies the format and nature of the data being attached, helping systems correctly interpret and process the content. Common content type examples include `application/json` - for JSON data and `text/plain` for plan text documents. + for JSON data and `text/plain` for plain text documents. RFC 2045 section 5.1 outlines the structure and use of content types. For a comprehensive list of registered content types, refer to the IANA media types registry at https://www.iana.org/assignments/media-types/media-types.xhtml. @@ -3499,7 +3499,7 @@ limitations under the License. - + @@ -3511,7 +3511,7 @@ limitations under the License. - + @@ -3525,7 +3525,7 @@ limitations under the License. - + @@ -3537,7 +3537,7 @@ limitations under the License. - + 
@@ -3629,6 +3629,16 @@ limitations under the License. + + + Provides the ability to document properties in a name/value store. + This provides flexibility to include data not officially supported in the standard + without having to use additional namespaces or create extensions. Property names + of interest to the general public are encouraged to be registered in the + CycloneDX Property Taxonomy - https://github.com/CycloneDX/cyclonedx-property-taxonomy. + Formal registration is OPTIONAL. + + @@ -4461,7 +4471,7 @@ limitations under the License. - List of vulnerability ratings. + List of vulnerability ratings. Consumers SHOULD consider ratings in prioritization decisions; source ratings may differ and aid prioritization. diff --git a/tools/schema-downloader.py b/tools/schema-downloader.py index 30b7ecd54..b852a1eb9 100755 --- a/tools/schema-downloader.py +++ b/tools/schema-downloader.py @@ -21,7 +21,7 @@ from os.path import dirname, join, realpath from urllib.request import urlretrieve -SOURCE_ROOT = 'https://raw.githubusercontent.com/CycloneDX/specification/refs/tags/1.7/schema/' +SOURCE_ROOT = 'https://raw.githubusercontent.com/CycloneDX/specification/refs/tags/1.7.1/schema/' SOURCE_ROOT_LATEST = 'https://raw.githubusercontent.com/CycloneDX/specification/refs/heads/master/schema/' TARGET_ROOT = realpath(join(dirname(__file__), '..', 'cyclonedx', 'schema', '_res')) From 7cb8c8ce914f0b807ef0e7e5b801ef088c2b9f09 Mon Sep 17 00:00:00 2001 From: Jan Kowalleck Date: Thu, 4 Jun 2026 10:30:16 +0200 Subject: [PATCH 2/2] docs Signed-off-by: Jan Kowalleck --- cyclonedx/schema/_res/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cyclonedx/schema/_res/README.md b/cyclonedx/schema/_res/README.md index 207414b9e..83fc1dd95 100644 --- a/cyclonedx/schema/_res/README.md +++ b/cyclonedx/schema/_res/README.md 
@@ -4,7 +4,7 @@ some schema for offline use as downloaded via [script](../../../tools/schema-dow original sources: Currently using version -[4b3f59453366e27c8073fd24e98bf21ef8892c8e](https://github.com/CycloneDX/specification/commit/4b3f59453366e27c8073fd24e98bf21ef8892c8e) +[b29bae660048e0ad2fbc5f2972927b442ce951c4](https://github.com/CycloneDX/specification/commit/b29bae660048e0ad2fbc5f2972927b442ce951c4) | file | note | |------|------|