CycloneDX · mr-zepol · Jan 20, 2026 · Jan 20, 2026 · Jan 20, 2026 · Feb 7, 2026
@@ -64,12 +64,14 @@ public abstract class CycloneDxSchema
 
   public static final String NS_BOM_16 = "http://cyclonedx.org/schema/bom/1.6";
 
+  public static final String NS_BOM_17 = "http://cyclonedx.org/schema/bom/1.7";
+
   @Deprecated
   public static final String NS_DEPENDENCY_GRAPH_10 = "http://cyclonedx.org/schema/ext/dependency-graph/1.0";
 
-  public static final String NS_BOM_LATEST = NS_BOM_16;
+  public static final String NS_BOM_LATEST = NS_BOM_17;
 
-  public static final Version VERSION_LATEST = Version.VERSION_16;
+  public static final Version VERSION_LATEST = Version.VERSION_17;
 
   public static final List<Version> ALL_VERSIONS = Arrays.asList(Version.values());
 
@@ -104,6 +106,8 @@ public JsonSchema getJsonSchema(Version schemaVersion, final ObjectMapper mapper
         getClass().getClassLoader().getResource("bom-1.5.schema.json").toExternalForm());
     offlineMappings.put("http://cyclonedx.org/schema/bom-1.6.schema.json",
         getClass().getClassLoader().getResource("bom-1.6.schema.json").toExternalForm());
+    offlineMappings.put("http://cyclonedx.org/schema/bom-1.7.schema.json",
+        getClass().getClassLoader().getResource("bom-1.7.schema.json").toExternalForm());
 
     JsonNode schemaNode = mapper.readTree(spdxInstream);
     final MapSchemaMapper offlineSchemaMapper = new MapSchemaMapper(offlineMappings);
@@ -127,9 +131,12 @@ else if (Version.VERSION_14 == schemaVersion) {
     else if(Version.VERSION_15 == schemaVersion){
       return this.getClass().getClassLoader().getResourceAsStream("bom-1.5.schema.json");
     }
-    else {
+    else if(Version.VERSION_16 == schemaVersion){
       return this.getClass().getClassLoader().getResourceAsStream("bom-1.6.schema.json");
     }
+    else {
+      return this.getClass().getClassLoader().getResourceAsStream("bom-1.7.schema.json");
+    }
   }
 
   /**
@@ -159,9 +166,12 @@ else if (Version.VERSION_14 == schemaVersion) {
     else if (Version.VERSION_15 == schemaVersion) {
       return getXmlSchema15();
     }
-    else {
+    else if (Version.VERSION_16 == schemaVersion) {
       return getXmlSchema16();
     }
+    else {
+      return getXmlSchema17();
+    }
   }
 
   /**
@@ -269,6 +279,21 @@ private Schema getXmlSchema16() throws SAXException {
     );
   }
 
+  /**
+   * Returns the CycloneDX XML Schema from the specifications XSD.
+   *
+   * @return a Schema
+   * @throws SAXException a SAXException
+   * @since 10.0.0
+   */
+  private Schema getXmlSchema17() throws SAXException {
+    // Use local copies of schemas rather than resolving from the net. It's faster, and less prone to errors.
+    return getXmlSchema(
+        this.getClass().getClassLoader().getResourceAsStream("spdx.xsd"),
+        this.getClass().getClassLoader().getResourceAsStream("bom-1.7.xsd")
+    );
+  }
+
   public Schema getXmlSchema(InputStream... inputStreams) throws SAXException {
     final SchemaFactory schemaFactory = SchemaFactory.newInstance(XMLConstants.W3C_XML_SCHEMA_NS_URI);
     schemaFactory.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");

@@ -12,7 +12,8 @@ public enum Version
   VERSION_13(CycloneDxSchema.NS_BOM_13, "1.3", 1.3, EnumSet.of(XML, JSON)),
   VERSION_14(CycloneDxSchema.NS_BOM_14, "1.4", 1.4, EnumSet.of(XML, JSON)),
   VERSION_15(CycloneDxSchema.NS_BOM_15, "1.5", 1.5, EnumSet.of(XML, JSON)),
-  VERSION_16(CycloneDxSchema.NS_BOM_16, "1.6", 1.6, EnumSet.of(XML, JSON));
+  VERSION_16(CycloneDxSchema.NS_BOM_16, "1.6", 1.6, EnumSet.of(XML, JSON)),
+  VERSION_17(CycloneDxSchema.NS_BOM_17, "1.7", 1.7, EnumSet.of(XML, JSON));
 
   private final String namespace;
 
@@ -61,6 +62,7 @@ public static Version fromVersionString(String versionString) {
         case "1.4": return VERSION_14;
         case "1.5": return VERSION_15;
         case "1.6": return VERSION_16;
+        case "1.7": return VERSION_17;
       }
     }
     return null;

@@ -59,6 +59,7 @@
         "formulation",
         "declarations",
         "definitions",
+        "citations",
         "signature"
 })
 public class Bom extends ExtensibleElement {
@@ -100,6 +101,9 @@ public class Bom extends ExtensibleElement {
     @VersionFilter(Version.VERSION_15)
     private List<Annotation> annotations;
 
+    @VersionFilter(Version.VERSION_17)
+    private List<Citation> citations;
+
     @JsonInclude(JsonInclude.Include.NON_EMPTY)
     private List<Property> properties;
 
@@ -239,6 +243,24 @@ public void setAnnotations(List<Annotation> annotations) {
         this.annotations = annotations;
     }
 
+    @JacksonXmlElementWrapper(localName = "citations")
+    @JacksonXmlProperty(localName = "citation")
+    @VersionFilter(Version.VERSION_17)
+    public List<Citation> getCitations() {
+        return citations;
+    }
+
+    public void setCitations(List<Citation> citations) {
+        this.citations = citations;
+    }
+
+    public void addCitation(Citation citation) {
+        if (this.citations == null) {
+            this.citations = new ArrayList<>();
+        }
+        this.citations.add(citation);
+    }
+
     @JacksonXmlElementWrapper(localName = "properties")
     @JacksonXmlProperty(localName = "property")
     @JsonInclude(JsonInclude.Include.NON_EMPTY)

@@ -0,0 +1,140 @@
+/*
+ * This file is part of CycloneDX Core (Java).
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * SPDX-License-Identifier: Apache-2.0
+ * Copyright (c) OWASP Foundation. All Rights Reserved.
+ */
+package org.cyclonedx.model;
+
+import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
+import com.fasterxml.jackson.annotation.JsonInclude;
+import com.fasterxml.jackson.annotation.JsonInclude.Include;
+import com.fasterxml.jackson.annotation.JsonProperty;
+import com.fasterxml.jackson.annotation.JsonPropertyOrder;
+import com.fasterxml.jackson.databind.annotation.JsonSerialize;
+import com.fasterxml.jackson.dataformat.xml.annotation.JacksonXmlElementWrapper;
+import com.fasterxml.jackson.dataformat.xml.annotation.JacksonXmlProperty;
+import org.cyclonedx.util.serializer.CustomDateSerializer;
+
+import java.util.Date;
+import java.util.List;
+import java.util.Objects;
+
+/**
+ * A citation indicates which entity supplied information for specific fields within the BOM.
+ *
+ * @since 10.0.0
+ */
+@JsonIgnoreProperties(ignoreUnknown = true)
+@JsonInclude(Include.NON_NULL)
+@JsonPropertyOrder({"bomRef", "pointers", "expressions", "timestamp", "attributedTo", "process", "note"})
+public class Citation extends ExtensibleElement {
+
+    @JacksonXmlProperty(isAttribute = true, localName = "bom-ref")
+    @JsonProperty("bom-ref")
+    private String bomRef;
+
+    @JacksonXmlElementWrapper(localName = "pointers")
+    @JacksonXmlProperty(localName = "pointer")
+    private List<String> pointers;
+
+    @JacksonXmlElementWrapper(localName = "expressions")
+    @JacksonXmlProperty(localName = "expression")
+    private List<String> expressions;
+
+    @JsonSerialize(using = CustomDateSerializer.class)
+    private Date timestamp;
+
+    private String attributedTo;
+
+    private String process;
+
+    private String note;
+
+    public String getBomRef() {
+        return bomRef;
+    }
+
+    public void setBomRef(String bomRef) {
+        this.bomRef = bomRef;
+    }
+
+    public List<String> getPointers() {
+        return pointers;
+    }
+
+    public void setPointers(List<String> pointers) {
+        this.pointers = pointers;
+    }
+
+    public List<String> getExpressions() {
+        return expressions;
+    }
+
+    public void setExpressions(List<String> expressions) {
+        this.expressions = expressions;
+    }
+
+    public Date getTimestamp() {
+        return timestamp;
+    }
+
+    public void setTimestamp(Date timestamp) {
+        this.timestamp = timestamp;
+    }
+
+    public String getAttributedTo() {
+        return attributedTo;
+    }
+
+    public void setAttributedTo(String attributedTo) {
+        this.attributedTo = attributedTo;
+    }
+
+    public String getProcess() {
+        return process;
+    }
+
+    public void setProcess(String process) {
+        this.process = process;
+    }
+
+    public String getNote() {
+        return note;
+    }
+
+    public void setNote(String note) {
+        this.note = note;
+    }
+
+    @Override
+    public boolean equals(Object o) {
+        if (this == o) return true;
+        if (!(o instanceof Citation)) return false;
+        Citation citation = (Citation) o;
+        return Objects.equals(bomRef, citation.bomRef) &&
+                Objects.equals(pointers, citation.pointers) &&
+                Objects.equals(expressions, citation.expressions) &&
+                Objects.equals(timestamp, citation.timestamp) &&
+                Objects.equals(attributedTo, citation.attributedTo) &&
+                Objects.equals(process, citation.process) &&
+                Objects.equals(note, citation.note);
+    }
+
+    @Override
+    public int hashCode() {
+        return Objects.hash(bomRef, pointers, expressions, timestamp, attributedTo, process, note);
+    }
+}
@@ -0,0 +1,60 @@
+/*
+ * This file is part of CycloneDX Core (Java).
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * SPDX-License-Identifier: Apache-2.0
+ * Copyright (c) OWASP Foundation. All Rights Reserved.
+ */
+package org.cyclonedx.model;
+
+import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
+import com.fasterxml.jackson.annotation.JsonInclude;
+import com.fasterxml.jackson.annotation.JsonInclude.Include;
+import com.fasterxml.jackson.annotation.JsonPropertyOrder;
+
+import java.util.Objects;
+
+/**
+ * Data sharing and distribution classifications.
+ *
+ * @since 10.0.0
+ */
+@JsonIgnoreProperties(ignoreUnknown = true)
+@JsonInclude(Include.NON_NULL)
+@JsonPropertyOrder({"tlp"})
+public class Classifications {
+
+    private TlpClassification tlp;
+
+    public TlpClassification getTlp() {
+        return tlp;
+    }
+
+    public void setTlp(TlpClassification tlp) {
+        this.tlp = tlp;
+    }
+
+    @Override
+    public boolean equals(Object o) {
+        if (this == o) return true;
+        if (!(o instanceof Classifications)) return false;
+        Classifications that = (Classifications) o;
+        return tlp == that.tlp;
+    }
+
+    @Override
+    public int hashCode() {
+        return Objects.hash(tlp);
+    }
+}