diff --git a/.envrc b/.envrc
new file mode 100755
index 0000000..2ca4328
--- /dev/null
+++ b/.envrc
@@ -0,0 +1,30 @@
+# Run any command in this library's bin/ without the bin/ prefix!
+# Prefer exe version over binstub
+PATH_add exe
+PATH_add bin
+
+# Only add things to this file that should be shared with the team.
+
+# **dotenv** (See end of file for .env.local integration)
+# .env would override anything in this file, if enabled.
+# .env is a DOCKER standard, and if we use it, it would be in deployed, or DOCKER, environments.
+# Override and customize anything below in your own .env.local
+# If you are using dotenv and not direnv,
+# copy the following `export` statements to your own .env file.
+export MIMIC_NEXT_MAJOR_VERSION=false
+export ARUBA_NO_COVERAGE=false
+
+### General Ruby ###
+# Turn off Ruby Warnings about deprecated code
+# export RUBYOPT="-W0"
+
+# Internal Debugging Controls
+export DEBUG=false # do not allow byebug statements (override in .env.local)
+
+# .env would override anything in this file, if `dotenv` is uncommented below.
+# .env is a DOCKER standard, and if we use it, it would be in deployed, or DOCKER, environments,
+# and that is why we generally want to leave it commented out.
+# dotenv
+
+# .env.local will override anything in this file.
+dotenv_if_exists .env.local
diff --git a/.github/workflows/ruby.yml b/.github/workflows/ruby.yml
index a1df89e..a575090 100644
--- a/.github/workflows/ruby.yml
+++ b/.github/workflows/ruby.yml
@@ -18,10 +18,14 @@ jobs:
 fail-fast: false
 matrix:
 ruby:
- - '3.2.2'
- - '3.1.4'
- - '3.0.6'
- - '2.7.7'
+ - '3.4.7'
+ - '3.3.9'
+ - '3.2.9'
+# Not supported by latest bundler. These will be added back to the build matrix later.
+# They are not being dropped from support, just from CI testing for now.
+# - '3.1.7'
+# - '3.0.7'
+# - '2.7.8'
 
 steps:
 - uses: actions/checkout@v3
diff --git a/.gitignore b/.gitignore
index 29a7627..6fc92f7 100644
--- a/.gitignore
+++ b/.gitignore
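Review bot: The new `ruby:` matrix removes 2.7 through 3.1 from CI while the added comment says they remain supported, so a regression on those versions now ships untested; since the stated blocker is the bundler version rather than the interpreter, a per-row bundler pin for those entries (if the Ruby setup step outside this hunk accepts one) would let them stay in the matrix. Separately, the context line `- uses: actions/checkout@v3` references the action by a mutable tag; pinning to a full commit SHA with the tag in a trailing comment, e.g. `- uses: actions/checkout@<commit-sha> # v4`, protects the workflow from the tag being retargeted, and v3 is also an older major that GitHub has been phasing out. The job definition continues outside the hunk.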
@@ -1,4 +1,55 @@ -.idea -/Gemfile.lock -/tmp/aruba -/coverage \ No newline at end of file +# Build Artifacts +/pkg/ +/tmp/ +*.gem + +# Bundler +/vendor/bundle/ +/.bundle/ +/gemfiles/*.lock +/gemfiles/.bundle/ +/gemfiles/.bundle/config +/gemfiles/vendor/ +Appraisal.*.gemfile.lock + +# Specs +.rspec_status +/coverage/ +/spec/reports/ +/results/ +.output.txt + +# Documentation +/.yardoc/ +/_yardoc/ +/rdoc/ +/doc/ + +# Ruby Version Managers (RVM, rbenv, etc) +.rvmrc +.ruby-version +.ruby-gemset +.tool-versions + +# Benchmarking +/measurement/ + +# Debugger detritus +.byebug_history + +# direnv - brew install direnv +.env.local + +# OS Detritus +.DS_Store + +# Editors +*~ +/.idea/ + +# vendor +/vendor/ + +# text artifacts +bom.xml +bom.json diff --git a/.rspec b/.rspec new file mode 100644 index 0000000..9007e08 --- /dev/null +++ b/.rspec @@ -0,0 +1,7 @@ +--format documentation +--require spec_helper +--color +--order random +--warnings +--format html +--out results/test_results.html diff --git a/.rubocop.yml b/.rubocop.yml index 0dbd7ac..8d139a1 100644 --- a/.rubocop.yml +++ b/.rubocop.yml @@ -4,6 +4,9 @@ AllCops: inherit_from: .rubocop_todo.yml +Gemspec/DevelopmentDependencies: + EnforcedStyle: gemspec + # The behavior of RuboCop can be controlled via the .rubocop.yml # configuration file. It makes it possible to enable/disable # certain cops (checks) and to alter their behavior if they accept diff --git a/.rubocop_todo.yml b/.rubocop_todo.yml index accbce0..5f5b288 100644 --- a/.rubocop_todo.yml +++ b/.rubocop_todo.yml 
@@ -1,136 +1,29 @@ # This configuration was generated by # `rubocop --auto-gen-config` -# on 2023-04-05 19:57:43 UTC using RuboCop version 1.49.0. +# on 2025-10-30 06:45:50 UTC using RuboCop version 1.81.6. # The point is for the user to remove these configuration records # one by one as the offenses are removed from the code base. # Note that changes in the inspected code, or installation of new # versions of RuboCop, may require this file to be generated again. -# Offense count: 1 -# This cop supports safe autocorrection (--autocorrect). -# Configuration parameters: Severity, Include. -# Include: **/*.gemspec -Gemspec/DeprecatedAttributeAssignment: - Exclude: - - 'cyclonedx-ruby.gemspec' - # Offense count: 4 # This cop supports safe autocorrection (--autocorrect). -# Configuration parameters: TreatCommentsAsGroupSeparators, ConsiderPunctuation, Include. -# Include: **/*.gemspec +# Configuration parameters: TreatCommentsAsGroupSeparators, ConsiderPunctuation. Gemspec/OrderedDependencies: Exclude: - 'cyclonedx-ruby.gemspec' -# Offense count: 1 -# This cop supports safe autocorrection (--autocorrect). -# Configuration parameters: Severity, Include. -# Include: **/*.gemspec -Gemspec/RequireMFA: - Exclude: - - 'cyclonedx-ruby.gemspec' - -# Offense count: 1 -# This cop supports safe autocorrection (--autocorrect). -Layout/EmptyLineAfterMagicComment: - Exclude: - - 'lib/bom_builder.rb' - -# Offense count: 1 -# This cop supports safe autocorrection (--autocorrect). -# Configuration parameters: EnforcedStyle. -# SupportedStyles: around, only_before -Layout/EmptyLinesAroundAccessModifier: - Exclude: - - 'lib/bom_builder.rb' - -# Offense count: 1 -# This cop supports safe autocorrection (--autocorrect). -Layout/EmptyLinesAroundMethodBody: - Exclude: - - 'lib/bom_component.rb' - -# Offense count: 1 +# Offense count: 2 # This cop supports safe autocorrection (--autocorrect). # Configuration parameters: AllowForAlignment, AllowBeforeTrailingComments, ForceEqualSignAlignment. 
Layout/ExtraSpacing: Exclude: - 'cyclonedx-ruby.gemspec' -# Offense count: 1 -# This cop supports safe autocorrection (--autocorrect). -# Configuration parameters: EnforcedStyle, IndentationWidth. -# SupportedStyles: special_inside_parentheses, consistent, align_brackets -Layout/FirstArrayElementIndentation: - Exclude: - - 'lib/bom_component.rb' - -# Offense count: 1 -# This cop supports safe autocorrection (--autocorrect). -Layout/LeadingEmptyLines: - Exclude: - - 'lib/bom_component.rb' - -# Offense count: 2 -# This cop supports safe autocorrection (--autocorrect). -# Configuration parameters: EnforcedStyle. -# SupportedStyles: final_newline, final_blank_line -Layout/TrailingEmptyLines: - Exclude: - - 'Rakefile' - - 'lib/bom_component.rb' - -# Offense count: 3 -# This cop supports safe autocorrection (--autocorrect). -# Configuration parameters: AllowInHeredoc. -Layout/TrailingWhitespace: - Exclude: - - 'Rakefile' - - 'spec/bom_component_spec.rb' - -# Offense count: 2 -Lint/IneffectiveAccessModifier: - Exclude: - - 'lib/bom_builder.rb' - -# Offense count: 1 -# This cop supports safe autocorrection (--autocorrect). -Lint/ScriptPermission: - Exclude: - - 'Rakefile' - -# Offense count: 1 -Lint/ShadowingOuterLocalVariable: - Exclude: - - 'lib/bom_builder.rb' - -# Offense count: 19 -# This cop supports safe autocorrection (--autocorrect). -# Configuration parameters: EnforcedStyle. -# SupportedStyles: strict, consistent -Lint/SymbolConversion: - Exclude: - - 'lib/bom_component.rb' - - 'lib/bom_helpers.rb' - -# Offense count: 1 -# This cop supports safe autocorrection (--autocorrect). -# Configuration parameters: AllowUnusedKeywordArguments, IgnoreEmptyMethods, IgnoreNotImplementedMethods. -Lint/UnusedMethodArgument: - Exclude: - - 'lib/bom_builder.rb' - -# Offense count: 1 -# This cop supports safe autocorrection (--autocorrect). -# Configuration parameters: ContextCreatingMethods, MethodCreatingMethods. 
-Lint/UselessAccessModifier: - Exclude: - - 'lib/bom_builder.rb' - # Offense count: 4 # Configuration parameters: AllowedMethods, AllowedPatterns, CountRepeatedAttributes. Metrics/AbcSize: - Max: 67 + Max: 68 # Offense count: 4 # Configuration parameters: CountComments, CountAsOne, AllowedMethods, AllowedPatterns. 
@@ -141,78 +34,38 @@ Metrics/BlockLength: # Offense count: 1 # Configuration parameters: CountComments, CountAsOne. Metrics/ClassLength: - Max: 128 + Max: 129 # Offense count: 1 # Configuration parameters: AllowedMethods, AllowedPatterns. Metrics/CyclomaticComplexity: Max: 9 -# Offense count: 6 +# Offense count: 7 # Configuration parameters: CountComments, CountAsOne, AllowedMethods, AllowedPatterns. Metrics/MethodLength: - Max: 68 + Max: 69 # Offense count: 1 # Configuration parameters: AllowedMethods, AllowedPatterns. Metrics/PerceivedComplexity: Max: 12 -# Offense count: 1 -# This cop supports safe autocorrection (--autocorrect). -# Configuration parameters: PreferredName. -Naming/RescuedExceptionsVariableName: - Exclude: - - 'Rakefile' - -# Offense count: 3 +# Offense count: 4 # Configuration parameters: AllowedConstants. Style/Documentation: Exclude: - 'spec/**/*' - 'test/**/*' - - 'Rakefile' - - 'lib/bom_builder.rb' - - 'lib/bom_component.rb' - -# Offense count: 1 -# This cop supports safe autocorrection (--autocorrect). -# Configuration parameters: AllowedVars. -Style/FetchEnvVar: - Exclude: - - 'lib/bom_helpers.rb' + - 'lib/cyclonedx/bom_builder.rb' + - 'lib/cyclonedx/bom_component.rb' + - 'lib/cyclonedx/bom_helpers.rb' + - 'lib/cyclonedx/ruby/deprecation.rb' # Offense count: 1 -# This cop supports safe autocorrection (--autocorrect). -Style/FileWrite: +Style/MixinUsage: Exclude: - - 'lib/bom_builder.rb' - -# Offense count: 12 -# This cop supports unsafe autocorrection (--autocorrect-all). -# Configuration parameters: EnforcedStyle. 
-# SupportedStyles: always, always_true, never -Style/FrozenStringLiteralComment: - Exclude: - - '.simplecov' - - 'Gemfile' - - 'Rakefile' - - 'features/fixtures/simple/Gemfile' - - 'features/step_definitions/json_bom_matching.rb' - - 'features/step_definitions/xml_bom_matching.rb' - - 'features/support/env.rb' - - 'features/support/simplecov_support.rb' - - 'lib/bom_component.rb' - - 'spec/bom_component_spec.rb' - - 'spec/bom_helpers_spec.rb' - - 'spec/spec_helper.rb' - -# Offense count: 1 -# This cop supports safe autocorrection (--autocorrect). -# Configuration parameters: AllowedMethods, AllowedPatterns. -Style/MethodCallWithoutArgsParentheses: - Exclude: - - 'lib/bom_helpers.rb' + - 'lib/cyclonedx_deprecated.rb' # Offense count: 1 # This cop supports unsafe autocorrection (--autocorrect-all). @@ -220,13 +73,13 @@ Style/MethodCallWithoutArgsParentheses: # SupportedStyles: literals, strict Style/MutableConstant: Exclude: - - 'lib/bom_builder.rb' + - 'lib/cyclonedx/bom_builder.rb' # Offense count: 2 Style/OpenStructUse: Exclude: - - 'lib/bom_builder.rb' - - 'spec/bom_component_spec.rb' + - 'lib/cyclonedx/bom_builder.rb' + - 'spec/cyclonedx/bom_component_spec.rb' # Offense count: 1 # This cop supports safe autocorrection (--autocorrect). @@ -235,19 +88,6 @@ Style/PercentLiteralDelimiters: Exclude: - 'Rakefile' -# Offense count: 19 -# This cop supports safe autocorrection (--autocorrect). -# Configuration parameters: . -# SupportedStyles: same_as_string_literals, single_quotes, double_quotes -Style/QuotedSymbols: - EnforcedStyle: double_quotes - -# Offense count: 1 -# This cop supports safe autocorrection (--autocorrect). -Style/RedundantBegin: - Exclude: - - 'Rakefile' - # Offense count: 6 # This cop supports safe autocorrection (--autocorrect). Style/RedundantRegexpEscape: 
@@ -255,7 +95,7 @@ Style/RedundantRegexpEscape: - 'features/step_definitions/json_bom_matching.rb' - 'features/step_definitions/xml_bom_matching.rb' -# Offense count: 20 +# Offense count: 41 # This cop supports safe autocorrection (--autocorrect). # Configuration parameters: EnforcedStyle, ConsistentQuotesInMultiline. # SupportedStyles: single_quotes, double_quotes @@ -266,8 +106,6 @@ Style/StringLiterals: - 'cyclonedx-ruby.gemspec' - 'lib/bom_component.rb' - 'lib/bom_helpers.rb' - - 'spec/bom_component_spec.rb' - - 'spec/bom_helpers_spec.rb' # Offense count: 1 # This cop supports safe autocorrection (--autocorrect). @@ -276,15 +114,9 @@ Style/StringLiterals: Style/SymbolArray: EnforcedStyle: brackets -# Offense count: 2 -# This cop supports safe autocorrection (--autocorrect). -Style/SymbolLiteral: - Exclude: - - 'lib/bom_component.rb' - -# Offense count: 5 +# Offense count: 7 # This cop supports safe autocorrection (--autocorrect). -# Configuration parameters: AllowHeredoc, AllowURI, URISchemes, IgnoreCopDirectives, AllowedPatterns. +# Configuration parameters: AllowHeredoc, AllowURI, AllowQualifiedName, URISchemes, IgnoreCopDirectives, AllowedPatterns, SplitStrings. # URISchemes: http, https Layout/LineLength: Max: 237 diff --git a/.simplecov b/.simplecov index f1709c5..dcd8afc 100644 --- a/.simplecov +++ b/.simplecov @@ -1,3 +1,5 @@ +# frozen_string_literal: true + # Copied from https://github.com/cucumber/aruba/blob/3b1a6cea6e3ba55370c3396eef0a955aeb40f287/.simplecov # Licensed under MIT - https://github.com/cucumber/aruba/blob/3b1a6cea6e3ba55370c3396eef0a955aeb40f287/LICENSE diff --git a/CHANGELOG.md b/CHANGELOG.md new file mode 100644 index 0000000..e50ee65 --- /dev/null +++ b/CHANGELOG.md 
@@ -0,0 +1,79 @@ +# Changelog + +[![SemVer 2.0.0][📌semver-img]][📌semver] [![Keep-A-Changelog 1.0.0][📗keep-changelog-img]][📗keep-changelog] + +All notable changes to this project after v1.1.0 will be documented in this file. + +The format is based on [Keep a Changelog][📗keep-changelog], +and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html), +and [yes][📌major-versions-not-sacred], platform and engine support are part of the [public API][📌semver-breaking]. +Please file a bug if you notice a violation of semantic versioning. + +[📌semver]: https://semver.org/spec/v2.0.0.html +[📌semver-img]: https://img.shields.io/badge/semver-2.0.0-FFDD67.svg?style=flat +[📌semver-breaking]: https://github.com/semver/semver/issues/716#issuecomment-869336139 +[📌major-versions-not-sacred]: https://tom.preston-werner.com/2022/05/23/major-version-numbers-are-not-sacred.html +[📗keep-changelog]: https://keepachangelog.com/en/1.0.0/ +[📗keep-changelog-img]: https://img.shields.io/badge/keep--a--changelog-1.0.0-FFDD67.svg?style=flat + +## [Unreleased] + +### Added + +- `CONTRIBUTING.md` file to help people find their way to contributing +- `CHANGELOG.md` file to document notable changes in keep-a-changelog format +- `Cyclonedx::BomHelpers` module to house helper methods, replacing global methods +- `Cyclonedx::BomBuilder` class, replacing `Bombuilder` (note the capitalization change) +- `Cyclonedx::BomComponent` class, replacing `BomComponent` +- `Cyclonedx::Ruby::Version::VERSION` constant to hold the version number (also available as `Cyclonedx::VERSION`) +- `Cyclonedx::Ruby::Deprecation` module to help manage deprecations +- dev dependency: `stone_checksums` + - For SHA-256 and SHA-512 checksum generation for each release. 
+- signed gem releases + - See: [RubyGems Security Guide][🔒️rubygems-security-guide] +- CI matrix testing on Ruby 3.3, 3.4 + +[🔒️rubygems-security-guide]: https://guides.rubygems.org/security/#building-gems + +### Changed + +- Updated gemspec metadata for clarity and consistency +- Modernized Rakefile, dotfiles, and test setup +- `LICENSE` => `LICENSE.txt` to simplify parsing consistency on various platforms and tools +- `cucumber` v8 => v10 +- `aruba` v2.1 => v2.2 + +### Deprecated + +- `BomComponent` => `Cyclonedx::BomComponent` +- `Bombuilder` => `Cyclonedx::BomBuilder` (note the capitalization change) +- `Object.purl` => `Cyclonedx::BomHelpers.purl` +- `Object.random_urn_uuid` => `Cyclonedx::BomHelpers.random_urn_uuid` +- `Object.build_bom` => `Cyclonedx::BomHelpers.build_bom` +- `Object.build_json_bom` => `Cyclonedx::BomHelpers.build_json_bom` +- `Object.build_bom_xml` => `Cyclonedx::BomHelpers.build_bom_xml` +- `Object.get_gem` => `Cyclonedx::BomHelpers.get_gem` + +### Removed + +### Fixed + +- `Nokogiri::XML::Builder` context relies on `method_missing` + - Globally defined `Object#purl` conflicted with ``. + - Moved to `Cyclonedx::BomHelpers.purl` to avoid conflict in v2.0.0 (along with all other global methods) + - Fixed existing usage via the built-in Nokogiri workaround of adding an underscore `purl_` + - The XML tag is unchanged as `` + +### Security + +## [1.1.0] - 2019-07-13 + +- TAG: [v1.1.0][1.1.0t] + +### Added + +- Initial release + +[Unreleased]: https://gitlab.com/CycloneDX/cyclonedx-ruby-gem/-/compare/v1.1.0...HEAD +[1.1.0]: https://github.com/CycloneDX/cyclonedx-ruby-gem/compare/eecfebe3cb0ce961fef8e424162ac94298f02a9f...v1.1.0 +[1.1.0t]: https://github.com/CycloneDX/cyclonedx-ruby-gem/releases/tag/v1.1.0 diff --git a/CODE_OF_CONDUCT.md b/CODE_OF_CONDUCT.md new file mode 100644 index 0000000..fded27d --- /dev/null +++ b/CODE_OF_CONDUCT.md 
@@ -0,0 +1,133 @@ +# Contributor Covenant Code of Conduct + +## Our Pledge + +We as members, contributors, and leaders pledge to make participation in our +community a harassment-free experience for everyone, regardless of age, body +size, visible or invisible disability, ethnicity, sex characteristics, gender +identity and expression, level of experience, education, socio-economic status, +nationality, personal appearance, race, caste, color, religion, or sexual +identity and orientation. + +We pledge to act and interact in ways that contribute to an open, welcoming, +diverse, inclusive, and healthy community. + +## Our Standards + +Examples of behavior that contributes to a positive environment for our +community include: + +* Demonstrating empathy and kindness toward other people +* Being respectful of differing opinions, viewpoints, and experiences +* Giving and gracefully accepting constructive feedback +* Accepting responsibility and apologizing to those affected by our mistakes, + and learning from the experience +* Focusing on what is best not just for us as individuals, but for the overall + community + +Examples of unacceptable behavior include: + +* The use of sexualized language or imagery, and sexual attention or advances of + any kind +* Trolling, insulting or derogatory comments, and personal or political attacks +* Public or private harassment +* Publishing others' private information, such as a physical or email address, + without their explicit permission +* Other conduct which could reasonably be considered inappropriate in a + professional setting + +## Enforcement Responsibilities + +Community leaders are responsible for clarifying and enforcing our standards of +acceptable behavior and will take appropriate and fair corrective action in +response to any behavior that they deem inappropriate, threatening, offensive, +or harmful. 
+ +Community leaders have the right and responsibility to remove, edit, or reject +comments, commits, code, wiki edits, issues, and other contributions that are +not aligned to this Code of Conduct, and will communicate reasons for moderation +decisions when appropriate. + +## Scope + +This Code of Conduct applies within all community spaces, and also applies when +an individual is officially representing the community in public spaces. +Examples of representing our community include using an official email address, +posting via an official social media account, or acting as an appointed +representative at an online or offline event. + +## Enforcement + +Instances of abusive, harassing, or otherwise unacceptable behavior may be +reported to the community leaders responsible for enforcement at +[steve.springett@owasp.org][conduct-contact]. +All complaints will be reviewed and investigated promptly and fairly. + +All community leaders are obligated to respect the privacy and security of the +reporter of any incident. + +## Enforcement Guidelines + +Community leaders will follow these Community Impact Guidelines in determining +the consequences for any action they deem in violation of this Code of Conduct: + +### 1. Correction + +**Community Impact**: Use of inappropriate language or other behavior deemed +unprofessional or unwelcome in the community. + +**Consequence**: A private, written warning from community leaders, providing +clarity around the nature of the violation and an explanation of why the +behavior was inappropriate. A public apology may be requested. + +### 2. Warning + +**Community Impact**: A violation through a single incident or series of +actions. + +**Consequence**: A warning with consequences for continued behavior. No +interaction with the people involved, including unsolicited interaction with +those enforcing the Code of Conduct, for a specified period of time. 
This +includes avoiding interactions in community spaces as well as external channels +like social media. Violating these terms may lead to a temporary or permanent +ban. + +### 3. Temporary Ban + +**Community Impact**: A serious violation of community standards, including +sustained inappropriate behavior. + +**Consequence**: A temporary ban from any sort of interaction or public +communication with the community for a specified period of time. No public or +private interaction with the people involved, including unsolicited interaction +with those enforcing the Code of Conduct, is allowed during this period. +Violating these terms may lead to a permanent ban. + +### 4. Permanent Ban + +**Community Impact**: Demonstrating a pattern of violation of community +standards, including sustained inappropriate behavior, harassment of an +individual, or aggression toward or disparagement of classes of individuals. + +**Consequence**: A permanent ban from any sort of public interaction within the +community. + +## Attribution + +This Code of Conduct is adapted from the [Contributor Covenant][homepage], +version 2.1, available at +[https://www.contributor-covenant.org/version/2/1/code_of_conduct.html][v2.1]. + +Community Impact Guidelines were inspired by +[Mozilla's code of conduct enforcement ladder][Mozilla CoC]. + +For answers to common questions about this code of conduct, see the FAQ at +[https://www.contributor-covenant.org/faq][FAQ]. Translations are available at +[https://www.contributor-covenant.org/translations][translations]. + +[homepage]: https://www.contributor-covenant.org +[v2.1]: https://www.contributor-covenant.org/version/2/1/code_of_conduct.html +[Mozilla CoC]: https://github.com/mozilla/diversity +[FAQ]: https://www.contributor-covenant.org/faq +[translations]: https://www.contributor-covenant.org/translations +[conduct-contact]: mailto:steve.springett@owasp.org diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md new file mode 100644 index 0000000..7157a53 
--- /dev/null +++ b/CONTRIBUTING.md 
@@ -0,0 +1,137 @@ +# Contributing + +Any contribution is welcome. +Please read the [CycloneDX contributing guidelines](https://github.com/CycloneDX/.github/blob/master/CONTRIBUTING.md) first. + +Pull-requests from forks are welcome. +We love to see your purposed changes, but we also like to discuss things first. Please open a [ticket][📜src-gh] and explain your intended changes to the community. And don't forget to mention that discussion in your pull-request later. +Find the needed basics here: +* [how to fork a repository](https://docs.github.com/en/pull-requests/collaborating-with-pull-requests/working-with-forks/fork-a-repo) +* [how create a pull request from a fork](https://docs.github.com/en/pull-requests/collaborating-with-pull-requests/proposing-changes-to-your-work-with-pull-requests/creating-a-pull-request-from-a-fork) +* Remember to [![Keep A Changelog][📗keep-changelog-img]][📗keep-changelog] if you make changes. + +## Setup + +This project uses ruby. Have a recent version installed and setup first. + +To install dev-dependencies and tools: + +```shell +bin/setup +``` + +## Environment Variables for Local Development + +Below are the primary environment variables recognized by stone_checksums (and its integrated tools). Unless otherwise noted, set boolean values to the string "true" to enable. + +General/runtime +- MIMIC_NEXT_MAJOR_VERSION: When set to true, simulates the next major version for testing breaking changes [📌semver-breaking] [📌major-versions-not-sacred] (default: false) +- ARUBA_NO_COVERAGE: Disable SimpleCov coverage in Aruba tests (default: false) + +For a quick starting point, this repository’s `.envrc` shows sane defaults, and `.env.local` can override them locally. + +## Testing + +To run all tests + +```console +bundle exec rake test +``` + +Or use the default task, which does the same + +```console +bundle exec rake +``` + +### Spec organization (required) + +- One spec file per class/module. 
For each class or module under `lib/`, keep all of its unit tests in a single spec file under `spec/` that mirrors the path and file name exactly: `lib/cyclonedx/my_class.rb` -> `spec/cyclonedx/my_class_spec.rb`. +- Exception: Integration specs that intentionally span multiple classes. Place these under `spec/integration/` (or a clearly named integration folder), and do not directly mirror a single class. Name them after the scenario, not a class. + +## Lint It + +Run the linter. + +```console +bundle exec rake rubocop +``` + +### Important: Do not add inline RuboCop disables + +Try not to add `# rubocop:disable ...` / `# rubocop:enable ...` comments to code or specs (except when following the few existing `rubocop:disable` patterns for a rule already being disabled elsewhere in the code). Instead: + +- Prefer configuration-based exclusions when a rule should not apply to certain paths or files (e.g., via `.rubocop.yml`). + - `bundle exec rubocop -a` (preferred) + - `bundle exec rubocop --regenerate-todo` (only when you cannot fix the violations immediately) + +As a general rule, fix style issues rather than ignoring them. For example, our specs should follow RSpec conventions like using `described_class` for the class under test. + +## Sign off your commits + +Please sign off your commits, to show that you agree to publish your changes under the current terms and licenses of the project +, and to indicate agreement with [Developer Certificate of Origin (DCO)](https://developercertificate.org/). + +```shell +git commit --signed-off ... +``` + +## Contributors + +Your picture could be here! + +[![Contributors][🖐contributors-img]][🖐contributors] + +Made with [contributors-img][🖐contrib-rocks]. + +## For Maintainers + +### To release a new version: + +#### Automated process + +Coming Soon! + +#### Manual process + +1. Run `bin/setup && bin/rake` as a "test, coverage, & linting" sanity check +2. 
Update the version number in `version.rb`, and ensure `CHANGELOG.md` reflects changes +3. Run `bin/setup && bin/rake` again as a secondary check, and to update `Gemfile.lock` +4. Run `git commit -am "🔖 Prepare release v"` to commit the changes +5. Run `git push` to trigger the final CI pipeline before release, and merge PRs + - NOTE: Remember to [check the build][🧪build]. +6. Run `export GIT_TRUNK_BRANCH_NAME="$(git remote show origin | grep 'HEAD branch' | cut -d ' ' -f5)" && echo $GIT_TRUNK_BRANCH_NAME` +7. Run `git checkout $GIT_TRUNK_BRANCH_NAME` +8. Run `git pull origin $GIT_TRUNK_BRANCH_NAME` to ensure latest trunk code +9. Optional for older Bundler (< 2.7.0): Set `SOURCE_DATE_EPOCH` so `rake build` and `rake release` use the same timestamp and generate the same checksums + - If your Bundler is >= 2.7.0, you can skip this; builds are reproducible by default. + - Run `export SOURCE_DATE_EPOCH=$EPOCHSECONDS && echo $SOURCE_DATE_EPOCH` + - If the echo above has no output, then it didn't work. + - Note: `zsh/datetime` module is needed, if running `zsh`. + - In older versions of `bash` you can use `date +%s` instead, i.e. `export SOURCE_DATE_EPOCH=$(date +%s) && echo $SOURCE_DATE_EPOCH` +10. Run `bundle exec rake build` +11. Run `bundle exec rake release` which will create a git tag for the version, + push git commits and tags, and push the `.gem` file to the gem host configured in the gemspec. +12. Run `bin/gem_checksums` (more context [1][🔒️rubygems-checksums-pr], [2][🔒️rubygems-guides-pr]) + to create SHA-256 and SHA-512 checksums. This functionality is provided by the `stone_checksums` + [gem][💎stone_checksums]. + - The script automatically commits but does not push the checksums +13. 
Sanity check the SHA256, comparing with the output from the `bin/gem_checksums` command: + - `sha256sum pkg/-.gem` + +[📜src-gh]: https://github.com/CycloneDX/cyclonedx-ruby-gem +[🧪build]: https://github.com/CycloneDX/cyclonedx-ruby-gem/actions +[🤝conduct]: https://gitlab.com/CycloneDX/cyclonedx-ruby-gem/-/blob/main/CODE_OF_CONDUCT.md +[🖐contrib-rocks]: https://contrib.rocks +[🖐contributors]: https://github.com/CycloneDX/cyclonedx-ruby-gem/graphs/contributors +[🖐contributors-img]: https://contrib.rocks/image?repo=CycloneDX/cyclonedx-ruby-gem +[💎gem-coop]: https://gem.coop +[🔒️rubygems-security-guide]: https://guides.rubygems.org/security/#building-gems +[🔒️rubygems-checksums-pr]: https://github.com/rubygems/rubygems/pull/6022 +[🔒️rubygems-guides-pr]: https://github.com/rubygems/guides/pull/325 +[💎stone_checksums]: https://github.com/galtzo-floss/stone_checksums +[📗keep-changelog]: https://keepachangelog.com/en/1.0.0/ +[📗keep-changelog-img]: https://img.shields.io/badge/keep--a--changelog-1.0.0-FFDD67.svg?style=flat +[📌semver-breaking]: https://github.com/semver/semver/issues/716#issuecomment-869336139 +[📌major-versions-not-sacred]: https://tom.preston-werner.com/2022/05/23/major-version-numbers-are-not-sacred.html +[🏃‍♂️runner-tool-cache]: https://github.com/ruby/ruby-builder/releases/tag/toolcache diff --git a/Gemfile b/Gemfile index 3195f8a..ce4a7ff 100644 --- a/Gemfile +++ b/Gemfile @@ -1,3 +1,5 @@ +# frozen_string_literal: true + source 'https://rubygems.org' # Specify your gem's dependencies in cyclonedx-ruby.gemspec diff --git a/Gemfile.lock b/Gemfile.lock new file mode 100644 index 0000000..458f039 --- /dev/null +++ b/Gemfile.lock 
@@ -0,0 +1,176 @@ +PATH + remote: . + specs: + cyclonedx-ruby (1.2.0) + activesupport (~> 7.0) + json (~> 2.6) + json_schemer (~> 2.2) + nokogiri (~> 1.15) + ostruct (~> 0.5.5) + rest-client (~> 2.0) + +GEM + remote: https://rubygems.org/ + specs: + activesupport (7.2.3) + base64 + benchmark (>= 0.3) + bigdecimal + concurrent-ruby (~> 1.0, >= 1.3.1) + connection_pool (>= 2.2.5) + drb + i18n (>= 1.6, < 2) + logger (>= 1.4.2) + minitest (>= 5.1) + securerandom (>= 0.3) + tzinfo (~> 2.0, >= 2.0.5) + aruba (2.3.2) + bundler (>= 1.17, < 3.0) + contracts (>= 0.16.0, < 0.18.0) + cucumber (>= 8.0, < 11.0) + rspec-expectations (>= 3.4, < 5.0) + thor (~> 1.0) + ast (2.4.3) + base64 (0.3.0) + benchmark (0.5.0) + bigdecimal (3.3.1) + builder (3.3.0) + concurrent-ruby (1.3.5) + connection_pool (2.5.4) + contracts (0.17.2) + cucumber (10.1.1) + base64 (~> 0.2) + builder (~> 3.2) + cucumber-ci-environment (> 9, < 11) + cucumber-core (> 15, < 17) + cucumber-cucumber-expressions (> 17, < 19) + cucumber-html-formatter (> 20.3, < 22) + diff-lcs (~> 1.5) + logger (~> 1.6) + mini_mime (~> 1.1) + multi_test (~> 1.1) + sys-uname (~> 1.3) + cucumber-ci-environment (10.0.1) + cucumber-core (15.3.0) + cucumber-gherkin (> 27, < 35) + cucumber-messages (> 26, < 30) + cucumber-tag-expressions (> 5, < 9) + cucumber-cucumber-expressions (18.0.1) + bigdecimal + cucumber-gherkin (34.0.0) + cucumber-messages (> 25, < 29) + cucumber-html-formatter (21.15.1) + cucumber-messages (> 19, < 28) + cucumber-messages (27.2.0) + cucumber-tag-expressions (8.0.0) + diff-lcs (1.6.2) + docile (1.4.1) + domain_name (0.6.20240107) + drb (2.2.3) + ffi (1.17.2) + ffi (1.17.2-x86_64-linux-gnu) + hana (1.3.7) + http-accept (1.7.0) + http-cookie (1.1.0) + domain_name (~> 0.5) + i18n (1.14.7) + concurrent-ruby (~> 1.0) + json (2.15.2) + json_schemer (2.4.0) + bigdecimal + hana (~> 1.3) + regexp_parser (~> 2.0) + simpleidn (~> 0.2) + language_server-protocol (3.17.0.5) + lint_roller (1.1.0) + logger (1.7.0) + memoist3 
(1.0.0) + mime-types (3.7.0) + logger + mime-types-data (~> 3.2025, >= 3.2025.0507) + mime-types-data (3.2025.0924) + mini_mime (1.1.5) + minitest (5.26.0) + multi_test (1.1.0) + netrc (0.11.0) + nokogiri (1.18.10-x86_64-linux-gnu) + racc (~> 1.4) + ostruct (0.5.5) + parallel (1.27.0) + parser (3.3.10.0) + ast (~> 2.4.1) + racc + prism (1.6.0) + racc (1.8.1) + rainbow (3.1.1) + rake (13.3.1) + regexp_parser (2.11.3) + rest-client (2.1.0) + http-accept (>= 1.7.0, < 2.0) + http-cookie (>= 1.0.2, < 2.0) + mime-types (>= 1.16, < 4.0) + netrc (~> 0.8) + rspec (3.13.2) + rspec-core (~> 3.13.0) + rspec-expectations (~> 3.13.0) + rspec-mocks (~> 3.13.0) + rspec-core (3.13.6) + rspec-support (~> 3.13.0) + rspec-expectations (3.13.5) + diff-lcs (>= 1.2.0, < 2.0) + rspec-support (~> 3.13.0) + rspec-mocks (3.13.6) + diff-lcs (>= 1.2.0, < 2.0) + rspec-support (~> 3.13.0) + rspec-support (3.13.6) + rubocop (1.81.6) + json (~> 2.3) + language_server-protocol (~> 3.17.0.2) + lint_roller (~> 1.1.0) + parallel (~> 1.10) + parser (>= 3.3.0.2) + rainbow (>= 2.2.2, < 4.0) + regexp_parser (>= 2.9.3, < 3.0) + rubocop-ast (>= 1.47.1, < 2.0) + ruby-progressbar (~> 1.7) + unicode-display_width (>= 2.4.0, < 4.0) + rubocop-ast (1.47.1) + parser (>= 3.3.7.2) + prism (~> 1.4) + ruby-progressbar (1.13.0) + securerandom (0.4.1) + simplecov (0.22.0) + docile (~> 1.1) + simplecov-html (~> 0.11) + simplecov_json_formatter (~> 0.1) + simplecov-html (0.13.2) + simplecov_json_formatter (0.1.4) + simpleidn (0.2.3) + stone_checksums (1.0.3) + version_gem (~> 1.1, >= 1.1.9) + sys-uname (1.4.1) + ffi (~> 1.1) + memoist3 (~> 1.0.0) + thor (1.4.0) + tzinfo (2.0.6) + concurrent-ruby (~> 1.0) + unicode-display_width (3.2.0) + unicode-emoji (~> 4.1) + unicode-emoji (4.1.0) + version_gem (1.1.9) + +PLATFORMS + x86_64-linux-gnu + +DEPENDENCIES + aruba (~> 2.2) + cucumber (~> 10.1, >= 10.1.1) + cyclonedx-ruby! 
+ rake (~> 13) + rspec (~> 3.12) + rubocop (~> 1.54) + simplecov (~> 0.22.0) + stone_checksums (~> 1.0, >= 1.0.3) + +BUNDLED WITH + 2.7.2 diff --git a/LICENSE b/LICENSE.txt similarity index 100% rename from LICENSE rename to LICENSE.txt diff --git a/README.md b/README.md index d2f94ec..a397d96 100644 --- a/README.md +++ b/README.md @@ -9,7 +9,7 @@ # CycloneDX Ruby Gem -The CycloneDX Ruby Gem creates a valid CycloneDX Software Bill of Materials (SBOM) from all project dependencies. CycloneDX is a lightweight SBOM specification that is easily created, human readable, and simple to parse. +The CycloneDX Ruby Gem creates a valid CycloneDX Software Bill of Materials (SBOM) from all project dependencies. CycloneDX is a lightweight SBOM specification that is easily created, human-readable, and simple to parse. #### Installing from RubyGems 
@@ -29,14 +29,36 @@ cyclonedx-ruby [options] `-v, --[no-]verbose` Run verbosely `-p, --path path` Path to Ruby project directory - `-f, --format` Bom output format + `-o, --output bom_file_path` Path to output the bom file + `-f, --format bom_output_format` Output format for bom. Supported: xml (default), json + `-s, --spec-version version` CycloneDX spec version to target (default: 1.7). Supported: 1.1, 1.2, 1.3, 1.4, 1.5, 1.6, 1.7 + `--include-metadata` Include metadata.tools identifying cyclonedx-ruby as the producer + `--validate` Validate the produced BOM against the selected CycloneDX schema + `--validate-file PATH` Validate an existing BOM file instead of generating one `-h, --help` Show help message **Output:** bom.xml or bom.json file in project directory -#### Example +- By default, outputs conform to CycloneDX spec version 1.7. +- To generate an older spec version, use `--spec-version`. +- To embed metadata about this tool (vendor/name/version) into the BOM, pass `--include-metadata` (supported for spec >= 1.2). + +#### Examples ```bash +# Default (XML, CycloneDX 1.7) cyclonedx-ruby -p /path/to/ruby/project + +# JSON at CycloneDX 1.7 +cyclonedx-ruby -p /path/to/ruby/project -f json + +# XML at CycloneDX 1.3 +cyclonedx-ruby -p /path/to/ruby/project -s 1.3 + +# JSON at CycloneDX 1.2 to a custom path +cyclonedx-ruby -p /path/to/ruby/project -f json -s 1.2 -o bom/out.json + +# Include producer metadata and validate +cyclonedx-ruby -p /path/to/ruby/project --include-metadata --validate ``` @@ -47,5 +69,4 @@ CycloneDX Ruby Gem is Copyright (c) OWASP Foundation. All Rights Reserved. Permission to modify and redistribute is granted under the terms of the Apache 2.0 license. See the [LICENSE] file for the full license. -[License]: https://github.com/CycloneDX/cyclonedx-ruby-gem/blob/master/LICENSE - +[License]: https://github.com/CycloneDX/cyclonedx-ruby-gem/blob/master/LICENSE.txt diff --git a/Rakefile b/Rakefile index a18e7a9..a176eaf 100644 --- a/Rakefile 
+++ b/Rakefile @@ -1,42 +1,28 @@ -#!/usr/bin/env rake -$LOAD_PATH << File.expand_path(__dir__) - -require "aruba/platform" - -require "bundler" -Bundler.setup +# frozen_string_literal: true require 'bundler/gem_tasks' -require "cucumber/rake/task" -require "rspec/core/rake_task" +require 'aruba/platform' require 'rake/clean' -# Work around a bug in `rake/clean` from `rake` versions older than 13. It's -# failing when it calls `FileUtils::rm_r` because that method needs to receive -# the `opts` parameter as parameters instead of as a `Hash`. -module Rake - module Cleaner - module_function - - def cleanup(file_name, **opts) - begin - opts = { verbose: Rake.application.options.trace }.merge(opts) - rm_r file_name, **opts - rescue StandardError => ex - puts "Failed to remove #{file_name}: #{ex}" unless file_already_gone?(file_name) - end - end - end -end - # Remove the `coverage` directory when the `:clobber` task is run. CLOBBER.include('coverage') +# Cucumber +require 'cucumber/rake/task' + Cucumber::Rake::Task.new do |t| t.cucumber_opts = %w(--format progress) end -RSpec::Core::RakeTask.new('spec') +# RSpec +require 'rspec/core/rake_task' + +RSpec::Core::RakeTask.new(:spec) + +# RuboCop +require 'rubocop/rake_task' + +RuboCop::RakeTask.new # Run the `clobber` task when running the entire test suite, because the # coverage information reported by `simplecov` can be skewed when a `coverage` @@ -44,4 +30,5 @@ RSpec::Core::RakeTask.new('spec') desc "Run the whole test suite." task test: [:clobber, :spec, :cucumber] -task default: :test \ No newline at end of file +# Default Task +task default: :test diff --git a/bin/console b/bin/console new file mode 100755 index 0000000..12ac7a7 --- /dev/null +++ b/bin/console 
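Review bot: `RuboCop::RakeTask.new` is registered in the first hunk, but the second hunk leaves `task test: [:clobber, :spec, :cucumber]` unchanged, so neither `rake test` nor the `default` task runs the linter and it has to be invoked separately. If lint is meant to gate the suite, change the line to `task test: [:clobber, :rubocop, :spec, :cucumber]`; if it is deliberately opt-in, a one-line comment above `RuboCop::RakeTask.new` saying so would stop the next reader from asking. The dropped `Rake::Cleaner#cleanup` workaround looks safe to remove given the `rake ~> 13` development dependency, but that constraint lives in the gemspec, not here.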
@@ -0,0 +1,11 @@ +#!/usr/bin/env ruby +# frozen_string_literal: true + +require 'bundler/setup' +require 'cyclonedx/ruby' + +# You can add fixtures and/or initialization code here to make experimenting +# with your gem easier. You can also use a different console, if you like. + +require 'irb' +IRB.start(__FILE__) diff --git a/bin/cucumber b/bin/cucumber new file mode 100755 index 0000000..7c35145 --- /dev/null +++ b/bin/cucumber @@ -0,0 +1,16 @@ +#!/usr/bin/env ruby +# frozen_string_literal: true + +# +# This file was generated by Bundler. +# +# The application 'cucumber' is installed as part of a gem, and +# this file is here to facilitate running it. +# + +ENV['BUNDLE_GEMFILE'] ||= File.expand_path('../Gemfile', __dir__) + +require 'rubygems' +require 'bundler/setup' + +load Gem.bin_path('cucumber', 'cucumber') diff --git a/bin/gem_checksums b/bin/gem_checksums new file mode 100755 index 0000000..1d625b5 --- /dev/null +++ b/bin/gem_checksums @@ -0,0 +1,16 @@ +#!/usr/bin/env ruby +# frozen_string_literal: true + +# +# This file was generated by Bundler. +# +# The application 'gem_checksums' is installed as part of a gem, and +# this file is here to facilitate running it. +# + +ENV['BUNDLE_GEMFILE'] ||= File.expand_path('../Gemfile', __dir__) + +require 'rubygems' +require 'bundler/setup' + +load Gem.bin_path('stone_checksums', 'gem_checksums') diff --git a/bin/rake b/bin/rake new file mode 100755 index 0000000..9510b16 --- /dev/null +++ b/bin/rake @@ -0,0 +1,16 @@ +#!/usr/bin/env ruby +# frozen_string_literal: true + +# +# This file was generated by Bundler. +# +# The application 'rake' is installed as part of a gem, and +# this file is here to facilitate running it. +# + +ENV['BUNDLE_GEMFILE'] ||= File.expand_path('../Gemfile', __dir__) + +require 'rubygems' +require 'bundler/setup' + +load Gem.bin_path('rake', 'rake') diff --git a/bin/rspec b/bin/rspec new file mode 100755 index 0000000..1b35905 --- /dev/null +++ b/bin/rspec 
@@ -0,0 +1,16 @@ +#!/usr/bin/env ruby +# frozen_string_literal: true + +# +# This file was generated by Bundler. +# +# The application 'rspec' is installed as part of a gem, and +# this file is here to facilitate running it. +# + +ENV['BUNDLE_GEMFILE'] ||= File.expand_path('../Gemfile', __dir__) + +require 'rubygems' +require 'bundler/setup' + +load Gem.bin_path('rspec-core', 'rspec') diff --git a/bin/setup b/bin/setup new file mode 100755 index 0000000..dce67d8 --- /dev/null +++ b/bin/setup @@ -0,0 +1,8 @@ +#!/usr/bin/env bash +set -euo pipefail +IFS=$'\n\t' +set -vx + +bundle install + +# Do any other automated setup that you need to do here diff --git a/cucumber.yml b/cucumber.yml index fea5edc..ade123b 100644 --- a/cucumber.yml +++ b/cucumber.yml @@ -1 +1,2 @@ -default: --publish-quiet +default: --publish-quiet --format progress features + diff --git a/cyclonedx-ruby.gemspec b/cyclonedx-ruby.gemspec index 087712e..08816d5 100644 --- a/cyclonedx-ruby.gemspec +++ b/cyclonedx-ruby.gemspec 
@@ -1,36 +1,72 @@ # frozen_string_literal: true +require_relative "lib/cyclonedx/ruby/version" + Gem::Specification.new do |spec| - spec.name = 'cyclonedx-ruby' - spec.version = '1.2.0' - spec.date = '2023-07-14' + spec.name = 'cyclonedx-ruby' + spec.version = Cyclonedx::Ruby::VERSION + spec.authors = ['Joseph Kobti', 'Steve Springett'] + spec.email = ['josephkobti@outlook.com'] + spec.summary = 'CycloneDX software bill-of-material (SBoM) generation utility' spec.description = 'CycloneDX is a lightweight software bill-of-material (SBOM) specification designed for use in application security contexts and supply chain component analysis. This Gem generates CycloneDX BOMs from Ruby projects.' - spec.authors = ['Joseph Kobti', 'Steve Springett'] - spec.email = 'josephkobti@outlook.com' spec.homepage = 'https://github.com/CycloneDX/cyclonedx-ruby-gem' spec.license = 'Apache-2.0' - spec.required_ruby_version = '>= 2.7.0' - spec.files = Dir.chdir(__dir__) do - `git ls-files -z`.split("\x0").reject do |f| - (File.expand_path(f) == __FILE__) || f.start_with?(*%w[bin/ test/ spec/ features/ .git .circleci appveyor]) - end - end - spec.bindir = 'exe' - spec.executables = spec.files.grep(%r{\Aexe/}) { |f| File.basename(f) } + spec.metadata["homepage_uri"] = "https://github.com/CycloneDX/cyclonedx-ruby-gem?tab=readme-ov-file#readme" + spec.metadata["source_code_uri"] = "https://github.com/CycloneDX/cyclonedx-ruby-gem/tree/v#{spec.version}" + spec.metadata["changelog_uri"] = "https://github.com/CycloneDX/cyclonedx-ruby-gem/blob/v#{spec.version}/CHANGELOG.md" + spec.metadata["bug_tracker_uri"] = "https://github.com/CycloneDX/cyclonedx-ruby-gem/issues" + spec.metadata["funding_uri"] = "https://owasp.org/donate/?reponame=www-project-cyclonedx&title=OWASP+CycloneDX" + spec.metadata["rubygems_mfa_required"] = "true" + + # Specify which files are part of the released package. 
+ spec.files = Dir[ + # Code / tasks / data (NOTE: exe/ is specified via spec.bindir and spec.executables below) + "lib/**/*.rb", + "lib/licenses.json", + # Schemas used at runtime + "schema/**/*", + # Signatures + "sig/**/*.rbs" + ] + + # Automatically included with gem package, no need to list again in files. + spec.extra_rdoc_files = Dir[ + # Files (alphabetical) + "CHANGELOG.md", + "LICENSE.txt", + "NOTICE", + "README.md" + ] + spec.rdoc_options += [ + "--title", + "#{spec.name} - #{spec.summary}", + "--main", + "README.md", + "--exclude", + "^sig/", + "--line-numbers", + "--inline-source", + "--quiet" + ] spec.require_paths = ['lib'] + spec.bindir = "exe" + # Listed files are the relative paths from bindir above. + spec.executables = ['cyclonedx-ruby'] spec.add_dependency('json', '~> 2.6') spec.add_dependency('nokogiri', '~> 1.15') spec.add_dependency('ostruct', '~> 0.5.5') spec.add_dependency('rest-client', '~> 2.0') spec.add_dependency('activesupport', '~> 7.0') + spec.add_dependency('json_schemer', '~> 2.2') spec.add_development_dependency 'rake', '~> 13' spec.add_development_dependency 'rspec', '~> 3.12' - spec.add_development_dependency 'cucumber', '~> 8.0' - spec.add_development_dependency 'aruba', '~> 2.1' + spec.add_development_dependency 'cucumber', '~> 10.1', '>= 10.1.1' + spec.add_development_dependency 'aruba', '~> 2.2' spec.add_development_dependency 'simplecov', '~> 0.22.0' spec.add_development_dependency 'rubocop', '~> 1.54' + spec.add_development_dependency 'stone_checksums', '~> 1.0', '>= 1.0.3' end diff --git a/exe/cyclonedx-ruby b/exe/cyclonedx-ruby index 10ff189..69dc957 100755 --- a/exe/cyclonedx-ruby +++ b/exe/cyclonedx-ruby 
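Review bot: `spec.required_ruby_version = '>= 2.7.0'` is removed on the old side of this hunk and never restored on the new side, so RubyGems will no longer refuse to install the gem on Rubies older than 2.7 even though the code and the new `cucumber`/`json_schemer` constraints presumably need at least that; re-add the line next to `spec.license`, raising the floor only if you have checked the minimum Ruby of the new dependencies. The explicit `spec.files` list is an improvement over the old `git ls-files` filter, and shipping `schema/**/*` and `lib/licenses.json` matters because the hunk's own comment says the schemas are loaded at runtime. Minor: the file now mixes single- and double-quoted strings (`'cyclonedx-ruby'` vs `"exe"`), which RuboCop's string-literal cop will flag once the new rake task runs.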
@@ -1,5 +1,14 @@ #!/usr/bin/env ruby # frozen_string_literal: true -require 'bom_builder' -Bombuilder.build(ARGV[0]) +if ENV.fetch('MIMIC_NEXT_MAJOR_VERSION', 'false').casecmp?('true') + require 'cyclonedx/ruby' + path_arg = ARGV[0] + path_arg = nil if path_arg&.start_with?('-') + Cyclonedx::BomBuilder.build(path_arg) +else + require 'bom_builder' + path_arg = ARGV[0] + path_arg = nil if path_arg&.start_with?('-') + Bombuilder.build(path_arg) +end diff --git a/features/fixtures/simple/Gemfile b/features/fixtures/simple/Gemfile index 180e0f6..0f7d066 100644 --- a/features/fixtures/simple/Gemfile +++ b/features/fixtures/simple/Gemfile @@ -1,3 +1,9 @@ +# frozen_string_literal: true + source 'https://rubygems.org' -gem 'activesupport' +gem 'activesupport', '7.0.4.3' +gem 'concurrent-ruby', '1.2.2' +gem 'i18n', '1.12.0' +gem 'minitest', '5.18.0' +gem 'tzinfo', '2.0.6' diff --git a/features/fixtures/simple/Gemfile.lock b/features/fixtures/simple/Gemfile.lock index 66a0f90..cdb6220 100644 --- a/features/fixtures/simple/Gemfile.lock +++ b/features/fixtures/simple/Gemfile.lock @@ -1,15 +1,15 @@ GEM remote: https://rubygems.org/ specs: - activesupport (7.0.7.1) + activesupport (7.0.4.3) concurrent-ruby (~> 1.0, >= 1.0.2) i18n (>= 1.6, < 2) minitest (>= 5.1) tzinfo (~> 2.0) concurrent-ruby (1.2.2) - i18n (1.14.1) + i18n (1.12.0) concurrent-ruby (~> 1.0) - minitest (5.19.0) + minitest (5.18.0) tzinfo (2.0.6) concurrent-ruby (~> 1.0) @@ -18,7 +18,11 @@ PLATFORMS x86_64-linux DEPENDENCIES - activesupport + activesupport (= 7.0.4.3) + concurrent-ruby (= 1.2.2) + i18n (= 1.12.0) + minitest (= 5.18.0) + tzinfo (= 2.0.6) BUNDLED WITH 2.4.10 diff --git a/features/fixtures/simple/bom.json.expected b/features/fixtures/simple/bom.json.expected index d9d7dce..39b6168 100644 --- a/features/fixtures/simple/bom.json.expected +++ b/features/fixtures/simple/bom.json.expected 
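Review bot: The `path_arg = ARGV[0]` / `path_arg = nil if path_arg&.start_with?('-')` pair is duplicated verbatim in both branches of the `MIMIC_NEXT_MAJOR_VERSION` conditional; compute it once above the `if` and keep only the `require` and the `build` call per branch. From the visible part of the new `Cyclonedx::BomBuilder.setup` the positional argument does not appear to be read at all (`@options[:path]` comes from `-p/--path` via OptionParser), though that method's body is cut off in this diff, so confirm; if it is indeed ignored, a comment such as `# positional path kept for backwards compatibility; -p/--path is authoritative` would explain why it is still threaded through.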
@@ -1,6 +1,6 @@ { "bomFormat": "CycloneDX", - "specVersion": "1.1", + "specVersion": "1.7", "serialNumber": "urn:uuid:d498cdc2-5494-4031-b37d-ff3d10d336bf", "version": 1, "components": [ @@ -105,4 +105,4 @@ ] } ] -} \ No newline at end of file +} diff --git a/features/fixtures/simple/bom.xml.expected b/features/fixtures/simple/bom.xml.expected index b379102..9cd91a6 100644 --- a/features/fixtures/simple/bom.xml.expected +++ b/features/fixtures/simple/bom.xml.expected @@ -1,5 +1,5 @@ - + activesupport diff --git a/features/help.feature b/features/help.feature index f2ee863..1acf5e4 100644 --- a/features/help.feature +++ b/features/help.feature @@ -12,5 +12,10 @@ Scenario: Generate help on demand -p, --path path (Required) Path to Ruby project directory -o, --output bom_file_path (Optional) Path to output the bom.xml file to -f, --format bom_output_format (Optional) Output format for bom. Currently support xml (default) and json. + -s, --spec-version version (Optional) CycloneDX spec version to target (default: 1.7). Supported: 1.1, 1.2, 1.3, 1.4, 1.5, 1.6, 1.7 + --validate Validate the produced BOM against the selected CycloneDX schema + --validate-file PATH Validate an existing BOM file instead of generating one + --include-metadata Include metadata.tools identifying cyclonedx-ruby as the producer + --enrich-components Include bom-ref and publisher fields on components (uses purl and first author) -h, --help Show help message """ diff --git a/features/json_format.feature b/features/json_format.feature index ae231fb..7f24c00 100644 --- a/features/json_format.feature +++ b/features/json_format.feature @@ -40,4 +40,3 @@ Feature: Creating BOM using Json format """ And a file named "bom.json" should exist And the generated Json BOM file "bom.json" matches "bom.json.expected" - diff --git a/features/metadata_tools.feature b/features/metadata_tools.feature new file mode 100644 index 0000000..bb0bc5a --- /dev/null +++ b/features/metadata_tools.feature 
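Review bot: The expected help output in help.feature now documents `--enrich-components`, but the README option list updated in this same commit stops at `--validate-file`, so the two references to the CLI surface disagree; add a README row such as `` `--enrich-components` Include bom-ref and publisher fields on components `` so users who read the README rather than `-h` learn about the flag. The `-o` description still says "Path to output the bom.xml file to" while the format may be JSON; that text is pre-existing, but since the help block is being edited anyway `Path to output the BOM file to` would be accurate for both formats.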
@@ -0,0 +1,73 @@ +Feature: Include metadata.tools in BOM + + Scenario: JSON output includes metadata.tools when flag is set + Given I use a fixture named "simple" + And I run `cyclonedx-ruby --path . --format json --include-metadata` + Then a file named "bom.json" should exist + And the output should contain: + """ + 5 gems were written to BOM located at ./bom.json + """ + And the file "bom.json" should contain: + """ + "metadata": { + """ + And the file "bom.json" should contain: + """ + "tools": [ + """ + And the file "bom.json" should contain: + """ + "vendor": "CycloneDX" + """ + And the file "bom.json" should contain: + """ + "name": "cyclonedx-ruby" + """ + + Scenario: JSON metadata BOM validates against schema + Given I use a fixture named "simple" + And I run `cyclonedx-ruby --path . --format json --include-metadata --validate` + Then the output should contain: + """ + 5 gems were written to BOM located at ./bom.json + """ + And a file named "bom.json" should exist + + Scenario: XML output includes metadata.tools when flag is set + Given I use a fixture named "simple" + And I run `cyclonedx-ruby --path . --format xml --include-metadata` + Then a file named "bom.xml" should exist + And the output should contain: + """ + 5 gems were written to BOM located at ./bom.xml + """ + And the file "bom.xml" should contain: + """ + + """ + And the file "bom.xml" should contain: + """ + + """ + And the file "bom.xml" should contain: + """ + + """ + And the file "bom.xml" should contain: + """ + CycloneDX + """ + And the file "bom.xml" should contain: + """ + cyclonedx-ruby + """ + + Scenario: XML metadata BOM validates against schema + Given I use a fixture named "simple" + And I run `cyclonedx-ruby --path . --format xml --include-metadata --validate` + Then the output should contain: + """ + 5 gems were written to BOM located at ./bom.xml + """ + And a file named "bom.xml" should exist 
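Review bot: The "JSON metadata BOM validates against schema" and "XML metadata BOM validates against schema" scenarios only assert the `5 gems were written …` line and the file's existence, and neither checks the exit status; the builder prints that line before it validates and exits 1 on a schema failure, and Aruba's `I run` does not fail on a non-zero exit, so a validation failure would still pass these scenarios. Add `Then the exit status should be 0` to each, or switch the step to `I successfully run`. The same gap exists in validate.feature's "Validate XML BOM succeeds" and "Validate JSON BOM succeeds" scenarios.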
diff --git a/features/step_definitions/json_bom_matching.rb b/features/step_definitions/json_bom_matching.rb index 0a81ea1..65170ff 100644 --- a/features/step_definitions/json_bom_matching.rb +++ b/features/step_definitions/json_bom_matching.rb @@ -1,11 +1,13 @@ +# frozen_string_literal: true + Then('the generated Json BOM file {string} matches {string}') do |generated_file, expected_file| generated_file_contents = File.read(expand_path(generated_file)) expected_file_contents = File.read(expand_path(expected_file)) serial_number_matcher = /\"serialNumber\": \"urn:uuid:[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}\"/ normalized_serial_number = '"serialNumber": "urn:uuid:00000000-0000-0000-0000-000000000000"' - normalized_generated_file_contents = generated_file_contents.gsub(serial_number_matcher, normalized_serial_number) - normalized_expected_file_contents = expected_file_contents.gsub(serial_number_matcher, normalized_serial_number) + normalized_generated_file_contents = generated_file_contents.gsub(serial_number_matcher, normalized_serial_number).rstrip + normalized_expected_file_contents = expected_file_contents.gsub(serial_number_matcher, normalized_serial_number).rstrip expect(normalized_expected_file_contents).to eq(normalized_generated_file_contents) end diff --git a/features/step_definitions/xml_bom_matching.rb b/features/step_definitions/xml_bom_matching.rb index 004c9b2..50c6e6f 100644 --- a/features/step_definitions/xml_bom_matching.rb +++ b/features/step_definitions/xml_bom_matching.rb @@ -1,3 +1,5 @@ +# frozen_string_literal: true + Then('the generated XML BOM file {string} matches {string}') do |generated_file, expected_file| generated_file_contents = File.read(expand_path(generated_file)) expected_file_contents = File.read(expand_path(expected_file)) diff --git a/features/support/env.rb b/features/support/env.rb index 331ff6a..96b3862 100644 --- a/features/support/env.rb +++ b/features/support/env.rb 
@@ -1,3 +1,5 @@ +# frozen_string_literal: true + # Based on https://github.com/cucumber/aruba/blob/3b1a6cea6e3ba55370c3396eef0a955aeb40f287/features/support/env.rb # Licensed under MIT - https://github.com/cucumber/aruba/blob/3b1a6cea6e3ba55370c3396eef0a955aeb40f287/LICENSE diff --git a/features/support/simplecov_support.rb b/features/support/simplecov_support.rb index b3a91a3..3c5465f 100644 --- a/features/support/simplecov_support.rb +++ b/features/support/simplecov_support.rb @@ -1,3 +1,5 @@ +# frozen_string_literal: true + # Copied from https://github.com/cucumber/aruba/blob/3b1a6cea6e3ba55370c3396eef0a955aeb40f287/features/support/simplecov_setup.rb # Licensed under MIT - https://github.com/cucumber/aruba/blob/3b1a6cea6e3ba55370c3396eef0a955aeb40f287/LICENSE diff --git a/features/validate.feature b/features/validate.feature new file mode 100644 index 0000000..e6cbf21 --- /dev/null +++ b/features/validate.feature 
@@ -0,0 +1,47 @@ +Feature: Validate generated BOM against CycloneDX schema + + Scenario: Validate XML BOM succeeds + Given I use a fixture named "simple" + And I run `cyclonedx-ruby --path . --format xml --validate` + Then the output should contain: + """ + 5 gems were written to BOM located at ./bom.xml + """ + And a file named "bom.xml" should exist + + Scenario: Validate JSON BOM succeeds + Given I use a fixture named "simple" + And I run `cyclonedx-ruby --path . --format json --validate` + Then the output should contain: + """ + 5 gems were written to BOM located at ./bom.json + """ + And a file named "bom.json" should exist + + Scenario: Validate fails for invalid XML BOM + Given I use a fixture named "simple" + And I run `cyclonedx-ruby --path . --format xml` + Then a file named "bom.xml" should exist + When I run `sh -lc "sed -i 's|http://cyclonedx.org/schema/bom/1.7|http://cyclonedx.org/schema/bom/9.9|' bom.xml"` + And I run `cyclonedx-ruby --validate --validate-file bom.xml --spec-version 1.7` + Then the exit status should be 1 + + Scenario: Validate existing XML BOM succeeds + Given I use a fixture named "simple" + And I run `cyclonedx-ruby --path . --format xml` + Then a file named "bom.xml" should exist + When I run `cyclonedx-ruby --validate --validate-file bom.xml --spec-version 1.7` + Then the output should contain: + """ + Validation succeeded for bom.xml (spec 1.7) + """ + + Scenario: Validate existing JSON BOM succeeds + Given I use a fixture named "simple" + And I run `cyclonedx-ruby --path . --format json` + Then a file named "bom.json" should exist + When I run `cyclonedx-ruby --validate --validate-file bom.json --spec-version 1.7` + Then the output should contain: + """ + Validation succeeded for bom.json (spec 1.7) + """ diff --git a/lib/bom_builder.rb b/lib/bom_builder.rb index 388614e..dae336e 100644 --- a/lib/bom_builder.rb +++ b/lib/bom_builder.rb 
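Review bot: The "Validate fails for invalid XML BOM" scenario corrupts the file with `sh -lc "sed -i 's|…|…|' bom.xml"`, which depends on GNU sed's argument-less `-i` (BSD/macOS sed requires `-i ''`) and on a login shell that sources the developer's profile, so the scenario is not portable across contributor machines. Rewrite the step in Ruby, e.g. `ruby -pi -e 'sub("schema/bom/1.7", "schema/bom/9.9")' bom.xml`, or use Aruba's file-overwrite step, and add the matching negative case for JSON so the other validation path is exercised. I cannot tell from the diff whether the XML schema lookup uses the namespace URI or the `--spec-version` flag to choose the schema, so a one-line comment on the scenario stating which mismatch it is testing would help.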
@@ -1,3 +1,5 @@ +# frozen_string_literal: true + # This file is part of CycloneDX Ruby Gem. # # Licensed to the Apache Software Foundation (ASF) under one 
@@ -20,164 +22,6 @@ # SPDX-License-Identifier: Apache-2.0 # Copyright (c) OWASP Foundation. All Rights Reserved. # -# frozen_string_literal: true -require 'bundler' -require 'fileutils' -require 'json' -require 'logger' -require 'nokogiri' -require 'optparse' -require 'ostruct' -require 'rest_client' -require 'securerandom' -require_relative 'bom_helpers' -require 'active_support/core_ext/hash' - -class Bombuilder - SUPPORTED_BOM_FORMATS = %w[xml json] - - def self.build(path) - original_working_directory = Dir.pwd - setup(path) - specs_list - bom = build_bom(@gems, @bom_output_format) - - begin - @logger.info("Changing directory to the original working directory located at #{original_working_directory}") - Dir.chdir original_working_directory - rescue StandardError => e - @logger.error("Unable to change directory the original working directory located at #{original_working_directory}. #{e.message}: #{e.backtrace.join('\n')}") - abort - end - - bom_directory = File.dirname(@bom_file_path) - begin - FileUtils.mkdir_p(bom_directory) unless File.directory?(bom_directory) - rescue StandardError => e - @logger.error("Unable to create the directory to hold the BOM output at #{@bom_directory}. #{e.message}: #{e.backtrace.join('\n')}") - abort - end - - begin - @logger.info("Writing BOM to #{@bom_file_path}...") - File.open(@bom_file_path, 'w') { |file| file.write(bom) } - - if @options[:verbose] - @logger.info("#{@gems.size} gems were written to BOM located at #{@bom_file_path}") - else - puts "#{@gems.size} gems were written to BOM located at #{@bom_file_path}" - end - rescue StandardError => e - @logger.error("Unable to write BOM to #{@bom_file_path}. 
#{e.message}: #{e.backtrace.join('\n')}") - abort - end - end - private - def self.setup(path) - @options = {} - OptionParser.new do |opts| - opts.banner = 'Usage: cyclonedx-ruby [options]' - - opts.on('-v', '--[no-]verbose', 'Run verbosely') do |v| - @options[:verbose] = v - end - opts.on('-p', '--path path', '(Required) Path to Ruby project directory') do |path| - @options[:path] = path - end - opts.on('-o', '--output bom_file_path', '(Optional) Path to output the bom.xml file to') do |bom_file_path| - @options[:bom_file_path] = bom_file_path - end - opts.on('-f', '--format bom_output_format', '(Optional) Output format for bom. Currently support xml (default) and json.') do |bom_output_format| - @options[:bom_output_format] = bom_output_format - end - opts.on_tail('-h', '--help', 'Show help message') do - puts opts - exit - end - end.parse! - - @logger = Logger.new($stdout) - @logger.level = if @options[:verbose] - Logger::INFO - else - Logger::ERROR - end - - @gems = [] - licenses_file = File.read "#{__dir__}/licenses.json" - @licenses_list = JSON.parse(licenses_file) - - if @options[:path].nil? - @logger.error('missing path to project directory') - abort - end - - unless File.directory?(@options[:path]) - @logger.error("path provided is not a valid directory. path provided was: #{@options[:path]}") - abort - end - - begin - @logger.info("Changing directory to Ruby project directory located at #{@options[:path]}") - Dir.chdir @options[:path] - rescue StandardError => e - @logger.error("Unable to change directory to Ruby project directory located at #{@options[:path]}. #{e.message}: #{e.backtrace.join('\n')}") - abort - end - - if @options[:bom_output_format].nil? - @bom_output_format = 'xml' - elsif SUPPORTED_BOM_FORMATS.include?(@options[:bom_output_format]) - @bom_output_format = @options[:bom_output_format] - else - @logger.error("Unrecognized cyclonedx bom output format provided. 
Please choose one of #{SUPPORTED_BOM_FORMATS}") - abort - end - - @bom_file_path = if @options[:bom_file_path].nil? - "./bom.#{@bom_output_format}" - else - @options[:bom_file_path] - end - - @logger.info("BOM will be written to #{@bom_file_path}") - - begin - gemfile_path = "#{@options[:path]}/Gemfile.lock" - @logger.info("Parsing specs from #{gemfile_path}...") - gemfile_contents = File.read(gemfile_path) - @specs = Bundler::LockfileParser.new(gemfile_contents).specs - @logger.info('Specs successfully parsed!') - rescue StandardError => e - @logger.error("Unable to parse specs from #{gemfile_path}. #{e.message}: #{e.backtrace.join('\n')}") - abort - end - end - - def self.specs_list - count = 0 - @specs.each do |dependency| - object = OpenStruct.new - object.name = dependency.name - object.version = dependency.version - object.purl = purl(object.name, object.version) - gem = get_gem(object.name, object.version) - next if gem.nil? - - if gem['licenses']&.length&.positive? - if @licenses_list.include? gem['licenses'].first - object.license_id = gem['licenses'].first - else - object.license_name = gem['licenses'].first - end - end - object.author = gem['authors'] - object.description = gem['summary'] - object.hash = gem['sha'] - @gems.push(object) - count += 1 - @logger.info("#{object.name}:#{object.version} gem added") - end - end -end +require_relative 'cyclonedx/ruby' +require_relative 'cyclonedx_deprecated' diff --git a/lib/bom_component.rb b/lib/bom_component.rb index c2af8fe..be8402f 100644 --- a/lib/bom_component.rb +++ b/lib/bom_component.rb 
@@ -1,45 +1,4 @@ +# frozen_string_literal: true -class BomComponent - DEFAULT_TYPE = "library".freeze - HASH_ALG = 'SHA-256'.freeze - - def initialize(gem) - @name = gem['name'] - @version = gem['version'] - @description = gem['description'] - @hash = gem['hash'] - @purl = gem['purl'] - @gem = gem - end - - def hash_val - component_hash = { - "type": DEFAULT_TYPE, - "name": @name, - "version": @version, - "description": @description, - "purl": @purl, - "hashes": [ - "alg": HASH_ALG, - "content": @hash - ] - } - - if @gem['license_id'] - component_hash[:"licenses"] = [ - "license": { - "id": @gem['license_id'] - } - ] - elsif @gem['license_name'] - component_hash[:"licenses"] = [ - "license": { - "name": @gem['license_name'] - } - ] - end - - [component_hash] - - end -end \ No newline at end of file +require_relative "cyclonedx/ruby" +require_relative "cyclonedx_deprecated" diff --git a/lib/bom_helpers.rb b/lib/bom_helpers.rb index 01c0392..b74ce59 100644 --- a/lib/bom_helpers.rb +++ b/lib/bom_helpers.rb @@ -1,3 +1,5 @@ +# frozen_string_literal: true + # This file is part of CycloneDX Ruby Gem. # # Licensed to the Apache Software Foundation (ASF) under one 
@@ -20,87 +22,6 @@ # SPDX-License-Identifier: Apache-2.0 # Copyright (c) OWASP Foundation. All Rights Reserved. # -# frozen_string_literal: true - -require_relative 'bom_component' - -def purl(name, version) - "pkg:gem/#{name}@#{version}" -end - -def random_urn_uuid - "urn:uuid:#{SecureRandom.uuid}" -end - -def build_bom(gems, format) - if format == 'json' - build_json_bom(gems) - else - build_bom_xml(gems) - end -end - -def build_json_bom(gems) - bom_hash = { - "bomFormat": "CycloneDX", - "specVersion": "1.1", - "serialNumber": random_urn_uuid, - "version": 1, - "components": [] - } - - gems.each do |gem| - bom_hash[:components] += BomComponent.new(gem).hash_val() - end - - JSON.pretty_generate(bom_hash) -end - -def build_bom_xml(gems) - builder = Nokogiri::XML::Builder.new(encoding: 'UTF-8') do |xml| - attributes = { 'xmlns' => 'http://cyclonedx.org/schema/bom/1.1', 'version' => '1', 'serialNumber' => random_urn_uuid } - xml.bom(attributes) do - xml.components do - gems.each do |gem| - xml.component('type' => 'library') do - xml.name gem['name'] - xml.version gem['version'] - xml.description gem['description'] - xml.hashes do - xml.hash_ gem['hash'], alg: 'SHA-256' - end - if gem['license_id'] - xml.licenses do - xml.license do - xml.id gem['license_id'] - end - end - elsif gem['license_name'] - xml.licenses do - xml.license do - xml.name gem['license_name'] - end - end - end - xml.purl gem['purl'] - end - end - end - end - end - - builder.to_xml -end -def get_gem(name, version) - url = "https://rubygems.org/api/v1/versions/#{name}.json" - begin - RestClient.proxy = ENV['http_proxy'] - response = RestClient.get(url) - body = JSON.parse(response.body) - body.select { |item| item['number'] == version.to_s }.first - rescue StandardError - @logger.warn("#{name} couldn't be fetched") - nil - end -end +require_relative "cyclonedx/ruby" +require_relative "cyclonedx_deprecated" 
diff --git a/lib/cyclonedx/bom_builder.rb b/lib/cyclonedx/bom_builder.rb new file mode 100644 index 0000000..a326ae2 --- /dev/null +++ b/lib/cyclonedx/bom_builder.rb 
@@ -0,0 +1,243 @@ +# frozen_string_literal: true + +module Cyclonedx + class BomBuilder + SUPPORTED_BOM_FORMATS = %w[xml json] + SUPPORTED_SPEC_VERSIONS = %w[1.1 1.2 1.3 1.4 1.5 1.6 1.7] + + extend Cyclonedx::BomHelpers + + def self.build(path) + original_working_directory = Dir.pwd + setup(path) + + # If asked to validate an existing file, do not generate a new one + if @options[:validate] && @options[:validate_file] + content = begin + File.read(@options[:validate_file]) + rescue StandardError => e + @logger.error("Unable to read file for validation: #{@options[:validate_file]}. #{e.message}") + exit(1) + end + # Use explicitly provided format if set, otherwise infer from file extension + format = @options[:bom_output_format] || infer_format_from_path(@options[:validate_file]) + success, message = validate_bom_content(content, format, @spec_version) + unless success + @logger.error(message) + exit(1) + end + puts "Validation succeeded for #{@options[:validate_file]} (spec #{@spec_version})" unless @options[:verbose] + return + end + + specs_list + bom = build_bom(@gems, @bom_output_format, @spec_version, include_metadata: @options[:include_metadata], include_enrichment: @options[:enrich_components]) + + begin + @logger.info("Changing directory to the original working directory located at #{original_working_directory}") + Dir.chdir original_working_directory + rescue StandardError => e + @logger.error("Unable to change to the original working directory located at #{original_working_directory}. #{e.message}: #{Array(e.backtrace).join("\n")}") + abort + end + + bom_directory = File.dirname(@bom_file_path) + begin + FileUtils.mkdir_p(bom_directory) unless File.directory?(bom_directory) + rescue StandardError => e + @logger.error("Unable to create the directory to hold the BOM output at #{bom_directory}. 
#{e.message}: #{Array(e.backtrace).join("\n")}") + abort + end + + begin + @logger.info("Writing BOM to #{@bom_file_path}...") + File.write(@bom_file_path, bom) + + if @options[:verbose] + @logger.info("#{@gems.size} gems were written to BOM located at #{@bom_file_path}") + else + puts "#{@gems.size} gems were written to BOM located at #{@bom_file_path}" + end + rescue StandardError => e + @logger.error("Unable to write BOM to #{@bom_file_path}. #{e.message}: #{Array(e.backtrace).join("\n")}") + abort + end + + if @options[:validate] + success, message = validate_bom_content(bom, @bom_output_format, @spec_version) + unless success + @logger.error(message) + exit(1) + end + @logger.info("BOM validation succeeded for spec #{@spec_version}") if @options[:verbose] + end + end + + # Infer format from file extension when not explicitly provided + def self.infer_format_from_path(path) + File.extname(path).downcase == '.json' ? 'json' : 'xml' + end + + private + + def self.setup(path) + @options = {} + OptionParser.new do |opts| + opts.banner = 'Usage: cyclonedx-ruby [options]' + + opts.on('-v', '--[no-]verbose', 'Run verbosely') do |v| + @options[:verbose] = v + end + opts.on('-p', '--path path', '(Required) Path to Ruby project directory') do |proj_path_opt| + @options[:path] = proj_path_opt + end + opts.on('-o', '--output bom_file_path', '(Optional) Path to output the bom.xml file to') do |bom_file_path| + @options[:bom_file_path] = bom_file_path + end + opts.on('-f', '--format bom_output_format', '(Optional) Output format for bom. Currently support xml (default) and json.') do |bom_output_format| + @options[:bom_output_format] = bom_output_format + end + opts.on('-s', '--spec-version version', '(Optional) CycloneDX spec version to target (default: 1.7). 
Supported: 1.1, 1.2, 1.3, 1.4, 1.5, 1.6, 1.7') do |spec_version| + @options[:spec_version] = spec_version + end + opts.on('--validate', 'Validate the produced BOM against the selected CycloneDX schema') do + @options[:validate] = true + end + opts.on('--validate-file PATH', 'Validate an existing BOM file instead of generating one') do |path| + @options[:validate_file] = path + end + opts.on('--include-metadata', 'Include metadata.tools identifying cyclonedx-ruby as the producer') do + @options[:include_metadata] = true + end + opts.on('--enrich-components', 'Include bom-ref and publisher fields on components (uses purl and first author)') do + @options[:enrich_components] = true + end + opts.on_tail('-h', '--help', 'Show help message') do + puts opts + exit + end + end.parse! + + # Allow passing the path as a positional arg via exe wrapper + @options[:path] ||= path + + @logger = Logger.new($stdout) + @logger.level = if @options[:verbose] + Logger::INFO + else + Logger::ERROR + end + + @gems = [] + # Adjusted to point to lib/licenses.json relative to this file's directory (lib/cyclonedx) + licenses_path = File.expand_path('../licenses.json', __dir__) + licenses_file = File.read(licenses_path) + @licenses_list = JSON.parse(licenses_file) + + # If only validating a file, project path is optional; otherwise require + if @options[:validate_file].nil? || !@options[:validate] + if @options[:path].nil? + @logger.error('missing path to project directory') + abort + end + + unless File.directory?(@options[:path]) + @logger.error("path provided is not a valid directory. 
path provided was: #{@options[:path]}") + abort + end + end + + # Normalize to an absolute project path to avoid relative path issues later + @project_path = File.expand_path(@options[:path]) if @options[:path] + @provided_path = @options[:path] + + if @project_path + begin + @logger.info("Changing directory to Ruby project directory located at #{@provided_path}") + Dir.chdir @project_path + rescue StandardError => e + @logger.error("Unable to change directory to Ruby project directory located at #{@provided_path}. #{e.message}: #{Array(e.backtrace).join("\n")}") + abort + end + end + + if @options[:bom_output_format].nil? + @bom_output_format = 'xml' + elsif SUPPORTED_BOM_FORMATS.include?(@options[:bom_output_format]) + @bom_output_format = @options[:bom_output_format] + else + @logger.error("Unrecognized cyclonedx bom output format provided. Please choose one of #{SUPPORTED_BOM_FORMATS}") + abort + end + + # Spec version selection + requested_spec = @options[:spec_version] || '1.7' + if SUPPORTED_SPEC_VERSIONS.include?(requested_spec) + @spec_version = requested_spec + else + @logger.error("Unrecognized CycloneDX spec version '#{requested_spec}'. Please choose one of #{SUPPORTED_SPEC_VERSIONS}") + abort + end + + # Spec version selection + requested_spec = @options[:spec_version] || '1.7' + if SUPPORTED_SPEC_VERSIONS.include?(requested_spec) + @spec_version = requested_spec + else + @logger.error("Unrecognized CycloneDX spec version '#{requested_spec}'. Please choose one of #{SUPPORTED_SPEC_VERSIONS}") + abort + end + + @bom_file_path = if @options[:bom_file_path].nil? 
+ "./bom.#{@bom_output_format}" + else + @options[:bom_file_path] + end + + @logger.info("BOM will be written to #{@bom_file_path}") if @project_path + + if @project_path + begin + # Use absolute path so it's correct regardless of current working directory + gemfile_path = File.join(@project_path, 'Gemfile.lock') + # Compute display path for logs: './Gemfile.lock' when provided path is '.', else '/Gemfile.lock' + display_gemfile_path = (@provided_path == '.' ? './Gemfile.lock' : File.join(@provided_path, 'Gemfile.lock')) + @logger.info("Parsing specs from #{display_gemfile_path}...") + gemfile_contents = File.read(gemfile_path) + @specs = Bundler::LockfileParser.new(gemfile_contents).specs + @logger.info('Specs successfully parsed!') + rescue StandardError => e + @logger.error("Unable to parse specs from #{gemfile_path}. #{e.message}: #{Array(e.backtrace).join("\n")}") + abort + end + end + end + + def self.specs_list + count = 0 + @specs.each do |dependency| + object = OpenStruct.new + object.name = dependency.name + object.version = dependency.version + object.purl = purl(object.name, object.version) + gem = get_gem(object.name, object.version, @logger) + next if gem.nil? + + if gem['licenses']&.length&.positive? + if @licenses_list.include? gem['licenses'].first + object.license_id = gem['licenses'].first + else + object.license_name = gem['licenses'].first + end + end + + object.author = gem['authors'] + object.description = gem['summary'] + object.hash = gem['sha'] + @gems.push(object) + count += 1 + @logger.info("#{object.name}:#{object.version} gem added") + end + end + end +end diff --git a/lib/cyclonedx/bom_component.rb b/lib/cyclonedx/bom_component.rb new file mode 100644 index 0000000..1fe13b5 --- /dev/null +++ b/lib/cyclonedx/bom_component.rb 
@@ -0,0 +1,76 @@
+# frozen_string_literal: true
+
+module Cyclonedx
+ class BomComponent
+ DEFAULT_TYPE = 'library'
+ HASH_ALG = 'SHA-256'
+
+ def initialize(gem)
+ @gem = gem
+ @name = fetch('name')
+ @version = fetch('version')
+ @description = fetch('description')
+ @hash = fetch('hash')
+ @purl = fetch('purl')
+ end
+
+ def hash_val(include_enrichment: false)
+ component_hash = {
+ type: DEFAULT_TYPE,
+ name: @name,
+ version: @version,
+ description: @description,
+ purl: @purl,
+ hashes: [
+ {
+ alg: HASH_ALG,
+ content: @hash
+ }
+ ]
+ }
+
+ if include_enrichment
+ # Add bom-ref using the purl when present
+ component_hash[:"bom-ref"] = @purl if @purl && !@purl.to_s.empty?
+ # Add publisher using first author if present
+ author = fetch('author')
+ if author && !author.to_s.strip.empty?
+ first_author = author.to_s.split(/[,&]/).first.to_s.strip
+ component_hash[:publisher] = first_author unless first_author.empty?
+ end
+ end
+
+ if fetch('license_id')
+ component_hash[:"licenses"] = [
+ {
+ "license": {
+ "id": fetch('license_id')
+ }
+ }
+ ]
+ elsif fetch('license_name')
+ component_hash[:"licenses"] = [
+ {
+ "license": {
+ "name": fetch('license_name')
+ }
+ }
+ ]
+ end
+
+ [component_hash]
+ end
+
+ private
+
+ def fetch(key)
+ if @gem.respond_to?(:[]) && @gem[key]
+ @gem[key]
+ elsif @gem.respond_to?(key)
+ @gem.public_send(key)
+ else
+ nil
+ end
+ end
+ end
+end
diff --git a/lib/cyclonedx/bom_helpers.rb b/lib/cyclonedx/bom_helpers.rb
new file mode 100644
index 0000000..b8d5969
--- /dev/null
+++ b/lib/cyclonedx/bom_helpers.rb
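Review bot: `hash_val` always emits `hashes: [{ alg: HASH_ALG, content: @hash }]`, so a component whose `hash` is nil (presumably when the RubyGems lookup supplied no `sha`) serialises `"content": null`, which the `--validate` step would then reject; add the entry only when a digest is present, `component_hash[:hashes] = [{ alg: HASH_ALG, content: @hash }] if @hash && !@hash.to_s.empty?` (the XML builder in `bom_helpers.rb` has the same unconditional `xml.hashes`). `fetch` duplicates `BomHelpers._get` line for line; one should delegate to the other, and the trailing `else nil` in both is redundant. The key literals mix `type:`, `:"licenses"` and `"license":` styles in one hash; plain `licenses:` / `license:` / `id:` reads the same to Ruby and to RuboCop.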
@@ -0,0 +1,241 @@ +# frozen_string_literal: true + +# This file is part of CycloneDX Ruby Gem. +# +# Licensed to the Apache Software Foundation (ASF) under one +# or more contributor license agreements. See the NOTICE file +# distributed with this work for additional information +# regarding copyright ownership. The ASF licenses this file +# to you under the Apache License, Version 2.0 (the +# "License"); you may not use this file except in compliance +# with the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, +# software distributed under the License is distributed on an +# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +# KIND, either express or implied. See the License for the +# specific language governing permissions and limitations +# under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# Copyright (c) OWASP Foundation. All Rights Reserved. +# + +require 'securerandom' + +require_relative 'bom_component' + +module Cyclonedx + module BomHelpers + module_function + + def cyclonedx_xml_namespace(spec_version) + "http://cyclonedx.org/schema/bom/#{spec_version}" + end + + def purl(name, version) + "pkg:gem/#{name}@#{version}" + end + + def random_urn_uuid + "urn:uuid:#{SecureRandom.uuid}" + end + + # Determine if the selected spec version supports metadata/tools (>= 1.2) + def metadata_supported?(spec_version) + %w[1.2 1.3 1.4 1.5 1.6 1.7].include?(spec_version) + end + + # Identity of this producer tool + def tool_identity + { + vendor: 'CycloneDX', + name: 'cyclonedx-ruby', + version: ::Cyclonedx::Ruby::Version::VERSION + } + end + + # Safe accessor for Hash or OpenStruct-like objects + def _get(obj, key) + if obj.respond_to?(:[]) && obj[key] + obj[key] + elsif obj.respond_to?(key) + obj.public_send(key) + else + nil + end + end + + def build_bom(gems, format, spec_version, include_metadata: false, include_enrichment: false) + if 
format == 'json' + build_json_bom(gems, spec_version, include_metadata: include_metadata, include_enrichment: include_enrichment) + else + build_bom_xml(gems, spec_version, include_metadata: include_metadata, include_enrichment: include_enrichment) + end + end + + def build_json_bom(gems, spec_version, include_metadata: false, include_enrichment: false) + bom_hash = { + bomFormat: 'CycloneDX', + specVersion: spec_version, + serialNumber: random_urn_uuid, + version: 1, + components: [] + } + + # Optionally include metadata.tools when supported by selected spec + if include_metadata && metadata_supported?(spec_version) + ti = tool_identity + ti = ti.compact # omit nil values like version + bom_hash[:metadata] = { + tools: [ti] + } + end + + gems.each do |gem| + bom_hash[:components] += Cyclonedx::BomComponent.new(gem).hash_val(include_enrichment: include_enrichment) + end + + JSON.pretty_generate(bom_hash) + end + + def build_bom_xml(gems, spec_version, include_metadata: false, include_enrichment: false) + builder = Nokogiri::XML::Builder.new(encoding: 'UTF-8') do |xml| + attributes = { 'xmlns' => cyclonedx_xml_namespace(spec_version), 'version' => '1', 'serialNumber' => random_urn_uuid } + xml.bom(attributes) do + # Optionally include metadata.tools when supported by selected spec + if include_metadata && metadata_supported?(spec_version) + xml.metadata do + xml.tools do + xml.tool do + xml.vendor tool_identity[:vendor] + xml.name tool_identity[:name] + xml.version tool_identity[:version] if tool_identity[:version] + end + end + end + end + + xml.components do + gems.each do |gem| + comp_attrs = { 'type' => 'library' } + if include_enrichment + # Add bom-ref attribute using purl if available + ref = _get(gem, 'purl') + comp_attrs['bom-ref'] = ref if ref && !ref.to_s.empty? 
+ end + xml.component(comp_attrs) do + xml.name _get(gem, 'name') + xml.version _get(gem, 'version') + xml.description _get(gem, 'description') + xml.hashes do + xml.hash_ _get(gem, 'hash'), alg: 'SHA-256' + end + if _get(gem, 'license_id') + xml.licenses do + xml.license do + xml.id _get(gem, 'license_id') + end + end + elsif _get(gem, 'license_name') + xml.licenses do + xml.license do + xml.name _get(gem, 'license_name') + end + end + end + # The globally scoped legacy `Object#purl` method breaks the Nokogiri builder context + # Fortunately Nokogiri has a built-in workaround, adding an underscore to the method name. + # The resulting XML tag is still ``. + # Globally scoped legacy `Object#purl` will be removed in v2.0.0, and this hack can be removed then. + xml.purl_ _get(gem, 'purl') + + if include_enrichment + # Add optional publisher element if author info exists + author = _get(gem, 'author') + if author && !author.to_s.strip.empty? + first_author = author.to_s.split(/[,&]/).first.to_s.strip + xml.publisher first_author unless first_author.empty? + end + end + end + end + end + end + end + + builder.to_xml + end + + # Validate content against the selected CycloneDX schema (local files, offline) + # Returns [true, nil] on success; [false, "message"] on failure + def validate_bom_content(content, format, spec_version) + schema_dir = File.expand_path("../../schema", __dir__) + case format + when 'json' + schema_path = File.join(schema_dir, "bom-#{spec_version}.schema.json") + begin + schema = JSON.parse(File.read(schema_path)) + resolver = lambda do |uri| + begin + u = uri.is_a?(URI) ? 
uri : URI.parse(uri.to_s) + basename = File.basename(u.path.to_s) + local_path = File.join(schema_dir, basename) + return JSON.parse(File.read(local_path)) if File.exist?(local_path) + rescue StandardError + # fall through to unknown ref handling in schemer + end + nil + end + schemer = JSONSchemer.schema(schema, ref_resolver: resolver) + data = JSON.parse(content) + errors = schemer.validate(data).to_a + return [true, nil] if errors.empty? + # Build a compact error message + msgs = errors.first(5).map do |e| + path = Array(e['data_pointer']).join + "#{e['type']}: #{e['message']} at #{path}" + end + [false, "JSON schema validation failed (#{errors.size} errors). First: #{msgs.join('; ')}"] + rescue Errno::ENOENT + [false, "JSON schema not found at #{schema_path}"] + rescue StandardError => e + [false, "JSON schema validation error: #{e.class}: #{e.message}"] + end + else + schema_path = File.join(schema_dir, "bom-#{spec_version}.xsd") + begin + # Use local XML catalog to resolve imports like http://cyclonedx.org/schema/spdx + previous_catalog = ENV['XML_CATALOG_FILES'] + ENV['XML_CATALOG_FILES'] = File.join(schema_dir, 'xmlcatalog.xml') + xsd = Nokogiri::XML::Schema(File.read(schema_path)) + doc = Nokogiri::XML(content) { |cfg| cfg.nonet } + errors = xsd.validate(doc) + return [true, nil] if errors.empty? 
+ [false, "XML schema validation failed: #{errors.first.message}"] + rescue Errno::ENOENT + [false, "XML schema not found at #{schema_path}"] + rescue StandardError => e + [false, "XML schema validation error: #{e.class}: #{e.message}"] + ensure + ENV['XML_CATALOG_FILES'] = previous_catalog + end + end + end + + def get_gem(name, version, logger) + url = "https://rubygems.org/api/v1/versions/#{name}.json" + begin + RestClient.proxy = ENV.fetch('http_proxy', nil) + response = RestClient::Request.execute(method: :get, url: url, read_timeout: 2, open_timeout: 2) + body = JSON.parse(response.body) + body.select { |item| item['number'] == version.to_s }.first + rescue StandardError + logger.warn("#{name} couldn't be fetched") + nil + end + end + end +end diff --git a/lib/cyclonedx/ruby.rb b/lib/cyclonedx/ruby.rb new file mode 100644 index 0000000..050a5ce --- /dev/null +++ b/lib/cyclonedx/ruby.rb @@ -0,0 +1,27 @@ +# frozen_string_literal: true + +# External gems +require 'bundler' +require 'fileutils' +require 'json' +require 'logger' +require 'nokogiri' +require 'optparse' +require 'ostruct' +require 'rest_client' +require 'securerandom' +require 'active_support/core_ext/hash' +require 'json_schemer' + +# This gem +require_relative 'ruby/version' +require_relative 'bom_component' # no dependencies +require_relative 'bom_helpers' # depends on bom_component +require_relative 'bom_builder' # depends on bom_helpers + +module Cyclonedx + module Ruby + class Error < StandardError; end + # Your code goes here... + end +end diff --git a/lib/cyclonedx/ruby/deprecation.rb b/lib/cyclonedx/ruby/deprecation.rb new file mode 100644 index 0000000..e2a9469 --- /dev/null +++ b/lib/cyclonedx/ruby/deprecation.rb 
@@ -0,0 +1,57 @@
+# frozen_string_literal: true
+
+# Provides tools that allow methods to be deprecated with new releases of the gem.
+#
+# Usage:
+# # class method deprecation example
+# class MyClass
+# extend Cyclonedx::Ruby::Deprecation
+#
+# deprecated_alias :old_method, :new_method, self
+#
+# def self.new_method
+# # new implementation
+# end
+# end
+#
+# # instance method deprecation example
+# class MyClass
+# extend Cyclonedx::Ruby::Deprecation
+#
+# deprecated_alias :old_method, :new_method
+#
+# def new_method
+# # new implementation
+# end
+# end
+
+module Cyclonedx
+ module Ruby
+ module Deprecation
+ class << self
+ attr_accessor :deprecate_in_silence
+ end
+
+ @deprecate_in_silence = false
+
+ # Define a deprecated alias for a method
+ # @param [Symbol] scope - :instance or :class (default :instance)
+ # @param [Symbol] name - name of method to define
+ # @param [Symbol] replacement - name of method (to alias)
+ # @param [Constant] receiver - Receiver of the replacement method, use nil for instance methods (default nil)
+ def deprecated_alias(scope, name, replacement, receiver = nil)
+ if scope == :class
+ define_singleton_method(name) do |*args, &block|
+ warn("Cyclonedx: #{self}.#{name} deprecated (please use .#{replacement})") unless Cyclonedx::Ruby::Deprecation.deprecate_in_silence
+ receiver ? receiver.send(replacement, *args, &block) : send(replacement, *args, &block)
+ end
+ else
+ define_method(name) do |*args, &block|
+ warn("Cyclonedx: #{self.class}##{name} deprecated (please use #{receiver ? "#{receiver}.#{replacement}" : replacement})") unless Cyclonedx::Ruby::Deprecation.deprecate_in_silence
+ receiver ? receiver.send(replacement, *args, &block) : send(replacement, *args, &block)
+ end
+ end
+ end
+ end
+ end
+end
diff --git a/lib/cyclonedx/ruby/version.rb b/lib/cyclonedx/ruby/version.rb
new file mode 100644
index 0000000..82d4071
--- /dev/null
+++ b/lib/cyclonedx/ruby/version.rb
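Review bot: The usage examples in the header comment do not match the signature `deprecated_alias(scope, name, replacement, receiver = nil)`: `deprecated_alias :old_method, :new_method, self` would pass `:old_method` as `scope` (landing in the instance branch) and `self` as `replacement`; the examples should read `deprecated_alias :class, :old_method, :new_method, self` and `deprecated_alias :instance, :old_method, :new_method`, which is how `cyclonedx_deprecated.rb` in this same commit calls it. The `@param` line says `scope` defaults to `:instance`, but the parameter has no default; either document it as required or give it `scope = :instance`. Both branches forward with `receiver.send(replacement, ...)`, which also reaches private methods; unless aliasing private replacements is intended, `public_send` keeps the alias limited to the replacement's public interface.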
@@ -0,0 +1,10 @@
+# frozen_string_literal: true
+
+module Cyclonedx
+ module Ruby
+ module Version
+ VERSION = '1.2.0'
+ end
+ VERSION = Version::VERSION # Make VERSION available in traditional way
+ end
+end
diff --git a/lib/cyclonedx_deprecated.rb b/lib/cyclonedx_deprecated.rb
new file mode 100644
index 0000000..0bd0c8b
--- /dev/null
+++ b/lib/cyclonedx_deprecated.rb
@@ -0,0 +1,22 @@
+# frozen_string_literal: true
+
+require_relative 'cyclonedx/ruby/deprecation'
+
+# Legacy class name kept for compatibility until v2.0.0
+Bombuilder = Cyclonedx::BomBuilder
+
+# Legacy class name kept for compatibility until v2.0.0
+BomComponent = Cyclonedx::BomComponent
+
+# Legacy global methods included in Object (root namespace) kept for compatibility until v2.0.0
+extend Cyclonedx::Ruby::Deprecation
+
+deprecated_alias :instance, :purl, :purl, Cyclonedx::BomHelpers
+deprecated_alias :instance, :random_urn_uuid, :random_urn_uuid, Cyclonedx::BomHelpers
+deprecated_alias :instance, :build_bom, :build_bom, Cyclonedx::BomHelpers
+deprecated_alias :instance, :build_json_bom, :build_json_bom, Cyclonedx::BomHelpers
+deprecated_alias :instance, :build_bom_xml, :build_bom_xml, Cyclonedx::BomHelpers
+deprecated_alias :instance, :get_gem, :get_gem, Cyclonedx::BomHelpers
+
+# Sanity
+raise 'Deprecated methods broken' unless purl('activesupport', '7.0.1') == 'pkg:gem/activesupport@7.0.1'
diff --git a/schema/LICENSE b/schema/LICENSE
new file mode 100644
index 0000000..0808751
--- /dev/null
+++ b/schema/LICENSE
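Review bot: The sanity check at the end of `cyclonedx_deprecated.rb` calls the deprecated `purl` alias at load time, so every require of this file (which `lib/cyclonedx.rb` loads unconditionally) prints `Cyclonedx: Object#purl deprecated ...` to stderr unless `deprecate_in_silence` was set beforehand; either assert through the non-deprecated path, `Cyclonedx::BomHelpers.purl('activesupport', '7.0.1')`, or move the check into the spec suite, where exercising the deprecated alias is the point. The `Bombuilder` and `BomComponent` constant aliases also rely on `Cyclonedx::BomBuilder` already being loaded, which holds only because `lib/cyclonedx.rb` requires `cyclonedx/ruby` first; a `require_relative 'cyclonedx/ruby'` at the top would make this file self-contained.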
@@ -0,0 +1,201 @@ + Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ + + TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + + 1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. 
For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + + 2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + + 3. Grant of Patent License. 
Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + + 4. Redistribution. You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of 
the following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. + + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + + 5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + + 6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + + 7. Disclaimer of Warranty. 
Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + + 8. Limitation of Liability. In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + + 9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. 
+ + END OF TERMS AND CONDITIONS + + APPENDIX: How to apply the Apache License to your work. + + To apply the Apache License to your work, attach the following + boilerplate notice, with the fields enclosed by brackets "{}" + replaced with your own identifying information. (Don't include + the brackets!) The text should be enclosed in the appropriate + comment syntax for the file format. We also recommend that a + file or class name and description of purpose be included on the + same "printed page" as the copyright notice for easier + identification within third-party archives. + + Copyright OWASP Foundation + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. diff --git a/schema/README.md b/schema/README.md new file mode 100644 index 0000000..473e244 --- /dev/null +++ b/schema/README.md 
@@ -0,0 +1,98 @@
+
+# CycloneDX Bill of Materials Specification (ECMA-424)
+
+[![License][license-image]][license-url]
+[![ECMA TC54](https://img.shields.io/badge/ECMA-TC54-FC7C00?labelColor=404040)](https://tc54.org)
+[![Website](https://img.shields.io/badge/https://-cyclonedx.org-blue.svg)](https://cyclonedx.org/)
+[![Slack Invite](https://img.shields.io/badge/Slack-Join-blue?logo=slack&labelColor=393939)](https://cyclonedx.org/slack/invite)
+[![Group Discussion](https://img.shields.io/badge/discussion-groups.io-blue.svg)](https://groups.io/g/CycloneDX)
+[![Twitter](https://img.shields.io/twitter/url/http/shields.io.svg?style=social&label=Follow)](https://twitter.com/CycloneDX_Spec)
+[![Build Docs](https://github.com/CycloneDX/specification/actions/workflows/build_docs.yml/badge.svg)](https://github.com/CycloneDX/specification/actions/workflows/build_docs.yml)
+[![CT Java](https://github.com/CycloneDX/specification/actions/workflows/test_java.yml/badge.svg)](https://github.com/CycloneDX/specification/actions/workflows/test_java.yml)
+[![CT JavaScript](https://github.com/CycloneDX/specification/actions/workflows/test_js.yml/badge.svg)](https://github.com/CycloneDX/specification/actions/workflows/test_js.yml)
+[![CT PHP](https://github.com/CycloneDX/specification/actions/workflows/test_php.yml/badge.svg)](https://github.com/CycloneDX/specification/actions/workflows/test_php.yml)
+[![CT ProtoBuf](https://github.com/CycloneDX/specification/actions/workflows/test_proto.yml/badge.svg)](https://github.com/CycloneDX/specification/actions/workflows/test_proto.yml)
+
+----
+
+OWASP CycloneDX is a full-stack Bill of Materials (BOM) standard that provides advanced supply chain capabilities for
+cyber risk reduction. CycloneDX is an [Ecma International](https://ecma-international.org/) standard published as
+[ECMA-424](https://ecma-international.org/publications-and-standards/standards/ecma-424/).
+The [OWASP Foundation](https://owasp.org/) and Ecma International [Technical Committee for Software & System Transparency (TC54)](https://tc54.org/)
+drive the continued advancement of the specification.
+
+The specification supports:
+* Software Bill of Materials (SBOM)
+* Software-as-a-Service Bill of Materials (SaaSBOM)
+* Hardware Bill of Materials (HBOM)
+* Machine Learning Bill of Materials (ML-BOM)
+* Cryptography Bill of Materials (CBOM)
+* Manufacturing Bill of Materials (MBOM)
+* Operations Bill of Materials (OBOM)
+* Vulnerability Disclosure Reports (VDR)
+* Vulnerability Exploitability eXchange (VEX)
+* CycloneDX Attestations (CDXA)
+
+## A Note on the Standard and Schemas
+CycloneDX is an Ecma International standard published as ECMA-424 under a [royalty-free patent policy](https://ecma-international.org/policies/by-ipr/royalty-free-patent-policy-extension-option/).
+The CycloneDX schemas in this repository are the official interpretations of the standard and are available under the
+[Apache 2.0 license](https://www.apache.org/licenses/LICENSE-2.0.txt). The JSON Schema is the reference implementation
+for the standard.
+
+## Use Cases
+The CycloneDX project maintains a [list of achievable use cases](https://cyclonedx.org/use-cases/). Examples for each
+use case are provided in both XML and JSON.
+
+
+## Tool Center
+The [CycloneDX Tool Center](https://cyclonedx.org/tool-center/) is a community effort to establish a marketplace of
+free, open source, and proprietary tools and solutions that support the CycloneDX specification.
+
+
+## Media Types
+
+The following media types are officially registered with IANA:
+
+| Media Type | Format | Assignment |
+|------------|--------|------------|
+| `application/vnd.cyclonedx+xml` | XML | [IANA](https://www.iana.org/assignments/media-types/application/vnd.cyclonedx+xml) |
+| `application/vnd.cyclonedx+json` | JSON | [IANA](https://www.iana.org/assignments/media-types/application/vnd.cyclonedx+json) |
+| `application/x.vnd.cyclonedx+protobuf` | Protocol Buffer | |
+
+Specific versions of CycloneDX can be specified by using the version parameter. For example: `application/vnd.cyclonedx+xml; version=1.6`.
+
+
+## Recognized file patterns
+
+The following file names are conventionally used for storing CycloneDX BOM files:
+* `bom.json` for JSON encoded CycloneDX BOM files.
+* `bom.xml` for XML encoded CycloneDX BOM files.
+
+Alternatively, files that match the glob pattern below are also recognized:
+* `*.cdx.json` for JSON encoded CycloneDX BOM files.
+* `*.cdx.xml` for XML encoded CycloneDX BOM files.
+
+
+## Release History
+
+| Version | Release Date |
+|-------------------|-----------------|
+| CycloneDX 1.7 | 21 October 2025 |
+| CycloneDX 1.6 | 09 April 2024 |
+| CycloneDX 1.5 | 26 June 2023 |
+| CycloneDX 1.4 | 12 January 2022 |
+| CycloneDX 1.3 | 04 May 2021 |
+| CycloneDX 1.2 | 26 May 2020 |
+| CycloneDX 1.1 | 03 March 2019 |
+| CycloneDX 1.0 | 26 March 2018 |
+| Initial Prototype | 01 May 2017 |
+
+
+## Copyright & License
+
+CycloneDX Specification is Copyright (c) OWASP Foundation. All Rights Reserved.
+
+Permission to modify and redistribute is granted under the terms of the [Apache License 2.0][license-url]
+
+[license-image]: https://img.shields.io/badge/license-apache%20v2-brightgreen.svg
+[license-url]: https://github.com/CycloneDX/specification/blob/master/LICENSE
diff --git a/schema/bom-1.0.xsd b/schema/bom-1.0.xsd
new file mode 100644
index 0000000..9cf8814
--- /dev/null
+++ b/schema/bom-1.0.xsd
@@ -0,0 +1,247 @@ + + + + + + + + + + The person(s) or organization(s) that published the component + + + + + The grouping name or identifier. This will often be a shortened, single + name of the company or project that produced the component, or the source package or + domain name. Whitespace and special characters should be avoided. Examples include: + apache, org.apache.commons, and apache.org. + + + + + The name of the component. This will often be a shortened, single name + of the component. Examples: commons-lang3 and jquery + + + + + The component version. The version should ideally comply with semantic versioning + but is not enforced. + + + + + Specifies a description for the component + + + + + Specifies the scope of the component. If scope is not specified, 'runtime' + scope will be assumed. + + + + + + + + + + + + + + + + + + + A valid SPDX license ID + + + + + If SPDX does not define the license used, this field may be used to provide the license name + + + + + + + + + + + + An optional copyright notice informing users of the underlying claims to copyright ownership in a published work. + + + + + Specifies a well-formed CPE name. See https://nvd.nist.gov/products/cpe + + + + + + Specifies the package-url (PURL). The purl, if specified, must be valid and conform + to the specification defined at: https://github.com/package-url/purl-spec + + + + + + + A boolean value indicating is the component has been modified from the original. + A value of true indicates the component is a derivative of the original. + A value of false indicates the component has not been modified from the original. + + + + + + + Specifies optional sub-components. This is not a dependency tree. It simply provides + an optional way to group large sets of components together. + + + + + + + + + + + + + Specifies the type of component. Software applications, libraries, frameworks, and + other dependencies should be classified as 'application'. 
+ + + + + + User-defined attributes may be used on this element as long as they + do not have the same name as an existing attribute used by the schema. + + + + + + + Specifies the file hash of the component + + + + + + Specifies the algorithm used to create hash + + + + + + + + + + + The component is required for runtime + + + + + The component is optional at runtime. Optional components are components that + are not capable of being called due to them not be installed or otherwise accessible by any means. + Components that are installed but due to configuration or other restrictions are prohibited from + being called must be scoped as 'required'. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Define the format for acceptable CPE URIs. Supports CPE 2.2 and CPE 2.3 formats. Refer to https://nvd.nist.gov/products/cpe for official specification. + + + + + + + + + + + + + + + + + + User-defined attributes may be used on this element as long as they + do not have the same name as an existing attribute used by the schema. + + + + + + + + The version allows component publishers/authors to make changes to existing + BOMs to update various aspects of the document such as description or licenses. When a system + is presented with multiiple BOMs for the same component, the system should use the most recent + version of the BOM. The default version is '1' and should be incremented for each version of the + BOM that is published. Each version of a component should have a unique BOM and if no changes are + made to the BOMs, then each BOM will have a version of '1'. + + + + + User-defined attributes may be used on this element as long as they + do not have the same name as an existing attribute used by the schema. + + + + + \ No newline at end of file diff --git a/schema/bom-1.1.xsd b/schema/bom-1.1.xsd new file mode 100644 index 0000000..069c7f4 --- /dev/null +++ b/schema/bom-1.1.xsd 
@@ -0,0 +1,738 @@ + + + + + + + + + CycloneDX Software Bill-of-Material Specification + https://cyclonedx.org/ + Apache License, Version 2.0 + + Steve Springett + + + + + + + Identifier-DataType for interlinked elements. + + + + + + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + User-defined attributes may be used on this element as long as they + do not have the same name as an existing attribute used by the schema. + + + + + + + + + The person(s) or organization(s) that published the component + + + + + The grouping name or identifier. This will often be a shortened, single + name of the company or project that produced the component, or the source package or + domain name. Whitespace and special characters should be avoided. Examples include: + apache, org.apache.commons, and apache.org. + + + + + The name of the component. This will often be a shortened, single name + of the component. Examples: commons-lang3 and jquery + + + + + The component version. The version should ideally comply with semantic versioning + but is not enforced. + + + + + Specifies a description for the component + + + + + Specifies the scope of the component. If scope is not specified, 'runtime' + scope should be assumed by the consumer of the BOM + + + + + + + + + + + + + + + + A valid SPDX license expression. + Refer to https://spdx.org/specifications for syntax requirements + + + + + + + + An optional copyright notice informing users of the underlying claims to + copyright ownership in a published work. + + + + + + DEPRECATED - DO NOT USE. This will be removed in a future version. + Specifies a well-formed CPE name. See https://nvd.nist.gov/products/cpe + + + + + + + Specifies the package-url (PURL). The purl, if specified, must be valid and conform + to the specification defined at: https://github.com/package-url/purl-spec + + + + + + + DEPRECATED - DO NOT USE. This will be removed in a future version. 
Use the pedigree + element instead to supply information on exactly how the component was modified. + A boolean value indicating is the component has been modified from the original. + A value of true indicates the component is a derivative of the original. + A value of false indicates the component has not been modified from the original. + + + + + + + Component pedigree is a way to document complex supply chain scenarios where components are + created, distributed, modified, redistributed, combined with other components, etc. + + + + + + Provides the ability to document external references related to the + component or to the project the component describes. + + + + + + Specifies optional sub-components. This is not a dependency tree. It provides a way + to specify a hierarchical representation of component assemblies, similar to + system -> subsystem -> parts assembly in physical supply chains. + + + + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + + Specifies the type of component. For software components, classify as application if no more + specific appropriate classification is available or cannot be determined for the component. + Valid choices are: application, framework, library, operating-system, device, or file + Refer to the bom:classification documentation for information describing each one + + + + + + + An optional identifier which can be used to reference the component elsewhere in the BOM. + Uniqueness is enforced within all elements and children of the root-level bom element. + + + + + + User-defined attributes may be used on this element as long as they + do not have the same name as an existing attribute used by the schema. 
+ + + + + + + + + + A valid SPDX license ID + + + + + If SPDX does not define the license used, this field may be used to provide the license name + + + + + + Specifies the optional full text of the license + + + + + The URL to the license file. If specified, a 'license' + externalReference should also be specified for completeness. + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + + + + + Specifies attributes of the license text + + + + Specifies the content type of the license text. Defaults to text/plain + if not specified. + + + + + + Specifies the optional encoding the license text is represented in + + + + + + + + + + Specifies the file hash of the component + + + + + + Specifies the algorithm used to create the hash + + + + + + + + + + + The component is required for runtime + + + + + The component is optional at runtime. Optional components are components that + are not capable of being called due to them not be installed or otherwise accessible by any means. + Components that are installed but due to configuration or other restrictions are prohibited from + being called must be scoped as 'required'. + + + + + Components that are excluded provide the ability to document component usage + for test and other non-runtime purposes. Excluded components are not reachable within a call + graph at runtime. + + + + + + + + + + A software application. Refer to https://en.wikipedia.org/wiki/Application_software + for information about applications. + + + + + A software framework. Refer to https://en.wikipedia.org/wiki/Software_framework + for information on how frameworks vary slightly from libraries. + + + + + A software library. Refer to https://en.wikipedia.org/wiki/Library_(computing) + for information about libraries. All third-party and open source reusable components will likely + be a library. If the library also has key features of a framework, then it should be classified + as a framework. 
If not, or is unknown, then specifying library is recommended. + + + + + A software operating system without regard to deployment model + (i.e. installed on physical hardware, virtual machine, container image, etc) Refer to + https://en.wikipedia.org/wiki/Operating_system + + + + + A hardware device such as a processor, or chip-set. A hardware device + containing firmware should include a component for the physical hardware itself, and another + component of type 'application' or 'operating-system' (whichever is relevant), describing + information about the firmware. + + + + + A computer file. Refer to https://en.wikipedia.org/wiki/Computer_file + for information about files. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Define the format for acceptable CPE URIs. Supports CPE 2.2 and CPE 2.3 formats. + Refer to https://nvd.nist.gov/products/cpe for official specification. + + + + + + + + + + + Defines a string representation of a UUID conforming to RFC 4122. + + + + + + + + + + + + Version Control System + + + + + Issue or defect tracking system, or an Application Lifecycle Management (ALM) system + + + + + Website + + + + + Security advisories + + + + + Bill-of-material document (CycloneDX, SPDX, SWID, etc) + + + + + Mailing list or discussion group + + + + + Social media account + + + + + Real-time chat platform + + + + + Documentation, guides, or how-to instructions + + + + + Community or commercial support + + + + + Direct or repository download location + + + + + The URL to the license file. If a license URL has been defined in the license + node, it should also be defined as an external reference for completeness + + + + + Build-system specific meta file (i.e. 
pom.xml, package.json, .nuspec, etc) + + + + + URL to an automated build system + + + + + Use this if no other types accurately describe the purpose of the external reference + + + + + + + + + External references provide a way to document systems, sites, and information that may be relevant + but which are not included with the BOM. + + + + + + Zero or more external references can be defined + + + + + + + + + + The URL to the external reference + + + + + An optional comment describing the external reference + + + + + + Specifies the type of external reference. There are built-in types to describe common + references. If a type does not exist for the reference being referred to, use the "other" type. + + + + + + User-defined attributes may be used on this element as long as they + do not have the same name as an existing attribute used by the schema. + + + + + + + Zero or more commits can be specified. + + + + + Specifies an individual commit. + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + + + + + A unique identifier of the commit. This may be version control + specific. For example, Subversion uses revision numbers whereas git uses commit hashes. + + + + + + The URL to the commit. This URL will typically point to a commit + in a version control system. + + + + + + The author who created the changes in the commit + + + + + The person who committed or pushed the commit + + + + + The text description of the contents of the commit + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + + + + + The timestamp in which the action occurred + + + + + The name of the individual who performed the action + + + + + The email address of the individual who performed the action + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. 
+ + + + + + + + + + Component pedigree is a way to document complex supply chain scenarios where components are created, + distributed, modified, redistributed, combined with other components, etc. Pedigree supports viewing + this complex chain from the beginning, the end, or anywhere in the middle. It also provides a way to + document variants where the exact relation may not be known. + + + + + + Describes zero or more components in which a component is derived + from. This is commonly used to describe forks from existing projects where the forked version + contains a ancestor node containing the original component it was forked from. For example, + Component A is the original component. Component B is the component being used and documented + in the BOM. However, Component B contains a pedigree node with a single ancestor documenting + Component A - the original component from which Component B is derived from. + + + + + + Descendants are the exact opposite of ancestors. This provides a + way to document all forks (and their forks) of an original or root component. + + + + + + Variants describe relations where the relationship between the + components are not known. For example, if Component A contains nearly identical code to + Component B. They are both related, but it is unclear if one is derived from the other, + or if they share a common ancestor. + + + + + + A list of zero or more commits which provide a trail describing + how the component deviates from an ancestor, descendant, or variant. + + + + + Notes, observations, and other non-structured commentary + describing the components pedigree. + + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + + + + + + + Provides the ability to document external references related to the BOM or + to the project the BOM describes. + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. 
+ + + + + + + The version allows component publishers/authors to make changes to existing + BOMs to update various aspects of the document such as description or licenses. When a system + is presented with multiple BOMs for the same component, the system should use the most recent + version of the BOM. The default version is '1' and should be incremented for each version of the + BOM that is published. Each version of a component should have a unique BOM and if no changes are + made to the BOMs, then each BOM will have a version of '1'. + + + + + Every BOM generated should have a unique serial number, even if the contents + of the BOM being generated have not changed over time. The process or tool responsible for + creating the BOM should create random UUID's for every BOM generated. + + + + + User-defined attributes may be used on this element as long as they + do not have the same name as an existing attribute used by the schema. + + + + + + + + + \ No newline at end of file diff --git a/schema/bom-1.2-strict.schema.json b/schema/bom-1.2-strict.schema.json new file mode 100644 index 0000000..8b1996f --- /dev/null +++ b/schema/bom-1.2-strict.schema.json 
@@ -0,0 +1,1029 @@ +{ + "$schema": "http://json-schema.org/draft-07/schema#", + "$id": "http://cyclonedx.org/schema/bom-1.2b.schema.json", + "type": "object", + "title": "CycloneDX Software Bill-of-Material Specification", + "$comment" : "CycloneDX JSON schema is published under the terms of the Apache License 2.0.", + "required": [ + "bomFormat", + "specVersion", + "version" + ], + "additionalProperties": false, + "properties": { + "$schema": { + "type": "string", + "enum": [ + "http://cyclonedx.org/schema/bom-1.2a.schema.json" + ] + }, + "bomFormat": { + "$id": "#/properties/bomFormat", + "type": "string", + "title": "BOM Format", + "description": "Specifies the format of the BOM. This helps to identify the file as CycloneDX since BOMs do not have a filename convention nor does JSON schema support namespaces.", + "enum": [ + "CycloneDX" + ] + }, + "specVersion": { + "$id": "#/properties/specVersion", + "type": "string", + "title": "CycloneDX Specification Version", + "description": "The version of the CycloneDX specification a BOM is written to (starting at version 1.2)", + "examples": ["1.2"] + }, + "serialNumber": { + "$id": "#/properties/serialNumber", + "type": "string", + "title": "BOM Serial Number", + "description": "Every BOM generated should have a unique serial number, even if the contents of the BOM being generated have not changed over time. The process or tool responsible for creating the BOM should create random UUID's for every BOM generated.", + "default": "", + "examples": ["urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79"], + "pattern": "^urn:uuid:[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$" + }, + "version": { + "$id": "#/properties/version", + "type": "integer", + "title": "BOM Version", + "description": "The version allows component publishers/authors to make changes to existing BOMs to update various aspects of the document such as description or licenses. 
When a system is presented with multiple BOMs for the same component, the system should use the most recent version of the BOM. The default version is '1' and should be incremented for each version of the BOM that is published. Each version of a component should have a unique BOM and if no changes are made to the BOMs, then each BOM will have a version of '1'.", + "default": 1, + "examples": [1] + }, + "metadata": { + "$id": "#/properties/metadata", + "$ref": "#/definitions/metadata", + "title": "BOM Metadata", + "description": "Provides additional information about a BOM." + }, + "components": { + "$id": "#/properties/components", + "type": "array", + "items": {"$ref": "#/definitions/component"}, + "uniqueItems": true, + "title": "Components" + }, + "services": { + "$id": "#/properties/services", + "type": "array", + "items": {"$ref": "#/definitions/service"}, + "uniqueItems": true, + "title": "Services" + }, + "externalReferences": { + "$id": "#/properties/externalReferences", + "type": "array", + "items": {"$ref": "#/definitions/externalReference"}, + "title": "External References", + "description": "External references provide a way to document systems, sites, and information that may be relevant but which are not included with the BOM." + }, + "dependencies": { + "$id": "#/properties/dependencies", + "type": "array", + "items": {"$ref": "#/definitions/dependency"}, + "uniqueItems": true, + "title": "Dependencies", + "description": "Provides the ability to document dependency relationships." + } + }, + "definitions": { + "refType": { + "$comment": "Identifier-DataType for interlinked elements.", + "type": "string" + }, + "metadata": { + "type": "object", + "title": "BOM Metadata Object", + "additionalProperties": false, + "properties": { + "timestamp": { + "type": "string", + "format": "date-time", + "title": "Timestamp", + "description": "The date and time (timestamp) when the document was created." 
+ }, + "tools": { + "type": "array", + "title": "Creation Tools", + "description": "The tool(s) used in the creation of the BOM.", + "items": {"$ref": "#/definitions/tool"} + }, + "authors" :{ + "type": "array", + "title": "Authors", + "description": "The person(s) who created the BOM. Authors are common in BOMs created through manual processes. BOMs created through automated means may not have authors.", + "items": {"$ref": "#/definitions/organizationalContact"} + }, + "component": { + "title": "Component", + "description": "The component that the BOM describes.", + "$ref": "#/definitions/component" + }, + "manufacture": { + "title": "Manufacture", + "description": "The organization that manufactured the component that the BOM describes.", + "$ref": "#/definitions/organizationalEntity" + }, + "supplier": { + "title": "Supplier", + "description": " The organization that supplied the component that the BOM describes. The supplier may often be the manufacture, but may also be a distributor or repackager.", + "$ref": "#/definitions/organizationalEntity" + } + } + }, + "tool": { + "type": "object", + "title": "Tool", + "description": "The tool used to create the BOM.", + "additionalProperties": false, + "properties": { + "vendor": { + "type": "string", + "format": "string", + "title": "Tool Vendor", + "description": "The date and time (timestamp) when the document was created." + }, + "name": { + "type": "string", + "format": "string", + "title": "Tool Name", + "description": "The date and time (timestamp) when the document was created." + }, + "version": { + "type": "string", + "format": "string", + "title": "Tool Version", + "description": "The date and time (timestamp) when the document was created." + }, + "hashes": { + "$id": "#/definitions/tool/properties/hashes", + "type": "array", + "items": {"$ref": "#/definitions/hash"}, + "title": "Hashes", + "description": "The hashes of the tool (if applicable)." 
+ } + } + }, + "organizationalEntity": { + "type": "object", + "title": "Organizational Entity Object", + "description": "", + "additionalProperties": false, + "properties": { + "name": { + "type": "string", + "title": "Name", + "description": "The name of the organization", + "default": "", + "examples": [ + "Example Inc." + ], + "pattern": "^(.*)$" + }, + "url": { + "type": "array", + "title": "URL", + "description": "The URL of the organization. Multiple URLs are allowed.", + "default": "", + "examples": ["https://example.com"], + "pattern": "^(.*)$" + }, + "contact": { + "type": "array", + "title": "Contact", + "description": "A contact at the organization. Multiple contacts are allowed.", + "items": {"$ref": "#/definitions/organizationalContact"} + } + } + }, + "organizationalContact": { + "type": "object", + "title": "Organizational Contact Object", + "description": "", + "additionalProperties": false, + "properties": { + "name": { + "type": "string", + "title": "Name", + "description": "The name of a contact", + "default": "", + "examples": ["Contact name"], + "pattern": "^(.*)$" + }, + "email": { + "type": "string", + "title": "Email Address", + "description": "The email address of the contact. Multiple email addresses are allowed.", + "default": "", + "examples": ["firstname.lastname@example.com"], + "pattern": "^(.*)$" + }, + "phone": { + "type": "string", + "title": "Phone", + "description": "The phone number of the contact. Multiple phone numbers are allowed.", + "default": "", + "examples": ["800-555-1212"], + "pattern": "^(.*)$" + } + } + }, + "component": { + "type": "object", + "title": "Component Object", + "required": [ + "type", + "name", + "version" + ], + "additionalProperties": false, + "properties": { + "type": { + "type": "string", + "enum": [ + "application", + "framework", + "library", + "container", + "operating-system", + "device", + "firmware", + "file" + ], + "title": "Component Type", + "description": "Specifies the type of component. 
For software components, classify as application if no more specific appropriate classification is available or cannot be determined for the component.", + "default": "", + "examples": ["library"], + "pattern": "^(.*)$" + }, + "mime-type": { + "type": "string", + "title": "Mime-Type", + "description": "The optional mime-type of the component. When used on file components, the mime-type can provide additional context about the kind of file being represented such as an image, font, or executable. Some library or framework components may also have an associated mime-type.", + "default": "", + "examples": ["image/jpeg"], + "pattern": "^[-+a-z0-9.]+/[-+a-z0-9.]+$" + }, + "bom-ref": { + "$ref": "#/definitions/refType", + "title": "BOM Reference", + "description": "An optional identifier which can be used to reference the component elsewhere in the BOM. Every bom-ref should be unique.", + "default": "", + "pattern": "^(.*)$" + }, + "supplier": { + "title": "Component Supplier", + "description": " The organization that supplied the component. The supplier may often be the manufacture, but may also be a distributor or repackager.", + "$ref": "#/definitions/organizationalEntity" + }, + "author": { + "type": "string", + "title": "Component Author", + "description": "The person(s) or organization(s) that authored the component", + "default": "", + "examples": ["Acme Inc"], + "pattern": "^(.*)$" + }, + "publisher": { + "type": "string", + "title": "Component Publisher", + "description": "The person(s) or organization(s) that published the component", + "default": "", + "examples": ["Acme Inc"], + "pattern": "^(.*)$" + }, + "group": { + "type": "string", + "title": "Component Group", + "description": "The grouping name or identifier. This will often be a shortened, single name of the company or project that produced the component, or the source package or domain name. Whitespace and special characters should be avoided. 
Examples include: apache, org.apache.commons, and apache.org.", + "default": "", + "examples": ["com.acme"], + "pattern": "^(.*)$" + }, + "name": { + "type": "string", + "title": "Component Name", + "description": "The name of the component. This will often be a shortened, single name of the component. Examples: commons-lang3 and jquery", + "default": "", + "examples": ["tomcat-catalina"], + "pattern": "^(.*)$" + }, + "version": { + "type": "string", + "title": "Component Version", + "description": "The component version. The version should ideally comply with semantic versioning but is not enforced.", + "default": "", + "examples": ["9.0.14"], + "pattern": "^(.*)$" + }, + "description": { + "type": "string", + "title": "Component Description", + "description": "Specifies a description for the component", + "default": "", + "pattern": "^(.*)$" + }, + "scope": { + "type": "string", + "enum": [ + "required", + "optional", + "excluded" + ], + "title": "Component Scope", + "description": "Specifies the scope of the component. 
If scope is not specified, 'required' scope should be assumed by the consumer of the BOM", + "default": "required", + "pattern": "^(.*)$" + }, + "hashes": { + "type": "array", + "title": "Component Hashes", + "items": {"$ref": "#/definitions/hash"} + }, + "licenses": { + "type": "array", + "title": "Component License(s)", + "items": { + "additionalProperties": false, + "properties": { + "license": { + "$ref": "#/definitions/license" + }, + "expression": { + "type": "string", + "title": "SPDX License Expression", + "examples": [ + "Apache-2.0 AND (MIT OR GPL-2.0-only)", + "GPL-3.0-only WITH Classpath-exception-2.0" + ], + "pattern": "^(.*)$" + } + }, + "oneOf":[ + { + "required": ["license"] + }, + { + "required": ["expression"] + } + ] + } + }, + "copyright": { + "type": "string", + "title": "Component Copyright", + "description": "An optional copyright notice informing users of the underlying claims to copyright ownership in a published work.", + "examples": ["Acme Inc"], + "pattern": "^(.*)$" + }, + "cpe": { + "type": "string", + "title": "Component Common Platform Enumeration (CPE)", + "description": "DEPRECATED - DO NOT USE. This will be removed in a future version. Specifies a well-formed CPE name. See https://nvd.nist.gov/products/cpe", + "examples": ["cpe:2.3:a:acme:component_framework:-:*:*:*:*:*:*:*"], + "pattern": "^(.*)$" + }, + "purl": { + "type": "string", + "title": "Component Package URL (purl)", + "default": "", + "examples": ["pkg:maven/com.acme/tomcat-catalina@9.0.14?packaging=jar"], + "pattern": "^(.*)$" + }, + "swid": { + "$ref": "#/definitions/swid", + "title": "SWID Tag", + "description": "Specifies metadata and content for ISO-IEC 19770-2 Software Identification (SWID) Tags." + }, + "modified": { + "type": "boolean", + "title": "Component Modified From Original", + "description": "DEPRECATED - DO NOT USE. This will be removed in a future version. Use the pedigree element instead to supply information on exactly how the component was modified. 
A boolean value indicating is the component has been modified from the original. A value of true indicates the component is a derivative of the original. A value of false indicates the component has not been modified from the original." + }, + "pedigree": { + "type": "object", + "title": "Component Pedigree", + "description": "Component pedigree is a way to document complex supply chain scenarios where components are created, distributed, modified, redistributed, combined with other components, etc. Pedigree supports viewing this complex chain from the beginning, the end, or anywhere in the middle. It also provides a way to document variants where the exact relation may not be known.", + "additionalProperties": false, + "properties": { + "ancestors": { + "type": "array", + "title": "Ancestors", + "description": "Describes zero or more components in which a component is derived from. This is commonly used to describe forks from existing projects where the forked version contains a ancestor node containing the original component it was forked from. For example, Component A is the original component. Component B is the component being used and documented in the BOM. However, Component B contains a pedigree node with a single ancestor documenting Component A - the original component from which Component B is derived from.", + "items": {"$ref": "#/definitions/component"} + }, + "descendants": { + "type": "array", + "title": "Descendants", + "description": "Descendants are the exact opposite of ancestors. This provides a way to document all forks (and their forks) of an original or root component.", + "items": {"$ref": "#/definitions/component"} + }, + "variants": { + "type": "array", + "title": "Variants", + "description": "Variants describe relations where the relationship between the components are not known. For example, if Component A contains nearly identical code to Component B. 
They are both related, but it is unclear if one is derived from the other, or if they share a common ancestor.", + "items": {"$ref": "#/definitions/component"} + }, + "commits": { + "type": "array", + "title": "Commits", + "description": "A list of zero or more commits which provide a trail describing how the component deviates from an ancestor, descendant, or variant.", + "items": {"$ref": "#/definitions/commit"} + }, + "patches": { + "type": "array", + "title": "Patches", + "description": ">A list of zero or more patches describing how the component deviates from an ancestor, descendant, or variant. Patches may be complimentary to commits or may be used in place of commits.", + "items": {"$ref": "#/definitions/patch"} + }, + "notes": { + "type": "string", + "title": "Notes", + "description": "Notes, observations, and other non-structured commentary describing the components pedigree.", + "pattern": "^(.*)$" + } + } + }, + "externalReferences": { + "type": "array", + "items": {"$ref": "#/definitions/externalReference"}, + "title": "External References" + }, + "components": { + "$id": "#/definitions/component/properties/components", + "type": "array", + "items": {"$ref": "#/definitions/component"}, + "uniqueItems": true, + "title": "Components" + } + } + }, + "swid": { + "type": "object", + "title": "SWID Tag", + "description": "Specifies metadata and content for ISO-IEC 19770-2 Software Identification (SWID) Tags.", + "required": [ + "tagId", + "name" + ], + "additionalProperties": false, + "properties": { + "tagId": { + "type": "string", + "title": "Tag ID", + "description": "Maps to the tagId of a SoftwareIdentity." + }, + "name": { + "type": "string", + "title": "Name", + "description": "Maps to the name of a SoftwareIdentity." + }, + "version": { + "type": "string", + "title": "Version", + "default": "0.0", + "description": "Maps to the version of a SoftwareIdentity." 
+ }, + "tagVersion": { + "type": "integer", + "title": "Tag Version", + "default": 0, + "description": "Maps to the tagVersion of a SoftwareIdentity." + }, + "patch": { + "type": "boolean", + "title": "Patch", + "default": false, + "description": "Maps to the patch of a SoftwareIdentity." + }, + "text": { + "title": "Attachment text", + "description": "Specifies the metadata and content of the SWID tag.", + "$ref": "#/definitions/attachment" + }, + "url": { + "type": "string", + "title": "URL", + "default": "The URL to the SWID file.", + "pattern": "^(.*)$" + } + } + }, + "attachment": { + "type": "object", + "title": "Attachment", + "description": "Specifies the metadata and content for an attachment.", + "required": [ + "content" + ], + "additionalProperties": false, + "properties": { + "contentType": { + "type": "string", + "title": "Content-Type", + "description": "Specifies the content type of the text. Defaults to text/plain if not specified.", + "default": "text/plain" + }, + "encoding": { + "type": "string", + "title": "Encoding", + "description": "Specifies the optional encoding the text is represented in.", + "enum": [ + "base64" + ], + "default": "", + "pattern": "^(.*)$" + }, + "content": { + "type": "string", + "title": "Attachment Text", + "description": "The attachment data" + } + } + }, + "hash": { + "type": "object", + "title": "Hash Objects", + "required": [ + "alg", + "content" + ], + "additionalProperties": false, + "properties": { + "alg": { + "$ref": "#/definitions/hash-alg" + }, + "content": { + "$ref": "#/definitions/hash-content" + } + } + }, + "hash-alg": { + "type": "string", + "enum": [ + "MD5", + "SHA-1", + "SHA-256", + "SHA-384", + "SHA-512", + "SHA3-256", + "SHA3-384", + "SHA3-512", + "BLAKE2b-256", + "BLAKE2b-384", + "BLAKE2b-512", + "BLAKE3" + ], + "title": "Hash Algorithm", + "default": "", + "pattern": "^(.*)$" + }, + "hash-content": { + "type": "string", + "title": "Hash Content (value)", + "default": "", + "examples": 
["3942447fac867ae5cdb3229b658f4d48"], + "pattern": "^([a-fA-F0-9]{32}|[a-fA-F0-9]{40}|[a-fA-F0-9]{64}|[a-fA-F0-9]{96}|[a-fA-F0-9]{128})$" + }, + "license": { + "type": "object", + "title": "License Object", + "oneOf": [ + { + "required": ["id"] + }, + { + "required": ["name"] + } + ], + "additionalProperties": false, + "properties": { + "id": { + "$ref": "spdx.schema.json", + "title": "License ID (SPDX)", + "description": "A valid SPDX license ID", + "examples": ["Apache-2.0"] + }, + "name": { + "type": "string", + "title": "License Name", + "description": "If SPDX does not define the license used, this field may be used to provide the license name", + "default": "", + "examples": ["Acme Software License"], + "pattern": "^(.*)$" + }, + "text": { + "title": "License text", + "description": "An optional way to include the textual content of a license.", + "$ref": "#/definitions/attachment" + }, + "url": { + "type": "string", + "title": "License URL", + "description": "The URL to the license file. If specified, a 'license' externalReference should also be specified for completeness", + "examples": ["https://www.apache.org/licenses/LICENSE-2.0.txt"], + "pattern": "^(.*)$" + } + } + }, + "commit": { + "type": "object", + "title": "Commit", + "description": "Specifies an individual commit", + "additionalProperties": false, + "properties": { + "uid": { + "type": "string", + "title": "UID", + "description": "A unique identifier of the commit. This may be version control specific. For example, Subversion uses revision numbers whereas git uses commit hashes.", + "pattern": "^(.*)$" + }, + "url": { + "type": "string", + "title": "URL", + "description": "The URL to the commit. 
This URL will typically point to a commit in a version control system.", + "format": "iri-reference" + }, + "author": { + "title": "Author", + "description": "The author who created the changes in the commit", + "$ref": "#/definitions/identifiableAction" + }, + "committer": { + "title": "Committer", + "description": "The person who committed or pushed the commit", + "$ref": "#/definitions/identifiableAction" + }, + "message": { + "type": "string", + "title": "Message", + "description": "The text description of the contents of the commit", + "pattern": "^(.*)$" + } + } + }, + "patch": { + "type": "object", + "title": "Patch", + "description": "Specifies an individual patch", + "required": [ + "type" + ], + "additionalProperties": false, + "properties": { + "type": { + "type": "string", + "enum": [ + "unofficial", + "monkey", + "backport", + "cherry-pick" + ], + "title": "Type", + "description": "Specifies the purpose for the patch including the resolution of defects, security issues, or new behavior or functionality" + }, + "diff": { + "title": "Diff", + "description": "The patch file (or diff) that show changes. Refer to https://en.wikipedia.org/wiki/Diff", + "$ref": "#/definitions/diff" + }, + "resolves": { + "type": "array", + "items": {"$ref": "#/definitions/issue"}, + "title": "Resolves", + "description": "A collection of issues the patch resolves" + } + } + }, + "diff": { + "type": "object", + "title": "Diff", + "description": "The patch file (or diff) that show changes. Refer to https://en.wikipedia.org/wiki/Diff", + "additionalProperties": false, + "properties": { + "text": { + "title": "Diff text", + "description": "Specifies the optional text of the diff", + "$ref": "#/definitions/attachment" + }, + "url": { + "type": "string", + "title": "URL", + "description": "Specifies the URL to the diff", + "pattern": "^(.*)$" + } + } + }, + "issue": { + "type": "object", + "title": "Diff", + "description": "The patch file (or diff) that show changes. 
Refer to https://en.wikipedia.org/wiki/Diff", + "required": [ + "type" + ], + "additionalProperties": false, + "properties": { + "type": { + "type": "string", + "enum": [ + "defect", + "enhancement", + "security" + ], + "title": "Type", + "description": "Specifies the type of issue" + }, + "id": { + "type": "string", + "title": "ID", + "description": "The identifier of the issue assigned by the source of the issue", + "pattern": "^(.*)$" + }, + "name": { + "type": "string", + "title": "Name", + "description": "The name of the issue", + "pattern": "^(.*)$" + }, + "description": { + "type": "string", + "title": "Description", + "description": "A description of the issue", + "pattern": "^(.*)$" + }, + "source": { + "type": "object", + "title": "Source", + "description": "The source of the issue where it is documented", + "additionalProperties": false, + "properties": { + "name": { + "type": "string", + "title": "Name", + "description": "The name of the source. For example 'National Vulnerability Database', 'NVD', and 'Apache'", + "pattern": "^(.*)$" + }, + "url": { + "type": "string", + "title": "URL", + "description": "The url of the issue documentation as provided by the source", + "pattern": "^(.*)$" + } + } + }, + "references": { + "type": "array", + "title": "References", + "description": "A collection of URL's for reference. 
Multiple URLs are allowed.", + "default": "", + "examples": ["https://example.com"], + "pattern": "^(.*)$" + } + } + }, + "identifiableAction": { + "type": "object", + "title": "Identifiable Action", + "description": "Specifies an individual commit", + "additionalProperties": false, + "properties": { + "timestamp": { + "type": "string", + "format": "date-time", + "title": "Timestamp", + "description": "The timestamp in which the action occurred" + }, + "name": { + "type": "string", + "title": "Name", + "description": "The name of the individual who performed the action", + "pattern": "^(.*)$" + }, + "email": { + "type": "string", + "format": "idn-email", + "title": "E-mail", + "description": "The email address of the individual who performed the action" + } + } + }, + "externalReference": { + "type": "object", + "title": "External Reference", + "description": "Specifies an individual external reference", + "required": [ + "url", + "type" + ], + "additionalProperties": false, + "properties": { + "url": { + "type": "string", + "title": "URL", + "description": "The URL to the external reference", + "pattern": "^(.*)$" + }, + "comment": { + "type": "string", + "title": "Comment", + "description": "An optional comment describing the external reference", + "pattern": "^(.*)$" + }, + "type": { + "type": "string", + "title": "Type", + "description": "Specifies the type of external reference. There are built-in types to describe common references. If a type does not exist for the reference being referred to, use the \"other\" type.", + "enum": [ + "vcs", + "issue-tracker", + "website", + "advisories", + "bom", + "mailing-list", + "social", + "chat", + "documentation", + "support", + "distribution", + "license", + "build-meta", + "build-system", + "other" + ] + } + } + }, + "dependency": { + "type": "object", + "title": "Dependency", + "description": "Defines the direct dependencies of a component. 
Components that do not have their own dependencies MUST be declared as empty elements within the graph. Components that are not represented in the dependency graph MAY have unknown dependencies. It is RECOMMENDED that implementations assume this to be opaque and not an indicator of a component being dependency-free.", + "required": [ + "ref" + ], + "additionalProperties": false, + "properties": { + "ref": { + "$ref": "#/definitions/refType", + "title": "Reference", + "description": "References a component by the components bom-ref attribute" + }, + "dependsOn": { + "type": "array", + "uniqueItems": true, + "items": { + "$ref": "#/definitions/refType" + }, + "title": "Depends On", + "description": "The bom-ref identifiers of the components that are dependencies of this dependency object." + } + } + }, + "service": { + "type": "object", + "title": "Service Object", + "required": [ + "name" + ], + "additionalProperties": false, + "properties": { + "bom-ref": { + "$ref": "#/definitions/refType", + "title": "BOM Reference", + "description": "An optional identifier which can be used to reference the service elsewhere in the BOM. Every bom-ref should be unique.", + "default": "", + "pattern": "^(.*)$" + }, + "provider": { + "title": "Provider", + "description": "The organization that provides the service.", + "$ref": "#/definitions/organizationalEntity" + }, + "group": { + "type": "string", + "title": "Service Group", + "description": "The grouping name, namespace, or identifier. This will often be a shortened, single name of the company or project that produced the service or domain name. Whitespace and special characters should be avoided.", + "default": "", + "examples": ["com.acme"], + "pattern": "^(.*)$" + }, + "name": { + "type": "string", + "title": "Service Name", + "description": "The name of the service. 
This will often be a shortened, single name of the service.", + "default": "", + "examples": ["ticker-service"], + "pattern": "^(.*)$" + }, + "version": { + "type": "string", + "title": "Service Version", + "description": "The service version.", + "default": "", + "examples": ["1.0.0"], + "pattern": "^(.*)$" + }, + "description": { + "type": "string", + "title": "Service Description", + "description": "Specifies a description for the service", + "default": "", + "pattern": "^(.*)$" + }, + "endpoints": { + "type": "array", + "title": "Endpoints", + "description": "The endpoint URIs of the service. Multiple endpoints are allowed.", + "default": "", + "examples": ["https://example.com/api/v1/ticker"], + "pattern": "^(.*)$" + }, + "authenticated": { + "type": "boolean", + "title": "Authentication Required", + "description": "A boolean value indicating if the service requires authentication. A value of true indicates the service requires authentication prior to use. A value of false indicates the service does not require authentication." + }, + "x-trust-boundary": { + "type": "boolean", + "title": "Crosses Trust Boundary", + "description": "A boolean value indicating if use of the service crosses a trust zone or boundary. A value of true indicates that by using the service, a trust boundary is crossed. A value of false indicates that by using the service, a trust boundary is not crossed." + }, + "data": { + "type": "array", + "items": {"$ref": "#/definitions/dataClassification"}, + "title": "Data Classification", + "description": "Specifies the data classification." 
+ }, + "licenses": { + "type": "array", + "title": "Component License(s)", + "items": { + "additionalProperties": false, + "properties": { + "license": { + "$ref": "#/definitions/license" + }, + "expression": { + "type": "string", + "title": "SPDX License Expression", + "examples": [ + "Apache-2.0 AND (MIT OR GPL-2.0-only)", + "GPL-3.0-only WITH Classpath-exception-2.0" + ], + "pattern": "^(.*)$" + } + }, + "oneOf":[ + { + "required": ["license"] + }, + { + "required": ["expression"] + } + ] + } + }, + "externalReferences": { + "type": "array", + "items": {"$ref": "#/definitions/externalReference"}, + "title": "External References" + }, + "services": { + "$id": "#/definitions/service/properties/services", + "type": "array", + "items": {"$ref": "#/definitions/service"}, + "uniqueItems": true, + "title": "Services" + } + } + }, + "dataClassification": { + "type": "object", + "title": "Hash Objects", + "required": [ + "flow", + "classification" + ], + "additionalProperties": false, + "properties": { + "flow": { + "$ref": "#/definitions/dataFlow" + }, + "classification": { + "type": "string" + } + } + }, + "dataFlow": { + "type": "string", + "enum": [ + "inbound", + "outbound", + "bi-directional", + "unknown" + ], + "title": "Data flow direction", + "default": "", + "pattern": "^(.*)$" + } + } +} diff --git a/schema/bom-1.2.schema.json b/schema/bom-1.2.schema.json new file mode 100644 index 0000000..f7d1fd6 --- /dev/null +++ b/schema/bom-1.2.schema.json 
@@ -0,0 +1,1001 @@ +{ + "$schema": "http://json-schema.org/draft-07/schema#", + "$id": "http://cyclonedx.org/schema/bom-1.2b.schema.json", + "type": "object", + "title": "CycloneDX Software Bill-of-Material Specification", + "$comment" : "CycloneDX JSON schema is published under the terms of the Apache License 2.0.", + "required": [ + "bomFormat", + "specVersion", + "version" + ], + "properties": { + "bomFormat": { + "$id": "#/properties/bomFormat", + "type": "string", + "title": "BOM Format", + "description": "Specifies the format of the BOM. This helps to identify the file as CycloneDX since BOMs do not have a filename convention nor does JSON schema support namespaces.", + "enum": [ + "CycloneDX" + ] + }, + "specVersion": { + "$id": "#/properties/specVersion", + "type": "string", + "title": "CycloneDX Specification Version", + "description": "The version of the CycloneDX specification a BOM is written to (starting at version 1.2)", + "examples": ["1.2"] + }, + "serialNumber": { + "$id": "#/properties/serialNumber", + "type": "string", + "title": "BOM Serial Number", + "description": "Every BOM generated should have a unique serial number, even if the contents of the BOM being generated have not changed over time. The process or tool responsible for creating the BOM should create random UUID's for every BOM generated.", + "default": "", + "examples": ["urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79"], + "pattern": "^urn:uuid:[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$" + }, + "version": { + "$id": "#/properties/version", + "type": "integer", + "title": "BOM Version", + "description": "The version allows component publishers/authors to make changes to existing BOMs to update various aspects of the document such as description or licenses. When a system is presented with multiple BOMs for the same component, the system should use the most recent version of the BOM. 
The default version is '1' and should be incremented for each version of the BOM that is published. Each version of a component should have a unique BOM and if no changes are made to the BOMs, then each BOM will have a version of '1'.", + "default": 1, + "examples": [1] + }, + "metadata": { + "$id": "#/properties/metadata", + "$ref": "#/definitions/metadata", + "title": "BOM Metadata", + "description": "Provides additional information about a BOM." + }, + "components": { + "$id": "#/properties/components", + "type": "array", + "items": {"$ref": "#/definitions/component"}, + "uniqueItems": true, + "title": "Components" + }, + "services": { + "$id": "#/properties/services", + "type": "array", + "items": {"$ref": "#/definitions/service"}, + "uniqueItems": true, + "title": "Services" + }, + "externalReferences": { + "$id": "#/properties/externalReferences", + "type": "array", + "items": {"$ref": "#/definitions/externalReference"}, + "title": "External References", + "description": "External references provide a way to document systems, sites, and information that may be relevant but which are not included with the BOM." + }, + "dependencies": { + "$id": "#/properties/dependencies", + "type": "array", + "items": {"$ref": "#/definitions/dependency"}, + "uniqueItems": true, + "title": "Dependencies", + "description": "Provides the ability to document dependency relationships." + } + }, + "definitions": { + "refType": { + "$comment": "Identifier-DataType for interlinked elements.", + "type": "string" + }, + "metadata": { + "type": "object", + "title": "BOM Metadata Object", + "properties": { + "timestamp": { + "type": "string", + "format": "date-time", + "title": "Timestamp", + "description": "The date and time (timestamp) when the document was created." 
+ }, + "tools": { + "type": "array", + "title": "Creation Tools", + "description": "The tool(s) used in the creation of the BOM.", + "items": {"$ref": "#/definitions/tool"} + }, + "authors" :{ + "type": "array", + "title": "Authors", + "description": "The person(s) who created the BOM. Authors are common in BOMs created through manual processes. BOMs created through automated means may not have authors.", + "items": {"$ref": "#/definitions/organizationalContact"} + }, + "component": { + "title": "Component", + "description": "The component that the BOM describes.", + "$ref": "#/definitions/component" + }, + "manufacture": { + "title": "Manufacture", + "description": "The organization that manufactured the component that the BOM describes.", + "$ref": "#/definitions/organizationalEntity" + }, + "supplier": { + "title": "Supplier", + "description": " The organization that supplied the component that the BOM describes. The supplier may often be the manufacture, but may also be a distributor or repackager.", + "$ref": "#/definitions/organizationalEntity" + } + } + }, + "tool": { + "type": "object", + "title": "Tool", + "description": "The tool used to create the BOM.", + "properties": { + "vendor": { + "type": "string", + "format": "string", + "title": "Tool Vendor", + "description": "The date and time (timestamp) when the document was created." + }, + "name": { + "type": "string", + "format": "string", + "title": "Tool Name", + "description": "The date and time (timestamp) when the document was created." + }, + "version": { + "type": "string", + "format": "string", + "title": "Tool Version", + "description": "The date and time (timestamp) when the document was created." + }, + "hashes": { + "$id": "#/definitions/tool/properties/hashes", + "type": "array", + "items": {"$ref": "#/definitions/hash"}, + "title": "Hashes", + "description": "The hashes of the tool (if applicable)." 
+ } + } + }, + "organizationalEntity": { + "type": "object", + "title": "Organizational Entity Object", + "description": "", + "properties": { + "name": { + "type": "string", + "title": "Name", + "description": "The name of the organization", + "default": "", + "examples": [ + "Example Inc." + ], + "pattern": "^(.*)$" + }, + "url": { + "type": "array", + "title": "URL", + "description": "The URL of the organization. Multiple URLs are allowed.", + "default": "", + "examples": ["https://example.com"], + "pattern": "^(.*)$" + }, + "contact": { + "type": "array", + "title": "Contact", + "description": "A contact at the organization. Multiple contacts are allowed.", + "items": {"$ref": "#/definitions/organizationalContact"} + } + } + }, + "organizationalContact": { + "type": "object", + "title": "Organizational Contact Object", + "description": "", + "properties": { + "name": { + "type": "string", + "title": "Name", + "description": "The name of a contact", + "default": "", + "examples": ["Contact name"], + "pattern": "^(.*)$" + }, + "email": { + "type": "string", + "title": "Email Address", + "description": "The email address of the contact. Multiple email addresses are allowed.", + "default": "", + "examples": ["firstname.lastname@example.com"], + "pattern": "^(.*)$" + }, + "phone": { + "type": "string", + "title": "Phone", + "description": "The phone number of the contact. Multiple phone numbers are allowed.", + "default": "", + "examples": ["800-555-1212"], + "pattern": "^(.*)$" + } + } + }, + "component": { + "type": "object", + "title": "Component Object", + "required": [ + "type", + "name", + "version" + ], + "properties": { + "type": { + "type": "string", + "enum": [ + "application", + "framework", + "library", + "container", + "operating-system", + "device", + "firmware", + "file" + ], + "title": "Component Type", + "description": "Specifies the type of component. 
For software components, classify as application if no more specific appropriate classification is available or cannot be determined for the component.", + "default": "", + "examples": ["library"], + "pattern": "^(.*)$" + }, + "mime-type": { + "type": "string", + "title": "Mime-Type", + "description": "The optional mime-type of the component. When used on file components, the mime-type can provide additional context about the kind of file being represented such as an image, font, or executable. Some library or framework components may also have an associated mime-type.", + "default": "", + "examples": ["image/jpeg"], + "pattern": "^[-+a-z0-9.]+/[-+a-z0-9.]+$" + }, + "bom-ref": { + "$ref": "#/definitions/refType", + "title": "BOM Reference", + "description": "An optional identifier which can be used to reference the component elsewhere in the BOM. Every bom-ref should be unique.", + "default": "", + "pattern": "^(.*)$" + }, + "supplier": { + "title": "Component Supplier", + "description": " The organization that supplied the component. The supplier may often be the manufacture, but may also be a distributor or repackager.", + "$ref": "#/definitions/organizationalEntity" + }, + "author": { + "type": "string", + "title": "Component Author", + "description": "The person(s) or organization(s) that authored the component", + "default": "", + "examples": ["Acme Inc"], + "pattern": "^(.*)$" + }, + "publisher": { + "type": "string", + "title": "Component Publisher", + "description": "The person(s) or organization(s) that published the component", + "default": "", + "examples": ["Acme Inc"], + "pattern": "^(.*)$" + }, + "group": { + "type": "string", + "title": "Component Group", + "description": "The grouping name or identifier. This will often be a shortened, single name of the company or project that produced the component, or the source package or domain name. Whitespace and special characters should be avoided. 
Examples include: apache, org.apache.commons, and apache.org.", + "default": "", + "examples": ["com.acme"], + "pattern": "^(.*)$" + }, + "name": { + "type": "string", + "title": "Component Name", + "description": "The name of the component. This will often be a shortened, single name of the component. Examples: commons-lang3 and jquery", + "default": "", + "examples": ["tomcat-catalina"], + "pattern": "^(.*)$" + }, + "version": { + "type": "string", + "title": "Component Version", + "description": "The component version. The version should ideally comply with semantic versioning but is not enforced.", + "default": "", + "examples": ["9.0.14"], + "pattern": "^(.*)$" + }, + "description": { + "type": "string", + "title": "Component Description", + "description": "Specifies a description for the component", + "default": "", + "pattern": "^(.*)$" + }, + "scope": { + "type": "string", + "enum": [ + "required", + "optional", + "excluded" + ], + "title": "Component Scope", + "description": "Specifies the scope of the component. 
If scope is not specified, 'required' scope should be assumed by the consumer of the BOM", + "default": "required", + "pattern": "^(.*)$" + }, + "hashes": { + "type": "array", + "title": "Component Hashes", + "items": {"$ref": "#/definitions/hash"} + }, + "licenses": { + "type": "array", + "title": "Component License(s)", + "items": { + "properties": { + "license": { + "$ref": "#/definitions/license" + }, + "expression": { + "type": "string", + "title": "SPDX License Expression", + "examples": [ + "Apache-2.0 AND (MIT OR GPL-2.0-only)", + "GPL-3.0-only WITH Classpath-exception-2.0" + ], + "pattern": "^(.*)$" + } + }, + "oneOf":[ + { + "required": ["license"] + }, + { + "required": ["expression"] + } + ] + } + }, + "copyright": { + "type": "string", + "title": "Component Copyright", + "description": "An optional copyright notice informing users of the underlying claims to copyright ownership in a published work.", + "examples": ["Acme Inc"], + "pattern": "^(.*)$" + }, + "cpe": { + "type": "string", + "title": "Component Common Platform Enumeration (CPE)", + "description": "DEPRECATED - DO NOT USE. This will be removed in a future version. Specifies a well-formed CPE name. See https://nvd.nist.gov/products/cpe", + "examples": ["cpe:2.3:a:acme:component_framework:-:*:*:*:*:*:*:*"], + "pattern": "^(.*)$" + }, + "purl": { + "type": "string", + "title": "Component Package URL (purl)", + "default": "", + "examples": ["pkg:maven/com.acme/tomcat-catalina@9.0.14?packaging=jar"], + "pattern": "^(.*)$" + }, + "swid": { + "$ref": "#/definitions/swid", + "title": "SWID Tag", + "description": "Specifies metadata and content for ISO-IEC 19770-2 Software Identification (SWID) Tags." + }, + "modified": { + "type": "boolean", + "title": "Component Modified From Original", + "description": "DEPRECATED - DO NOT USE. This will be removed in a future version. Use the pedigree element instead to supply information on exactly how the component was modified. 
A boolean value indicating is the component has been modified from the original. A value of true indicates the component is a derivative of the original. A value of false indicates the component has not been modified from the original." + }, + "pedigree": { + "type": "object", + "title": "Component Pedigree", + "description": "Component pedigree is a way to document complex supply chain scenarios where components are created, distributed, modified, redistributed, combined with other components, etc. Pedigree supports viewing this complex chain from the beginning, the end, or anywhere in the middle. It also provides a way to document variants where the exact relation may not be known.", + "properties": { + "ancestors": { + "type": "array", + "title": "Ancestors", + "description": "Describes zero or more components in which a component is derived from. This is commonly used to describe forks from existing projects where the forked version contains a ancestor node containing the original component it was forked from. For example, Component A is the original component. Component B is the component being used and documented in the BOM. However, Component B contains a pedigree node with a single ancestor documenting Component A - the original component from which Component B is derived from.", + "items": {"$ref": "#/definitions/component"} + }, + "descendants": { + "type": "array", + "title": "Descendants", + "description": "Descendants are the exact opposite of ancestors. This provides a way to document all forks (and their forks) of an original or root component.", + "items": {"$ref": "#/definitions/component"} + }, + "variants": { + "type": "array", + "title": "Variants", + "description": "Variants describe relations where the relationship between the components are not known. For example, if Component A contains nearly identical code to Component B. 
They are both related, but it is unclear if one is derived from the other, or if they share a common ancestor.", + "items": {"$ref": "#/definitions/component"} + }, + "commits": { + "type": "array", + "title": "Commits", + "description": "A list of zero or more commits which provide a trail describing how the component deviates from an ancestor, descendant, or variant.", + "items": {"$ref": "#/definitions/commit"} + }, + "patches": { + "type": "array", + "title": "Patches", + "description": ">A list of zero or more patches describing how the component deviates from an ancestor, descendant, or variant. Patches may be complimentary to commits or may be used in place of commits.", + "items": {"$ref": "#/definitions/patch"} + }, + "notes": { + "type": "string", + "title": "Notes", + "description": "Notes, observations, and other non-structured commentary describing the components pedigree.", + "pattern": "^(.*)$" + } + } + }, + "externalReferences": { + "type": "array", + "items": {"$ref": "#/definitions/externalReference"}, + "title": "External References" + }, + "components": { + "$id": "#/definitions/component/properties/components", + "type": "array", + "items": {"$ref": "#/definitions/component"}, + "uniqueItems": true, + "title": "Components" + } + } + }, + "swid": { + "type": "object", + "title": "SWID Tag", + "description": "Specifies metadata and content for ISO-IEC 19770-2 Software Identification (SWID) Tags.", + "required": [ + "tagId", + "name" + ], + "properties": { + "tagId": { + "type": "string", + "title": "Tag ID", + "description": "Maps to the tagId of a SoftwareIdentity." + }, + "name": { + "type": "string", + "title": "Name", + "description": "Maps to the name of a SoftwareIdentity." + }, + "version": { + "type": "string", + "title": "Version", + "default": "0.0", + "description": "Maps to the version of a SoftwareIdentity." 
+ }, + "tagVersion": { + "type": "integer", + "title": "Tag Version", + "default": 0, + "description": "Maps to the tagVersion of a SoftwareIdentity." + }, + "patch": { + "type": "boolean", + "title": "Patch", + "default": false, + "description": "Maps to the patch of a SoftwareIdentity." + }, + "text": { + "title": "Attachment text", + "description": "Specifies the metadata and content of the SWID tag.", + "$ref": "#/definitions/attachment" + }, + "url": { + "type": "string", + "title": "URL", + "default": "The URL to the SWID file.", + "pattern": "^(.*)$" + } + } + }, + "attachment": { + "type": "object", + "title": "Attachment", + "description": "Specifies the metadata and content for an attachment.", + "required": [ + "content" + ], + "properties": { + "contentType": { + "type": "string", + "title": "Content-Type", + "description": "Specifies the content type of the text. Defaults to text/plain if not specified.", + "default": "text/plain" + }, + "encoding": { + "type": "string", + "title": "Encoding", + "description": "Specifies the optional encoding the text is represented in.", + "enum": [ + "base64" + ], + "default": "", + "pattern": "^(.*)$" + }, + "content": { + "type": "string", + "title": "Attachment Text", + "description": "The attachment data" + } + } + }, + "hash": { + "type": "object", + "title": "Hash Objects", + "required": [ + "alg", + "content" + ], + "properties": { + "alg": { + "$ref": "#/definitions/hash-alg" + }, + "content": { + "$ref": "#/definitions/hash-content" + } + } + }, + "hash-alg": { + "type": "string", + "enum": [ + "MD5", + "SHA-1", + "SHA-256", + "SHA-384", + "SHA-512", + "SHA3-256", + "SHA3-384", + "SHA3-512", + "BLAKE2b-256", + "BLAKE2b-384", + "BLAKE2b-512", + "BLAKE3" + ], + "title": "Hash Algorithm", + "default": "", + "pattern": "^(.*)$" + }, + "hash-content": { + "type": "string", + "title": "Hash Content (value)", + "default": "", + "examples": ["3942447fac867ae5cdb3229b658f4d48"], + "pattern": 
"^([a-fA-F0-9]{32}|[a-fA-F0-9]{40}|[a-fA-F0-9]{64}|[a-fA-F0-9]{96}|[a-fA-F0-9]{128})$" + }, + "license": { + "type": "object", + "title": "License Object", + "oneOf": [ + { + "required": ["id"] + }, + { + "required": ["name"] + } + ], + "properties": { + "id": { + "$ref": "spdx.schema.json", + "title": "License ID (SPDX)", + "description": "A valid SPDX license ID", + "examples": ["Apache-2.0"] + }, + "name": { + "type": "string", + "title": "License Name", + "description": "If SPDX does not define the license used, this field may be used to provide the license name", + "default": "", + "examples": ["Acme Software License"], + "pattern": "^(.*)$" + }, + "text": { + "title": "License text", + "description": "An optional way to include the textual content of a license.", + "$ref": "#/definitions/attachment" + }, + "url": { + "type": "string", + "title": "License URL", + "description": "The URL to the license file. If specified, a 'license' externalReference should also be specified for completeness", + "examples": ["https://www.apache.org/licenses/LICENSE-2.0.txt"], + "pattern": "^(.*)$" + } + } + }, + "commit": { + "type": "object", + "title": "Commit", + "description": "Specifies an individual commit", + "properties": { + "uid": { + "type": "string", + "title": "UID", + "description": "A unique identifier of the commit. This may be version control specific. For example, Subversion uses revision numbers whereas git uses commit hashes.", + "pattern": "^(.*)$" + }, + "url": { + "type": "string", + "title": "URL", + "description": "The URL to the commit. 
This URL will typically point to a commit in a version control system.", + "format": "iri-reference" + }, + "author": { + "title": "Author", + "description": "The author who created the changes in the commit", + "$ref": "#/definitions/identifiableAction" + }, + "committer": { + "title": "Committer", + "description": "The person who committed or pushed the commit", + "$ref": "#/definitions/identifiableAction" + }, + "message": { + "type": "string", + "title": "Message", + "description": "The text description of the contents of the commit", + "pattern": "^(.*)$" + } + } + }, + "patch": { + "type": "object", + "title": "Patch", + "description": "Specifies an individual patch", + "required": [ + "type" + ], + "properties": { + "type": { + "type": "string", + "enum": [ + "unofficial", + "monkey", + "backport", + "cherry-pick" + ], + "title": "Type", + "description": "Specifies the purpose for the patch including the resolution of defects, security issues, or new behavior or functionality" + }, + "diff": { + "title": "Diff", + "description": "The patch file (or diff) that show changes. Refer to https://en.wikipedia.org/wiki/Diff", + "$ref": "#/definitions/diff" + }, + "resolves": { + "type": "array", + "items": {"$ref": "#/definitions/issue"}, + "title": "Resolves", + "description": "A collection of issues the patch resolves" + } + } + }, + "diff": { + "type": "object", + "title": "Diff", + "description": "The patch file (or diff) that show changes. Refer to https://en.wikipedia.org/wiki/Diff", + "properties": { + "text": { + "title": "Diff text", + "description": "Specifies the optional text of the diff", + "$ref": "#/definitions/attachment" + }, + "url": { + "type": "string", + "title": "URL", + "description": "Specifies the URL to the diff", + "pattern": "^(.*)$" + } + } + }, + "issue": { + "type": "object", + "title": "Diff", + "description": "The patch file (or diff) that show changes. 
Refer to https://en.wikipedia.org/wiki/Diff", + "required": [ + "type" + ], + "properties": { + "type": { + "type": "string", + "enum": [ + "defect", + "enhancement", + "security" + ], + "title": "Type", + "description": "Specifies the type of issue" + }, + "id": { + "type": "string", + "title": "ID", + "description": "The identifier of the issue assigned by the source of the issue", + "pattern": "^(.*)$" + }, + "name": { + "type": "string", + "title": "Name", + "description": "The name of the issue", + "pattern": "^(.*)$" + }, + "description": { + "type": "string", + "title": "Description", + "description": "A description of the issue", + "pattern": "^(.*)$" + }, + "source": { + "type": "object", + "title": "Source", + "description": "The source of the issue where it is documented", + "properties": { + "name": { + "type": "string", + "title": "Name", + "description": "The name of the source. For example 'National Vulnerability Database', 'NVD', and 'Apache'", + "pattern": "^(.*)$" + }, + "url": { + "type": "string", + "title": "URL", + "description": "The url of the issue documentation as provided by the source", + "pattern": "^(.*)$" + } + } + }, + "references": { + "type": "array", + "title": "References", + "description": "A collection of URL's for reference. 
Multiple URLs are allowed.", + "default": "", + "examples": ["https://example.com"], + "pattern": "^(.*)$" + } + } + }, + "identifiableAction": { + "type": "object", + "title": "Identifiable Action", + "description": "Specifies an individual commit", + "properties": { + "timestamp": { + "type": "string", + "format": "date-time", + "title": "Timestamp", + "description": "The timestamp in which the action occurred" + }, + "name": { + "type": "string", + "title": "Name", + "description": "The name of the individual who performed the action", + "pattern": "^(.*)$" + }, + "email": { + "type": "string", + "format": "idn-email", + "title": "E-mail", + "description": "The email address of the individual who performed the action" + } + } + }, + "externalReference": { + "type": "object", + "title": "External Reference", + "description": "Specifies an individual external reference", + "required": [ + "url", + "type" + ], + "properties": { + "url": { + "type": "string", + "title": "URL", + "description": "The URL to the external reference", + "pattern": "^(.*)$" + }, + "comment": { + "type": "string", + "title": "Comment", + "description": "An optional comment describing the external reference", + "pattern": "^(.*)$" + }, + "type": { + "type": "string", + "title": "Type", + "description": "Specifies the type of external reference. There are built-in types to describe common references. If a type does not exist for the reference being referred to, use the \"other\" type.", + "enum": [ + "vcs", + "issue-tracker", + "website", + "advisories", + "bom", + "mailing-list", + "social", + "chat", + "documentation", + "support", + "distribution", + "license", + "build-meta", + "build-system", + "other" + ] + } + } + }, + "dependency": { + "type": "object", + "title": "Dependency", + "description": "Defines the direct dependencies of a component. Components that do not have their own dependencies MUST be declared as empty elements within the graph. 
Components that are not represented in the dependency graph MAY have unknown dependencies. It is RECOMMENDED that implementations assume this to be opaque and not an indicator of a component being dependency-free.", + "required": [ + "ref" + ], + "properties": { + "ref": { + "$ref": "#/definitions/refType", + "format": "string", + "title": "Reference", + "description": "References a component by the components bom-ref attribute" + }, + "dependsOn": { + "type": "array", + "uniqueItems": true, + "items": { + "$ref": "#/definitions/refType" + }, + "title": "Depends On", + "description": "The bom-ref identifiers of the components that are dependencies of this dependency object." + } + } + }, + "service": { + "type": "object", + "title": "Service Object", + "required": [ + "name" + ], + "properties": { + "bom-ref": { + "$ref": "#/definitions/refType", + "title": "BOM Reference", + "description": "An optional identifier which can be used to reference the service elsewhere in the BOM. Every bom-ref should be unique.", + "default": "", + "pattern": "^(.*)$" + }, + "provider": { + "title": "Provider", + "description": "The organization that provides the service.", + "$ref": "#/definitions/organizationalEntity" + }, + "group": { + "type": "string", + "title": "Service Group", + "description": "The grouping name, namespace, or identifier. This will often be a shortened, single name of the company or project that produced the service or domain name. Whitespace and special characters should be avoided.", + "default": "", + "examples": ["com.acme"], + "pattern": "^(.*)$" + }, + "name": { + "type": "string", + "title": "Service Name", + "description": "The name of the service. 
This will often be a shortened, single name of the service.", + "default": "", + "examples": ["ticker-service"], + "pattern": "^(.*)$" + }, + "version": { + "type": "string", + "title": "Service Version", + "description": "The service version.", + "default": "", + "examples": ["1.0.0"], + "pattern": "^(.*)$" + }, + "description": { + "type": "string", + "title": "Service Description", + "description": "Specifies a description for the service", + "default": "", + "pattern": "^(.*)$" + }, + "endpoints": { + "type": "array", + "title": "Endpoints", + "description": "The endpoint URIs of the service. Multiple endpoints are allowed.", + "default": "", + "examples": ["https://example.com/api/v1/ticker"], + "pattern": "^(.*)$" + }, + "authenticated": { + "type": "boolean", + "title": "Authentication Required", + "description": "A boolean value indicating if the service requires authentication. A value of true indicates the service requires authentication prior to use. A value of false indicates the service does not require authentication." + }, + "x-trust-boundary": { + "type": "boolean", + "title": "Crosses Trust Boundary", + "description": "A boolean value indicating if use of the service crosses a trust zone or boundary. A value of true indicates that by using the service, a trust boundary is crossed. A value of false indicates that by using the service, a trust boundary is not crossed." + }, + "data": { + "type": "array", + "items": {"$ref": "#/definitions/dataClassification"}, + "title": "Data Classification", + "description": "Specifies the data classification." 
+ }, + "licenses": { + "type": "array", + "title": "Component License(s)", + "items": { + "properties": { + "license": { + "$ref": "#/definitions/license" + }, + "expression": { + "type": "string", + "title": "SPDX License Expression", + "examples": [ + "Apache-2.0 AND (MIT OR GPL-2.0-only)", + "GPL-3.0-only WITH Classpath-exception-2.0" + ], + "pattern": "^(.*)$" + } + }, + "oneOf":[ + { + "required": ["license"] + }, + { + "required": ["expression"] + } + ] + } + }, + "externalReferences": { + "type": "array", + "items": {"$ref": "#/definitions/externalReference"}, + "title": "External References" + }, + "services": { + "$id": "#/definitions/service/properties/services", + "type": "array", + "items": {"$ref": "#/definitions/service"}, + "uniqueItems": true, + "title": "Services" + } + } + }, + "dataClassification": { + "type": "object", + "title": "Hash Objects", + "required": [ + "flow", + "classification" + ], + "properties": { + "flow": { + "$ref": "#/definitions/dataFlow" + }, + "classification": { + "type": "string" + } + } + }, + "dataFlow": { + "type": "string", + "enum": [ + "inbound", + "outbound", + "bi-directional", + "unknown" + ], + "title": "Data flow direction", + "default": "", + "pattern": "^(.*)$" + } + } +} diff --git a/schema/bom-1.2.xsd b/schema/bom-1.2.xsd new file mode 100644 index 0000000..6b68fa6 --- /dev/null +++ b/schema/bom-1.2.xsd 
@@ -0,0 +1,1425 @@ + + + + + + + + + CycloneDX Software Bill-of-Material Specification + https://cyclonedx.org/ + Apache License, Version 2.0 + + Steve Springett + + + + + + + Identifier-DataType for interlinked elements. + + + + + + + + + The date and time (timestamp) when the document was created. + + + + + The tool(s) used in the creation of the BOM. + + + + + + + + + + The person(s) who created the BOM. Authors are common in BOMs created through + manual processes. BOMs created through automated means may not have authors. + + + + + + + + + + The component that the BOM describes. + + + + + The organization that manufactured the component that the BOM describes. + + + + + The organization that supplied the component that the BOM describes. The + supplier may often be the manufacture, but may also be a distributor or repackager. + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + User-defined attributes may be used on this element as long as they + do not have the same name as an existing attribute used by the schema. + + + + + + + + + The name of the organization + + + + + The URL of the organization. Multiple URLs are allowed. + + + + + A contact person at the organization. Multiple contacts are allowed. + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + User-defined attributes may be used on this element as long as they + do not have the same name as an existing attribute used by the schema. + + + + + + + Specifies a tool (manual or automated). + + + + + The vendor of the tool used to create the BOM. + + + + + The name of the tool used to create the BOM. + + + + + The version of the tool used to create the BOM. + + + + + + + + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. 
+ + + + + + + User-defined attributes may be used on this element as long as they + do not have the same name as an existing attribute used by the schema. + + + + + + + + + The name of the contact + + + + + The email address of the contact. Multiple email addresses are allowed. + + + + + The phone number of the contact. Multiple phone numbers are allowed. + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + User-defined attributes may be used on this element as long as they + do not have the same name as an existing attribute used by the schema. + + + + + + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + User-defined attributes may be used on this element as long as they + do not have the same name as an existing attribute used by the schema. + + + + + + + + + The organization that supplied the component. The supplier may often + be the manufacture, but may also be a distributor or repackager. + + + + + The person(s) or organization(s) that authored the component + + + + + The person(s) or organization(s) that published the component + + + + + The grouping name or identifier. This will often be a shortened, single + name of the company or project that produced the component, or the source package or + domain name. Whitespace and special characters should be avoided. Examples include: + apache, org.apache.commons, and apache.org. + + + + + The name of the component. This will often be a shortened, single name + of the component. Examples: commons-lang3 and jquery + + + + + The component version. The version should ideally comply with semantic versioning + but is not enforced. + + + + + Specifies a description for the component + + + + + Specifies the scope of the component. If scope is not specified, 'runtime' + scope should be assumed by the consumer of the BOM + + + + + + + + + + + + + + + + A valid SPDX license expression. 
+ Refer to https://spdx.org/specifications for syntax requirements + + + + + + + + An optional copyright notice informing users of the underlying claims to + copyright ownership in a published work. + + + + + + DEPRECATED - DO NOT USE. This will be removed in a future version. + Specifies a well-formed CPE name. See https://nvd.nist.gov/products/cpe + + + + + + + Specifies the package-url (PURL). The purl, if specified, must be valid and conform + to the specification defined at: https://github.com/package-url/purl-spec + + + + + + + Specifies metadata and content for ISO-IEC 19770-2 Software Identification (SWID) Tags. + + + + + + + DEPRECATED - DO NOT USE. This will be removed in a future version. Use the pedigree + element instead to supply information on exactly how the component was modified. + A boolean value indicating is the component has been modified from the original. + A value of true indicates the component is a derivative of the original. + A value of false indicates the component has not been modified from the original. + + + + + + + Component pedigree is a way to document complex supply chain scenarios where components are + created, distributed, modified, redistributed, combined with other components, etc. + + + + + + Provides the ability to document external references related to the + component or to the project the component describes. + + + + + + Specifies optional sub-components. This is not a dependency tree. It provides a way + to specify a hierarchical representation of component assemblies, similar to + system -> subsystem -> parts assembly in physical supply chains. + + + + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + + Specifies the type of component. 
For software components, classify as application if no more + specific appropriate classification is available or cannot be determined for the component. + + + + + + + The optional mime-type of the component. When used on file components, the mime-type + can provide additional context about the kind of file being represented such as an image, + font, or executable. Some library or framework components may also have an associated mime-type. + + + + + + + An optional identifier which can be used to reference the component elsewhere in the BOM. + Uniqueness is enforced within all elements and children of the root-level bom element. + + + + + + User-defined attributes may be used on this element as long as they + do not have the same name as an existing attribute used by the schema. + + + + + + + + + + A valid SPDX license ID + + + + + If SPDX does not define the license used, this field may be used to provide the license name + + + + + + Specifies the optional full text of the attachment + + + + + The URL to the attachment file. If the attachment is a license or BOM, + an externalReference should also be specified for completeness. + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + + + + + Specifies attributes of the text + + + + Specifies the content type of the text. Defaults to text/plain + if not specified. + + + + + + Specifies the optional encoding the text is represented in + + + + + + + + + + Specifies the file hash of the component + + + + + + Specifies the algorithm used to create the hash + + + + + + + + + + + The component is required for runtime + + + + + The component is optional at runtime. Optional components are components that + are not capable of being called due to them not be installed or otherwise accessible by any means. + Components that are installed but due to configuration or other restrictions are prohibited from + being called must be scoped as 'required'. 
+ + + + + Components that are excluded provide the ability to document component usage + for test and other non-runtime purposes. Excluded components are not reachable within a call + graph at runtime. + + + + + + + + + + A software application. Refer to https://en.wikipedia.org/wiki/Application_software + for information about applications. + + + + + A software framework. Refer to https://en.wikipedia.org/wiki/Software_framework + for information on how frameworks vary slightly from libraries. + + + + + A software library. Refer to https://en.wikipedia.org/wiki/Library_(computing) + for information about libraries. All third-party and open source reusable components will likely + be a library. If the library also has key features of a framework, then it should be classified + as a framework. If not, or is unknown, then specifying library is recommended. + + + + + A packaging and/or runtime format, not specific to any particular technology, + which isolates software inside the container from software outside of a container through + virtualization technology. Refer to https://en.wikipedia.org/wiki/OS-level_virtualization + + + + + A software operating system without regard to deployment model + (i.e. installed on physical hardware, virtual machine, image, etc) Refer to + https://en.wikipedia.org/wiki/Operating_system + + + + + A hardware device such as a processor, or chip-set. A hardware device + containing firmware should include a component for the physical hardware itself, and another + component of type 'firmware' or 'operating-system' (whichever is relevant), describing + information about the software running on the device. + + + + + A special type of software that provides low-level control over a devices + hardware. Refer to https://en.wikipedia.org/wiki/Firmware + + + + + A computer file. Refer to https://en.wikipedia.org/wiki/Computer_file + for information about files. 
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Define the format for acceptable CPE URIs. Supports CPE 2.2 and CPE 2.3 formats. + Refer to https://nvd.nist.gov/products/cpe for official specification. + + + + + + + + + + + + Specifies the full content of the SWID tag. + + + + + The URL to the SWID file. + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + Maps to the tagId of a SoftwareIdentity. + + + + + Maps to the name of a SoftwareIdentity. + + + + + Maps to the version of a SoftwareIdentity. + + + + + Maps to the tagVersion of a SoftwareIdentity. + + + + + Maps to the patch of a SoftwareIdentity. + + + + + + + + Defines a string representation of a UUID conforming to RFC 4122. + + + + + + + + + + + + Version Control System + + + + + Issue or defect tracking system, or an Application Lifecycle Management (ALM) system + + + + + Website + + + + + Security advisories + + + + + Bill-of-material document (CycloneDX, SPDX, SWID, etc) + + + + + Mailing list or discussion group + + + + + Social media account + + + + + Real-time chat platform + + + + + Documentation, guides, or how-to instructions + + + + + Community or commercial support + + + + + Direct or repository download location + + + + + The URL to the license file. If a license URL has been defined in the license + node, it should also be defined as an external reference for completeness + + + + + Build-system specific meta file (i.e. pom.xml, package.json, .nuspec, etc) + + + + + URL to an automated build system + + + + + Use this if no other types accurately describe the purpose of the external reference + + + + + + + + + External references provide a way to document systems, sites, and information that may be relevant + but which are not included with the BOM. 
+ + + + + + Zero or more external references can be defined + + + + + + + + + + The URL to the external reference + + + + + An optional comment describing the external reference + + + + + + Specifies the type of external reference. There are built-in types to describe common + references. If a type does not exist for the reference being referred to, use the "other" type. + + + + + + User-defined attributes may be used on this element as long as they + do not have the same name as an existing attribute used by the schema. + + + + + + + Zero or more commits can be specified. + + + + + Specifies an individual commit. + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + + + + + A unique identifier of the commit. This may be version control + specific. For example, Subversion uses revision numbers whereas git uses commit hashes. + + + + + + The URL to the commit. This URL will typically point to a commit + in a version control system. + + + + + + The author who created the changes in the commit + + + + + The person who committed or pushed the commit + + + + + The text description of the contents of the commit + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + + + Zero or more patches can be specified. + + + + + Specifies an individual patch. + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + + + + + The patch file (or diff) that show changes. + Refer to https://en.wikipedia.org/wiki/Diff + + + + + + + + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + Specifies the purpose for the patch including the resolution of defects, + security issues, or new behavior or functionality + + + + + + + + + A patch which is not developed by the creators or maintainers of the software + being patched. 
Refer to https://en.wikipedia.org/wiki/Unofficial_patch + + + + + A patch which dynamically modifies runtime behavior. + Refer to https://en.wikipedia.org/wiki/Monkey_patch + + + + + A patch which takes code from a newer version of software and applies + it to older versions of the same software. Refer to https://en.wikipedia.org/wiki/Backporting + + + + + A patch created by selectively applying commits from other versions or + branches of the same software. + + + + + + + + + + A fault, flaw, or bug in software + + + + + A new feature or behavior in software + + + + + A special type of defect which impacts security + + + + + + + + + + Specifies the optional text of the diff + + + + + Specifies the URL to the diff + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + + + + + The identifier of the issue assigned by the source of the issue + + + + + The name of the issue + + + + + A description of the issue + + + + + + + The source of the issue where it is documented. + + + + + + + The name of the source. For example "National Vulnerability Database", + "NVD", and "Apache" + + + + + + + The url of the issue documentation as provided by the source + + + + + + + + + + + + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + Specifies the type of issue + + + + + + + + + The timestamp in which the action occurred + + + + + The name of the individual who performed the action + + + + + The email address of the individual who performed the action + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + + + + Component pedigree is a way to document complex supply chain scenarios where components are created, + distributed, modified, redistributed, combined with other components, etc. Pedigree supports viewing + this complex chain from the beginning, the end, or anywhere in the middle. 
It also provides a way to + document variants where the exact relation may not be known. + + + + + + Describes zero or more components in which a component is derived + from. This is commonly used to describe forks from existing projects where the forked version + contains a ancestor node containing the original component it was forked from. For example, + Component A is the original component. Component B is the component being used and documented + in the BOM. However, Component B contains a pedigree node with a single ancestor documenting + Component A - the original component from which Component B is derived from. + + + + + + Descendants are the exact opposite of ancestors. This provides a + way to document all forks (and their forks) of an original or root component. + + + + + + Variants describe relations where the relationship between the + components are not known. For example, if Component A contains nearly identical code to + Component B. They are both related, but it is unclear if one is derived from the other, + or if they share a common ancestor. + + + + + + A list of zero or more commits which provide a trail describing + how the component deviates from an ancestor, descendant, or variant. + + + + + A list of zero or more patches describing how the component + deviates from an ancestor, descendant, or variant. Patches may be complimentary to commits + or may be used in place of commits. + + + + + Notes, observations, and other non-structured commentary + describing the components pedigree. + + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + + + + + + + References a component or service by the its bom-ref attribute + + + + + User-defined attributes may be used on this element as long as they + do not have the same name as an existing attribute used by the schema. + + + + + + + + + Components that do not have their own dependencies MUST be declared as empty + elements within the graph. 
Components that are not represented in the dependency graph MAY + have unknown dependencies. It is RECOMMENDED that implementations assume this to be opaque + and not an indicator of a component being dependency-free. + + + + + + + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + User-defined attributes may be used on this element as long as they + do not have the same name as an existing attribute used by the schema. + + + + + + + + + The organization that provides the service. + + + + + The grouping name, namespace, or identifier. This will often be a shortened, + single name of the company or project that produced the service or domain name. + Whitespace and special characters should be avoided. + + + + + The name of the service. This will often be a shortened, single name + of the service. + + + + + The service version. + + + + + Specifies a description for the service. + + + + + + + + A service endpoint URI. + + + + + + + + A boolean value indicating if the service requires authentication. + A value of true indicates the service requires authentication prior to use. + A value of false indicates the service does not require authentication. + + + + + A boolean value indicating if use of the service crosses a trust zone or boundary. + A value of true indicates that by using the service, a trust boundary is crossed. + A value of false indicates that by using the service, a trust boundary is not crossed. + + + + + + + + Specifies the data classification. + + + + + + + + + + + + A valid SPDX license expression. + Refer to https://spdx.org/specifications for syntax requirements + + + + + + + + Provides the ability to document external references related to the service. + + + + + + Specifies optional sub-service. This is not a dependency tree. It provides a way + to specify a hierarchical representation of service assemblies, similar to + system -> subsystem -> parts assembly in physical supply chains. 
+ + + + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + + An optional identifier which can be used to reference the service elsewhere in the BOM. + Uniqueness is enforced within all elements and children of the root-level bom element. + + + + + + User-defined attributes may be used on this element as long as they + do not have the same name as an existing attribute used by the schema. + + + + + + + Specifies the data classification. + + + + + + Specifies the flow direction of the data. + + + + + + + + + Specifies the flow direction of the data. Valid values are: + inbound, outbound, bi-directional, and unknown. Direction is relative to the service. + Inbound flow states that data enters the service. Outbound flow states that data + leaves the service. Bi-directional states that data flows both ways, and unknown + states that the direction is not known. + + + + + + + + + + + + + + + Provides additional information about a BOM. + + + + + Provides the ability to document a list of components. + + + + + Provides the ability to document a list of external services. + + + + + Provides the ability to document external references related to the BOM or + to the project the BOM describes. + + + + + Provides the ability to document dependency relationships. + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + The version allows component publishers/authors to make changes to existing + BOMs to update various aspects of the document such as description or licenses. When a system + is presented with multiple BOMs for the same component, the system should use the most recent + version of the BOM. The default version is '1' and should be incremented for each version of the + BOM that is published. 
Each version of a component should have a unique BOM and if no changes are + made to the BOMs, then each BOM will have a version of '1'. + + + + + Every BOM generated should have a unique serial number, even if the contents + of the BOM being generated have not changed over time. The process or tool responsible for + creating the BOM should create random UUID's for every BOM generated. + + + + + User-defined attributes may be used on this element as long as they + do not have the same name as an existing attribute used by the schema. + + + + + + + + + diff --git a/schema/bom-1.3-strict.schema.json b/schema/bom-1.3-strict.schema.json new file mode 100644 index 0000000..67196c1 --- /dev/null +++ b/schema/bom-1.3-strict.schema.json 
@@ -0,0 +1,1089 @@
+{
+ "$schema": "http://json-schema.org/draft-07/schema#",
+ "$id": "http://cyclonedx.org/schema/bom-1.3a.schema.json",
+ "type": "object",
+ "title": "CycloneDX Software Bill-of-Material Specification",
+ "$comment" : "CycloneDX JSON schema is published under the terms of the Apache License 2.0.",
+ "required": [
+ "bomFormat",
+ "specVersion",
+ "version"
+ ],
+ "additionalProperties": false,
+ "properties": {
+ "$schema": {
+ "type": "string",
+ "enum": [
+ "http://cyclonedx.org/schema/bom-1.3.schema.json"
+ ]
+ },
+ "bomFormat": {
+ "$id": "#/properties/bomFormat",
+ "type": "string",
+ "title": "BOM Format",
+ "description": "Specifies the format of the BOM. This helps to identify the file as CycloneDX since BOMs do not have a filename convention nor does JSON schema support namespaces.",
+ "enum": [
+ "CycloneDX"
+ ]
+ },
+ "specVersion": {
+ "$id": "#/properties/specVersion",
+ "type": "string",
+ "title": "CycloneDX Specification Version",
+ "description": "The version of the CycloneDX specification a BOM is written to (starting at version 1.2)",
+ "examples": ["1.3"]
+ },
+ "serialNumber": {
+ "$id": "#/properties/serialNumber",
+ "type": "string",
+ "title": "BOM Serial Number",
+ "description": "Every BOM generated should have a unique serial number, even if the contents of the BOM being generated have not changed over time. The process or tool responsible for creating the BOM should create random UUID's for every BOM generated.",
+ "examples": ["urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79"],
+ "pattern": "^urn:uuid:[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$"
+ },
+ "version": {
+ "$id": "#/properties/version",
+ "type": "integer",
+ "title": "BOM Version",
+ "description": "The version allows component publishers/authors to make changes to existing BOMs to update various aspects of the document such as description or licenses. 
When a system is presented with multiple BOMs for the same component, the system should use the most recent version of the BOM. The default version is '1' and should be incremented for each version of the BOM that is published. Each version of a component should have a unique BOM and if no changes are made to the BOMs, then each BOM will have a version of '1'.",
+ "default": 1,
+ "examples": [1]
+ },
+ "metadata": {
+ "$id": "#/properties/metadata",
+ "$ref": "#/definitions/metadata",
+ "title": "BOM Metadata",
+ "description": "Provides additional information about a BOM."
+ },
+ "components": {
+ "$id": "#/properties/components",
+ "type": "array",
+ "items": {"$ref": "#/definitions/component"},
+ "uniqueItems": true,
+ "title": "Components"
+ },
+ "services": {
+ "$id": "#/properties/services",
+ "type": "array",
+ "items": {"$ref": "#/definitions/service"},
+ "uniqueItems": true,
+ "title": "Services"
+ },
+ "externalReferences": {
+ "$id": "#/properties/externalReferences",
+ "type": "array",
+ "items": {"$ref": "#/definitions/externalReference"},
+ "title": "External References",
+ "description": "External references provide a way to document systems, sites, and information that may be relevant but which are not included with the BOM."
+ },
+ "dependencies": {
+ "$id": "#/properties/dependencies",
+ "type": "array",
+ "items": {"$ref": "#/definitions/dependency"},
+ "uniqueItems": true,
+ "title": "Dependencies",
+ "description": "Provides the ability to document dependency relationships."
+ },
+ "compositions": {
+ "$id": "#/properties/compositions",
+ "type": "array",
+ "items": {"$ref": "#/definitions/compositions"},
+ "uniqueItems": true,
+ "title": "Compositions",
+ "description": "Compositions describe constituent parts (including components, services, and dependency relationships) and their completeness." 
+ } + }, + "definitions": { + "refType": { + "$comment": "Identifier-DataType for interlinked elements.", + "type": "string" + }, + "metadata": { + "type": "object", + "title": "BOM Metadata Object", + "additionalProperties": false, + "properties": { + "timestamp": { + "type": "string", + "format": "date-time", + "title": "Timestamp", + "description": "The date and time (timestamp) when the document was created." + }, + "tools": { + "type": "array", + "title": "Creation Tools", + "description": "The tool(s) used in the creation of the BOM.", + "items": {"$ref": "#/definitions/tool"} + }, + "authors" :{ + "type": "array", + "title": "Authors", + "description": "The person(s) who created the BOM. Authors are common in BOMs created through manual processes. BOMs created through automated means may not have authors.", + "items": {"$ref": "#/definitions/organizationalContact"} + }, + "component": { + "title": "Component", + "description": "The component that the BOM describes.", + "$ref": "#/definitions/component" + }, + "manufacture": { + "title": "Manufacture", + "description": "The organization that manufactured the component that the BOM describes.", + "$ref": "#/definitions/organizationalEntity" + }, + "supplier": { + "title": "Supplier", + "description": " The organization that supplied the component that the BOM describes. The supplier may often be the manufacturer, but may also be a distributor or repackager.", + "$ref": "#/definitions/organizationalEntity" + }, + "licenses": { + "type": "array", + "title": "BOM License(s)", + "items": {"$ref": "#/definitions/licenseChoice"} + }, + "properties": { + "type": "array", + "title": "Properties", + "description": "Provides the ability to document properties in a name-value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. 
Unlike key-value stores, properties support duplicate names, each potentially having different values.", + "items": {"$ref": "#/definitions/property"} + } + } + }, + "tool": { + "type": "object", + "title": "Tool", + "description": "The tool used to create the BOM.", + "additionalProperties": false, + "properties": { + "vendor": { + "type": "string", + "title": "Tool Vendor", + "description": "The date and time (timestamp) when the document was created." + }, + "name": { + "type": "string", + "title": "Tool Name", + "description": "The date and time (timestamp) when the document was created." + }, + "version": { + "type": "string", + "title": "Tool Version", + "description": "The date and time (timestamp) when the document was created." + }, + "hashes": { + "$id": "#/definitions/tool/properties/hashes", + "type": "array", + "items": {"$ref": "#/definitions/hash"}, + "title": "Hashes", + "description": "The hashes of the tool (if applicable)." + } + } + }, + "organizationalEntity": { + "type": "object", + "title": "Organizational Entity Object", + "description": "", + "additionalProperties": false, + "properties": { + "name": { + "type": "string", + "title": "Name", + "description": "The name of the organization", + "examples": [ + "Example Inc." + ] + }, + "url": { + "type": "array", + "items": { + "type": "string", + "format": "iri-reference" + }, + "title": "URL", + "description": "The URL of the organization. Multiple URLs are allowed.", + "examples": ["https://example.com"] + }, + "contact": { + "type": "array", + "title": "Contact", + "description": "A contact at the organization. 
Multiple contacts are allowed.", + "items": {"$ref": "#/definitions/organizationalContact"} + } + } + }, + "organizationalContact": { + "type": "object", + "title": "Organizational Contact Object", + "description": "", + "additionalProperties": false, + "properties": { + "name": { + "type": "string", + "title": "Name", + "description": "The name of a contact", + "examples": ["Contact name"] + }, + "email": { + "type": "string", + "title": "Email Address", + "description": "The email address of the contact.", + "examples": ["firstname.lastname@example.com"] + }, + "phone": { + "type": "string", + "title": "Phone", + "description": "The phone number of the contact.", + "examples": ["800-555-1212"] + } + } + }, + "component": { + "type": "object", + "title": "Component Object", + "required": [ + "type", + "name", + "version" + ], + "additionalProperties": false, + "properties": { + "type": { + "type": "string", + "enum": [ + "application", + "framework", + "library", + "container", + "operating-system", + "device", + "firmware", + "file" + ], + "title": "Component Type", + "description": "Specifies the type of component. For software components, classify as application if no more specific appropriate classification is available or cannot be determined for the component.", + "examples": ["library"] + }, + "mime-type": { + "type": "string", + "title": "Mime-Type", + "description": "The optional mime-type of the component. When used on file components, the mime-type can provide additional context about the kind of file being represented such as an image, font, or executable. Some library or framework components may also have an associated mime-type.", + "examples": ["image/jpeg"], + "pattern": "^[-+a-z0-9.]+/[-+a-z0-9.]+$" + }, + "bom-ref": { + "$ref": "#/definitions/refType", + "title": "BOM Reference", + "description": "An optional identifier which can be used to reference the component elsewhere in the BOM. Every bom-ref should be unique." 
+ }, + "supplier": { + "title": "Component Supplier", + "description": " The organization that supplied the component. The supplier may often be the manufacturer, but may also be a distributor or repackager.", + "$ref": "#/definitions/organizationalEntity" + }, + "author": { + "type": "string", + "title": "Component Author", + "description": "The person(s) or organization(s) that authored the component", + "examples": ["Acme Inc"] + }, + "publisher": { + "type": "string", + "title": "Component Publisher", + "description": "The person(s) or organization(s) that published the component", + "examples": ["Acme Inc"] + }, + "group": { + "type": "string", + "title": "Component Group", + "description": "The grouping name or identifier. This will often be a shortened, single name of the company or project that produced the component, or the source package or domain name. Whitespace and special characters should be avoided. Examples include: apache, org.apache.commons, and apache.org.", + "examples": ["com.acme"] + }, + "name": { + "type": "string", + "title": "Component Name", + "description": "The name of the component. This will often be a shortened, single name of the component. Examples: commons-lang3 and jquery", + "examples": ["tomcat-catalina"] + }, + "version": { + "type": "string", + "title": "Component Version", + "description": "The component version. The version should ideally comply with semantic versioning but is not enforced.", + "examples": ["9.0.14"] + }, + "description": { + "type": "string", + "title": "Component Description", + "description": "Specifies a description for the component" + }, + "scope": { + "type": "string", + "enum": [ + "required", + "optional", + "excluded" + ], + "title": "Component Scope", + "description": "Specifies the scope of the component. 
If scope is not specified, 'required' scope should be assumed by the consumer of the BOM", + "default": "required" + }, + "hashes": { + "type": "array", + "title": "Component Hashes", + "items": {"$ref": "#/definitions/hash"} + }, + "licenses": { + "type": "array", + "items": {"$ref": "#/definitions/licenseChoice"}, + "title": "Component License(s)" + }, + "copyright": { + "type": "string", + "title": "Component Copyright", + "description": "An optional copyright notice informing users of the underlying claims to copyright ownership in a published work.", + "examples": ["Acme Inc"] + }, + "cpe": { + "type": "string", + "title": "Component Common Platform Enumeration (CPE)", + "description": "DEPRECATED - DO NOT USE. This will be removed in a future version. Specifies a well-formed CPE name. See https://nvd.nist.gov/products/cpe", + "examples": ["cpe:2.3:a:acme:component_framework:-:*:*:*:*:*:*:*"] + }, + "purl": { + "type": "string", + "title": "Component Package URL (purl)", + "examples": ["pkg:maven/com.acme/tomcat-catalina@9.0.14?packaging=jar"] + }, + "swid": { + "$ref": "#/definitions/swid", + "title": "SWID Tag", + "description": "Specifies metadata and content for ISO-IEC 19770-2 Software Identification (SWID) Tags." + }, + "modified": { + "type": "boolean", + "title": "Component Modified From Original", + "description": "DEPRECATED - DO NOT USE. This will be removed in a future version. Use the pedigree element instead to supply information on exactly how the component was modified. A boolean value indicating is the component has been modified from the original. A value of true indicates the component is a derivative of the original. A value of false indicates the component has not been modified from the original." 
+ }, + "pedigree": { + "type": "object", + "title": "Component Pedigree", + "description": "Component pedigree is a way to document complex supply chain scenarios where components are created, distributed, modified, redistributed, combined with other components, etc. Pedigree supports viewing this complex chain from the beginning, the end, or anywhere in the middle. It also provides a way to document variants where the exact relation may not be known.", + "additionalProperties": false, + "properties": { + "ancestors": { + "type": "array", + "title": "Ancestors", + "description": "Describes zero or more components in which a component is derived from. This is commonly used to describe forks from existing projects where the forked version contains a ancestor node containing the original component it was forked from. For example, Component A is the original component. Component B is the component being used and documented in the BOM. However, Component B contains a pedigree node with a single ancestor documenting Component A - the original component from which Component B is derived from.", + "items": {"$ref": "#/definitions/component"} + }, + "descendants": { + "type": "array", + "title": "Descendants", + "description": "Descendants are the exact opposite of ancestors. This provides a way to document all forks (and their forks) of an original or root component.", + "items": {"$ref": "#/definitions/component"} + }, + "variants": { + "type": "array", + "title": "Variants", + "description": "Variants describe relations where the relationship between the components are not known. For example, if Component A contains nearly identical code to Component B. 
They are both related, but it is unclear if one is derived from the other, or if they share a common ancestor.", + "items": {"$ref": "#/definitions/component"} + }, + "commits": { + "type": "array", + "title": "Commits", + "description": "A list of zero or more commits which provide a trail describing how the component deviates from an ancestor, descendant, or variant.", + "items": {"$ref": "#/definitions/commit"} + }, + "patches": { + "type": "array", + "title": "Patches", + "description": ">A list of zero or more patches describing how the component deviates from an ancestor, descendant, or variant. Patches may be complimentary to commits or may be used in place of commits.", + "items": {"$ref": "#/definitions/patch"} + }, + "notes": { + "type": "string", + "title": "Notes", + "description": "Notes, observations, and other non-structured commentary describing the components pedigree." + } + } + }, + "externalReferences": { + "type": "array", + "items": {"$ref": "#/definitions/externalReference"}, + "title": "External References" + }, + "components": { + "$id": "#/definitions/component/properties/components", + "type": "array", + "items": {"$ref": "#/definitions/component"}, + "uniqueItems": true, + "title": "Components" + }, + "evidence": { + "$ref": "#/definitions/componentEvidence", + "title": "Evidence", + "description": "Provides the ability to document evidence collected through various forms of extraction or analysis." + }, + "properties": { + "type": "array", + "title": "Properties", + "description": "Provides the ability to document properties in a name-value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. 
Unlike key-value stores, properties support duplicate names, each potentially having different values.", + "items": {"$ref": "#/definitions/property"} + } + } + }, + "swid": { + "type": "object", + "title": "SWID Tag", + "description": "Specifies metadata and content for ISO-IEC 19770-2 Software Identification (SWID) Tags.", + "required": [ + "tagId", + "name" + ], + "additionalProperties": false, + "properties": { + "tagId": { + "type": "string", + "title": "Tag ID", + "description": "Maps to the tagId of a SoftwareIdentity." + }, + "name": { + "type": "string", + "title": "Name", + "description": "Maps to the name of a SoftwareIdentity." + }, + "version": { + "type": "string", + "title": "Version", + "default": "0.0", + "description": "Maps to the version of a SoftwareIdentity." + }, + "tagVersion": { + "type": "integer", + "title": "Tag Version", + "default": 0, + "description": "Maps to the tagVersion of a SoftwareIdentity." + }, + "patch": { + "type": "boolean", + "title": "Patch", + "default": false, + "description": "Maps to the patch of a SoftwareIdentity." + }, + "text": { + "title": "Attachment text", + "description": "Specifies the metadata and content of the SWID tag.", + "$ref": "#/definitions/attachment" + }, + "url": { + "type": "string", + "title": "URL", + "description": "The URL to the SWID file.", + "format": "iri-reference" + } + } + }, + "attachment": { + "type": "object", + "title": "Attachment", + "description": "Specifies the metadata and content for an attachment.", + "required": [ + "content" + ], + "additionalProperties": false, + "properties": { + "contentType": { + "type": "string", + "title": "Content-Type", + "description": "Specifies the content type of the text. 
Defaults to text/plain if not specified.", + "default": "text/plain" + }, + "encoding": { + "type": "string", + "title": "Encoding", + "description": "Specifies the optional encoding the text is represented in.", + "enum": [ + "base64" + ] + }, + "content": { + "type": "string", + "title": "Attachment Text", + "description": "The attachment data" + } + } + }, + "hash": { + "type": "object", + "title": "Hash Objects", + "required": [ + "alg", + "content" + ], + "additionalProperties": false, + "properties": { + "alg": { + "$ref": "#/definitions/hash-alg" + }, + "content": { + "$ref": "#/definitions/hash-content" + } + } + }, + "hash-alg": { + "type": "string", + "enum": [ + "MD5", + "SHA-1", + "SHA-256", + "SHA-384", + "SHA-512", + "SHA3-256", + "SHA3-384", + "SHA3-512", + "BLAKE2b-256", + "BLAKE2b-384", + "BLAKE2b-512", + "BLAKE3" + ], + "title": "Hash Algorithm" + }, + "hash-content": { + "type": "string", + "title": "Hash Content (value)", + "examples": ["3942447fac867ae5cdb3229b658f4d48"], + "pattern": "^([a-fA-F0-9]{32}|[a-fA-F0-9]{40}|[a-fA-F0-9]{64}|[a-fA-F0-9]{96}|[a-fA-F0-9]{128})$" + }, + "license": { + "type": "object", + "title": "License Object", + "oneOf": [ + { + "required": ["id"] + }, + { + "required": ["name"] + } + ], + "additionalProperties": false, + "properties": { + "id": { + "$ref": "spdx.schema.json", + "title": "License ID (SPDX)", + "description": "A valid SPDX license ID", + "examples": ["Apache-2.0"] + }, + "name": { + "type": "string", + "title": "License Name", + "description": "If SPDX does not define the license used, this field may be used to provide the license name", + "examples": ["Acme Software License"] + }, + "text": { + "title": "License text", + "description": "An optional way to include the textual content of a license.", + "$ref": "#/definitions/attachment" + }, + "url": { + "type": "string", + "title": "License URL", + "description": "The URL to the license file. 
If specified, a 'license' externalReference should also be specified for completeness", + "examples": ["https://www.apache.org/licenses/LICENSE-2.0.txt"], + "format": "iri-reference" + } + } + }, + "licenseChoice": { + "type": "object", + "title": "License(s)", + "additionalProperties": false, + "properties": { + "license": { + "$ref": "#/definitions/license" + }, + "expression": { + "type": "string", + "title": "SPDX License Expression", + "examples": [ + "Apache-2.0 AND (MIT OR GPL-2.0-only)", + "GPL-3.0-only WITH Classpath-exception-2.0" + ] + } + }, + "oneOf":[ + { + "required": ["license"] + }, + { + "required": ["expression"] + } + ] + }, + "commit": { + "type": "object", + "title": "Commit", + "description": "Specifies an individual commit", + "additionalProperties": false, + "properties": { + "uid": { + "type": "string", + "title": "UID", + "description": "A unique identifier of the commit. This may be version control specific. For example, Subversion uses revision numbers whereas git uses commit hashes." + }, + "url": { + "type": "string", + "title": "URL", + "description": "The URL to the commit. 
This URL will typically point to a commit in a version control system.", + "format": "iri-reference" + }, + "author": { + "title": "Author", + "description": "The author who created the changes in the commit", + "$ref": "#/definitions/identifiableAction" + }, + "committer": { + "title": "Committer", + "description": "The person who committed or pushed the commit", + "$ref": "#/definitions/identifiableAction" + }, + "message": { + "type": "string", + "title": "Message", + "description": "The text description of the contents of the commit" + } + } + }, + "patch": { + "type": "object", + "title": "Patch", + "description": "Specifies an individual patch", + "required": [ + "type" + ], + "additionalProperties": false, + "properties": { + "type": { + "type": "string", + "enum": [ + "unofficial", + "monkey", + "backport", + "cherry-pick" + ], + "title": "Type", + "description": "Specifies the purpose for the patch including the resolution of defects, security issues, or new behavior or functionality" + }, + "diff": { + "title": "Diff", + "description": "The patch file (or diff) that show changes. Refer to https://en.wikipedia.org/wiki/Diff", + "$ref": "#/definitions/diff" + }, + "resolves": { + "type": "array", + "items": {"$ref": "#/definitions/issue"}, + "title": "Resolves", + "description": "A collection of issues the patch resolves" + } + } + }, + "diff": { + "type": "object", + "title": "Diff", + "description": "The patch file (or diff) that show changes. Refer to https://en.wikipedia.org/wiki/Diff", + "additionalProperties": false, + "properties": { + "text": { + "title": "Diff text", + "description": "Specifies the optional text of the diff", + "$ref": "#/definitions/attachment" + }, + "url": { + "type": "string", + "title": "URL", + "description": "Specifies the URL to the diff", + "format": "iri-reference" + } + } + }, + "issue": { + "type": "object", + "title": "Diff", + "description": "The patch file (or diff) that show changes. 
Refer to https://en.wikipedia.org/wiki/Diff",
+ "required": [
+ "type"
+ ],
+ "additionalProperties": false,
+ "properties": {
+ "type": {
+ "type": "string",
+ "enum": [
+ "defect",
+ "enhancement",
+ "security"
+ ],
+ "title": "Type",
+ "description": "Specifies the type of issue"
+ },
+ "id": {
+ "type": "string",
+ "title": "ID",
+ "description": "The identifier of the issue assigned by the source of the issue"
+ },
+ "name": {
+ "type": "string",
+ "title": "Name",
+ "description": "The name of the issue"
+ },
+ "description": {
+ "type": "string",
+ "title": "Description",
+ "description": "A description of the issue"
+ },
+ "source": {
+ "type": "object",
+ "title": "Source",
+ "description": "The source of the issue where it is documented",
+ "additionalProperties": false,
+ "properties": {
+ "name": {
+ "type": "string",
+ "title": "Name",
+ "description": "The name of the source. For example 'National Vulnerability Database', 'NVD', and 'Apache'"
+ },
+ "url": {
+ "type": "string",
+ "title": "URL",
+ "description": "The url of the issue documentation as provided by the source",
+ "format": "iri-reference"
+ }
+ }
+ },
+ "references": {
+ "type": "array",
+ "items": {
+ "type": "string",
+ "format": "iri-reference"
+ },
+ "title": "References",
+ "description": "A collection of URL's for reference. Multiple URLs are allowed.",
+ "examples": ["https://example.com"]
+ }
+ }
+ },
+ "identifiableAction": {
+ "type": "object",
+ "title": "Identifiable Action",
+ "description": "Specifies an individual commit",
+ "additionalProperties": false,
+ "properties": {
+ "timestamp": {
+ "type": "string",
+ "format": "date-time",
+ "title": "Timestamp",
+ "description": "The timestamp in which the action occurred"
+ },
+ "name": {
+ "type": "string",
+ "title": "Name",
+ "description": "The name of the individual who performed the action"
+ },
+ "email": {
+ "type": "string",
+ "format": "idn-email",
+ "title": "E-mail",
+ "description": "The email address of the individual who performed the action"
+ }
+ }
+ },
+ "externalReference": {
+ "type": "object",
+ "title": "External Reference",
+ "description": "Specifies an individual external reference",
+ "required": [
+ "url",
+ "type"
+ ],
+ "additionalProperties": false,
+ "properties": {
+ "url": {
+ "type": "string",
+ "title": "URL",
+ "description": "The URL to the external reference",
+ "format": "iri-reference"
+ },
+ "comment": {
+ "type": "string",
+ "title": "Comment",
+ "description": "An optional comment describing the external reference"
+ },
+ "type": {
+ "type": "string",
+ "title": "Type",
+ "description": "Specifies the type of external reference. There are built-in types to describe common references. If a type does not exist for the reference being referred to, use the \"other\" type.",
+ "enum": [
+ "vcs",
+ "issue-tracker",
+ "website",
+ "advisories",
+ "bom",
+ "mailing-list",
+ "social",
+ "chat",
+ "documentation",
+ "support",
+ "distribution",
+ "license",
+ "build-meta",
+ "build-system",
+ "other"
+ ]
+ },
+ "hashes": {
+ "$id": "#/definitions/externalReference/properties/hashes",
+ "type": "array",
+ "items": {"$ref": "#/definitions/hash"},
+ "title": "Hashes",
+ "description": "The hashes of the external reference (if applicable)."
+ }
+ }
+ },
+ "dependency": {
+ "type": "object",
+ "title": "Dependency",
+ "description": "Defines the direct dependencies of a component. Components that do not have their own dependencies MUST be declared as empty elements within the graph. Components that are not represented in the dependency graph MAY have unknown dependencies. It is RECOMMENDED that implementations assume this to be opaque and not an indicator of a component being dependency-free.",
+ "required": [
+ "ref"
+ ],
+ "additionalProperties": false,
+ "properties": {
+ "ref": {
+ "$ref": "#/definitions/refType",
+ "title": "Reference",
+ "description": "References a component by the components bom-ref attribute"
+ },
+ "dependsOn": {
+ "type": "array",
+ "uniqueItems": true,
+ "items": {
+ "$ref": "#/definitions/refType"
+ },
+ "title": "Depends On",
+ "description": "The bom-ref identifiers of the components that are dependencies of this dependency object."
+ }
+ }
+ },
+ "service": {
+ "type": "object",
+ "title": "Service Object",
+ "required": [
+ "name"
+ ],
+ "additionalProperties": false,
+ "properties": {
+ "bom-ref": {
+ "$ref": "#/definitions/refType",
+ "title": "BOM Reference",
+ "description": "An optional identifier which can be used to reference the service elsewhere in the BOM. Every bom-ref should be unique."
+ },
+ "provider": {
+ "title": "Provider",
+ "description": "The organization that provides the service.",
+ "$ref": "#/definitions/organizationalEntity"
+ },
+ "group": {
+ "type": "string",
+ "title": "Service Group",
+ "description": "The grouping name, namespace, or identifier. This will often be a shortened, single name of the company or project that produced the service or domain name. Whitespace and special characters should be avoided.",
+ "examples": ["com.acme"]
+ },
+ "name": {
+ "type": "string",
+ "title": "Service Name",
+ "description": "The name of the service. This will often be a shortened, single name of the service.",
+ "examples": ["ticker-service"]
+ },
+ "version": {
+ "type": "string",
+ "title": "Service Version",
+ "description": "The service version.",
+ "examples": ["1.0.0"]
+ },
+ "description": {
+ "type": "string",
+ "title": "Service Description",
+ "description": "Specifies a description for the service"
+ },
+ "endpoints": {
+ "type": "array",
+ "items": {
+ "type": "string",
+ "format": "iri-reference"
+ },
+ "title": "Endpoints",
+ "description": "The endpoint URIs of the service. Multiple endpoints are allowed.",
+ "examples": ["https://example.com/api/v1/ticker"]
+ },
+ "authenticated": {
+ "type": "boolean",
+ "title": "Authentication Required",
+ "description": "A boolean value indicating if the service requires authentication. A value of true indicates the service requires authentication prior to use. A value of false indicates the service does not require authentication."
+ },
+ "x-trust-boundary": {
+ "type": "boolean",
+ "title": "Crosses Trust Boundary",
+ "description": "A boolean value indicating if use of the service crosses a trust zone or boundary. A value of true indicates that by using the service, a trust boundary is crossed. A value of false indicates that by using the service, a trust boundary is not crossed."
+ },
+ "data": {
+ "type": "array",
+ "items": {"$ref": "#/definitions/dataClassification"},
+ "title": "Data Classification",
+ "description": "Specifies the data classification."
+ },
+ "licenses": {
+ "type": "array",
+ "items": {"$ref": "#/definitions/licenseChoice"},
+ "title": "Component License(s)"
+ },
+ "externalReferences": {
+ "type": "array",
+ "items": {"$ref": "#/definitions/externalReference"},
+ "title": "External References"
+ },
+ "services": {
+ "$id": "#/definitions/service/properties/services",
+ "type": "array",
+ "items": {"$ref": "#/definitions/service"},
+ "uniqueItems": true,
+ "title": "Services"
+ },
+ "properties": {
+ "type": "array",
+ "title": "Properties",
+ "description": "Provides the ability to document properties in a name-value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. Unlike key-value stores, properties support duplicate names, each potentially having different values.",
+ "items": {"$ref": "#/definitions/property"}
+ }
+ }
+ },
+ "dataClassification": {
+ "type": "object",
+ "title": "Hash Objects",
+ "required": [
+ "flow",
+ "classification"
+ ],
+ "additionalProperties": false,
+ "properties": {
+ "flow": {
+ "$ref": "#/definitions/dataFlow"
+ },
+ "classification": {
+ "type": "string"
+ }
+ }
+ },
+ "dataFlow": {
+ "type": "string",
+ "enum": [
+ "inbound",
+ "outbound",
+ "bi-directional",
+ "unknown"
+ ],
+ "title": "Data flow direction"
+ },
+
+ "copyright": {
+ "type": "object",
+ "title": "Copyright",
+ "required": [
+ "text"
+ ],
+ "additionalProperties": false,
+ "properties": {
+ "text": {
+ "type": "string",
+ "title": "Copyright Text"
+ }
+ }
+ },
+
+ "componentEvidence": {
+ "type": "object",
+ "title": "Evidence",
+ "description": "Provides the ability to document evidence collected through various forms of extraction or analysis.",
+ "additionalProperties": false,
+ "properties": {
+ "licenses": {
+ "type": "array",
+ "items": {"$ref": "#/definitions/licenseChoice"},
+ "title": "Component License(s)"
+ },
+ "copyright": {
+ "type": "array",
+ "items": {"$ref": "#/definitions/copyright"},
+ "title": "Copyright"
+ }
+ }
+ },
+ "compositions": {
+ "type": "object",
+ "title": "Compositions",
+ "required": [
+ "aggregate"
+ ],
+ "additionalProperties": false,
+ "properties": {
+ "aggregate": {
+ "$ref": "#/definitions/aggregateType",
+ "title": "Aggregate",
+ "description": "Specifies an aggregate type that describe how complete a relationship is."
+ },
+ "assemblies": {
+ "type": "array",
+ "uniqueItems": true,
+ "items": {
+ "type": "string"
+ },
+ "title": "BOM references",
+ "description": "The bom-ref identifiers of the components or services being described. Assemblies refer to nested relationships whereby a constituent part may include other constituent parts. References do not cascade to child parts. References are explicit for the specified constituent part only."
+ },
+ "dependencies": {
+ "type": "array",
+ "uniqueItems": true,
+ "items": {
+ "type": "string"
+ },
+ "title": "BOM references",
+ "description": "The bom-ref identifiers of the components or services being described. Dependencies refer to a relationship whereby an independent constituent part requires another independent constituent part. References do not cascade to transitive dependencies. References are explicit for the specified dependency only."
+ }
+ }
+ },
+ "aggregateType": {
+ "type": "string",
+ "default": "not_specified",
+ "enum": [
+ "complete",
+ "incomplete",
+ "incomplete_first_party_only",
+ "incomplete_third_party_only",
+ "unknown",
+ "not_specified"
+ ]
+ },
+ "property": {
+ "type": "object",
+ "title": "Lightweight name-value pair",
+ "properties": {
+ "name": {
+ "type": "string",
+ "title": "Name",
+ "description": "The name of the property. Duplicate names are allowed, each potentially having a different value."
+ },
+ "value": {
+ "type": "string",
+ "title": "Value",
+ "description": "The value of the property."
+ }
+ }
+ }
+ }
+}
diff --git a/schema/bom-1.3.proto b/schema/bom-1.3.proto
new file mode 100644
index 0000000..50a6aba
--- /dev/null
+++ b/schema/bom-1.3.proto
@@ -0,0 +1,452 @@
+syntax = "proto3";
+package cyclonedx.v1_3;
+import "google/protobuf/timestamp.proto";
+
+// Specifies attributes of the text
+message AttachedText {
+ // Specifies the content type of the text. Defaults to text/plain if not specified.
+ optional string content_type = 1;
+ // Specifies the optional encoding the text is represented in
+ optional string encoding = 2;
+ // SimpleContent value of element
+ string value = 3;
+}
+
+message Bom {
+ // The version of the CycloneDX specification a BOM is written to (starting at version 1.3)
+ string spec_version = 1;
+ // The version allows component publishers/authors to make changes to existing BOMs to update various aspects of the document such as description or licenses. When a system is presented with multiple BOMs for the same component, the system should use the most recent version of the BOM. The default version is '1' and should be incremented for each version of the BOM that is published. Each version of a component should have a unique BOM and if no changes are made to the BOMs, then each BOM will have a version of '1'.
+ optional int32 version = 2;
+ // Every BOM generated should have a unique serial number, even if the contents of the BOM being generated have not changed over time. The process or tool responsible for creating the BOM should create random UUID's for every BOM generated.
+ optional string serial_number = 3;
+ // Provides additional information about a BOM.
+ optional Metadata metadata = 4;
+ // Provides the ability to document a list of components.
+ repeated Component components = 5;
+ // Provides the ability to document a list of external services.
+ repeated Service services = 6;
+ // Provides the ability to document external references related to the BOM or to the project the BOM describes.
+ repeated ExternalReference external_references = 7;
+ // Provides the ability to document dependency relationships.
+ repeated Dependency dependencies = 8;
+ // Provides the ability to document aggregate completeness
+ repeated Composition compositions = 9;
+}
+
+enum Classification {
+ CLASSIFICATION_NULL = 0;
+ // A software application. Refer to https://en.wikipedia.org/wiki/Application_software for information about applications.
+ CLASSIFICATION_APPLICATION = 1;
+ // A software framework. Refer to https://en.wikipedia.org/wiki/Software_framework for information on how frameworks vary slightly from libraries.
+ CLASSIFICATION_FRAMEWORK = 2;
+ // A software library. Refer to https://en.wikipedia.org/wiki/Library_(computing) for information about libraries. All third-party and open source reusable components will likely be a library. If the library also has key features of a framework, then it should be classified as a framework. If not, or is unknown, then specifying library is recommended.
+ CLASSIFICATION_LIBRARY = 3;
+ // A software operating system without regard to deployment model (i.e. installed on physical hardware, virtual machine, image, etc) Refer to https://en.wikipedia.org/wiki/Operating_system
+ CLASSIFICATION_OPERATING_SYSTEM = 4;
+ // A hardware device such as a processor, or chip-set. A hardware device containing firmware should include a component for the physical hardware itself, and another component of type 'firmware' or 'operating-system' (whichever is relevant), describing information about the software running on the device. See also the list of known device properties: https://github.com/CycloneDX/cyclonedx-property-taxonomy/blob/main/cdx/device.md
+ CLASSIFICATION_DEVICE = 5;
+ // A computer file. Refer to https://en.wikipedia.org/wiki/Computer_file for information about files.
+ CLASSIFICATION_FILE = 6;
+ // A packaging and/or runtime format, not specific to any particular technology, which isolates software inside the container from software outside of a container through virtualization technology. Refer to https://en.wikipedia.org/wiki/OS-level_virtualization
+ CLASSIFICATION_CONTAINER = 7;
+ // A special type of software that provides low-level control over a devices hardware. Refer to https://en.wikipedia.org/wiki/Firmware
+ CLASSIFICATION_FIRMWARE = 8;
+}
+
+message Commit {
+ // A unique identifier of the commit. This may be version control specific. For example, Subversion uses revision numbers whereas git uses commit hashes.
+ optional string uid = 1;
+ // The URL to the commit. This URL will typically point to a commit in a version control system.
+ optional string url = 2;
+ // The author who created the changes in the commit
+ optional IdentifiableAction author = 3;
+ // The person who committed or pushed the commit
+ optional IdentifiableAction committer = 4;
+ // The text description of the contents of the commit
+ optional string message = 5;
+}
+
+message Component {
+ // Specifies the type of component. For software components, classify as application if no more specific appropriate classification is available or cannot be determined for the component.
+ Classification type = 1;
+ // The optional mime-type of the component. When used on file components, the mime-type can provide additional context about the kind of file being represented such as an image, font, or executable. Some library or framework components may also have an associated mime-type.
+ optional string mime_type = 2;
+ // An optional identifier which can be used to reference the component elsewhere in the BOM. Uniqueness is enforced within all elements and children of the root-level bom element.
+ optional string bom_ref = 3;
+ // The organization that supplied the component. The supplier may often be the manufacture, but may also be a distributor or repackager.
+ optional OrganizationalEntity supplier = 4;
+ // The person(s) or organization(s) that authored the component
+ optional string author = 5;
+ // The person(s) or organization(s) that published the component
+ optional string publisher = 6;
+ // The grouping name or identifier. This will often be a shortened, single name of the company or project that produced the component, or the source package or domain name. Whitespace and special characters should be avoided. Examples include: apache, org.apache.commons, and apache.org.
+ optional string group = 7;
+ // The name of the component. This will often be a shortened, single name of the component. Examples: commons-lang3 and jquery
+ string name = 8;
+ // The component version. The version should ideally comply with semantic versioning but is not enforced.
+ string version = 9;
+ // Specifies a description for the component
+ optional string description = 10;
+ // Specifies the scope of the component. If scope is not specified, 'runtime' scope should be assumed by the consumer of the BOM
+ optional Scope scope = 11;
+ repeated Hash hashes = 12;
+ repeated LicenseChoice licenses = 13;
+ // An optional copyright notice informing users of the underlying claims to copyright ownership in a published work.
+ optional string copyright = 14;
+ // DEPRECATED - DO NOT USE. This will be removed in a future version. Specifies a well-formed CPE name. See https://nvd.nist.gov/products/cpe
+ optional string cpe = 15;
+ // Specifies the package-url (PURL). The purl, if specified, must be valid and conform to the specification defined at: https://github.com/package-url/purl-spec
+ optional string purl = 16;
+ // Specifies metadata and content for ISO-IEC 19770-2 Software Identification (SWID) Tags.
+ optional Swid swid = 17;
+ // DEPRECATED - DO NOT USE. This will be removed in a future version. Use the pedigree element instead to supply information on exactly how the component was modified. A boolean value indicating is the component has been modified from the original. A value of true indicates the component is a derivative of the original. A value of false indicates the component has not been modified from the original.
+ optional bool modified = 18;
+ // Component pedigree is a way to document complex supply chain scenarios where components are created, distributed, modified, redistributed, combined with other components, etc.
+ optional Pedigree pedigree = 19;
+ // Provides the ability to document external references related to the component or to the project the component describes.
+ repeated ExternalReference external_references = 20;
+ // Specifies optional sub-components. This is not a dependency tree. It provides a way to specify a hierarchical representation of component assemblies, similar to system -> subsystem -> parts assembly in physical supply chains.
+ repeated Component components = 21;
+ // Specifies optional, custom, properties
+ repeated Property properties = 22;
+ // Specifies optional license and copyright evidence
+ repeated Evidence evidence = 23;
+}
+
+// Specifies the data classification.
+message DataClassification {
+ // Specifies the flow direction of the data.
+ DataFlow flow = 1;
+ // SimpleContent value of element
+ string value = 2;
+}
+
+// Specifies the flow direction of the data. Valid values are: inbound, outbound, bi-directional, and unknown. Direction is relative to the service. Inbound flow states that data enters the service. Outbound flow states that data leaves the service. Bi-directional states that data flows both ways, and unknown states that the direction is not known.
+enum DataFlow {
+ DATA_FLOW_NULL = 0;
+ DATA_FLOW_INBOUND = 1;
+ DATA_FLOW_OUTBOUND = 2;
+ DATA_FLOW_BI_DIRECTIONAL = 3;
+ DATA_FLOW_UNKNOWN = 4;
+}
+
+message Dependency {
+ // References a component or service by the its bom-ref attribute
+ string ref = 1;
+ repeated Dependency dependencies = 2;
+}
+
+message Diff {
+ // Specifies the optional text of the diff
+ optional AttachedText text = 1;
+ // Specifies the URL to the diff
+ optional string url = 2;
+}
+
+message ExternalReference {
+ // Specifies the type of external reference. There are built-in types to describe common references. If a type does not exist for the reference being referred to, use the "other" type.
+ ExternalReferenceType type = 1;
+ // The URL to the external reference
+ string url = 2;
+ // An optional comment describing the external reference
+ optional string comment = 3;
+ // Optional integrity hashes for the external resource content
+ repeated Hash hashes = 4;
+}
+
+enum ExternalReferenceType {
+ // Use this if no other types accurately describe the purpose of the external reference
+ EXTERNAL_REFERENCE_TYPE_OTHER = 0;
+ // Version Control System
+ EXTERNAL_REFERENCE_TYPE_VCS = 1;
+ // Issue or defect tracking system, or an Application Lifecycle Management (ALM) system
+ EXTERNAL_REFERENCE_TYPE_ISSUE_TRACKER = 2;
+ // Website
+ EXTERNAL_REFERENCE_TYPE_WEBSITE = 3;
+ // Security advisories
+ EXTERNAL_REFERENCE_TYPE_ADVISORIES = 4;
+ // Bill-of-material document (CycloneDX, SPDX, SWID, etc)
+ EXTERNAL_REFERENCE_TYPE_BOM = 5;
+ // Mailing list or discussion group
+ EXTERNAL_REFERENCE_TYPE_MAILING_LIST = 6;
+ // Social media account
+ EXTERNAL_REFERENCE_TYPE_SOCIAL = 7;
+ // Real-time chat platform
+ EXTERNAL_REFERENCE_TYPE_CHAT = 8;
+ // Documentation, guides, or how-to instructions
+ EXTERNAL_REFERENCE_TYPE_DOCUMENTATION = 9;
+ // Community or commercial support
+ EXTERNAL_REFERENCE_TYPE_SUPPORT = 10;
+ // Direct or repository download location
+ EXTERNAL_REFERENCE_TYPE_DISTRIBUTION = 11;
+ // The URL to the license file. If a license URL has been defined in the license node, it should also be defined as an external reference for completeness
+ EXTERNAL_REFERENCE_TYPE_LICENSE = 12;
+ // Build-system specific meta file (i.e. pom.xml, package.json, .nuspec, etc)
+ EXTERNAL_REFERENCE_TYPE_BUILD_META = 13;
+ // URL to an automated build system
+ EXTERNAL_REFERENCE_TYPE_BUILD_SYSTEM = 14;
+}
+
+enum HashAlg {
+ HASH_ALG_NULL = 0;
+ HASH_ALG_MD_5 = 1;
+ HASH_ALG_SHA_1 = 2;
+ HASH_ALG_SHA_256 = 3;
+ HASH_ALG_SHA_384 = 4;
+ HASH_ALG_SHA_512 = 5;
+ HASH_ALG_SHA_3_256 = 6;
+ HASH_ALG_SHA_3_384 = 7;
+ HASH_ALG_SHA_3_512 = 8;
+ HASH_ALG_BLAKE_2_B_256 = 9;
+ HASH_ALG_BLAKE_2_B_384 = 10;
+ HASH_ALG_BLAKE_2_B_512 = 11;
+ HASH_ALG_BLAKE_3 = 12;
+}
+
+// Specifies the file hash of the component
+message Hash {
+ // Specifies the algorithm used to create the hash
+ HashAlg alg = 1;
+ // SimpleContent value of element
+ string value = 2;
+}
+
+message IdentifiableAction {
+ // The timestamp in which the action occurred
+ optional google.protobuf.Timestamp timestamp = 1;
+ // The name of the individual who performed the action
+ optional string name = 2;
+ // The email address of the individual who performed the action
+ optional string email = 3;
+}
+
+enum IssueClassification {
+ ISSUE_CLASSIFICATION_NULL = 0;
+ // A fault, flaw, or bug in software
+ ISSUE_CLASSIFICATION_DEFECT = 1;
+ // A new feature or behavior in software
+ ISSUE_CLASSIFICATION_ENHANCEMENT = 2;
+ // A special type of defect which impacts security
+ ISSUE_CLASSIFICATION_SECURITY = 3;
+}
+
+message Issue {
+ // Specifies the type of issue
+ IssueClassification type = 1;
+ // The identifier of the issue assigned by the source of the issue
+ optional string id = 2;
+ // The name of the issue
+ optional string name = 3;
+ // A description of the issue
+ optional string description = 4;
+ optional Source source = 5;
+ repeated string references = 6;
+}
+
+// The source of the issue where it is documented.
+message Source {
+ // The name of the source. For example "National Vulnerability Database", "NVD", and "Apache"
+ optional string name = 1;
+ // The url of the issue documentation as provided by the source
+ optional string url = 2;
+}
+
+message LicenseChoice {
+ oneof choice {
+ License license = 1;
+ string expression = 2;
+ }
+}
+
+message License {
+ oneof license {
+ // A valid SPDX license ID
+ string id = 1;
+ // If SPDX does not define the license used, this field may be used to provide the license name
+ string name = 2;
+ }
+ // Specifies the optional full text of the attachment
+ optional AttachedText text = 3;
+ // The URL to the attachment file. If the attachment is a license or BOM, an externalReference should also be specified for completeness.
+ optional string url = 4;
+}
+
+message Metadata {
+ // The date and time (timestamp) when the document was created.
+ optional google.protobuf.Timestamp timestamp = 1;
+ // The tool(s) used in the creation of the BOM.
+ repeated Tool tools = 2;
+ // The person(s) who created the BOM. Authors are common in BOMs created through manual processes. BOMs created through automated means may not have authors.
+ repeated OrganizationalContact authors = 3;
+ // The component that the BOM describes.
+ optional Component component = 4;
+ // The organization that manufactured the component that the BOM describes.
+ optional OrganizationalEntity manufacture = 5;
+ // The organization that supplied the component that the BOM describes. The supplier may often be the manufacture, but may also be a distributor or repackager.
+ optional OrganizationalEntity supplier = 6;
+ // The license information for the BOM document
+ optional LicenseChoice licenses = 7;
+ // Specifies optional, custom, properties
+ repeated Property properties = 8;
+}
+
+message OrganizationalContact {
+ // The name of the contact
+ optional string name = 1;
+ // The email address of the contact.
+ optional string email = 2;
+ // The phone number of the contact.
+ optional string phone = 3;
+}
+
+message OrganizationalEntity {
+ // The name of the organization
+ optional string name = 1;
+ // The URL of the organization. Multiple URLs are allowed.
+ repeated string url = 2;
+ // A contact person at the organization. Multiple contacts are allowed.
+ repeated OrganizationalContact contact = 3;
+}
+
+enum PatchClassification {
+ PATCH_CLASSIFICATION_NULL = 0;
+ // A patch which is not developed by the creators or maintainers of the software being patched. Refer to https://en.wikipedia.org/wiki/Unofficial_patch
+ PATCH_CLASSIFICATION_UNOFFICIAL = 1;
+ // A patch which dynamically modifies runtime behavior. Refer to https://en.wikipedia.org/wiki/Monkey_patch
+ PATCH_CLASSIFICATION_MONKEY = 2;
+ // A patch which takes code from a newer version of software and applies it to older versions of the same software. Refer to https://en.wikipedia.org/wiki/Backporting
+ PATCH_CLASSIFICATION_BACKPORT = 3;
+ // A patch created by selectively applying commits from other versions or branches of the same software.
+ PATCH_CLASSIFICATION_CHERRY_PICK = 4;
+}
+
+message Patch {
+ // Specifies the purpose for the patch including the resolution of defects, security issues, or new behavior or functionality
+ PatchClassification type = 1;
+ // The patch file (or diff) that show changes. Refer to https://en.wikipedia.org/wiki/Diff
+ optional Diff diff = 2;
+ repeated Issue resolves = 3;
+}
+
+// Component pedigree is a way to document complex supply chain scenarios where components are created, distributed, modified, redistributed, combined with other components, etc. Pedigree supports viewing this complex chain from the beginning, the end, or anywhere in the middle. It also provides a way to document variants where the exact relation may not be known.
+message Pedigree {
+ // Describes zero or more components in which a component is derived from. This is commonly used to describe forks from existing projects where the forked version contains a ancestor node containing the original component it was forked from. For example, Component A is the original component. Component B is the component being used and documented in the BOM. However, Component B contains a pedigree node with a single ancestor documenting Component A - the original component from which Component B is derived from.
+ repeated Component ancestors = 1;
+ // Descendants are the exact opposite of ancestors. This provides a way to document all forks (and their forks) of an original or root component.
+ repeated Component descendants = 2;
+ // Variants describe relations where the relationship between the components are not known. For example, if Component A contains nearly identical code to Component B. They are both related, but it is unclear if one is derived from the other, or if they share a common ancestor.
+ repeated Component variants = 3;
+ // A list of zero or more commits which provide a trail describing how the component deviates from an ancestor, descendant, or variant.
+ repeated Commit commits = 4;
+ // A list of zero or more patches describing how the component deviates from an ancestor, descendant, or variant. Patches may be complimentary to commits or may be used in place of commits.
+ repeated Patch patches = 5;
+ // Notes, observations, and other non-structured commentary describing the components pedigree.
+ optional string notes = 6;
+}
+
+enum Scope {
+ // Default
+ SCOPE_UNSPECIFIED = 0;
+ // The component is required for runtime
+ SCOPE_REQUIRED = 1;
+ // The component is optional at runtime. Optional components are components that are not capable of being called due to them not be installed or otherwise accessible by any means. Components that are installed but due to configuration or other restrictions are prohibited from being called must be scoped as 'required'.
+ SCOPE_OPTIONAL = 2;
+ // Components that are excluded provide the ability to document component usage for test and other non-runtime purposes. Excluded components are not reachable within a call graph at runtime.
+ SCOPE_EXCLUDED = 3;
+}
+
+message Service {
+ // An optional identifier which can be used to reference the service elsewhere in the BOM. Uniqueness is enforced within all elements and children of the root-level bom element.
+ optional string bom_ref = 1;
+ // The organization that provides the service.
+ optional OrganizationalEntity provider = 2;
+ // The grouping name, namespace, or identifier. This will often be a shortened, single name of the company or project that produced the service or domain name. Whitespace and special characters should be avoided.
+ optional string group = 3;
+ // The name of the service. This will often be a shortened, single name of the service.
+ string name = 4;
+ // The service version.
+ optional string version = 5;
+ // Specifies a description for the service.
+ optional string description = 6;
+ repeated string endpoints = 7;
+ // A boolean value indicating if the service requires authentication. A value of true indicates the service requires authentication prior to use. A value of false indicates the service does not require authentication.
+ optional bool authenticated = 8;
+ // A boolean value indicating if use of the service crosses a trust zone or boundary. A value of true indicates that by using the service, a trust boundary is crossed. A value of false indicates that by using the service, a trust boundary is not crossed.
+ optional bool x_trust_boundary = 9;
+ repeated DataClassification data = 10;
+ repeated LicenseChoice licenses = 11;
+ // Provides the ability to document external references related to the service.
+ repeated ExternalReference external_references = 12;
+ // Specifies optional sub-service. This is not a dependency tree. It provides a way to specify a hierarchical representation of service assemblies, similar to system -> subsystem -> parts assembly in physical supply chains.
+ repeated Service services = 13;
+ // Specifies optional, custom, properties
+ repeated Property properties = 14;
+}
+
+message Swid {
+ // Maps to the tagId of a SoftwareIdentity.
+ string tag_id = 1;
+ // Maps to the name of a SoftwareIdentity.
+ string name = 2;
+ // Maps to the version of a SoftwareIdentity.
+ optional string version = 3;
+ // Maps to the tagVersion of a SoftwareIdentity.
+ optional int32 tag_version = 4;
+ // Maps to the patch of a SoftwareIdentity.
+ optional bool patch = 5;
+ // Specifies the full content of the SWID tag.
+ optional AttachedText text = 6;
+ // The URL to the SWID file.
+ optional string url = 7;
+}
+
+// Specifies a tool (manual or automated).
+message Tool {
+ // The vendor of the tool used to create the BOM.
+ optional string vendor = 1;
+ // The name of the tool used to create the BOM.
+ optional string name = 2;
+ // The version of the tool used to create the BOM.
+ optional string version = 3;
+ repeated Hash hashes = 4;
+}
+
+// Specifies a property
+message Property {
+ string name = 1;
+ optional string value = 2;
+}
+
+enum Aggregate {
+ // Default, no statement about the aggregate completeness is being made
+ AGGREGATE_NOT_SPECIFIED = 0;
+ // The aggregate composition is complete
+ AGGREGATE_COMPLETE = 1;
+ // The aggregate composition is incomplete
+ AGGREGATE_INCOMPLETE = 2;
+ // The aggregate composition is incomplete for first party components, complete for third party components
+ AGGREGATE_INCOMPLETE_FIRST_PARTY_ONLY = 3;
+ // The aggregate composition is incomplete for third party components, complete for first party components
+ AGGREGATE_INCOMPLETE_THIRD_PARTY_ONLY = 4;
+ // The aggregate composition completeness is unknown
+ AGGREGATE_UNKNOWN = 5;
+}
+
+message Composition {
+ // Indicates the aggregate completeness
+ Aggregate aggregate = 1;
+ // The assemblies the aggregate completeness applies to
+ repeated string assemblies = 2;
+ // The dependencies the aggregate completeness applies to
+ repeated string dependencies = 3;
+}
+
+message EvidenceCopyright {
+ // Copyright text
+ string text = 1;
+}
+
+message Evidence {
+ repeated LicenseChoice licenses = 1;
+ repeated EvidenceCopyright copyright = 2;
+}
diff --git a/schema/bom-1.3.schema.json b/schema/bom-1.3.schema.json
new file mode 100644
index 0000000..63a35b7
--- /dev/null
+++ b/schema/bom-1.3.schema.json
@@ -0,0 +1,1058 @@ +{ + "$schema": "http://json-schema.org/draft-07/schema#", + "$id": "http://cyclonedx.org/schema/bom-1.3a.schema.json", + "type": "object", + "title": "CycloneDX Software Bill-of-Material Specification", + "$comment" : "CycloneDX JSON schema is published under the terms of the Apache License 2.0.", + "required": [ + "bomFormat", + "specVersion", + "version" + ], + "properties": { + "bomFormat": { + "$id": "#/properties/bomFormat", + "type": "string", + "title": "BOM Format", + "description": "Specifies the format of the BOM. This helps to identify the file as CycloneDX since BOMs do not have a filename convention nor does JSON schema support namespaces.", + "enum": [ + "CycloneDX" + ] + }, + "specVersion": { + "$id": "#/properties/specVersion", + "type": "string", + "title": "CycloneDX Specification Version", + "description": "The version of the CycloneDX specification a BOM is written to (starting at version 1.2)", + "examples": ["1.3"] + }, + "serialNumber": { + "$id": "#/properties/serialNumber", + "type": "string", + "title": "BOM Serial Number", + "description": "Every BOM generated should have a unique serial number, even if the contents of the BOM being generated have not changed over time. The process or tool responsible for creating the BOM should create random UUID's for every BOM generated.", + "examples": ["urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79"], + "pattern": "^urn:uuid:[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$" + }, + "version": { + "$id": "#/properties/version", + "type": "integer", + "title": "BOM Version", + "description": "The version allows component publishers/authors to make changes to existing BOMs to update various aspects of the document such as description or licenses. When a system is presented with multiple BOMs for the same component, the system should use the most recent version of the BOM. The default version is '1' and should be incremented for each version of the BOM that is published. 
Each version of a component should have a unique BOM and if no changes are made to the BOMs, then each BOM will have a version of '1'.", + "default": 1, + "examples": [1] + }, + "metadata": { + "$id": "#/properties/metadata", + "$ref": "#/definitions/metadata", + "title": "BOM Metadata", + "description": "Provides additional information about a BOM." + }, + "components": { + "$id": "#/properties/components", + "type": "array", + "items": {"$ref": "#/definitions/component"}, + "uniqueItems": true, + "title": "Components" + }, + "services": { + "$id": "#/properties/services", + "type": "array", + "items": {"$ref": "#/definitions/service"}, + "uniqueItems": true, + "title": "Services" + }, + "externalReferences": { + "$id": "#/properties/externalReferences", + "type": "array", + "items": {"$ref": "#/definitions/externalReference"}, + "title": "External References", + "description": "External references provide a way to document systems, sites, and information that may be relevant but which are not included with the BOM." + }, + "dependencies": { + "$id": "#/properties/dependencies", + "type": "array", + "items": {"$ref": "#/definitions/dependency"}, + "uniqueItems": true, + "title": "Dependencies", + "description": "Provides the ability to document dependency relationships." + }, + "compositions": { + "$id": "#/properties/compositions", + "type": "array", + "items": {"$ref": "#/definitions/compositions"}, + "uniqueItems": true, + "title": "Compositions", + "description": "Compositions describe constituent parts (including components, services, and dependency relationships) and their completeness." 
+ } + }, + "definitions": { + "refType": { + "$comment": "Identifier-DataType for interlinked elements.", + "type": "string" + }, + "metadata": { + "type": "object", + "title": "BOM Metadata Object", + "properties": { + "timestamp": { + "type": "string", + "format": "date-time", + "title": "Timestamp", + "description": "The date and time (timestamp) when the document was created." + }, + "tools": { + "type": "array", + "title": "Creation Tools", + "description": "The tool(s) used in the creation of the BOM.", + "items": {"$ref": "#/definitions/tool"} + }, + "authors" :{ + "type": "array", + "title": "Authors", + "description": "The person(s) who created the BOM. Authors are common in BOMs created through manual processes. BOMs created through automated means may not have authors.", + "items": {"$ref": "#/definitions/organizationalContact"} + }, + "component": { + "title": "Component", + "description": "The component that the BOM describes.", + "$ref": "#/definitions/component" + }, + "manufacture": { + "title": "Manufacture", + "description": "The organization that manufactured the component that the BOM describes.", + "$ref": "#/definitions/organizationalEntity" + }, + "supplier": { + "title": "Supplier", + "description": " The organization that supplied the component that the BOM describes. The supplier may often be the manufacturer, but may also be a distributor or repackager.", + "$ref": "#/definitions/organizationalEntity" + }, + "licenses": { + "type": "array", + "title": "BOM License(s)", + "items": {"$ref": "#/definitions/licenseChoice"} + }, + "properties": { + "type": "array", + "title": "Properties", + "description": "Provides the ability to document properties in a name-value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. 
Unlike key-value stores, properties support duplicate names, each potentially having different values.", + "items": {"$ref": "#/definitions/property"} + } + } + }, + "tool": { + "type": "object", + "title": "Tool", + "description": "The tool used to create the BOM.", + "properties": { + "vendor": { + "type": "string", + "title": "Tool Vendor", + "description": "The date and time (timestamp) when the document was created." + }, + "name": { + "type": "string", + "title": "Tool Name", + "description": "The date and time (timestamp) when the document was created." + }, + "version": { + "type": "string", + "title": "Tool Version", + "description": "The date and time (timestamp) when the document was created." + }, + "hashes": { + "$id": "#/definitions/tool/properties/hashes", + "type": "array", + "items": {"$ref": "#/definitions/hash"}, + "title": "Hashes", + "description": "The hashes of the tool (if applicable)." + } + } + }, + "organizationalEntity": { + "type": "object", + "title": "Organizational Entity Object", + "description": "", + "properties": { + "name": { + "type": "string", + "title": "Name", + "description": "The name of the organization", + "examples": [ + "Example Inc." + ] + }, + "url": { + "type": "array", + "items": { + "type": "string", + "format": "iri-reference" + }, + "title": "URL", + "description": "The URL of the organization. Multiple URLs are allowed.", + "examples": ["https://example.com"] + }, + "contact": { + "type": "array", + "title": "Contact", + "description": "A contact at the organization. 
Multiple contacts are allowed.", + "items": {"$ref": "#/definitions/organizationalContact"} + } + } + }, + "organizationalContact": { + "type": "object", + "title": "Organizational Contact Object", + "description": "", + "properties": { + "name": { + "type": "string", + "title": "Name", + "description": "The name of a contact", + "examples": ["Contact name"] + }, + "email": { + "type": "string", + "title": "Email Address", + "description": "The email address of the contact.", + "examples": ["firstname.lastname@example.com"] + }, + "phone": { + "type": "string", + "title": "Phone", + "description": "The phone number of the contact.", + "examples": ["800-555-1212"] + } + } + }, + "component": { + "type": "object", + "title": "Component Object", + "required": [ + "type", + "name", + "version" + ], + "properties": { + "type": { + "type": "string", + "enum": [ + "application", + "framework", + "library", + "container", + "operating-system", + "device", + "firmware", + "file" + ], + "title": "Component Type", + "description": "Specifies the type of component. For software components, classify as application if no more specific appropriate classification is available or cannot be determined for the component.", + "examples": ["library"] + }, + "mime-type": { + "type": "string", + "title": "Mime-Type", + "description": "The optional mime-type of the component. When used on file components, the mime-type can provide additional context about the kind of file being represented such as an image, font, or executable. Some library or framework components may also have an associated mime-type.", + "examples": ["image/jpeg"], + "pattern": "^[-+a-z0-9.]+/[-+a-z0-9.]+$" + }, + "bom-ref": { + "$ref": "#/definitions/refType", + "title": "BOM Reference", + "description": "An optional identifier which can be used to reference the component elsewhere in the BOM. Every bom-ref should be unique." 
+ }, + "supplier": { + "title": "Component Supplier", + "description": " The organization that supplied the component. The supplier may often be the manufacturer, but may also be a distributor or repackager.", + "$ref": "#/definitions/organizationalEntity" + }, + "author": { + "type": "string", + "title": "Component Author", + "description": "The person(s) or organization(s) that authored the component", + "examples": ["Acme Inc"] + }, + "publisher": { + "type": "string", + "title": "Component Publisher", + "description": "The person(s) or organization(s) that published the component", + "examples": ["Acme Inc"] + }, + "group": { + "type": "string", + "title": "Component Group", + "description": "The grouping name or identifier. This will often be a shortened, single name of the company or project that produced the component, or the source package or domain name. Whitespace and special characters should be avoided. Examples include: apache, org.apache.commons, and apache.org.", + "examples": ["com.acme"] + }, + "name": { + "type": "string", + "title": "Component Name", + "description": "The name of the component. This will often be a shortened, single name of the component. Examples: commons-lang3 and jquery", + "examples": ["tomcat-catalina"] + }, + "version": { + "type": "string", + "title": "Component Version", + "description": "The component version. The version should ideally comply with semantic versioning but is not enforced.", + "examples": ["9.0.14"] + }, + "description": { + "type": "string", + "title": "Component Description", + "description": "Specifies a description for the component" + }, + "scope": { + "type": "string", + "enum": [ + "required", + "optional", + "excluded" + ], + "title": "Component Scope", + "description": "Specifies the scope of the component. 
If scope is not specified, 'required' scope should be assumed by the consumer of the BOM", + "default": "required" + }, + "hashes": { + "type": "array", + "title": "Component Hashes", + "items": {"$ref": "#/definitions/hash"} + }, + "licenses": { + "type": "array", + "items": {"$ref": "#/definitions/licenseChoice"}, + "title": "Component License(s)" + }, + "copyright": { + "type": "string", + "title": "Component Copyright", + "description": "An optional copyright notice informing users of the underlying claims to copyright ownership in a published work.", + "examples": ["Acme Inc"] + }, + "cpe": { + "type": "string", + "title": "Component Common Platform Enumeration (CPE)", + "description": "DEPRECATED - DO NOT USE. This will be removed in a future version. Specifies a well-formed CPE name. See https://nvd.nist.gov/products/cpe", + "examples": ["cpe:2.3:a:acme:component_framework:-:*:*:*:*:*:*:*"] + }, + "purl": { + "type": "string", + "title": "Component Package URL (purl)", + "examples": ["pkg:maven/com.acme/tomcat-catalina@9.0.14?packaging=jar"] + }, + "swid": { + "$ref": "#/definitions/swid", + "title": "SWID Tag", + "description": "Specifies metadata and content for ISO-IEC 19770-2 Software Identification (SWID) Tags." + }, + "modified": { + "type": "boolean", + "title": "Component Modified From Original", + "description": "DEPRECATED - DO NOT USE. This will be removed in a future version. Use the pedigree element instead to supply information on exactly how the component was modified. A boolean value indicating is the component has been modified from the original. A value of true indicates the component is a derivative of the original. A value of false indicates the component has not been modified from the original." 
+ }, + "pedigree": { + "type": "object", + "title": "Component Pedigree", + "description": "Component pedigree is a way to document complex supply chain scenarios where components are created, distributed, modified, redistributed, combined with other components, etc. Pedigree supports viewing this complex chain from the beginning, the end, or anywhere in the middle. It also provides a way to document variants where the exact relation may not be known.", + "properties": { + "ancestors": { + "type": "array", + "title": "Ancestors", + "description": "Describes zero or more components in which a component is derived from. This is commonly used to describe forks from existing projects where the forked version contains a ancestor node containing the original component it was forked from. For example, Component A is the original component. Component B is the component being used and documented in the BOM. However, Component B contains a pedigree node with a single ancestor documenting Component A - the original component from which Component B is derived from.", + "items": {"$ref": "#/definitions/component"} + }, + "descendants": { + "type": "array", + "title": "Descendants", + "description": "Descendants are the exact opposite of ancestors. This provides a way to document all forks (and their forks) of an original or root component.", + "items": {"$ref": "#/definitions/component"} + }, + "variants": { + "type": "array", + "title": "Variants", + "description": "Variants describe relations where the relationship between the components are not known. For example, if Component A contains nearly identical code to Component B. 
They are both related, but it is unclear if one is derived from the other, or if they share a common ancestor.", + "items": {"$ref": "#/definitions/component"} + }, + "commits": { + "type": "array", + "title": "Commits", + "description": "A list of zero or more commits which provide a trail describing how the component deviates from an ancestor, descendant, or variant.", + "items": {"$ref": "#/definitions/commit"} + }, + "patches": { + "type": "array", + "title": "Patches", + "description": ">A list of zero or more patches describing how the component deviates from an ancestor, descendant, or variant. Patches may be complimentary to commits or may be used in place of commits.", + "items": {"$ref": "#/definitions/patch"} + }, + "notes": { + "type": "string", + "title": "Notes", + "description": "Notes, observations, and other non-structured commentary describing the components pedigree." + } + } + }, + "externalReferences": { + "type": "array", + "items": {"$ref": "#/definitions/externalReference"}, + "title": "External References" + }, + "components": { + "$id": "#/definitions/component/properties/components", + "type": "array", + "items": {"$ref": "#/definitions/component"}, + "uniqueItems": true, + "title": "Components" + }, + "evidence": { + "$ref": "#/definitions/componentEvidence", + "title": "Evidence", + "description": "Provides the ability to document evidence collected through various forms of extraction or analysis." + }, + "properties": { + "type": "array", + "title": "Properties", + "description": "Provides the ability to document properties in a name-value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. 
Unlike key-value stores, properties support duplicate names, each potentially having different values.", + "items": {"$ref": "#/definitions/property"} + } + } + }, + "swid": { + "type": "object", + "title": "SWID Tag", + "description": "Specifies metadata and content for ISO-IEC 19770-2 Software Identification (SWID) Tags.", + "required": [ + "tagId", + "name" + ], + "properties": { + "tagId": { + "type": "string", + "title": "Tag ID", + "description": "Maps to the tagId of a SoftwareIdentity." + }, + "name": { + "type": "string", + "title": "Name", + "description": "Maps to the name of a SoftwareIdentity." + }, + "version": { + "type": "string", + "title": "Version", + "default": "0.0", + "description": "Maps to the version of a SoftwareIdentity." + }, + "tagVersion": { + "type": "integer", + "title": "Tag Version", + "default": 0, + "description": "Maps to the tagVersion of a SoftwareIdentity." + }, + "patch": { + "type": "boolean", + "title": "Patch", + "default": false, + "description": "Maps to the patch of a SoftwareIdentity." + }, + "text": { + "title": "Attachment text", + "description": "Specifies the metadata and content of the SWID tag.", + "$ref": "#/definitions/attachment" + }, + "url": { + "type": "string", + "title": "URL", + "description": "The URL to the SWID file.", + "format": "iri-reference" + } + } + }, + "attachment": { + "type": "object", + "title": "Attachment", + "description": "Specifies the metadata and content for an attachment.", + "required": [ + "content" + ], + "properties": { + "contentType": { + "type": "string", + "title": "Content-Type", + "description": "Specifies the content type of the text. 
Defaults to text/plain if not specified.", + "default": "text/plain" + }, + "encoding": { + "type": "string", + "title": "Encoding", + "description": "Specifies the optional encoding the text is represented in.", + "enum": [ + "base64" + ] + }, + "content": { + "type": "string", + "title": "Attachment Text", + "description": "The attachment data" + } + } + }, + "hash": { + "type": "object", + "title": "Hash Objects", + "required": [ + "alg", + "content" + ], + "properties": { + "alg": { + "$ref": "#/definitions/hash-alg" + }, + "content": { + "$ref": "#/definitions/hash-content" + } + } + }, + "hash-alg": { + "type": "string", + "enum": [ + "MD5", + "SHA-1", + "SHA-256", + "SHA-384", + "SHA-512", + "SHA3-256", + "SHA3-384", + "SHA3-512", + "BLAKE2b-256", + "BLAKE2b-384", + "BLAKE2b-512", + "BLAKE3" + ], + "title": "Hash Algorithm" + }, + "hash-content": { + "type": "string", + "title": "Hash Content (value)", + "examples": ["3942447fac867ae5cdb3229b658f4d48"], + "pattern": "^([a-fA-F0-9]{32}|[a-fA-F0-9]{40}|[a-fA-F0-9]{64}|[a-fA-F0-9]{96}|[a-fA-F0-9]{128})$" + }, + "license": { + "type": "object", + "title": "License Object", + "oneOf": [ + { + "required": ["id"] + }, + { + "required": ["name"] + } + ], + "properties": { + "id": { + "$ref": "spdx.schema.json", + "title": "License ID (SPDX)", + "description": "A valid SPDX license ID", + "examples": ["Apache-2.0"] + }, + "name": { + "type": "string", + "title": "License Name", + "description": "If SPDX does not define the license used, this field may be used to provide the license name", + "examples": ["Acme Software License"] + }, + "text": { + "title": "License text", + "description": "An optional way to include the textual content of a license.", + "$ref": "#/definitions/attachment" + }, + "url": { + "type": "string", + "title": "License URL", + "description": "The URL to the license file. 
If specified, a 'license' externalReference should also be specified for completeness", + "examples": ["https://www.apache.org/licenses/LICENSE-2.0.txt"], + "format": "iri-reference" + } + } + }, + "licenseChoice": { + "type": "object", + "title": "License(s)", + "properties": { + "license": { + "$ref": "#/definitions/license" + }, + "expression": { + "type": "string", + "title": "SPDX License Expression", + "examples": [ + "Apache-2.0 AND (MIT OR GPL-2.0-only)", + "GPL-3.0-only WITH Classpath-exception-2.0" + ] + } + }, + "oneOf":[ + { + "required": ["license"] + }, + { + "required": ["expression"] + } + ] + }, + "commit": { + "type": "object", + "title": "Commit", + "description": "Specifies an individual commit", + "properties": { + "uid": { + "type": "string", + "title": "UID", + "description": "A unique identifier of the commit. This may be version control specific. For example, Subversion uses revision numbers whereas git uses commit hashes." + }, + "url": { + "type": "string", + "title": "URL", + "description": "The URL to the commit. 
This URL will typically point to a commit in a version control system.", + "format": "iri-reference" + }, + "author": { + "title": "Author", + "description": "The author who created the changes in the commit", + "$ref": "#/definitions/identifiableAction" + }, + "committer": { + "title": "Committer", + "description": "The person who committed or pushed the commit", + "$ref": "#/definitions/identifiableAction" + }, + "message": { + "type": "string", + "title": "Message", + "description": "The text description of the contents of the commit" + } + } + }, + "patch": { + "type": "object", + "title": "Patch", + "description": "Specifies an individual patch", + "required": [ + "type" + ], + "properties": { + "type": { + "type": "string", + "enum": [ + "unofficial", + "monkey", + "backport", + "cherry-pick" + ], + "title": "Type", + "description": "Specifies the purpose for the patch including the resolution of defects, security issues, or new behavior or functionality" + }, + "diff": { + "title": "Diff", + "description": "The patch file (or diff) that show changes. Refer to https://en.wikipedia.org/wiki/Diff", + "$ref": "#/definitions/diff" + }, + "resolves": { + "type": "array", + "items": {"$ref": "#/definitions/issue"}, + "title": "Resolves", + "description": "A collection of issues the patch resolves" + } + } + }, + "diff": { + "type": "object", + "title": "Diff", + "description": "The patch file (or diff) that show changes. Refer to https://en.wikipedia.org/wiki/Diff", + "properties": { + "text": { + "title": "Diff text", + "description": "Specifies the optional text of the diff", + "$ref": "#/definitions/attachment" + }, + "url": { + "type": "string", + "title": "URL", + "description": "Specifies the URL to the diff", + "format": "iri-reference" + } + } + }, + "issue": { + "type": "object", + "title": "Diff", + "description": "The patch file (or diff) that show changes. 
Refer to https://en.wikipedia.org/wiki/Diff", + "required": [ + "type" + ], + "properties": { + "type": { + "type": "string", + "enum": [ + "defect", + "enhancement", + "security" + ], + "title": "Type", + "description": "Specifies the type of issue" + }, + "id": { + "type": "string", + "title": "ID", + "description": "The identifier of the issue assigned by the source of the issue" + }, + "name": { + "type": "string", + "title": "Name", + "description": "The name of the issue" + }, + "description": { + "type": "string", + "title": "Description", + "description": "A description of the issue" + }, + "source": { + "type": "object", + "title": "Source", + "description": "The source of the issue where it is documented", + "properties": { + "name": { + "type": "string", + "title": "Name", + "description": "The name of the source. For example 'National Vulnerability Database', 'NVD', and 'Apache'" + }, + "url": { + "type": "string", + "title": "URL", + "description": "The url of the issue documentation as provided by the source", + "format": "iri-reference" + } + } + }, + "references": { + "type": "array", + "items": { + "type": "string", + "format": "iri-reference" + }, + "title": "References", + "description": "A collection of URL's for reference. 
Multiple URLs are allowed.", + "examples": ["https://example.com"] + } + } + }, + "identifiableAction": { + "type": "object", + "title": "Identifiable Action", + "description": "Specifies an individual commit", + "properties": { + "timestamp": { + "type": "string", + "format": "date-time", + "title": "Timestamp", + "description": "The timestamp in which the action occurred" + }, + "name": { + "type": "string", + "title": "Name", + "description": "The name of the individual who performed the action" + }, + "email": { + "type": "string", + "format": "idn-email", + "title": "E-mail", + "description": "The email address of the individual who performed the action" + } + } + }, + "externalReference": { + "type": "object", + "title": "External Reference", + "description": "Specifies an individual external reference", + "required": [ + "url", + "type" + ], + "properties": { + "url": { + "type": "string", + "title": "URL", + "description": "The URL to the external reference", + "format": "iri-reference" + }, + "comment": { + "type": "string", + "title": "Comment", + "description": "An optional comment describing the external reference" + }, + "type": { + "type": "string", + "title": "Type", + "description": "Specifies the type of external reference. There are built-in types to describe common references. If a type does not exist for the reference being referred to, use the \"other\" type.", + "enum": [ + "vcs", + "issue-tracker", + "website", + "advisories", + "bom", + "mailing-list", + "social", + "chat", + "documentation", + "support", + "distribution", + "license", + "build-meta", + "build-system", + "other" + ] + }, + "hashes": { + "$id": "#/definitions/externalReference/properties/hashes", + "type": "array", + "items": {"$ref": "#/definitions/hash"}, + "title": "Hashes", + "description": "The hashes of the external reference (if applicable)." 
+ } + } + }, + "dependency": { + "type": "object", + "title": "Dependency", + "description": "Defines the direct dependencies of a component. Components that do not have their own dependencies MUST be declared as empty elements within the graph. Components that are not represented in the dependency graph MAY have unknown dependencies. It is RECOMMENDED that implementations assume this to be opaque and not an indicator of a component being dependency-free.", + "required": [ + "ref" + ], + "properties": { + "ref": { + "$ref": "#/definitions/refType", + "title": "Reference", + "description": "References a component by the components bom-ref attribute" + }, + "dependsOn": { + "type": "array", + "uniqueItems": true, + "items": { + "$ref": "#/definitions/refType" + }, + "title": "Depends On", + "description": "The bom-ref identifiers of the components that are dependencies of this dependency object." + } + } + }, + "service": { + "type": "object", + "title": "Service Object", + "required": [ + "name" + ], + "properties": { + "bom-ref": { + "$ref": "#/definitions/refType", + "title": "BOM Reference", + "description": "An optional identifier which can be used to reference the service elsewhere in the BOM. Every bom-ref should be unique." + }, + "provider": { + "title": "Provider", + "description": "The organization that provides the service.", + "$ref": "#/definitions/organizationalEntity" + }, + "group": { + "type": "string", + "title": "Service Group", + "description": "The grouping name, namespace, or identifier. This will often be a shortened, single name of the company or project that produced the service or domain name. Whitespace and special characters should be avoided.", + "examples": ["com.acme"] + }, + "name": { + "type": "string", + "title": "Service Name", + "description": "The name of the service. 
This will often be a shortened, single name of the service.", + "examples": ["ticker-service"] + }, + "version": { + "type": "string", + "title": "Service Version", + "description": "The service version.", + "examples": ["1.0.0"] + }, + "description": { + "type": "string", + "title": "Service Description", + "description": "Specifies a description for the service" + }, + "endpoints": { + "type": "array", + "items": { + "type": "string", + "format": "iri-reference" + }, + "title": "Endpoints", + "description": "The endpoint URIs of the service. Multiple endpoints are allowed.", + "examples": ["https://example.com/api/v1/ticker"] + }, + "authenticated": { + "type": "boolean", + "title": "Authentication Required", + "description": "A boolean value indicating if the service requires authentication. A value of true indicates the service requires authentication prior to use. A value of false indicates the service does not require authentication." + }, + "x-trust-boundary": { + "type": "boolean", + "title": "Crosses Trust Boundary", + "description": "A boolean value indicating if use of the service crosses a trust zone or boundary. A value of true indicates that by using the service, a trust boundary is crossed. A value of false indicates that by using the service, a trust boundary is not crossed." + }, + "data": { + "type": "array", + "items": {"$ref": "#/definitions/dataClassification"}, + "title": "Data Classification", + "description": "Specifies the data classification." 
+ }, + "licenses": { + "type": "array", + "items": {"$ref": "#/definitions/licenseChoice"}, + "title": "Component License(s)" + }, + "externalReferences": { + "type": "array", + "items": {"$ref": "#/definitions/externalReference"}, + "title": "External References" + }, + "services": { + "$id": "#/definitions/service/properties/services", + "type": "array", + "items": {"$ref": "#/definitions/service"}, + "uniqueItems": true, + "title": "Services" + }, + "properties": { + "type": "array", + "title": "Properties", + "description": "Provides the ability to document properties in a name-value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. Unlike key-value stores, properties support duplicate names, each potentially having different values.", + "items": {"$ref": "#/definitions/property"} + } + } + }, + "dataClassification": { + "type": "object", + "title": "Hash Objects", + "required": [ + "flow", + "classification" + ], + "properties": { + "flow": { + "$ref": "#/definitions/dataFlow" + }, + "classification": { + "type": "string" + } + } + }, + "dataFlow": { + "type": "string", + "enum": [ + "inbound", + "outbound", + "bi-directional", + "unknown" + ], + "title": "Data flow direction" + }, + + "copyright": { + "type": "object", + "title": "Copyright", + "required": [ + "text" + ], + "properties": { + "text": { + "type": "string", + "title": "Copyright Text" + } + } + }, + + "componentEvidence": { + "type": "object", + "title": "Evidence", + "description": "Provides the ability to document evidence collected through various forms of extraction or analysis.", + "properties": { + "licenses": { + "type": "array", + "items": {"$ref": "#/definitions/licenseChoice"}, + "title": "Component License(s)" + }, + "copyright": { + "type": "array", + "items": {"$ref": "#/definitions/copyright"}, + "title": "Copyright" + } + } + }, + "compositions": { + "type": "object", + 
"title": "Compositions", + "required": [ + "aggregate" + ], + "properties": { + "aggregate": { + "$ref": "#/definitions/aggregateType", + "title": "Aggregate", + "description": "Specifies an aggregate type that describe how complete a relationship is." + }, + "assemblies": { + "type": "array", + "uniqueItems": true, + "items": { + "type": "string" + }, + "title": "BOM references", + "description": "The bom-ref identifiers of the components or services being described. Assemblies refer to nested relationships whereby a constituent part may include other constituent parts. References do not cascade to child parts. References are explicit for the specified constituent part only." + }, + "dependencies": { + "type": "array", + "uniqueItems": true, + "items": { + "type": "string" + }, + "title": "BOM references", + "description": "The bom-ref identifiers of the components or services being described. Dependencies refer to a relationship whereby an independent constituent part requires another independent constituent part. References do not cascade to transitive dependencies. References are explicit for the specified dependency only." + } + } + }, + "aggregateType": { + "type": "string", + "default": "not_specified", + "enum": [ + "complete", + "incomplete", + "incomplete_first_party_only", + "incomplete_third_party_only", + "unknown", + "not_specified" + ] + }, + "property": { + "type": "object", + "title": "Lightweight name-value pair", + "properties": { + "name": { + "type": "string", + "title": "Name", + "description": "The name of the property. Duplicate names are allowed, each potentially having a different value." + }, + "value": { + "type": "string", + "title": "Value", + "description": "The value of the property." + } + } + } + } +} diff --git a/schema/bom-1.3.xsd b/schema/bom-1.3.xsd new file mode 100644 index 0000000..49aa748 --- /dev/null +++ b/schema/bom-1.3.xsd 
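Review bot: The `license.id` property in the `license` definition is `"$ref": "spdx.schema.json"`, a relative reference that under draft-07 resolution against this file's `$id` (`http://cyclonedx.org/schema/bom-1.3a.schema.json`) becomes `http://cyclonedx.org/schema/spdx.schema.json`, so unless the validator is handed a local copy and configured to refuse remote lookups, validating an attacker-supplied BOM can trigger a plain-HTTP fetch of a schema whose contents then decide what is accepted. The `$id` also ends in `1.3a` while the file is named `bom-1.3.schema.json`, so a resolver that registers schemas by `$id` will not find this file under the `…/bom-1.3.schema.json` URI. I cannot tell from this diff whether `spdx.schema.json` is added alongside or how the gem wires its resolver, so please confirm both and pin reference resolution to the local `schema/` directory. This looks like a copy of the upstream CycloneDX 1.3 schema; if it is maintained locally, the `vendor`, `name` and `version` descriptions under the `tool` definition all read `The date and time (timestamp) when the document was created.`, a copy-paste error that should say what each field holds.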
@@ -0,0 +1,1640 @@ + + + + + + + + + CycloneDX Software Bill-of-Material Specification + https://cyclonedx.org/ + Apache License, Version 2.0 + + + + + + Identifier-DataType for interlinked elements. + + + + + + + + + The date and time (timestamp) when the document was created. + + + + + The tool(s) used in the creation of the BOM. + + + + + + + + + + The person(s) who created the BOM. Authors are common in BOMs created through + manual processes. BOMs created through automated means may not have authors. + + + + + + + + + + The component that the BOM describes. + + + + + The organization that manufactured the component that the BOM describes. + + + + + The organization that supplied the component that the BOM describes. The + supplier may often be the manufacturer, but may also be a distributor or repackager. + + + + + + Provides the ability to document properties in a key/value store. + This provides flexibility to include data not officially supported in the standard + without having to use additional namespaces or create extensions. + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + User-defined attributes may be used on this element as long as they + do not have the same name as an existing attribute used by the schema. + + + + + + + + + The name of the organization + + + + + The URL of the organization. Multiple URLs are allowed. + + + + + A contact person at the organization. Multiple contacts are allowed. + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + User-defined attributes may be used on this element as long as they + do not have the same name as an existing attribute used by the schema. + + + + + + + Specifies a tool (manual or automated). + + + + + The vendor of the tool used to create the BOM. + + + + + The name of the tool used to create the BOM. + + + + + The version of the tool used to create the BOM. 
+ + + + + + + + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + User-defined attributes may be used on this element as long as they + do not have the same name as an existing attribute used by the schema. + + + + + + + + + The name of the contact + + + + + The email address of the contact. + + + + + The phone number of the contact. + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + User-defined attributes may be used on this element as long as they + do not have the same name as an existing attribute used by the schema. + + + + + + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + User-defined attributes may be used on this element as long as they + do not have the same name as an existing attribute used by the schema. + + + + + + + + + The organization that supplied the component. The supplier may often + be the manufacturer, but may also be a distributor or repackager. + + + + + The person(s) or organization(s) that authored the component + + + + + The person(s) or organization(s) that published the component + + + + + The grouping name or identifier. This will often be a shortened, single + name of the company or project that produced the component, or the source package or + domain name. Whitespace and special characters should be avoided. Examples include: + apache, org.apache.commons, and apache.org. + + + + + The name of the component. This will often be a shortened, single name + of the component. Examples: commons-lang3 and jquery + + + + + The component version. The version should ideally comply with semantic versioning + but is not enforced. + + + + + Specifies a description for the component + + + + + Specifies the scope of the component. 
If scope is not specified, 'runtime' + scope should be assumed by the consumer of the BOM + + + + + + + + + + + + + An optional copyright notice informing users of the underlying claims to + copyright ownership in a published work. + + + + + + DEPRECATED - DO NOT USE. This will be removed in a future version. + Specifies a well-formed CPE name. See https://nvd.nist.gov/products/cpe + + + + + + + Specifies the package-url (PURL). The purl, if specified, must be valid and conform + to the specification defined at: https://github.com/package-url/purl-spec + + + + + + + Specifies metadata and content for ISO-IEC 19770-2 Software Identification (SWID) Tags. + + + + + + + DEPRECATED - DO NOT USE. This will be removed in a future version. Use the pedigree + element instead to supply information on exactly how the component was modified. + A boolean value indicating is the component has been modified from the original. + A value of true indicates the component is a derivative of the original. + A value of false indicates the component has not been modified from the original. + + + + + + + Component pedigree is a way to document complex supply chain scenarios where components are + created, distributed, modified, redistributed, combined with other components, etc. + + + + + + Provides the ability to document external references related to the + component or to the project the component describes. + + + + + Provides the ability to document properties in a key/value store. + This provides flexibility to include data not officially supported in the standard + without having to use additional namespaces or create extensions. + + + + + + Specifies optional sub-components. This is not a dependency tree. It provides a way + to specify a hierarchical representation of component assemblies, similar to + system -> subsystem -> parts assembly in physical supply chains. + + + + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. 
+ + + + + + + + + Provides the ability to document evidence collected through various forms of extraction or analysis. + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + + Specifies the type of component. For software components, classify as application if no more + specific appropriate classification is available or cannot be determined for the component. + + + + + + + The optional mime-type of the component. When used on file components, the mime-type + can provide additional context about the kind of file being represented such as an image, + font, or executable. Some library or framework components may also have an associated mime-type. + + + + + + + An optional identifier which can be used to reference the component elsewhere in the BOM. + Uniqueness is enforced within all elements and children of the root-level bom element. + + + + + + User-defined attributes may be used on this element as long as they + do not have the same name as an existing attribute used by the schema. + + + + + + + + + + A valid SPDX license ID + + + + + If SPDX does not define the license used, this field may be used to provide the license name + + + + + + Specifies the optional full text of the attachment + + + + + The URL to the attachment file. If the attachment is a license or BOM, + an externalReference should also be specified for completeness. + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + + + + + Specifies attributes of the text + + + + Specifies the content type of the text. Defaults to text/plain + if not specified. + + + + + + Specifies the optional encoding the text is represented in + + + + + + + + + + Specifies the file hash of the component + + + + + + Specifies the algorithm used to create the hash + + + + + + + + + + + The component is required for runtime + + + + + The component is optional at runtime. 
Optional components are components that + are not capable of being called due to them not be installed or otherwise accessible by any means. + Components that are installed but due to configuration or other restrictions are prohibited from + being called must be scoped as 'required'. + + + + + Components that are excluded provide the ability to document component usage + for test and other non-runtime purposes. Excluded components are not reachable within a call + graph at runtime. + + + + + + + + + + A software application. Refer to https://en.wikipedia.org/wiki/Application_software + for information about applications. + + + + + A software framework. Refer to https://en.wikipedia.org/wiki/Software_framework + for information on how frameworks vary slightly from libraries. + + + + + A software library. Refer to https://en.wikipedia.org/wiki/Library_(computing) + for information about libraries. All third-party and open source reusable components will likely + be a library. If the library also has key features of a framework, then it should be classified + as a framework. If not, or is unknown, then specifying library is recommended. + + + + + A packaging and/or runtime format, not specific to any particular technology, + which isolates software inside the container from software outside of a container through + virtualization technology. Refer to https://en.wikipedia.org/wiki/OS-level_virtualization + + + + + A software operating system without regard to deployment model + (i.e. installed on physical hardware, virtual machine, image, etc) Refer to + https://en.wikipedia.org/wiki/Operating_system + + + + + A hardware device such as a processor, or chip-set. A hardware device + containing firmware should include a component for the physical hardware itself, and another + component of type 'firmware' or 'operating-system' (whichever is relevant), describing + information about the software running on the device. 
+ See also the list of known device properties: https://github.com/CycloneDX/cyclonedx-property-taxonomy/blob/main/cdx/device.md + + + + + + A special type of software that provides low-level control over a devices + hardware. Refer to https://en.wikipedia.org/wiki/Firmware + + + + + A computer file. Refer to https://en.wikipedia.org/wiki/Computer_file + for information about files. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Define the format for acceptable CPE URIs. Supports CPE 2.2 and CPE 2.3 formats. + Refer to https://nvd.nist.gov/products/cpe for official specification. + + + + + + + + + + + + Specifies the full content of the SWID tag. + + + + + The URL to the SWID file. + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + Maps to the tagId of a SoftwareIdentity. + + + + + Maps to the name of a SoftwareIdentity. + + + + + Maps to the version of a SoftwareIdentity. + + + + + Maps to the tagVersion of a SoftwareIdentity. + + + + + Maps to the patch of a SoftwareIdentity. + + + + + + + + Defines a string representation of a UUID conforming to RFC 4122. + + + + + + + + + + + + Version Control System + + + + + Issue or defect tracking system, or an Application Lifecycle Management (ALM) system + + + + + Website + + + + + Security advisories + + + + + Bill-of-material document (CycloneDX, SPDX, SWID, etc) + + + + + Mailing list or discussion group + + + + + Social media account + + + + + Real-time chat platform + + + + + Documentation, guides, or how-to instructions + + + + + Community or commercial support + + + + + Direct or repository download location + + + + + The URL to the license file. If a license URL has been defined in the license + node, it should also be defined as an external reference for completeness + + + + + Build-system specific meta file (i.e. 
pom.xml, package.json, .nuspec, etc) + + + + + URL to an automated build system + + + + + Use this if no other types accurately describe the purpose of the external reference + + + + + + + + + External references provide a way to document systems, sites, and information that may be relevant + but which are not included with the BOM. + + + + + + Zero or more external references can be defined + + + + + + + + + + The URL to the external reference + + + + + An optional comment describing the external reference + + + + + + + + + + + + + Specifies the type of external reference. There are built-in types to describe common + references. If a type does not exist for the reference being referred to, use the "other" type. + + + + + + User-defined attributes may be used on this element as long as they + do not have the same name as an existing attribute used by the schema. + + + + + + + Zero or more commits can be specified. + + + + + Specifies an individual commit. + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + + + + + A unique identifier of the commit. This may be version control + specific. For example, Subversion uses revision numbers whereas git uses commit hashes. + + + + + + The URL to the commit. This URL will typically point to a commit + in a version control system. + + + + + + The author who created the changes in the commit + + + + + The person who committed or pushed the commit + + + + + The text description of the contents of the commit + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + + + Zero or more patches can be specified. + + + + + Specifies an individual patch. + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + + + + + The patch file (or diff) that show changes. 
+ Refer to https://en.wikipedia.org/wiki/Diff + + + + + + + + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + Specifies the purpose for the patch including the resolution of defects, + security issues, or new behavior or functionality + + + + + + + + + A patch which is not developed by the creators or maintainers of the software + being patched. Refer to https://en.wikipedia.org/wiki/Unofficial_patch + + + + + A patch which dynamically modifies runtime behavior. + Refer to https://en.wikipedia.org/wiki/Monkey_patch + + + + + A patch which takes code from a newer version of software and applies + it to older versions of the same software. Refer to https://en.wikipedia.org/wiki/Backporting + + + + + A patch created by selectively applying commits from other versions or + branches of the same software. + + + + + + + + + + A fault, flaw, or bug in software + + + + + A new feature or behavior in software + + + + + A special type of defect which impacts security + + + + + + + + + + Specifies the optional text of the diff + + + + + Specifies the URL to the diff + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + + + + + The identifier of the issue assigned by the source of the issue + + + + + The name of the issue + + + + + A description of the issue + + + + + + + The source of the issue where it is documented. + + + + + + + The name of the source. For example "National Vulnerability Database", + "NVD", and "Apache" + + + + + + + The url of the issue documentation as provided by the source + + + + + + + + + + + + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. 
+ + + + + + + Specifies the type of issue + + + + + + + + + The timestamp in which the action occurred + + + + + The name of the individual who performed the action + + + + + The email address of the individual who performed the action + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + + + + Component pedigree is a way to document complex supply chain scenarios where components are created, + distributed, modified, redistributed, combined with other components, etc. Pedigree supports viewing + this complex chain from the beginning, the end, or anywhere in the middle. It also provides a way to + document variants where the exact relation may not be known. + + + + + + Describes zero or more components in which a component is derived + from. This is commonly used to describe forks from existing projects where the forked version + contains a ancestor node containing the original component it was forked from. For example, + Component A is the original component. Component B is the component being used and documented + in the BOM. However, Component B contains a pedigree node with a single ancestor documenting + Component A - the original component from which Component B is derived from. + + + + + + Descendants are the exact opposite of ancestors. This provides a + way to document all forks (and their forks) of an original or root component. + + + + + + Variants describe relations where the relationship between the + components are not known. For example, if Component A contains nearly identical code to + Component B. They are both related, but it is unclear if one is derived from the other, + or if they share a common ancestor. + + + + + + A list of zero or more commits which provide a trail describing + how the component deviates from an ancestor, descendant, or variant. + + + + + A list of zero or more patches describing how the component + deviates from an ancestor, descendant, or variant. 
Patches may be complimentary to commits + or may be used in place of commits. + + + + + Notes, observations, and other non-structured commentary + describing the components pedigree. + + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + + + + + + + References a component or service by the its bom-ref attribute + + + + + User-defined attributes may be used on this element as long as they + do not have the same name as an existing attribute used by the schema. + + + + + + + + + Components that do not have their own dependencies MUST be declared as empty + elements within the graph. Components that are not represented in the dependency graph MAY + have unknown dependencies. It is RECOMMENDED that implementations assume this to be opaque + and not an indicator of a component being dependency-free. + + + + + + + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + User-defined attributes may be used on this element as long as they + do not have the same name as an existing attribute used by the schema. + + + + + + + + + The organization that provides the service. + + + + + The grouping name, namespace, or identifier. This will often be a shortened, + single name of the company or project that produced the service or domain name. + Whitespace and special characters should be avoided. + + + + + The name of the service. This will often be a shortened, single name + of the service. + + + + + The service version. + + + + + Specifies a description for the service. + + + + + + + + A service endpoint URI. + + + + + + + + A boolean value indicating if the service requires authentication. + A value of true indicates the service requires authentication prior to use. + A value of false indicates the service does not require authentication. + + + + + A boolean value indicating if use of the service crosses a trust zone or boundary. 
+ A value of true indicates that by using the service, a trust boundary is crossed. + A value of false indicates that by using the service, a trust boundary is not crossed. + + + + + + + + Specifies the data classification. + + + + + + + + + Provides the ability to document external references related to the service. + + + + + Provides the ability to document properties in a key/value store. + This provides flexibility to include data not officially supported in the standard + without having to use additional namespaces or create extensions. + + + + + + Specifies optional sub-service. This is not a dependency tree. It provides a way + to specify a hierarchical representation of service assemblies, similar to + system -> subsystem -> parts assembly in physical supply chains. + + + + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + + An optional identifier which can be used to reference the service elsewhere in the BOM. + Uniqueness is enforced within all elements and children of the root-level bom element. + + + + + + User-defined attributes may be used on this element as long as they + do not have the same name as an existing attribute used by the schema. + + + + + + + Specifies the data classification. + + + + + + Specifies the flow direction of the data. + + + + + + + + + Specifies the flow direction of the data. Valid values are: + inbound, outbound, bi-directional, and unknown. Direction is relative to the service. + Inbound flow states that data enters the service. Outbound flow states that data + leaves the service. Bi-directional states that data flows both ways, and unknown + states that the direction is not known. + + + + + + + + + + + + + + + A valid SPDX license expression. 
+ Refer to https://spdx.org/specifications for syntax requirements + + + + + + + + + + + + + + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + User-defined attributes may be used on this element as long as they + do not have the same name as an existing attribute used by the schema. + + + + + + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + User-defined attributes may be used on this element as long as they + do not have the same name as an existing attribute used by the schema. + + + + + + + + + Specifies an aggregate type that describe how complete a relationship is. + + + + + + The bom-ref identifiers of the components or services being described. Assemblies refer to + nested relationships whereby a constituent part may include other constituent parts. References + do not cascade to child parts. References are explicit for the specified constituent part only. + + + + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + + + + The bom-ref identifiers of the components or services being described. Dependencies refer to a + relationship whereby an independent constituent part requires another independent constituent + part. References do not cascade to transitive dependencies. References are explicit for the + specified dependency only. + + + + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + + + + + + + + The relationship is complete. No further relationships including constituent components, services, or dependencies exist. + + + + + The relationship is incomplete. Additional relationships exist and may include constituent components, services, or dependencies. + + + + + The relationship is incomplete. Only relationships for first-party components, services, or their dependencies are represented. 
+ + + + + The relationship is incomplete. Only relationships for third-party components, services, or their dependencies are represented. + + + + + The relationship may be complete or incomplete. This usually signifies a 'best-effort' to obtain constituent components, services, or dependencies but the completeness is inconclusive. + + + + + The relationship completeness is not specified. + + + + + + + + + References a component or service by the its bom-ref attribute + + + + + User-defined attributes may be used on this element as long as they + do not have the same name as an existing attribute used by the schema. + + + + + + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + User-defined attributes may be used on this element as long as they + do not have the same name as an existing attribute used by the schema. + + + + + + + Specifies an individual property with a name and value. + + + + + + The name of the property. Duplicate names are allowed, each potentially having a different value. + + + + + + + + + + + + Provides additional information about a BOM. + + + + + Provides the ability to document a list of components. + + + + + Provides the ability to document a list of external services. + + + + + Provides the ability to document external references related to the BOM or + to the project the BOM describes. + + + + + Provides the ability to document dependency relationships. + + + + + Compositions describe constituent parts (including components, services, and dependency relationships) and their completeness. + + + + + Provides the ability to document properties in a name-value store. + This provides flexibility to include data not officially supported in the standard + without having to use additional namespaces or create extensions. Unlike key-value + stores, properties support duplicate names, each potentially having different values. 
+ + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + The version allows component publishers/authors to make changes to existing + BOMs to update various aspects of the document such as description or licenses. When a system + is presented with multiple BOMs for the same component, the system should use the most recent + version of the BOM. The default version is '1' and should be incremented for each version of the + BOM that is published. Each version of a component should have a unique BOM and if no changes are + made to the BOMs, then each BOM will have a version of '1'. + + + + + Every BOM generated should have a unique serial number, even if the contents + of the BOM being generated have not changed over time. The process or tool responsible for + creating the BOM should create random UUID's for every BOM generated. + + + + + User-defined attributes may be used on this element as long as they + do not have the same name as an existing attribute used by the schema. + + + + + + + + + diff --git a/schema/bom-1.4.proto b/schema/bom-1.4.proto new file mode 100644 index 0000000..2bf7d1d --- /dev/null +++ b/schema/bom-1.4.proto 
@@ -0,0 +1,677 @@
+syntax = "proto3";
+package cyclonedx.v1_4;
+import "google/protobuf/timestamp.proto";
+
+// Specifies attributes of the text
+message AttachedText {
+ // Specifies the content type of the text. Defaults to text/plain if not specified.
+ optional string content_type = 1;
+ // Specifies the optional encoding the text is represented in
+ optional string encoding = 2;
+ // SimpleContent value of element. Proactive controls such as input validation and sanitization should be employed to prevent misuse of attachment text.
+ string value = 3;
+}
+
+message Bom {
+ // The version of the CycloneDX specification a BOM is written to (starting at version 1.3)
+ string spec_version = 1;
+ // The version allows component publishers/authors to make changes to existing BOMs to update various aspects of the document such as description or licenses. When a system is presented with multiple BOMs for the same component, the system should use the most recent version of the BOM. The default version is '1' and should be incremented for each version of the BOM that is published. Each version of a component should have a unique BOM and if no changes are made to the BOMs, then each BOM will have a version of '1'.
+ optional int32 version = 2;
+ // Every BOM generated should have a unique serial number, even if the contents of the BOM being generated have not changed over time. The process or tool responsible for creating the BOM should create random UUID's for every BOM generated.
+ optional string serial_number = 3;
+ // Provides additional information about a BOM.
+ optional Metadata metadata = 4;
+ // Provides the ability to document a list of components.
+ repeated Component components = 5;
+ // Provides the ability to document a list of external services.
+ repeated Service services = 6;
+ // Provides the ability to document external references related to the BOM or to the project the BOM describes.
+ repeated ExternalReference external_references = 7;
+ // Provides the ability to document dependency relationships.
+ repeated Dependency dependencies = 8;
+ // Provides the ability to document aggregate completeness
+ repeated Composition compositions = 9;
+ // Vulnerabilities identified in components or services.
+ repeated Vulnerability vulnerabilities = 10;
+}
+
+enum Classification {
+ CLASSIFICATION_NULL = 0;
+ // A software application. Refer to https://en.wikipedia.org/wiki/Application_software for information about applications.
+ CLASSIFICATION_APPLICATION = 1;
+ // A software framework. Refer to https://en.wikipedia.org/wiki/Software_framework for information on how frameworks vary slightly from libraries.
+ CLASSIFICATION_FRAMEWORK = 2;
+ // A software library. Refer to https://en.wikipedia.org/wiki/Library_(computing) for information about libraries. All third-party and open source reusable components will likely be a library. If the library also has key features of a framework, then it should be classified as a framework. If not, or is unknown, then specifying library is recommended.
+ CLASSIFICATION_LIBRARY = 3;
+ // A software operating system without regard to deployment model (i.e. installed on physical hardware, virtual machine, image, etc) Refer to https://en.wikipedia.org/wiki/Operating_system
+ CLASSIFICATION_OPERATING_SYSTEM = 4;
+ // A hardware device such as a processor, or chip-set. A hardware device containing firmware should include a component for the physical hardware itself, and another component of type 'firmware' or 'operating-system' (whichever is relevant), describing information about the software running on the device. See also the list of known device properties: https://github.com/CycloneDX/cyclonedx-property-taxonomy/blob/main/cdx/device.md
+ CLASSIFICATION_DEVICE = 5;
+ // A computer file. Refer to https://en.wikipedia.org/wiki/Computer_file for information about files.
+ CLASSIFICATION_FILE = 6;
+ // A packaging and/or runtime format, not specific to any particular technology, which isolates software inside the container from software outside of a container through virtualization technology. Refer to https://en.wikipedia.org/wiki/OS-level_virtualization
+ CLASSIFICATION_CONTAINER = 7;
+ // A special type of software that provides low-level control over a devices hardware. Refer to https://en.wikipedia.org/wiki/Firmware
+ CLASSIFICATION_FIRMWARE = 8;
+}
+
+message Commit {
+ // A unique identifier of the commit. This may be version control specific. For example, Subversion uses revision numbers whereas git uses commit hashes.
+ optional string uid = 1;
+ // The URL to the commit. This URL will typically point to a commit in a version control system.
+ optional string url = 2;
+ // The author who created the changes in the commit
+ optional IdentifiableAction author = 3;
+ // The person who committed or pushed the commit
+ optional IdentifiableAction committer = 4;
+ // The text description of the contents of the commit
+ optional string message = 5;
+}
+
+message Component {
+ // Specifies the type of component. For software components, classify as application if no more specific appropriate classification is available or cannot be determined for the component.
+ Classification type = 1;
+ // The optional mime-type of the component. When used on file components, the mime-type can provide additional context about the kind of file being represented such as an image, font, or executable. Some library or framework components may also have an associated mime-type.
+ optional string mime_type = 2;
+ // An optional identifier which can be used to reference the component elsewhere in the BOM. Uniqueness is enforced within all elements and children of the root-level bom element.
+ optional string bom_ref = 3;
+ // The organization that supplied the component.
The supplier may often be the manufacture, but may also be a distributor or repackager.
+ optional OrganizationalEntity supplier = 4;
+ // The person(s) or organization(s) that authored the component
+ optional string author = 5;
+ // The person(s) or organization(s) that published the component
+ optional string publisher = 6;
+ // The grouping name or identifier. This will often be a shortened, single name of the company or project that produced the component, or the source package or domain name. Whitespace and special characters should be avoided. Examples include: apache, org.apache.commons, and apache.org.
+ optional string group = 7;
+ // The name of the component. This will often be a shortened, single name of the component. Examples: commons-lang3 and jquery
+ string name = 8;
+ // The component version. The version should ideally comply with semantic versioning but is not enforced. Version was made optional in v1.4 of the spec. For backward compatibility, it is RECOMMENDED to use an empty string to represent components without version information.
+ string version = 9;
+ // Specifies a description for the component
+ optional string description = 10;
+ // Specifies the scope of the component. If scope is not specified, 'runtime' scope should be assumed by the consumer of the BOM
+ optional Scope scope = 11;
+ repeated Hash hashes = 12;
+ repeated LicenseChoice licenses = 13;
+ // An optional copyright notice informing users of the underlying claims to copyright ownership in a published work.
+ optional string copyright = 14;
+ // DEPRECATED - DO NOT USE. This will be removed in a future version. Specifies a well-formed CPE name. See https://nvd.nist.gov/products/cpe
+ optional string cpe = 15;
+ // Specifies the package-url (PURL).
The purl, if specified, must be valid and conform to the specification defined at: https://github.com/package-url/purl-spec
+ optional string purl = 16;
+ // Specifies metadata and content for ISO-IEC 19770-2 Software Identification (SWID) Tags.
+ optional Swid swid = 17;
+ // DEPRECATED - DO NOT USE. This will be removed in a future version. Use the pedigree element instead to supply information on exactly how the component was modified. A boolean value indicating is the component has been modified from the original. A value of true indicates the component is a derivative of the original. A value of false indicates the component has not been modified from the original.
+ optional bool modified = 18;
+ // Component pedigree is a way to document complex supply chain scenarios where components are created, distributed, modified, redistributed, combined with other components, etc.
+ optional Pedigree pedigree = 19;
+ // Provides the ability to document external references related to the component or to the project the component describes.
+ repeated ExternalReference external_references = 20;
+ // Specifies optional sub-components. This is not a dependency tree. It provides a way to specify a hierarchical representation of component assemblies, similar to system -> subsystem -> parts assembly in physical supply chains.
+ repeated Component components = 21;
+ // Specifies optional, custom, properties
+ repeated Property properties = 22;
+ // Specifies optional license and copyright evidence
+ repeated Evidence evidence = 23;
+ // Specifies optional release notes.
+ optional ReleaseNotes releaseNotes = 24;
+}
+
+// Specifies the data classification.
+message DataClassification {
+ // Specifies the flow direction of the data.
+ DataFlow flow = 1;
+ // SimpleContent value of element
+ string value = 2;
+}
+
+// Specifies the flow direction of the data. Valid values are: inbound, outbound, bi-directional, and unknown. Direction is relative to the service.
Inbound flow states that data enters the service. Outbound flow states that data leaves the service. Bi-directional states that data flows both ways, and unknown states that the direction is not known.
+enum DataFlow {
+ DATA_FLOW_NULL = 0;
+ DATA_FLOW_INBOUND = 1;
+ DATA_FLOW_OUTBOUND = 2;
+ DATA_FLOW_BI_DIRECTIONAL = 3;
+ DATA_FLOW_UNKNOWN = 4;
+}
+
+message Dependency {
+ // References a component or service by the its bom-ref attribute
+ string ref = 1;
+ repeated Dependency dependencies = 2;
+}
+
+message Diff {
+ // Specifies the optional text of the diff
+ optional AttachedText text = 1;
+ // Specifies the URL to the diff
+ optional string url = 2;
+}
+
+message ExternalReference {
+ // Specifies the type of external reference. There are built-in types to describe common references. If a type does not exist for the reference being referred to, use the "other" type.
+ ExternalReferenceType type = 1;
+ // The URL to the external reference
+ string url = 2;
+ // An optional comment describing the external reference
+ optional string comment = 3;
+ // Optional integrity hashes for the external resource content
+ repeated Hash hashes = 4;
+}
+
+enum ExternalReferenceType {
+ // Use this if no other types accurately describe the purpose of the external reference
+ EXTERNAL_REFERENCE_TYPE_OTHER = 0;
+ // Version Control System
+ EXTERNAL_REFERENCE_TYPE_VCS = 1;
+ // Issue or defect tracking system, or an Application Lifecycle Management (ALM) system
+ EXTERNAL_REFERENCE_TYPE_ISSUE_TRACKER = 2;
+ // Website
+ EXTERNAL_REFERENCE_TYPE_WEBSITE = 3;
+ // Security advisories
+ EXTERNAL_REFERENCE_TYPE_ADVISORIES = 4;
+ // Bill-of-material document (CycloneDX, SPDX, SWID, etc)
+ EXTERNAL_REFERENCE_TYPE_BOM = 5;
+ // Mailing list or discussion group
+ EXTERNAL_REFERENCE_TYPE_MAILING_LIST = 6;
+ // Social media account
+ EXTERNAL_REFERENCE_TYPE_SOCIAL = 7;
+ // Real-time chat platform
+ EXTERNAL_REFERENCE_TYPE_CHAT = 8;
+ // Documentation, guides, or how-to instructions
+ 
EXTERNAL_REFERENCE_TYPE_DOCUMENTATION = 9;
+ // Community or commercial support
+ EXTERNAL_REFERENCE_TYPE_SUPPORT = 10;
+ // Direct or repository download location
+ EXTERNAL_REFERENCE_TYPE_DISTRIBUTION = 11;
+ // The URL to the license file. If a license URL has been defined in the license node, it should also be defined as an external reference for completeness
+ EXTERNAL_REFERENCE_TYPE_LICENSE = 12;
+ // Build-system specific meta file (i.e. pom.xml, package.json, .nuspec, etc)
+ EXTERNAL_REFERENCE_TYPE_BUILD_META = 13;
+ // URL to an automated build system
+ EXTERNAL_REFERENCE_TYPE_BUILD_SYSTEM = 14;
+}
+
+enum HashAlg {
+ HASH_ALG_NULL = 0;
+ HASH_ALG_MD_5 = 1;
+ HASH_ALG_SHA_1 = 2;
+ HASH_ALG_SHA_256 = 3;
+ HASH_ALG_SHA_384 = 4;
+ HASH_ALG_SHA_512 = 5;
+ HASH_ALG_SHA_3_256 = 6;
+ HASH_ALG_SHA_3_384 = 7;
+ HASH_ALG_SHA_3_512 = 8;
+ HASH_ALG_BLAKE_2_B_256 = 9;
+ HASH_ALG_BLAKE_2_B_384 = 10;
+ HASH_ALG_BLAKE_2_B_512 = 11;
+ HASH_ALG_BLAKE_3 = 12;
+}
+
+// Specifies the file hash of the component
+message Hash {
+ // Specifies the algorithm used to create the hash
+ HashAlg alg = 1;
+ // SimpleContent value of element
+ string value = 2;
+}
+
+message IdentifiableAction {
+ // The timestamp in which the action occurred
+ optional google.protobuf.Timestamp timestamp = 1;
+ // The name of the individual who performed the action
+ optional string name = 2;
+ // The email address of the individual who performed the action
+ optional string email = 3;
+}
+
+enum IssueClassification {
+ ISSUE_CLASSIFICATION_NULL = 0;
+ // A fault, flaw, or bug in software
+ ISSUE_CLASSIFICATION_DEFECT = 1;
+ // A new feature or behavior in software
+ ISSUE_CLASSIFICATION_ENHANCEMENT = 2;
+ // A special type of defect which impacts security
+ ISSUE_CLASSIFICATION_SECURITY = 3;
+}
+
+message Issue {
+ // Specifies the type of issue
+ IssueClassification type = 1;
+ // The identifier of the issue assigned by the source of the issue
+ optional string id = 2;
+ // The name of the issue
+ 
optional string name = 3;
+ // A description of the issue
+ optional string description = 4;
+ optional Source source = 5;
+ repeated string references = 6;
+}
+
+// The source of the issue where it is documented.
+message Source {
+ // The name of the source. For example "National Vulnerability Database", "NVD", and "Apache"
+ optional string name = 1;
+ // The url of the issue documentation as provided by the source
+ optional string url = 2;
+}
+
+message LicenseChoice {
+ oneof choice {
+ License license = 1;
+ string expression = 2;
+ }
+}
+
+message License {
+ oneof license {
+ // A valid SPDX license ID
+ string id = 1;
+ // If SPDX does not define the license used, this field may be used to provide the license name
+ string name = 2;
+ }
+ // Specifies the optional full text of the attachment
+ optional AttachedText text = 3;
+ // The URL to the attachment file. If the attachment is a license or BOM, an externalReference should also be specified for completeness.
+ optional string url = 4;
+}
+
+message Metadata {
+ // The date and time (timestamp) when the document was created.
+ optional google.protobuf.Timestamp timestamp = 1;
+ // The tool(s) used in the creation of the BOM.
+ repeated Tool tools = 2;
+ // The person(s) who created the BOM. Authors are common in BOMs created through manual processes. BOMs created through automated means may not have authors.
+ repeated OrganizationalContact authors = 3;
+ // The component that the BOM describes.
+ optional Component component = 4;
+ // The organization that manufactured the component that the BOM describes.
+ optional OrganizationalEntity manufacture = 5;
+ // The organization that supplied the component that the BOM describes. The supplier may often be the manufacture, but may also be a distributor or repackager.
+ optional OrganizationalEntity supplier = 6;
+ // The license information for the BOM document
+ optional LicenseChoice licenses = 7;
+ // Specifies optional, custom, properties
+ repeated Property properties = 8;
+}
+
+message OrganizationalContact {
+ // The name of the contact
+ optional string name = 1;
+ // The email address of the contact.
+ optional string email = 2;
+ // The phone number of the contact.
+ optional string phone = 3;
+}
+
+message OrganizationalEntity {
+ // The name of the organization
+ optional string name = 1;
+ // The URL of the organization. Multiple URLs are allowed.
+ repeated string url = 2;
+ // A contact person at the organization. Multiple contacts are allowed.
+ repeated OrganizationalContact contact = 3;
+}
+
+enum PatchClassification {
+ PATCH_CLASSIFICATION_NULL = 0;
+ // A patch which is not developed by the creators or maintainers of the software being patched. Refer to https://en.wikipedia.org/wiki/Unofficial_patch
+ PATCH_CLASSIFICATION_UNOFFICIAL = 1;
+ // A patch which dynamically modifies runtime behavior. Refer to https://en.wikipedia.org/wiki/Monkey_patch
+ PATCH_CLASSIFICATION_MONKEY = 2;
+ // A patch which takes code from a newer version of software and applies it to older versions of the same software. Refer to https://en.wikipedia.org/wiki/Backporting
+ PATCH_CLASSIFICATION_BACKPORT = 3;
+ // A patch created by selectively applying commits from other versions or branches of the same software.
+ PATCH_CLASSIFICATION_CHERRY_PICK = 4;
+}
+
+message Patch {
+ // Specifies the purpose for the patch including the resolution of defects, security issues, or new behavior or functionality
+ PatchClassification type = 1;
+ // The patch file (or diff) that show changes.
Refer to https://en.wikipedia.org/wiki/Diff
+ optional Diff diff = 2;
+ repeated Issue resolves = 3;
+}
+
+// Component pedigree is a way to document complex supply chain scenarios where components are created, distributed, modified, redistributed, combined with other components, etc. Pedigree supports viewing this complex chain from the beginning, the end, or anywhere in the middle. It also provides a way to document variants where the exact relation may not be known.
+message Pedigree {
+ // Describes zero or more components in which a component is derived from. This is commonly used to describe forks from existing projects where the forked version contains a ancestor node containing the original component it was forked from. For example, Component A is the original component. Component B is the component being used and documented in the BOM. However, Component B contains a pedigree node with a single ancestor documenting Component A - the original component from which Component B is derived from.
+ repeated Component ancestors = 1;
+ // Descendants are the exact opposite of ancestors. This provides a way to document all forks (and their forks) of an original or root component.
+ repeated Component descendants = 2;
+ // Variants describe relations where the relationship between the components are not known. For example, if Component A contains nearly identical code to Component B. They are both related, but it is unclear if one is derived from the other, or if they share a common ancestor.
+ repeated Component variants = 3;
+ // A list of zero or more commits which provide a trail describing how the component deviates from an ancestor, descendant, or variant.
+ repeated Commit commits = 4;
+ // A list of zero or more patches describing how the component deviates from an ancestor, descendant, or variant. Patches may be complimentary to commits or may be used in place of commits.
+ repeated Patch patches = 5;
+ // Notes, observations, and other non-structured commentary describing the components pedigree.
+ optional string notes = 6;
+}
+
+enum Scope {
+ // Default
+ SCOPE_UNSPECIFIED = 0;
+ // The component is required for runtime
+ SCOPE_REQUIRED = 1;
+ // The component is optional at runtime. Optional components are components that are not capable of being called due to them not be installed or otherwise accessible by any means. Components that are installed but due to configuration or other restrictions are prohibited from being called must be scoped as 'required'.
+ SCOPE_OPTIONAL = 2;
+ // Components that are excluded provide the ability to document component usage for test and other non-runtime purposes. Excluded components are not reachable within a call graph at runtime.
+ SCOPE_EXCLUDED = 3;
+}
+
+message Service {
+ // An optional identifier which can be used to reference the service elsewhere in the BOM. Uniqueness is enforced within all elements and children of the root-level bom element.
+ optional string bom_ref = 1;
+ // The organization that provides the service.
+ optional OrganizationalEntity provider = 2;
+ // The grouping name, namespace, or identifier. This will often be a shortened, single name of the company or project that produced the service or domain name. Whitespace and special characters should be avoided.
+ optional string group = 3;
+ // The name of the service. This will often be a shortened, single name of the service.
+ string name = 4;
+ // The service version.
+ optional string version = 5;
+ // Specifies a description for the service.
+ optional string description = 6;
+ repeated string endpoints = 7;
+ // A boolean value indicating if the service requires authentication. A value of true indicates the service requires authentication prior to use. A value of false indicates the service does not require authentication.
+ optional bool authenticated = 8;
+ // A boolean value indicating if use of the service crosses a trust zone or boundary. A value of true indicates that by using the service, a trust boundary is crossed. A value of false indicates that by using the service, a trust boundary is not crossed.
+ optional bool x_trust_boundary = 9;
+ repeated DataClassification data = 10;
+ repeated LicenseChoice licenses = 11;
+ // Provides the ability to document external references related to the service.
+ repeated ExternalReference external_references = 12;
+ // Specifies optional sub-service. This is not a dependency tree. It provides a way to specify a hierarchical representation of service assemblies, similar to system -> subsystem -> parts assembly in physical supply chains.
+ repeated Service services = 13;
+ // Specifies optional, custom, properties
+ repeated Property properties = 14;
+ // Specifies optional release notes.
+ optional ReleaseNotes releaseNotes = 15;
+}
+
+message Swid {
+ // Maps to the tagId of a SoftwareIdentity.
+ string tag_id = 1;
+ // Maps to the name of a SoftwareIdentity.
+ string name = 2;
+ // Maps to the version of a SoftwareIdentity.
+ optional string version = 3;
+ // Maps to the tagVersion of a SoftwareIdentity.
+ optional int32 tag_version = 4;
+ // Maps to the patch of a SoftwareIdentity.
+ optional bool patch = 5;
+ // Specifies the full content of the SWID tag.
+ optional AttachedText text = 6;
+ // The URL to the SWID file.
+ optional string url = 7;
+}
+
+// Specifies a tool (manual or automated).
+message Tool {
+ // The vendor of the tool used to create the BOM.
+ optional string vendor = 1;
+ // The name of the tool used to create the BOM.
+ optional string name = 2;
+ // The version of the tool used to create the BOM.
+ optional string version = 3;
+ repeated Hash hashes = 4;
+ // Provides the ability to document external references related to the tool.
+ repeated ExternalReference external_references = 5;
+}
+
+// Specifies a property
+message Property {
+ string name = 1;
+ optional string value = 2;
+}
+
+enum Aggregate {
+ // Default, no statement about the aggregate completeness is being made
+ AGGREGATE_NOT_SPECIFIED = 0;
+ // The aggregate composition is complete
+ AGGREGATE_COMPLETE = 1;
+ // The aggregate composition is incomplete
+ AGGREGATE_INCOMPLETE = 2;
+ // The aggregate composition is incomplete for first party components, complete for third party components
+ AGGREGATE_INCOMPLETE_FIRST_PARTY_ONLY = 3;
+ // The aggregate composition is incomplete for third party components, complete for first party components
+ AGGREGATE_INCOMPLETE_THIRD_PARTY_ONLY = 4;
+ // The aggregate composition completeness is unknown
+ AGGREGATE_UNKNOWN = 5;
+}
+
+message Composition {
+ // Indicates the aggregate completeness
+ Aggregate aggregate = 1;
+ // The assemblies the aggregate completeness applies to
+ repeated string assemblies = 2;
+ // The dependencies the aggregate completeness applies to
+ repeated string dependencies = 3;
+}
+
+message EvidenceCopyright {
+ // Copyright text
+ string text = 1;
+}
+
+message Evidence {
+ repeated LicenseChoice licenses = 1;
+ repeated EvidenceCopyright copyright = 2;
+}
+
+message Note {
+ // The ISO-639 (or higher) language code and optional ISO-3166 (or higher) country code. Examples include: "en", "en-US", "fr" and "fr-CA".
+ optional string locale = 1;
+ // Specifies the full content of the release note.
+ optional AttachedText text = 2;
+}
+
+message ReleaseNotes {
+ // The software versioning type. It is RECOMMENDED that the release type use one of 'major', 'minor', 'patch', 'pre-release', or 'internal'. Representing all possible software release types is not practical, so standardizing on the recommended values, whenever possible, is strongly encouraged.
+ string type = 1;
+ // The title of the release.
+ optional string title = 2;
+ // The URL to an image that may be prominently displayed with the release note.
+ optional string featuredImage = 3;
+ // The URL to an image that may be used in messaging on social media platforms.
+ optional string socialImage = 4;
+ // A short description of the release.
+ optional string description = 5;
+ // The date and time (timestamp) when the release note was created.
+ optional google.protobuf.Timestamp timestamp = 6;
+ // Optional alternate names the release may be referred to. This may include unofficial terms used by development and marketing teams (e.g. code names).
+ repeated string aliases = 7;
+ // Optional tags that may aid in search or retrieval of the release note.
+ repeated string tags = 8;
+ // A collection of issues that have been resolved.
+ repeated Issue resolves = 9;
+ // Zero or more release notes containing the locale and content. Multiple note messages may be specified to support release notes in a wide variety of languages.
+ repeated Note notes = 10;
+ // Specifies optional, custom, properties
+ repeated Property properties = 11;
+}
+
+message Vulnerability {
+ // An optional identifier which can be used to reference the vulnerability elsewhere in the BOM. Uniqueness is enforced within all elements and children of the root-level bom element.
+ optional string bom_ref = 1;
+ // The identifier that uniquely identifies the vulnerability.
+ optional string id = 2;
+ // The source that published the vulnerability.
+ optional Source source = 3;
+ // Zero or more pointers to vulnerabilities that are the equivalent of the vulnerability specified. Often times, the same vulnerability may exist in multiple sources of vulnerability intelligence, but have different identifiers. References provide a way to correlate vulnerabilities across multiple sources of vulnerability intelligence.
+ repeated VulnerabilityReference references = 4;
+ // List of vulnerability ratings
+ repeated VulnerabilityRating ratings = 5;
+ // List of Common Weaknesses Enumerations (CWEs) codes that describes this vulnerability. For example 399 (of https://cwe.mitre.org/data/definitions/399.html)
+ repeated int32 cwes = 6;
+ // A description of the vulnerability as provided by the source.
+ optional string description = 7;
+ // If available, an in-depth description of the vulnerability as provided by the source organization. Details often include examples, proof-of-concepts, and other information useful in understanding root cause.
+ optional string detail = 8;
+ // Recommendations of how the vulnerability can be remediated or mitigated.
+ optional string recommendation = 9;
+ // Published advisories of the vulnerability if provided.
+ repeated Advisory advisories = 10;
+ // The date and time (timestamp) when the vulnerability record was created in the vulnerability database.
+ optional google.protobuf.Timestamp created = 11;
+ // The date and time (timestamp) when the vulnerability record was first published.
+ optional google.protobuf.Timestamp published = 12;
+ // The date and time (timestamp) when the vulnerability record was last updated.
+ optional google.protobuf.Timestamp updated = 13;
+ // Individuals or organizations credited with the discovery of the vulnerability.
+ optional VulnerabilityCredits credits = 14;
+ // The tool(s) used to identify, confirm, or score the vulnerability.
+ repeated Tool tools = 15;
+ // An assessment of the impact and exploitability of the vulnerability.
+ optional VulnerabilityAnalysis analysis = 16;
+ // affects
+ repeated VulnerabilityAffects affects = 17;
+ // Specifies optional, custom, properties
+ repeated Property properties = 18;
+}
+
+message VulnerabilityReference {
+ // An identifier that uniquely identifies the vulnerability.
+ optional string id = 1;
+ // The source that published the vulnerability.
+ optional Source source = 2;
+}
+
+message VulnerabilityRating {
+ // The source that calculated the severity or risk rating of the vulnerability.
+ optional Source source = 1;
+ // The numerical score of the rating.
+ optional double score = 2;
+ // Textual representation of the severity that corresponds to the numerical score of the rating.
+ optional Severity severity = 3;
+ // Specifies the severity or risk scoring methodology or standard used.
+ optional ScoreMethod method = 4;
+ // Textual representation of the metric values used to score the vulnerability.
+ optional string vector = 5;
+ // An optional reason for rating the vulnerability as it was.
+ optional string justification = 6;
+}
+
+enum Severity {
+ SEVERITY_UNKNOWN = 0;
+ SEVERITY_CRITICAL = 1;
+ SEVERITY_HIGH = 2;
+ SEVERITY_MEDIUM = 3;
+ SEVERITY_LOW = 4;
+ SEVERITY_INFO = 5;
+ SEVERITY_NONE = 6;
+}
+
+enum ScoreMethod {
+ // An undefined score method
+ SCORE_METHOD_NULL = 0;
+ // Common Vulnerability Scoring System v2 - https://www.first.org/cvss/v2/
+ SCORE_METHOD_CVSSV2 = 1;
+ // Common Vulnerability Scoring System v3 - https://www.first.org/cvss/v3-0/
+ SCORE_METHOD_CVSSV3 = 2;
+ // Common Vulnerability Scoring System v3.1 - https://www.first.org/cvss/v3-1/
+ SCORE_METHOD_CVSSV31 = 3;
+ // OWASP Risk Rating Methodology - https://owasp.org/www-community/OWASP_Risk_Rating_Methodology
+ SCORE_METHOD_OWASP = 4;
+ // Other scoring method
+ SCORE_METHOD_OTHER = 5;
+}
+
+message Advisory {
+ // An optional name of the advisory.
+ optional string title = 1;
+ // Location where the advisory can be obtained.
+ string url = 2;
+}
+
+message VulnerabilityCredits {
+ // The organizations credited with vulnerability discovery.
+ repeated OrganizationalEntity organizations = 1;
+ // The individuals, not associated with organizations, that are credited with vulnerability discovery.
+ repeated OrganizationalContact individuals = 2;
+}
+
+message VulnerabilityAnalysis {
+ // Declares the current state of an occurrence of a vulnerability, after automated or manual analysis.
+ optional ImpactAnalysisState state = 1;
+ // The rationale of why the impact analysis state was asserted.
+ optional ImpactAnalysisJustification justification = 2;
+ // A response to the vulnerability by the manufacturer, supplier, or project responsible for the affected component or service. More than one response is allowed. Responses are strongly encouraged for vulnerabilities where the analysis state is exploitable.
+ repeated VulnerabilityResponse response = 3;
+ // Detailed description of the impact including methods used during assessment. If a vulnerability is not exploitable, this field should include specific details on why the component or service is not impacted by this vulnerability.
+ optional string detail = 4;
+}
+
+enum ImpactAnalysisState {
+ // An undefined impact analysis state
+ IMPACT_ANALYSIS_STATE_NULL = 0;
+ // The vulnerability has been remediated.
+ IMPACT_ANALYSIS_STATE_RESOLVED = 1;
+ // The vulnerability has been remediated and evidence of the changes are provided in the affected components pedigree containing verifiable commit history and/or diff(s).
+ IMPACT_ANALYSIS_STATE_RESOLVED_WITH_PEDIGREE = 2;
+ // The vulnerability may be directly or indirectly exploitable.
+ IMPACT_ANALYSIS_STATE_EXPLOITABLE = 3;
+ // The vulnerability is being investigated.
+ IMPACT_ANALYSIS_STATE_IN_TRIAGE = 4;
+ // The vulnerability is not specific to the component or service and was falsely identified or associated.
+ IMPACT_ANALYSIS_STATE_FALSE_POSITIVE = 5;
+ // The component or service is not affected by the vulnerability. Justification should be specified for all not_affected cases.
+ IMPACT_ANALYSIS_STATE_NOT_AFFECTED = 6;
+}
+
+enum ImpactAnalysisJustification {
+ // An undefined impact analysis justification
+ IMPACT_ANALYSIS_JUSTIFICATION_NULL = 0;
+ // The code has been removed or tree-shaked.
+ IMPACT_ANALYSIS_JUSTIFICATION_CODE_NOT_PRESENT = 1;
+ // The vulnerable code is not invoked at runtime.
+ IMPACT_ANALYSIS_JUSTIFICATION_CODE_NOT_REACHABLE = 2;
+ // Exploitability requires a configurable option to be set/unset.
+ IMPACT_ANALYSIS_JUSTIFICATION_REQUIRES_CONFIGURATION = 3;
+ // Exploitability requires a dependency that is not present.
+ IMPACT_ANALYSIS_JUSTIFICATION_REQUIRES_DEPENDENCY = 4;
+ // Exploitability requires a certain environment which is not present.
+ IMPACT_ANALYSIS_JUSTIFICATION_REQUIRES_ENVIRONMENT = 5;
+ // Exploitability requires a compiler flag to be set/unset.
+ IMPACT_ANALYSIS_JUSTIFICATION_PROTECTED_BY_COMPILER = 6;
+ // Exploits are prevented at runtime.
+ IMPACT_ANALYSIS_JUSTIFICATION_PROTECTED_AT_RUNTIME = 7;
+ // Attacks are blocked at physical, logical, or network perimeter.
+ IMPACT_ANALYSIS_JUSTIFICATION_PROTECTED_AT_PERIMETER = 8;
+ // Preventative measures have been implemented that reduce the likelihood and/or impact of the vulnerability.
+ IMPACT_ANALYSIS_JUSTIFICATION_PROTECTED_BY_MITIGATING_CONTROL = 9;
+}
+
+enum VulnerabilityResponse {
+ VULNERABILITY_RESPONSE_NULL = 0;
+ VULNERABILITY_RESPONSE_CAN_NOT_FIX = 1;
+ VULNERABILITY_RESPONSE_WILL_NOT_FIX = 2;
+ VULNERABILITY_RESPONSE_UPDATE = 3;
+ VULNERABILITY_RESPONSE_ROLLBACK = 4;
+ VULNERABILITY_RESPONSE_WORKAROUND_AVAILABLE = 5;
+}
+
+message VulnerabilityAffects {
+ // References a component or service by the objects bom-ref
+ string ref = 1;
+ // Zero or more individual versions or range of versions.
+ repeated VulnerabilityAffectedVersions versions = 2;
+}
+
+message VulnerabilityAffectedVersions {
+ oneof choice {
+ // A single version of a component or service.
+ string version = 1;
+ // A version range specified in Package URL Version Range syntax (vers) which is defined at https://github.com/package-url/vers-spec
+ string range = 2;
+ }
+ // The vulnerability status for the version or range of versions.
+ optional VulnerabilityAffectedStatus status = 3;
+}
+
+enum VulnerabilityAffectedStatus {
+ // The vulnerability status of a given version or range of versions of a product. The statuses 'affected' and 'unaffected' indicate that the version is affected or unaffected by the vulnerability. The status 'unknown' indicates that it is unknown or unspecified whether the given version is affected. There can be many reasons for an 'unknown' status, including that an investigation has not been undertaken or that a vendor has not disclosed the status.
+ VULNERABILITY_AFFECTED_STATUS_UNKNOWN = 0;
+ VULNERABILITY_AFFECTED_STATUS_AFFECTED = 1;
+ VULNERABILITY_AFFECTED_STATUS_NOT_AFFECTED = 2;
+}
diff --git a/schema/bom-1.4.schema.json b/schema/bom-1.4.schema.json
new file mode 100644
index 0000000..85d019f
--- /dev/null
+++ b/schema/bom-1.4.schema.json
@@ -0,0 +1,1697 @@ +{ + "$schema": "http://json-schema.org/draft-07/schema#", + "$id": "http://cyclonedx.org/schema/bom-1.4.schema.json", + "type": "object", + "title": "CycloneDX Software Bill of Materials Standard", + "$comment" : "CycloneDX JSON schema is published under the terms of the Apache License 2.0.", + "required": [ + "bomFormat", + "specVersion", + "version" + ], + "additionalProperties": false, + "properties": { + "$schema": { + "type": "string", + "enum": [ + "http://cyclonedx.org/schema/bom-1.4.schema.json" + ] + }, + "bomFormat": { + "type": "string", + "title": "BOM Format", + "description": "Specifies the format of the BOM. This helps to identify the file as CycloneDX since BOMs do not have a filename convention nor does JSON schema support namespaces. This value MUST be \"CycloneDX\".", + "enum": [ + "CycloneDX" + ] + }, + "specVersion": { + "type": "string", + "title": "CycloneDX Specification Version", + "description": "The version of the CycloneDX specification a BOM conforms to (starting at version 1.2).", + "examples": ["1.4"] + }, + "serialNumber": { + "type": "string", + "title": "BOM Serial Number", + "description": "Every BOM generated SHOULD have a unique serial number, even if the contents of the BOM have not changed over time. If specified, the serial number MUST conform to RFC-4122. Use of serial numbers are RECOMMENDED.", + "examples": ["urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79"], + "pattern": "^urn:uuid:[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$" + }, + "version": { + "type": "integer", + "title": "BOM Version", + "description": "Whenever an existing BOM is modified, either manually or through automated processes, the version of the BOM SHOULD be incremented by 1. When a system is presented with multiple BOMs with identical serial numbers, the system SHOULD use the most recent version of the BOM. 
The default version is '1'.", + "default": 1, + "examples": [1] + }, + "metadata": { + "$ref": "#/definitions/metadata", + "title": "BOM Metadata", + "description": "Provides additional information about a BOM." + }, + "components": { + "type": "array", + "additionalItems": false, + "items": {"$ref": "#/definitions/component"}, + "uniqueItems": true, + "title": "Components", + "description": "A list of software and hardware components." + }, + "services": { + "type": "array", + "additionalItems": false, + "items": {"$ref": "#/definitions/service"}, + "uniqueItems": true, + "title": "Services", + "description": "A list of services. This may include microservices, function-as-a-service, and other types of network or intra-process services." + }, + "externalReferences": { + "type": "array", + "additionalItems": false, + "items": {"$ref": "#/definitions/externalReference"}, + "title": "External References", + "description": "External references provide a way to document systems, sites, and information that may be relevant but which are not included with the BOM." + }, + "dependencies": { + "type": "array", + "additionalItems": false, + "items": {"$ref": "#/definitions/dependency"}, + "uniqueItems": true, + "title": "Dependencies", + "description": "Provides the ability to document dependency relationships." + }, + "compositions": { + "type": "array", + "additionalItems": false, + "items": {"$ref": "#/definitions/compositions"}, + "uniqueItems": true, + "title": "Compositions", + "description": "Compositions describe constituent parts (including components, services, and dependency relationships) and their completeness." + }, + "vulnerabilities": { + "type": "array", + "additionalItems": false, + "items": {"$ref": "#/definitions/vulnerability"}, + "uniqueItems": true, + "title": "Vulnerabilities", + "description": "Vulnerabilities identified in components or services." 
+ }, + "signature": { + "$ref": "#/definitions/signature", + "title": "Signature", + "description": "Enveloped signature in [JSON Signature Format (JSF)](https://cyberphone.github.io/doc/security/jsf.html)." + } + }, + "definitions": { + "refType": { + "$comment": "Identifier-DataType for interlinked elements.", + "type": "string" + }, + "metadata": { + "type": "object", + "title": "BOM Metadata Object", + "additionalProperties": false, + "properties": { + "timestamp": { + "type": "string", + "format": "date-time", + "title": "Timestamp", + "description": "The date and time (timestamp) when the BOM was created." + }, + "tools": { + "type": "array", + "title": "Creation Tools", + "description": "The tool(s) used in the creation of the BOM.", + "additionalItems": false, + "items": {"$ref": "#/definitions/tool"} + }, + "authors" :{ + "type": "array", + "title": "Authors", + "description": "The person(s) who created the BOM. Authors are common in BOMs created through manual processes. BOMs created through automated means may not have authors.", + "additionalItems": false, + "items": {"$ref": "#/definitions/organizationalContact"} + }, + "component": { + "title": "Component", + "description": "The component that the BOM describes.", + "$ref": "#/definitions/component" + }, + "manufacture": { + "title": "Manufacture", + "description": "The organization that manufactured the component that the BOM describes.", + "$ref": "#/definitions/organizationalEntity" + }, + "supplier": { + "title": "Supplier", + "description": " The organization that supplied the component that the BOM describes. 
The supplier may often be the manufacturer, but may also be a distributor or repackager.", + "$ref": "#/definitions/organizationalEntity" + }, + "licenses": { + "type": "array", + "title": "BOM License(s)", + "additionalItems": false, + "items": {"$ref": "#/definitions/licenseChoice"} + }, + "properties": { + "type": "array", + "title": "Properties", + "description": "Provides the ability to document properties in a name-value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. Unlike key-value stores, properties support duplicate names, each potentially having different values. Property names of interest to the general public are encouraged to be registered in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy). Formal registration is OPTIONAL.", + "additionalItems": false, + "items": {"$ref": "#/definitions/property"} + } + } + }, + "tool": { + "type": "object", + "title": "Tool", + "description": "Information about the automated or manual tool used", + "additionalProperties": false, + "properties": { + "vendor": { + "type": "string", + "title": "Tool Vendor", + "description": "The name of the vendor who created the tool" + }, + "name": { + "type": "string", + "title": "Tool Name", + "description": "The name of the tool" + }, + "version": { + "type": "string", + "title": "Tool Version", + "description": "The version of the tool" + }, + "hashes": { + "type": "array", + "additionalItems": false, + "items": {"$ref": "#/definitions/hash"}, + "title": "Hashes", + "description": "The hashes of the tool (if applicable)." 
+ }, + "externalReferences": { + "type": "array", + "additionalItems": false, + "items": {"$ref": "#/definitions/externalReference"}, + "title": "External References", + "description": "External references provide a way to document systems, sites, and information that may be relevant but which are not included with the BOM." + } + } + }, + "organizationalEntity": { + "type": "object", + "title": "Organizational Entity Object", + "description": "", + "additionalProperties": false, + "properties": { + "name": { + "type": "string", + "title": "Name", + "description": "The name of the organization", + "examples": [ + "Example Inc." + ] + }, + "url": { + "type": "array", + "items": { + "type": "string", + "format": "iri-reference" + }, + "title": "URL", + "description": "The URL of the organization. Multiple URLs are allowed.", + "examples": ["https://example.com"] + }, + "contact": { + "type": "array", + "title": "Contact", + "description": "A contact at the organization. Multiple contacts are allowed.", + "additionalItems": false, + "items": {"$ref": "#/definitions/organizationalContact"} + } + } + }, + "organizationalContact": { + "type": "object", + "title": "Organizational Contact Object", + "description": "", + "additionalProperties": false, + "properties": { + "name": { + "type": "string", + "title": "Name", + "description": "The name of a contact", + "examples": ["Contact name"] + }, + "email": { + "type": "string", + "format": "idn-email", + "title": "Email Address", + "description": "The email address of the contact.", + "examples": ["firstname.lastname@example.com"] + }, + "phone": { + "type": "string", + "title": "Phone", + "description": "The phone number of the contact.", + "examples": ["800-555-1212"] + } + } + }, + "component": { + "type": "object", + "title": "Component Object", + "required": [ + "type", + "name" + ], + "additionalProperties": false, + "properties": { + "type": { + "type": "string", + "enum": [ + "application", + "framework", + 
"library", + "container", + "operating-system", + "device", + "firmware", + "file" + ], + "title": "Component Type", + "description": "Specifies the type of component. For software components, classify as application if no more specific appropriate classification is available or cannot be determined for the component. Types include:\n\n* __application__ = A software application. Refer to [https://en.wikipedia.org/wiki/Application_software](https://en.wikipedia.org/wiki/Application_software) for information about applications.\n* __framework__ = A software framework. Refer to [https://en.wikipedia.org/wiki/Software_framework](https://en.wikipedia.org/wiki/Software_framework) for information on how frameworks vary slightly from libraries.\n* __library__ = A software library. Refer to [https://en.wikipedia.org/wiki/Library_(computing)](https://en.wikipedia.org/wiki/Library_(computing))\n for information about libraries. All third-party and open source reusable components will likely be a library. If the library also has key features of a framework, then it should be classified as a framework. If not, or is unknown, then specifying library is RECOMMENDED.\n* __container__ = A packaging and/or runtime format, not specific to any particular technology, which isolates software inside the container from software outside of a container through virtualization technology. Refer to [https://en.wikipedia.org/wiki/OS-level_virtualization](https://en.wikipedia.org/wiki/OS-level_virtualization)\n* __operating-system__ = A software operating system without regard to deployment model (i.e. installed on physical hardware, virtual machine, image, etc) Refer to [https://en.wikipedia.org/wiki/Operating_system](https://en.wikipedia.org/wiki/Operating_system)\n* __device__ = A hardware device such as a processor, or chip-set. 
A hardware device containing firmware SHOULD include a component for the physical hardware itself, and another component of type 'firmware' or 'operating-system' (whichever is relevant), describing information about the software running on the device.\n See also the list of [known device properties](https://github.com/CycloneDX/cyclonedx-property-taxonomy/blob/main/cdx/device.md).\n* __firmware__ = A special type of software that provides low-level control over a devices hardware. Refer to [https://en.wikipedia.org/wiki/Firmware](https://en.wikipedia.org/wiki/Firmware)\n* __file__ = A computer file. Refer to [https://en.wikipedia.org/wiki/Computer_file](https://en.wikipedia.org/wiki/Computer_file) for information about files.", + "examples": ["library"] + }, + "mime-type": { + "type": "string", + "title": "Mime-Type", + "description": "The optional mime-type of the component. When used on file components, the mime-type can provide additional context about the kind of file being represented such as an image, font, or executable. Some library or framework components may also have an associated mime-type.", + "examples": ["image/jpeg"], + "pattern": "^[-+a-z0-9.]+/[-+a-z0-9.]+$" + }, + "bom-ref": { + "$ref": "#/definitions/refType", + "title": "BOM Reference", + "description": "An optional identifier which can be used to reference the component elsewhere in the BOM. Every bom-ref MUST be unique within the BOM." + }, + "supplier": { + "title": "Component Supplier", + "description": " The organization that supplied the component. 
The supplier may often be the manufacturer, but may also be a distributor or repackager.", + "$ref": "#/definitions/organizationalEntity" + }, + "author": { + "type": "string", + "title": "Component Author", + "description": "The person(s) or organization(s) that authored the component", + "examples": ["Acme Inc"] + }, + "publisher": { + "type": "string", + "title": "Component Publisher", + "description": "The person(s) or organization(s) that published the component", + "examples": ["Acme Inc"] + }, + "group": { + "type": "string", + "title": "Component Group", + "description": "The grouping name or identifier. This will often be a shortened, single name of the company or project that produced the component, or the source package or domain name. Whitespace and special characters should be avoided. Examples include: apache, org.apache.commons, and apache.org.", + "examples": ["com.acme"] + }, + "name": { + "type": "string", + "title": "Component Name", + "description": "The name of the component. This will often be a shortened, single name of the component. Examples: commons-lang3 and jquery", + "examples": ["tomcat-catalina"] + }, + "version": { + "type": "string", + "title": "Component Version", + "description": "The component version. The version should ideally comply with semantic versioning but is not enforced.", + "examples": ["9.0.14"] + }, + "description": { + "type": "string", + "title": "Component Description", + "description": "Specifies a description for the component" + }, + "scope": { + "type": "string", + "enum": [ + "required", + "optional", + "excluded" + ], + "title": "Component Scope", + "description": "Specifies the scope of the component. 
If scope is not specified, 'required' scope SHOULD be assumed by the consumer of the BOM.", + "default": "required" + }, + "hashes": { + "type": "array", + "title": "Component Hashes", + "additionalItems": false, + "items": {"$ref": "#/definitions/hash"} + }, + "licenses": { + "type": "array", + "additionalItems": false, + "items": {"$ref": "#/definitions/licenseChoice"}, + "title": "Component License(s)" + }, + "copyright": { + "type": "string", + "title": "Component Copyright", + "description": "A copyright notice informing users of the underlying claims to copyright ownership in a published work.", + "examples": ["Acme Inc"] + }, + "cpe": { + "type": "string", + "title": "Component Common Platform Enumeration (CPE)", + "description": "Specifies a well-formed CPE name that conforms to the CPE 2.2 or 2.3 specification. See [https://nvd.nist.gov/products/cpe](https://nvd.nist.gov/products/cpe)", + "examples": ["cpe:2.3:a:acme:component_framework:-:*:*:*:*:*:*:*"] + }, + "purl": { + "type": "string", + "title": "Component Package URL (purl)", + "description": "Specifies the package-url (purl). The purl, if specified, MUST be valid and conform to the specification defined at: [https://github.com/package-url/purl-spec](https://github.com/package-url/purl-spec)", + "examples": ["pkg:maven/com.acme/tomcat-catalina@9.0.14?packaging=jar"] + }, + "swid": { + "$ref": "#/definitions/swid", + "title": "SWID Tag", + "description": "Specifies metadata and content for [ISO-IEC 19770-2 Software Identification (SWID) Tags](https://www.iso.org/standard/65666.html)." + }, + "modified": { + "type": "boolean", + "title": "Component Modified From Original", + "description": "[Deprecated] - DO NOT USE. This will be removed in a future version. Use the pedigree element instead to supply information on exactly how the component was modified. A boolean value indicating if the component has been modified from the original. 
A value of true indicates the component is a derivative of the original. A value of false indicates the component has not been modified from the original." + }, + "pedigree": { + "type": "object", + "title": "Component Pedigree", + "description": "Component pedigree is a way to document complex supply chain scenarios where components are created, distributed, modified, redistributed, combined with other components, etc. Pedigree supports viewing this complex chain from the beginning, the end, or anywhere in the middle. It also provides a way to document variants where the exact relation may not be known.", + "additionalProperties": false, + "properties": { + "ancestors": { + "type": "array", + "title": "Ancestors", + "description": "Describes zero or more components in which a component is derived from. This is commonly used to describe forks from existing projects where the forked version contains a ancestor node containing the original component it was forked from. For example, Component A is the original component. Component B is the component being used and documented in the BOM. However, Component B contains a pedigree node with a single ancestor documenting Component A - the original component from which Component B is derived from.", + "additionalItems": false, + "items": {"$ref": "#/definitions/component"} + }, + "descendants": { + "type": "array", + "title": "Descendants", + "description": "Descendants are the exact opposite of ancestors. This provides a way to document all forks (and their forks) of an original or root component.", + "additionalItems": false, + "items": {"$ref": "#/definitions/component"} + }, + "variants": { + "type": "array", + "title": "Variants", + "description": "Variants describe relations where the relationship between the components are not known. For example, if Component A contains nearly identical code to Component B. 
They are both related, but it is unclear if one is derived from the other, or if they share a common ancestor.", + "additionalItems": false, + "items": {"$ref": "#/definitions/component"} + }, + "commits": { + "type": "array", + "title": "Commits", + "description": "A list of zero or more commits which provide a trail describing how the component deviates from an ancestor, descendant, or variant.", + "additionalItems": false, + "items": {"$ref": "#/definitions/commit"} + }, + "patches": { + "type": "array", + "title": "Patches", + "description": ">A list of zero or more patches describing how the component deviates from an ancestor, descendant, or variant. Patches may be complimentary to commits or may be used in place of commits.", + "additionalItems": false, + "items": {"$ref": "#/definitions/patch"} + }, + "notes": { + "type": "string", + "title": "Notes", + "description": "Notes, observations, and other non-structured commentary describing the components pedigree." + } + } + }, + "externalReferences": { + "type": "array", + "additionalItems": false, + "items": {"$ref": "#/definitions/externalReference"}, + "title": "External References", + "description": "External references provide a way to document systems, sites, and information that may be relevant but which are not included with the BOM." + }, + "components": { + "type": "array", + "additionalItems": false, + "items": {"$ref": "#/definitions/component"}, + "uniqueItems": true, + "title": "Components", + "description": "A list of software and hardware components included in the parent component. This is not a dependency tree. It provides a way to specify a hierarchical representation of component assemblies, similar to system → subsystem → parts assembly in physical supply chains." + }, + "evidence": { + "$ref": "#/definitions/componentEvidence", + "title": "Evidence", + "description": "Provides the ability to document evidence collected through various forms of extraction or analysis." 
+ }, + "releaseNotes": { + "$ref": "#/definitions/releaseNotes", + "title": "Release notes", + "description": "Specifies optional release notes." + }, + "properties": { + "type": "array", + "title": "Properties", + "description": "Provides the ability to document properties in a name-value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. Unlike key-value stores, properties support duplicate names, each potentially having different values. Property names of interest to the general public are encouraged to be registered in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy). Formal registration is OPTIONAL.", + "additionalItems": false, + "items": {"$ref": "#/definitions/property"} + }, + "signature": { + "$ref": "#/definitions/signature", + "title": "Signature", + "description": "Enveloped signature in [JSON Signature Format (JSF)](https://cyberphone.github.io/doc/security/jsf.html)." + } + } + }, + "swid": { + "type": "object", + "title": "SWID Tag", + "description": "Specifies metadata and content for ISO-IEC 19770-2 Software Identification (SWID) Tags.", + "required": [ + "tagId", + "name" + ], + "additionalProperties": false, + "properties": { + "tagId": { + "type": "string", + "title": "Tag ID", + "description": "Maps to the tagId of a SoftwareIdentity." + }, + "name": { + "type": "string", + "title": "Name", + "description": "Maps to the name of a SoftwareIdentity." + }, + "version": { + "type": "string", + "title": "Version", + "default": "0.0", + "description": "Maps to the version of a SoftwareIdentity." + }, + "tagVersion": { + "type": "integer", + "title": "Tag Version", + "default": 0, + "description": "Maps to the tagVersion of a SoftwareIdentity." + }, + "patch": { + "type": "boolean", + "title": "Patch", + "default": false, + "description": "Maps to the patch of a SoftwareIdentity." 
+ }, + "text": { + "title": "Attachment text", + "description": "Specifies the metadata and content of the SWID tag.", + "$ref": "#/definitions/attachment" + }, + "url": { + "type": "string", + "title": "URL", + "description": "The URL to the SWID file.", + "format": "iri-reference" + } + } + }, + "attachment": { + "type": "object", + "title": "Attachment", + "description": "Specifies the metadata and content for an attachment.", + "required": [ + "content" + ], + "additionalProperties": false, + "properties": { + "contentType": { + "type": "string", + "title": "Content-Type", + "description": "Specifies the content type of the text. Defaults to text/plain if not specified.", + "default": "text/plain" + }, + "encoding": { + "type": "string", + "title": "Encoding", + "description": "Specifies the optional encoding the text is represented in.", + "enum": [ + "base64" + ] + }, + "content": { + "type": "string", + "title": "Attachment Text", + "description": "The attachment data. Proactive controls such as input validation and sanitization should be employed to prevent misuse of attachment text." 
+ } + } + }, + "hash": { + "type": "object", + "title": "Hash Objects", + "required": [ + "alg", + "content" + ], + "additionalProperties": false, + "properties": { + "alg": { + "$ref": "#/definitions/hash-alg" + }, + "content": { + "$ref": "#/definitions/hash-content" + } + } + }, + "hash-alg": { + "type": "string", + "enum": [ + "MD5", + "SHA-1", + "SHA-256", + "SHA-384", + "SHA-512", + "SHA3-256", + "SHA3-384", + "SHA3-512", + "BLAKE2b-256", + "BLAKE2b-384", + "BLAKE2b-512", + "BLAKE3" + ], + "title": "Hash Algorithm" + }, + "hash-content": { + "type": "string", + "title": "Hash Content (value)", + "examples": ["3942447fac867ae5cdb3229b658f4d48"], + "pattern": "^([a-fA-F0-9]{32}|[a-fA-F0-9]{40}|[a-fA-F0-9]{64}|[a-fA-F0-9]{96}|[a-fA-F0-9]{128})$" + }, + "license": { + "type": "object", + "title": "License Object", + "oneOf": [ + { + "required": ["id"] + }, + { + "required": ["name"] + } + ], + "additionalProperties": false, + "properties": { + "id": { + "$ref": "spdx.schema.json", + "title": "License ID (SPDX)", + "description": "A valid SPDX license ID", + "examples": ["Apache-2.0"] + }, + "name": { + "type": "string", + "title": "License Name", + "description": "If SPDX does not define the license used, this field may be used to provide the license name", + "examples": ["Acme Software License"] + }, + "text": { + "title": "License text", + "description": "An optional way to include the textual content of a license.", + "$ref": "#/definitions/attachment" + }, + "url": { + "type": "string", + "title": "License URL", + "description": "The URL to the license file. 
If specified, a 'license' externalReference should also be specified for completeness", + "examples": ["https://www.apache.org/licenses/LICENSE-2.0.txt"], + "format": "iri-reference" + } + } + }, + "licenseChoice": { + "type": "object", + "title": "License(s)", + "additionalProperties": false, + "properties": { + "license": { + "$ref": "#/definitions/license" + }, + "expression": { + "type": "string", + "title": "SPDX License Expression", + "examples": [ + "Apache-2.0 AND (MIT OR GPL-2.0-only)", + "GPL-3.0-only WITH Classpath-exception-2.0" + ] + } + }, + "oneOf":[ + { + "required": ["license"] + }, + { + "required": ["expression"] + } + ] + }, + "commit": { + "type": "object", + "title": "Commit", + "description": "Specifies an individual commit", + "additionalProperties": false, + "properties": { + "uid": { + "type": "string", + "title": "UID", + "description": "A unique identifier of the commit. This may be version control specific. For example, Subversion uses revision numbers whereas git uses commit hashes." + }, + "url": { + "type": "string", + "title": "URL", + "description": "The URL to the commit. 
This URL will typically point to a commit in a version control system.", + "format": "iri-reference" + }, + "author": { + "title": "Author", + "description": "The author who created the changes in the commit", + "$ref": "#/definitions/identifiableAction" + }, + "committer": { + "title": "Committer", + "description": "The person who committed or pushed the commit", + "$ref": "#/definitions/identifiableAction" + }, + "message": { + "type": "string", + "title": "Message", + "description": "The text description of the contents of the commit" + } + } + }, + "patch": { + "type": "object", + "title": "Patch", + "description": "Specifies an individual patch", + "required": [ + "type" + ], + "additionalProperties": false, + "properties": { + "type": { + "type": "string", + "enum": [ + "unofficial", + "monkey", + "backport", + "cherry-pick" + ], + "title": "Type", + "description": "Specifies the purpose for the patch including the resolution of defects, security issues, or new behavior or functionality.\n\n* __unofficial__ = A patch which is not developed by the creators or maintainers of the software being patched. Refer to [https://en.wikipedia.org/wiki/Unofficial_patch](https://en.wikipedia.org/wiki/Unofficial_patch)\n* __monkey__ = A patch which dynamically modifies runtime behavior. Refer to [https://en.wikipedia.org/wiki/Monkey_patch](https://en.wikipedia.org/wiki/Monkey_patch)\n* __backport__ = A patch which takes code from a newer version of software and applies it to older versions of the same software. Refer to [https://en.wikipedia.org/wiki/Backporting](https://en.wikipedia.org/wiki/Backporting)\n* __cherry-pick__ = A patch created by selectively applying commits from other versions or branches of the same software." + }, + "diff": { + "title": "Diff", + "description": "The patch file (or diff) that show changes. 
Refer to [https://en.wikipedia.org/wiki/Diff](https://en.wikipedia.org/wiki/Diff)", + "$ref": "#/definitions/diff" + }, + "resolves": { + "type": "array", + "additionalItems": false, + "items": {"$ref": "#/definitions/issue"}, + "title": "Resolves", + "description": "A collection of issues the patch resolves" + } + } + }, + "diff": { + "type": "object", + "title": "Diff", + "description": "The patch file (or diff) that show changes. Refer to https://en.wikipedia.org/wiki/Diff", + "additionalProperties": false, + "properties": { + "text": { + "title": "Diff text", + "description": "Specifies the optional text of the diff", + "$ref": "#/definitions/attachment" + }, + "url": { + "type": "string", + "title": "URL", + "description": "Specifies the URL to the diff", + "format": "iri-reference" + } + } + }, + "issue": { + "type": "object", + "title": "Diff", + "description": "An individual issue that has been resolved.", + "required": [ + "type" + ], + "additionalProperties": false, + "properties": { + "type": { + "type": "string", + "enum": [ + "defect", + "enhancement", + "security" + ], + "title": "Type", + "description": "Specifies the type of issue" + }, + "id": { + "type": "string", + "title": "ID", + "description": "The identifier of the issue assigned by the source of the issue" + }, + "name": { + "type": "string", + "title": "Name", + "description": "The name of the issue" + }, + "description": { + "type": "string", + "title": "Description", + "description": "A description of the issue" + }, + "source": { + "type": "object", + "title": "Source", + "description": "The source of the issue where it is documented", + "additionalProperties": false, + "properties": { + "name": { + "type": "string", + "title": "Name", + "description": "The name of the source. 
For example 'National Vulnerability Database', 'NVD', and 'Apache'" + }, + "url": { + "type": "string", + "title": "URL", + "description": "The url of the issue documentation as provided by the source", + "format": "iri-reference" + } + } + }, + "references": { + "type": "array", + "items": { + "type": "string", + "format": "iri-reference" + }, + "title": "References", + "description": "A collection of URL's for reference. Multiple URLs are allowed.", + "examples": ["https://example.com"] + } + } + }, + "identifiableAction": { + "type": "object", + "title": "Identifiable Action", + "description": "Specifies an individual commit", + "additionalProperties": false, + "properties": { + "timestamp": { + "type": "string", + "format": "date-time", + "title": "Timestamp", + "description": "The timestamp in which the action occurred" + }, + "name": { + "type": "string", + "title": "Name", + "description": "The name of the individual who performed the action" + }, + "email": { + "type": "string", + "format": "idn-email", + "title": "E-mail", + "description": "The email address of the individual who performed the action" + } + } + }, + "externalReference": { + "type": "object", + "title": "External Reference", + "description": "Specifies an individual external reference", + "required": [ + "url", + "type" + ], + "additionalProperties": false, + "properties": { + "url": { + "type": "string", + "title": "URL", + "description": "The URL to the external reference", + "format": "iri-reference" + }, + "comment": { + "type": "string", + "title": "Comment", + "description": "An optional comment describing the external reference" + }, + "type": { + "type": "string", + "title": "Type", + "description": "Specifies the type of external reference. There are built-in types to describe common references. 
If a type does not exist for the reference being referred to, use the \"other\" type.", + "enum": [ + "vcs", + "issue-tracker", + "website", + "advisories", + "bom", + "mailing-list", + "social", + "chat", + "documentation", + "support", + "distribution", + "license", + "build-meta", + "build-system", + "release-notes", + "other" + ] + }, + "hashes": { + "type": "array", + "additionalItems": false, + "items": {"$ref": "#/definitions/hash"}, + "title": "Hashes", + "description": "The hashes of the external reference (if applicable)." + } + } + }, + "dependency": { + "type": "object", + "title": "Dependency", + "description": "Defines the direct dependencies of a component. Components that do not have their own dependencies MUST be declared as empty elements within the graph. Components that are not represented in the dependency graph MAY have unknown dependencies. It is RECOMMENDED that implementations assume this to be opaque and not an indicator of a component being dependency-free.", + "required": [ + "ref" + ], + "additionalProperties": false, + "properties": { + "ref": { + "$ref": "#/definitions/refType", + "title": "Reference", + "description": "References a component by the components bom-ref attribute" + }, + "dependsOn": { + "type": "array", + "uniqueItems": true, + "additionalItems": false, + "items": { + "$ref": "#/definitions/refType" + }, + "title": "Depends On", + "description": "The bom-ref identifiers of the components that are dependencies of this dependency object." + } + } + }, + "service": { + "type": "object", + "title": "Service Object", + "required": [ + "name" + ], + "additionalProperties": false, + "properties": { + "bom-ref": { + "$ref": "#/definitions/refType", + "title": "BOM Reference", + "description": "An optional identifier which can be used to reference the service elsewhere in the BOM. Every bom-ref MUST be unique within the BOM." 
+ },
+ "provider": {
+ "title": "Provider",
+ "description": "The organization that provides the service.",
+ "$ref": "#/definitions/organizationalEntity"
+ },
+ "group": {
+ "type": "string",
+ "title": "Service Group",
+ "description": "The grouping name, namespace, or identifier. This will often be a shortened, single name of the company or project that produced the service or domain name. Whitespace and special characters should be avoided.",
+ "examples": ["com.acme"]
+ },
+ "name": {
+ "type": "string",
+ "title": "Service Name",
+ "description": "The name of the service. This will often be a shortened, single name of the service.",
+ "examples": ["ticker-service"]
+ },
+ "version": {
+ "type": "string",
+ "title": "Service Version",
+ "description": "The service version.",
+ "examples": ["1.0.0"]
+ },
+ "description": {
+ "type": "string",
+ "title": "Service Description",
+ "description": "Specifies a description for the service"
+ },
+ "endpoints": {
+ "type": "array",
+ "items": {
+ "type": "string",
+ "format": "iri-reference"
+ },
+ "title": "Endpoints",
+ "description": "The endpoint URIs of the service. Multiple endpoints are allowed.",
+ "examples": ["https://example.com/api/v1/ticker"]
+ },
+ "authenticated": {
+ "type": "boolean",
+ "title": "Authentication Required",
+ "description": "A boolean value indicating if the service requires authentication. A value of true indicates the service requires authentication prior to use. A value of false indicates the service does not require authentication."
+ },
+ "x-trust-boundary": {
+ "type": "boolean",
+ "title": "Crosses Trust Boundary",
+ "description": "A boolean value indicating if use of the service crosses a trust zone or boundary. A value of true indicates that by using the service, a trust boundary is crossed. A value of false indicates that by using the service, a trust boundary is not crossed." 
+ },
+ "data": {
+ "type": "array",
+ "additionalItems": false,
+ "items": {"$ref": "#/definitions/dataClassification"},
+ "title": "Data Classification",
+ "description": "Specifies the data classification."
+ },
+ "licenses": {
+ "type": "array",
+ "additionalItems": false,
+ "items": {"$ref": "#/definitions/licenseChoice"},
+ "title": "Component License(s)"
+ },
+ "externalReferences": {
+ "type": "array",
+ "additionalItems": false,
+ "items": {"$ref": "#/definitions/externalReference"},
+ "title": "External References",
+ "description": "External references provide a way to document systems, sites, and information that may be relevant but which are not included with the BOM."
+ },
+ "services": {
+ "type": "array",
+ "additionalItems": false,
+ "items": {"$ref": "#/definitions/service"},
+ "uniqueItems": true,
+ "title": "Services",
+ "description": "A list of services included or deployed behind the parent service. This is not a dependency tree. It provides a way to specify a hierarchical representation of service assemblies."
+ },
+ "releaseNotes": {
+ "$ref": "#/definitions/releaseNotes",
+ "title": "Release notes",
+ "description": "Specifies optional release notes."
+ },
+ "properties": {
+ "type": "array",
+ "title": "Properties",
+ "description": "Provides the ability to document properties in a name-value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. Unlike key-value stores, properties support duplicate names, each potentially having different values. Property names of interest to the general public are encouraged to be registered in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy). 
Formal registration is OPTIONAL.",
+ "additionalItems": false,
+ "items": {"$ref": "#/definitions/property"}
+ },
+ "signature": {
+ "$ref": "#/definitions/signature",
+ "title": "Signature",
+ "description": "Enveloped signature in [JSON Signature Format (JSF)](https://cyberphone.github.io/doc/security/jsf.html)."
+ }
+ }
+ },
+ "dataClassification": {
+ "type": "object",
+ "title": "Hash Objects",
+ "required": [
+ "flow",
+ "classification"
+ ],
+ "additionalProperties": false,
+ "properties": {
+ "flow": {
+ "$ref": "#/definitions/dataFlow",
+ "title": "Directional Flow",
+ "description": "Specifies the flow direction of the data. Direction is relative to the service. Inbound flow states that data enters the service. Outbound flow states that data leaves the service. Bi-directional states that data flows both ways, and unknown states that the direction is not known."
+ },
+ "classification": {
+ "type": "string",
+ "title": "Classification",
+ "description": "Data classification tags data according to its type, sensitivity, and value if altered, stolen, or destroyed."
+ }
+ }
+ },
+ "dataFlow": {
+ "type": "string",
+ "enum": [
+ "inbound",
+ "outbound",
+ "bi-directional",
+ "unknown"
+ ],
+ "title": "Data flow direction",
+ "description": "Specifies the flow direction of the data. Direction is relative to the service. Inbound flow states that data enters the service. Outbound flow states that data leaves the service. Bi-directional states that data flows both ways, and unknown states that the direction is not known." 
+ },
+
+ "copyright": {
+ "type": "object",
+ "title": "Copyright",
+ "required": [
+ "text"
+ ],
+ "additionalProperties": false,
+ "properties": {
+ "text": {
+ "type": "string",
+ "title": "Copyright Text"
+ }
+ }
+ },
+
+ "componentEvidence": {
+ "type": "object",
+ "title": "Evidence",
+ "description": "Provides the ability to document evidence collected through various forms of extraction or analysis.",
+ "additionalProperties": false,
+ "properties": {
+ "licenses": {
+ "type": "array",
+ "additionalItems": false,
+ "items": {"$ref": "#/definitions/licenseChoice"},
+ "title": "Component License(s)"
+ },
+ "copyright": {
+ "type": "array",
+ "additionalItems": false,
+ "items": {"$ref": "#/definitions/copyright"},
+ "title": "Copyright"
+ }
+ }
+ },
+ "compositions": {
+ "type": "object",
+ "title": "Compositions",
+ "required": [
+ "aggregate"
+ ],
+ "additionalProperties": false,
+ "properties": {
+ "aggregate": {
+ "$ref": "#/definitions/aggregateType",
+ "title": "Aggregate",
+ "description": "Specifies an aggregate type that describe how complete a relationship is."
+ },
+ "assemblies": {
+ "type": "array",
+ "uniqueItems": true,
+ "items": {
+ "type": "string"
+ },
+ "title": "BOM references",
+ "description": "The bom-ref identifiers of the components or services being described. Assemblies refer to nested relationships whereby a constituent part may include other constituent parts. References do not cascade to child parts. References are explicit for the specified constituent part only."
+ },
+ "dependencies": {
+ "type": "array",
+ "uniqueItems": true,
+ "items": {
+ "type": "string"
+ },
+ "title": "BOM references",
+ "description": "The bom-ref identifiers of the components or services being described. Dependencies refer to a relationship whereby an independent constituent part requires another independent constituent part. References do not cascade to transitive dependencies. References are explicit for the specified dependency only." 
+ },
+ "signature": {
+ "$ref": "#/definitions/signature",
+ "title": "Signature",
+ "description": "Enveloped signature in [JSON Signature Format (JSF)](https://cyberphone.github.io/doc/security/jsf.html)."
+ }
+ }
+ },
+ "aggregateType": {
+ "type": "string",
+ "default": "not_specified",
+ "enum": [
+ "complete",
+ "incomplete",
+ "incomplete_first_party_only",
+ "incomplete_third_party_only",
+ "unknown",
+ "not_specified"
+ ]
+ },
+ "property": {
+ "type": "object",
+ "title": "Lightweight name-value pair",
+ "properties": {
+ "name": {
+ "type": "string",
+ "title": "Name",
+ "description": "The name of the property. Duplicate names are allowed, each potentially having a different value."
+ },
+ "value": {
+ "type": "string",
+ "title": "Value",
+ "description": "The value of the property."
+ }
+ }
+ },
+ "localeType": {
+ "type": "string",
+ "pattern": "^([a-z]{2})(-[A-Z]{2})?$",
+ "title": "Locale",
+ "description": "Defines a syntax for representing two character language code (ISO-639) followed by an optional two character country code. The language code MUST be lower case. If the country code is specified, the country code MUST be upper case. The language code and country code MUST be separated by a minus sign. Examples: en, en-US, fr, fr-CA"
+ },
+ "releaseType": {
+ "type": "string",
+ "examples": [
+ "major",
+ "minor",
+ "patch",
+ "pre-release",
+ "internal"
+ ],
+ "description": "The software versioning type. It is RECOMMENDED that the release type use one of 'major', 'minor', 'patch', 'pre-release', or 'internal'. 
Representing all possible software release types is not practical, so standardizing on the recommended values, whenever possible, is strongly encouraged.\n\n* __major__ = A major release may contain significant changes or may introduce breaking changes.\n* __minor__ = A minor release, also known as an update, may contain a smaller number of changes than major releases.\n* __patch__ = Patch releases are typically unplanned and may resolve defects or important security issues.\n* __pre-release__ = A pre-release may include alpha, beta, or release candidates and typically have limited support. They provide the ability to preview a release prior to its general availability.\n* __internal__ = Internal releases are not for public consumption and are intended to be used exclusively by the project or manufacturer that produced it."
+ },
+ "note": {
+ "type": "object",
+ "title": "Note",
+ "description": "A note containing the locale and content.",
+ "required": [
+ "text"
+ ],
+ "additionalProperties": false,
+ "properties": {
+ "locale": {
+ "$ref": "#/definitions/localeType",
+ "title": "Locale",
+ "description": "The ISO-639 (or higher) language code and optional ISO-3166 (or higher) country code. Examples include: \"en\", \"en-US\", \"fr\" and \"fr-CA\""
+ },
+ "text": {
+ "title": "Release note content",
+ "description": "Specifies the full content of the release note.",
+ "$ref": "#/definitions/attachment"
+ }
+ }
+ },
+ "releaseNotes": {
+ "type": "object",
+ "title": "Release notes",
+ "required": [
+ "type"
+ ],
+ "additionalProperties": false,
+ "properties": {
+ "type": {
+ "$ref": "#/definitions/releaseType",
+ "title": "Type",
+ "description": "The software versioning type the release note describes."
+ },
+ "title": {
+ "type": "string",
+ "title": "Title",
+ "description": "The title of the release." 
+ },
+ "featuredImage": {
+ "type": "string",
+ "format": "iri-reference",
+ "title": "Featured image",
+ "description": "The URL to an image that may be prominently displayed with the release note."
+ },
+ "socialImage": {
+ "type": "string",
+ "format": "iri-reference",
+ "title": "Social image",
+ "description": "The URL to an image that may be used in messaging on social media platforms."
+ },
+ "description": {
+ "type": "string",
+ "title": "Description",
+ "description": "A short description of the release."
+ },
+ "timestamp": {
+ "type": "string",
+ "format": "date-time",
+ "title": "Timestamp",
+ "description": "The date and time (timestamp) when the release note was created."
+ },
+ "aliases": {
+ "type": "array",
+ "items": {
+ "type": "string"
+ },
+ "title": "Aliases",
+ "description": "One or more alternate names the release may be referred to. This may include unofficial terms used by development and marketing teams (e.g. code names)."
+ },
+ "tags": {
+ "type": "array",
+ "items": {
+ "type": "string"
+ },
+ "title": "Tags",
+ "description": "One or more tags that may aid in search or retrieval of the release note."
+ },
+ "resolves": {
+ "type": "array",
+ "additionalItems": false,
+ "items": {"$ref": "#/definitions/issue"},
+ "title": "Resolves",
+ "description": "A collection of issues that have been resolved."
+ },
+ "notes": {
+ "type": "array",
+ "additionalItems": false,
+ "items": {"$ref": "#/definitions/note"},
+ "title": "Notes",
+ "description": "Zero or more release notes containing the locale and content. Multiple note objects may be specified to support release notes in a wide variety of languages."
+ },
+ "properties": {
+ "type": "array",
+ "title": "Properties",
+ "description": "Provides the ability to document properties in a name-value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. 
Unlike key-value stores, properties support duplicate names, each potentially having different values. Property names of interest to the general public are encouraged to be registered in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy). Formal registration is OPTIONAL.",
+ "additionalItems": false,
+ "items": {"$ref": "#/definitions/property"}
+ }
+ }
+ },
+ "advisory": {
+ "type": "object",
+ "title": "Advisory",
+ "description": "Title and location where advisory information can be obtained. An advisory is a notification of a threat to a component, service, or system.",
+ "required": ["url"],
+ "additionalProperties": false,
+ "properties": {
+ "title": {
+ "type": "string",
+ "title": "Title",
+ "description": "An optional name of the advisory."
+ },
+ "url": {
+ "type": "string",
+ "title": "URL",
+ "format": "iri-reference",
+ "description": "Location where the advisory can be obtained."
+ }
+ }
+ },
+ "cwe": {
+ "type": "integer",
+ "minimum": 1,
+ "title": "CWE",
+ "description": "Integer representation of a Common Weaknesses Enumerations (CWE). For example 399 (of https://cwe.mitre.org/data/definitions/399.html)"
+ },
+ "severity": {
+ "type": "string",
+ "title": "Severity",
+ "description": "Textual representation of the severity of the vulnerability adopted by the analysis method. 
If the analysis method uses values other than what is provided, the user is expected to translate appropriately.",
+ "enum": [
+ "critical",
+ "high",
+ "medium",
+ "low",
+ "info",
+ "none",
+ "unknown"
+ ]
+ },
+ "scoreMethod": {
+ "type": "string",
+ "title": "Method",
+ "description": "Specifies the severity or risk scoring methodology or standard used.\n\n* CVSSv2 - [Common Vulnerability Scoring System v2](https://www.first.org/cvss/v2/)\n* CVSSv3 - [Common Vulnerability Scoring System v3](https://www.first.org/cvss/v3-0/)\n* CVSSv31 - [Common Vulnerability Scoring System v3.1](https://www.first.org/cvss/v3-1/)\n* OWASP - [OWASP Risk Rating Methodology](https://owasp.org/www-community/OWASP_Risk_Rating_Methodology)",
+ "enum": [
+ "CVSSv2",
+ "CVSSv3",
+ "CVSSv31",
+ "OWASP",
+ "other"
+ ]
+ },
+ "impactAnalysisState": {
+ "type": "string",
+ "title": "Impact Analysis State",
+ "description": "Declares the current state of an occurrence of a vulnerability, after automated or manual analysis. \n\n* __resolved__ = the vulnerability has been remediated. \n* __resolved\\_with\\_pedigree__ = the vulnerability has been remediated and evidence of the changes are provided in the affected components pedigree containing verifiable commit history and/or diff(s). \n* __exploitable__ = the vulnerability may be directly or indirectly exploitable. \n* __in\\_triage__ = the vulnerability is being investigated. \n* __false\\_positive__ = the vulnerability is not specific to the component or service and was falsely identified or associated. \n* __not\\_affected__ = the component or service is not affected by the vulnerability. 
Justification should be specified for all not_affected cases.",
+ "enum": [
+ "resolved",
+ "resolved_with_pedigree",
+ "exploitable",
+ "in_triage",
+ "false_positive",
+ "not_affected"
+ ]
+ },
+ "impactAnalysisJustification": {
+ "type": "string",
+ "title": "Impact Analysis Justification",
+ "description": "The rationale of why the impact analysis state was asserted. \n\n* __code\\_not\\_present__ = the code has been removed or tree-shaked. \n* __code\\_not\\_reachable__ = the vulnerable code is not invoked at runtime. \n* __requires\\_configuration__ = exploitability requires a configurable option to be set/unset. \n* __requires\\_dependency__ = exploitability requires a dependency that is not present. \n* __requires\\_environment__ = exploitability requires a certain environment which is not present. \n* __protected\\_by\\_compiler__ = exploitability requires a compiler flag to be set/unset. \n* __protected\\_at\\_runtime__ = exploits are prevented at runtime. \n* __protected\\_at\\_perimeter__ = attacks are blocked at physical, logical, or network perimeter. \n* __protected\\_by\\_mitigating\\_control__ = preventative measures have been implemented that reduce the likelihood and/or impact of the vulnerability.",
+ "enum": [
+ "code_not_present",
+ "code_not_reachable",
+ "requires_configuration",
+ "requires_dependency",
+ "requires_environment",
+ "protected_by_compiler",
+ "protected_at_runtime",
+ "protected_at_perimeter",
+ "protected_by_mitigating_control"
+ ]
+ },
+ "rating": {
+ "type": "object",
+ "title": "Rating",
+ "description": "Defines the severity or risk ratings of a vulnerability.",
+ "additionalProperties": false,
+ "properties": {
+ "source": {
+ "$ref": "#/definitions/vulnerabilitySource",
+ "description": "The source that calculated the severity or risk rating of the vulnerability."
+ },
+ "score": {
+ "type": "number",
+ "title": "Score",
+ "description": "The numerical score of the rating." 
+ },
+ "severity": {
+ "$ref": "#/definitions/severity",
+ "description": "Textual representation of the severity that corresponds to the numerical score of the rating."
+ },
+ "method": {
+ "$ref": "#/definitions/scoreMethod"
+ },
+ "vector": {
+ "type": "string",
+ "title": "Vector",
+ "description": "Textual representation of the metric values used to score the vulnerability"
+ },
+ "justification": {
+ "type": "string",
+ "title": "Justification",
+ "description": "An optional reason for rating the vulnerability as it was"
+ }
+ }
+ },
+ "vulnerabilitySource": {
+ "type": "object",
+ "title": "Source",
+ "description": "The source of vulnerability information. This is often the organization that published the vulnerability.",
+ "additionalProperties": false,
+ "properties": {
+ "url": {
+ "type": "string",
+ "title": "URL",
+ "description": "The url of the vulnerability documentation as provided by the source.",
+ "examples": [
+ "https://nvd.nist.gov/vuln/detail/CVE-2021-39182"
+ ]
+ },
+ "name": {
+ "type": "string",
+ "title": "Name",
+ "description": "The name of the source.",
+ "examples": [
+ "NVD",
+ "National Vulnerability Database",
+ "OSS Index",
+ "VulnDB",
+ "GitHub Advisories"
+ ]
+ }
+ }
+ },
+ "vulnerability": {
+ "type": "object",
+ "title": "Vulnerability",
+ "description": "Defines a weakness in an component or service that could be exploited or triggered by a threat source.",
+ "additionalProperties": false,
+ "properties": {
+ "bom-ref": {
+ "$ref": "#/definitions/refType",
+ "title": "BOM Reference",
+ "description": "An optional identifier which can be used to reference the vulnerability elsewhere in the BOM. Every bom-ref MUST be unique within the BOM." 
+ },
+ "id": {
+ "type": "string",
+ "title": "ID",
+ "description": "The identifier that uniquely identifies the vulnerability.",
+ "examples": [
+ "CVE-2021-39182",
+ "GHSA-35m5-8cvj-8783",
+ "SNYK-PYTHON-ENROCRYPT-1912876"
+ ]
+ },
+ "source": {
+ "$ref": "#/definitions/vulnerabilitySource",
+ "description": "The source that published the vulnerability."
+ },
+ "references": {
+ "type": "array",
+ "title": "References",
+ "description": "Zero or more pointers to vulnerabilities that are the equivalent of the vulnerability specified. Often times, the same vulnerability may exist in multiple sources of vulnerability intelligence, but have different identifiers. References provide a way to correlate vulnerabilities across multiple sources of vulnerability intelligence.",
+ "additionalItems": false,
+ "items": {
+ "required": [
+ "id",
+ "source"
+ ],
+ "additionalProperties": false,
+ "properties": {
+ "id": {
+ "type": "string",
+ "title": "ID",
+ "description": "An identifier that uniquely identifies the vulnerability.",
+ "examples": [
+ "CVE-2021-39182",
+ "GHSA-35m5-8cvj-8783",
+ "SNYK-PYTHON-ENROCRYPT-1912876"
+ ]
+ },
+ "source": {
+ "$ref": "#/definitions/vulnerabilitySource",
+ "description": "The source that published the vulnerability."
+ }
+ }
+ }
+ },
+ "ratings": {
+ "type": "array",
+ "title": "Ratings",
+ "description": "List of vulnerability ratings",
+ "additionalItems": false,
+ "items": {
+ "$ref": "#/definitions/rating"
+ }
+ },
+ "cwes": {
+ "type": "array",
+ "title": "CWEs",
+ "description": "List of Common Weaknesses Enumerations (CWEs) codes that describes this vulnerability. For example 399 (of https://cwe.mitre.org/data/definitions/399.html)",
+ "examples": [399],
+ "additionalItems": false,
+ "items": {
+ "$ref": "#/definitions/cwe"
+ }
+ },
+ "description": {
+ "type": "string",
+ "title": "Description",
+ "description": "A description of the vulnerability as provided by the source." 
+ },
+ "detail": {
+ "type": "string",
+ "title": "Details",
+ "description": "If available, an in-depth description of the vulnerability as provided by the source organization. Details often include examples, proof-of-concepts, and other information useful in understanding root cause."
+ },
+ "recommendation": {
+ "type": "string",
+ "title": "Details",
+ "description": "Recommendations of how the vulnerability can be remediated or mitigated."
+ },
+ "advisories": {
+ "type": "array",
+ "title": "Advisories",
+ "description": "Published advisories of the vulnerability if provided.",
+ "additionalItems": false,
+ "items": {
+ "$ref": "#/definitions/advisory"
+ }
+ },
+ "created": {
+ "type": "string",
+ "format": "date-time",
+ "title": "Created",
+ "description": "The date and time (timestamp) when the vulnerability record was created in the vulnerability database."
+ },
+ "published": {
+ "type": "string",
+ "format": "date-time",
+ "title": "Published",
+ "description": "The date and time (timestamp) when the vulnerability record was first published."
+ },
+ "updated": {
+ "type": "string",
+ "format": "date-time",
+ "title": "Updated",
+ "description": "The date and time (timestamp) when the vulnerability record was last updated." 
+ },
+ "credits": {
+ "type": "object",
+ "title": "Credits",
+ "description": "Individuals or organizations credited with the discovery of the vulnerability.",
+ "additionalProperties": false,
+ "properties": {
+ "organizations": {
+ "type": "array",
+ "title": "Organizations",
+ "description": "The organizations credited with vulnerability discovery.",
+ "additionalItems": false,
+ "items": {
+ "$ref": "#/definitions/organizationalEntity"
+ }
+ },
+ "individuals": {
+ "type": "array",
+ "title": "Individuals",
+ "description": "The individuals, not associated with organizations, that are credited with vulnerability discovery.",
+ "additionalItems": false,
+ "items": {
+ "$ref": "#/definitions/organizationalContact"
+ }
+ }
+ }
+ },
+ "tools": {
+ "type": "array",
+ "title": "Creation Tools",
+ "description": "The tool(s) used to identify, confirm, or score the vulnerability.",
+ "additionalItems": false,
+ "items": {"$ref": "#/definitions/tool"}
+ },
+ "analysis": {
+ "type": "object",
+ "title": "Impact Analysis",
+ "description": "An assessment of the impact and exploitability of the vulnerability.",
+ "additionalProperties": false,
+ "properties": {
+ "state": {
+ "$ref": "#/definitions/impactAnalysisState"
+ },
+ "justification": {
+ "$ref": "#/definitions/impactAnalysisJustification"
+ },
+ "response": {
+ "type": "array",
+ "title": "Response",
+ "description": "A response to the vulnerability by the manufacturer, supplier, or project responsible for the affected component or service. More than one response is allowed. Responses are strongly encouraged for vulnerabilities where the analysis state is exploitable.",
+ "additionalItems": false,
+ "items": {
+ "type": "string",
+ "enum": [
+ "can_not_fix",
+ "will_not_fix",
+ "update",
+ "rollback",
+ "workaround_available"
+ ]
+ }
+ },
+ "detail": {
+ "type": "string",
+ "title": "Detail",
+ "description": "Detailed description of the impact including methods used during assessment. 
If a vulnerability is not exploitable, this field should include specific details on why the component or service is not impacted by this vulnerability."
+ }
+ }
+ },
+ "affects": {
+ "type": "array",
+ "uniqueItems": true,
+ "additionalItems": false,
+ "items": {
+ "required": [
+ "ref"
+ ],
+ "additionalProperties": false,
+ "properties": {
+ "ref": {
+ "$ref": "#/definitions/refType",
+ "title": "Reference",
+ "description": "References a component or service by the objects bom-ref"
+ },
+ "versions": {
+ "type": "array",
+ "title": "Versions",
+ "description": "Zero or more individual versions or range of versions.",
+ "additionalItems": false,
+ "items": {
+ "oneOf": [
+ {
+ "required": ["version"]
+ },
+ {
+ "required": ["range"]
+ }
+ ],
+ "additionalProperties": false,
+ "properties": {
+ "version": {
+ "description": "A single version of a component or service.",
+ "$ref": "#/definitions/version"
+ },
+ "range": {
+ "description": "A version range specified in Package URL Version Range syntax (vers) which is defined at https://github.com/package-url/vers-spec",
+ "$ref": "#/definitions/range"
+ },
+ "status": {
+ "description": "The vulnerability status for the version or range of versions.",
+ "$ref": "#/definitions/affectedStatus",
+ "default": "affected"
+ }
+ }
+ }
+ }
+ }
+ },
+ "title": "Affects",
+ "description": "The components or services that are affected by the vulnerability."
+ },
+ "properties": {
+ "type": "array",
+ "title": "Properties",
+ "description": "Provides the ability to document properties in a name-value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. Unlike key-value stores, properties support duplicate names, each potentially having different values. 
Property names of interest to the general public are encouraged to be registered in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy). Formal registration is OPTIONAL.",
+ "additionalItems": false,
+ "items": {
+ "$ref": "#/definitions/property"
+ }
+ }
+ }
+ },
+ "affectedStatus": {
+ "description": "The vulnerability status of a given version or range of versions of a product. The statuses 'affected' and 'unaffected' indicate that the version is affected or unaffected by the vulnerability. The status 'unknown' indicates that it is unknown or unspecified whether the given version is affected. There can be many reasons for an 'unknown' status, including that an investigation has not been undertaken or that a vendor has not disclosed the status.",
+ "type": "string",
+ "enum": [
+ "affected",
+ "unaffected",
+ "unknown"
+ ]
+ },
+ "version": {
+ "description": "A single version of a component or service.",
+ "type": "string",
+ "minLength": 1,
+ "maxLength": 1024
+ },
+ "range": {
+ "description": "A version range specified in Package URL Version Range syntax (vers) which is defined at https://github.com/package-url/vers-spec",
+ "type": "string",
+ "minLength": 1,
+ "maxLength": 1024
+ },
+ "signature": {
+ "$ref": "jsf-0.82.schema.json#/definitions/signature",
+ "title": "Signature",
+ "description": "Enveloped signature in [JSON Signature Format (JSF)](https://cyberphone.github.io/doc/security/jsf.html)."
+ }
+ }
+}
diff --git a/schema/bom-1.4.xsd b/schema/bom-1.4.xsd
new file mode 100644
index 0000000..7b0f8ea
--- /dev/null
+++ b/schema/bom-1.4.xsd 
@@ -0,0 +1,2419 @@ + + + + + + + + + CycloneDX Software Bill of Materials Standard + https://cyclonedx.org/ + Apache License, Version 2.0 + + + + + + Identifier-DataType for interlinked elements. + + + + + + + + + The date and time (timestamp) when the BOM was created. + + + + + The tool(s) used in the creation of the BOM. + + + + + + + + + + The person(s) who created the BOM. Authors are common in BOMs created through + manual processes. BOMs created through automated means may not have authors. + + + + + + + + + + The component that the BOM describes. + + + + + The organization that manufactured the component that the BOM describes. + + + + + The organization that supplied the component that the BOM describes. The + supplier may often be the manufacturer, but may also be a distributor or repackager. + + + + + + Provides the ability to document properties in a key/value store. + This provides flexibility to include data not officially supported in the standard + without having to use additional namespaces or create extensions. Property names + of interest to the general public are encouraged to be registered in the + CycloneDX Property Taxonomy - https://github.com/CycloneDX/cyclonedx-property-taxonomy. + Formal registration is OPTIONAL. + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + User-defined attributes may be used on this element as long as they + do not have the same name as an existing attribute used by the schema. + + + + + + + + + The name of the organization + + + + + The URL of the organization. Multiple URLs are allowed. + + + + + A contact person at the organization. Multiple contacts are allowed. + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + User-defined attributes may be used on this element as long as they + do not have the same name as an existing attribute used by the schema. 
+ + + + + + + Information about the automated or manual tool used + + + + + The name of the vendor who created the tool + + + + + The name of the tool + + + + + The version of the tool + + + + + + + + + + + + Provides the ability to document external references related to the tool. + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + User-defined attributes may be used on this element as long as they + do not have the same name as an existing attribute used by the schema. + + + + + + + + + The name of the contact + + + + + The email address of the contact. + + + + + The phone number of the contact. + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + User-defined attributes may be used on this element as long as they + do not have the same name as an existing attribute used by the schema. + + + + + + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + User-defined attributes may be used on this element as long as they + do not have the same name as an existing attribute used by the schema. + + + + + + + + + The organization that supplied the component. The supplier may often + be the manufacturer, but may also be a distributor or repackager. + + + + + The person(s) or organization(s) that authored the component + + + + + The person(s) or organization(s) that published the component + + + + + The grouping name or identifier. This will often be a shortened, single + name of the company or project that produced the component, or the source package or + domain name. Whitespace and special characters should be avoided. Examples include: + apache, org.apache.commons, and apache.org. + + + + + The name of the component. This will often be a shortened, single name + of the component. Examples: commons-lang3 and jquery + + + + + The component version. 
The version should ideally comply with semantic versioning + but is not enforced. + + + + + Specifies a description for the component + + + + + Specifies the scope of the component. If scope is not specified, 'required' + scope SHOULD be assumed by the consumer of the BOM. + + + + + + + + + + + + + A copyright notice informing users of the underlying claims to + copyright ownership in a published work. + + + + + + Specifies a well-formed CPE name that conforms to the CPE 2.2 or 2.3 specification. See https://nvd.nist.gov/products/cpe + + + + + + + Specifies the package-url (purl). The purl, if specified, MUST be valid and conform + to the specification defined at: https://github.com/package-url/purl-spec + + + + + + + Specifies metadata and content for ISO-IEC 19770-2 Software Identification (SWID) Tags. + + + + + + + DEPRECATED - DO NOT USE. This will be removed in a future version. Use the pedigree + element instead to supply information on exactly how the component was modified. + A boolean value indicating if the component has been modified from the original. + A value of true indicates the component is a derivative of the original. + A value of false indicates the component has not been modified from the original. + + + + + + + Component pedigree is a way to document complex supply chain scenarios where components are + created, distributed, modified, redistributed, combined with other components, etc. + + + + + + Provides the ability to document external references related to the + component or to the project the component describes. + + + + + Provides the ability to document properties in a key/value store. + This provides flexibility to include data not officially supported in the standard + without having to use additional namespaces or create extensions. Property names + of interest to the general public are encouraged to be registered in the + CycloneDX Property Taxonomy - https://github.com/CycloneDX/cyclonedx-property-taxonomy. 
+ Formal registration is OPTIONAL. + + + + + + A list of software and hardware components included in the parent component. This is not a + dependency tree. It provides a way to specify a hierarchical representation of component + assemblies, similar to system -> subsystem -> parts assembly in physical supply chains. + + + + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + + + Provides the ability to document evidence collected through various forms of extraction or analysis. + + + + + Specifies optional release notes. + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + + Specifies the type of component. For software components, classify as application if no more + specific appropriate classification is available or cannot be determined for the component. + + + + + + + The OPTIONAL mime-type of the component. When used on file components, the mime-type + can provide additional context about the kind of file being represented such as an image, + font, or executable. Some library or framework components may also have an associated mime-type. + + + + + + + An optional identifier which can be used to reference the component elsewhere in the BOM. + Uniqueness is enforced within all elements and children of the root-level bom element. + + + + + + User-defined attributes may be used on this element as long as they + do not have the same name as an existing attribute used by the schema. + + + + + + + + + + A valid SPDX license ID + + + + + If SPDX does not define the license used, this field may be used to provide the license name + + + + + + Specifies the optional full text of the attachment + + + + + The URL to the attachment file. If the attachment is a license or BOM, + an externalReference should also be specified for completeness. + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. 
+ + + + + + + + + + + The attachment data. Proactive controls such as input validation and sanitization should be employed to prevent misuse of attachment text. + + + + Specifies the content type of the text. Defaults to text/plain + if not specified. + + + + + + Specifies the optional encoding the text is represented in + + + + + + + + + + Specifies the file hash of the component + + + + + + Specifies the algorithm used to create the hash + + + + + + + + + + + The component is required for runtime + + + + + The component is optional at runtime. Optional components are components that + are not capable of being called due to them not be installed or otherwise accessible by any means. + Components that are installed but due to configuration or other restrictions are prohibited from + being called must be scoped as 'required'. + + + + + Components that are excluded provide the ability to document component usage + for test and other non-runtime purposes. Excluded components are not reachable within a call + graph at runtime. + + + + + + + + + + A software application. Refer to https://en.wikipedia.org/wiki/Application_software + for information about applications. + + + + + A software framework. Refer to https://en.wikipedia.org/wiki/Software_framework + for information on how frameworks vary slightly from libraries. + + + + + A software library. Refer to https://en.wikipedia.org/wiki/Library_(computing) + for information about libraries. All third-party and open source reusable components will likely + be a library. If the library also has key features of a framework, then it should be classified + as a framework. If not, or is unknown, then specifying library is recommended. + + + + + A packaging and/or runtime format, not specific to any particular technology, + which isolates software inside the container from software outside of a container through + virtualization technology. 
Refer to https://en.wikipedia.org/wiki/OS-level_virtualization + + + + + A software operating system without regard to deployment model + (i.e. installed on physical hardware, virtual machine, image, etc) Refer to + https://en.wikipedia.org/wiki/Operating_system + + + + + A hardware device such as a processor, or chip-set. A hardware device + containing firmware SHOULD include a component for the physical hardware itself, and another + component of type 'firmware' or 'operating-system' (whichever is relevant), describing + information about the software running on the device. + See also the list of known device properties: https://github.com/CycloneDX/cyclonedx-property-taxonomy/blob/main/cdx/device.md + + + + + + A special type of software that provides low-level control over a devices + hardware. Refer to https://en.wikipedia.org/wiki/Firmware + + + + + A computer file. Refer to https://en.wikipedia.org/wiki/Computer_file + for information about files. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Define the format for acceptable CPE URIs. Supports CPE 2.2 and CPE 2.3 formats. + Refer to https://nvd.nist.gov/products/cpe for official specification. + + + + + + + + + + + + Specifies the full content of the SWID tag. + + + + + The URL to the SWID file. + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + Maps to the tagId of a SoftwareIdentity. + + + + + Maps to the name of a SoftwareIdentity. + + + + + Maps to the version of a SoftwareIdentity. + + + + + Maps to the tagVersion of a SoftwareIdentity. + + + + + Maps to the patch of a SoftwareIdentity. + + + + + + + + Defines a string representation of a UUID conforming to RFC 4122. 
+ + + + + + + + + + + + Version Control System + + + + + Issue or defect tracking system, or an Application Lifecycle Management (ALM) system + + + + + Website + + + + + Security advisories + + + + + Bill-of-material document (CycloneDX, SPDX, SWID, etc) + + + + + Mailing list or discussion group + + + + + Social media account + + + + + Real-time chat platform + + + + + Documentation, guides, or how-to instructions + + + + + Community or commercial support + + + + + Direct or repository download location + + + + + The URL to the license file. If a license URL has been defined in the license + node, it should also be defined as an external reference for completeness + + + + + Build-system specific meta file (i.e. pom.xml, package.json, .nuspec, etc) + + + + + URL to an automated build system + + + + + URL to release notes + + + + + Use this if no other types accurately describe the purpose of the external reference + + + + + + + + + External references provide a way to document systems, sites, and information that may be relevant + but which are not included with the BOM. + + + + + + Zero or more external references can be defined + + + + + + + + + + The URL to the external reference + + + + + An optional comment describing the external reference + + + + + + + + + + + + + Specifies the type of external reference. There are built-in types to describe common + references. If a type does not exist for the reference being referred to, use the "other" type. + + + + + + User-defined attributes may be used on this element as long as they + do not have the same name as an existing attribute used by the schema. + + + + + + + Zero or more commits can be specified. + + + + + Specifies an individual commit. + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + + + + + A unique identifier of the commit. This may be version control + specific. 
For example, Subversion uses revision numbers whereas git uses commit hashes. + + + + + + The URL to the commit. This URL will typically point to a commit + in a version control system. + + + + + + The author who created the changes in the commit + + + + + The person who committed or pushed the commit + + + + + The text description of the contents of the commit + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + + + Zero or more patches can be specified. + + + + + Specifies an individual patch. + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + + + + + The patch file (or diff) that show changes. + Refer to https://en.wikipedia.org/wiki/Diff + + + + + + + + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + Specifies the purpose for the patch including the resolution of defects, + security issues, or new behavior or functionality + + + + + + + + + A patch which is not developed by the creators or maintainers of the software + being patched. Refer to https://en.wikipedia.org/wiki/Unofficial_patch + + + + + A patch which dynamically modifies runtime behavior. + Refer to https://en.wikipedia.org/wiki/Monkey_patch + + + + + A patch which takes code from a newer version of software and applies + it to older versions of the same software. Refer to https://en.wikipedia.org/wiki/Backporting + + + + + A patch created by selectively applying commits from other versions or + branches of the same software. + + + + + + + + + + A fault, flaw, or bug in software + + + + + A new feature or behavior in software + + + + + A special type of defect which impacts security + + + + + + + + + + Specifies the optional text of the diff + + + + + Specifies the URL to the diff + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. 
+ + + + + + + + + + An individual issue that has been resolved. + + + + + + The identifier of the issue assigned by the source of the issue + + + + + The name of the issue + + + + + A description of the issue + + + + + + + The source of the issue where it is documented. + + + + + + + The name of the source. For example "National Vulnerability Database", + "NVD", and "Apache" + + + + + + + The url of the issue documentation as provided by the source + + + + + + + + + + + + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + Specifies the type of issue + + + + + + + + + The timestamp in which the action occurred + + + + + The name of the individual who performed the action + + + + + The email address of the individual who performed the action + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + + + + Component pedigree is a way to document complex supply chain scenarios where components are created, + distributed, modified, redistributed, combined with other components, etc. Pedigree supports viewing + this complex chain from the beginning, the end, or anywhere in the middle. It also provides a way to + document variants where the exact relation may not be known. + + + + + + Describes zero or more components in which a component is derived + from. This is commonly used to describe forks from existing projects where the forked version + contains a ancestor node containing the original component it was forked from. For example, + Component A is the original component. Component B is the component being used and documented + in the BOM. However, Component B contains a pedigree node with a single ancestor documenting + Component A - the original component from which Component B is derived from. + + + + + + Descendants are the exact opposite of ancestors. 
This provides a + way to document all forks (and their forks) of an original or root component. + + + + + + Variants describe relations where the relationship between the + components are not known. For example, if Component A contains nearly identical code to + Component B. They are both related, but it is unclear if one is derived from the other, + or if they share a common ancestor. + + + + + + A list of zero or more commits which provide a trail describing + how the component deviates from an ancestor, descendant, or variant. + + + + + A list of zero or more patches describing how the component + deviates from an ancestor, descendant, or variant. Patches may be complimentary to commits + or may be used in place of commits. + + + + + Notes, observations, and other non-structured commentary + describing the components pedigree. + + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + + + + + + + References a component or service by the its bom-ref attribute + + + + + User-defined attributes may be used on this element as long as they + do not have the same name as an existing attribute used by the schema. + + + + + + + + + Components that do not have their own dependencies MUST be declared as empty + elements within the graph. Components that are not represented in the dependency graph MAY + have unknown dependencies. It is RECOMMENDED that implementations assume this to be opaque + and not an indicator of a component being dependency-free. + + + + + + + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + User-defined attributes may be used on this element as long as they + do not have the same name as an existing attribute used by the schema. + + + + + + + + + The organization that provides the service. + + + + + The grouping name, namespace, or identifier. 
This will often be a shortened, + single name of the company or project that produced the service or domain name. + Whitespace and special characters should be avoided. + + + + + The name of the service. This will often be a shortened, single name + of the service. + + + + + The service version. + + + + + Specifies a description for the service. + + + + + + + + A service endpoint URI. + + + + + + + + A boolean value indicating if the service requires authentication. + A value of true indicates the service requires authentication prior to use. + A value of false indicates the service does not require authentication. + + + + + A boolean value indicating if use of the service crosses a trust zone or boundary. + A value of true indicates that by using the service, a trust boundary is crossed. + A value of false indicates that by using the service, a trust boundary is not crossed. + + + + + + + + Specifies the data classification. + + + + + + + + + Provides the ability to document external references related to the service. + + + + + Provides the ability to document properties in a key/value store. + This provides flexibility to include data not officially supported in the standard + without having to use additional namespaces or create extensions. Property names + of interest to the general public are encouraged to be registered in the + CycloneDX Property Taxonomy - https://github.com/CycloneDX/cyclonedx-property-taxonomy. + Formal registration is OPTIONAL. + + + + + + A list of services included or deployed behind the parent service. This is not a dependency + tree. It provides a way to specify a hierarchical representation of service assemblies. + + + + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + + + Specifies optional release notes. + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. 
+ + + + + + + + An optional identifier which can be used to reference the service elsewhere in the BOM. + Uniqueness is enforced within all elements and children of the root-level bom element. + + + + + + User-defined attributes may be used on this element as long as they + do not have the same name as an existing attribute used by the schema. + + + + + + + Specifies the data classification. + + + + + + Specifies the flow direction of the data. + + + + + + + + + Specifies the flow direction of the data. Valid values are: + inbound, outbound, bi-directional, and unknown. Direction is relative to the service. + Inbound flow states that data enters the service. Outbound flow states that data + leaves the service. Bi-directional states that data flows both ways, and unknown + states that the direction is not known. + + + + + + + + + + + + + + + A valid SPDX license expression. + Refer to https://spdx.org/specifications for syntax requirements + + + + + + + + + + + + + + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + User-defined attributes may be used on this element as long as they + do not have the same name as an existing attribute used by the schema. + + + + + + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + User-defined attributes may be used on this element as long as they + do not have the same name as an existing attribute used by the schema. + + + + + + + + + Specifies an aggregate type that describe how complete a relationship is. + + + + + + The bom-ref identifiers of the components or services being described. Assemblies refer to + nested relationships whereby a constituent part may include other constituent parts. References + do not cascade to child parts. References are explicit for the specified constituent part only. 
+ + + + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + + + + The bom-ref identifiers of the components or services being described. Dependencies refer to a + relationship whereby an independent constituent part requires another independent constituent + part. References do not cascade to transitive dependencies. References are explicit for the + specified dependency only. + + + + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + + + + + + + + The relationship is complete. No further relationships including constituent components, services, or dependencies exist. + + + + + The relationship is incomplete. Additional relationships exist and may include constituent components, services, or dependencies. + + + + + The relationship is incomplete. Only relationships for first-party components, services, or their dependencies are represented. + + + + + The relationship is incomplete. Only relationships for third-party components, services, or their dependencies are represented. + + + + + The relationship may be complete or incomplete. This usually signifies a 'best-effort' to obtain constituent components, services, or dependencies but the completeness is inconclusive. + + + + + The relationship completeness is not specified. + + + + + + + + + Defines a syntax for representing two character language code (ISO-639) followed by an optional two + character country code. The language code MUST be lower case. If the country code is specified, the + country code MUST be upper case. The language code and country code MUST be separated by a minus sign. + Examples: en, en-US, fr, fr-CA + + + + + + + + + + + + The software versioning type. It is RECOMMENDED that the release type use one + of 'major', 'minor', 'patch', 'pre-release', or 'internal'. 
Representing all possible software + release types is not practical, so standardizing on the recommended values, whenever possible, + is strongly encouraged. + * major = A major release may contain significant changes or may introduce breaking changes. + * minor = A minor release, also known as an update, may contain a smaller number of changes than major releases. + * patch = Patch releases are typically unplanned and may resolve defects or important security issues. + * pre-release = A pre-release may include alpha, beta, or release candidates and typically have + limited support. They provide the ability to preview a release prior to its general availability. + * internal = Internal releases are not for public consumption and are intended to be used exclusively + by the project or manufacturer that produced it. + + + + + + The title of the release. + + + + + The URL to an image that may be prominently displayed with the release note. + + + + + The URL to an image that may be used in messaging on social media platforms. + + + + + A short description of the release. + + + + + The date and time (timestamp) when the release note was created. + + + + + + + + One or more alternate names the release may be referred to. This may + include unofficial terms used by development and marketing teams (e.g. code names). + + + + + + + + + + + One or more tags that may aid in search or retrieval of the release note. + + + + + + + + A collection of issues that have been resolved. + + + + + + + + + + + + + Zero or more release notes containing the locale and content. Multiple + note elements may be specified to support release notes in a wide variety of languages. + + + + + + The ISO-639 (or higher) language code and optional ISO-3166 + (or higher) country code. Examples include: "en", "en-US", "fr" and "fr-CA". + + + + + Specifies the full content of the release note. + + + + + + + + + + + Provides the ability to document properties in a key/value store. 
+ This provides flexibility to include data not officially supported in the standard + without having to use additional namespaces or create extensions. Property names + of interest to the general public are encouraged to be registered in the + CycloneDX Property Taxonomy - https://github.com/CycloneDX/cyclonedx-property-taxonomy. + Formal registration is OPTIONAL. + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + User-defined attributes may be used on this element as long as they + do not have the same name as an existing attribute used by the schema. + + + + + + + + References a component or service by the its bom-ref attribute + + + + + User-defined attributes may be used on this element as long as they + do not have the same name as an existing attribute used by the schema. + + + + + + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + User-defined attributes may be used on this element as long as they + do not have the same name as an existing attribute used by the schema. + + + + + + + Specifies an individual property with a name and value. + + + + + + The name of the property. Duplicate names are allowed, each potentially having a different value. + + + + + + + + + + + Defines a weakness in an component or service that could be exploited or triggered by a threat source. + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + User-defined attributes may be used on this element as long as they + do not have the same name as an existing attribute used by the schema. + + + + + + + + + The identifier that uniquely identifies the vulnerability. For example: + CVE-2021-39182, GHSA-35m5-8cvj-8783, and SNYK-PYTHON-ENROCRYPT-1912876. + + + + + The source that published the vulnerability. 
+ + + + + Zero or more pointers to vulnerabilities that are the equivalent of the + vulnerability specified. Often times, the same vulnerability may exist in multiple sources of + vulnerability intelligence, but have different identifiers. References provide a way to + correlate vulnerabilities across multiple sources of vulnerability intelligence. + + + + + + A pointer to a vulnerability that is the equivalent of the + vulnerability specified. + + + + + + The identifier that uniquely identifies the vulnerability. For example: + CVE-2021-39182, GHSA-35m5-8cvj-8783, and SNYK-PYTHON-ENROCRYPT-1912876. + + + + + The source that published the vulnerability. + + + + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + + + List of vulnerability ratings. + + + + + + + + + + + + List of Common Weaknesses Enumerations (CWEs) codes that describes this vulnerability. + For example 399 (of https://cwe.mitre.org/data/definitions/399.html) + + + + + + + + + + A description of the vulnerability as provided by the source. + + + + + If available, an in-depth description of the vulnerability as provided by the + source organization. Details often include examples, proof-of-concepts, and other information + useful in understanding root cause. + + + + + Recommendations of how the vulnerability can be remediated or mitigated. + + + + + + + Published advisories of the vulnerability if provided. + + + + + + + + + + The date and time (timestamp) when the vulnerability record was created in the vulnerability database. + + + + + The date and time (timestamp) when the vulnerability record was first published. + + + + + The date and time (timestamp) when the vulnerability record was last updated. + + + + + Individuals or organizations credited with the discovery of the vulnerability. + + + + + + The organizations credited with vulnerability discovery. 
+ + + + + + + + + + The individuals, not associated with organizations, that are credited with vulnerability discovery. + + + + + + + + + + + + + The tool(s) used to identify, confirm, or score the vulnerability. + + + + + + + + + + + + An assessment of the impact and exploitability of the vulnerability. + + + + + + + Declares the current state of an occurrence of a vulnerability, after automated or manual analysis. + + + + + + + The rationale of why the impact analysis state was asserted. + + + + + + A response to the vulnerability by the manufacturer, supplier, or + project responsible for the affected component or service. More than one response + is allowed. Responses are strongly encouraged for vulnerabilities where the analysis + state is exploitable. + + + + + + + + + + + Detailed description of the impact including methods used during assessment. + If a vulnerability is not exploitable, this field should include specific details + on why the component or service is not impacted by this vulnerability. + + + + + + + + + The components or services that are affected by the vulnerability. + + + + + + + + + References a component or service by the objects bom-ref. + + + + + Zero or more individual versions or range of versions. + + + + + + + + + + A single version of a component or service. + + + + + A version range specified in Package URL Version Range syntax (vers) which is defined at https://github.com/package-url/vers-spec + + + + + + + The vulnerability status for the version or range of versions. + + + + + + + + + + + + + + + + + + Provides the ability to document properties in a key/value store. + This provides flexibility to include data not officially supported in the standard + without having to use additional namespaces or create extensions. Property names + of interest to the general public are encouraged to be registered in the + CycloneDX Property Taxonomy - https://github.com/CycloneDX/cyclonedx-property-taxonomy. 
+ Formal registration is OPTIONAL. + + + + + + + An optional identifier which can be used to reference the vulnerability elsewhere in the BOM. + Uniqueness is enforced within all elements and children of the root-level bom element. + + + + + + + + + + The name of the source. + For example: NVD, National Vulnerability Database, OSS Index, VulnDB, and GitHub Advisories + + + + + + The url of the vulnerability documentation as provided by the source. + For example: https://nvd.nist.gov/vuln/detail/CVE-2021-39182 + + + + + + + + + + The source that calculated the severity or risk rating of the vulnerability. + + + + + The numerical score of the rating. + + + + + Textual representation of the severity that corresponds to the numerical score of the rating. + + + + + The risk scoring methodology/standard used. + + + + + Textual representation of the metric values used to score the vulnerability. + + + + + An optional reason for rating the vulnerability as it was. + + + + + + + + + + An optional name of the advisory. + + + + + Location where the advisory can be obtained. + + + + + + + + + Textual representation of the severity of the vulnerability adopted by the analysis method. If the + analysis method uses values other than what is provided, the user is expected to translate appropriately. + + + + + + + + + + + + + + + + + Declares the current state of an occurrence of a vulnerability, after automated or manual analysis. + + + + + + + The vulnerability has been remediated. + + + + + + + The vulnerability has been remediated and evidence of the changes are provided in the affected + components pedigree containing verifiable commit history and/or diff(s). + + + + + + + The vulnerability may be directly or indirectly exploitable. + + + + + + + The vulnerability is being investigated. + + + + + + + The vulnerability is not specific to the component or service and was falsely identified or associated. 
+ + + + + + + The component or service is not affected by the vulnerability. Justification should be specified + for all not_affected cases. + + + + + + + + + + The rationale of why the impact analysis state was asserted. + + + + + + + The code has been removed or tree-shaked. + + + + + + + The vulnerable code is not invoked at runtime. + + + + + + + Exploitability requires a configurable option to be set/unset. + + + + + + + Exploitability requires a dependency that is not present. + + + + + + + Exploitability requires a certain environment which is not present. + + + + + + + Exploitability requires a compiler flag to be set/unset. + + + + + + + Exploits are prevented at runtime. + + + + + + + Attacks are blocked at physical, logical, or network perimeter. + + + + + + + Preventative measures have been implemented that reduce the likelihood and/or impact of the vulnerability. + + + + + + + + + + Specifies the severity or risk scoring methodology or standard used. + + + + + + + The rating is based on CVSS v2 standard + https://www.first.org/cvss/v2/ + + + + + + + The rating is based on CVSS v3.0 standard + https://www.first.org/cvss/v3-0/ + + + + + + + The rating is based on CVSS v3.1 standard + https://www.first.org/cvss/v3-1/ + + + + + + + The rating is based on OWASP Risk Rating + https://owasp.org/www-community/OWASP_Risk_Rating_Methodology + + + + + + + Use this if the risk scoring methodology is not based on any of the options above + + + + + + + + + + The rationale of why the impact analysis state was asserted. + + + + + + + + + + + + + + + The vulnerability status of a given version or range of versions of a product. The statuses + 'affected' and 'unaffected' indicate that the version is affected or unaffected by the vulnerability. + The status 'unknown' indicates that it is unknown or unspecified whether the given version is affected. 
+ There can be many reasons for an 'unknown' status, including that an investigation has not been + undertaken or that a vendor has not disclosed the status. + + + + + + + + + + + + + + + + Provides additional information about a BOM. + + + + + A list of software and hardware components. + + + + + A list of services. This may include microservices, function-as-a-service, and other types of network or intra-process services. + + + + + Provides the ability to document external references related to the BOM or + to the project the BOM describes. + + + + + Provides the ability to document dependency relationships. + + + + + Compositions describe constituent parts (including components, services, and dependency relationships) and their completeness. + + + + + Provides the ability to document properties in a key/value store. + This provides flexibility to include data not officially supported in the standard + without having to use additional namespaces or create extensions. Property names + of interest to the general public are encouraged to be registered in the + CycloneDX Property Taxonomy - https://github.com/CycloneDX/cyclonedx-property-taxonomy. + Formal registration is OPTIONAL. + + + + + Vulnerabilities identified in components or services. + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + Whenever an existing BOM is modified, either manually or through automated + processes, the version of the BOM SHOULD be incremented by 1. When a system is presented with + multiple BOMs with identical serial numbers, the system SHOULD use the most recent version of the BOM. + The default version is '1'. + + + + + Every BOM generated SHOULD have a unique serial number, even if the contents of + the BOM have not changed over time. If specified, the serial number MUST conform to RFC-4122. + Use of serial numbers are RECOMMENDED. 
+ + + + + User-defined attributes may be used on this element as long as they + do not have the same name as an existing attribute used by the schema. + + + + + + + + +
diff --git a/schema/bom-1.5.proto b/schema/bom-1.5.proto
new file mode 100644
index 0000000..d99c1a9
--- /dev/null
+++ b/schema/bom-1.5.proto
@@ -0,0 +1,1491 @@ +syntax = "proto3"; +package cyclonedx.v1_5; +import "google/protobuf/timestamp.proto"; + +// Specifies attributes of the text +message AttachedText { + // Specifies the content type of the text. Defaults to 'text/plain' if not specified. + optional string content_type = 1; + // Specifies the optional encoding the text is represented in + optional string encoding = 2; + // SimpleContent value of element. Proactive controls such as input validation and sanitization should be employed to prevent misuse of attachment text. + string value = 3; +} + +message Bom { + // The version of the CycloneDX specification a BOM is written to (starting at version 1.3) + string spec_version = 1; + // The version allows component publishers/authors to make changes to existing BOMs to update various aspects of the document such as description or licenses. When a system is presented with multiple BOMs for the same component, the system should use the most recent version of the BOM. The default version is '1' and should be incremented for each version of the BOM that is published. Each version of a component should have a unique BOM and if no changes are made to the BOMs, then each BOM will have a version of '1'. + optional int32 version = 2; + // Every BOM generated should have a unique serial number, even if the contents of the BOM being generated have not changed over time. The process or tool responsible for creating the BOM should create random UUID's for every BOM generated. + optional string serial_number = 3; + // Provides additional information about a BOM. + optional Metadata metadata = 4; + // Provides the ability to document a list of components. + repeated Component components = 5; + // Provides the ability to document a list of external services. + repeated Service services = 6; + // Provides the ability to document external references related to the BOM or to the project the BOM describes. 
+ repeated ExternalReference external_references = 7; + // Provides the ability to document dependency relationships. + repeated Dependency dependencies = 8; + // Compositions describe constituent parts (including components, services, and dependency relationships) and their completeness. The completeness of vulnerabilities expressed in a BOM may also be described. + repeated Composition compositions = 9; + // Vulnerabilities identified in components or services. + repeated Vulnerability vulnerabilities = 10; + // Comments made by people, organizations, or tools about any object with a bom-ref, such as components, services, vulnerabilities, or the BOM itself. Unlike inventory information, annotations may contain opinion or commentary from various stakeholders. + repeated Annotation annotations = 11; + // Specifies optional, custom, properties + repeated Property properties = 12; + // Describes how a component or service was manufactured or deployed. This is achieved through the use of formulas, workflows, tasks, and steps, which declare the precise steps to reproduce along with the observed formulas describing the steps which transpired in the manufacturing process. + repeated Formula formulation = 13; +} + +enum Classification { + CLASSIFICATION_NULL = 0; + // A software application. Refer to https://en.wikipedia.org/wiki/Application_software for information about applications. + CLASSIFICATION_APPLICATION = 1; + // A software framework. Refer to https://en.wikipedia.org/wiki/Software_framework for information on how frameworks vary slightly from libraries. + CLASSIFICATION_FRAMEWORK = 2; + // A software library. Refer to https://en.wikipedia.org/wiki/Library_(computing) for information about libraries. All third-party and open source reusable components will likely be a library. If the library also has key features of a framework, then it should be classified as a framework. If not, or is unknown, then specifying library is recommended. 
+ CLASSIFICATION_LIBRARY = 3; + // A software operating system without regard to deployment model (i.e. installed on physical hardware, virtual machine, image, etc) Refer to https://en.wikipedia.org/wiki/Operating_system + CLASSIFICATION_OPERATING_SYSTEM = 4; + // A hardware device such as a processor, or chip-set. A hardware device containing firmware should include a component for the physical hardware itself, and another component of type 'firmware' or 'operating-system' (whichever is relevant), describing information about the software running on the device. See also the list of known device properties: https://github.com/CycloneDX/cyclonedx-property-taxonomy/blob/main/cdx/device.md + CLASSIFICATION_DEVICE = 5; + // A computer file. Refer to https://en.wikipedia.org/wiki/Computer_file for information about files. + CLASSIFICATION_FILE = 6; + // A packaging and/or runtime format, not specific to any particular technology, which isolates software inside the container from software outside of a container through virtualization technology. Refer to https://en.wikipedia.org/wiki/OS-level_virtualization + CLASSIFICATION_CONTAINER = 7; + // A special type of software that provides low-level control over a devices hardware. Refer to https://en.wikipedia.org/wiki/Firmware + CLASSIFICATION_FIRMWARE = 8; + // A special type of software that operates or controls a particular type of device. Refer to https://en.wikipedia.org/wiki/Device_driver + CLASSIFICATION_DEVICE_DRIVER = 9; + // A runtime environment which interprets or executes software. This may include runtimes such as those that execute bytecode or low-code/no-code application platforms. + CLASSIFICATION_PLATFORM = 10; + // A model based on training data that can make predictions or decisions without being explicitly programmed to do so. + CLASSIFICATION_MACHINE_LEARNING_MODEL = 11; + // A collection of discrete values that convey information. 
+ CLASSIFICATION_DATA = 12; +} + +message Commit { + // A unique identifier of the commit. This may be version control specific. For example, Subversion uses revision numbers whereas git uses commit hashes. + optional string uid = 1; + // The URL to the commit. This URL will typically point to a commit in a version control system. + optional string url = 2; + // The author who created the changes in the commit + optional IdentifiableAction author = 3; + // The person who committed or pushed the commit + optional IdentifiableAction committer = 4; + // The text description of the contents of the commit + optional string message = 5; +} + +message Component { + // Specifies the type of component. For software components, classify as application if no more specific appropriate classification is available or cannot be determined for the component. + Classification type = 1; + // The optional mime-type of the component. When used on file components, the mime-type can provide additional context about the kind of file being represented such as an image, font, or executable. Some library or framework components may also have an associated mime-type. + optional string mime_type = 2; + // An optional identifier which can be used to reference the component elsewhere in the BOM. Uniqueness is enforced within all elements and children of the root-level bom element. + optional string bom_ref = 3; + // The organization that supplied the component. The supplier may often be the manufacture, but may also be a distributor or repackager. + optional OrganizationalEntity supplier = 4; + // The person(s) or organization(s) that authored the component + optional string author = 5; + // The person(s) or organization(s) that published the component + optional string publisher = 6; + // The grouping name or identifier. This will often be a shortened, single name of the company or project that produced the component, or the source package or domain name. 
Whitespace and special characters should be avoided. Examples include: apache, org.apache.commons, and apache.org. + optional string group = 7; + // The name of the component. This will often be a shortened, single name of the component. Examples: commons-lang3 and jquery + string name = 8; + // The component version. The version should ideally comply with semantic versioning but is not enforced. Version was made optional in v1.4 of the spec. For backward compatibility, it is RECOMMENDED to use an empty string to represent components without version information. + string version = 9; + // Specifies a description for the component + optional string description = 10; + // Specifies the scope of the component. If scope is not specified, SCOPE_REQUIRED scope should be assumed by the consumer of the BOM + optional Scope scope = 11; + repeated Hash hashes = 12; + // EITHER (list of SPDX licenses and/or named licenses) OR (tuple of one SPDX License Expression) + repeated LicenseChoice licenses = 13; + // An optional copyright notice informing users of the underlying claims to copyright ownership in a published work. + optional string copyright = 14; + // DEPRECATED - DO NOT USE. This will be removed in a future version. Specifies a well-formed CPE name. See https://nvd.nist.gov/products/cpe + optional string cpe = 15; + // Specifies the package-url (PURL). The purl, if specified, must be valid and conform to the specification defined at: https://github.com/package-url/purl-spec + optional string purl = 16; + // Specifies metadata and content for ISO-IEC 19770-2 Software Identification (SWID) Tags. + optional Swid swid = 17; + // DEPRECATED - DO NOT USE. This will be removed in a future version. Use the pedigree element instead to supply information on exactly how the component was modified. A boolean value indicating is the component has been modified from the original. A value of true indicates the component is a derivative of the original. 
A value of false indicates the component has not been modified from the original. + optional bool modified = 18; + // Component pedigree is a way to document complex supply chain scenarios where components are created, distributed, modified, redistributed, combined with other components, etc. + optional Pedigree pedigree = 19; + // Provides the ability to document external references related to the component or to the project the component describes. + repeated ExternalReference external_references = 20; + // Specifies optional sub-components. This is not a dependency tree. It provides a way to specify a hierarchical representation of component assemblies, similar to system -> subsystem -> parts assembly in physical supply chains. + repeated Component components = 21; + // Specifies optional, custom, properties + repeated Property properties = 22; + // Specifies optional license and copyright evidence + repeated Evidence evidence = 23; + // Specifies optional release notes. + optional ReleaseNotes releaseNotes = 24; + // A model card describes the intended uses of a machine learning model, potential limitations, biases, ethical considerations, training parameters, datasets used to train the model, performance metrics, and other relevant data useful for ML transparency. + optional ModelCard modelCard = 25; + // This object SHOULD be specified for any component of type `data` and MUST NOT be specified for other component types. + optional ComponentData data = 26; +} + +// Specifies the data flow. +message DataFlow { + // Specifies the flow direction of the data. + DataFlowDirection flow = 1; + // Data classification tags data according to its type, sensitivity, and value if altered, stolen, or destroyed. 
+ string value = 2; + // Name for the defined data + optional string name = 3; + // Short description of the data content and usage + optional string description = 4; + // The URI, URL, or BOM-Link of the components or services the data came in from + repeated string source = 5; + // The URI, URL, or BOM-Link of the components or services the data is sent to + repeated string destination = 6; + // Data Governance + optional DataGovernance governance = 7; +} + +// Specifies the flow direction of the data. Valid values are: inbound, outbound, bi-directional, and unknown. Direction is relative to the service. Inbound flow states that data enters the service. Outbound flow states that data leaves the service. Bi-directional states that data flows both ways, and unknown states that the direction is not known. +enum DataFlowDirection { + DATA_FLOW_NULL = 0; + DATA_FLOW_INBOUND = 1; + DATA_FLOW_OUTBOUND = 2; + DATA_FLOW_BI_DIRECTIONAL = 3; + DATA_FLOW_UNKNOWN = 4; +} + +message Dependency { + // References a component or service by the its bom-ref attribute + string ref = 1; + repeated Dependency dependencies = 2; +} + +message Diff { + // Specifies the optional text of the diff + optional AttachedText text = 1; + // Specifies the URL to the diff + optional string url = 2; +} + +message ExternalReference { + // Specifies the type of external reference. There are built-in types to describe common references. If a type does not exist for the reference being referred to, use the "other" type. 
+ ExternalReferenceType type = 1; + // The URL to the external reference + string url = 2; + // An optional comment describing the external reference + optional string comment = 3; + // Optional integrity hashes for the external resource content + repeated Hash hashes = 4; +} + +enum ExternalReferenceType { + // Use this if no other types accurately describe the purpose of the external reference + EXTERNAL_REFERENCE_TYPE_OTHER = 0; + // Version Control System + EXTERNAL_REFERENCE_TYPE_VCS = 1; + // Issue or defect tracking system, or an Application Lifecycle Management (ALM) system + EXTERNAL_REFERENCE_TYPE_ISSUE_TRACKER = 2; + // Website + EXTERNAL_REFERENCE_TYPE_WEBSITE = 3; + // Security advisories + EXTERNAL_REFERENCE_TYPE_ADVISORIES = 4; + // Bill-of-material document (CycloneDX, SPDX, SWID, etc) + EXTERNAL_REFERENCE_TYPE_BOM = 5; + // Mailing list or discussion group + EXTERNAL_REFERENCE_TYPE_MAILING_LIST = 6; + // Social media account + EXTERNAL_REFERENCE_TYPE_SOCIAL = 7; + // Real-time chat platform + EXTERNAL_REFERENCE_TYPE_CHAT = 8; + // Documentation, guides, or how-to instructions + EXTERNAL_REFERENCE_TYPE_DOCUMENTATION = 9; + // Community or commercial support + EXTERNAL_REFERENCE_TYPE_SUPPORT = 10; + // Direct or repository download location + EXTERNAL_REFERENCE_TYPE_DISTRIBUTION = 11; + // The URL to the license file. If a license URL has been defined in the license node, it should also be defined as an external reference for completeness + EXTERNAL_REFERENCE_TYPE_LICENSE = 12; + // Build-system specific meta file (i.e. pom.xml, package.json, .nuspec, etc) + EXTERNAL_REFERENCE_TYPE_BUILD_META = 13; + // URL to an automated build system + EXTERNAL_REFERENCE_TYPE_BUILD_SYSTEM = 14; + // Specifies a way to contact the maintainer, supplier, or provider in the event of a security incident. 
Common URIs include links to a disclosure procedure, a mailto (RFC-2368) that specifies an email address, a tel (RFC-3966) that specifies a phone number, or dns (RFC-4501]) that specifies the records containing DNS Security TXT. + EXTERNAL_REFERENCE_TYPE_SECURITY_CONTACT = 15; + // Human or machine-readable statements containing facts, evidence, or testimony + EXTERNAL_REFERENCE_TYPE_ATTESTATION = 16; + // An enumeration of identified weaknesses, threats, and countermeasures, dataflow diagram (DFD), attack tree, and other supporting documentation in human-readable or machine-readable format + EXTERNAL_REFERENCE_TYPE_THREAT_MODEL = 17; + // The defined assumptions, goals, and capabilities of an adversary. + EXTERNAL_REFERENCE_TYPE_ADVERSARY_MODEL = 18; + // Identifies and analyzes the potential of future events that may negatively impact individuals, assets, and/or the environment. Risk assessments may also include judgments on the tolerability of each risk. + EXTERNAL_REFERENCE_TYPE_RISK_ASSESSMENT = 19; + // The location where a component was published to. This is often the same as "distribution" but may also include specialized publishing processes that act as an intermediary + EXTERNAL_REFERENCE_TYPE_DISTRIBUTION_INTAKE = 20; + // A Vulnerability Disclosure Report (VDR) which asserts the known and previously unknown vulnerabilities that affect a component, service, or product including the analysis and findings describing the impact (or lack of impact) that the reported vulnerability has on a component, service, or product + EXTERNAL_REFERENCE_TYPE_VULNERABILITY_ASSERTION = 21; + // A Vulnerability Exploitability eXchange (VEX) which asserts the known vulnerabilities that do not affect a product, product family, or organization, and optionally the ones that do. 
The VEX should include the analysis and findings describing the impact (or lack of impact) that the reported vulnerability has on the product, product family, or organization + EXTERNAL_REFERENCE_TYPE_EXPLOITABILITY_STATEMENT = 22; + // Results from an authorized simulated cyberattack on a component or service, otherwise known as a penetration test + EXTERNAL_REFERENCE_TYPE_PENTEST_REPORT = 23; + // SARIF or proprietary machine or human-readable report for which static analysis has identified code quality, security, and other potential issues with the source code + EXTERNAL_REFERENCE_TYPE_STATIC_ANALYSIS_REPORT = 24; + // Dynamic analysis report that has identified issues such as vulnerabilities and misconfigurations + EXTERNAL_REFERENCE_TYPE_DYNAMIC_ANALYSIS_REPORT = 25; + // Report generated by analyzing the call stack of a running application + EXTERNAL_REFERENCE_TYPE_RUNTIME_ANALYSIS_REPORT = 26; + // Report generated by Software Composition Analysis (SCA), container analysis, or other forms of component analysis + EXTERNAL_REFERENCE_TYPE_COMPONENT_ANALYSIS_REPORT = 27; + // Report containing a formal assessment of an organization, business unit, or team against a maturity model + EXTERNAL_REFERENCE_TYPE_MATURITY_REPORT = 28; + // Industry, regulatory, or other certification from an accredited (if applicable) certification body + EXTERNAL_REFERENCE_TYPE_CERTIFICATION_REPORT = 29; + // Report or system in which quality metrics can be obtained + EXTERNAL_REFERENCE_TYPE_QUALITY_METRICS = 30; + // Code or configuration that defines and provisions virtualized infrastructure, commonly referred to as Infrastructure as Code (IaC) + EXTERNAL_REFERENCE_TYPE_CODIFIED_INFRASTRUCTURE = 31; + // A model card describes the intended uses of a machine learning model, potential limitations, biases, ethical considerations, training parameters, datasets used to train the model, performance metrics, and other relevant data useful for ML transparency. 
+ EXTERNAL_REFERENCE_TYPE_MODEL_CARD = 32; + // Plans of Action and Milestones (POAM) compliment an "attestation" external reference. POAM is defined by NIST as a "document that identifies tasks needing to be accomplished. It details resources required to accomplish the elements of the plan, any milestones in meeting the tasks and scheduled completion dates for the milestones". + EXTERNAL_REFERENCE_TYPE_POAM = 33; + // A record of events that occurred in a computer system or application, such as problems, errors, or information on current operations. + EXTERNAL_REFERENCE_TYPE_LOG = 34; + // Parameters or settings that may be used by other components or services. + EXTERNAL_REFERENCE_TYPE_CONFIGURATION = 35; + // Information used to substantiate a claim. + EXTERNAL_REFERENCE_TYPE_EVIDENCE = 36; + // Describes how a component or service was manufactured or deployed. + EXTERNAL_REFERENCE_TYPE_FORMULATION = 37; +} + +enum HashAlg { + HASH_ALG_NULL = 0; + HASH_ALG_MD_5 = 1; + HASH_ALG_SHA_1 = 2; + HASH_ALG_SHA_256 = 3; + HASH_ALG_SHA_384 = 4; + HASH_ALG_SHA_512 = 5; + HASH_ALG_SHA_3_256 = 6; + HASH_ALG_SHA_3_384 = 7; + HASH_ALG_SHA_3_512 = 8; + HASH_ALG_BLAKE_2_B_256 = 9; + HASH_ALG_BLAKE_2_B_384 = 10; + HASH_ALG_BLAKE_2_B_512 = 11; + HASH_ALG_BLAKE_3 = 12; +} + +// Specifies the file hash of the component +message Hash { + // Specifies the algorithm used to create the hash + HashAlg alg = 1; + // SimpleContent value of element + string value = 2; +} + +message IdentifiableAction { + // The timestamp in which the action occurred + optional google.protobuf.Timestamp timestamp = 1; + // The name of the individual who performed the action + optional string name = 2; + // The email address of the individual who performed the action + optional string email = 3; +} + +enum IssueClassification { + ISSUE_CLASSIFICATION_NULL = 0; + // A fault, flaw, or bug in software + ISSUE_CLASSIFICATION_DEFECT = 1; + // A new feature or behavior in software + ISSUE_CLASSIFICATION_ENHANCEMENT 
= 2; + // A special type of defect which impacts security + ISSUE_CLASSIFICATION_SECURITY = 3; +} + +message Issue { + // Specifies the type of issue + IssueClassification type = 1; + // The identifier of the issue assigned by the source of the issue + optional string id = 2; + // The name of the issue + optional string name = 3; + // A description of the issue + optional string description = 4; + optional Source source = 5; + repeated string references = 6; +} + +// The source of the issue where it is documented. +message Source { + // The name of the source. For example "National Vulnerability Database", "NVD", and "Apache" + optional string name = 1; + // The url of the issue documentation as provided by the source + optional string url = 2; +} + +message LicenseChoice { + oneof choice { + License license = 1; + string expression = 2; + } +} + +message License { + oneof license { + // A valid SPDX license ID + string id = 1; + // If SPDX does not define the license used, this field may be used to provide the license name + string name = 2; + } + // Specifies the optional full text of the attachment + optional AttachedText text = 3; + // The URL to the attachment file. If the attachment is a license or BOM, an externalReference should also be specified for completeness. + optional string url = 4; + // An optional identifier which can be used to reference the license elsewhere in the BOM. Uniqueness is enforced within all elements and children of the root-level bom element. 
+ optional string bom_ref = 5; + // Licensing details describing the licensor/licensee, license type, renewal and expiration dates, and other important metadata + optional Licensing licensing = 6; + // Specifies optional, custom, properties + repeated Property properties = 7; +} + +message Licensing { + // License identifiers that may be used to manage licenses and their lifecycle + repeated string altIds = 1; + // The individual or organization that grants a license to another individual or organization + optional OrganizationalEntityOrContact licensor = 2; + // The individual or organization for which a license was granted to + optional OrganizationalEntityOrContact licensee = 3; + // The individual or organization that purchased the license + optional OrganizationalEntityOrContact purchaser = 4; + // The purchase order identifier the purchaser sent to a supplier or vendor to authorize a purchase + optional string purchaseOrder = 5; + // The type of license(s) that was granted to the licensee + repeated LicensingTypeEnum licenseTypes = 6; + // The timestamp indicating when the license was last renewed. For new purchases, this is often the purchase or acquisition date. For non-perpetual licenses or subscriptions, this is the timestamp of when the license was last renewed. + optional google.protobuf.Timestamp lastRenewal = 7; + // The timestamp indicating when the current license expires (if applicable). + optional google.protobuf.Timestamp expiration = 8; +} + +message OrganizationalEntityOrContact { + oneof choice { + OrganizationalEntity organization = 1; + OrganizationalContact individual = 2; + } +} + +enum LicensingTypeEnum { + LICENSING_TYPE_NULL = 0; + // A license that grants use of software solely for the purpose of education or research. + LICENSING_TYPE_ACADEMIC = 1; + // A license covering use of software embedded in a specific piece of hardware. 
+ LICENSING_TYPE_APPLIANCE = 2; + // A Client Access License (CAL) allows client computers to access services provided by server software. + LICENSING_TYPE_CLIENT_ACCESS = 3; + // A Concurrent User license (aka floating license) limits the number of licenses for a software application and licenses are shared among a larger number of users. + LICENSING_TYPE_CONCURRENT_USER = 4; + // A license where the core of a computer's processor is assigned a specific number of points. + LICENSING_TYPE_CORE_POINTS = 5; + // A license for which consumption is measured by non-standard metrics. + LICENSING_TYPE_CUSTOM_METRIC = 6; + // A license that covers a defined number of installations on computers and other types of devices. + LICENSING_TYPE_DEVICE = 7; + // A license that grants permission to install and use software for trial purposes. + LICENSING_TYPE_EVALUATION = 8; + // A license that grants access to the software to one or more pre-defined users. + LICENSING_TYPE_NAMED_USER = 9; + // A license that grants access to the software on one or more pre-defined computers or devices. + LICENSING_TYPE_NODE_LOCKED = 10; + // An Original Equipment Manufacturer license that is delivered with hardware, cannot be transferred to other hardware, and is valid for the life of the hardware. + LICENSING_TYPE_OEM = 11; + // A license where the software is sold on a one-time basis and the licensee can use a copy of the software indefinitely. + LICENSING_TYPE_PERPETUAL = 12; + // A license where each installation consumes points per processor. + LICENSING_TYPE_PROCESSOR_POINTS = 13; + // A license where the licensee pays a fee to use the software or service. + LICENSING_TYPE_SUBSCRIPTION = 14; + // A license that grants access to the software or service by a specified number of users. + LICENSING_TYPE_USER = 15; + // Another license type. + LICENSING_TYPE_OTHER = 16; +} + +message Metadata { + // The date and time (timestamp) when the document was created. 
+ optional google.protobuf.Timestamp timestamp = 1; + // The tool(s) used in the creation of the BOM. + optional Tool tools = 2; + // The person(s) who created the BOM. Authors are common in BOMs created through manual processes. BOMs created through automated means may not have authors. + repeated OrganizationalContact authors = 3; + // The component that the BOM describes. + optional Component component = 4; + // The organization that manufactured the component that the BOM describes. + optional OrganizationalEntity manufacture = 5; + // The organization that supplied the component that the BOM describes. The supplier may often be the manufacture, but may also be a distributor or repackager. + optional OrganizationalEntity supplier = 6; + // The license information for the BOM document + // EITHER (list of SPDX licenses and/or named licenses) OR (tuple of one SPDX License Expression) + optional LicenseChoice licenses = 7; + // Specifies optional, custom, properties + repeated Property properties = 8; + // The product lifecycle(s) that this BOM represents. + repeated Lifecycles lifecycles = 9; +} + +message Lifecycles { + oneof choice { + // A pre-defined phase in the product lifecycle. + LifecyclePhase phase = 1; + // The name of the lifecycle phase + string name = 2; + } + // The description of the lifecycle phase + optional string description = 3; +} + +enum LifecyclePhase { + // BOM produced early in the development lifecycle containing inventory of components and services that are proposed or planned to be used. The inventory may need to be procured, retrieved, or resourced prior to use. + LIFECYCLE_PHASE_DESIGN = 0; + // BOM consisting of information obtained prior to a build process and may contain source files and development artifacts and manifests. The inventory may need to be resolved and retrieved prior to use. 
+ LIFECYCLE_PHASE_PRE_BUILD = 1;
+ // BOM consisting of information obtained during a build process where component inventory is available for use. The precise versions of resolved components are usually available at this time as well as the provenance of where the components were retrieved from.
+ LIFECYCLE_PHASE_BUILD = 2;
+ // BOM consisting of information obtained after a build process has completed and the resulting components(s) are available for further analysis. Built components may exist as the result of a CI/CD process, may have been installed or deployed to a system or device, and may need to be retrieved or extracted from the system or device.
+ LIFECYCLE_PHASE_POST_BUILD = 3;
+ // BOM produced that represents inventory that is running and operational. This may include staging or production environments and will generally encompass multiple SBOMs describing the applications and operating system, along with HBOMs describing the hardware that makes up the system. Operations Bill of Materials (OBOM) can provide full-stack inventory of runtime environments, configurations, and additional dependencies.
+ LIFECYCLE_PHASE_OPERATIONS = 4;
+ // BOM consisting of information observed through network discovery providing point-in-time enumeration of embedded, on-premise, and cloud-native services such as server applications, connected devices, microservices, and serverless functions.
+ LIFECYCLE_PHASE_DISCOVERY = 5;
+ // BOM containing inventory that will be, or has been retired from operations.
+ LIFECYCLE_PHASE_DECOMMISSION = 6;
+}
+
+message OrganizationalContact {
+ // The name of the contact
+ optional string name = 1;
+ // The email address of the contact.
+ optional string email = 2;
+ // The phone number of the contact.
+ optional string phone = 3;
+ // An optional identifier which can be used to reference the object elsewhere in the BOM. Uniqueness is enforced within all elements and children of the root-level bom element.
+ optional string bom_ref = 4;
+}
+
+message OrganizationalEntity {
+ // The name of the organization
+ optional string name = 1;
+ // The URL of the organization. Multiple URLs are allowed.
+ repeated string url = 2;
+ // A contact person at the organization. Multiple contacts are allowed.
+ repeated OrganizationalContact contact = 3;
+ // An optional identifier which can be used to reference the object elsewhere in the BOM. Uniqueness is enforced within all elements and children of the root-level bom element.
+ optional string bom_ref = 4;
+}
+
+enum PatchClassification {
+ PATCH_CLASSIFICATION_NULL = 0;
+ // A patch which is not developed by the creators or maintainers of the software being patched. Refer to https://en.wikipedia.org/wiki/Unofficial_patch
+ PATCH_CLASSIFICATION_UNOFFICIAL = 1;
+ // A patch which dynamically modifies runtime behavior. Refer to https://en.wikipedia.org/wiki/Monkey_patch
+ PATCH_CLASSIFICATION_MONKEY = 2;
+ // A patch which takes code from a newer version of software and applies it to older versions of the same software. Refer to https://en.wikipedia.org/wiki/Backporting
+ PATCH_CLASSIFICATION_BACKPORT = 3;
+ // A patch created by selectively applying commits from other versions or branches of the same software.
+ PATCH_CLASSIFICATION_CHERRY_PICK = 4;
+}
+
+message Patch {
+ // Specifies the purpose for the patch including the resolution of defects, security issues, or new behavior or functionality
+ PatchClassification type = 1;
+ // The patch file (or diff) that show changes. Refer to https://en.wikipedia.org/wiki/Diff
+ optional Diff diff = 2;
+ repeated Issue resolves = 3;
+}
+
+// Component pedigree is a way to document complex supply chain scenarios where components are created, distributed, modified, redistributed, combined with other components, etc. Pedigree supports viewing this complex chain from the beginning, the end, or anywhere in the middle. It also provides a way to document variants where the exact relation may not be known.
+message Pedigree {
+ // Describes zero or more components in which a component is derived from. This is commonly used to describe forks from existing projects where the forked version contains a ancestor node containing the original component it was forked from. For example, Component A is the original component. Component B is the component being used and documented in the BOM. However, Component B contains a pedigree node with a single ancestor documenting Component A - the original component from which Component B is derived from.
+ repeated Component ancestors = 1;
+ // Descendants are the exact opposite of ancestors. This provides a way to document all forks (and their forks) of an original or root component.
+ repeated Component descendants = 2;
+ // Variants describe relations where the relationship between the components are not known. For example, if Component A contains nearly identical code to Component B. They are both related, but it is unclear if one is derived from the other, or if they share a common ancestor.
+ repeated Component variants = 3;
+ // A list of zero or more commits which provide a trail describing how the component deviates from an ancestor, descendant, or variant.
+ repeated Commit commits = 4;
+ // A list of zero or more patches describing how the component deviates from an ancestor, descendant, or variant. Patches may be complimentary to commits or may be used in place of commits.
+ repeated Patch patches = 5;
+ // Notes, observations, and other non-structured commentary describing the components pedigree.
+ optional string notes = 6;
+}
+
+enum Scope {
+ // Default
+ SCOPE_UNSPECIFIED = 0;
+ // The component is required for runtime
+ SCOPE_REQUIRED = 1;
+ // The component is optional at runtime. Optional components are components that are not capable of being called due to them not be installed or otherwise accessible by any means. Components that are installed but due to configuration or other restrictions are prohibited from being called must be scoped as 'required'.
+ SCOPE_OPTIONAL = 2;
+ // Components that are excluded provide the ability to document component usage for test and other non-runtime purposes. Excluded components are not reachable within a call graph at runtime.
+ SCOPE_EXCLUDED = 3;
+}
+
+message Service {
+ // An optional identifier which can be used to reference the service elsewhere in the BOM. Uniqueness is enforced within all elements and children of the root-level bom element.
+ optional string bom_ref = 1;
+ // The organization that provides the service.
+ optional OrganizationalEntity provider = 2;
+ // The grouping name, namespace, or identifier. This will often be a shortened, single name of the company or project that produced the service or domain name. Whitespace and special characters should be avoided.
+ optional string group = 3;
+ // The name of the service. This will often be a shortened, single name of the service.
+ string name = 4;
+ // The service version.
+ optional string version = 5;
+ // Specifies a description for the service.
+ optional string description = 6;
+ repeated string endpoints = 7;
+ // A boolean value indicating if the service requires authentication. A value of true indicates the service requires authentication prior to use. A value of false indicates the service does not require authentication.
+ optional bool authenticated = 8;
+ // A boolean value indicating if use of the service crosses a trust zone or boundary. A value of true indicates that by using the service, a trust boundary is crossed. A value of false indicates that by using the service, a trust boundary is not crossed.
+ optional bool x_trust_boundary = 9;
+ repeated DataFlow data = 10;
+ // EITHER (list of SPDX licenses and/or named licenses) OR (tuple of one SPDX License Expression)
+ repeated LicenseChoice licenses = 11;
+ // Provides the ability to document external references related to the service.
+ repeated ExternalReference external_references = 12;
+ // Specifies optional sub-service. This is not a dependency tree. It provides a way to specify a hierarchical representation of service assemblies, similar to system -> subsystem -> parts assembly in physical supply chains.
+ repeated Service services = 13;
+ // Specifies optional, custom, properties
+ repeated Property properties = 14;
+ // Specifies optional release notes.
+ optional ReleaseNotes releaseNotes = 15;
+ // The name of the trust zone the service resides in.
+ optional string trustZone = 16;
+}
+
+message Swid {
+ // Maps to the tagId of a SoftwareIdentity.
+ string tag_id = 1;
+ // Maps to the name of a SoftwareIdentity.
+ string name = 2;
+ // Maps to the version of a SoftwareIdentity. Defaults to '0.0' if not specified.
+ optional string version = 3;
+ // Maps to the tagVersion of a SoftwareIdentity. Defaults to '0' if not specified.
+ optional int32 tag_version = 4;
+ // Maps to the patch of a SoftwareIdentity. Defaults to 'false' if not specified.
+ optional bool patch = 5;
+ // Specifies the full content of the SWID tag.
+ optional AttachedText text = 6;
+ // The URL to the SWID file.
+ optional string url = 7;
+}
+
+// Specifies a tool (manual or automated).
+message Tool {
+ // DEPRECATED - DO NOT USE - The vendor of the tool used to create the BOM.
+ optional string vendor = 1 [deprecated = true];
+ // DEPRECATED - DO NOT USE - The name of the tool used to create the BOM.
+ optional string name = 2 [deprecated = true];
+ // DEPRECATED - DO NOT USE - The version of the tool used to create the BOM.
+ optional string version = 3 [deprecated = true];
+ // DEPRECATED - DO NOT USE
+ repeated Hash hashes = 4 [deprecated = true];
+ // DEPRECATED - DO NOT USE - Provides the ability to document external references related to the tool.
+ repeated ExternalReference external_references = 5 [deprecated = true];
+ // A list of software and hardware components used as tools
+ repeated Component components = 6;
+ // A list of services used as tools. This may include microservices, function-as-a-service, and other types of network or intra-process services.
+ repeated Service services = 7;
+}
+
+// Specifies a property
+message Property {
+ string name = 1;
+ optional string value = 2;
+}
+
+enum Aggregate {
+ // The relationship completeness is not specified.
+ AGGREGATE_NOT_SPECIFIED = 0;
+ // The relationship is complete. No further relationships including constituent components, services, or dependencies are known to exist.
+ AGGREGATE_COMPLETE = 1;
+ // The relationship is incomplete. Additional relationships exist and may include constituent components, services, or dependencies.
+ AGGREGATE_INCOMPLETE = 2;
+ // The relationship is incomplete. Only relationships for first-party components, services, or their dependencies are represented.
+ AGGREGATE_INCOMPLETE_FIRST_PARTY_ONLY = 3;
+ // The relationship is incomplete. Only relationships for third-party components, services, or their dependencies are represented.
+ AGGREGATE_INCOMPLETE_THIRD_PARTY_ONLY = 4;
+ // The relationship may be complete or incomplete. This usually signifies a 'best-effort' to obtain constituent components, services, or dependencies but the completeness is inconclusive.
+ AGGREGATE_UNKNOWN = 5;
+ // The relationship is incomplete. Only relationships for first-party components, services, or their dependencies are represented, limited specifically to those that are proprietary.
+ AGGREGATE_INCOMPLETE_FIRST_PARTY_PROPRIETARY_ONLY = 6;
+ // The relationship is incomplete. Only relationships for first-party components, services, or their dependencies are represented, limited specifically to those that are opensource.
+ AGGREGATE_INCOMPLETE_FIRST_PARTY_OPENSOURCE_ONLY = 7;
+ // The relationship is incomplete. Only relationships for third-party components, services, or their dependencies are represented, limited specifically to those that are proprietary.
+ AGGREGATE_INCOMPLETE_THIRD_PARTY_PROPRIETARY_ONLY = 8;
+ // The relationship is incomplete. Only relationships for third-party components, services, or their dependencies are represented, limited specifically to those that are opensource.
+ AGGREGATE_INCOMPLETE_THIRD_PARTY_OPENSOURCE_ONLY = 9;
+}
+
+message Composition {
+ // Indicates the aggregate completeness
+ Aggregate aggregate = 1;
+ // The assemblies the aggregate completeness applies to
+ repeated string assemblies = 2;
+ // The dependencies the aggregate completeness applies to
+ repeated string dependencies = 3;
+ // The bom-ref identifiers of the vulnerabilities being described.
+ repeated string vulnerabilities = 4;
+ // An optional identifier which can be used to reference the composition elsewhere in the BOM. Every bom-ref MUST be unique within the BOM.
+ optional string bom_ref = 5;
+}
+
+message EvidenceCopyright {
+ // Copyright text
+ string text = 1;
+}
+
+message Evidence {
+ // EITHER (list of SPDX licenses and/or named licenses) OR (tuple of one SPDX License Expression)
+ repeated LicenseChoice licenses = 1;
+ repeated EvidenceCopyright copyright = 2;
+ repeated EvidenceIdentity identity = 3;
+ repeated EvidenceOccurrences occurrences = 4;
+ optional Callstack callstack = 5;
+}
+
+// Evidence of the components use through the callstack.
+message Callstack {
+ repeated Frames frames = 1;
+
+ message Frames {
+ // A package organizes modules into namespaces, providing a unique namespace for each type it contains.
+ optional string package = 1;
+ // A module or class that encloses functions/methods and other code.
+ string module = 2;
+ // A block of code designed to perform a particular task.
+ optional string function = 3;
+ // Optional arguments that are passed to the module or function.
+ repeated string parameters = 4;
+ // The line number the code that is called resides on.
+ optional int32 line = 5;
+ // The column the code that is called resides.
+ optional int32 column = 6;
+ // The full path and filename of the module.
+ optional string fullFilename = 7;
+ }
+}
+
+message EvidenceIdentity {
+ // The identity field of the component which the evidence describes.
+ EvidenceFieldType field = 1;
+ // The overall confidence of the evidence from 0 - 1, where 1 is 100% confidence.
+ optional float confidence = 2;
+ // The methods used to extract and/or analyze the evidence.
+ repeated EvidenceMethods methods = 3;
+ // The object in the BOM identified by its bom-ref. This is often a component or service, but may be any object type supporting bom-refs. Tools used for analysis should already be defined in the BOM, either in the metadata/tools, components, or formulation.
+ repeated string tools = 4;
+}
+
+message EvidenceMethods {
+ // The technique used in this method of analysis.
+ EvidenceTechnique technique = 1;
+ // The confidence of the evidence from 0 - 1, where 1 is 100% confidence. Confidence is specific to the technique used. Each technique of analysis can have independent confidence.
+ float confidence = 2;
+ // The value or contents of the evidence.
+ optional string value = 3;
+}
+
+message EvidenceOccurrences {
+ // An optional identifier which can be used to reference the occurrence elsewhere in the BOM. Every bom-ref MUST be unique within the BOM.
+ optional string bom_ref = 1;
+ // The location or path to where the component was found.
+ string location = 2;
+}
+
+enum EvidenceFieldType {
+ EVIDENCE_FIELD_NULL = 0;
+ EVIDENCE_FIELD_GROUP = 1;
+ EVIDENCE_FIELD_NAME = 2;
+ EVIDENCE_FIELD_VERSION = 3;
+ EVIDENCE_FIELD_PURL = 4;
+ EVIDENCE_FIELD_CPE = 5;
+ EVIDENCE_FIELD_SWID = 6;
+ EVIDENCE_FIELD_HASH = 7;
+}
+
+enum EvidenceTechnique {
+ EVIDENCE_TECHNIQUE_SOURCE_CODE_ANALYSIS = 0;
+ EVIDENCE_TECHNIQUE_BINARY_ANALYSIS = 1;
+ EVIDENCE_TECHNIQUE_MANIFEST_ANALYSIS = 2;
+ EVIDENCE_TECHNIQUE_AST_FINGERPRINT = 3;
+ EVIDENCE_TECHNIQUE_HASH_COMPARISON = 4;
+ EVIDENCE_TECHNIQUE_INSTRUMENTATION = 5;
+ EVIDENCE_TECHNIQUE_DYNAMIC_ANALYSIS = 6;
+ EVIDENCE_TECHNIQUE_FILENAME = 7;
+ EVIDENCE_TECHNIQUE_ATTESTATION = 8;
+ EVIDENCE_TECHNIQUE_OTHER = 9;
+}
+
+message Note {
+ // The ISO-639 (or higher) language code and optional ISO-3166 (or higher) country code. Examples include: "en", "en-US", "fr" and "fr-CA".
+ optional string locale = 1;
+ // Specifies the full content of the release note.
+ optional AttachedText text = 2;
+}
+
+message ReleaseNotes {
+ // The software versioning type. It is RECOMMENDED that the release type use one of 'major', 'minor', 'patch', 'pre-release', or 'internal'. Representing all possible software release types is not practical, so standardizing on the recommended values, whenever possible, is strongly encouraged.
+ string type = 1;
+ // The title of the release.
+ optional string title = 2;
+ // The URL to an image that may be prominently displayed with the release note.
+ optional string featuredImage = 3;
+ // The URL to an image that may be used in messaging on social media platforms.
+ optional string socialImage = 4;
+ // A short description of the release.
+ optional string description = 5;
+ // The date and time (timestamp) when the release note was created.
+ optional google.protobuf.Timestamp timestamp = 6;
+ // Optional alternate names the release may be referred to. This may include unofficial terms used by development and marketing teams (e.g. code names).
+ repeated string aliases = 7;
+ // Optional tags that may aid in search or retrieval of the release note.
+ repeated string tags = 8;
+ // A collection of issues that have been resolved.
+ repeated Issue resolves = 9;
+ // Zero or more release notes containing the locale and content. Multiple note messages may be specified to support release notes in a wide variety of languages.
+ repeated Note notes = 10;
+ // Specifies optional, custom, properties
+ repeated Property properties = 11;
+}
+
+message Vulnerability {
+ // An optional identifier which can be used to reference the vulnerability elsewhere in the BOM. Uniqueness is enforced within all elements and children of the root-level bom element.
+ optional string bom_ref = 1;
+ // The identifier that uniquely identifies the vulnerability.
+ optional string id = 2;
+ // The source that published the vulnerability.
+ optional Source source = 3;
+ // Zero or more pointers to vulnerabilities that are the equivalent of the vulnerability specified. Often times, the same vulnerability may exist in multiple sources of vulnerability intelligence, but have different identifiers. References provide a way to correlate vulnerabilities across multiple sources of vulnerability intelligence.
+ repeated VulnerabilityReference references = 4;
+ // List of vulnerability ratings
+ repeated VulnerabilityRating ratings = 5;
+ // List of Common Weaknesses Enumerations (CWEs) codes that describes this vulnerability. For example 399 (of https://cwe.mitre.org/data/definitions/399.html)
+ repeated int32 cwes = 6;
+ // A description of the vulnerability as provided by the source.
+ optional string description = 7;
+ // If available, an in-depth description of the vulnerability as provided by the source organization. Details often include information useful in understanding root cause.
+ optional string detail = 8;
+ // Recommendations of how the vulnerability can be remediated or mitigated.
+ optional string recommendation = 9;
+ // Published advisories of the vulnerability if provided.
+ repeated Advisory advisories = 10;
+ // The date and time (timestamp) when the vulnerability record was created in the vulnerability database.
+ optional google.protobuf.Timestamp created = 11;
+ // The date and time (timestamp) when the vulnerability record was first published.
+ optional google.protobuf.Timestamp published = 12;
+ // The date and time (timestamp) when the vulnerability record was last updated.
+ optional google.protobuf.Timestamp updated = 13;
+ // Individuals or organizations credited with the discovery of the vulnerability.
+ optional VulnerabilityCredits credits = 14;
+ // The tool(s) used to identify, confirm, or score the vulnerability.
+ optional Tool tools = 15;
+ // An assessment of the impact and exploitability of the vulnerability.
+ optional VulnerabilityAnalysis analysis = 16;
+ // affects
+ repeated VulnerabilityAffects affects = 17;
+ // Specifies optional, custom, properties
+ repeated Property properties = 18;
+ // The date and time (timestamp) when the vulnerability record was rejected (if applicable).
+ optional google.protobuf.Timestamp rejected = 19;
+ // Evidence used to reproduce the vulnerability.
+ optional ProofOfConcept proofOfConcept = 20;
+ // A bypass, usually temporary, of the vulnerability that reduces its likelihood and/or impact. Workarounds often involve changes to configuration or deployments.
+ optional string workaround = 21;
+}
+
+message ProofOfConcept {
+ // Precise steps to reproduce the vulnerability.
+ optional string reproductionSteps = 1;
+ // A description of the environment in which reproduction was possible.
+ optional string environment = 2;
+ // Supporting material that helps in reproducing or understanding how reproduction is possible. This may include screenshots, payloads, and PoC exploit code.
+ repeated AttachedText supportingMaterial = 3;
+}
+
+message VulnerabilityReference {
+ // An identifier that uniquely identifies the vulnerability.
+ string id = 1;
+ // The source that published the vulnerability.
+ Source source = 2;
+}
+
+message VulnerabilityRating {
+ // The source that calculated the severity or risk rating of the vulnerability.
+ optional Source source = 1;
+ // The numerical score of the rating.
+ optional double score = 2;
+ // Textual representation of the severity that corresponds to the numerical score of the rating.
+ optional Severity severity = 3;
+ // Specifies the severity or risk scoring methodology or standard used.
+ optional ScoreMethod method = 4;
+ // Textual representation of the metric values used to score the vulnerability.
+ optional string vector = 5;
+ // An optional reason for rating the vulnerability as it was.
+ optional string justification = 6;
+}
+
+enum Severity {
+ SEVERITY_UNKNOWN = 0;
+ SEVERITY_CRITICAL = 1;
+ SEVERITY_HIGH = 2;
+ SEVERITY_MEDIUM = 3;
+ SEVERITY_LOW = 4;
+ SEVERITY_INFO = 5;
+ SEVERITY_NONE = 6;
+}
+
+enum ScoreMethod {
+ // An undefined score method
+ SCORE_METHOD_NULL = 0;
+ // Common Vulnerability Scoring System v2 - https://www.first.org/cvss/v2/
+ SCORE_METHOD_CVSSV2 = 1;
+ // Common Vulnerability Scoring System v3 - https://www.first.org/cvss/v3-0/
+ SCORE_METHOD_CVSSV3 = 2;
+ // Common Vulnerability Scoring System v3.1 - https://www.first.org/cvss/v3-1/
+ SCORE_METHOD_CVSSV31 = 3;
+ // OWASP Risk Rating Methodology - https://owasp.org/www-community/OWASP_Risk_Rating_Methodology
+ SCORE_METHOD_OWASP = 4;
+ // Other scoring method
+ SCORE_METHOD_OTHER = 5;
+ // Common Vulnerability Scoring System v3.1 - https://www.first.org/cvss/v4-0/
+ SCORE_METHOD_CVSSV4 = 6;
+ // Stakeholder Specific Vulnerability Categorization (all versions) - https://github.com/CERTCC/SSVC
+ SCORE_METHOD_SSVC = 7;
+}
+
+message Advisory {
+ // An optional name of the advisory.
+ optional string title = 1;
+ // Location where the advisory can be obtained.
+ string url = 2;
+}
+
+message VulnerabilityCredits {
+ // The organizations credited with vulnerability discovery.
+ repeated OrganizationalEntity organizations = 1;
+ // The individuals, not associated with organizations, that are credited with vulnerability discovery.
+ repeated OrganizationalContact individuals = 2;
+}
+
+message VulnerabilityAnalysis {
+ // Declares the current state of an occurrence of a vulnerability, after automated or manual analysis.
+ optional ImpactAnalysisState state = 1;
+ // The rationale of why the impact analysis state was asserted.
+ optional ImpactAnalysisJustification justification = 2;
+ // A response to the vulnerability by the manufacturer, supplier, or project responsible for the affected component or service. More than one response is allowed. Responses are strongly encouraged for vulnerabilities where the analysis state is exploitable.
+ repeated VulnerabilityResponse response = 3;
+ // Detailed description of the impact including methods used during assessment. If a vulnerability is not exploitable, this field should include specific details on why the component or service is not impacted by this vulnerability.
+ optional string detail = 4;
+ // The date and time (timestamp) when the analysis was first issued.
+ optional google.protobuf.Timestamp firstIssued = 5;
+ // The date and time (timestamp) when the analysis was last updated.
+ optional google.protobuf.Timestamp lastUpdated = 6;
+}
+
+enum ImpactAnalysisState {
+ // An undefined impact analysis state
+ IMPACT_ANALYSIS_STATE_NULL = 0;
+ // The vulnerability has been remediated.
+ IMPACT_ANALYSIS_STATE_RESOLVED = 1;
+ // The vulnerability has been remediated and evidence of the changes are provided in the affected components pedigree containing verifiable commit history and/or diff(s).
+ IMPACT_ANALYSIS_STATE_RESOLVED_WITH_PEDIGREE = 2;
+ // The vulnerability may be directly or indirectly exploitable.
+ IMPACT_ANALYSIS_STATE_EXPLOITABLE = 3;
+ // The vulnerability is being investigated.
+ IMPACT_ANALYSIS_STATE_IN_TRIAGE = 4;
+ // The vulnerability is not specific to the component or service and was falsely identified or associated.
+ IMPACT_ANALYSIS_STATE_FALSE_POSITIVE = 5;
+ // The component or service is not affected by the vulnerability. Justification should be specified for all not_affected cases.
+ IMPACT_ANALYSIS_STATE_NOT_AFFECTED = 6;
+}
+
+enum ImpactAnalysisJustification {
+ // An undefined impact analysis justification
+ IMPACT_ANALYSIS_JUSTIFICATION_NULL = 0;
+ // The code has been removed or tree-shaked.
+ IMPACT_ANALYSIS_JUSTIFICATION_CODE_NOT_PRESENT = 1;
+ // The vulnerable code is not invoked at runtime.
+ IMPACT_ANALYSIS_JUSTIFICATION_CODE_NOT_REACHABLE = 2;
+ // Exploitability requires a configurable option to be set/unset.
+ IMPACT_ANALYSIS_JUSTIFICATION_REQUIRES_CONFIGURATION = 3;
+ // Exploitability requires a dependency that is not present.
+ IMPACT_ANALYSIS_JUSTIFICATION_REQUIRES_DEPENDENCY = 4;
+ // Exploitability requires a certain environment which is not present.
+ IMPACT_ANALYSIS_JUSTIFICATION_REQUIRES_ENVIRONMENT = 5;
+ // Exploitability requires a compiler flag to be set/unset.
+ IMPACT_ANALYSIS_JUSTIFICATION_PROTECTED_BY_COMPILER = 6;
+ // Exploits are prevented at runtime.
+ IMPACT_ANALYSIS_JUSTIFICATION_PROTECTED_AT_RUNTIME = 7;
+ // Attacks are blocked at physical, logical, or network perimeter.
+ IMPACT_ANALYSIS_JUSTIFICATION_PROTECTED_AT_PERIMETER = 8;
+ // Preventative measures have been implemented that reduce the likelihood and/or impact of the vulnerability.
+ IMPACT_ANALYSIS_JUSTIFICATION_PROTECTED_BY_MITIGATING_CONTROL = 9;
+}
+
+enum VulnerabilityResponse {
+ VULNERABILITY_RESPONSE_NULL = 0;
+ VULNERABILITY_RESPONSE_CAN_NOT_FIX = 1;
+ VULNERABILITY_RESPONSE_WILL_NOT_FIX = 2;
+ VULNERABILITY_RESPONSE_UPDATE = 3;
+ VULNERABILITY_RESPONSE_ROLLBACK = 4;
+ VULNERABILITY_RESPONSE_WORKAROUND_AVAILABLE = 5;
+}
+
+message VulnerabilityAffects {
+ // References a component or service by the objects bom-ref
+ string ref = 1;
+ // Zero or more individual versions or range of versions.
+ repeated VulnerabilityAffectedVersions versions = 2;
+}
+
+message VulnerabilityAffectedVersions {
+ oneof choice {
+ // A single version of a component or service.
+ string version = 1;
+ // A version range specified in Package URL Version Range syntax (vers) which is defined at https://github.com/package-url/vers-spec
+ string range = 2;
+ }
+ // The vulnerability status for the version or range of versions. Defaults to VULNERABILITY_AFFECTED_STATUS_AFFECTED if not specified.
+ optional VulnerabilityAffectedStatus status = 3;
+}
+
+enum VulnerabilityAffectedStatus {
+ // The vulnerability status of a given version or range of versions of a product. The statuses 'affected' and 'unaffected' indicate that the version is affected or unaffected by the vulnerability. The status 'unknown' indicates that it is unknown or unspecified whether the given version is affected. There can be many reasons for an 'unknown' status, including that an investigation has not been undertaken or that a vendor has not disclosed the status.
+ VULNERABILITY_AFFECTED_STATUS_UNKNOWN = 0;
+ VULNERABILITY_AFFECTED_STATUS_AFFECTED = 1;
+ VULNERABILITY_AFFECTED_STATUS_NOT_AFFECTED = 2;
+}
+
+message AnnotatorChoice {
+ oneof choice {
+ // The organization that created the annotation
+ OrganizationalEntity organization = 1;
+ // The person that created the annotation
+ OrganizationalContact individual = 2;
+ // The tool or component that created the annotation
+ Component component = 3;
+ // The service that created the annotation
+ Service service = 4;
+ }
+}
+
+message Annotation {
+ // An optional identifier which can be used to reference the annotation elsewhere in the BOM. Every bom-ref MUST be unique within the BOM.
+ optional string bom_ref = 1;
+ // The object in the BOM identified by its bom-ref. This is often a component or service, but may be any object type supporting bom-refs.
+ repeated string subjects = 2;
+ // The organization, person, component, or service which created the textual content of the annotation.
+ AnnotatorChoice annotator = 3;
+ // The date and time (timestamp) when the annotation was created.
+ google.protobuf.Timestamp timestamp = 4;
+ // The textual content of the annotation.
+ string text = 5;
+}
+
+message ModelCard {
+ // An optional identifier which can be used to reference the model card elsewhere in the BOM. Every bom-ref MUST be unique within the BOM.
+ optional string bom_ref = 1;
+ // Hyper-parameters for construction of the model.
+ optional ModelParameters modelParameters = 2;
+ // A quantitative analysis of the model
+ optional QuantitativeAnalysis quantitativeAnalysis = 3;
+ // What considerations should be taken into account regarding the model's construction, training, and application?
+ optional ModelCardConsiderations considerations = 4;
+
+ message ModelParameters {
+ // The overall approach to learning used by the model for problem solving.
+ optional Approach approach = 1;
+ // Directly influences the input and/or output. Examples include classification, regression, clustering, etc.
+ optional string task = 2;
+ // The model architecture family such as transformer network, convolutional neural network, residual neural network, LSTM neural network, etc.
+ optional string architectureFamily = 3;
+ //The specific architecture of the model such as GPT-1, ResNet-50, YOLOv3, etc.
+ optional string modelArchitecture = 4;
+ // The datasets used to train and evaluate the model.
+ repeated Datasets datasets = 5;
+ // The input format(s) of the model
+ repeated MachineLearningInputOutputParameters inputs = 6;
+ // The output format(s) from the model
+ repeated MachineLearningInputOutputParameters outputs = 7;
+
+ message Approach {
+ optional ModelParameterApproachType type = 1;
+ }
+ message Datasets {
+ oneof choice {
+ ComponentData dataset = 1;
+ // References a data component by the components bom-ref attribute
+ string ref = 2;
+ }
+ }
+ message MachineLearningInputOutputParameters {
+ // The data format for input/output to the model. Example formats include string, image, time-series
+ optional string format = 1;
+ }
+ }
+ message QuantitativeAnalysis {
+ // The model performance metrics being reported. Examples may include accuracy, F1 score, precision, top-3 error rates, MSC, etc.
+ repeated PerformanceMetrics performanceMetrics = 1;
+ optional GraphicsCollection graphics = 2;
+
+ message PerformanceMetrics {
+ // The type of performance metric.
+ optional string type = 1;
+ // The value of the performance metric.
+ optional string value = 2;
+ // The name of the slice this metric was computed on. By default, assume this metric is not sliced.
+ optional string slice = 3;
+ // The confidence interval of the metric.
+ optional ConfidenceInterval confidenceInterval = 4;
+
+ message ConfidenceInterval {
+ // The lower bound of the confidence interval.
+ optional string lowerBound = 1;
+ // The upper bound of the confidence interval.
+ optional string upperBound = 2;
+ }
+ }
+ }
+ message ModelCardConsiderations {
+ // Who are the intended users of the model?
+ repeated string users = 1;
+ // What are the intended use cases of the model?
+ repeated string useCases = 2;
+ // What are the known technical limitations of the model? E.g. What kind(s) of data should the model be expected not to perform well on? What are the factors that might degrade model performance?
+ repeated string technicalLimitations = 3;
+ // What are the known tradeoffs in accuracy/performance of the model?
+ repeated string performanceTradeoffs = 4;
+ // What are the ethical (or environmental) risks involved in the application of this model?
+ repeated EthicalConsiderations ethicalConsiderations = 5;
+ // How does the model affect groups at risk of being systematically disadvantaged? What are the harms and benefits to the various affected groups?
+ repeated FairnessAssessments fairnessAssessments = 6;
+
+ message EthicalConsiderations {
+ // The name of the risk.
+ optional string name = 1;
+ // Strategy used to address this risk.
+ optional string mitigationStrategy = 2;
+ }
+ message FairnessAssessments {
+ // The groups or individuals at risk of being systematically disadvantaged by the model.
+ optional string groupAtRisk = 1;
+ // Expected benefits to the identified groups.
+ optional string benefits = 2;
+ // Expected harms to the identified groups.
+ optional string harms = 3;
+ // With respect to the benefits and harms outlined, please describe any mitigation strategy implemented.
+ optional string mitigationStrategy = 4;
+ }
+ }
+}
+
+enum ModelParameterApproachType {
+ MODEL_PARAMETER_APPROACH_TYPE_SUPERVISED = 0;
+ MODEL_PARAMETER_APPROACH_TYPE_UNSUPERVISED = 1;
+ MODEL_PARAMETER_APPROACH_TYPE_REINFORCED_LEARNING = 2;
+ MODEL_PARAMETER_APPROACH_TYPE_SEMI_SUPERVISED = 3;
+ MODEL_PARAMETER_APPROACH_TYPE_SELF_SUPERVISED = 4;
+}
+
+message ComponentData {
+ // An optional identifier which can be used to reference the dataset elsewhere in the BOM. Every bom-ref MUST be unique within the BOM.
+ optional string bom_ref = 1;
+ // The general theme or subject matter of the data being specified.
+ ComponentDataType type = 2;
+ // The name of the dataset.
+ optional string name = 3;
+ // The contents or references to the contents of the data being described.
+ optional ComponentDataContents contents = 4;
+ // Data classification tags data according to its type, sensitivity, and value if altered, stolen, or destroyed.
+ optional string classification = 5;
+ // A description of any sensitive data in a dataset.
+ repeated string sensitiveData = 6;
+ // A collection of graphics that represent various measurements.
+ optional GraphicsCollection graphics = 7;
+ // A description of the dataset. Can describe size of dataset, whether it's used for source code, training, testing, or validation, etc.
+ optional string description = 8;
+ // Data Governance
+ optional DataGovernance governance = 9;
+
+ message ComponentDataContents {
+ // An optional way to include textual or encoded data.
+ optional AttachedText attachment = 1;
+ // The URL to where the data can be retrieved.
+ optional string url = 2;
+ // Provides the ability to document name-value parameters used for configuration.
+ repeated Property properties = 3;
+ }
+}
+
+message DataGovernance {
+ // Data custodians are responsible for the safe custody, transport, and storage of data.
+ repeated DataGovernanceResponsibleParty custodians = 1;
+ // Data stewards are responsible for data content, context, and associated business rules.
+ repeated DataGovernanceResponsibleParty stewards = 2;
+ // Data owners are concerned with risk and appropriate access to data.
+ repeated DataGovernanceResponsibleParty owners = 3;
+
+ message DataGovernanceResponsibleParty {
+ oneof choice {
+ OrganizationalEntity organization = 1;
+ OrganizationalContact contact = 2;
+ }
+ }
+}
+
+enum ComponentDataType {
+ // Any type of code, code snippet, or data-as-code
+ COMPONENT_DATA_TYPE_SOURCE_CODE = 0;
+ // Parameters or settings that may be used by other components.
+ COMPONENT_DATA_TYPE_CONFIGURATION = 1;
+ // A collection of data.
+ COMPONENT_DATA_TYPE_DATASET = 2;
+ // Data that can be used to create new instances of what the definition defines.
+ COMPONENT_DATA_TYPE_DEFINITION = 3;
+ // Any other type of data that does not fit into existing definitions.
+ COMPONENT_DATA_TYPE_OTHER = 4;
+}
+
+message GraphicsCollection {
+ // A description of this collection of graphics.
+ optional string description = 1;
+ // A collection of graphics.
+ repeated Graphic graphic = 2;
+
+ message Graphic {
+ // The name of the graphic.
+ optional string name = 1;
+ // The graphic (vector or raster). Base64 encoding MUST be specified for binary images.
+ optional AttachedText image = 2;
+ }
+}
+
+// Describes workflows and resources that captures rules and other aspects of how the associated BOM component or service was formed.
+message Formula {
+ // BOM unique reference to the resource.
+ optional string bom_ref = 1;
+ // Transient components that are used in tasks that constitute one or more of this formula's workflows
+ repeated Component components = 2;
+ // Transient services that are used in tasks that constitute one or more of this formula's workflows
+ repeated Service services = 3;
+ // List of workflows that can be declared to accomplish specific orchestrated goals and independently triggered.
+ repeated Workflow workflows = 4;
+ // Domain-specific formula properties.
+ repeated Property properties = 5;
+}
+
+// A specialized orchestration task.
+message Workflow {
+ // BOM unique reference to the resource.
+ string bom_ref = 1;
+ // The unique identifier for the resource instance within its deployment context.
+ string uid = 2;
+ // The name of the resource instance.
+ optional string name = 3;
+ // A description of the resource instance.
+ optional string description = 4;
+ // Domain-specific resource instance properties.
+ repeated Property properties = 5;
+ // References to component or service resources that are used to realize the resource instance.
+ repeated ResourceReferenceChoice resourceReferences = 6;
+ // The tasks that comprise the workflow.
+ repeated Task tasks = 7;
+ // The graph of dependencies between tasks within the workflow.
+ repeated Dependency taskDependencies = 8;
+ // Indicates the types of activities performed by the set of workflow tasks.
+ repeated TaskType taskTypes = 9;
+ // The trigger that initiated the task.
+ optional Trigger trigger = 10;
+ // The sequence of steps for the task.
+ repeated Step steps = 11;
+ // Represents resources and data brought into a task at runtime by executor or task commands
+ repeated InputType inputs = 12;
+ // Represents resources and data output from a task at runtime by executor or task commands
+ repeated OutputType outputs = 13;
+ // The date and time (timestamp) when the task started.
+ optional google.protobuf.Timestamp timeStart = 14;
+ // The date and time (timestamp) when the task ended.
+ optional google.protobuf.Timestamp timeEnd = 15;
+ // A set of named filesystem or data resource shareable by workflow tasks.
+ repeated Workspace workspaces = 16;
+ // A graph of the component runtime topology for workflow's instance.
+ repeated Dependency runtimeTopology = 17;
+}
+
+// Describes the inputs, sequence of steps and resources used to accomplish a task and its output.
+message Task {
+ // BOM unique reference to the resource.
+ string bom_ref = 1;
+ // The unique identifier for the resource instance within its deployment context.
+ string uid = 2;
+ // The name of the resource instance.
+ optional string name = 3;
+ // A description of the resource instance.
+ optional string description = 4;
+ // Domain-specific task instance properties.
+ repeated Property properties = 5;
+ // References to component or service resources that are used to realize the resource instance.
+ repeated ResourceReferenceChoice resourceReferences = 6;
+ // Indicates the types of activities performed by the set of workflow tasks.
+ repeated TaskType taskTypes = 7;
+ // The trigger that initiated the task.
+ optional Trigger trigger = 8;
+ // "The sequence of steps for the task.
+ repeated Step steps = 9;
+ // Represents resources and data brought into a task at runtime by executor or task commands
+ repeated InputType inputs = 10;
+ // Represents resources and data output from a task at runtime by executor or task commands
+ repeated OutputType outputs = 11;
+ // The date and time (timestamp) when the task started.
+ optional google.protobuf.Timestamp timeStart = 14;
+ // The date and time (timestamp) when the task ended.
+ optional google.protobuf.Timestamp timeEnd = 15;
+ // A set of named filesystem or data resource shareable by workflow tasks.
+ repeated Workspace workspaces = 16;
+ // A graph of the component runtime topology for task's instance.
+ repeated Dependency runtimeTopology = 17;
+}
+
+// Executes specific commands or tools in order to accomplish its owning task as part of a sequence.
+message Step {
+ // A name for the step.
+ optional string name = 1;
+ // A description of the step.
+ optional string description = 2;
+ // Ordered list of commands or directives for the step
+ repeated Command commands = 3;
+ // Domain-specific step properties.
+ repeated Property properties = 4;
+}
+
+message Command {
+ // A text representation of the executed command.
+ optional string executed = 1;
+ // Domain-specific command properties.
+ repeated Property properties = 2;
+}
+
+// A named filesystem or data resource shareable by workflow tasks.
+message Workspace {
+ // BOM unique reference to the resource.
+ string bom_ref = 1;
+ // The unique identifier for the resource instance within its deployment context.
+ string uid = 2;
+ // The name of the resource instance.
+ optional string name = 3;
+ // The names for the workspace as referenced by other workflow tasks. Effectively, a name mapping so other tasks can use their own local name in their steps.
+ repeated string aliases = 4;
+ // A description of the resource instance.
+ optional string description = 5;
+ // Domain-specific workspace instance properties.
+ repeated Property properties = 6;
+ // References to component or service resources that are used to realize the resource instance.
+ repeated ResourceReferenceChoice resourceReferences = 7;
+ // Describes the read-write access control for the workspace relative to the owning resource instance.
+ optional AccessMode accessMode = 8;
+ // A path to a location on disk where the workspace will be available to the associated task's steps.
+ optional string mountPath = 9;
+ // The name of a domain-specific data type the workspace represents.
+ optional string managedDataType = 10;
+ // Identifies the reference to the request for a specific volume type and parameters.
+ optional string volumeRequest = 11;
+ // Information about the actual volume instance allocated to the workspace.
+ optional Volume volume = 12;
+
+ enum AccessMode {
+ ACCESS_MODE_READ_ONLY = 0;
+ ACCESS_MODE_READ_WRITE = 1;
+ ACCESS_MODE_READ_WRITE_ONCE = 2;
+ ACCESS_MODE_WRITE_ONCE = 3;
+ ACCESS_MODE_WRITE_ONLY = 4;
+ }
+}
+
+// An identifiable, logical unit of data storage tied to a physical device.
+message Volume {
+ // The unique identifier for the volume instance within its deployment context.
+ optional string uid = 1;
+ // The name of the volume instance
+ optional string name = 2;
+ // The volume mode for the volume instance.
+ optional VolumeMode mode = 3;
+ // The underlying path created from the actual volume.
+ optional string path = 4;
+ // The allocated size of the volume accessible to the associated workspace. This should include the scalar size as well as IEC standard unit in either decimal or binary form.
+ optional string sizeAllocated = 5;
+ // Indicates if the volume persists beyond the life of the resource it is associated with.
+ optional bool persistent = 6;
+ // Indicates if the volume is remotely (i.e., network) attached.
+ optional bool remote = 7;
+ // Domain-specific volume instance properties.
+ repeated Property properties = 8;
+
+ enum VolumeMode {
+ VOLUME_MODE_FILESYSTEM = 0;
+ VOLUME_MODE_BLOCK = 1;
+ }
+}
+
+// Represents a resource that can conditionally activate (or fire) tasks based upon associated events and their data.
+message Trigger {
+ // BOM unique reference to the resource.
+ string bom_ref = 1;
+ // The unique identifier for the resource instance within its deployment context.
+ string uid = 2;
+ // The name of the resource instance.
+ optional string name = 3;
+ // A description of the resource instance.
+ optional string description = 4;
+ // Additional properties of the trigger.
+ repeated Property properties = 5;
+ // References to component or service resources that are used to realize the resource instance.
+ repeated ResourceReferenceChoice resourceReferences = 6;
+ // The source type of event which caused the trigger to fire.
+ TriggerType type = 7;
+ // The event data that caused the associated trigger to activate.
+ optional Event event = 8;
+ // Conditions
+ repeated Condition conditions = 9;
+ // The date and time (timestamp) when the trigger was activated.
+ optional google.protobuf.Timestamp timeActivated = 10;
+ // Represents resources and data brought into a task at runtime by executor or task commands
+ repeated InputType inputs = 11;
+ // Represents resources and data output from a task at runtime by executor or task commands
+ repeated OutputType outputs = 12;
+
+ enum TriggerType {
+ TRIGGER_TYPE_MANUAL = 0;
+ TRIGGER_TYPE_API = 1;
+ TRIGGER_TYPE_WEBHOOK = 2;
+ TRIGGER_TYPE_SCHEDULED = 3;
+ }
+}
+
+// Represents something that happened that may trigger a response.
+message Event {
+ // The unique identifier of the event.
+ optional string uid = 1;
+ // A description of the event.
+ optional string description = 2;
+ // The date and time (timestamp) when the event was received.
+ optional google.protobuf.Timestamp timeReceived = 3;
+ // Encoding of the raw event data.
+ optional AttachedText data = 4;
+ // References the component or service that was the source of the event
+ optional ResourceReferenceChoice source = 5;
+ // References the component or service that was the target of the event
+ optional ResourceReferenceChoice target = 6;
+ // Additional properties of the event.
+ repeated Property properties = 7;
+}
+
+// Type that represents various input data types and formats.
+message InputType {
+ // A references to the component or service that provided the input to the task (e.g., reference to a service with data flow value of `inbound`)
+ optional ResourceReferenceChoice source = 1;
+ // A reference to the component or service that received or stored the input if not the task itself (e.g., a local, named storage workspace)
+ optional ResourceReferenceChoice target = 2;
+ // A reference to an independent resource provided as an input to a task by the workflow runtime.
+ optional ResourceReferenceChoice resource = 3;
+ // Inputs that have the form of parameters with names and values.
+ repeated Parameter parameters = 4;
+ // Inputs that have the form of parameters with names and values.
+ repeated EnvironmentVars environmentVars = 5;
+ // Inputs that have the form of data.
+ optional AttachedText data = 6;
+ // Additional properties of the input data.
+ repeated Property properties = 7;
+}
+
+message OutputType {
+ // Describes the type of data output.
+ optional OutputTypeType type = 1;
+ // Component or service that generated or provided the output from the task (e.g., a build tool)
+ optional ResourceReferenceChoice source = 2;
+ // Component or service that received the output from the task (e.g., reference to an artifactory service with data flow value of `outbound`)
+ optional ResourceReferenceChoice target = 3;
+ // A reference to an independent resource generated as output by the task.
+ optional ResourceReferenceChoice resource = 4;
+ // Outputs that have the form of data.
+ optional AttachedText data = 5;
+ // Outputs that have the form of environment variables.
+ repeated EnvironmentVars environmentVars = 6;
+ // Additional properties of the output data.
+ repeated Property properties = 7;
+
+ enum OutputTypeType {
+ OUTPUT_TYPE_ARTIFACT = 0;
+ OUTPUT_TYPE_ATTESTATION = 1;
+ OUTPUT_TYPE_LOG = 2;
+ OUTPUT_TYPE_EVIDENCE = 3;
+ OUTPUT_TYPE_METRICS = 4;
+ OUTPUT_TYPE_OTHER = 5;
+ }
+}
+
+message ResourceReferenceChoice {
+ oneof choice {
+ string ref = 1;
+ ExternalReference externalReference = 2;
+ }
+}
+
+// A condition that was used to determine a trigger should be activated.
+message Condition {
+ // Describes the set of conditions which cause the trigger to activate.
+ optional string description = 1;
+ // The logical expression that was evaluated that determined the trigger should be fired.
+ optional string expression = 2;
+ // Domain-specific condition instance properties.
+ repeated Property properties = 3;
+}
+
+enum TaskType {
+ TASK_TYPE_COPY = 0;
+ TASK_TYPE_CLONE = 1;
+ TASK_TYPE_LINT = 2;
+ TASK_TYPE_SCAN = 3;
+ TASK_TYPE_MERGE = 4;
+ TASK_TYPE_BUILD = 5;
+ TASK_TYPE_TEST = 6;
+ TASK_TYPE_DELIVER = 7;
+ TASK_TYPE_DEPLOY = 8;
+ TASK_TYPE_RELEASE = 9;
+ TASK_TYPE_CLEAN = 10;
+ TASK_TYPE_OTHER = 11;
+}
+
+// A representation of a functional parameter.
+message Parameter {
+ // The name of the parameter.
+ optional string name = 1;
+ // The value of the parameter.
+ optional string value = 2;
+ // The data type of the parameter.
+ optional string dataType = 3;
+}
+
+message EnvironmentVars {
+ oneof choice {
+ Property property = 1;
+ string value = 2;
+ }
+}
diff --git a/schema/bom-1.5.schema.json b/schema/bom-1.5.schema.json
new file mode 100644
index 0000000..d9c4d08
--- /dev/null
+++ b/schema/bom-1.5.schema.json
@@ -0,0 +1,3799 @@ +{ + "$schema": "http://json-schema.org/draft-07/schema#", + "$id": "http://cyclonedx.org/schema/bom-1.5.schema.json", + "type": "object", + "title": "CycloneDX Software Bill of Materials Standard", + "$comment" : "CycloneDX JSON schema is published under the terms of the Apache License 2.0.", + "required": [ + "bomFormat", + "specVersion" + ], + "additionalProperties": false, + "properties": { + "$schema": { + "type": "string", + "enum": [ + "http://cyclonedx.org/schema/bom-1.5.schema.json" + ] + }, + "bomFormat": { + "type": "string", + "title": "BOM Format", + "description": "Specifies the format of the BOM. This helps to identify the file as CycloneDX since BOMs do not have a filename convention nor does JSON schema support namespaces. This value MUST be \"CycloneDX\".", + "enum": [ + "CycloneDX" + ] + }, + "specVersion": { + "type": "string", + "title": "CycloneDX Specification Version", + "description": "The version of the CycloneDX specification a BOM conforms to (starting at version 1.2).", + "examples": ["1.5"] + }, + "serialNumber": { + "type": "string", + "title": "BOM Serial Number", + "description": "Every BOM generated SHOULD have a unique serial number, even if the contents of the BOM have not changed over time. If specified, the serial number MUST conform to RFC-4122. Use of serial numbers are RECOMMENDED.", + "examples": ["urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79"], + "pattern": "^urn:uuid:[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$" + }, + "version": { + "type": "integer", + "title": "BOM Version", + "description": "Whenever an existing BOM is modified, either manually or through automated processes, the version of the BOM SHOULD be incremented by 1. When a system is presented with multiple BOMs with identical serial numbers, the system SHOULD use the most recent version of the BOM. 
The default version is '1'.", + "minimum": 1, + "default": 1, + "examples": [1] + }, + "metadata": { + "$ref": "#/definitions/metadata", + "title": "BOM Metadata", + "description": "Provides additional information about a BOM." + }, + "components": { + "type": "array", + "items": {"$ref": "#/definitions/component"}, + "uniqueItems": true, + "title": "Components", + "description": "A list of software and hardware components." + }, + "services": { + "type": "array", + "items": {"$ref": "#/definitions/service"}, + "uniqueItems": true, + "title": "Services", + "description": "A list of services. This may include microservices, function-as-a-service, and other types of network or intra-process services." + }, + "externalReferences": { + "type": "array", + "items": {"$ref": "#/definitions/externalReference"}, + "title": "External References", + "description": "External references provide a way to document systems, sites, and information that may be relevant, but are not included with the BOM. They may also establish specific relationships within or external to the BOM." + }, + "dependencies": { + "type": "array", + "items": {"$ref": "#/definitions/dependency"}, + "uniqueItems": true, + "title": "Dependencies", + "description": "Provides the ability to document dependency relationships." + }, + "compositions": { + "type": "array", + "items": {"$ref": "#/definitions/compositions"}, + "uniqueItems": true, + "title": "Compositions", + "description": "Compositions describe constituent parts (including components, services, and dependency relationships) and their completeness. The completeness of vulnerabilities expressed in a BOM may also be described." + }, + "vulnerabilities": { + "type": "array", + "items": {"$ref": "#/definitions/vulnerability"}, + "uniqueItems": true, + "title": "Vulnerabilities", + "description": "Vulnerabilities identified in components or services." 
+ }, + "annotations": { + "type": "array", + "items": {"$ref": "#/definitions/annotations"}, + "uniqueItems": true, + "title": "Annotations", + "description": "Comments made by people, organizations, or tools about any object with a bom-ref, such as components, services, vulnerabilities, or the BOM itself. Unlike inventory information, annotations may contain opinion or commentary from various stakeholders. Annotations may be inline (with inventory) or externalized via BOM-Link, and may optionally be signed." + }, + "formulation": { + "type": "array", + "items": {"$ref": "#/definitions/formula"}, + "uniqueItems": true, + "title": "Formulation", + "description": "Describes how a component or service was manufactured or deployed. This is achieved through the use of formulas, workflows, tasks, and steps, which declare the precise steps to reproduce along with the observed formulas describing the steps which transpired in the manufacturing process." + }, + "properties": { + "type": "array", + "title": "Properties", + "description": "Provides the ability to document properties in a name-value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. Unlike key-value stores, properties support duplicate names, each potentially having different values. Property names of interest to the general public are encouraged to be registered in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy). Formal registration is OPTIONAL.", + "items": { + "$ref": "#/definitions/property" + } + }, + "signature": { + "$ref": "#/definitions/signature", + "title": "Signature", + "description": "Enveloped signature in [JSON Signature Format (JSF)](https://cyberphone.github.io/doc/security/jsf.html)." 
+ } + }, + "definitions": { + "refType": { + "description": "Identifier for referable and therefore interlink-able elements.", + "type": "string", + "minLength": 1, + "$comment": "value SHOULD not start with the BOM-Link intro 'urn:cdx:'" + }, + "refLinkType": { + "description": "Descriptor for an element identified by the attribute 'bom-ref' in the same BOM document.\nIn contrast to `bomLinkElementType`.", + "allOf": [{"$ref": "#/definitions/refType"}] + }, + "bomLinkDocumentType": { + "title": "BOM-Link Document", + "description": "Descriptor for another BOM document. See https://cyclonedx.org/capabilities/bomlink/", + "type": "string", + "format": "iri-reference", + "pattern": "^urn:cdx:[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}/[1-9][0-9]*$", + "$comment": "part of the pattern is based on `bom.serialNumber`'s pattern" + }, + "bomLinkElementType": { + "title": "BOM-Link Element", + "description": "Descriptor for an element in a BOM document. See https://cyclonedx.org/capabilities/bomlink/", + "type": "string", + "format": "iri-reference", + "pattern": "^urn:cdx:[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}/[1-9][0-9]*#.+$", + "$comment": "part of the pattern is based on `bom.serialNumber`'s pattern" + }, + "bomLink": { + "anyOf": [ + { + "title": "BOM-Link Document", + "$ref": "#/definitions/bomLinkDocumentType" + }, + { + "title": "BOM-Link Element", + "$ref": "#/definitions/bomLinkElementType" + } + ] + }, + "metadata": { + "type": "object", + "title": "BOM Metadata Object", + "additionalProperties": false, + "properties": { + "timestamp": { + "type": "string", + "format": "date-time", + "title": "Timestamp", + "description": "The date and time (timestamp) when the BOM was created." 
+ }, + "lifecycles": { + "type": "array", + "title": "Lifecycles", + "description": "", + "items": { + "type": "object", + "title": "Lifecycle", + "description": "The product lifecycle(s) that this BOM represents.", + "oneOf": [ + { + "required": ["phase"], + "additionalProperties": false, + "properties": { + "phase": { + "type": "string", + "title": "Phase", + "description": "A pre-defined phase in the product lifecycle.\n\n* __design__ = BOM produced early in the development lifecycle containing inventory of components and services that are proposed or planned to be used. The inventory may need to be procured, retrieved, or resourced prior to use.\n* __pre-build__ = BOM consisting of information obtained prior to a build process and may contain source files and development artifacts and manifests. The inventory may need to be resolved and retrieved prior to use.\n* __build__ = BOM consisting of information obtained during a build process where component inventory is available for use. The precise versions of resolved components are usually available at this time as well as the provenance of where the components were retrieved from.\n* __post-build__ = BOM consisting of information obtained after a build process has completed and the resulting components(s) are available for further analysis. Built components may exist as the result of a CI/CD process, may have been installed or deployed to a system or device, and may need to be retrieved or extracted from the system or device.\n* __operations__ = BOM produced that represents inventory that is running and operational. This may include staging or production environments and will generally encompass multiple SBOMs describing the applications and operating system, along with HBOMs describing the hardware that makes up the system. 
Operations Bill of Materials (OBOM) can provide full-stack inventory of runtime environments, configurations, and additional dependencies.\n* __discovery__ = BOM consisting of information observed through network discovery providing point-in-time enumeration of embedded, on-premise, and cloud-native services such as server applications, connected devices, microservices, and serverless functions.\n* __decommission__ = BOM containing inventory that will be, or has been retired from operations.", + "enum": [ + "design", + "pre-build", + "build", + "post-build", + "operations", + "discovery", + "decommission" + ] + } + } + }, + { + "required": ["name"], + "additionalProperties": false, + "properties": { + "name": { + "type": "string", + "title": "Name", + "description": "The name of the lifecycle phase" + }, + "description": { + "type": "string", + "title": "Description", + "description": "The description of the lifecycle phase" + } + } + } + ] + } + }, + "tools": { + "oneOf": [ + { + "type": "object", + "title": "Creation Tools", + "description": "The tool(s) used in the creation of the BOM.", + "additionalProperties": false, + "properties": { + "components": { + "type": "array", + "items": {"$ref": "#/definitions/component"}, + "uniqueItems": true, + "title": "Components", + "description": "A list of software and hardware components used as tools" + }, + "services": { + "type": "array", + "items": {"$ref": "#/definitions/service"}, + "uniqueItems": true, + "title": "Services", + "description": "A list of services used as tools. This may include microservices, function-as-a-service, and other types of network or intra-process services." + } + } + }, + { + "type": "array", + "title": "Creation Tools (legacy)", + "description": "[Deprecated] The tool(s) used in the creation of the BOM.", + "items": {"$ref": "#/definitions/tool"} + } + ] + }, + "authors" :{ + "type": "array", + "title": "Authors", + "description": "The person(s) who created the BOM. 
Authors are common in BOMs created through manual processes. BOMs created through automated means may not have authors.", + "items": {"$ref": "#/definitions/organizationalContact"} + }, + "component": { + "title": "Component", + "description": "The component that the BOM describes.", + "$ref": "#/definitions/component" + }, + "manufacture": { + "title": "Manufacture", + "description": "The organization that manufactured the component that the BOM describes.", + "$ref": "#/definitions/organizationalEntity" + }, + "supplier": { + "title": "Supplier", + "description": " The organization that supplied the component that the BOM describes. The supplier may often be the manufacturer, but may also be a distributor or repackager.", + "$ref": "#/definitions/organizationalEntity" + }, + "licenses": { + "title": "BOM License(s)", + "$ref": "#/definitions/licenseChoice" + }, + "properties": { + "type": "array", + "title": "Properties", + "description": "Provides the ability to document properties in a name-value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. Unlike key-value stores, properties support duplicate names, each potentially having different values. Property names of interest to the general public are encouraged to be registered in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy). Formal registration is OPTIONAL.", + "items": {"$ref": "#/definitions/property"} + } + } + }, + "tool": { + "type": "object", + "title": "Tool", + "description": "[Deprecated] - DO NOT USE. This will be removed in a future version. This will be removed in a future version. Use component or service instead. 
Information about the automated or manual tool used", + "additionalProperties": false, + "properties": { + "vendor": { + "type": "string", + "title": "Tool Vendor", + "description": "The name of the vendor who created the tool" + }, + "name": { + "type": "string", + "title": "Tool Name", + "description": "The name of the tool" + }, + "version": { + "type": "string", + "title": "Tool Version", + "description": "The version of the tool" + }, + "hashes": { + "type": "array", + "items": {"$ref": "#/definitions/hash"}, + "title": "Hashes", + "description": "The hashes of the tool (if applicable)." + }, + "externalReferences": { + "type": "array", + "items": {"$ref": "#/definitions/externalReference"}, + "title": "External References", + "description": "External references provide a way to document systems, sites, and information that may be relevant, but are not included with the BOM. They may also establish specific relationships within or external to the BOM." + } + } + }, + "organizationalEntity": { + "type": "object", + "title": "Organizational Entity Object", + "description": "", + "additionalProperties": false, + "properties": { + "bom-ref": { + "$ref": "#/definitions/refType", + "title": "BOM Reference", + "description": "An optional identifier which can be used to reference the object elsewhere in the BOM. Every bom-ref MUST be unique within the BOM." + }, + "name": { + "type": "string", + "title": "Name", + "description": "The name of the organization", + "examples": [ + "Example Inc." + ] + }, + "url": { + "type": "array", + "items": { + "type": "string", + "format": "iri-reference" + }, + "title": "URL", + "description": "The URL of the organization. Multiple URLs are allowed.", + "examples": ["https://example.com"] + }, + "contact": { + "type": "array", + "title": "Contact", + "description": "A contact at the organization. 
Multiple contacts are allowed.", + "items": {"$ref": "#/definitions/organizationalContact"} + } + } + }, + "organizationalContact": { + "type": "object", + "title": "Organizational Contact Object", + "description": "", + "additionalProperties": false, + "properties": { + "bom-ref": { + "$ref": "#/definitions/refType", + "title": "BOM Reference", + "description": "An optional identifier which can be used to reference the object elsewhere in the BOM. Every bom-ref MUST be unique within the BOM." + }, + "name": { + "type": "string", + "title": "Name", + "description": "The name of a contact", + "examples": ["Contact name"] + }, + "email": { + "type": "string", + "format": "idn-email", + "title": "Email Address", + "description": "The email address of the contact.", + "examples": ["firstname.lastname@example.com"] + }, + "phone": { + "type": "string", + "title": "Phone", + "description": "The phone number of the contact.", + "examples": ["800-555-1212"] + } + } + }, + "component": { + "type": "object", + "title": "Component Object", + "required": [ + "type", + "name" + ], + "additionalProperties": false, + "properties": { + "type": { + "type": "string", + "enum": [ + "application", + "framework", + "library", + "container", + "platform", + "operating-system", + "device", + "device-driver", + "firmware", + "file", + "machine-learning-model", + "data" + ], + "title": "Component Type", + "description": "Specifies the type of component. For software components, classify as application if no more specific appropriate classification is available or cannot be determined for the component. Types include:\n\n* __application__ = A software application. Refer to [https://en.wikipedia.org/wiki/Application_software](https://en.wikipedia.org/wiki/Application_software) for information about applications.\n* __framework__ = A software framework. 
Refer to [https://en.wikipedia.org/wiki/Software_framework](https://en.wikipedia.org/wiki/Software_framework) for information on how frameworks vary slightly from libraries.\n* __library__ = A software library. Refer to [https://en.wikipedia.org/wiki/Library_(computing)](https://en.wikipedia.org/wiki/Library_(computing))\n for information about libraries. All third-party and open source reusable components will likely be a library. If the library also has key features of a framework, then it should be classified as a framework. If not, or is unknown, then specifying library is RECOMMENDED.\n* __container__ = A packaging and/or runtime format, not specific to any particular technology, which isolates software inside the container from software outside of a container through virtualization technology. Refer to [https://en.wikipedia.org/wiki/OS-level_virtualization](https://en.wikipedia.org/wiki/OS-level_virtualization)\n* __platform__ = A runtime environment which interprets or executes software. This may include runtimes such as those that execute bytecode or low-code/no-code application platforms.\n* __operating-system__ = A software operating system without regard to deployment model (i.e. installed on physical hardware, virtual machine, image, etc) Refer to [https://en.wikipedia.org/wiki/Operating_system](https://en.wikipedia.org/wiki/Operating_system)\n* __device__ = A hardware device such as a processor, or chip-set. A hardware device containing firmware SHOULD include a component for the physical hardware itself, and another component of type 'firmware' or 'operating-system' (whichever is relevant), describing information about the software running on the device.\n See also the list of [known device properties](https://github.com/CycloneDX/cyclonedx-property-taxonomy/blob/main/cdx/device.md).\n* __device-driver__ = A special type of software that operates or controls a particular type of device. 
Refer to [https://en.wikipedia.org/wiki/Device_driver](https://en.wikipedia.org/wiki/Device_driver)\n* __firmware__ = A special type of software that provides low-level control over a devices hardware. Refer to [https://en.wikipedia.org/wiki/Firmware](https://en.wikipedia.org/wiki/Firmware)\n* __file__ = A computer file. Refer to [https://en.wikipedia.org/wiki/Computer_file](https://en.wikipedia.org/wiki/Computer_file) for information about files.\n* __machine-learning-model__ = A model based on training data that can make predictions or decisions without being explicitly programmed to do so.\n* __data__ = A collection of discrete values that convey information.", + "examples": ["library"] + }, + "mime-type": { + "type": "string", + "title": "Mime-Type", + "description": "The optional mime-type of the component. When used on file components, the mime-type can provide additional context about the kind of file being represented such as an image, font, or executable. Some library or framework components may also have an associated mime-type.", + "examples": ["image/jpeg"], + "pattern": "^[-+a-z0-9.]+/[-+a-z0-9.]+$" + }, + "bom-ref": { + "$ref": "#/definitions/refType", + "title": "BOM Reference", + "description": "An optional identifier which can be used to reference the component elsewhere in the BOM. Every bom-ref MUST be unique within the BOM." + }, + "supplier": { + "title": "Component Supplier", + "description": " The organization that supplied the component. 
The supplier may often be the manufacturer, but may also be a distributor or repackager.", + "$ref": "#/definitions/organizationalEntity" + }, + "author": { + "type": "string", + "title": "Component Author", + "description": "The person(s) or organization(s) that authored the component", + "examples": ["Acme Inc"] + }, + "publisher": { + "type": "string", + "title": "Component Publisher", + "description": "The person(s) or organization(s) that published the component", + "examples": ["Acme Inc"] + }, + "group": { + "type": "string", + "title": "Component Group", + "description": "The grouping name or identifier. This will often be a shortened, single name of the company or project that produced the component, or the source package or domain name. Whitespace and special characters should be avoided. Examples include: apache, org.apache.commons, and apache.org.", + "examples": ["com.acme"] + }, + "name": { + "type": "string", + "title": "Component Name", + "description": "The name of the component. This will often be a shortened, single name of the component. Examples: commons-lang3 and jquery", + "examples": ["tomcat-catalina"] + }, + "version": { + "type": "string", + "title": "Component Version", + "description": "The component version. The version should ideally comply with semantic versioning but is not enforced.", + "examples": ["9.0.14"] + }, + "description": { + "type": "string", + "title": "Component Description", + "description": "Specifies a description for the component" + }, + "scope": { + "type": "string", + "enum": [ + "required", + "optional", + "excluded" + ], + "title": "Component Scope", + "description": "Specifies the scope of the component. 
If scope is not specified, 'required' scope SHOULD be assumed by the consumer of the BOM.", + "default": "required" + }, + "hashes": { + "type": "array", + "title": "Component Hashes", + "items": {"$ref": "#/definitions/hash"} + }, + "licenses": { + "$ref": "#/definitions/licenseChoice", + "title": "Component License(s)" + }, + "copyright": { + "type": "string", + "title": "Component Copyright", + "description": "A copyright notice informing users of the underlying claims to copyright ownership in a published work.", + "examples": ["Acme Inc"] + }, + "cpe": { + "type": "string", + "title": "Component Common Platform Enumeration (CPE)", + "description": "Specifies a well-formed CPE name that conforms to the CPE 2.2 or 2.3 specification. See [https://nvd.nist.gov/products/cpe](https://nvd.nist.gov/products/cpe)", + "examples": ["cpe:2.3:a:acme:component_framework:-:*:*:*:*:*:*:*"] + }, + "purl": { + "type": "string", + "title": "Component Package URL (purl)", + "description": "Specifies the package-url (purl). The purl, if specified, MUST be valid and conform to the specification defined at: [https://github.com/package-url/purl-spec](https://github.com/package-url/purl-spec)", + "examples": ["pkg:maven/com.acme/tomcat-catalina@9.0.14?packaging=jar"] + }, + "swid": { + "$ref": "#/definitions/swid", + "title": "SWID Tag", + "description": "Specifies metadata and content for [ISO-IEC 19770-2 Software Identification (SWID) Tags](https://www.iso.org/standard/65666.html)." + }, + "modified": { + "type": "boolean", + "title": "Component Modified From Original", + "description": "[Deprecated] - DO NOT USE. This will be removed in a future version. Use the pedigree element instead to supply information on exactly how the component was modified. A boolean value indicating if the component has been modified from the original. A value of true indicates the component is a derivative of the original. 
A value of false indicates the component has not been modified from the original." + }, + "pedigree": { + "type": "object", + "title": "Component Pedigree", + "description": "Component pedigree is a way to document complex supply chain scenarios where components are created, distributed, modified, redistributed, combined with other components, etc. Pedigree supports viewing this complex chain from the beginning, the end, or anywhere in the middle. It also provides a way to document variants where the exact relation may not be known.", + "additionalProperties": false, + "properties": { + "ancestors": { + "type": "array", + "title": "Ancestors", + "description": "Describes zero or more components in which a component is derived from. This is commonly used to describe forks from existing projects where the forked version contains a ancestor node containing the original component it was forked from. For example, Component A is the original component. Component B is the component being used and documented in the BOM. However, Component B contains a pedigree node with a single ancestor documenting Component A - the original component from which Component B is derived from.", + "items": {"$ref": "#/definitions/component"} + }, + "descendants": { + "type": "array", + "title": "Descendants", + "description": "Descendants are the exact opposite of ancestors. This provides a way to document all forks (and their forks) of an original or root component.", + "items": {"$ref": "#/definitions/component"} + }, + "variants": { + "type": "array", + "title": "Variants", + "description": "Variants describe relations where the relationship between the components are not known. For example, if Component A contains nearly identical code to Component B. 
They are both related, but it is unclear if one is derived from the other, or if they share a common ancestor.", + "items": {"$ref": "#/definitions/component"} + }, + "commits": { + "type": "array", + "title": "Commits", + "description": "A list of zero or more commits which provide a trail describing how the component deviates from an ancestor, descendant, or variant.", + "items": {"$ref": "#/definitions/commit"} + }, + "patches": { + "type": "array", + "title": "Patches", + "description": ">A list of zero or more patches describing how the component deviates from an ancestor, descendant, or variant. Patches may be complimentary to commits or may be used in place of commits.", + "items": {"$ref": "#/definitions/patch"} + }, + "notes": { + "type": "string", + "title": "Notes", + "description": "Notes, observations, and other non-structured commentary describing the components pedigree." + } + } + }, + "externalReferences": { + "type": "array", + "items": {"$ref": "#/definitions/externalReference"}, + "title": "External References", + "description": "External references provide a way to document systems, sites, and information that may be relevant, but are not included with the BOM. They may also establish specific relationships within or external to the BOM." + }, + "components": { + "type": "array", + "items": {"$ref": "#/definitions/component"}, + "uniqueItems": true, + "title": "Components", + "description": "A list of software and hardware components included in the parent component. This is not a dependency tree. It provides a way to specify a hierarchical representation of component assemblies, similar to system → subsystem → parts assembly in physical supply chains." + }, + "evidence": { + "$ref": "#/definitions/componentEvidence", + "title": "Evidence", + "description": "Provides the ability to document evidence collected through various forms of extraction or analysis." 
+ }, + "releaseNotes": { + "$ref": "#/definitions/releaseNotes", + "title": "Release notes", + "description": "Specifies optional release notes." + }, + "modelCard": { + "$ref": "#/definitions/modelCard", + "title": "Machine Learning Model Card" + }, + "data": { + "type": "array", + "items": {"$ref": "#/definitions/componentData"}, + "title": "Data", + "description": "This object SHOULD be specified for any component of type `data` and MUST NOT be specified for other component types." + }, + "properties": { + "type": "array", + "title": "Properties", + "description": "Provides the ability to document properties in a name-value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. Unlike key-value stores, properties support duplicate names, each potentially having different values. Property names of interest to the general public are encouraged to be registered in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy). Formal registration is OPTIONAL.", + "items": {"$ref": "#/definitions/property"} + }, + "signature": { + "$ref": "#/definitions/signature", + "title": "Signature", + "description": "Enveloped signature in [JSON Signature Format (JSF)](https://cyberphone.github.io/doc/security/jsf.html)." + } + } + }, + "swid": { + "type": "object", + "title": "SWID Tag", + "description": "Specifies metadata and content for ISO-IEC 19770-2 Software Identification (SWID) Tags.", + "required": [ + "tagId", + "name" + ], + "additionalProperties": false, + "properties": { + "tagId": { + "type": "string", + "title": "Tag ID", + "description": "Maps to the tagId of a SoftwareIdentity." + }, + "name": { + "type": "string", + "title": "Name", + "description": "Maps to the name of a SoftwareIdentity." 
+ }, + "version": { + "type": "string", + "title": "Version", + "default": "0.0", + "description": "Maps to the version of a SoftwareIdentity." + }, + "tagVersion": { + "type": "integer", + "title": "Tag Version", + "default": 0, + "description": "Maps to the tagVersion of a SoftwareIdentity." + }, + "patch": { + "type": "boolean", + "title": "Patch", + "default": false, + "description": "Maps to the patch of a SoftwareIdentity." + }, + "text": { + "title": "Attachment text", + "description": "Specifies the metadata and content of the SWID tag.", + "$ref": "#/definitions/attachment" + }, + "url": { + "type": "string", + "title": "URL", + "description": "The URL to the SWID file.", + "format": "iri-reference" + } + } + }, + "attachment": { + "type": "object", + "title": "Attachment", + "description": "Specifies the metadata and content for an attachment.", + "required": [ + "content" + ], + "additionalProperties": false, + "properties": { + "contentType": { + "type": "string", + "title": "Content-Type", + "description": "Specifies the content type of the text. Defaults to text/plain if not specified.", + "default": "text/plain" + }, + "encoding": { + "type": "string", + "title": "Encoding", + "description": "Specifies the optional encoding the text is represented in.", + "enum": [ + "base64" + ] + }, + "content": { + "type": "string", + "title": "Attachment Text", + "description": "The attachment data. Proactive controls such as input validation and sanitization should be employed to prevent misuse of attachment text." 
+ } + } + }, + "hash": { + "type": "object", + "title": "Hash Objects", + "required": [ + "alg", + "content" + ], + "additionalProperties": false, + "properties": { + "alg": { + "$ref": "#/definitions/hash-alg" + }, + "content": { + "$ref": "#/definitions/hash-content" + } + } + }, + "hash-alg": { + "type": "string", + "enum": [ + "MD5", + "SHA-1", + "SHA-256", + "SHA-384", + "SHA-512", + "SHA3-256", + "SHA3-384", + "SHA3-512", + "BLAKE2b-256", + "BLAKE2b-384", + "BLAKE2b-512", + "BLAKE3" + ], + "title": "Hash Algorithm" + }, + "hash-content": { + "type": "string", + "title": "Hash Content (value)", + "examples": ["3942447fac867ae5cdb3229b658f4d48"], + "pattern": "^([a-fA-F0-9]{32}|[a-fA-F0-9]{40}|[a-fA-F0-9]{64}|[a-fA-F0-9]{96}|[a-fA-F0-9]{128})$" + }, + "license": { + "type": "object", + "title": "License Object", + "oneOf": [ + { + "required": ["id"] + }, + { + "required": ["name"] + } + ], + "additionalProperties": false, + "properties": { + "bom-ref": { + "$ref": "#/definitions/refType", + "title": "BOM Reference", + "description": "An optional identifier which can be used to reference the license elsewhere in the BOM. Every bom-ref MUST be unique within the BOM." + }, + "id": { + "$ref": "spdx.schema.json", + "title": "License ID (SPDX)", + "description": "A valid SPDX license ID", + "examples": ["Apache-2.0"] + }, + "name": { + "type": "string", + "title": "License Name", + "description": "If SPDX does not define the license used, this field may be used to provide the license name", + "examples": ["Acme Software License"] + }, + "text": { + "title": "License text", + "description": "An optional way to include the textual content of a license.", + "$ref": "#/definitions/attachment" + }, + "url": { + "type": "string", + "title": "License URL", + "description": "The URL to the license file. 
If specified, a 'license' externalReference should also be specified for completeness", + "examples": ["https://www.apache.org/licenses/LICENSE-2.0.txt"], + "format": "iri-reference" + }, + "licensing": { + "type": "object", + "title": "Licensing information", + "description": "Licensing details describing the licensor/licensee, license type, renewal and expiration dates, and other important metadata", + "additionalProperties": false, + "properties": { + "altIds": { + "type": "array", + "title": "Alternate License Identifiers", + "description": "License identifiers that may be used to manage licenses and their lifecycle", + "items": { + "type": "string" + } + }, + "licensor": { + "title": "Licensor", + "description": "The individual or organization that grants a license to another individual or organization", + "type": "object", + "additionalProperties": false, + "properties": { + "organization": { + "title": "Licensor (Organization)", + "description": "The organization that granted the license", + "$ref": "#/definitions/organizationalEntity" + }, + "individual": { + "title": "Licensor (Individual)", + "description": "The individual, not associated with an organization, that granted the license", + "$ref": "#/definitions/organizationalContact" + } + }, + "oneOf":[ + { + "required": ["organization"] + }, + { + "required": ["individual"] + } + ] + }, + "licensee": { + "title": "Licensee", + "description": "The individual or organization for which a license was granted to", + "type": "object", + "additionalProperties": false, + "properties": { + "organization": { + "title": "Licensee (Organization)", + "description": "The organization that was granted the license", + "$ref": "#/definitions/organizationalEntity" + }, + "individual": { + "title": "Licensee (Individual)", + "description": "The individual, not associated with an organization, that was granted the license", + "$ref": "#/definitions/organizationalContact" + } + }, + "oneOf":[ + { + "required": 
["organization"] + }, + { + "required": ["individual"] + } + ] + }, + "purchaser": { + "title": "Purchaser", + "description": "The individual or organization that purchased the license", + "type": "object", + "additionalProperties": false, + "properties": { + "organization": { + "title": "Purchaser (Organization)", + "description": "The organization that purchased the license", + "$ref": "#/definitions/organizationalEntity" + }, + "individual": { + "title": "Purchaser (Individual)", + "description": "The individual, not associated with an organization, that purchased the license", + "$ref": "#/definitions/organizationalContact" + } + }, + "oneOf":[ + { + "required": ["organization"] + }, + { + "required": ["individual"] + } + ] + }, + "purchaseOrder": { + "type": "string", + "title": "Purchase Order", + "description": "The purchase order identifier the purchaser sent to a supplier or vendor to authorize a purchase" + }, + "licenseTypes": { + "type": "array", + "title": "License Type", + "description": "The type of license(s) that was granted to the licensee\n\n* __academic__ = A license that grants use of software solely for the purpose of education or research.\n* __appliance__ = A license covering use of software embedded in a specific piece of hardware.\n* __client-access__ = A Client Access License (CAL) allows client computers to access services provided by server software.\n* __concurrent-user__ = A Concurrent User license (aka floating license) limits the number of licenses for a software application and licenses are shared among a larger number of users.\n* __core-points__ = A license where the core of a computer's processor is assigned a specific number of points.\n* __custom-metric__ = A license for which consumption is measured by non-standard metrics.\n* __device__ = A license that covers a defined number of installations on computers and other types of devices.\n* __evaluation__ = A license that grants permission to install and use software for trial 
purposes.\n* __named-user__ = A license that grants access to the software to one or more pre-defined users.\n* __node-locked__ = A license that grants access to the software on one or more pre-defined computers or devices.\n* __oem__ = An Original Equipment Manufacturer license that is delivered with hardware, cannot be transferred to other hardware, and is valid for the life of the hardware.\n* __perpetual__ = A license where the software is sold on a one-time basis and the licensee can use a copy of the software indefinitely.\n* __processor-points__ = A license where each installation consumes points per processor.\n* __subscription__ = A license where the licensee pays a fee to use the software or service.\n* __user__ = A license that grants access to the software or service by a specified number of users.\n* __other__ = Another license type.\n", + "items": { + "type": "string", + "enum": [ + "academic", + "appliance", + "client-access", + "concurrent-user", + "core-points", + "custom-metric", + "device", + "evaluation", + "named-user", + "node-locked", + "oem", + "perpetual", + "processor-points", + "subscription", + "user", + "other" + ] + } + }, + "lastRenewal": { + "type": "string", + "format": "date-time", + "title": "Last Renewal", + "description": "The timestamp indicating when the license was last renewed. For new purchases, this is often the purchase or acquisition date. For non-perpetual licenses or subscriptions, this is the timestamp of when the license was last renewed." + }, + "expiration": { + "type": "string", + "format": "date-time", + "title": "Expiration", + "description": "The timestamp indicating when the current license expires (if applicable)." + } + } + }, + "properties": { + "type": "array", + "title": "Properties", + "description": "Provides the ability to document properties in a name-value store. 
This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. Unlike key-value stores, properties support duplicate names, each potentially having different values. Property names of interest to the general public are encouraged to be registered in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy). Formal registration is OPTIONAL.", + "items": {"$ref": "#/definitions/property"} + } + } + }, + "licenseChoice": { + "title": "License Choice", + "description": "EITHER (list of SPDX licenses and/or named licenses) OR (tuple of one SPDX License Expression)", + "type": "array", + "oneOf": [ + { + "title": "Multiple licenses", + "description": "A list of SPDX licenses and/or named licenses.", + "type": "array", + "items": { + "type": "object", + "required": ["license"], + "additionalProperties": false, + "properties": { + "license": {"$ref": "#/definitions/license"} + } + } + }, + { + "title": "SPDX License Expression", + "description": "A tuple of exactly one SPDX License Expression.", + "type": "array", + "additionalItems": false, + "minItems": 1, + "maxItems": 1, + "items": [{ + "type": "object", + "additionalProperties": false, + "required": ["expression"], + "properties": { + "expression": { + "type": "string", + "title": "SPDX License Expression", + "examples": [ + "Apache-2.0 AND (MIT OR GPL-2.0-only)", + "GPL-3.0-only WITH Classpath-exception-2.0" + ] + }, + "bom-ref": { + "$ref": "#/definitions/refType", + "title": "BOM Reference", + "description": "An optional identifier which can be used to reference the license elsewhere in the BOM. Every bom-ref MUST be unique within the BOM." 
+ } + } + }] + } + ] + }, + "commit": { + "type": "object", + "title": "Commit", + "description": "Specifies an individual commit", + "additionalProperties": false, + "properties": { + "uid": { + "type": "string", + "title": "UID", + "description": "A unique identifier of the commit. This may be version control specific. For example, Subversion uses revision numbers whereas git uses commit hashes." + }, + "url": { + "type": "string", + "title": "URL", + "description": "The URL to the commit. This URL will typically point to a commit in a version control system.", + "format": "iri-reference" + }, + "author": { + "title": "Author", + "description": "The author who created the changes in the commit", + "$ref": "#/definitions/identifiableAction" + }, + "committer": { + "title": "Committer", + "description": "The person who committed or pushed the commit", + "$ref": "#/definitions/identifiableAction" + }, + "message": { + "type": "string", + "title": "Message", + "description": "The text description of the contents of the commit" + } + } + }, + "patch": { + "type": "object", + "title": "Patch", + "description": "Specifies an individual patch", + "required": [ + "type" + ], + "additionalProperties": false, + "properties": { + "type": { + "type": "string", + "enum": [ + "unofficial", + "monkey", + "backport", + "cherry-pick" + ], + "title": "Type", + "description": "Specifies the purpose for the patch including the resolution of defects, security issues, or new behavior or functionality.\n\n* __unofficial__ = A patch which is not developed by the creators or maintainers of the software being patched. Refer to [https://en.wikipedia.org/wiki/Unofficial_patch](https://en.wikipedia.org/wiki/Unofficial_patch)\n* __monkey__ = A patch which dynamically modifies runtime behavior. 
Refer to [https://en.wikipedia.org/wiki/Monkey_patch](https://en.wikipedia.org/wiki/Monkey_patch)\n* __backport__ = A patch which takes code from a newer version of software and applies it to older versions of the same software. Refer to [https://en.wikipedia.org/wiki/Backporting](https://en.wikipedia.org/wiki/Backporting)\n* __cherry-pick__ = A patch created by selectively applying commits from other versions or branches of the same software." + }, + "diff": { + "title": "Diff", + "description": "The patch file (or diff) that show changes. Refer to [https://en.wikipedia.org/wiki/Diff](https://en.wikipedia.org/wiki/Diff)", + "$ref": "#/definitions/diff" + }, + "resolves": { + "type": "array", + "items": {"$ref": "#/definitions/issue"}, + "title": "Resolves", + "description": "A collection of issues the patch resolves" + } + } + }, + "diff": { + "type": "object", + "title": "Diff", + "description": "The patch file (or diff) that show changes. Refer to https://en.wikipedia.org/wiki/Diff", + "additionalProperties": false, + "properties": { + "text": { + "title": "Diff text", + "description": "Specifies the optional text of the diff", + "$ref": "#/definitions/attachment" + }, + "url": { + "type": "string", + "title": "URL", + "description": "Specifies the URL to the diff", + "format": "iri-reference" + } + } + }, + "issue": { + "type": "object", + "title": "Diff", + "description": "An individual issue that has been resolved.", + "required": [ + "type" + ], + "additionalProperties": false, + "properties": { + "type": { + "type": "string", + "enum": [ + "defect", + "enhancement", + "security" + ], + "title": "Type", + "description": "Specifies the type of issue" + }, + "id": { + "type": "string", + "title": "ID", + "description": "The identifier of the issue assigned by the source of the issue" + }, + "name": { + "type": "string", + "title": "Name", + "description": "The name of the issue" + }, + "description": { + "type": "string", + "title": "Description", + 
"description": "A description of the issue" + }, + "source": { + "type": "object", + "title": "Source", + "description": "The source of the issue where it is documented", + "additionalProperties": false, + "properties": { + "name": { + "type": "string", + "title": "Name", + "description": "The name of the source. For example 'National Vulnerability Database', 'NVD', and 'Apache'" + }, + "url": { + "type": "string", + "title": "URL", + "description": "The url of the issue documentation as provided by the source", + "format": "iri-reference" + } + } + }, + "references": { + "type": "array", + "items": { + "type": "string", + "format": "iri-reference" + }, + "title": "References", + "description": "A collection of URL's for reference. Multiple URLs are allowed.", + "examples": ["https://example.com"] + } + } + }, + "identifiableAction": { + "type": "object", + "title": "Identifiable Action", + "description": "Specifies an individual commit", + "additionalProperties": false, + "properties": { + "timestamp": { + "type": "string", + "format": "date-time", + "title": "Timestamp", + "description": "The timestamp in which the action occurred" + }, + "name": { + "type": "string", + "title": "Name", + "description": "The name of the individual who performed the action" + }, + "email": { + "type": "string", + "format": "idn-email", + "title": "E-mail", + "description": "The email address of the individual who performed the action" + } + } + }, + "externalReference": { + "type": "object", + "title": "External Reference", + "description": "External references provide a way to document systems, sites, and information that may be relevant, but are not included with the BOM. 
They may also establish specific relationships within or external to the BOM.", + "required": [ + "url", + "type" + ], + "additionalProperties": false, + "properties": { + "url": { + "anyOf": [ + { + "title": "URL", + "type": "string", + "format": "iri-reference" + }, + { + "title": "BOM-Link", + "$ref": "#/definitions/bomLink" + } + ], + "title": "URL", + "description": "The URI (URL or URN) to the external reference. External references are URIs and therefore can accept any URL scheme including https ([RFC-7230](https://www.ietf.org/rfc/rfc7230.txt)), mailto ([RFC-2368](https://www.ietf.org/rfc/rfc2368.txt)), tel ([RFC-3966](https://www.ietf.org/rfc/rfc3966.txt)), and dns ([RFC-4501](https://www.ietf.org/rfc/rfc4501.txt)). External references may also include formally registered URNs such as [CycloneDX BOM-Link](https://cyclonedx.org/capabilities/bomlink/) to reference CycloneDX BOMs or any object within a BOM. BOM-Link transforms applicable external references into relationships that can be expressed in a BOM or across BOMs." + }, + "comment": { + "type": "string", + "title": "Comment", + "description": "An optional comment describing the external reference" + }, + "type": { + "type": "string", + "title": "Type", + "description": "Specifies the type of external reference.\n\n* __vcs__ = Version Control System\n* __issue-tracker__ = Issue or defect tracking system, or an Application Lifecycle Management (ALM) system\n* __website__ = Website\n* __advisories__ = Security advisories\n* __bom__ = Bill of Materials (SBOM, OBOM, HBOM, SaaSBOM, etc)\n* __mailing-list__ = Mailing list or discussion group\n* __social__ = Social media account\n* __chat__ = Real-time chat platform\n* __documentation__ = Documentation, guides, or how-to instructions\n* __support__ = Community or commercial support\n* __distribution__ = Direct or repository download location\n* __distribution-intake__ = The location where a component was published to. 
This is often the same as \"distribution\" but may also include specialized publishing processes that act as an intermediary\n* __license__ = The URL to the license file. If a license URL has been defined in the license node, it should also be defined as an external reference for completeness\n* __build-meta__ = Build-system specific meta file (i.e. pom.xml, package.json, .nuspec, etc)\n* __build-system__ = URL to an automated build system\n* __release-notes__ = URL to release notes\n* __security-contact__ = Specifies a way to contact the maintainer, supplier, or provider in the event of a security incident. Common URIs include links to a disclosure procedure, a mailto (RFC-2368) that specifies an email address, a tel (RFC-3966) that specifies a phone number, or dns (RFC-4501) that specifies the records containing DNS Security TXT\n* __model-card__ = A model card describes the intended uses of a machine learning model, potential limitations, biases, ethical considerations, training parameters, datasets used to train the model, performance metrics, and other relevant data useful for ML transparency\n* __log__ = A record of events that occurred in a computer system or application, such as problems, errors, or information on current operations\n* __configuration__ = Parameters or settings that may be used by other components or services\n* __evidence__ = Information used to substantiate a claim\n* __formulation__ = Describes how a component or service was manufactured or deployed\n* __attestation__ = Human or machine-readable statements containing facts, evidence, or testimony\n* __threat-model__ = An enumeration of identified weaknesses, threats, and countermeasures, dataflow diagram (DFD), attack tree, and other supporting documentation in human-readable or machine-readable format\n* __adversary-model__ = The defined assumptions, goals, and capabilities of an adversary.\n* __risk-assessment__ = Identifies and analyzes the potential of future events that may 
negatively impact individuals, assets, and/or the environment. Risk assessments may also include judgments on the tolerability of each risk.\n* __vulnerability-assertion__ = A Vulnerability Disclosure Report (VDR) which asserts the known and previously unknown vulnerabilities that affect a component, service, or product including the analysis and findings describing the impact (or lack of impact) that the reported vulnerability has on a component, service, or product.\n* __exploitability-statement__ = A Vulnerability Exploitability eXchange (VEX) which asserts the known vulnerabilities that do not affect a product, product family, or organization, and optionally the ones that do. The VEX should include the analysis and findings describing the impact (or lack of impact) that the reported vulnerability has on the product, product family, or organization.\n* __pentest-report__ = Results from an authorized simulated cyberattack on a component or service, otherwise known as a penetration test\n* __static-analysis-report__ = SARIF or proprietary machine or human-readable report for which static analysis has identified code quality, security, and other potential issues with the source code\n* __dynamic-analysis-report__ = Dynamic analysis report that has identified issues such as vulnerabilities and misconfigurations\n* __runtime-analysis-report__ = Report generated by analyzing the call stack of a running application\n* __component-analysis-report__ = Report generated by Software Composition Analysis (SCA), container analysis, or other forms of component analysis\n* __maturity-report__ = Report containing a formal assessment of an organization, business unit, or team against a maturity model\n* __certification-report__ = Industry, regulatory, or other certification from an accredited (if applicable) certification body\n* __quality-metrics__ = Report or system in which quality metrics can be obtained\n* __codified-infrastructure__ = Code or configuration that defines and 
provisions virtualized infrastructure, commonly referred to as Infrastructure as Code (IaC)\n* __poam__ = Plans of Action and Milestones (POAM) compliment an \"attestation\" external reference. POAM is defined by NIST as a \"document that identifies tasks needing to be accomplished. It details resources required to accomplish the elements of the plan, any milestones in meeting the tasks and scheduled completion dates for the milestones\".\n* __other__ = Use this if no other types accurately describe the purpose of the external reference",
+ "enum": [
+ "vcs",
+ "issue-tracker",
+ "website",
+ "advisories",
+ "bom",
+ "mailing-list",
+ "social",
+ "chat",
+ "documentation",
+ "support",
+ "distribution",
+ "distribution-intake",
+ "license",
+ "build-meta",
+ "build-system",
+ "release-notes",
+ "security-contact",
+ "model-card",
+ "log",
+ "configuration",
+ "evidence",
+ "formulation",
+ "attestation",
+ "threat-model",
+ "adversary-model",
+ "risk-assessment",
+ "vulnerability-assertion",
+ "exploitability-statement",
+ "pentest-report",
+ "static-analysis-report",
+ "dynamic-analysis-report",
+ "runtime-analysis-report",
+ "component-analysis-report",
+ "maturity-report",
+ "certification-report",
+ "codified-infrastructure",
+ "quality-metrics",
+ "poam",
+ "other"
+ ]
+ },
+ "hashes": {
+ "type": "array",
+ "items": {"$ref": "#/definitions/hash"},
+ "title": "Hashes",
+ "description": "The hashes of the external reference (if applicable)."
+ }
+ }
+ },
+ "dependency": {
+ "type": "object",
+ "title": "Dependency",
+ "description": "Defines the direct dependencies of a component or service. Components or services that do not have their own dependencies MUST be declared as empty elements within the graph. Components or services that are not represented in the dependency graph MAY have unknown dependencies. It is RECOMMENDED that implementations assume this to be opaque and not an indicator of a object being dependency-free. 
It is RECOMMENDED to leverage compositions to indicate unknown dependency graphs.",
+ "required": [
+ "ref"
+ ],
+ "additionalProperties": false,
+ "properties": {
+ "ref": {
+ "$ref": "#/definitions/refLinkType",
+ "title": "Reference",
+ "description": "References a component or service by its bom-ref attribute"
+ },
+ "dependsOn": {
+ "type": "array",
+ "uniqueItems": true,
+ "items": {
+ "$ref": "#/definitions/refLinkType"
+ },
+ "title": "Depends On",
+ "description": "The bom-ref identifiers of the components or services that are dependencies of this dependency object."
+ }
+ }
+ },
+ "service": {
+ "type": "object",
+ "title": "Service Object",
+ "required": [
+ "name"
+ ],
+ "additionalProperties": false,
+ "properties": {
+ "bom-ref": {
+ "$ref": "#/definitions/refType",
+ "title": "BOM Reference",
+ "description": "An optional identifier which can be used to reference the service elsewhere in the BOM. Every bom-ref MUST be unique within the BOM."
+ },
+ "provider": {
+ "title": "Provider",
+ "description": "The organization that provides the service.",
+ "$ref": "#/definitions/organizationalEntity"
+ },
+ "group": {
+ "type": "string",
+ "title": "Service Group",
+ "description": "The grouping name, namespace, or identifier. This will often be a shortened, single name of the company or project that produced the service or domain name. Whitespace and special characters should be avoided.",
+ "examples": ["com.acme"]
+ },
+ "name": {
+ "type": "string",
+ "title": "Service Name",
+ "description": "The name of the service. 
This will often be a shortened, single name of the service.",
+ "examples": ["ticker-service"]
+ },
+ "version": {
+ "type": "string",
+ "title": "Service Version",
+ "description": "The service version.",
+ "examples": ["1.0.0"]
+ },
+ "description": {
+ "type": "string",
+ "title": "Service Description",
+ "description": "Specifies a description for the service"
+ },
+ "endpoints": {
+ "type": "array",
+ "items": {
+ "type": "string",
+ "format": "iri-reference"
+ },
+ "title": "Endpoints",
+ "description": "The endpoint URIs of the service. Multiple endpoints are allowed.",
+ "examples": ["https://example.com/api/v1/ticker"]
+ },
+ "authenticated": {
+ "type": "boolean",
+ "title": "Authentication Required",
+ "description": "A boolean value indicating if the service requires authentication. A value of true indicates the service requires authentication prior to use. A value of false indicates the service does not require authentication."
+ },
+ "x-trust-boundary": {
+ "type": "boolean",
+ "title": "Crosses Trust Boundary",
+ "description": "A boolean value indicating if use of the service crosses a trust zone or boundary. A value of true indicates that by using the service, a trust boundary is crossed. A value of false indicates that by using the service, a trust boundary is not crossed."
+ },
+ "trustZone": {
+ "type": "string",
+ "title": "Trust Zone",
+ "description": "The name of the trust zone the service resides in."
+ },
+ "data": {
+ "type": "array",
+ "items": {"$ref": "#/definitions/serviceData"},
+ "title": "Data",
+ "description": "Specifies information about the data including the directional flow of data and the data classification." 
+ },
+ "licenses": {
+ "$ref": "#/definitions/licenseChoice",
+ "title": "Component License(s)"
+ },
+ "externalReferences": {
+ "type": "array",
+ "items": {"$ref": "#/definitions/externalReference"},
+ "title": "External References",
+ "description": "External references provide a way to document systems, sites, and information that may be relevant, but are not included with the BOM. They may also establish specific relationships within or external to the BOM."
+ },
+ "services": {
+ "type": "array",
+ "items": {"$ref": "#/definitions/service"},
+ "uniqueItems": true,
+ "title": "Services",
+ "description": "A list of services included or deployed behind the parent service. This is not a dependency tree. It provides a way to specify a hierarchical representation of service assemblies."
+ },
+ "releaseNotes": {
+ "$ref": "#/definitions/releaseNotes",
+ "title": "Release notes",
+ "description": "Specifies optional release notes."
+ },
+ "properties": {
+ "type": "array",
+ "title": "Properties",
+ "description": "Provides the ability to document properties in a name-value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. Unlike key-value stores, properties support duplicate names, each potentially having different values. Property names of interest to the general public are encouraged to be registered in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy). Formal registration is OPTIONAL.",
+ "items": {"$ref": "#/definitions/property"}
+ },
+ "signature": {
+ "$ref": "#/definitions/signature",
+ "title": "Signature",
+ "description": "Enveloped signature in [JSON Signature Format (JSF)](https://cyberphone.github.io/doc/security/jsf.html)." 
+ }
+ }
+ },
+ "serviceData": {
+ "type": "object",
+ "title": "Hash Objects",
+ "required": [
+ "flow",
+ "classification"
+ ],
+ "additionalProperties": false,
+ "properties": {
+ "flow": {
+ "$ref": "#/definitions/dataFlowDirection",
+ "title": "Directional Flow",
+ "description": "Specifies the flow direction of the data. Direction is relative to the service. Inbound flow states that data enters the service. Outbound flow states that data leaves the service. Bi-directional states that data flows both ways, and unknown states that the direction is not known."
+ },
+ "classification": {
+ "$ref": "#/definitions/dataClassification"
+ },
+ "name": {
+ "type": "string",
+ "title": "Name",
+ "description": "Name for the defined data",
+ "examples": [
+ "Credit card reporting"
+ ]
+ },
+ "description": {
+ "type": "string",
+ "title": "Description",
+ "description": "Short description of the data content and usage",
+ "examples": [
+ "Credit card information being exchanged in between the web app and the database"
+ ]
+ },
+ "governance": {
+ "type": "object",
+ "title": "Data Governance",
+ "$ref": "#/definitions/dataGovernance"
+ },
+ "source": {
+ "type": "array",
+ "items": {
+ "anyOf": [
+ {
+ "title": "URL",
+ "type": "string",
+ "format": "iri-reference"
+ },
+ {
+ "title": "BOM-Link Element",
+ "$ref": "#/definitions/bomLinkElementType"
+ }
+ ]
+ },
+ "title": "Source",
+ "description": "The URI, URL, or BOM-Link of the components or services the data came in from"
+ },
+ "destination": {
+ "type": "array",
+ "items": {
+ "anyOf": [
+ {
+ "title": "URL",
+ "type": "string",
+ "format": "iri-reference"
+ },
+ {
+ "title": "BOM-Link Element",
+ "$ref": "#/definitions/bomLinkElementType"
+ }
+ ]
+ },
+ "title": "Destination",
+ "description": "The URI, URL, or BOM-Link of the components or services the data is sent to"
+ }
+ }
+ },
+ "dataFlowDirection": {
+ "type": "string",
+ "enum": [
+ "inbound",
+ "outbound",
+ "bi-directional",
+ "unknown"
+ ],
+ "title": 
"Data flow direction",
+ "description": "Specifies the flow direction of the data. Direction is relative to the service. Inbound flow states that data enters the service. Outbound flow states that data leaves the service. Bi-directional states that data flows both ways, and unknown states that the direction is not known."
+ },
+ 
+ "copyright": {
+ "type": "object",
+ "title": "Copyright",
+ "required": [
+ "text"
+ ],
+ "additionalProperties": false,
+ "properties": {
+ "text": {
+ "type": "string",
+ "title": "Copyright Text"
+ }
+ }
+ },
+ "componentEvidence": {
+ "type": "object",
+ "title": "Evidence",
+ "description": "Provides the ability to document evidence collected through various forms of extraction or analysis.",
+ "additionalProperties": false,
+ "properties": {
+ "identity": {
+ "type": "object",
+ "description": "Evidence that substantiates the identity of a component.",
+ "required": [ "field" ],
+ "additionalProperties": false,
+ "properties": {
+ "field": {
+ "type": "string",
+ "enum": [
+ "group", "name", "version", "purl", "cpe", "swid", "hash"
+ ],
+ "title": "Field",
+ "description": "The identity field of the component which the evidence describes."
+ },
+ "confidence": {
+ "type": "number",
+ "minimum": 0,
+ "maximum": 1,
+ "title": "Confidence",
+ "description": "The overall confidence of the evidence from 0 - 1, where 1 is 100% confidence." 
+ },
+ "methods": {
+ "type": "array",
+ "title": "Methods",
+ "description": "The methods used to extract and/or analyze the evidence.",
+ "items": {
+ "type": "object",
+ "required": [
+ "technique" ,
+ "confidence"
+ ],
+ "additionalProperties": false,
+ "properties": {
+ "technique": {
+ "title": "Technique",
+ "description": "The technique used in this method of analysis.",
+ "type": "string",
+ "enum": [
+ "source-code-analysis",
+ "binary-analysis",
+ "manifest-analysis",
+ "ast-fingerprint",
+ "hash-comparison",
+ "instrumentation",
+ "dynamic-analysis",
+ "filename",
+ "attestation",
+ "other"
+ ]
+ },
+ "confidence": {
+ "type": "number",
+ "minimum": 0,
+ "maximum": 1,
+ "title": "Confidence",
+ "description": "The confidence of the evidence from 0 - 1, where 1 is 100% confidence. Confidence is specific to the technique used. Each technique of analysis can have independent confidence."
+ },
+ "value": {
+ "type": "string",
+ "title": "Value",
+ "description": "The value or contents of the evidence."
+ }
+ }
+ }
+ },
+ "tools": {
+ "type": "array",
+ "uniqueItems": true,
+ "items": {
+ "anyOf": [
+ {
+ "title": "Ref",
+ "$ref": "#/definitions/refLinkType"
+ },
+ {
+ "title": "BOM-Link Element",
+ "$ref": "#/definitions/bomLinkElementType"
+ }
+ ]
+ },
+ "title": "BOM References",
+ "description": "The object in the BOM identified by its bom-ref. This is often a component or service, but may be any object type supporting bom-refs. Tools used for analysis should already be defined in the BOM, either in the metadata/tools, components, or formulation." 
+ }
+ }
+ },
+ "occurrences": {
+ "type": "array",
+ "title": "Occurrences",
+ "description": "Evidence of individual instances of a component spread across multiple locations.",
+ "items": {
+ "type": "object",
+ "required": [ "location" ],
+ "additionalProperties": false,
+ "properties": {
+ "bom-ref": {
+ "$ref": "#/definitions/refType",
+ "title": "BOM Reference",
+ "description": "An optional identifier which can be used to reference the occurrence elsewhere in the BOM. Every bom-ref MUST be unique within the BOM."
+ },
+ "location": {
+ "type": "string",
+ "title": "Location",
+ "description": "The location or path to where the component was found."
+ }
+ }
+ }
+ },
+ "callstack": {
+ "type": "object",
+ "description": "Evidence of the components use through the callstack.",
+ "additionalProperties": false,
+ "properties": {
+ "frames": {
+ "type": "array",
+ "title": "Methods",
+ "items": {
+ "type": "object",
+ "required": [
+ "module"
+ ],
+ "additionalProperties": false,
+ "properties": {
+ "package": {
+ "title": "Package",
+ "description": "A package organizes modules into namespaces, providing a unique namespace for each type it contains.",
+ "type": "string"
+ },
+ "module": {
+ "title": "Module",
+ "description": "A module or class that encloses functions/methods and other code.",
+ "type": "string"
+ },
+ "function": {
+ "title": "Function",
+ "description": "A block of code designed to perform a particular task.",
+ "type": "string"
+ },
+ "parameters": {
+ "title": "Parameters",
+ "description": "Optional arguments that are passed to the module or function.",
+ "type": "array",
+ "items": {
+ "type": "string"
+ }
+ },
+ "line": {
+ "title": "Line",
+ "description": "The line number the code that is called resides on.",
+ "type": "integer"
+ },
+ "column": {
+ "title": "Column",
+ "description": "The column the code that is called resides.",
+ "type": "integer"
+ },
+ "fullFilename": {
+ "title": "Full Filename",
+ "description": "The full path and 
filename of the module.",
+ "type": "string"
+ }
+ }
+ }
+ }
+ }
+ },
+ "licenses": {
+ "$ref": "#/definitions/licenseChoice",
+ "title": "Component License(s)"
+ },
+ "copyright": {
+ "type": "array",
+ "items": {"$ref": "#/definitions/copyright"},
+ "title": "Copyright"
+ }
+ }
+ },
+ "compositions": {
+ "type": "object",
+ "title": "Compositions",
+ "required": [
+ "aggregate"
+ ],
+ "additionalProperties": false,
+ "properties": {
+ "bom-ref": {
+ "$ref": "#/definitions/refType",
+ "title": "BOM Reference",
+ "description": "An optional identifier which can be used to reference the composition elsewhere in the BOM. Every bom-ref MUST be unique within the BOM."
+ },
+ "aggregate": {
+ "$ref": "#/definitions/aggregateType",
+ "title": "Aggregate",
+ "description": "Specifies an aggregate type that describe how complete a relationship is.\n\n* __complete__ = The relationship is complete. No further relationships including constituent components, services, or dependencies are known to exist.\n* __incomplete__ = The relationship is incomplete. Additional relationships exist and may include constituent components, services, or dependencies.\n* __incomplete_first_party_only__ = The relationship is incomplete. Only relationships for first-party components, services, or their dependencies are represented.\n* __incomplete_first_party_proprietary_only__ = The relationship is incomplete. Only relationships for first-party components, services, or their dependencies are represented, limited specifically to those that are proprietary.\n* __incomplete_first_party_opensource_only__ = The relationship is incomplete. Only relationships for first-party components, services, or their dependencies are represented, limited specifically to those that are opensource.\n* __incomplete_third_party_only__ = The relationship is incomplete. 
Only relationships for third-party components, services, or their dependencies are represented.\n* __incomplete_third_party_proprietary_only__ = The relationship is incomplete. Only relationships for third-party components, services, or their dependencies are represented, limited specifically to those that are proprietary.\n* __incomplete_third_party_opensource_only__ = The relationship is incomplete. Only relationships for third-party components, services, or their dependencies are represented, limited specifically to those that are opensource.\n* __unknown__ = The relationship may be complete or incomplete. This usually signifies a 'best-effort' to obtain constituent components, services, or dependencies but the completeness is inconclusive.\n* __not_specified__ = The relationship completeness is not specified.\n"
+ },
+ "assemblies": {
+ "type": "array",
+ "uniqueItems": true,
+ "items": {
+ "anyOf": [
+ {
+ "title": "Ref",
+ "$ref": "#/definitions/refLinkType"
+ },
+ {
+ "title": "BOM-Link Element",
+ "$ref": "#/definitions/bomLinkElementType"
+ }
+ ]
+ },
+ "title": "BOM references",
+ "description": "The bom-ref identifiers of the components or services being described. Assemblies refer to nested relationships whereby a constituent part may include other constituent parts. References do not cascade to child parts. References are explicit for the specified constituent part only."
+ },
+ "dependencies": {
+ "type": "array",
+ "uniqueItems": true,
+ "items": {
+ "type": "string"
+ },
+ "title": "BOM references",
+ "description": "The bom-ref identifiers of the components or services being described. Dependencies refer to a relationship whereby an independent constituent part requires another independent constituent part. References do not cascade to transitive dependencies. References are explicit for the specified dependency only." 
+ },
+ "vulnerabilities": {
+ "type": "array",
+ "uniqueItems": true,
+ "items": {
+ "type": "string"
+ },
+ "title": "BOM references",
+ "description": "The bom-ref identifiers of the vulnerabilities being described."
+ },
+ "signature": {
+ "$ref": "#/definitions/signature",
+ "title": "Signature",
+ "description": "Enveloped signature in [JSON Signature Format (JSF)](https://cyberphone.github.io/doc/security/jsf.html)."
+ }
+ }
+ },
+ "aggregateType": {
+ "type": "string",
+ "default": "not_specified",
+ "enum": [
+ "complete",
+ "incomplete",
+ "incomplete_first_party_only",
+ "incomplete_first_party_proprietary_only",
+ "incomplete_first_party_opensource_only",
+ "incomplete_third_party_only",
+ "incomplete_third_party_proprietary_only",
+ "incomplete_third_party_opensource_only",
+ "unknown",
+ "not_specified"
+ ]
+ },
+ "property": {
+ "type": "object",
+ "title": "Lightweight name-value pair",
+ "description": "Provides the ability to document properties in a name-value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. Unlike key-value stores, properties support duplicate names, each potentially having different values. Property names of interest to the general public are encouraged to be registered in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy). Formal registration is OPTIONAL.",
+ "properties": {
+ "name": {
+ "type": "string",
+ "title": "Name",
+ "description": "The name of the property. Duplicate names are allowed, each potentially having a different value."
+ },
+ "value": {
+ "type": "string",
+ "title": "Value",
+ "description": "The value of the property." 
+ }
+ }
+ },
+ "localeType": {
+ "type": "string",
+ "pattern": "^([a-z]{2})(-[A-Z]{2})?$",
+ "title": "Locale",
+ "description": "Defines a syntax for representing two character language code (ISO-639) followed by an optional two character country code. The language code MUST be lower case. If the country code is specified, the country code MUST be upper case. The language code and country code MUST be separated by a minus sign. Examples: en, en-US, fr, fr-CA"
+ },
+ "releaseType": {
+ "type": "string",
+ "examples": [
+ "major",
+ "minor",
+ "patch",
+ "pre-release",
+ "internal"
+ ],
+ "description": "The software versioning type. It is RECOMMENDED that the release type use one of 'major', 'minor', 'patch', 'pre-release', or 'internal'. Representing all possible software release types is not practical, so standardizing on the recommended values, whenever possible, is strongly encouraged.\n\n* __major__ = A major release may contain significant changes or may introduce breaking changes.\n* __minor__ = A minor release, also known as an update, may contain a smaller number of changes than major releases.\n* __patch__ = Patch releases are typically unplanned and may resolve defects or important security issues.\n* __pre-release__ = A pre-release may include alpha, beta, or release candidates and typically have limited support. They provide the ability to preview a release prior to its general availability.\n* __internal__ = Internal releases are not for public consumption and are intended to be used exclusively by the project or manufacturer that produced it."
+ },
+ "note": {
+ "type": "object",
+ "title": "Note",
+ "description": "A note containing the locale and content.",
+ "required": [
+ "text"
+ ],
+ "additionalProperties": false,
+ "properties": {
+ "locale": {
+ "$ref": "#/definitions/localeType",
+ "title": "Locale",
+ "description": "The ISO-639 (or higher) language code and optional ISO-3166 (or higher) country code. 
Examples include: \"en\", \"en-US\", \"fr\" and \"fr-CA\""
+ },
+ "text": {
+ "title": "Release note content",
+ "description": "Specifies the full content of the release note.",
+ "$ref": "#/definitions/attachment"
+ }
+ }
+ },
+ "releaseNotes": {
+ "type": "object",
+ "title": "Release notes",
+ "required": [
+ "type"
+ ],
+ "additionalProperties": false,
+ "properties": {
+ "type": {
+ "$ref": "#/definitions/releaseType",
+ "title": "Type",
+ "description": "The software versioning type the release note describes."
+ },
+ "title": {
+ "type": "string",
+ "title": "Title",
+ "description": "The title of the release."
+ },
+ "featuredImage": {
+ "type": "string",
+ "format": "iri-reference",
+ "title": "Featured image",
+ "description": "The URL to an image that may be prominently displayed with the release note."
+ },
+ "socialImage": {
+ "type": "string",
+ "format": "iri-reference",
+ "title": "Social image",
+ "description": "The URL to an image that may be used in messaging on social media platforms."
+ },
+ "description": {
+ "type": "string",
+ "title": "Description",
+ "description": "A short description of the release."
+ },
+ "timestamp": {
+ "type": "string",
+ "format": "date-time",
+ "title": "Timestamp",
+ "description": "The date and time (timestamp) when the release note was created."
+ },
+ "aliases": {
+ "type": "array",
+ "items": {
+ "type": "string"
+ },
+ "title": "Aliases",
+ "description": "One or more alternate names the release may be referred to. This may include unofficial terms used by development and marketing teams (e.g. code names)."
+ },
+ "tags": {
+ "type": "array",
+ "items": {
+ "type": "string"
+ },
+ "title": "Tags",
+ "description": "One or more tags that may aid in search or retrieval of the release note."
+ },
+ "resolves": {
+ "type": "array",
+ "items": {"$ref": "#/definitions/issue"},
+ "title": "Resolves",
+ "description": "A collection of issues that have been resolved." 
+ },
+ "notes": {
+ "type": "array",
+ "items": {"$ref": "#/definitions/note"},
+ "title": "Notes",
+ "description": "Zero or more release notes containing the locale and content. Multiple note objects may be specified to support release notes in a wide variety of languages."
+ },
+ "properties": {
+ "type": "array",
+ "title": "Properties",
+ "description": "Provides the ability to document properties in a name-value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. Unlike key-value stores, properties support duplicate names, each potentially having different values. Property names of interest to the general public are encouraged to be registered in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy). Formal registration is OPTIONAL.",
+ "items": {"$ref": "#/definitions/property"}
+ }
+ }
+ },
+ "advisory": {
+ "type": "object",
+ "title": "Advisory",
+ "description": "Title and location where advisory information can be obtained. An advisory is a notification of a threat to a component, service, or system.",
+ "required": ["url"],
+ "additionalProperties": false,
+ "properties": {
+ "title": {
+ "type": "string",
+ "title": "Title",
+ "description": "An optional name of the advisory."
+ },
+ "url": {
+ "type": "string",
+ "title": "URL",
+ "format": "iri-reference",
+ "description": "Location where the advisory can be obtained."
+ }
+ }
+ },
+ "cwe": {
+ "type": "integer",
+ "minimum": 1,
+ "title": "CWE",
+ "description": "Integer representation of a Common Weaknesses Enumerations (CWE). For example 399 (of https://cwe.mitre.org/data/definitions/399.html)"
+ },
+ "severity": {
+ "type": "string",
+ "title": "Severity",
+ "description": "Textual representation of the severity of the vulnerability adopted by the analysis method. 
If the analysis method uses values other than what is provided, the user is expected to translate appropriately.",
+ "enum": [
+ "critical",
+ "high",
+ "medium",
+ "low",
+ "info",
+ "none",
+ "unknown"
+ ]
+ },
+ "scoreMethod": {
+ "type": "string",
+ "title": "Method",
+ "description": "Specifies the severity or risk scoring methodology or standard used.\n\n* CVSSv2 - [Common Vulnerability Scoring System v2](https://www.first.org/cvss/v2/)\n* CVSSv3 - [Common Vulnerability Scoring System v3](https://www.first.org/cvss/v3-0/)\n* CVSSv31 - [Common Vulnerability Scoring System v3.1](https://www.first.org/cvss/v3-1/)\n* CVSSv4 - [Common Vulnerability Scoring System v4](https://www.first.org/cvss/v4-0/)\n* OWASP - [OWASP Risk Rating Methodology](https://owasp.org/www-community/OWASP_Risk_Rating_Methodology)\n* SSVC - [Stakeholder Specific Vulnerability Categorization](https://github.com/CERTCC/SSVC) (all versions)",
+ "enum": [
+ "CVSSv2",
+ "CVSSv3",
+ "CVSSv31",
+ "CVSSv4",
+ "OWASP",
+ "SSVC",
+ "other"
+ ]
+ },
+ "impactAnalysisState": {
+ "type": "string",
+ "title": "Impact Analysis State",
+ "description": "Declares the current state of an occurrence of a vulnerability, after automated or manual analysis. \n\n* __resolved__ = the vulnerability has been remediated. \n* __resolved\\_with\\_pedigree__ = the vulnerability has been remediated and evidence of the changes are provided in the affected components pedigree containing verifiable commit history and/or diff(s). \n* __exploitable__ = the vulnerability may be directly or indirectly exploitable. \n* __in\\_triage__ = the vulnerability is being investigated. \n* __false\\_positive__ = the vulnerability is not specific to the component or service and was falsely identified or associated. \n* __not\\_affected__ = the component or service is not affected by the vulnerability. 
Justification should be specified for all not_affected cases.",
+ "enum": [
+ "resolved",
+ "resolved_with_pedigree",
+ "exploitable",
+ "in_triage",
+ "false_positive",
+ "not_affected"
+ ]
+ },
+ "impactAnalysisJustification": {
+ "type": "string",
+ "title": "Impact Analysis Justification",
+ "description": "The rationale of why the impact analysis state was asserted. \n\n* __code\\_not\\_present__ = the code has been removed or tree-shaked. \n* __code\\_not\\_reachable__ = the vulnerable code is not invoked at runtime. \n* __requires\\_configuration__ = exploitability requires a configurable option to be set/unset. \n* __requires\\_dependency__ = exploitability requires a dependency that is not present. \n* __requires\\_environment__ = exploitability requires a certain environment which is not present. \n* __protected\\_by\\_compiler__ = exploitability requires a compiler flag to be set/unset. \n* __protected\\_at\\_runtime__ = exploits are prevented at runtime. \n* __protected\\_at\\_perimeter__ = attacks are blocked at physical, logical, or network perimeter. \n* __protected\\_by\\_mitigating\\_control__ = preventative measures have been implemented that reduce the likelihood and/or impact of the vulnerability.",
+ "enum": [
+ "code_not_present",
+ "code_not_reachable",
+ "requires_configuration",
+ "requires_dependency",
+ "requires_environment",
+ "protected_by_compiler",
+ "protected_at_runtime",
+ "protected_at_perimeter",
+ "protected_by_mitigating_control"
+ ]
+ },
+ "rating": {
+ "type": "object",
+ "title": "Rating",
+ "description": "Defines the severity or risk ratings of a vulnerability.",
+ "additionalProperties": false,
+ "properties": {
+ "source": {
+ "$ref": "#/definitions/vulnerabilitySource",
+ "description": "The source that calculated the severity or risk rating of the vulnerability."
+ },
+ "score": {
+ "type": "number",
+ "title": "Score",
+ "description": "The numerical score of the rating." 
+ }, + "severity": { + "$ref": "#/definitions/severity", + "description": "Textual representation of the severity that corresponds to the numerical score of the rating." + }, + "method": { + "$ref": "#/definitions/scoreMethod" + }, + "vector": { + "type": "string", + "title": "Vector", + "description": "Textual representation of the metric values used to score the vulnerability" + }, + "justification": { + "type": "string", + "title": "Justification", + "description": "An optional reason for rating the vulnerability as it was" + } + } + }, + "vulnerabilitySource": { + "type": "object", + "title": "Source", + "description": "The source of vulnerability information. This is often the organization that published the vulnerability.", + "additionalProperties": false, + "properties": { + "url": { + "type": "string", + "title": "URL", + "description": "The url of the vulnerability documentation as provided by the source.", + "examples": [ + "https://nvd.nist.gov/vuln/detail/CVE-2021-39182" + ] + }, + "name": { + "type": "string", + "title": "Name", + "description": "The name of the source.", + "examples": [ + "NVD", + "National Vulnerability Database", + "OSS Index", + "VulnDB", + "GitHub Advisories" + ] + } + } + }, + "vulnerability": { + "type": "object", + "title": "Vulnerability", + "description": "Defines a weakness in a component or service that could be exploited or triggered by a threat source.", + "additionalProperties": false, + "properties": { + "bom-ref": { + "$ref": "#/definitions/refType", + "title": "BOM Reference", + "description": "An optional identifier which can be used to reference the vulnerability elsewhere in the BOM. Every bom-ref MUST be unique within the BOM." 
+ }, + "id": { + "type": "string", + "title": "ID", + "description": "The identifier that uniquely identifies the vulnerability.", + "examples": [ + "CVE-2021-39182", + "GHSA-35m5-8cvj-8783", + "SNYK-PYTHON-ENROCRYPT-1912876" + ] + }, + "source": { + "$ref": "#/definitions/vulnerabilitySource", + "description": "The source that published the vulnerability." + }, + "references": { + "type": "array", + "title": "References", + "description": "Zero or more pointers to vulnerabilities that are the equivalent of the vulnerability specified. Often times, the same vulnerability may exist in multiple sources of vulnerability intelligence, but have different identifiers. References provide a way to correlate vulnerabilities across multiple sources of vulnerability intelligence.", + "items": { + "type": "object", + "required": [ + "id", + "source" + ], + "additionalProperties": false, + "properties": { + "id": { + "type": "string", + "title": "ID", + "description": "An identifier that uniquely identifies the vulnerability.", + "examples": [ + "CVE-2021-39182", + "GHSA-35m5-8cvj-8783", + "SNYK-PYTHON-ENROCRYPT-1912876" + ] + }, + "source": { + "$ref": "#/definitions/vulnerabilitySource", + "description": "The source that published the vulnerability." + } + } + } + }, + "ratings": { + "type": "array", + "title": "Ratings", + "description": "List of vulnerability ratings", + "items": { + "$ref": "#/definitions/rating" + } + }, + "cwes": { + "type": "array", + "title": "CWEs", + "description": "List of Common Weaknesses Enumerations (CWEs) codes that describes this vulnerability. For example 399 (of https://cwe.mitre.org/data/definitions/399.html)", + "examples": [399], + "items": { + "$ref": "#/definitions/cwe" + } + }, + "description": { + "type": "string", + "title": "Description", + "description": "A description of the vulnerability as provided by the source." 
+ }, + "detail": { + "type": "string", + "title": "Details", + "description": "If available, an in-depth description of the vulnerability as provided by the source organization. Details often include information useful in understanding root cause." + }, + "recommendation": { + "type": "string", + "title": "Recommendation", + "description": "Recommendations of how the vulnerability can be remediated or mitigated." + }, + "workaround": { + "type": "string", + "title": "Workarounds", + "description": "A bypass, usually temporary, of the vulnerability that reduces its likelihood and/or impact. Workarounds often involve changes to configuration or deployments." + }, + "proofOfConcept": { + "type": "object", + "title": "Proof of Concept", + "description": "Evidence used to reproduce the vulnerability.", + "properties": { + "reproductionSteps": { + "type": "string", + "title": "Steps to Reproduce", + "description": "Precise steps to reproduce the vulnerability." + }, + "environment": { + "type": "string", + "title": "Environment", + "description": "A description of the environment in which reproduction was possible." + }, + "supportingMaterial": { + "type": "array", + "title": "Supporting Material", + "description": "Supporting material that helps in reproducing or understanding how reproduction is possible. This may include screenshots, payloads, and PoC exploit code.", + "items": { "$ref": "#/definitions/attachment" } + } + } + }, + "advisories": { + "type": "array", + "title": "Advisories", + "description": "Published advisories of the vulnerability if provided.", + "items": { + "$ref": "#/definitions/advisory" + } + }, + "created": { + "type": "string", + "format": "date-time", + "title": "Created", + "description": "The date and time (timestamp) when the vulnerability record was created in the vulnerability database." 
+ }, + "published": { + "type": "string", + "format": "date-time", + "title": "Published", + "description": "The date and time (timestamp) when the vulnerability record was first published." + }, + "updated": { + "type": "string", + "format": "date-time", + "title": "Updated", + "description": "The date and time (timestamp) when the vulnerability record was last updated." + }, + "rejected": { + "type": "string", + "format": "date-time", + "title": "Rejected", + "description": "The date and time (timestamp) when the vulnerability record was rejected (if applicable)." + }, + "credits": { + "type": "object", + "title": "Credits", + "description": "Individuals or organizations credited with the discovery of the vulnerability.", + "additionalProperties": false, + "properties": { + "organizations": { + "type": "array", + "title": "Organizations", + "description": "The organizations credited with vulnerability discovery.", + "items": { + "$ref": "#/definitions/organizationalEntity" + } + }, + "individuals": { + "type": "array", + "title": "Individuals", + "description": "The individuals, not associated with organizations, that are credited with vulnerability discovery.", + "items": { + "$ref": "#/definitions/organizationalContact" + } + } + } + }, + "tools": { + "oneOf": [ + { + "type": "object", + "title": "Tools", + "description": "The tool(s) used to identify, confirm, or score the vulnerability.", + "additionalProperties": false, + "properties": { + "components": { + "type": "array", + "items": {"$ref": "#/definitions/component"}, + "uniqueItems": true, + "title": "Components", + "description": "A list of software and hardware components used as tools" + }, + "services": { + "type": "array", + "items": {"$ref": "#/definitions/service"}, + "uniqueItems": true, + "title": "Services", + "description": "A list of services used as tools. This may include microservices, function-as-a-service, and other types of network or intra-process services." 
+ } + } + }, + { + "type": "array", + "title": "Tools (legacy)", + "description": "[Deprecated] The tool(s) used to identify, confirm, or score the vulnerability.", + "items": {"$ref": "#/definitions/tool"} + } + ] + }, + "analysis": { + "type": "object", + "title": "Impact Analysis", + "description": "An assessment of the impact and exploitability of the vulnerability.", + "additionalProperties": false, + "properties": { + "state": { + "$ref": "#/definitions/impactAnalysisState" + }, + "justification": { + "$ref": "#/definitions/impactAnalysisJustification" + }, + "response": { + "type": "array", + "title": "Response", + "description": "A response to the vulnerability by the manufacturer, supplier, or project responsible for the affected component or service. More than one response is allowed. Responses are strongly encouraged for vulnerabilities where the analysis state is exploitable.", + "items": { + "type": "string", + "enum": [ + "can_not_fix", + "will_not_fix", + "update", + "rollback", + "workaround_available" + ] + } + }, + "detail": { + "type": "string", + "title": "Detail", + "description": "Detailed description of the impact including methods used during assessment. If a vulnerability is not exploitable, this field should include specific details on why the component or service is not impacted by this vulnerability." + }, + "firstIssued": { + "type": "string", + "format": "date-time", + "title": "First Issued", + "description": "The date and time (timestamp) when the analysis was first issued." + }, + "lastUpdated": { + "type": "string", + "format": "date-time", + "title": "Last Updated", + "description": "The date and time (timestamp) when the analysis was last updated." 
+ } + } + }, + "affects": { + "type": "array", + "uniqueItems": true, + "items": { + "type": "object", + "required": [ + "ref" + ], + "additionalProperties": false, + "properties": { + "ref": { + "anyOf": [ + { + "title": "Ref", + "$ref": "#/definitions/refLinkType" + }, + { + "title": "BOM-Link Element", + "$ref": "#/definitions/bomLinkElementType" + } + ], + "title": "Reference", + "description": "References a component or service by the objects bom-ref" + }, + "versions": { + "type": "array", + "title": "Versions", + "description": "Zero or more individual versions or range of versions.", + "items": { + "type": "object", + "oneOf": [ + { + "required": ["version"] + }, + { + "required": ["range"] + } + ], + "additionalProperties": false, + "properties": { + "version": { + "description": "A single version of a component or service.", + "$ref": "#/definitions/version" + }, + "range": { + "description": "A version range specified in Package URL Version Range syntax (vers) which is defined at https://github.com/package-url/vers-spec", + "$ref": "#/definitions/range" + }, + "status": { + "description": "The vulnerability status for the version or range of versions.", + "$ref": "#/definitions/affectedStatus", + "default": "affected" + } + } + } + } + } + }, + "title": "Affects", + "description": "The components or services that are affected by the vulnerability." + }, + "properties": { + "type": "array", + "title": "Properties", + "description": "Provides the ability to document properties in a name-value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. Unlike key-value stores, properties support duplicate names, each potentially having different values. Property names of interest to the general public are encouraged to be registered in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy). 
Formal registration is OPTIONAL.", + "items": { + "$ref": "#/definitions/property" + } + } + } + }, + "affectedStatus": { + "description": "The vulnerability status of a given version or range of versions of a product. The statuses 'affected' and 'unaffected' indicate that the version is affected or unaffected by the vulnerability. The status 'unknown' indicates that it is unknown or unspecified whether the given version is affected. There can be many reasons for an 'unknown' status, including that an investigation has not been undertaken or that a vendor has not disclosed the status.", + "type": "string", + "enum": [ + "affected", + "unaffected", + "unknown" + ] + }, + "version": { + "description": "A single version of a component or service.", + "type": "string", + "minLength": 1, + "maxLength": 1024 + }, + "range": { + "description": "A version range specified in Package URL Version Range syntax (vers) which is defined at https://github.com/package-url/vers-spec", + "type": "string", + "minLength": 1, + "maxLength": 1024 + }, + "annotations": { + "type": "object", + "title": "Annotations", + "description": "A comment, note, explanation, or similar textual content which provides additional context to the object(s) being annotated.", + "required": [ + "subjects", + "annotator", + "timestamp", + "text" + ], + "additionalProperties": false, + "properties": { + "bom-ref": { + "$ref": "#/definitions/refType", + "title": "BOM Reference", + "description": "An optional identifier which can be used to reference the annotation elsewhere in the BOM. Every bom-ref MUST be unique within the BOM." + }, + "subjects": { + "type": "array", + "uniqueItems": true, + "items": { + "anyOf": [ + { + "title": "Ref", + "$ref": "#/definitions/refLinkType" + }, + { + "title": "BOM-Link Element", + "$ref": "#/definitions/bomLinkElementType" + } + ] + }, + "title": "BOM References", + "description": "The object in the BOM identified by its bom-ref. 
This is often a component or service, but may be any object type supporting bom-refs." + }, + "annotator": { + "type": "object", + "title": "Annotator", + "description": "The organization, person, component, or service which created the textual content of the annotation.", + "oneOf": [ + { + "required": [ + "organization" + ] + }, + { + "required": [ + "individual" + ] + }, + { + "required": [ + "component" + ] + }, + { + "required": [ + "service" + ] + } + ], + "additionalProperties": false, + "properties": { + "organization": { + "description": "The organization that created the annotation", + "$ref": "#/definitions/organizationalEntity" + }, + "individual": { + "description": "The person that created the annotation", + "$ref": "#/definitions/organizationalContact" + }, + "component": { + "description": "The tool or component that created the annotation", + "$ref": "#/definitions/component" + }, + "service": { + "description": "The service that created the annotation", + "$ref": "#/definitions/service" + } + } + }, + "timestamp": { + "type": "string", + "format": "date-time", + "title": "Timestamp", + "description": "The date and time (timestamp) when the annotation was created." + }, + "text": { + "type": "string", + "title": "Text", + "description": "The textual content of the annotation." + }, + "signature": { + "$ref": "#/definitions/signature", + "title": "Signature", + "description": "Enveloped signature in [JSON Signature Format (JSF)](https://cyberphone.github.io/doc/security/jsf.html)." + } + } + }, + "modelCard": { + "$comment": "Model card support in CycloneDX is derived from TensorFlow Model Card Toolkit released under the Apache 2.0 license and available from https://github.com/tensorflow/model-card-toolkit/blob/main/model_card_toolkit/schema/v0.0.2/model_card.schema.json. 
In addition, CycloneDX model card support includes portions of VerifyML, also released under the Apache 2.0 license and available from https://github.com/cylynx/verifyml/blob/main/verifyml/model_card_toolkit/schema/v0.0.4/model_card.schema.json.", + "type": "object", + "title": "Model Card", + "description": "A model card describes the intended uses of a machine learning model and potential limitations, including biases and ethical considerations. Model cards typically contain the training parameters, which datasets were used to train the model, performance metrics, and other relevant data useful for ML transparency. This object SHOULD be specified for any component of type `machine-learning-model` and MUST NOT be specified for other component types.", + "additionalProperties": false, + "properties": { + "bom-ref": { + "$ref": "#/definitions/refType", + "title": "BOM Reference", + "description": "An optional identifier which can be used to reference the model card elsewhere in the BOM. Every bom-ref MUST be unique within the BOM." + }, + "modelParameters": { + "type": "object", + "title": "Model Parameters", + "description": "Hyper-parameters for construction of the model.", + "additionalProperties": false, + "properties": { + "approach": { + "type": "object", + "title": "Approach", + "description": "The overall approach to learning used by the model for problem solving.", + "additionalProperties": false, + "properties": { + "type": { + "type": "string", + "title": "Learning Type", + "description": "Learning types describing the learning problem or hybrid learning problem.", + "enum": [ + "supervised", + "unsupervised", + "reinforcement-learning", + "semi-supervised", + "self-supervised" + ] + } + } + }, + "task": { + "type": "string", + "title": "Task", + "description": "Directly influences the input and/or output. Examples include classification, regression, clustering, etc." 
+ }, + "architectureFamily": { + "type": "string", + "title": "Architecture Family", + "description": "The model architecture family such as transformer network, convolutional neural network, residual neural network, LSTM neural network, etc." + }, + "modelArchitecture": { + "type": "string", + "title": "Model Architecture", + "description": "The specific architecture of the model such as GPT-1, ResNet-50, YOLOv3, etc." + }, + "datasets": { + "type": "array", + "title": "Datasets", + "description": "The datasets used to train and evaluate the model.", + "items" : { + "oneOf" : [ + { + "title": "Inline Component Data", + "$ref": "#/definitions/componentData" + }, + { + "type": "object", + "title": "Data Component Reference", + "additionalProperties": false, + "properties": { + "ref": { + "anyOf": [ + { + "title": "Ref", + "$ref": "#/definitions/refLinkType" + }, + { + "title": "BOM-Link Element", + "$ref": "#/definitions/bomLinkElementType" + } + ], + "title": "Reference", + "description": "References a data component by the components bom-ref attribute" + } + } + } + ] + } + }, + "inputs": { + "type": "array", + "title": "Inputs", + "description": "The input format(s) of the model", + "items": { "$ref": "#/definitions/inputOutputMLParameters" } + }, + "outputs": { + "type": "array", + "title": "Outputs", + "description": "The output format(s) from the model", + "items": { "$ref": "#/definitions/inputOutputMLParameters" } + } + } + }, + "quantitativeAnalysis": { + "type": "object", + "title": "Quantitative Analysis", + "description": "A quantitative analysis of the model", + "additionalProperties": false, + "properties": { + "performanceMetrics": { + "type": "array", + "title": "Performance Metrics", + "description": "The model performance metrics being reported. 
Examples may include accuracy, F1 score, precision, top-3 error rates, MSC, etc.", + "items": { "$ref": "#/definitions/performanceMetric" } + }, + "graphics": { "$ref": "#/definitions/graphicsCollection" } + } + }, + "considerations": { + "type": "object", + "title": "Considerations", + "description": "What considerations should be taken into account regarding the model's construction, training, and application?", + "additionalProperties": false, + "properties": { + "users": { + "type": "array", + "title": "Users", + "description": "Who are the intended users of the model?", + "items": { + "type": "string" + } + }, + "useCases": { + "type": "array", + "title": "Use Cases", + "description": "What are the intended use cases of the model?", + "items": { + "type": "string" + } + }, + "technicalLimitations": { + "type": "array", + "title": "Technical Limitations", + "description": "What are the known technical limitations of the model? E.g. What kind(s) of data should the model be expected not to perform well on? What are the factors that might degrade model performance?", + "items": { + "type": "string" + } + }, + "performanceTradeoffs": { + "type": "array", + "title": "Performance Tradeoffs", + "description": "What are the known tradeoffs in accuracy/performance of the model?", + "items": { + "type": "string" + } + }, + "ethicalConsiderations": { + "type": "array", + "title": "Ethical Considerations", + "description": "What are the ethical (or environmental) risks involved in the application of this model?", + "items": { "$ref": "#/definitions/risk" } + }, + "fairnessAssessments": { + "type": "array", + "title": "Fairness Assessments", + "description": "How does the model affect groups at risk of being systematically disadvantaged? 
What are the harms and benefits to the various affected groups?", + "items": { + "$ref": "#/definitions/fairnessAssessment" + } + } + } + }, + "properties": { + "type": "array", + "title": "Properties", + "description": "Provides the ability to document properties in a name-value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. Unlike key-value stores, properties support duplicate names, each potentially having different values. Property names of interest to the general public are encouraged to be registered in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy). Formal registration is OPTIONAL.", + "items": {"$ref": "#/definitions/property"} + } + } + }, + "inputOutputMLParameters": { + "type": "object", + "title": "Input and Output Parameters", + "additionalProperties": false, + "properties": { + "format": { + "description": "The data format for input/output to the model. Example formats include string, image, time-series", + "type": "string" + } + } + }, + "componentData": { + "type": "object", + "additionalProperties": false, + "required": [ + "type" + ], + "properties": { + "bom-ref": { + "$ref": "#/definitions/refType", + "title": "BOM Reference", + "description": "An optional identifier which can be used to reference the dataset elsewhere in the BOM. Every bom-ref MUST be unique within the BOM." 
+ }, + "type": { + "type": "string", + "title": "Type of Data", + "description": "The general theme or subject matter of the data being specified.\n\n* __source-code__ = Any type of code, code snippet, or data-as-code.\n* __configuration__ = Parameters or settings that may be used by other components.\n* __dataset__ = A collection of data.\n* __definition__ = Data that can be used to create new instances of what the definition defines.\n* __other__ = Any other type of data that does not fit into existing definitions.", + "enum": [ + "source-code", + "configuration", + "dataset", + "definition", + "other" + ] + }, + "name": { + "description": "The name of the dataset.", + "type": "string" + }, + "contents": { + "type": "object", + "title": "Data Contents", + "description": "The contents or references to the contents of the data being described.", + "additionalProperties": false, + "properties": { + "attachment": { + "title": "Data Attachment", + "description": "An optional way to include textual or encoded data.", + "$ref": "#/definitions/attachment" + }, + "url": { + "type": "string", + "title": "Data URL", + "description": "The URL to where the data can be retrieved.", + "format": "iri-reference" + }, + "properties": { + "type": "array", + "title": "Configuration Properties", + "description": "Provides the ability to document name-value parameters used for configuration.", + "items": { + "$ref": "#/definitions/property" + } + } + } + }, + "classification": { + "$ref": "#/definitions/dataClassification" + }, + "sensitiveData": { + "type": "array", + "description": "A description of any sensitive data in a dataset.", + "items": { + "type": "string" + } + }, + "graphics": { "$ref": "#/definitions/graphicsCollection" }, + "description": { + "description": "A description of the dataset. 
Can describe size of dataset, whether it's used for source code, training, testing, or validation, etc.", + "type": "string" + }, + "governance": { + "type": "object", + "title": "Data Governance", + "$ref": "#/definitions/dataGovernance" + } + } + }, + "dataGovernance": { + "type": "object", + "title": "Data Governance", + "additionalProperties": false, + "properties": { + "custodians": { + "type": "array", + "title": "Data Custodians", + "description": "Data custodians are responsible for the safe custody, transport, and storage of data.", + "items": { "$ref": "#/definitions/dataGovernanceResponsibleParty" } + }, + "stewards": { + "type": "array", + "title": "Data Stewards", + "description": "Data stewards are responsible for data content, context, and associated business rules.", + "items": { "$ref": "#/definitions/dataGovernanceResponsibleParty" } + }, + "owners": { + "type": "array", + "title": "Data Owners", + "description": "Data owners are concerned with risk and appropriate access to data.", + "items": { "$ref": "#/definitions/dataGovernanceResponsibleParty" } + } + } + }, + "dataGovernanceResponsibleParty": { + "type": "object", + "additionalProperties": false, + "properties": { + "organization": { + "title": "Organization", + "$ref": "#/definitions/organizationalEntity" + }, + "contact": { + "title": "Individual", + "$ref": "#/definitions/organizationalContact" + } + }, + "oneOf":[ + { + "required": ["organization"] + }, + { + "required": ["contact"] + } + ] + }, + "graphicsCollection": { + "type": "object", + "title": "Graphics Collection", + "description": "A collection of graphics that represent various measurements.", + "additionalProperties": false, + "properties": { + "description": { + "description": "A description of this collection of graphics.", + "type": "string" + }, + "collection": { + "description": "A collection of graphics.", + "type": "array", + "items": { "$ref": "#/definitions/graphic" } + } + } + }, + "graphic": { + "type": "object", 
+ "additionalProperties": false, + "properties": { + "name": { + "description": "The name of the graphic.", + "type": "string" + }, + "image": { + "title": "Graphic Image", + "description": "The graphic (vector or raster). Base64 encoding MUST be specified for binary images.", + "$ref": "#/definitions/attachment" + } + } + }, + "performanceMetric": { + "type": "object", + "additionalProperties": false, + "properties": { + "type": { + "description": "The type of performance metric.", + "type": "string" + }, + "value": { + "description": "The value of the performance metric.", + "type": "string" + }, + "slice": { + "description": "The name of the slice this metric was computed on. By default, assume this metric is not sliced.", + "type": "string" + }, + "confidenceInterval": { + "description": "The confidence interval of the metric.", + "type": "object", + "additionalProperties": false, + "properties": { + "lowerBound": { + "description": "The lower bound of the confidence interval.", + "type": "string" + }, + "upperBound": { + "description": "The upper bound of the confidence interval.", + "type": "string" + } + } + } + } + }, + "risk": { + "type": "object", + "additionalProperties": false, + "properties": { + "name": { + "description": "The name of the risk.", + "type": "string" + }, + "mitigationStrategy": { + "description": "Strategy used to address this risk.", + "type": "string" + } + } + }, + "fairnessAssessment": { + "type": "object", + "title": "Fairness Assessment", + "description": "Information about the benefits and harms of the model to an identified at risk group.", + "additionalProperties": false, + "properties": { + "groupAtRisk": { + "type": "string", + "description": "The groups or individuals at risk of being systematically disadvantaged by the model." + }, + "benefits": { + "type": "string", + "description": "Expected benefits to the identified groups." 
+ }, + "harms": { + "type": "string", + "description": "Expected harms to the identified groups." + }, + "mitigationStrategy": { + "type": "string", + "description": "With respect to the benefits and harms outlined, please describe any mitigation strategy implemented." + } + } + }, + "dataClassification": { + "type": "string", + "title": "Data Classification", + "description": "Data classification tags data according to its type, sensitivity, and value if altered, stolen, or destroyed." + }, + "formula": { + "title": "Formula", + "description": "Describes workflows and resources that captures rules and other aspects of how the associated BOM component or service was formed.", + "type": "object", + "additionalProperties": false, + "properties": { + "bom-ref": { + "title": "BOM Reference", + "description": "An optional identifier which can be used to reference the formula elsewhere in the BOM. Every bom-ref MUST be unique within the BOM.", + "$ref": "#/definitions/refType" + }, + "components": { + "title": "Components", + "description": "Transient components that are used in tasks that constitute one or more of this formula's workflows", + "type": "array", + "items": { + "$ref": "#/definitions/component" + }, + "uniqueItems": true + }, + "services": { + "title": "Services", + "description": "Transient services that are used in tasks that constitute one or more of this formula's workflows", + "type": "array", + "items": { + "$ref": "#/definitions/service" + }, + "uniqueItems": true + }, + "workflows": { + "title": "Workflows", + "description": "List of workflows that can be declared to accomplish specific orchestrated goals and independently triggered.", + "$comment": "Different workflows can be designed to work together to perform end-to-end CI/CD builds and deployments.", + "type": "array", + "items": { + "$ref": "#/definitions/workflow" + }, + "uniqueItems": true + }, + "properties": { + "type": "array", + "title": "Properties", + "items": { + "$ref": 
"#/definitions/property" + } + } + } + }, + "workflow": { + "title": "Workflow", + "description": "A specialized orchestration task.", + "$comment": "Workflow are as task themselves and can trigger other workflow tasks. These relationships can be modeled in the taskDependencies graph.", + "type": "object", + "required": [ + "bom-ref", + "uid", + "taskTypes" + ], + "additionalProperties": false, + "properties": { + "bom-ref": { + "title": "BOM Reference", + "description": "An optional identifier which can be used to reference the workflow elsewhere in the BOM. Every bom-ref MUST be unique within the BOM.", + "$ref": "#/definitions/refType" + }, + "uid": { + "title": "Unique Identifier (UID)", + "description": "The unique identifier for the resource instance within its deployment context.", + "type": "string" + }, + "name": { + "title": "Name", + "description": "The name of the resource instance.", + "type": "string" + }, + "description": { + "title": "Description", + "description": "A description of the resource instance.", + "type": "string" + }, + "resourceReferences": { + "title": "Resource references", + "description": "References to component or service resources that are used to realize the resource instance.", + "type": "array", + "uniqueItems": true, + "items": { + "$ref": "#/definitions/resourceReferenceChoice" + } + }, + "tasks": { + "title": "Tasks", + "description": "The tasks that comprise the workflow.", + "$comment": "Note that tasks can appear more than once as different instances (by name or UID).", + "type": "array", + "uniqueItems": true, + "items": { + "$ref": "#/definitions/task" + } + }, + "taskDependencies": { + "title": "Task dependency graph", + "description": "The graph of dependencies between tasks within the workflow.", + "type": "array", + "uniqueItems": true, + "items": { + "$ref": "#/definitions/dependency" + } + }, + "taskTypes": { + "title": "Task types", + "description": "Indicates the types of activities performed by the set of 
workflow tasks.", + "$comment": "Currently, these types reflect common CI/CD actions.", + "type": "array", + "items": { + "$ref": "#/definitions/taskType" + } + }, + "trigger": { + "title": "Trigger", + "description": "The trigger that initiated the task.", + "$ref": "#/definitions/trigger" + }, + "steps": { + "title": "Steps", + "description": "The sequence of steps for the task.", + "type": "array", + "items": { + "$ref": "#/definitions/step" + }, + "uniqueItems": true + }, + "inputs": { + "title": "Inputs", + "description": "Represents resources and data brought into a task at runtime by executor or task commands", + "examples": ["a `configuration` file which was declared as a local `component` or `externalReference`"], + "type": "array", + "items": { + "$ref": "#/definitions/inputType" + }, + "uniqueItems": true + }, + "outputs": { + "title": "Outputs", + "description": "Represents resources and data output from a task at runtime by executor or task commands", + "examples": ["a log file or metrics data produced by the task"], + "type": "array", + "items": { + "$ref": "#/definitions/outputType" + }, + "uniqueItems": true + }, + "timeStart": { + "title": "Time start", + "description": "The date and time (timestamp) when the task started.", + "type": "string", + "format": "date-time" + }, + "timeEnd": { + "title": "Time end", + "description": "The date and time (timestamp) when the task ended.", + "type": "string", + "format": "date-time" + }, + "workspaces": { + "title": "Workspaces", + "description": "A set of named filesystem or data resource shareable by workflow tasks.", + "type": "array", + "uniqueItems": true, + "items": { + "$ref": "#/definitions/workspace" + } + }, + "runtimeTopology": { + "title": "Runtime topology", + "description": "A graph of the component runtime topology for workflow's instance.", + "$comment": "A description of the runtime component and service topology. 
This can describe a partial or complete topology used to host and execute the task (e.g., hardware, operating systems, configurations, etc.),", + "type": "array", + "uniqueItems": true, + "items": { + "$ref": "#/definitions/dependency" + } + }, + "properties": { + "type": "array", + "title": "Properties", + "items": { + "$ref": "#/definitions/property" + } + } + } + }, + "task": { + "title": "Task", + "description": "Describes the inputs, sequence of steps and resources used to accomplish a task and its output.", + "$comment": "Tasks are building blocks for constructing assemble CI/CD workflows or pipelines.", + "type": "object", + "required": [ + "bom-ref", + "uid", + "taskTypes" + ], + "additionalProperties": false, + "properties": { + "bom-ref": { + "title": "BOM Reference", + "description": "An optional identifier which can be used to reference the task elsewhere in the BOM. Every bom-ref MUST be unique within the BOM.", + "$ref": "#/definitions/refType" + }, + "uid": { + "title": "Unique Identifier (UID)", + "description": "The unique identifier for the resource instance within its deployment context.", + "type": "string" + }, + "name": { + "title": "Name", + "description": "The name of the resource instance.", + "type": "string" + }, + "description": { + "title": "Description", + "description": "A description of the resource instance.", + "type": "string" + }, + "resourceReferences": { + "title": "Resource references", + "description": "References to component or service resources that are used to realize the resource instance.", + "type": "array", + "uniqueItems": true, + "items": { + "$ref": "#/definitions/resourceReferenceChoice" + } + }, + "taskTypes": { + "title": "Task types", + "description": "Indicates the types of activities performed by the set of workflow tasks.", + "$comment": "Currently, these types reflect common CI/CD actions.", + "type": "array", + "items": { + "$ref": "#/definitions/taskType" + } + }, + "trigger": { + "title": "Trigger", + 
"description": "The trigger that initiated the task.", + "$ref": "#/definitions/trigger" + }, + "steps": { + "title": "Steps", + "description": "The sequence of steps for the task.", + "type": "array", + "items": { + "$ref": "#/definitions/step" + }, + "uniqueItems": true + }, + "inputs": { + "title": "Inputs", + "description": "Represents resources and data brought into a task at runtime by executor or task commands", + "examples": ["a `configuration` file which was declared as a local `component` or `externalReference`"], + "type": "array", + "items": { + "$ref": "#/definitions/inputType" + }, + "uniqueItems": true + }, + "outputs": { + "title": "Outputs", + "description": "Represents resources and data output from a task at runtime by executor or task commands", + "examples": ["a log file or metrics data produced by the task"], + "type": "array", + "items": { + "$ref": "#/definitions/outputType" + }, + "uniqueItems": true + }, + "timeStart": { + "title": "Time start", + "description": "The date and time (timestamp) when the task started.", + "type": "string", + "format": "date-time" + }, + "timeEnd": { + "title": "Time end", + "description": "The date and time (timestamp) when the task ended.", + "type": "string", + "format": "date-time" + }, + "workspaces": { + "title": "Workspaces", + "description": "A set of named filesystem or data resource shareable by workflow tasks.", + "type": "array", + "items": { + "$ref": "#/definitions/workspace" + }, + "uniqueItems": true + }, + "runtimeTopology": { + "title": "Runtime topology", + "description": "A graph of the component runtime topology for task's instance.", + "$comment": "A description of the runtime component and service topology. 
This can describe a partial or complete topology used to host and execute the task (e.g., hardware, operating systems, configurations, etc.),", + "type": "array", + "items": { + "$ref": "#/definitions/dependency" + }, + "uniqueItems": true + }, + "properties": { + "type": "array", + "title": "Properties", + "items": { + "$ref": "#/definitions/property" + } + } + } + }, + "step": { + "type": "object", + "description": "Executes specific commands or tools in order to accomplish its owning task as part of a sequence.", + "additionalProperties": false, + "properties": { + "name": { + "title": "Name", + "description": "A name for the step.", + "type": "string" + }, + "description": { + "title": "Description", + "description": "A description of the step.", + "type": "string" + }, + "commands": { + "title": "Commands", + "description": "Ordered list of commands or directives for the step", + "type": "array", + "items": { + "$ref": "#/definitions/command" + } + }, + "properties": { + "type": "array", + "title": "Properties", + "items": { + "$ref": "#/definitions/property" + } + } + } + }, + "command": { + "type": "object", + "additionalProperties": false, + "properties": { + "executed": { + "title": "Executed", + "description": "A text representation of the executed command.", + "type": "string" + }, + "properties": { + "type": "array", + "title": "Properties", + "items": { + "$ref": "#/definitions/property" + } + } + } + }, + "workspace": { + "title": "Workspace", + "description": "A named filesystem or data resource shareable by workflow tasks.", + "type": "object", + "required": [ + "bom-ref", + "uid" + ], + "additionalProperties": false, + "properties": { + "bom-ref": { + "title": "BOM Reference", + "description": "An optional identifier which can be used to reference the workspace elsewhere in the BOM. 
Every bom-ref MUST be unique within the BOM.", + "$ref": "#/definitions/refType" + }, + "uid": { + "title": "Unique Identifier (UID)", + "description": "The unique identifier for the resource instance within its deployment context.", + "type": "string" + }, + "name": { + "title": "Name", + "description": "The name of the resource instance.", + "type": "string" + }, + "aliases": { + "title": "Aliases", + "description": "The names for the workspace as referenced by other workflow tasks. Effectively, a name mapping so other tasks can use their own local name in their steps.", + "type": "array", + "items": {"type": "string"} + }, + "description": { + "title": "Description", + "description": "A description of the resource instance.", + "type": "string" + }, + "resourceReferences": { + "title": "Resource references", + "description": "References to component or service resources that are used to realize the resource instance.", + "type": "array", + "uniqueItems": true, + "items": { + "$ref": "#/definitions/resourceReferenceChoice" + } + }, + "accessMode": { + "title": "Access mode", + "description": "Describes the read-write access control for the workspace relative to the owning resource instance.", + "type": "string", + "enum": [ + "read-only", + "read-write", + "read-write-once", + "write-once", + "write-only" + ] + }, + "mountPath": { + "title": "Mount path", + "description": "A path to a location on disk where the workspace will be available to the associated task's steps.", + "type": "string" + }, + "managedDataType": { + "title": "Managed data type", + "description": "The name of a domain-specific data type the workspace represents.", + "$comment": "This property is for CI/CD frameworks that are able to provide access to structured, managed data at a more granular level than a filesystem.", + "examples": ["ConfigMap","Secret"], + "type": "string" + }, + "volumeRequest": { + "title": "Volume request", + "description": "Identifies the reference to the request for a 
specific volume type and parameters.", + "examples": ["a kubernetes Persistent Volume Claim (PVC) name"], + "type": "string" + }, + "volume": { + "title": "Volume", + "description": "Information about the actual volume instance allocated to the workspace.", + "$comment": "The actual volume allocated may be different than the request.", + "examples": ["see https://kubernetes.io/docs/concepts/storage/persistent-volumes/"], + "$ref": "#/definitions/volume" + }, + "properties": { + "type": "array", + "title": "Properties", + "items": { + "$ref": "#/definitions/property" + } + } + } + }, + "volume": { + "title": "Volume", + "description": "An identifiable, logical unit of data storage tied to a physical device.", + "type": "object", + "additionalProperties": false, + "properties": { + "uid": { + "title": "Unique Identifier (UID)", + "description": "The unique identifier for the volume instance within its deployment context.", + "type": "string" + }, + "name": { + "title": "Name", + "description": "The name of the volume instance", + "type": "string" + }, + "mode": { + "title": "Mode", + "description": "The mode for the volume instance.", + "type": "string", + "enum": [ + "filesystem", "block" + ], + "default": "filesystem" + }, + "path": { + "title": "Path", + "description": "The underlying path created from the actual volume.", + "type": "string" + }, + "sizeAllocated": { + "title": "Size allocated", + "description": "The allocated size of the volume accessible to the associated workspace. 
This should include the scalar size as well as IEC standard unit in either decimal or binary form.", + "examples": ["10GB", "2Ti", "1Pi"], + "type": "string" + }, + "persistent": { + "title": "Persistent", + "description": "Indicates if the volume persists beyond the life of the resource it is associated with.", + "type": "boolean" + }, + "remote": { + "title": "Remote", + "description": "Indicates if the volume is remotely (i.e., network) attached.", + "type": "boolean" + }, + "properties": { + "type": "array", + "title": "Properties", + "items": { + "$ref": "#/definitions/property" + } + } + } + }, + "trigger": { + "title": "Trigger", + "description": "Represents a resource that can conditionally activate (or fire) tasks based upon associated events and their data.", + "type": "object", + "additionalProperties": false, + "required": [ + "type", + "bom-ref", + "uid" + ], + "properties": { + "bom-ref": { + "title": "BOM Reference", + "description": "An optional identifier which can be used to reference the trigger elsewhere in the BOM. 
Every bom-ref MUST be unique within the BOM.", + "$ref": "#/definitions/refType" + }, + "uid": { + "title": "Unique Identifier (UID)", + "description": "The unique identifier for the resource instance within its deployment context.", + "type": "string" + }, + "name": { + "title": "Name", + "description": "The name of the resource instance.", + "type": "string" + }, + "description": { + "title": "Description", + "description": "A description of the resource instance.", + "type": "string" + }, + "resourceReferences": { + "title": "Resource references", + "description": "References to component or service resources that are used to realize the resource instance.", + "type": "array", + "uniqueItems": true, + "items": { + "$ref": "#/definitions/resourceReferenceChoice" + } + }, + "type": { + "title": "Type", + "description": "The source type of event which caused the trigger to fire.", + "type": "string", + "enum": [ + "manual", + "api", + "webhook", + "scheduled" + ] + }, + "event": { + "title": "Event", + "description": "The event data that caused the associated trigger to activate.", + "$ref": "#/definitions/event" + }, + "conditions": { + "type": "array", + "uniqueItems": true, + "items": { + "$ref": "#/definitions/condition" + } + }, + "timeActivated": { + "title": "Time activated", + "description": "The date and time (timestamp) when the trigger was activated.", + "type": "string", + "format": "date-time" + }, + "inputs": { + "title": "Inputs", + "description": "Represents resources and data brought into a task at runtime by executor or task commands", + "examples": ["a `configuration` file which was declared as a local `component` or `externalReference`"], + "type": "array", + "items": { + "$ref": "#/definitions/inputType" + }, + "uniqueItems": true + }, + "outputs": { + "title": "Outputs", + "description": "Represents resources and data output from a task at runtime by executor or task commands", + "examples": ["a log file or metrics data produced by the task"], 
+ "type": "array", + "items": { + "$ref": "#/definitions/outputType" + }, + "uniqueItems": true + }, + "properties": { + "type": "array", + "title": "Properties", + "items": { + "$ref": "#/definitions/property" + } + } + } + }, + "event": { + "title": "Event", + "description": "Represents something that happened that may trigger a response.", + "type": "object", + "additionalProperties": false, + "properties": { + "uid": { + "title": "Unique Identifier (UID)", + "description": "The unique identifier of the event.", + "type": "string" + }, + "description": { + "title": "Description", + "description": "A description of the event.", + "type": "string" + }, + "timeReceived": { + "title": "Time Received", + "description": "The date and time (timestamp) when the event was received.", + "type": "string", + "format": "date-time" + }, + "data": { + "title": "Data", + "description": "Encoding of the raw event data.", + "$ref": "#/definitions/attachment" + }, + "source": { + "title": "Source", + "description": "References the component or service that was the source of the event", + "$ref": "#/definitions/resourceReferenceChoice" + }, + "target": { + "title": "Target", + "description": "References the component or service that was the target of the event", + "$ref": "#/definitions/resourceReferenceChoice" + }, + "properties": { + "type": "array", + "title": "Properties", + "items": { + "$ref": "#/definitions/property" + } + } + } + }, + "inputType": { + "title": "Input type", + "description": "Type that represents various input data types and formats.", + "type": "object", + "oneOf": [ + { + "required": [ + "resource" + ] + }, + { + "required": [ + "parameters" + ] + }, + { + "required": [ + "environmentVars" + ] + }, + { + "required": [ + "data" + ] + } + ], + "additionalProperties": false, + "properties": { + "source": { + "title": "Source", + "description": "A references to the component or service that provided the input to the task (e.g., reference to a service with data 
flow value of `inbound`)", + "examples": [ + "source code repository", + "database" + ], + "$ref": "#/definitions/resourceReferenceChoice" + }, + "target": { + "title": "Target", + "description": "A reference to the component or service that received or stored the input if not the task itself (e.g., a local, named storage workspace)", + "examples": [ + "workspace", + "directory" + ], + "$ref": "#/definitions/resourceReferenceChoice" + }, + "resource": { + "title": "Resource", + "description": "A reference to an independent resource provided as an input to a task by the workflow runtime.", + "examples": [ + "reference to a configuration file in a repository (i.e., a bom-ref)", + "reference to a scanning service used in a task (i.e., a bom-ref)" + ], + "$ref": "#/definitions/resourceReferenceChoice" + }, + "parameters": { + "title": "Parameters", + "description": "Inputs that have the form of parameters with names and values.", + "type": "array", + "uniqueItems": true, + "items": { + "$ref": "#/definitions/parameter" + } + }, + "environmentVars": { + "title": "Environment variables", + "description": "Inputs that have the form of parameters with names and values.", + "type": "array", + "uniqueItems": true, + "items": { + "oneOf": [ + { + "$ref": "#/definitions/property" + }, + { + "type": "string" + } + ] + } + }, + "data": { + "title": "Data", + "description": "Inputs that have the form of data.", + "$ref": "#/definitions/attachment" + }, + "properties": { + "type": "array", + "title": "Properties", + "items": { + "$ref": "#/definitions/property" + } + } + } + }, + "outputType": { + "type": "object", + "oneOf": [ + { + "required": [ + "resource" + ] + }, + { + "required": [ + "environmentVars" + ] + }, + { + "required": [ + "data" + ] + } + ], + "additionalProperties": false, + "properties": { + "type": { + "title": "Type", + "description": "Describes the type of data output.", + "type": "string", + "enum": [ + "artifact", + "attestation", + "log", + "evidence", + 
"metrics", + "other" + ] + }, + "source": { + "title": "Source", + "description": "Component or service that generated or provided the output from the task (e.g., a build tool)", + "$ref": "#/definitions/resourceReferenceChoice" + }, + "target": { + "title": "Target", + "description": "Component or service that received the output from the task (e.g., reference to an artifactory service with data flow value of `outbound`)", + "examples": ["a log file described as an `externalReference` within its target domain."], + "$ref": "#/definitions/resourceReferenceChoice" + }, + "resource": { + "title": "Resource", + "description": "A reference to an independent resource generated as output by the task.", + "examples": [ + "configuration file", + "source code", + "scanning service" + ], + "$ref": "#/definitions/resourceReferenceChoice" + }, + "data": { + "title": "Data", + "description": "Outputs that have the form of data.", + "$ref": "#/definitions/attachment" + }, + "environmentVars": { + "title": "Environment variables", + "description": "Outputs that have the form of environment variables.", + "type": "array", + "items": { + "oneOf": [ + { + "$ref": "#/definitions/property" + }, + { + "type": "string" + } + ] + }, + "uniqueItems": true + }, + "properties": { + "type": "array", + "title": "Properties", + "items": { + "$ref": "#/definitions/property" + } + } + } + }, + "resourceReferenceChoice": { + "title": "Resource reference choice", + "description": "A reference to a locally defined resource (e.g., a bom-ref) or an externally accessible resource.", + "$comment": "Enables reference to a resource that participates in a workflow; using either internal (bom-ref) or external (externalReference) types.", + "type": "object", + "additionalProperties": false, + "properties": { + "ref": { + "title": "BOM Reference", + "description": "References an object by its bom-ref attribute", + "anyOf": [ + { + "title": "Ref", + "$ref": "#/definitions/refLinkType" + }, + { + "title": 
"BOM-Link Element", + "$ref": "#/definitions/bomLinkElementType" + } + ] + }, + "externalReference": { + "title": "External reference", + "description": "Reference to an externally accessible resource.", + "$ref": "#/definitions/externalReference" + } + }, + "oneOf": [ + { + "required": [ + "ref" + ] + }, + { + "required": [ + "externalReference" + ] + } + ] + }, + "condition": { + "title": "Condition", + "description": "A condition that was used to determine a trigger should be activated.", + "type": "object", + "additionalProperties": false, + "properties": { + "description": { + "title": "Description", + "description": "Describes the set of conditions which cause the trigger to activate.", + "type": "string" + }, + "expression": { + "title": "Expression", + "description": "The logical expression that was evaluated that determined the trigger should be fired.", + "type": "string" + }, + "properties": { + "type": "array", + "title": "Properties", + "items": { + "$ref": "#/definitions/property" + } + } + } + }, + "taskType": { + "type": "string", + "enum": [ + "copy", + "clone", + "lint", + "scan", + "merge", + "build", + "test", + "deliver", + "deploy", + "release", + "clean", + "other" + ] + }, + "parameter": { + "title": "Parameter", + "description": "A representation of a functional parameter.", + "type": "object", + "additionalProperties": false, + "properties": { + "name": { + "title": "Name", + "description": "The name of the parameter.", + "type": "string" + }, + "value": { + "title": "Value", + "description": "The value of the parameter.", + "type": "string" + }, + "dataType": { + "title": "Data type", + "description": "The data type of the parameter.", + "type": "string" + } + } + }, + "signature": { + "$ref": "jsf-0.82.schema.json#/definitions/signature", + "title": "Signature", + "description": "Enveloped signature in [JSON Signature Format (JSF)](https://cyberphone.github.io/doc/security/jsf.html)." + } + } +} 
diff --git a/schema/bom-1.5.xsd b/schema/bom-1.5.xsd new file mode 100644 index 0000000..0651bcd --- /dev/null +++ b/schema/bom-1.5.xsd 
@@ -0,0 +1,5464 @@ + + + + + + + + + CycloneDX Software Bill of Materials Standard + https://cyclonedx.org/ + Apache License, Version 2.0 + + + + + + Identifier for referable and therefore interlink-able elements. + + + + + + + + + + Descriptor for an element identified by the attribute "bom-ref" in the same BOM document. + In contrast to `bomLinkElementType`. + + + + + + + + + Descriptor for another BOM document. + See https://cyclonedx.org/capabilities/bomlink/ + + + + + + + + + + + Descriptor for an element in another BOM document. + See https://cyclonedx.org/capabilities/bomlink/ + + + + + + + + + + + + + + + + The date and time (timestamp) when the BOM was created. + + + + + + The product lifecycle(s) that this BOM represents. + + + + + + + + + + + + A pre-defined phase in the product lifecycle. + + + + + + + + + The name of the lifecycle phase + + + + + + + The description of the lifecycle phase + + + + + + + + + + + + + The tool(s) used in the creation of the BOM. + + + + + + + DEPRECATED. Use tools\components or tools\services instead. + + + + + + + A list of software and hardware components used as tools. + + + + + A list of services used as tools. + + + + + + + + + The person(s) who created the BOM. Authors are common in BOMs created through + manual processes. BOMs created through automated means may not have authors. + + + + + + + + + + The component that the BOM describes. + + + + + The organization that manufactured the component that the BOM describes. + + + + + The organization that supplied the component that the BOM describes. The + supplier may often be the manufacturer, but may also be a distributor or repackager. + + + + + + Provides the ability to document properties in a name/value store. + This provides flexibility to include data not officially supported in the standard + without having to use additional namespaces or create extensions. 
Property names + of interest to the general public are encouraged to be registered in the + CycloneDX Property Taxonomy - https://github.com/CycloneDX/cyclonedx-property-taxonomy. + Formal registration is OPTIONAL. + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + User-defined attributes may be used on this element as long as they + do not have the same name as an existing attribute used by the schema. + + + + + + + + + + BOM produced early in the development lifecycle containing inventory of components and services + that are proposed or planned to be used. The inventory may need to be procured, retrieved, + or resourced prior to use. + + + + + + + BOM consisting of information obtained prior to a build process and may contain source files + and development artifacts and manifests. The inventory may need to be resolved and retrieved + prior to use. + + + + + + + BOM consisting of information obtained during a build process where component inventory is + available for use. The precise versions of resolved components are usually available at this + time as well as the provenance of where the components were retrieved from. + + + + + + + BOM consisting of information obtained after a build process has completed and the resulting + components(s) are available for further analysis. Built components may exist as the result of a + CI/CD process, may have been installed or deployed to a system or device, and may need to be + retrieved or extracted from the system or device. + + + + + + + BOM produced that represents inventory that is running and operational. This may include staging + or production environments and will generally encompass multiple SBOMs describing the applications + and operating system, along with HBOMs describing the hardware that makes up the system. 
Operations + Bill of Materials (OBOM) can provide full-stack inventory of runtime environments, configurations, + and additional dependencies. + + + + + + + BOM consisting of information observed through network discovery providing point-in-time + enumeration of embedded, on-premise, and cloud-native services such as server applications, + connected devices, microservices, and serverless functions. + + + + + + + BOM containing inventory that will be, or has been retired from operations. + + + + + + + + + + + The name of the organization + + + + + The URL of the organization. Multiple URLs are allowed. + + + + + A contact person at the organization. Multiple contacts are allowed. + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + + An optional identifier which can be used to reference the object elsewhere in the BOM. + Uniqueness is enforced within all elements and children of the root-level bom element. + + + + + + User-defined attributes may be used on this element as long as they + do not have the same name as an existing attribute used by the schema. + + + + + + + Information about the automated or manual tool used + + + + + The name of the vendor who created the tool + + + + + The name of the tool + + + + + The version of the tool + + + + + + + + + + + + Provides the ability to document external references related to the tool. + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + User-defined attributes may be used on this element as long as they + do not have the same name as an existing attribute used by the schema. + + + + + + + + + The name of the contact + + + + + The email address of the contact. + + + + + The phone number of the contact. + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. 
+ + + + + + + + An optional identifier which can be used to reference the object elsewhere in the BOM. + Uniqueness is enforced within all elements and children of the root-level bom element. + + + + + + User-defined attributes may be used on this element as long as they + do not have the same name as an existing attribute used by the schema. + + + + + + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + User-defined attributes may be used on this element as long as they + do not have the same name as an existing attribute used by the schema. + + + + + + + + + The organization that supplied the component. The supplier may often + be the manufacturer, but may also be a distributor or repackager. + + + + + The person(s) or organization(s) that authored the component + + + + + The person(s) or organization(s) that published the component + + + + + The grouping name or identifier. This will often be a shortened, single + name of the company or project that produced the component, or the source package or + domain name. Whitespace and special characters should be avoided. Examples include: + apache, org.apache.commons, and apache.org. + + + + + The name of the component. This will often be a shortened, single name + of the component. Examples: commons-lang3 and jquery + + + + + The component version. The version should ideally comply with semantic versioning + but is not enforced. + + + + + Specifies a description for the component + + + + + Specifies the scope of the component. If scope is not specified, 'required' + scope SHOULD be assumed by the consumer of the BOM. + + + + + + + + + + + + + A copyright notice informing users of the underlying claims to + copyright ownership in a published work. + + + + + + Specifies a well-formed CPE name that conforms to the CPE 2.2 or 2.3 specification. See https://nvd.nist.gov/products/cpe + + + + + + + Specifies the package-url (purl). 
The purl, if specified, MUST be valid and conform + to the specification defined at: https://github.com/package-url/purl-spec + + + + + + + Specifies metadata and content for ISO-IEC 19770-2 Software Identification (SWID) Tags. + + + + + + + DEPRECATED - DO NOT USE. This will be removed in a future version. Use the pedigree + element instead to supply information on exactly how the component was modified. + A boolean value indicating if the component has been modified from the original. + A value of true indicates the component is a derivative of the original. + A value of false indicates the component has not been modified from the original. + + + + + + + Component pedigree is a way to document complex supply chain scenarios where components are + created, distributed, modified, redistributed, combined with other components, etc. + + + + + + Provides the ability to document external references related to the + component or to the project the component describes. + + + + + Provides the ability to document properties in a name/value store. + This provides flexibility to include data not officially supported in the standard + without having to use additional namespaces or create extensions. Property names + of interest to the general public are encouraged to be registered in the + CycloneDX Property Taxonomy - https://github.com/CycloneDX/cyclonedx-property-taxonomy. + Formal registration is OPTIONAL. + + + + + + A list of software and hardware components included in the parent component. This is not a + dependency tree. It provides a way to specify a hierarchical representation of component + assemblies, similar to system -> subsystem -> parts assembly in physical supply chains. + + + + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + + + Provides the ability to document evidence collected through various forms of extraction or analysis. + + + + + Specifies optional release notes. 
+ + + + + A model card describes the intended uses of a machine learning model and potential + limitations, including biases and ethical considerations. Model cards typically contain the + training parameters, which datasets were used to train the model, performance metrics, and other + relevant data useful for ML transparency. This object SHOULD be specified for any component of + type `machine-learning-model` and MUST NOT be specified for other component types. + + + + + This object SHOULD be specified for any component of type `data` and MUST NOT be + specified for other component types. + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + + Specifies the type of component. For software components, classify as application if no more + specific appropriate classification is available or cannot be determined for the component. + + + + + + + The OPTIONAL mime-type of the component. When used on file components, the mime-type + can provide additional context about the kind of file being represented such as an image, + font, or executable. Some library or framework components may also have an associated mime-type. + + + + + + + An optional identifier which can be used to reference the component elsewhere in the BOM. + Uniqueness is enforced within all elements and children of the root-level bom element. + + + + + + User-defined attributes may be used on this element as long as they + do not have the same name as an existing attribute used by the schema. + + + + + + + + + + A valid SPDX license ID + + + + + If SPDX does not define the license used, this field may be used to provide the license name + + + + + + Specifies the optional full text of the attachment + + + + + The URL to the attachment file. If the attachment is a license or BOM, + an externalReference should also be specified for completeness. 
+ + + + + Licensing details describing the licensor/licensee, license type, renewal and + expiration dates, and other important metadata + + + + + + License identifiers that may be used to manage licenses and + their lifecycle + + + + + + + + + + The individual or organization that grants a license to another + individual or organization + + + + + + + The organization that granted the license + + + + + The individual, not associated with an organization, + that granted the license + + + + + + + + + The individual or organization for which a license was granted to + + + + + + + The organization that was granted the license + + + + + The individual, not associated with an organization, + that was granted the license + + + + + + + + + The individual or organization that purchased the license + + + + + + + The organization that purchased the license + + + + + The individual, not associated with an organization, + that purchased the license + + + + + + + + + The purchase order identifier the purchaser sent to a supplier or + vendor to authorize a purchase + + + + + The type of license(s) that was granted to the licensee + + + + + + + + + + The timestamp indicating when the license was last + renewed. For new purchases, this is often the purchase or acquisition date. + For non-perpetual licenses or subscriptions, this is the timestamp of when the + license was last renewed. + + + + + The timestamp indicating when the current license + expires (if applicable). + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + + + Provides the ability to document properties in a name/value store. + This provides flexibility to include data not officially supported in the standard + without having to use additional namespaces or create extensions. Property names + of interest to the general public are encouraged to be registered in the + CycloneDX Property Taxonomy - https://github.com/CycloneDX/cyclonedx-property-taxonomy. 
+ Formal registration is OPTIONAL. + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + + An optional identifier which can be used to reference the license elsewhere in the BOM. + Uniqueness is enforced within all elements and children of the root-level bom element. + + + + + + + + + + The attachment data. Proactive controls such as input validation and sanitization should be employed to prevent misuse of attachment text. + + + + Specifies the content type of the text. Defaults to text/plain + if not specified. + + + + + + Specifies the optional encoding the text is represented in + + + + + + + + + + Specifies the file hash of the component + + + + + + Specifies the algorithm used to create the hash + + + + + + + + + + + The component is required for runtime + + + + + The component is optional at runtime. Optional components are components that + are not capable of being called due to them not be installed or otherwise accessible by any means. + Components that are installed but due to configuration or other restrictions are prohibited from + being called must be scoped as 'required'. + + + + + Components that are excluded provide the ability to document component usage + for test and other non-runtime purposes. Excluded components are not reachable within a call + graph at runtime. + + + + + + + + + + A software application. Refer to https://en.wikipedia.org/wiki/Application_software + for information about applications. + + + + + A software framework. Refer to https://en.wikipedia.org/wiki/Software_framework + for information on how frameworks vary slightly from libraries. + + + + + A software library. Refer to https://en.wikipedia.org/wiki/Library_(computing) + for information about libraries. All third-party and open source reusable components will likely + be a library. If the library also has key features of a framework, then it should be classified + as a framework. 
If not, or is unknown, then specifying library is recommended. + + + + + A packaging and/or runtime format, not specific to any particular technology, + which isolates software inside the container from software outside of a container through + virtualization technology. Refer to https://en.wikipedia.org/wiki/OS-level_virtualization + + + + + A runtime environment which interprets or executes software. This may include + runtimes such as those that execute bytecode or low-code/no-code application platforms. + + + + + A software operating system without regard to deployment model + (i.e. installed on physical hardware, virtual machine, image, etc) Refer to + https://en.wikipedia.org/wiki/Operating_system + + + + + A hardware device such as a processor, or chip-set. A hardware device + containing firmware SHOULD include a component for the physical hardware itself, and another + component of type 'firmware' or 'operating-system' (whichever is relevant), describing + information about the software running on the device. + See also the list of known device properties: https://github.com/CycloneDX/cyclonedx-property-taxonomy/blob/main/cdx/device.md + + + + + + A special type of software that operates or controls a particular type of device. + Refer to https://en.wikipedia.org/wiki/Device_driver + + + + + A special type of software that provides low-level control over a devices + hardware. Refer to https://en.wikipedia.org/wiki/Firmware + + + + + A computer file. Refer to https://en.wikipedia.org/wiki/Computer_file + for information about files. + + + + + A model based on training data that can make predictions or decisions without + being explicitly programmed to do so. + + + + + A collection of discrete values that convey information. + + + + + + + + + + + + + + + + + + + + + + + + + + + A license that grants use of software solely for the purpose + of education or research. + + + + + A license covering use of software embedded in a specific + piece of hardware. 
+ + + + + A Client Access License (CAL) allows client computers to access + services provided by server software. + + + + + A Concurrent User license (aka floating license) limits the + number of licenses for a software application and licenses are shared among + a larger number of users. + + + + + A license where the core of a computer's processor is assigned + a specific number of points. + + + + + A license for which consumption is measured by non-standard + metrics. + + + + + A license that covers a defined number of installations on + computers and other types of devices. + + + + + A license that grants permission to install and use software + for trial purposes. + + + + + A license that grants access to the software to one or more + pre-defined users. + + + + + A license that grants access to the software on one or more + pre-defined computers or devices. + + + + + An Original Equipment Manufacturer license that is delivered + with hardware, cannot be transferred to other hardware, and is valid for the + life of the hardware. + + + + + A license where the software is sold on a one-time basis and + the licensee can use a copy of the software indefinitely. + + + + + A license where each installation consumes points per + processor. + + + + + A license where the licensee pays a fee to use the software + or service. + + + + + A license that grants access to the software or service by a + specified number of users. + + + + + Another license type. + + + + + + + + + + + + + + + + + + + + + + + + + + + Define the format for acceptable CPE URIs. Supports CPE 2.2 and CPE 2.3 formats. + Refer to https://nvd.nist.gov/products/cpe for official specification. + + + + + + + + + + + + Specifies the full content of the SWID tag. + + + + + The URL to the SWID file. + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + Maps to the tagId of a SoftwareIdentity. + + + + + Maps to the name of a SoftwareIdentity. 
+ + + + + Maps to the version of a SoftwareIdentity. + + + + + Maps to the tagVersion of a SoftwareIdentity. + + + + + Maps to the patch of a SoftwareIdentity. + + + + + + + + Defines a string representation of a UUID conforming to RFC 4122. + + + + + + + + + + + + Version Control System + + + + + Issue or defect tracking system, or an Application Lifecycle Management (ALM) system + + + + + Website + + + + + Security advisories + + + + + Bill-of-materials (SBOM, OBOM, HBOM, SaaSBOM, etc) + + + + + Mailing list or discussion group + + + + + Social media account + + + + + Real-time chat platform + + + + + Documentation, guides, or how-to instructions + + + + + Community or commercial support + + + + + Direct or repository download location + + + + + The location where a component was published to. This is often the same as "distribution" but may also include specialized publishing processes that act as an intermediary + + + + + The URL to the license file. If a license URL has been defined in the license + node, it should also be defined as an external reference for completeness + + + + + Build-system specific meta file (i.e. pom.xml, package.json, .nuspec, etc) + + + + + URL to an automated build system + + + + + URL to release notes + + + + + Specifies a way to contact the maintainer, supplier, or provider in the event of a security incident. Common URIs include links to a disclosure procedure, a mailto (RFC-2368) that specifies an email address, a tel (RFC-3966) that specifies a phone number, or dns (RFC-4501]) that specifies the records containing DNS Security TXT. + + + + + A model card describes the intended uses of a machine learning model, potential + limitations, biases, ethical considerations, training parameters, datasets used to train the + model, performance metrics, and other relevant data useful for ML transparency. 
+ + + + + A record of events that occurred in a computer system or application, such as problems, errors, or information on current operations. + + + + + Parameters or settings that may be used by other components or services. + + + + + Information used to substantiate a claim. + + + + + Describes how a component or service was manufactured or deployed. + + + + + Human or machine-readable statements containing facts, evidence, or testimony + + + + + An enumeration of identified weaknesses, threats, and countermeasures, dataflow diagram (DFD), attack tree, and other supporting documentation in human-readable or machine-readable format + + + + + The defined assumptions, goals, and capabilities of an adversary. + + + + + Identifies and analyzes the potential of future events that may negatively impact individuals, assets, and/or the environment. Risk assessments may also include judgments on the tolerability of each risk. + + + + + A Vulnerability Disclosure Report (VDR) which asserts the known and previously unknown vulnerabilities that affect a component, service, or product including the analysis and findings describing the impact (or lack of impact) that the reported vulnerability has on a component, service, or product. + + + + + A Vulnerability Exploitability eXchange (VEX) which asserts the known vulnerabilities that do not affect a product, product family, or organization, and optionally the ones that do. The VEX should include the analysis and findings describing the impact (or lack of impact) that the reported vulnerability has on the product, product family, or organization. 
+ + + + + Results from an authorized simulated cyberattack on a component or service, otherwise known as a penetration test + + + + + SARIF or proprietary machine or human-readable report for which static analysis has identified code quality, security, and other potential issues with the source code + + + + + Dynamic analysis report that has identified issues such as vulnerabilities and misconfigurations + + + + + Report generated by analyzing the call stack of a running application + + + + + Report generated by Software Composition Analysis (SCA), container analysis, or other forms of component analysis + + + + + Report containing a formal assessment of an organization, business unit, or team against a maturity model + + + + + Industry, regulatory, or other certification from an accredited (if applicable) certification body + + + + + Report or system in which quality metrics can be obtained + + + + + Code or configuration that defines and provisions virtualized infrastructure, commonly referred to as Infrastructure as Code (IaC) + + + + + Plans of Action and Milestones (POAM) compliment an "attestation" external reference. POAM is defined by NIST as a "document that identifies tasks needing to be accomplished. It details resources required to accomplish the elements of the plan, any milestones in meeting the tasks and scheduled completion dates for the milestones". + + + + + Use this if no other types accurately describe the purpose of the external reference + + + + + + + + + External references provide a way to document systems, sites, and information that may be + relevant, but are not included with the BOM. They may also establish specific relationships + within or external to the BOM. + + + + + + Zero or more external references can be defined + + + + + + + + + + The URI (URL or URN) to the external reference. External references + are URIs and therefore can accept any URL scheme including https, mailto, tel, and dns. 
+ External references may also include formally registered URNs such as CycloneDX BOM-Link to + reference CycloneDX BOMs or any object within a BOM. BOM-Link transforms applicable external + references into relationships that can be expressed in a BOM or across BOMs. Refer to: + https://cyclonedx.org/capabilities/bomlink/ + + + + + + + + An optional comment describing the external reference + + + + + + + + + + + + + Specifies the type of external reference. There are built-in types to describe common + references. If a type does not exist for the reference being referred to, use the "other" type. + + + + + + User-defined attributes may be used on this element as long as they + do not have the same name as an existing attribute used by the schema. + + + + + + + Zero or more commits can be specified. + + + + + Specifies an individual commit. + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + + + + + A unique identifier of the commit. This may be version control + specific. For example, Subversion uses revision numbers whereas git uses commit hashes. + + + + + + The URL to the commit. This URL will typically point to a commit + in a version control system. + + + + + + The author who created the changes in the commit + + + + + The person who committed or pushed the commit + + + + + The text description of the contents of the commit + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + + + Zero or more patches can be specified. + + + + + Specifies an individual patch. + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + + + + + The patch file (or diff) that show changes. + Refer to https://en.wikipedia.org/wiki/Diff + + + + + + + + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. 
+ + + + + + + Specifies the purpose for the patch including the resolution of defects, + security issues, or new behavior or functionality + + + + + + + + + A patch which is not developed by the creators or maintainers of the software + being patched. Refer to https://en.wikipedia.org/wiki/Unofficial_patch + + + + + A patch which dynamically modifies runtime behavior. + Refer to https://en.wikipedia.org/wiki/Monkey_patch + + + + + A patch which takes code from a newer version of software and applies + it to older versions of the same software. Refer to https://en.wikipedia.org/wiki/Backporting + + + + + A patch created by selectively applying commits from other versions or + branches of the same software. + + + + + + + + + + A fault, flaw, or bug in software + + + + + A new feature or behavior in software + + + + + A special type of defect which impacts security + + + + + + + + + + Specifies the optional text of the diff + + + + + Specifies the URL to the diff + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + + + + An individual issue that has been resolved. + + + + + + The identifier of the issue assigned by the source of the issue + + + + + The name of the issue + + + + + A description of the issue + + + + + + + The source of the issue where it is documented. + + + + + + + The name of the source. For example "National Vulnerability Database", + "NVD", and "Apache" + + + + + + + The url of the issue documentation as provided by the source + + + + + + + + + + + + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + Specifies the type of issue + + + + + + + + + The timestamp in which the action occurred + + + + + The name of the individual who performed the action + + + + + The email address of the individual who performed the action + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. 
+ + + + + + + + + + Component pedigree is a way to document complex supply chain scenarios where components are created, + distributed, modified, redistributed, combined with other components, etc. Pedigree supports viewing + this complex chain from the beginning, the end, or anywhere in the middle. It also provides a way to + document variants where the exact relation may not be known. + + + + + + Describes zero or more components in which a component is derived + from. This is commonly used to describe forks from existing projects where the forked version + contains a ancestor node containing the original component it was forked from. For example, + Component A is the original component. Component B is the component being used and documented + in the BOM. However, Component B contains a pedigree node with a single ancestor documenting + Component A - the original component from which Component B is derived from. + + + + + + Descendants are the exact opposite of ancestors. This provides a + way to document all forks (and their forks) of an original or root component. + + + + + + Variants describe relations where the relationship between the + components are not known. For example, if Component A contains nearly identical code to + Component B. They are both related, but it is unclear if one is derived from the other, + or if they share a common ancestor. + + + + + + A list of zero or more commits which provide a trail describing + how the component deviates from an ancestor, descendant, or variant. + + + + + A list of zero or more patches describing how the component + deviates from an ancestor, descendant, or variant. Patches may be complimentary to commits + or may be used in place of commits. + + + + + Notes, observations, and other non-structured commentary + describing the components pedigree. + + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. 
+ + + + + + + + + + + + + References a component or service by its bom-ref attribute + + + + + User-defined attributes may be used on this element as long as they + do not have the same name as an existing attribute used by the schema. + + + + + + + + + Defines the direct dependencies of a component or service. Components or services + that do not have their own dependencies MUST be declared as empty elements within the graph. + Components or services that are not represented in the dependency graph MAY have unknown + dependencies. It is RECOMMENDED that implementations assume this to be opaque and not an + indicator of a object being dependency-free. It is RECOMMENDED to leverage compositions to + indicate unknown dependency graphs. + + + + + + + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + User-defined attributes may be used on this element as long as they + do not have the same name as an existing attribute used by the schema. + + + + + + + + + The organization that provides the service. + + + + + The grouping name, namespace, or identifier. This will often be a shortened, + single name of the company or project that produced the service or domain name. + Whitespace and special characters should be avoided. + + + + + The name of the service. This will often be a shortened, single name + of the service. + + + + + The service version. + + + + + Specifies a description for the service. + + + + + + + + A service endpoint URI. + + + + + + + + A boolean value indicating if the service requires authentication. + A value of true indicates the service requires authentication prior to use. + A value of false indicates the service does not require authentication. + + + + + A boolean value indicating if use of the service crosses a trust zone or boundary. + A value of true indicates that by using the service, a trust boundary is crossed. 
+ A value of false indicates that by using the service, a trust boundary is not crossed. + + + + + The name of the trust zone the service resides in. + + + + + + + + + DEPRECATED: Specifies the data classification. THIS FIELD IS DEPRECATED AS OF v1.5. Use dataflow\classification instead + + + + + + Specifies the data classification. + + + + + + Specifies the data classification. + + + + + + The URI, URL, or BOM-Link of the components or services the data came in from. + + + + + + + + + + + + + + The URI, URL, or BOM-Link of the components or services the data is sent to. + + + + + + + + + + + + + + + + Name for the defined data. + + + + + + + Short description of the data content and usage. + + + + + + User-defined attributes may be used on this element as long as they + do not have the same name as an existing attribute used by the schema. + + + + + + + + + + + Provides the ability to document external references related to the service. + + + + + Provides the ability to document properties in a name/value store. + This provides flexibility to include data not officially supported in the standard + without having to use additional namespaces or create extensions. Property names + of interest to the general public are encouraged to be registered in the + CycloneDX Property Taxonomy - https://github.com/CycloneDX/cyclonedx-property-taxonomy. + Formal registration is OPTIONAL. + + + + + + A list of services included or deployed behind the parent service. This is not a dependency + tree. It provides a way to specify a hierarchical representation of service assemblies. + + + + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + + + Specifies optional release notes. + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + + An optional identifier which can be used to reference the service elsewhere in the BOM. 
+ Uniqueness is enforced within all elements and children of the root-level bom element. + + + + + + User-defined attributes may be used on this element as long as they + do not have the same name as an existing attribute used by the schema. + + + + + + + Specifies the data classification. + + + + + + Specifies the flow direction of the data. + + + + + + + + + Specifies the flow direction of the data. Valid values are: + inbound, outbound, bi-directional, and unknown. Direction is relative to the service. + Inbound flow states that data enters the service. Outbound flow states that data + leaves the service. Bi-directional states that data flows both ways, and unknown + states that the direction is not known. + + + + + + + + + + + + + + + A valid SPDX license expression. + Refer to https://spdx.org/specifications for syntax requirements + + + + + + + + An optional identifier which can be used to reference the license elsewhere in the BOM. + Uniqueness is enforced within all elements and children of the root-level bom element. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Evidence that substantiates the identity of a component. + + + + + + The identity field of the component which the evidence describes. + + + + + The overall confidence of the evidence from 0 - 1, where 1 is 100% confidence. + + + + + The methods used to extract and/or analyze the evidence. + + + + + + + + + The technique used in this method of analysis. + + + + + The confidence of the evidence from 0 - 1, where 1 is 100% confidence. Confidence is specific to the technique used. Each technique of analysis can have independent confidence. + + + + + The value or contents of the evidence. + + + + + + + + + + + + The object in the BOM identified by its bom-ref. This is often a component or service, + but may be any object type supporting bom-refs. 
Tools used for analysis should already + be defined in the BOM, either in the metadata/tools, components, or formulation. + + + + + + + + + + + + + + Evidence of individual instances of a component spread across multiple locations. + + + + + + + + + The location or path to where the component was found. + + + + + + + An optional identifier which can be used to reference the occurrence elsewhere + in the BOM. Every bom-ref MUST be unique within the BOM. + + + + + + + + + + + Evidence of the components use through the callstack. + + + + + + + + + + + + A package organizes modules into namespaces, providing a unique namespace for each type it contains. + + + + + A module or class that encloses functions/methods and other code. + + + + + A block of code designed to perform a particular task. + + + + + Optional arguments that are passed to the module or function. + + + + + + + + + + The line number the code that is called resides on. + + + + + The column the code that is called resides. + + + + + The full path and filename of the module. + + + + + + + + + + + + The object in the BOM identified by its bom-ref. This is often a component or service, + but may be any object type supporting bom-refs. Tools used for analysis should already + be defined in the BOM, either in the metadata/tools, components, or formulation. + + + + + + + + + + + + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + User-defined attributes may be used on this element as long as they + do not have the same name as an existing attribute used by the schema. + + + + + + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + User-defined attributes may be used on this element as long as they + do not have the same name as an existing attribute used by the schema. + + + + + + + + + Specifies an aggregate type that describe how complete a relationship is. 
+ + + + + + The bom-ref identifiers of the components or services being described. Assemblies refer to + nested relationships whereby a constituent part may include other constituent parts. References + do not cascade to child parts. References are explicit for the specified constituent part only. + + + + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + + + + The bom-ref identifiers of the components or services being described. Dependencies refer to a + relationship whereby an independent constituent part requires another independent constituent + part. References do not cascade to transitive dependencies. References are explicit for the + specified dependency only. + + + + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + + + + The bom-ref identifiers of the vulnerabilities being described. + + + + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + + + + + An optional identifier which can be used to reference the composition elsewhere in the BOM. + Uniqueness is enforced within all elements and children of the root-level bom element. + + + + + + + + + + The relationship is complete. No further relationships including constituent components, services, or dependencies are known to exist. + + + + + The relationship is incomplete. Additional relationships exist and may include constituent components, services, or dependencies. + + + + + The relationship is incomplete. Only relationships for first-party components, services, or their dependencies are represented. + + + + + The relationship is incomplete. Only relationships for first-party components, services, or their dependencies are represented, limited specifically to those that are proprietary. + + + + + The relationship is incomplete. 
Only relationships for first-party components, services, or their dependencies are represented, limited specifically to those that are opensource. + + + + + The relationship is incomplete. Only relationships for third-party components, services, or their dependencies are represented. + + + + + The relationship is incomplete. Only relationships for third-party components, services, or their dependencies are represented, limited specifically to those that are proprietary. + + + + + The relationship is incomplete. Only relationships for third-party components, services, or their dependencies are represented, limited specifically to those that are opensource. + + + + + The relationship may be complete or incomplete. This usually signifies a 'best-effort' to obtain constituent components, services, or dependencies but the completeness is inconclusive. + + + + + The relationship completeness is not specified. + + + + + + + + + Defines a syntax for representing two character language code (ISO-639) followed by an optional two + character country code. The language code MUST be lower case. If the country code is specified, the + country code MUST be upper case. The language code and country code MUST be separated by a minus sign. + Examples: en, en-US, fr, fr-CA + + + + + + + + + + + + The software versioning type. It is RECOMMENDED that the release type use one + of 'major', 'minor', 'patch', 'pre-release', or 'internal'. Representing all possible software + release types is not practical, so standardizing on the recommended values, whenever possible, + is strongly encouraged. + * major = A major release may contain significant changes or may introduce breaking changes. + * minor = A minor release, also known as an update, may contain a smaller number of changes than major releases. + * patch = Patch releases are typically unplanned and may resolve defects or important security issues. 
+ * pre-release = A pre-release may include alpha, beta, or release candidates and typically have + limited support. They provide the ability to preview a release prior to its general availability. + * internal = Internal releases are not for public consumption and are intended to be used exclusively + by the project or manufacturer that produced it. + + + + + + The title of the release. + + + + + The URL to an image that may be prominently displayed with the release note. + + + + + The URL to an image that may be used in messaging on social media platforms. + + + + + A short description of the release. + + + + + The date and time (timestamp) when the release note was created. + + + + + + + + One or more alternate names the release may be referred to. This may + include unofficial terms used by development and marketing teams (e.g. code names). + + + + + + + + + + + One or more tags that may aid in search or retrieval of the release note. + + + + + + + + A collection of issues that have been resolved. + + + + + + + + + + + + + Zero or more release notes containing the locale and content. Multiple + note elements may be specified to support release notes in a wide variety of languages. + + + + + + The ISO-639 (or higher) language code and optional ISO-3166 + (or higher) country code. Examples include: "en", "en-US", "fr" and "fr-CA". + + + + + Specifies the full content of the release note. + + + + + + + + + + + Provides the ability to document properties in a name/value store. + This provides flexibility to include data not officially supported in the standard + without having to use additional namespaces or create extensions. Property names + of interest to the general public are encouraged to be registered in the + CycloneDX Property Taxonomy - https://github.com/CycloneDX/cyclonedx-property-taxonomy. + Formal registration is OPTIONAL. + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. 
+ + + + + + + User-defined attributes may be used on this element as long as they + do not have the same name as an existing attribute used by the schema. + + + + + + + + + A model card describes the intended uses of a machine learning model and potential limitations, including + biases and ethical considerations. Model cards typically contain the training parameters, which datasets + were used to train the model, performance metrics, and other relevant data useful for ML transparency. + This object SHOULD be specified for any component of type `machine-learning-model` and MUST NOT be specified + for other component types. + + + + + + + Hyper-parameters for construction of the model. + + + + + + + + The overall approach to learning used by the model for problem solving. + + + + + + + + Learning types describing the learning problem or hybrid learning problem. + + + + + + + + + + Directly influences the input and/or output. Examples include classification, + regression, clustering, etc. + + + + + + + The model architecture family such as transformer network, convolutional neural + network, residual neural network, LSTM neural network, etc. + + + + + + + The specific architecture of the model such as GPT-1, ResNet-50, YOLOv3, etc. + + + + + + + The datasets used to train and evaluate the model. + + + + + + + References a data component by the components bom-ref attribute + + + + + + + + + + + + + The input format(s) of the model + + + + + + + + + + + The data format for input to the model. Example formats include string, image, time-series + + + + + + + + + + + + + The output format(s) from the model + + + + + + + + + + + The data format for output from the model. Example formats include string, image, time-series + + + + + + + + + + + + + + + + A quantitative analysis of the model + + + + + + + + + + + + + + The type of performance metric. + + + + + + + The value of the performance metric. + + + + + + + The name of the slice this metric was computed on. 
By default, assume + this metric is not sliced. + + + + + + + The confidence interval of the metric. + + + + + + + + The lower bound of the confidence interval. + + + + + + + The upper bound of the confidence interval. + + + + + + + + + + + + + + + + A collection of graphics that represent various measurements + + + + + + + + A description of this collection of graphics. + + + + + + + A collection of graphics. + + + + + + + + + + + The name of the graphic. + + + + + + + The graphic (vector or raster). Base64 encoding MUST be specified for binary images. + + + + + + + + + + + + + + + + + + + What considerations should be taken into account regarding the model's construction, training, + and application? + + + + + + + + Who are the intended users of the model? + + + + + + + + + + + + What are the intended use cases of the model? + + + + + + + + + + + + What are the known technical limitations of the model? E.g. What kind(s) of data + should the model be expected not to perform well on? What are the factors that might + degrade model performance? + + + + + + + + + + + + What are the known tradeoffs in accuracy/performance of the model? + + + + + + + + + + + + What are the ethical (or environmental) risks involved in the application of this model? + + + + + + + + + + + The name of the risk + + + + + + + Strategy used to address this risk + + + + + + + + + + + + + How does the model affect groups at risk of being systematically disadvantaged? + What are the harms and benefits to the various affected groups? + + + + + + + + + + + The groups or individuals at risk of being systematically disadvantaged by the model. + + + + + + + Expected benefits to the identified groups. + + + + + + + Expected harms to the identified groups. + + + + + + + With respect to the benefits and harms outlined, please + describe any mitigation strategy implemented. + + + + + + + + + + + + + + + + + An optional identifier which can be used to reference the model card elsewhere in the BOM. 
+ Every bom-ref MUST be unique within the BOM. + + + + + + + + + + TODO + + + + + TODO + + + + + TODO + + + + + TODO + + + + + TODO + + + + + + + + + + + The general theme or subject matter of the data being specified. + + + + + + + The name of the dataset. + + + + + + + The contents or references to the contents of the data being described. + + + + + + + An optional way to include textual or encoded data. + + + + + The URL to where the data can be retrieved. + + + + + Provides the ability to document name-value parameters used for configuration. + + + + + + + + + Data classification tags data according to its type, sensitivity, and value if altered, stolen, or destroyed. + + + + + + + A description of any sensitive data in a dataset. + + + + + + + A collection of graphics that represent various measurements. + + + + + + + A description of the dataset. Can describe size of dataset, whether it's used for source code, + training, testing, or validation, etc. + + + + + + + + + An optional identifier which can be used to reference the dataset elsewhere in the BOM. + Every bom-ref MUST be unique within the BOM. + + + + + + + + + + + Data custodians are responsible for the safe custody, transport, and storage of data. + + + + + + + + + + + + Data stewards are responsible for data content, context, and associated business rules. + + + + + + + + + + + + Data owners are concerned with risk and appropriate access to data. + + + + + + + + + + + + + + + + + + + + + + A collection of graphics that represent various measurements. + + + + + + + A description of this collection of graphics. + + + + + + + A collection of graphics. + + + + + + + + + + + The name of the graphic. + + + + + + + The graphic (vector or raster). Base64 encoding MUST be specified for binary images. + + + + + + + + + + + + + + + + + Any type of code, code snippet, or data-as-code. + + + + + Parameters or settings that may be used by other components. + + + + + A collection of data. 
+ + + + + Data that can be used to create new instances of what the definition defines. + + + + + Any other type of data that does not fit into existing definitions. + + + + + + + + + References a component or service by its bom-ref attribute + + + + + + + + User-defined attributes may be used on this element as long as they + do not have the same name as an existing attribute used by the schema. + + + + + + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + User-defined attributes may be used on this element as long as they + do not have the same name as an existing attribute used by the schema. + + + + + + + Specifies an individual property with a name and value. + + + + + + The name of the property. Duplicate names are allowed, each potentially having a different value. + + + + + + + + + + + Defines a weakness in a component or service that could be exploited or triggered by a threat source. + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + User-defined attributes may be used on this element as long as they + do not have the same name as an existing attribute used by the schema. + + + + + + + + + The identifier that uniquely identifies the vulnerability. For example: + CVE-2021-39182, GHSA-35m5-8cvj-8783, and SNYK-PYTHON-ENROCRYPT-1912876. + + + + + The source that published the vulnerability. + + + + + Zero or more pointers to vulnerabilities that are the equivalent of the + vulnerability specified. Often times, the same vulnerability may exist in multiple sources of + vulnerability intelligence, but have different identifiers. References provide a way to + correlate vulnerabilities across multiple sources of vulnerability intelligence. + + + + + + A pointer to a vulnerability that is the equivalent of the + vulnerability specified. + + + + + + The identifier that uniquely identifies the vulnerability. 
For example: + CVE-2021-39182, GHSA-35m5-8cvj-8783, and SNYK-PYTHON-ENROCRYPT-1912876. + + + + + The source that published the vulnerability. + + + + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + + + List of vulnerability ratings. + + + + + + + + + + + + List of Common Weaknesses Enumerations (CWEs) codes that describes this vulnerability. + For example 399 (of https://cwe.mitre.org/data/definitions/399.html) + + + + + + + + + + A description of the vulnerability as provided by the source. + + + + + If available, an in-depth description of the vulnerability as provided by the + source organization. Details often include information useful in understanding root cause. + + + + + Recommendations of how the vulnerability can be remediated or mitigated. + + + + + A bypass, usually temporary, of the vulnerability that reduces its likelihood and/or impact. Workarounds often involve changes to configuration or deployments. + + + + + + + Evidence used to reproduce the vulnerability. + + + + + + Precise steps to reproduce the vulnerability. + + + + + A description of the environment in which reproduction was possible. + + + + + Supporting material that helps in reproducing or understanding how reproduction is possible. This may include screenshots, payloads, and PoC exploit code. + + + + + + + + + + + + + + + Published advisories of the vulnerability if provided. + + + + + + + + + + The date and time (timestamp) when the vulnerability record was created in the vulnerability database. + + + + + The date and time (timestamp) when the vulnerability record was first published. + + + + + The date and time (timestamp) when the vulnerability record was last updated. + + + + + The date and time (timestamp) when the vulnerability record was rejected (if applicable). + + + + + Individuals or organizations credited with the discovery of the vulnerability. 
+ + + + + + The organizations credited with vulnerability discovery. + + + + + + + + + + The individuals, not associated with organizations, that are credited with vulnerability discovery. + + + + + + + + + + + + + The tool(s) used to identify, confirm, or score the vulnerability. + + + + + + + DEPRECATED. Use tools\components or tools\services instead. + + + + + + + A list of software and hardware components used as tools. + + + + + A list of services used as tools. + + + + + + + + + + + An assessment of the impact and exploitability of the vulnerability. + + + + + + + Declares the current state of an occurrence of a vulnerability, after automated or manual analysis. + + + + + + + The rationale of why the impact analysis state was asserted. + + + + + + A response to the vulnerability by the manufacturer, supplier, or + project responsible for the affected component or service. More than one response + is allowed. Responses are strongly encouraged for vulnerabilities where the analysis + state is exploitable. + + + + + + + + + + + Detailed description of the impact including methods used during assessment. + If a vulnerability is not exploitable, this field should include specific details + on why the component or service is not impacted by this vulnerability. + + + + + + + The date and time (timestamp) when the analysis was first issued. + + + + + + + The date and time (timestamp) when the analysis was last updated. + + + + + + + + + The components or services that are affected by the vulnerability. + + + + + + + + + References a component or service by the objects bom-ref. + + + + + + + + Zero or more individual versions or range of versions. + + + + + + + + + + A single version of a component or service. + + + + + A version range specified in Package URL Version Range syntax (vers) which is defined at https://github.com/package-url/vers-spec + + + + + + + The vulnerability status for the version or range of versions. 
+ + + + + + + + + + + + + + + + + + Provides the ability to document properties in a name/value store. + This provides flexibility to include data not officially supported in the standard + without having to use additional namespaces or create extensions. Property names + of interest to the general public are encouraged to be registered in the + CycloneDX Property Taxonomy - https://github.com/CycloneDX/cyclonedx-property-taxonomy. + Formal registration is OPTIONAL. + + + + + + + An optional identifier which can be used to reference the vulnerability elsewhere in the BOM. + Uniqueness is enforced within all elements and children of the root-level bom element. + + + + + + + + + + The name of the source. + For example: NVD, National Vulnerability Database, OSS Index, VulnDB, and GitHub Advisories + + + + + + The url of the vulnerability documentation as provided by the source. + For example: https://nvd.nist.gov/vuln/detail/CVE-2021-39182 + + + + + + + + + + The source that calculated the severity or risk rating of the vulnerability. + + + + + The numerical score of the rating. + + + + + Textual representation of the severity that corresponds to the numerical score of the rating. + + + + + The risk scoring methodology/standard used. + + + + + Textual representation of the metric values used to score the vulnerability. + + + + + An optional reason for rating the vulnerability as it was. + + + + + + + + + + An optional name of the advisory. + + + + + Location where the advisory can be obtained. + + + + + + + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + User-defined attributes may be used on this element as long as they + do not have the same name as an existing attribute used by the schema. 
+ + + + + + + + + The organization that created the annotation + + + + + The person that created the annotation + + + + + The tool or component that created the annotation + + + + + The service that created the annotation + + + + + + + + + + + The objects in the BOM identified by their bom-ref's. This is often components or services, but may be any object type supporting bom-refs. + + + + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + + + The organization, individual, component, or service which created the textual content + of the annotation. + + + + + The date and time (timestamp) when the annotation was created. + + + + + The textual content of the annotation. + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + + An optional identifier which can be used to reference the annotation elsewhere in the BOM. + Uniqueness is enforced within all elements and children of the root-level bom element. + + + + + + User-defined attributes may be used on this element as long as they + do not have the same name as an existing attribute used by the schema. + + + + + + + + Textual representation of the severity of the vulnerability adopted by the analysis method. If the + analysis method uses values other than what is provided, the user is expected to translate appropriately. + + + + + + + + + + + + + + + + + Declares the current state of an occurrence of a vulnerability, after automated or manual analysis. + + + + + + + The vulnerability has been remediated. + + + + + + + The vulnerability has been remediated and evidence of the changes are provided in the affected + components pedigree containing verifiable commit history and/or diff(s). + + + + + + + The vulnerability may be directly or indirectly exploitable. + + + + + + + The vulnerability is being investigated. 
+ + + + + + + The vulnerability is not specific to the component or service and was falsely identified or associated. + + + + + + + The component or service is not affected by the vulnerability. Justification should be specified + for all not_affected cases. + + + + + + + + + + The rationale of why the impact analysis state was asserted. + + + + + + + The code has been removed or tree-shaked. + + + + + + + The vulnerable code is not invoked at runtime. + + + + + + + Exploitability requires a configurable option to be set/unset. + + + + + + + Exploitability requires a dependency that is not present. + + + + + + + Exploitability requires a certain environment which is not present. + + + + + + + Exploitability requires a compiler flag to be set/unset. + + + + + + + Exploits are prevented at runtime. + + + + + + + Attacks are blocked at physical, logical, or network perimeter. + + + + + + + Preventative measures have been implemented that reduce the likelihood and/or impact of the vulnerability. + + + + + + + + + + Specifies the severity or risk scoring methodology or standard used. + + + + + + + The rating is based on CVSS v2 standard + https://www.first.org/cvss/v2/ + + + + + + + The rating is based on CVSS v3.0 standard + https://www.first.org/cvss/v3-0/ + + + + + + + The rating is based on CVSS v3.1 standard + https://www.first.org/cvss/v3-1/ + + + + + + + The rating is based on CVSS v4.0 standard + https://www.first.org/cvss/v4-0/ + + + + + + + The rating is based on OWASP Risk Rating + https://owasp.org/www-community/OWASP_Risk_Rating_Methodology + + + + + + + The rating is based on Stakeholder Specific Vulnerability Categorization (all versions) + https://github.com/CERTCC/SSVC + + + + + + + Use this if the risk scoring methodology is not based on any of the options above + + + + + + + + + + The rationale of why the impact analysis state was asserted. + + + + + + + + + + + + + + + The vulnerability status of a given version or range of versions of a product. 
The statuses + 'affected' and 'unaffected' indicate that the version is affected or unaffected by the vulnerability. + The status 'unknown' indicates that it is unknown or unspecified whether the given version is affected. + There can be many reasons for an 'unknown' status, including that an investigation has not been + undertaken or that a vendor has not disclosed the status. + + + + + + + + + + + + + Describes how a component or service was manufactured or deployed. This is achieved through the use + of formulas, workflows, tasks, and steps, which declare the precise steps to reproduce along with the + observed formulas describing the steps which transpired in the manufacturing process. + + + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + User-defined attributes may be used on this element as long as they + do not have the same name as an existing attribute used by the schema. + + + + + + + + Describes workflows and resources that captures rules and other aspects of how the associated + BOM component or service was formed. + + + + + + Transient components that are used in tasks that constitute one or more of + this formula's workflows + + + + + Transient services that are used in tasks that constitute one or more of + this formula's workflows + + + + + List of workflows that can be declared to accomplish specific orchestrated goals + and independently triggered. + + + + + Provides the ability to document properties in a name/value store. + This provides flexibility to include data not officially supported in the standard + without having to use additional namespaces or create extensions. Property names + of interest to the general public are encouraged to be registered in the + CycloneDX Property Taxonomy - https://github.com/CycloneDX/cyclonedx-property-taxonomy. + Formal registration is OPTIONAL. 
+ + + + + + + An optional identifier which can be used to reference the formula elsewhere in the BOM. + Uniqueness is enforced within all elements and children of the root-level bom element. + + + + + + User-defined attributes may be used on this element as long as they + do not have the same name as an existing attribute used by the schema. + + + + + + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + User-defined attributes may be used on this element as long as they + do not have the same name as an existing attribute used by the schema. + + + + + + + + + + The unique identifier for the resource instance within its deployment context. + + + + + + + The name of the resource instance. + + + + + + + The description of the resource instance. + + + + + + References to component or service resources that are used to realize + the resource instance. + + + + + The tasks that comprise the workflow. + + + + + The graph of dependencies between tasks within the workflow. + + + + + Indicates the types of activities performed by the set of workflow tasks. + + + + + + + + + + The trigger that initiated the task. + + + + + + The sequence of steps for the task. + + + + + + + + + + + Represents resources and data brought into a task at runtime by executor + or task commands + + + + + + + + + + Represents resources and data output from a task at runtime by executor + or task commands + + + + + + + + + + + The date and time (timestamp) when the task started. + + + + + + + The date and time (timestamp) when the task ended. + + + + + + A set of named filesystem or data resource shareable by workflow tasks. + + + + + A graph of the component runtime topology for workflow's instance. + A description of the runtime component and service topology. This can describe a partial or + complete topology used to host and execute the task (e.g., hardware, operating systems, + configurations, etc.) 
+ + + + + Provides the ability to document properties in a name/value store. + This provides flexibility to include data not officially supported in the standard + without having to use additional namespaces or create extensions. Property names + of interest to the general public are encouraged to be registered in the + CycloneDX Property Taxonomy - https://github.com/CycloneDX/cyclonedx-property-taxonomy. + Formal registration is OPTIONAL. + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + + An optional identifier which can be used to reference the workflow elsewhere in the BOM. + Uniqueness is enforced within all elements and children of the root-level bom element. + + + + + + User-defined attributes may be used on this element as long as they + do not have the same name as an existing attribute used by the schema. + + + + + + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + User-defined attributes may be used on this element as long as they + do not have the same name as an existing attribute used by the schema. + + + + + + + + + + + References an object by its bom-ref attribute + + + + + + + + + + Reference to an externally accessible resource. + + + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + User-defined attributes may be used on this element as long as they + do not have the same name as an existing attribute used by the schema. + + + + + + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + User-defined attributes may be used on this element as long as they + do not have the same name as an existing attribute used by the schema. + + + + + + + + + + The unique identifier for the resource instance within its deployment context. + + + + + + + The name of the resource instance. 
+ + + + + + + The description of the resource instance. + + + + + + + References to component or service resources that are used to realize the resource instance. + + + + + + + Indicates the types of activities performed by the set of workflow tasks. + + + + + + + + + + + + The trigger that initiated the task. + + + + + + + The sequence of steps for the task. + + + + + + + + + + + + Represents resources and data brought into a task at runtime by executor or task commands. + + + + + + + + + + + + Represents resources and data output from a task at runtime by executor or task commands + + + + + + + + + + + + The date and time (timestamp) when the task started. + + + + + + + The date and time (timestamp) when the task ended. + + + + + + + A set of named filesystem or data resource shareable by workflow tasks. + + + + + + + A graph of the component runtime topology for task's instance. + + + + + + Provides the ability to document properties in a name/value store. + This provides flexibility to include data not officially supported in the standard + without having to use additional namespaces or create extensions. Property names + of interest to the general public are encouraged to be registered in the + CycloneDX Property Taxonomy - https://github.com/CycloneDX/cyclonedx-property-taxonomy. + Formal registration is OPTIONAL. + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + + An optional identifier which can be used to reference the task elsewhere in the BOM. + Uniqueness is enforced within all elements and children of the root-level bom element. + + + + + + User-defined attributes may be used on this element as long as they + do not have the same name as an existing attribute used by the schema. + + + + + + + + + + + + + + + + + + + + + + + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. 
+ + + + + + + User-defined attributes may be used on this element as long as they + do not have the same name as an existing attribute used by the schema. + + + + + + + + A named filesystem or data resource shareable by workflow tasks. + + + + + + + The unique identifier for the resource instance within its deployment context. + + + + + + + The name of the resource instance. + + + + + + + The names for the workspace as referenced by other workflow tasks. Effectively, a name mapping + so other tasks can use their own local name in their steps. + + + + + + + + + + + + The description of the resource instance. + + + + + + + References to component or service resources that are used to realize the resource instance. + + + + + + + Describes the read-write access control for the workspace relative to the owning resource instance. + + + + + + + A path to a location on disk where the workspace will be available to the associated task's steps. + + + + + + + The name of a domain-specific data type the workspace represents. This property is for CI/CD + frameworks that are able to provide access to structured, managed data at a more granular level + than a filesystem. + + + + + + + Identifies the reference to the request for a specific volume type and parameters. + + + + + + + Information about the actual volume instance allocated to the workspace. + + + + + + Provides the ability to document properties in a name/value store. + This provides flexibility to include data not officially supported in the standard + without having to use additional namespaces or create extensions. Property names + of interest to the general public are encouraged to be registered in the + CycloneDX Property Taxonomy - https://github.com/CycloneDX/cyclonedx-property-taxonomy. + Formal registration is OPTIONAL. + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. 
+ + + + + + + + An optional identifier which can be used to reference the workflow elsewhere in the BOM. + Uniqueness is enforced within all elements and children of the root-level bom element. + + + + + + User-defined attributes may be used on this element as long as they + do not have the same name as an existing attribute used by the schema. + + + + + + + + + + + + + + + + + + An identifiable, logical unit of data storage tied to a physical device. + + + + + + + The unique identifier for the volume instance within its deployment context. + + + + + + + The name of the volume instance + + + + + + + The mode for the volume instance. + + + + + + + The underlying path created from the actual volume. + + + + + + + The allocated size of the volume accessible to the associated workspace. This should include + the scalar size as well as IEC standard unit in either decimal or binary form. + + + + + + + Indicates if the volume persists beyond the life of the resource it is associated with. + + + + + + + Indicates if the volume is remotely (i.e., network) attached. + + + + + + Provides the ability to document properties in a name/value store. + This provides flexibility to include data not officially supported in the standard + without having to use additional namespaces or create extensions. Property names + of interest to the general public are encouraged to be registered in the + CycloneDX Property Taxonomy - https://github.com/CycloneDX/cyclonedx-property-taxonomy. + Formal registration is OPTIONAL. + + + + + + + + + + + + + + + + Executes specific commands or tools in order to accomplish its owning task as part of a sequence. + + + + + + + A name for the step. + + + + + + + A description of the step. + + + + + + + Ordered list of commands or directives for the step + + + + + + + + + + + A text representation of the executed command. + + + + + + Provides the ability to document properties in a name/value store. 
+ This provides flexibility to include data not officially supported in the standard + without having to use additional namespaces or create extensions. Property names + of interest to the general public are encouraged to be registered in the + CycloneDX Property Taxonomy - https://github.com/CycloneDX/cyclonedx-property-taxonomy. + Formal registration is OPTIONAL. + + + + + + + + + + + Provides the ability to document properties in a name/value store. + This provides flexibility to include data not officially supported in the standard + without having to use additional namespaces or create extensions. Property names + of interest to the general public are encouraged to be registered in the + CycloneDX Property Taxonomy - https://github.com/CycloneDX/cyclonedx-property-taxonomy. + Formal registration is OPTIONAL. + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + User-defined attributes may be used on this element as long as they + do not have the same name as an existing attribute used by the schema. + + + + + + + + + + The unique identifier for the resource instance within its deployment context. + + + + + + + The name of the resource instance. + + + + + + + The description of the resource instance. + + + + + + + References to component or service resources that are used to realize the resource instance. + + + + + + + The source type of event which caused the trigger to fire. + + + + + + + The event data that caused the associated trigger to activate. + + + + + + + + + + A condition that was used to determine a trigger should be activated. + + + + + + + + Describes the set of conditions which cause the trigger to activate. + + + + + + + The logical expression that was evaluated that determined the trigger should be fired. + + + + + + Provides the ability to document properties in a name/value store. 
+ This provides flexibility to include data not officially supported in the standard + without having to use additional namespaces or create extensions. Property names + of interest to the general public are encouraged to be registered in the + CycloneDX Property Taxonomy - https://github.com/CycloneDX/cyclonedx-property-taxonomy. + Formal registration is OPTIONAL. + + + + + + + + + + + + The date and time (timestamp) when the trigger was activated. + + + + + + + Represents resources and data brought into a task at runtime by executor or task commands + + + + + + + + + + + + Represents resources and data output from a task at runtime by executor or task commands + + + + + + + + + + + Provides the ability to document properties in a name/value store. + This provides flexibility to include data not officially supported in the standard + without having to use additional namespaces or create extensions. Property names + of interest to the general public are encouraged to be registered in the + CycloneDX Property Taxonomy - https://github.com/CycloneDX/cyclonedx-property-taxonomy. + Formal registration is OPTIONAL. + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + + An optional identifier which can be used to reference the trigger elsewhere in the BOM. + Uniqueness is enforced within all elements and children of the root-level bom element. + + + + + + User-defined attributes may be used on this element as long as they + do not have the same name as an existing attribute used by the schema. + + + + + + + + + + + + + + + + + + + The unique identifier of the event. + + + + + + + A description of the event. + + + + + + + The date and time (timestamp) when the event was received. + + + + + + + Encoding of the raw event data. 
+ + + + + + + References the component or service that was the source of the event + + + + + + + References the component or service that was the target of the event + + + + + + Provides the ability to document properties in a name/value store. + This provides flexibility to include data not officially supported in the standard + without having to use additional namespaces or create extensions. Property names + of interest to the general public are encouraged to be registered in the + CycloneDX Property Taxonomy - https://github.com/CycloneDX/cyclonedx-property-taxonomy. + Formal registration is OPTIONAL. + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + User-defined attributes may be used on this element as long as they + do not have the same name as an existing attribute used by the schema. + + + + + + + + Type that represents various input data types and formats. + + + + + + + + A reference to an independent resource provided as an input to a task by the workflow runtime. + + + + + + + Inputs that have the form of parameters with names and values. + + + + + + + Inputs that have the form of parameters with names and values. + + + + + + + + + + + + + + + + Inputs that have the form of data. + + + + + + + + A references to the component or service that provided the input to the task + (e.g., reference to a service with data flow value of inbound) + + + + + + + A reference to the component or service that received or stored the input if not the task + itself (e.g., a local, named storage workspace) + + + + + + Provides the ability to document properties in a name/value store. + This provides flexibility to include data not officially supported in the standard + without having to use additional namespaces or create extensions. 
Property names + of interest to the general public are encouraged to be registered in the + CycloneDX Property Taxonomy - https://github.com/CycloneDX/cyclonedx-property-taxonomy. + Formal registration is OPTIONAL. + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + User-defined attributes may be used on this element as long as they + do not have the same name as an existing attribute used by the schema. + + + + + + + + Represents resources and data output from a task at runtime by executor or task commands + + + + + + + + A reference to an independent resource generated as output by the task. + + + + + + + Outputs that have the form of environment variables. + + + + + + + + + + + + + + + + Outputs that have the form of data. + + + + + + + + Describes the type of data output. + + + + + + + Component or service that generated or provided the output from the task (e.g., a build tool) + + + + + + + Component or service that received the output from the task + (e.g., reference to an artifactory service with data flow value of outbound) + + + + + + Provides the ability to document properties in a name/value store. + This provides flexibility to include data not officially supported in the standard + without having to use additional namespaces or create extensions. Property names + of interest to the general public are encouraged to be registered in the + CycloneDX Property Taxonomy - https://github.com/CycloneDX/cyclonedx-property-taxonomy. + Formal registration is OPTIONAL. + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + User-defined attributes may be used on this element as long as they + do not have the same name as an existing attribute used by the schema. + + + + + + + + + + + + + + + + + + + + + + + + + A representation of a functional parameter. + + + + + + + The name of the parameter. + + + + + + + The value of the parameter. 
+ + + + + + + The data type of the parameter. + + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + User-defined attributes may be used on this element as long as they + do not have the same name as an existing attribute used by the schema. + + + + + + + + + + Provides additional information about a BOM. + + + + + A list of software and hardware components. + + + + + A list of services. This may include microservices, function-as-a-service, and other types of network or intra-process services. + + + + + Provides the ability to document external references related to the BOM or + to the project the BOM describes. + + + + + Provides the ability to document dependency relationships. + + + + + Compositions describe constituent parts (including components, services, and dependency relationships) and their completeness. The completeness of vulnerabilities expressed in a BOM may also be described. + + + + + Provides the ability to document properties in a name/value store. + This provides flexibility to include data not officially supported in the standard + without having to use additional namespaces or create extensions. Property names + of interest to the general public are encouraged to be registered in the + CycloneDX Property Taxonomy - https://github.com/CycloneDX/cyclonedx-property-taxonomy. + Formal registration is OPTIONAL. + + + + + Vulnerabilities identified in components or services. + + + + + Comments made by people, organizations, or tools about any object with + a bom-ref, such as components, services, vulnerabilities, or the BOM itself. Unlike + inventory information, annotations may contain opinion or commentary from various + stakeholders. Annotations may be inline (with inventory) or externalized via BOM-Link, + and may optionally be signed. + + + + + Describes how a component or service was manufactured or deployed. 
This is + achieved through the use of formulas, workflows, tasks, and steps, which declare the precise + steps to reproduce along with the observed formulas describing the steps which transpired + in the manufacturing process. + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + Whenever an existing BOM is modified, either manually or through automated + processes, the version of the BOM SHOULD be incremented by 1. When a system is presented with + multiple BOMs with identical serial numbers, the system SHOULD use the most recent version of the BOM. + The default version is '1'. + + + + + Every BOM generated SHOULD have a unique serial number, even if the contents of + the BOM have not changed over time. If specified, the serial number MUST conform to RFC-4122. + Use of serial numbers are RECOMMENDED. + + + + + User-defined attributes may be used on this element as long as they + do not have the same name as an existing attribute used by the schema. + + + + + + + + + diff --git a/schema/bom-1.6.proto b/schema/bom-1.6.proto new file mode 100644 index 0000000..ddcfc3f --- /dev/null +++ b/schema/bom-1.6.proto 
@@ -0,0 +1,2381 @@
+syntax = "proto3";
+package cyclonedx.v1_6; // version 1.6.1
+import "google/protobuf/timestamp.proto";
+
+// Specifies attributes of the text
+message AttachedText {
+ // Specifies the format and nature of the data being attached, helping systems correctly interpret and process the content. Common content type examples include `application/json` for JSON data and `text/plain` for plan text documents. [RFC 2045 section 5.1](https://www.ietf.org/rfc/rfc2045.html#section-5.1) outlines the structure and use of content types. For a comprehensive list of registered content types, refer to the [IANA media types registry](https://www.iana.org/assignments/media-types/media-types.xhtml).
+ optional string content_type = 1;
+ // Specifies the optional encoding the text is represented in
+ optional string encoding = 2;
+ // SimpleContent value of element. Proactive controls such as input validation and sanitization should be employed to prevent misuse of attachment text.
+ string value = 3;
+}
+
+message Bom {
+ // The version of the CycloneDX specification a BOM is written to (starting at version 1.3)
+ string spec_version = 1;
+ // The version allows component publishers/authors to make changes to existing BOMs to update various aspects of the document such as description or licenses. When a system is presented with multiple BOMs for the same component, the system should use the most recent version of the BOM. The default version is '1' and should be incremented for each version of the BOM that is published. Each version of a component should have a unique BOM and if no changes are made to the BOMs, then each BOM will have a version of '1'.
+ optional int32 version = 2;
+ // Every BOM generated should have a unique serial number, even if the contents of the BOM being generated have not changed over time. The process or tool responsible for creating the BOM should create random UUID's for every BOM generated.
+ optional string serial_number = 3;
+ // Provides additional information about a BOM.
+ optional Metadata metadata = 4;
+ // Provides the ability to document a list of components.
+ repeated Component components = 5;
+ // Provides the ability to document a list of external services.
+ repeated Service services = 6;
+ // Provides the ability to document external references related to the BOM or to the project the BOM describes.
+ repeated ExternalReference external_references = 7;
+ // Provides the ability to document dependency relationships.
+ repeated Dependency dependencies = 8;
+ // Compositions describe constituent parts (including components, services, and dependency relationships) and their completeness. The completeness of vulnerabilities expressed in a BOM may also be described.
+ repeated Composition compositions = 9;
+ // Vulnerabilities identified in components or services.
+ repeated Vulnerability vulnerabilities = 10;
+ // Comments made by people, organizations, or tools about any object with a bom-ref, such as components, services, vulnerabilities, or the BOM itself. Unlike inventory information, annotations may contain opinion or commentary from various stakeholders.
+ repeated Annotation annotations = 11;
+ // Specifies optional, custom, properties
+ repeated Property properties = 12;
+ // Describes how a component or service was manufactured or deployed. This is achieved through the use of formulas, workflows, tasks, and steps, which declare the precise steps to reproduce along with the observed formulas describing the steps which transpired in the manufacturing process.
+ repeated Formula formulation = 13;
+ // The list of declarations which describe the conformance to standards. Each declaration may include attestations, claims, and evidence.
+ repeated Declarations declarations = 14;
+ // A collection of reusable objects that are defined and may be used elsewhere in the BOM.
+ repeated Definition definitions = 15;
+}
+
+enum Classification {
+ // buf:lint:ignore ENUM_ZERO_VALUE_SUFFIX -- `null` is our fallback, doubling `unspecified`
+ CLASSIFICATION_NULL = 0;
+ // A software application. Refer to https://en.wikipedia.org/wiki/Application_software for information about applications.
+ CLASSIFICATION_APPLICATION = 1;
+ // A software framework. Refer to https://en.wikipedia.org/wiki/Software_framework for information on how frameworks vary slightly from libraries.
+ CLASSIFICATION_FRAMEWORK = 2;
+ // A software library. Refer to https://en.wikipedia.org/wiki/Library_(computing) for information about libraries. All third-party and open source reusable components will likely be a library. If the library also has key features of a framework, then it should be classified as a framework. If not, or is unknown, then specifying library is recommended.
+ CLASSIFICATION_LIBRARY = 3;
+ // A software operating system without regard to deployment model (i.e. installed on physical hardware, virtual machine, image, etc) Refer to https://en.wikipedia.org/wiki/Operating_system
+ CLASSIFICATION_OPERATING_SYSTEM = 4;
+ // A hardware device such as a processor, or chip-set. A hardware device containing firmware should include a component for the physical hardware itself, and another component of type 'firmware' or 'operating-system' (whichever is relevant), describing information about the software running on the device. See also the list of known device properties: https://github.com/CycloneDX/cyclonedx-property-taxonomy/blob/main/cdx/device.md
+ CLASSIFICATION_DEVICE = 5;
+ // A computer file. Refer to https://en.wikipedia.org/wiki/Computer_file for information about files.
+ CLASSIFICATION_FILE = 6;
+ // A packaging and/or runtime format, not specific to any particular technology, which isolates software inside the container from software outside of a container through virtualization technology. Refer to https://en.wikipedia.org/wiki/OS-level_virtualization
+ CLASSIFICATION_CONTAINER = 7;
+ // A special type of software that provides low-level control over a devices hardware. Refer to https://en.wikipedia.org/wiki/Firmware
+ CLASSIFICATION_FIRMWARE = 8;
+ // A special type of software that operates or controls a particular type of device. Refer to https://en.wikipedia.org/wiki/Device_driver
+ CLASSIFICATION_DEVICE_DRIVER = 9;
+ // A runtime environment which interprets or executes software. This may include runtimes such as those that execute bytecode or low-code/no-code application platforms.
+ CLASSIFICATION_PLATFORM = 10;
+ // A model based on training data that can make predictions or decisions without being explicitly programmed to do so.
+ CLASSIFICATION_MACHINE_LEARNING_MODEL = 11;
+ // A collection of discrete values that convey information.
+ CLASSIFICATION_DATA = 12;
+ // A cryptographic asset including algorithms, protocols, certificates, keys, tokens, and secrets.
+ CLASSIFICATION_CRYPTOGRAPHIC_ASSET = 13;
+}
+
+message Commit {
+ // A unique identifier of the commit. This may be version control specific. For example, Subversion uses revision numbers whereas git uses commit hashes.
+ optional string uid = 1;
+ // The URL to the commit. This URL will typically point to a commit in a version control system.
+ optional string url = 2;
+ // The author who created the changes in the commit
+ optional IdentifiableAction author = 3;
+ // The person who committed or pushed the commit
+ optional IdentifiableAction committer = 4;
+ // The text description of the contents of the commit
+ optional string message = 5;
+}
+
+message Component {
+ // Specifies the type of component. For software components, classify as an application if no more specific appropriate classification is available or cannot be determined for the component.
+ Classification type = 1;
+ // The optional mime-type of the component. When used on file components, the mime-type can provide additional context about the kind of file being represented, such as an image, font, or executable. Some library or framework components may also have an associated mime-type.
+ optional string mime_type = 2;
+ // An optional identifier which can be used to reference the component elsewhere in the BOM. Uniqueness is enforced within all elements and children of the root-level bom element.
+ optional string bom_ref = 3;
+ // The organization that supplied the component. The supplier may often be the manufacturer but may also be a distributor or repackager.
+ optional OrganizationalEntity supplier = 4;
+ // DEPRECATED - DO NOT USE - This will be removed in a future version - Use `.authors` or `.manufacturer` instead. The person(s) or organization(s) that authored the component
+ optional string author = 5 [deprecated = true];
+ // The person(s) or organization(s) that published the component
+ optional string publisher = 6;
+ // The grouping name or identifier. This will often be a shortened, single name of the company or project that produced the component or the source package or domain name. Whitespace and special characters should be avoided. Examples include: apache, org.apache.commons, and apache.org.
+ optional string group = 7;
+ // The name of the component. This will often be a shortened, single name of the component. Examples: commons-lang3 and jquery
+ string name = 8;
+ // The component version. The version should ideally comply with semantic versioning but is not enforced. Version was made optional in v1.4 of the spec. For backward compatibility, it is recommended to use an empty string to represent components without version information.
+ string version = 9;
+ // Specifies a description for the component
+ optional string description = 10;
+ // Specifies the scope of the component. If a scope is not specified, SCOPE_REQUIRED scope should be assumed by the consumer of the BOM
+ optional Scope scope = 11;
+ // The hashes of the component.
+ repeated Hash hashes = 12;
+ // EITHER (list of SPDX licenses and/or named licenses) OR (tuple of one SPDX License Expression)
+ repeated LicenseChoice licenses = 13;
+ // An optional copyright notice informing users of the underlying claims to copyright ownership in a published work.
+ optional string copyright = 14;
+ // DEPRECATED - DO NOT USE. This will be removed in a future version. Specifies a well-formed CPE name. See https://nvd.nist.gov/products/cpe
+ optional string cpe = 15;
+ // Specifies the package-url (PURL). The purl, if specified, must be valid and conform to the specification defined at: https://github.com/package-url/purl-spec
+ optional string purl = 16;
+ // Specifies metadata and content for ISO-IEC 19770-2 Software Identification (SWID) Tags.
+ optional Swid swid = 17;
+ // DEPRECATED - DO NOT USE. This will be removed in a future version. Use the pedigree element instead to supply information on exactly how the component was modified. A boolean value indicating is the component has been modified from the original. A value of true indicates the component is a derivative of the original. A value of false indicates the component has not been modified from the original.
+ optional bool modified = 18;
+ // Component pedigree is a way to document complex supply chain scenarios where components are created, distributed, modified, redistributed, combined with other components, etc.
+ optional Pedigree pedigree = 19;
+ // Provides the ability to document external references related to the component or to the project the component describes.
+ repeated ExternalReference external_references = 20;
+ // Specifies optional sub-components. This is not a dependency tree. It provides a way to specify a hierarchical representation of component assemblies, similar to system -> subsystem -> parts assembly in physical supply chains.
+ repeated Component components = 21;
+ // Specifies optional, custom, properties
+ repeated Property properties = 22;
+ // Specifies optional license and copyright evidence.
+ optional Evidence evidence = 23;
+ // Specifies optional release notes.
+ optional ReleaseNotes releaseNotes = 24;
+ // A model card describes the intended uses of a machine learning model, potential limitations, biases, ethical considerations, training parameters, datasets used to train the model, performance metrics, and other relevant data useful for ML transparency.
+ optional ModelCard modelCard = 25;
+ // This object SHOULD be specified for any component of type `data` and must not be specified for other component types.
+ repeated ComponentData data = 26;
+ // Cryptographic assets have properties that uniquely define them and that make them actionable for further reasoning. As an example, it makes a difference if one knows the algorithm family (e.g. AES) or the specific variant or instantiation (e.g. AES-128-GCM). This is because the security level and the algorithm primitive (authenticated encryption) is only defined by the definition of the algorithm variant. The presence of a weak cryptographic algorithm like SHA1 vs. HMAC-SHA1 also makes a difference.
+ optional CryptoProperties cryptoProperties = 27;
+ // The organization that created the component. Manufacturer is common in components created through automated processes. Components created through manual means may have `.authors` instead.
+ optional OrganizationalEntity manufacturer = 28;
+ // The person(s) who created the component. Authors are common in components created through manual processes. Components created through automated means may have `.manufacturer` instead.
+ repeated OrganizationalContact authors = 29;
+ // Textual strings that aid in discovery, search, and retrieval of the associated object. Tags often serve as a way to group or categorize similar or related objects by various attributes. Examples include "json-parser", "object-persistence", "text-to-image", "translation", and "object-detection".
+ repeated string tags = 30;
+ // Specifies the OmniBOR Artifact ID. The OmniBOR, if specified, must be valid and conform to the specification defined at: https://www.iana.org/assignments/uri-schemes/prov/gitoid
+ repeated string omniborId = 31;
+ // Specifies the Software Heritage persistent identifier (SWHID). The SWHID, if specified, must be valid and conform to the specification defined at: https://docs.softwareheritage.org/devel/swh-model/persistent-identifiers.html
+ repeated string swhid = 32;
+}
+
+// Specifies the data flow.
+message DataFlow {
+ // Specifies the flow direction of the data.
+ DataFlowDirection flow = 1;
+ // Data classification tags data according to its type, sensitivity, and value if altered, stolen, or destroyed.
+ string value = 2;
+ // Name for the defined data
+ optional string name = 3;
+ // Short description of the data content and usage
+ optional string description = 4;
+ // The URI, URL, or BOM-Link of the components or services the data came in from
+ repeated string source = 5;
+ // The URI, URL, or BOM-Link of the components or services the data is sent to
+ repeated string destination = 6;
+ // Data Governance
+ optional DataGovernance governance = 7;
+}
+
+// Specifies the flow direction of the data. Valid values are: inbound, outbound, bi-directional, and unknown. Direction is relative to the service. Inbound flow states that data enters the service. Outbound flow states that data leaves the service. Bi-directional states that data flows both ways, and unknown states that the direction is not known.
+// buf:lint:ignore ENUM_VALUE_PREFIX -- Enum value names should be prefixed with "DATA_FLOW_DIRECTION_"
+enum DataFlowDirection {
+ // Default
+ // buf:lint:ignore ENUM_ZERO_VALUE_SUFFIX -- `null` is our fallback, doubling `unspecified`
+ DATA_FLOW_NULL = 0;
+ // Data that enters a service.
+ DATA_FLOW_INBOUND = 1;
+ // Data that exits a service.
+ DATA_FLOW_OUTBOUND = 2;
+ // Data flows in and out of the service.
+ DATA_FLOW_BI_DIRECTIONAL = 3;
+ // The directional flow of data is not known.
+ DATA_FLOW_UNKNOWN = 4;
+}
+
+// Defines the direct dependencies of a component, service, or the components provided/implemented by a given component. Components or services that do not have their own dependencies must be declared as empty elements within the graph. Components or services that are not represented in the dependency graph may have unknown dependencies. It is recommended that implementations assume this to be opaque and not an indicator of an object being dependency-free. It is recommended to leverage compositions to indicate unknown dependency graphs.
+message Dependency {
+ // References a component or service by its bom-ref attribute
+ string ref = 1;
+ // The bom-ref identifiers of the components or services that are dependencies of this dependency object.
+ repeated Dependency dependencies = 2;
+ // The bom-ref identifiers of the components or services that define a given specification or standard, which are provided or implemented by this dependency object.
+ repeated string provides = 3;
+}
+
+// The patch file (or diff) that shows changes. Refer to https://en.wikipedia.org/wiki/Diff
+message Diff {
+ // Specifies the optional text of the diff
+ optional AttachedText text = 1;
+ // Specifies the URL to the diff
+ optional string url = 2;
+}
+
+// External references provide a way to document systems, sites, and information that may be relevant but are not included with the BOM. They may also establish specific relationships within or external to the BOM.
+message ExternalReference {
+ // Specifies the type of external reference. There are built-in types to describe common references. If a type does not exist for the reference being referred to, use the "other" type.
+ ExternalReferenceType type = 1;
+ // The URL to the external reference
+ string url = 2;
+ // An optional comment describing the external reference
+ optional string comment = 3;
+ // Optional integrity hashes for the external resource content
+ repeated Hash hashes = 4;
+}
+
+enum ExternalReferenceType {
+ // Use this if no other types accurately describe the purpose of the external reference
+ // buf:lint:ignore ENUM_ZERO_VALUE_SUFFIX -- `other` is our fallback, doubling `unspecified`
+ EXTERNAL_REFERENCE_TYPE_OTHER = 0;
+ // Version Control System
+ EXTERNAL_REFERENCE_TYPE_VCS = 1;
+ // Issue, defect tracking system, or an Application Lifecycle Management (ALM) system
+ EXTERNAL_REFERENCE_TYPE_ISSUE_TRACKER = 2;
+ // Website
+ EXTERNAL_REFERENCE_TYPE_WEBSITE = 3;
+ // Security advisories
+ EXTERNAL_REFERENCE_TYPE_ADVISORIES = 4;
+ // Bill-of-material document (CycloneDX, SPDX, SWID, etc)
+ EXTERNAL_REFERENCE_TYPE_BOM = 5;
+ // Mailing list or discussion group
+ EXTERNAL_REFERENCE_TYPE_MAILING_LIST = 6;
+ // Social media account
+ EXTERNAL_REFERENCE_TYPE_SOCIAL = 7;
+ // Real-time chat platform
+ EXTERNAL_REFERENCE_TYPE_CHAT = 8;
+ // Documentation, guides, or how-to instructions
+ EXTERNAL_REFERENCE_TYPE_DOCUMENTATION = 9;
+ // Community or commercial support
+ EXTERNAL_REFERENCE_TYPE_SUPPORT = 10;
+ // Direct or repository download location
+ EXTERNAL_REFERENCE_TYPE_DISTRIBUTION = 11;
+ // The URL to the license file. If a license URL has been defined in the license node, it should also be defined as an external reference for completeness
+ EXTERNAL_REFERENCE_TYPE_LICENSE = 12;
+ // Build-system specific meta file (i.e. pom.xml, package.json, .nuspec, etc)
+ EXTERNAL_REFERENCE_TYPE_BUILD_META = 13;
+ // URL to an automated build system
+ EXTERNAL_REFERENCE_TYPE_BUILD_SYSTEM = 14;
+ // Specifies a way to contact the maintainer, supplier, or provider in the event of a security incident. Common URIs include links to a disclosure procedure, a mailto (RFC-2368) that specifies an email address, a tel (RFC-3966) that specifies a phone number, or dns (RFC-4501) that specifies the records containing DNS Security TXT.
+ EXTERNAL_REFERENCE_TYPE_SECURITY_CONTACT = 15;
+ // Human or machine-readable statements containing facts, evidence, or testimony
+ EXTERNAL_REFERENCE_TYPE_ATTESTATION = 16;
+ // An enumeration of identified weaknesses, threats, and countermeasures, dataflow diagram (DFD), attack tree, and other supporting documentation in human-readable or machine-readable format
+ EXTERNAL_REFERENCE_TYPE_THREAT_MODEL = 17;
+ // The defined assumptions, goals, and capabilities of an adversary.
+ EXTERNAL_REFERENCE_TYPE_ADVERSARY_MODEL = 18;
+ // Identifies and analyzes the potential of future events that may negatively impact individuals, assets, and/or the environment. Risk assessments may also include judgments on the tolerability of each risk.
+ EXTERNAL_REFERENCE_TYPE_RISK_ASSESSMENT = 19;
+ // The location where a component was published. This is often the same as "distribution" but may also include specialized publishing processes that act as an intermediary
+ EXTERNAL_REFERENCE_TYPE_DISTRIBUTION_INTAKE = 20;
+ // A Vulnerability Disclosure Report (VDR) which asserts the known and previously unknown vulnerabilities that affect a component, service, or product including the analysis and findings describing the impact (or lack of impact) that the reported vulnerability has on a component, service, or product
+ EXTERNAL_REFERENCE_TYPE_VULNERABILITY_ASSERTION = 21;
+ // A Vulnerability Exploitability eXchange (VEX) asserts the known vulnerabilities that do not affect a product, product family, or organization, and optionally, the ones that do. The VEX should include the analysis and findings describing the impact (or lack of impact) that the reported vulnerability has on the product, product family, or organization
+ EXTERNAL_REFERENCE_TYPE_EXPLOITABILITY_STATEMENT = 22;
+ // Results from an authorized simulated cyberattack on a component or service, otherwise known as a penetration test
+ EXTERNAL_REFERENCE_TYPE_PENTEST_REPORT = 23;
+ // SARIF or proprietary machine or human-readable report for which static analysis has identified code quality, security, and other potential issues with the source code
+ EXTERNAL_REFERENCE_TYPE_STATIC_ANALYSIS_REPORT = 24;
+ // Dynamic analysis report that has identified issues such as vulnerabilities and misconfigurations
+ EXTERNAL_REFERENCE_TYPE_DYNAMIC_ANALYSIS_REPORT = 25;
+ // Report generated by analyzing the call stack of a running application
+ EXTERNAL_REFERENCE_TYPE_RUNTIME_ANALYSIS_REPORT = 26;
+ // Report generated by Software Composition Analysis (SCA), container analysis, or other forms of component analysis
+ EXTERNAL_REFERENCE_TYPE_COMPONENT_ANALYSIS_REPORT = 27;
+ // Report containing a formal assessment of an organization, business unit, or team against a maturity model
+ EXTERNAL_REFERENCE_TYPE_MATURITY_REPORT = 28;
+ // Industry, regulatory, or other certification from an accredited (if applicable) certification body
+ EXTERNAL_REFERENCE_TYPE_CERTIFICATION_REPORT = 29;
+ // Report or system in which quality metrics can be obtained
+ EXTERNAL_REFERENCE_TYPE_QUALITY_METRICS = 30;
+ // Code or configuration that defines and provisions virtualized infrastructure, commonly referred to as Infrastructure as Code (IaC)
+ EXTERNAL_REFERENCE_TYPE_CODIFIED_INFRASTRUCTURE = 31;
+ // A model card describes the intended uses of a machine learning model, potential limitations, biases, ethical considerations, training parameters, datasets used to train the model, performance metrics, and other relevant data useful for ML transparency.
+ EXTERNAL_REFERENCE_TYPE_MODEL_CARD = 32;
+ // Plans of Action and Milestones (POA&M) complement an "attestation" external reference. POA&M is defined by NIST as a "document that identifies tasks needing to be accomplished. It details resources required to accomplish the elements of the plan, any milestones in meeting the tasks and scheduled completion dates for the milestones".
+ EXTERNAL_REFERENCE_TYPE_POAM = 33;
+ // A record of events that occurred in a computer system or application, such as problems, errors, or information on current operations.
+ EXTERNAL_REFERENCE_TYPE_LOG = 34;
+ // Parameters or settings that may be used by other components or services.
+ EXTERNAL_REFERENCE_TYPE_CONFIGURATION = 35;
+ // Information used to substantiate a claim.
+ EXTERNAL_REFERENCE_TYPE_EVIDENCE = 36;
+ // Describes how a component or service was manufactured or deployed.
+ EXTERNAL_REFERENCE_TYPE_FORMULATION = 37;
+ // The location where the source code distributable can be obtained. This is often an archive format such as zip or tar.gz. The source-distribution type complements the use of the version control (vcs) type.
+ EXTERNAL_REFERENCE_TYPE_SOURCE_DISTRIBUTION = 38;
+ // An e-signature is commonly a scanned representation of a written signature or a stylized script of the person's name.
+ EXTERNAL_REFERENCE_TYPE_ELECTRONIC_SIGNATURE = 39;
+ // A signature that leverages cryptography, typically public/private key pairs, which provides strong authenticity verification.
+ EXTERNAL_REFERENCE_TYPE_DIGITAL_SIGNATURE = 40;
+ // Document that complies with RFC-9116 (A File Format to Aid in Security Vulnerability Disclosure)
+ EXTERNAL_REFERENCE_TYPE_RFC_9116 = 41;
+ // Reference to release notes
+ EXTERNAL_REFERENCE_TYPE_RELEASE_NOTES = 42;
+}
+
+enum HashAlg {
+ // buf:lint:ignore ENUM_ZERO_VALUE_SUFFIX -- `null` is our fallback, doubling `unspecified`
+ HASH_ALG_NULL = 0;
+ HASH_ALG_MD_5 = 1;
+ HASH_ALG_SHA_1 = 2;
+ HASH_ALG_SHA_256 = 3;
+ HASH_ALG_SHA_384 = 4;
+ HASH_ALG_SHA_512 = 5;
+ HASH_ALG_SHA_3_256 = 6;
+ HASH_ALG_SHA_3_384 = 7;
+ HASH_ALG_SHA_3_512 = 8;
+ HASH_ALG_BLAKE_2_B_256 = 9;
+ HASH_ALG_BLAKE_2_B_384 = 10;
+ HASH_ALG_BLAKE_2_B_512 = 11;
+ HASH_ALG_BLAKE_3 = 12;
+}
+
+// Specifies the file hash of the component
+message Hash {
+ // Specifies the algorithm used to create the hash
+ HashAlg alg = 1;
+ // SimpleContent value of element
+ string value = 2;
+}
+
+message IdentifiableAction {
+ // The timestamp in which the action occurred
+ optional google.protobuf.Timestamp timestamp = 1;
+ // The name of the individual who performed the action
+ optional string name = 2;
+ // The email address of the individual who performed the action
+ optional string email = 3;
+}
+
+enum IssueClassification {
+ // Default
+ // buf:lint:ignore ENUM_ZERO_VALUE_SUFFIX -- `null` is our fallback, doubling `unspecified`
+ ISSUE_CLASSIFICATION_NULL = 0;
+ // A fault, flaw, or bug in software
+ ISSUE_CLASSIFICATION_DEFECT = 1;
+ // A new feature or behavior in software
+ ISSUE_CLASSIFICATION_ENHANCEMENT = 2;
+ // A special type of defect which impacts security
+ ISSUE_CLASSIFICATION_SECURITY = 3;
+}
+
+// An individual issue that has been resolved.
+message Issue {
+ // Specifies the type of issue
+ IssueClassification type = 1;
+ // The identifier of the issue assigned by the source of the issue
+ optional string id = 2;
+ // The name of the issue
+ optional string name = 3;
+ // A description of the issue
+ optional string description = 4;
+ // The source of the issue where it is documented
+ optional Source source = 5;
+ // A collection of URL's for reference. Multiple URLs are allowed. Example: "https://example.com"
+ repeated string references = 6;
+}
+
+// The source of the issue where it is documented.
+message Source {
+ // The name of the source. For example, "National Vulnerability Database", "NVD", and "Apache"
+ optional string name = 1;
+ // The url of the issue documentation as provided by the source
+ optional string url = 2;
+}
+
+message LicenseChoice {
+ oneof choice {
+ // A license
+ License license = 1;
+ // A valid SPDX license expression. Refer to https://spdx.org/specifications for syntax requirements
+ string expression = 2;
+ }
+ // This field must only be used when "expression" is chosen as the License object has its own acknowledgement.
+ optional LicenseAcknowledgementEnumeration acknowledgement = 3;
+ // This field must only be used when "expression" is chosen as the License object has its own bom_ref.
+ optional string bom_ref = 4;
+}
+
+// Specifies the details and attributes related to a software license. It can either include a valid SPDX license identifier or a named license, along with additional properties such as license acknowledgment, comprehensive commercial licensing information, and the full text of the license.
+message License {
+ oneof license {
+ // A valid SPDX license identifier. If specified, this value must be one of the enumeration of valid SPDX license identifiers defined in the spdx.schema.json (or spdx.xml) subschema which is synchronized with the official SPDX license list.
+ string id = 1;
+ // The name of the license. This may include the name of a commercial or proprietary license or an open source license that may not be defined by SPDX.
+ string name = 2;
+ }
+ // Specifies the optional full text of the attachment
+ optional AttachedText text = 3;
+ // The URL to the attachment file. If the attachment is a license or BOM, an externalReference should also be specified for completeness.
+ optional string url = 4;
+ // An optional identifier which can be used to reference the license elsewhere in the BOM. Uniqueness is enforced within all elements and children of the root-level bom element.
+ optional string bom_ref = 5;
+ // Licensing details describing the licensor/licensee, license type, renewal and expiration dates, and other important metadata
+ optional Licensing licensing = 6;
+ // Specifies optional, custom, properties
+ repeated Property properties = 7;
+ // Declared licenses and concluded licenses represent two different stages in the licensing process within software development. Declared licenses refer to the initial intention of the software authors regarding the licensing terms under which their code is released. On the other hand, concluded licenses are the result of a comprehensive analysis of the project's codebase to identify and confirm the actual licenses of the components used, which may differ from the initially declared licenses. While declared licenses provide an upfront indication of the licensing intentions, concluded licenses offer a more thorough understanding of the actual licensing within a project, facilitating proper compliance and risk management. Observed licenses are defined in `@.evidence.licenses`. Observed licenses form the evidence necessary to substantiate a concluded license.
+ optional LicenseAcknowledgementEnumeration acknowledgement = 8;
+}
+
+// Declared licenses and concluded licenses represent two different stages in the licensing process within software development. Declared licenses refer to the initial intention of the software authors regarding the licensing terms under which their code is released. On the other hand, concluded licenses are the result of a comprehensive analysis of the project's codebase to identify and confirm the actual licenses of the components used, which may differ from the initially declared licenses. While declared licenses provide an upfront indication of the licensing intentions, concluded licenses offer a more thorough understanding of the actual licensing within a project, facilitating proper compliance and risk management. Observed licenses are defined in `@.evidence.licenses`. Observed licenses form the evidence necessary to substantiate a concluded license.
+enum LicenseAcknowledgementEnumeration {
+ // The license acknowledgement is not specified.
+ LICENSE_ACKNOWLEDGEMENT_ENUMERATION_UNSPECIFIED = 0;
+ // Declared licenses represent the initial intentions of authors regarding the licensing terms of their code.
+ LICENSE_ACKNOWLEDGEMENT_ENUMERATION_DECLARED = 1;
+ // Concluded licenses are verified and confirmed.
+ LICENSE_ACKNOWLEDGEMENT_ENUMERATION_CONCLUDED = 2; +} + +message Licensing { + // License identifiers that may be used to manage licenses and their lifecycle + repeated string altIds = 1; + // The individual or organization that grants a license to another individual or organization + optional OrganizationalEntityOrContact licensor = 2; + // The individual or organization for which a license was granted to + optional OrganizationalEntityOrContact licensee = 3; + // The individual or organization that purchased the license + optional OrganizationalEntityOrContact purchaser = 4; + // The purchase order identifier the purchaser sent to a supplier or vendor to authorize a purchase + optional string purchaseOrder = 5; + // The type of license(s) that was granted to the licensee + repeated LicensingTypeEnum licenseTypes = 6; + // The timestamp indicating when the license was last renewed. For new purchases, this is often the purchase or acquisition date. For non-perpetual licenses or subscriptions, this is the timestamp of when the license was last renewed. + optional google.protobuf.Timestamp lastRenewal = 7; + // The timestamp indicating when the current license expires (if applicable). + optional google.protobuf.Timestamp expiration = 8; +} + +// EITHER an organization OR an individual +message OrganizationalEntityOrContact { + oneof choice { + // Organization + OrganizationalEntity organization = 1; + // Individual + OrganizationalContact individual = 2; + } +} + +// buf:lint:ignore ENUM_VALUE_PREFIX -- Enum value names should be prefixed with "LICENSING_TYPE_ENUM_" +enum LicensingTypeEnum { + // buf:lint:ignore ENUM_ZERO_VALUE_SUFFIX -- `null` is our fallback, doubling `unspecified` + LICENSING_TYPE_NULL = 0; + // A license that grants use of software solely for the purpose of education or research. + LICENSING_TYPE_ACADEMIC = 1; + // A license covering use of software embedded in a specific piece of hardware. 
+ LICENSING_TYPE_APPLIANCE = 2; + // A Client Access License (CAL) allows client computers to access services provided by server software. + LICENSING_TYPE_CLIENT_ACCESS = 3; + // A Concurrent User license (aka floating license) limits the number of licenses for a software application and licenses are shared among a larger number of users. + LICENSING_TYPE_CONCURRENT_USER = 4; + // A license where the core of a computer's processor is assigned a specific number of points. + LICENSING_TYPE_CORE_POINTS = 5; + // A license for which consumption is measured by non-standard metrics. + LICENSING_TYPE_CUSTOM_METRIC = 6; + // A license that covers a defined number of installations on computers and other types of devices. + LICENSING_TYPE_DEVICE = 7; + // A license that grants permission to install and use software for trial purposes. + LICENSING_TYPE_EVALUATION = 8; + // A license that grants access to the software to one or more pre-defined users. + LICENSING_TYPE_NAMED_USER = 9; + // A license that grants access to the software on one or more pre-defined computers or devices. + LICENSING_TYPE_NODE_LOCKED = 10; + // An Original Equipment Manufacturer license that is delivered with hardware, cannot be transferred to other hardware, and is valid for the life of the hardware. + LICENSING_TYPE_OEM = 11; + // A license where the software is sold on a one-time basis and the licensee can use a copy of the software indefinitely. + LICENSING_TYPE_PERPETUAL = 12; + // A license where each installation consumes points per processor. + LICENSING_TYPE_PROCESSOR_POINTS = 13; + // A license where the licensee pays a fee to use the software or service. + LICENSING_TYPE_SUBSCRIPTION = 14; + // A license that grants access to the software or service by a specified number of users. + LICENSING_TYPE_USER = 15; + // Another license type. + LICENSING_TYPE_OTHER = 16; +} + +message Metadata { + // The date and time (timestamp) when the document was created. 
+ optional google.protobuf.Timestamp timestamp = 1; + // The tool(s) used in the creation of the BOM. + optional Tool tools = 2; + // The person(s) who created the BOM. Authors are common in BOMs created through manual processes. BOMs created through automated means may have '.manufacturer' instead. + repeated OrganizationalContact authors = 3; + // The component that the BOM describes. + optional Component component = 4; + // DEPRECATED - DO NOT USE - This will be removed in a future version - Use the `.component.manufacturer` instead. The organization that manufactured the component that the BOM describes. + optional OrganizationalEntity manufacture = 5 [deprecated = true]; + // The organization that supplied the component that the BOM describes. The supplier may often be the manufacture, but may also be a distributor or repackager. + optional OrganizationalEntity supplier = 6; + // The license information for the BOM document. This may be different from the license(s) of the component(s) that the BOM describes. + // EITHER (list of SPDX licenses and/or named licenses) OR (tuple of one SPDX License Expression) + repeated LicenseChoice licenses = 7; + // Specifies optional, custom, properties + repeated Property properties = 8; + // Lifecycles communicate the stage(s) in which data in the BOM was captured. Different types of data may be available at various phases of a lifecycle, such as the Software Development Lifecycle (SDLC), IT Asset Management (ITAM), and Software Asset Management (SAM). Thus, a BOM may include data specific to or only obtainable in a given lifecycle. + repeated Lifecycles lifecycles = 9; + // The organization that created the BOM. Manufacturer is common in BOMs created through automated processes. BOMs created through manual means may have '.authors' instead. + optional OrganizationalEntity manufacturer = 10; +} + +message Lifecycles { + oneof choice { + // A pre-defined phase in the product lifecycle. 
+ LifecyclePhase phase = 1; + // The name of the lifecycle phase + string name = 2; + } + // The description of the lifecycle phase + optional string description = 3; +} + +enum LifecyclePhase { + // BOM produced early in the development lifecycle containing an inventory of components and services that are proposed or planned to be used. The inventory may need to be procured, retrieved, or resourced prior to use. + // buf:lint:ignore ENUM_ZERO_VALUE_SUFFIX -- value `0` is a fallback(meaning "unspecified") in protobuf3. this usage here is an error; it shall be fixed with v2.0 of this very schema + LIFECYCLE_PHASE_DESIGN = 0; + // BOM consists of information obtained prior to a build process and may contain source files, development artifacts, and manifests. The inventory may need to be resolved and retrieved prior to use. + LIFECYCLE_PHASE_PRE_BUILD = 1; + // BOM consisting of information obtained during a build process where component inventory is available for use. The precise versions of resolved components are usually available at this time as well as the provenance of where the components were retrieved from. + LIFECYCLE_PHASE_BUILD = 2; + // BOM consisting of information obtained after a build process has completed and the resulting components(s) are available for further analysis. Built components may exist as the result of a CI/CD process, may have been installed or deployed to a system or device, and may need to be retrieved or extracted from the system or device. + LIFECYCLE_PHASE_POST_BUILD = 3; + // BOM produced that represents inventory that is running and operational. This may include staging or production environments and will generally encompass multiple SBOMs describing the applications and operating system, along with HBOMs describing the hardware that makes up the system. Operations Bill of Materials (OBOM) can provide full-stack inventory of runtime environments, configurations, and additional dependencies. 
+ LIFECYCLE_PHASE_OPERATIONS = 4; + // BOM consisting of information observed through network discovery providing point-in-time enumeration of embedded, on-premise, and cloud-native services such as server applications, connected devices, microservices, and serverless functions. + LIFECYCLE_PHASE_DISCOVERY = 5; + // BOM containing inventory that will be, or has been retired from operations. + LIFECYCLE_PHASE_DECOMMISSION = 6; +} + +message OrganizationalContact { + // The name of the contact + optional string name = 1; + // The email address of the contact. + optional string email = 2; + // The phone number of the contact. + optional string phone = 3; + // An optional identifier which can be used to reference the object elsewhere in the BOM. Uniqueness is enforced within all elements and children of the root-level bom element. + optional string bom_ref = 4; +} + +message OrganizationalEntity { + // The name of the organization + optional string name = 1; + // The URL of the organization. Multiple URLs are allowed. + repeated string url = 2; + // A contact person at the organization. Multiple contacts are allowed. + repeated OrganizationalContact contact = 3; + // An optional identifier which can be used to reference the object elsewhere in the BOM. Uniqueness is enforced within all elements and children of the root-level bom element. + optional string bom_ref = 4; + // The physical address (location) of the organization + optional PostalAddressType address = 5; +} + +enum PatchClassification { + // Default + // buf:lint:ignore ENUM_ZERO_VALUE_SUFFIX -- `null` is our fallback, doubling `unspecified` + PATCH_CLASSIFICATION_NULL = 0; + // A patch which is not developed by the creators or maintainers of the software being patched. Refer to https://en.wikipedia.org/wiki/Unofficial_patch + PATCH_CLASSIFICATION_UNOFFICIAL = 1; + // A patch which dynamically modifies runtime behavior. 
Refer to https://en.wikipedia.org/wiki/Monkey_patch + PATCH_CLASSIFICATION_MONKEY = 2; + // A patch which takes code from a newer version of software and applies it to older versions of the same software. Refer to https://en.wikipedia.org/wiki/Backporting + PATCH_CLASSIFICATION_BACKPORT = 3; + // A patch created by selectively applying commits from other versions or branches of the same software. + PATCH_CLASSIFICATION_CHERRY_PICK = 4; +} + +// Specifies an individual patch +message Patch { + // Specifies the purpose for the patch, including the resolution of defects, security issues, or new behavior or functionality + PatchClassification type = 1; + // The patch file (or diff) that show changes. Refer to https://en.wikipedia.org/wiki/Diff + optional Diff diff = 2; + // A collection of issues the patch resolves + repeated Issue resolves = 3; +} + +// Component pedigree is a way to document complex supply chain scenarios where components are created, distributed, modified, redistributed, combined with other components, etc. Pedigree supports viewing this complex chain from the beginning, the end, or anywhere in the middle. It also provides a way to document variants where the exact relation may not be known. +message Pedigree { + // Describes zero or more components in which a component is derived from. This is commonly used to describe forks from existing projects where the forked version contains an ancestor node containing the original component it was forked from. For example, Component A is the original component. Component B is the component being used and documented in the BOM. However, Component B contains a pedigree node with a single ancestor documenting Component A - the original component from which Component B is derived from. + repeated Component ancestors = 1; + // Descendants are the exact opposite of ancestors. This provides a way to document all forks (and their forks) of an original or root component. 
+ repeated Component descendants = 2; + // Variants describe relations where the relationship between the components is not known. For example, if Component A contains nearly identical code to Component B. They are both related, but it is unclear if one is derived from the other or if they share a common ancestor. + repeated Component variants = 3; + // A list of zero or more commits which provide a trail describing how the component deviates from an ancestor, descendant, or variant. + repeated Commit commits = 4; + // A list of zero or more patches describing how the component deviates from an ancestor, descendant, or variant. Patches may be complementary to commits or may be used in place of commits. + repeated Patch patches = 5; + // Notes, observations, and other non-structured commentary describing the component's pedigree. + optional string notes = 6; +} + +enum Scope { + // Default + SCOPE_UNSPECIFIED = 0; + // The component is required for runtime + SCOPE_REQUIRED = 1; + // The component is optional at runtime. Optional components are components that are not capable of being called due to them not being installed or otherwise accessible by any means. Components that are installed but, due to configuration or other restrictions, are prohibited from being called must be scoped as 'required'. + SCOPE_OPTIONAL = 2; + // Components that are excluded provide the ability to document component usage for test and other non-runtime purposes. Excluded components are not reachable within a call graph at runtime. + SCOPE_EXCLUDED = 3; +} + +message Service { + // An optional identifier which can be used to reference the service elsewhere in the BOM. Uniqueness is enforced within all elements and children of the root-level bom element. + optional string bom_ref = 1; + // The organization that provides the service. + optional OrganizationalEntity provider = 2; + // The grouping name, namespace, or identifier. 
This will often be a shortened, single name of the company or project that produced the service or domain name. Whitespace and special characters should be avoided. + optional string group = 3; + // The name of the service. This will often be a shortened, single name of the service. + string name = 4; + // The service version. + optional string version = 5; + // Specifies a description for the service. + optional string description = 6; + // The endpoint URIs of the service. Multiple endpoints are allowed. Example: "https://example.com/api/v1/ticker" + repeated string endpoints = 7; + // A boolean value indicating if the service requires authentication. A value of true indicates the service requires authentication prior to use. A value of false indicates the service does not require authentication. + optional bool authenticated = 8; + // A boolean value indicating if the use of the service crosses a trust zone or boundary. A value of true indicates that by using the service, a trust boundary is crossed. A value of false indicates that by using the service, a trust boundary is not crossed. + optional bool x_trust_boundary = 9; + // Specifies information about the data including the directional flow of data and the data classification. + repeated DataFlow data = 10; + // EITHER (list of SPDX licenses and/or named licenses) OR (tuple of one SPDX License Expression) + repeated LicenseChoice licenses = 11; + // Provides the ability to document external references related to the service. + repeated ExternalReference external_references = 12; + // Specifies optional sub-service. This is not a dependency tree. It provides a way to specify a hierarchical representation of service assemblies, similar to system -> subsystem -> parts assembly in physical supply chains. + repeated Service services = 13; + // Specifies optional, custom, properties + repeated Property properties = 14; + // Specifies optional release notes. 
+ optional ReleaseNotes releaseNotes = 15; + // The name of the trust zone the service resides in. + optional string trustZone = 16; + // Textual strings that aid in the discovery, search, and retrieval of the associated object. Tags often serve as a way to group or categorize similar or related objects by various attributes. Examples include "json-parser", "object-persistence", "text-to-image", "translation", and "object-detection". + repeated string tags = 17; +} + +// Specifies metadata and content for ISO-IEC 19770-2 Software Identification (SWID) Tags. +message Swid { + // Maps to the tagId of a SoftwareIdentity. + string tag_id = 1; + // Maps to the name of a SoftwareIdentity. + string name = 2; + // Maps to the version of a SoftwareIdentity. Defaults to '0.0' if not specified. + optional string version = 3; + // Maps to the tagVersion of a SoftwareIdentity. Defaults to '0' if not specified. + optional int32 tag_version = 4; + // Maps to the patch of a SoftwareIdentity. Defaults to 'false' if not specified. + optional bool patch = 5; + // Specifies the full content of the SWID tag. + optional AttachedText text = 6; + // The URL to the SWID file. + optional string url = 7; +} + +// Specifies a tool (manual or automated). +message Tool { + // DEPRECATED - DO NOT USE - The vendor of the tool used to create the BOM. + optional string vendor = 1 [deprecated = true]; + // DEPRECATED - DO NOT USE - The name of the tool used to create the BOM. + optional string name = 2 [deprecated = true]; + // DEPRECATED - DO NOT USE - The version of the tool used to create the BOM. + optional string version = 3 [deprecated = true]; + // DEPRECATED - DO NOT USE + repeated Hash hashes = 4 [deprecated = true]; + // DEPRECATED - DO NOT USE - Provides the ability to document external references related to the tool. 
+ repeated ExternalReference external_references = 5 [deprecated = true]; + // A list of software and hardware components used as tools + repeated Component components = 6; + // A list of services used as tools. This may include microservices, function-as-a-service, and other types of network or intra-process services. + repeated Service services = 7; +} + +// Specifies a property +message Property { + // Name (or key) + string name = 1; + // Value + optional string value = 2; +} + +enum Aggregate { + // The relationship completeness is not specified. + // buf:lint:ignore ENUM_ZERO_VALUE_SUFFIX -- `not specified` is our fallback, doubling `unspecified` + AGGREGATE_NOT_SPECIFIED = 0; + // The relationship is complete. No further relationships including constituent components, services, or dependencies are known to exist. + AGGREGATE_COMPLETE = 1; + // The relationship is incomplete. Additional relationships exist and may include constituent components, services, or dependencies. + AGGREGATE_INCOMPLETE = 2; + // The relationship is incomplete. Only relationships for first-party components, services, or their dependencies are represented. + AGGREGATE_INCOMPLETE_FIRST_PARTY_ONLY = 3; + // The relationship is incomplete. Only relationships for third-party components, services, or their dependencies are represented. + AGGREGATE_INCOMPLETE_THIRD_PARTY_ONLY = 4; + // The relationship may be complete or incomplete. This usually signifies a 'best-effort' to obtain constituent components, services, or dependencies but the completeness is inconclusive. + AGGREGATE_UNKNOWN = 5; + // The relationship is incomplete. Only relationships for first-party components, services, or their dependencies are represented, limited specifically to those that are proprietary. + AGGREGATE_INCOMPLETE_FIRST_PARTY_PROPRIETARY_ONLY = 6; + // The relationship is incomplete. 
Only relationships for first-party components, services, or their dependencies are represented, limited specifically to those that are opensource. + AGGREGATE_INCOMPLETE_FIRST_PARTY_OPENSOURCE_ONLY = 7; + // The relationship is incomplete. Only relationships for third-party components, services, or their dependencies are represented, limited specifically to those that are proprietary. + AGGREGATE_INCOMPLETE_THIRD_PARTY_PROPRIETARY_ONLY = 8; + // The relationship is incomplete. Only relationships for third-party components, services, or their dependencies are represented, limited specifically to those that are opensource. + AGGREGATE_INCOMPLETE_THIRD_PARTY_OPENSOURCE_ONLY = 9; +} + +message Composition { + // Indicates the aggregate completeness + Aggregate aggregate = 1; + // The assemblies the aggregate completeness applies to + repeated string assemblies = 2; + // The dependencies the aggregate completeness applies to + repeated string dependencies = 3; + // The bom-ref identifiers of the vulnerabilities being described. + repeated string vulnerabilities = 4; + // An optional identifier which can be used to reference the composition elsewhere in the BOM. Every bom-ref must be unique within the BOM. + optional string bom_ref = 5; +} + +message EvidenceCopyright { + // Copyright text + string text = 1; +} + +// Provides the ability to document evidence collected through various forms of extraction or analysis. +message Evidence { + // EITHER (list of SPDX licenses and/or named licenses) OR (tuple of one SPDX License Expression) + repeated LicenseChoice licenses = 1; + // Copyright evidence captures intellectual property assertions, providing evidence of possible ownership and legal protection. + repeated EvidenceCopyright copyright = 2; + // Evidence that substantiates the identity of a component. The identity may be an object or an array of identity objects. Support for specifying identity as a single object was introduced in CycloneDX v1.5. 
Arrays were introduced in v1.6. It is recommended that all implementations use arrays, even if only one identity object is specified. + repeated EvidenceIdentity identity = 3; + // Evidence of individual instances of a component spread across multiple locations. + repeated EvidenceOccurrences occurrences = 4; + // Evidence of the components use through the callstack. + optional Callstack callstack = 5; +} + +message Callstack { + // Within a call stack, a frame is a discrete unit that encapsulates an execution context, including local variables, parameters, and the return address. As function calls are made, frames are pushed onto the stack, forming an array-like structure that orchestrates the flow of program execution and manages the sequence of function invocations. + repeated Frames frames = 1; + + message Frames { + // A package organizes modules into namespaces, providing a unique namespace for each type it contains. + optional string package = 1; + // A module or class that encloses functions/methods and other code. + string module = 2; + // A block of code designed to perform a particular task. + optional string function = 3; + // Optional arguments that are passed to the module or function. + repeated string parameters = 4; + // The line number the code that is called resides on. + optional int32 line = 5; + // The column the code that is called resides. + optional int32 column = 6; + // The full path and filename of the module. + optional string fullFilename = 7; + } +} + +message EvidenceIdentity { + // The identity field of the component which the evidence describes. + EvidenceFieldType field = 1; + // The overall confidence of the evidence from 0 - 1, where 1 is 100% confidence. + optional float confidence = 2; + // The methods used to extract and/or analyze the evidence. + repeated EvidenceMethods methods = 3; + // The object in the BOM identified by its bom-ref. This is often a component or service, but may be any object type supporting bom-refs. 
Tools used for analysis should already be defined in the BOM, either in the metadata/tools, components, or formulation. + repeated string tools = 4; + // The value of the field (cpe, purl, etc) that has been concluded based on the aggregate of all methods (if available). + optional string concludedValue = 5; +} + +message EvidenceMethods { + // The technique used in this method of analysis. + EvidenceTechnique technique = 1; + // The confidence of the evidence from 0 - 1, where 1 is 100% confidence. Confidence is specific to the technique used. Each technique of analysis can have independent confidence. + float confidence = 2; + // The value or contents of the evidence. + optional string value = 3; +} + +message EvidenceOccurrences { + // An optional identifier which can be used to reference the occurrence elsewhere in the BOM. Every bom-ref must be unique within the BOM. + optional string bom_ref = 1; + // The location or path to where the component was found. + string location = 2; + // The line number where the component was found. + optional int32 line = 3; + // The offset where the component was found. + optional int32 offset = 4; + // The symbol name that was found associated with the component. + optional string symbol = 5; + // Any additional context of the detected component (e.g. a code snippet). 
+ optional string additionalContext = 6; +} + +// buf:lint:ignore ENUM_VALUE_PREFIX -- Enum value names should be prefixed with "EVIDENCE_FIELD_TYPE_" +enum EvidenceFieldType { + // buf:lint:ignore ENUM_ZERO_VALUE_SUFFIX -- `null` is our fallback, doubling `unspecified` + EVIDENCE_FIELD_NULL = 0; + EVIDENCE_FIELD_GROUP = 1; + EVIDENCE_FIELD_NAME = 2; + EVIDENCE_FIELD_VERSION = 3; + EVIDENCE_FIELD_PURL = 4; + EVIDENCE_FIELD_CPE = 5; + EVIDENCE_FIELD_SWID = 6; + EVIDENCE_FIELD_HASH = 7; + EVIDENCE_FIELD_OMNIBOR_ID = 8; + EVIDENCE_FIELD_SWHID = 9; +} + +enum EvidenceTechnique { + // buf:lint:ignore ENUM_ZERO_VALUE_SUFFIX -- value `0` is a fallback(meaning "unspecified") in protobuf3. this usage here is an error, it shall be fixed with v2.0 of this very schema + EVIDENCE_TECHNIQUE_SOURCE_CODE_ANALYSIS = 0; + EVIDENCE_TECHNIQUE_BINARY_ANALYSIS = 1; + EVIDENCE_TECHNIQUE_MANIFEST_ANALYSIS = 2; + EVIDENCE_TECHNIQUE_AST_FINGERPRINT = 3; + EVIDENCE_TECHNIQUE_HASH_COMPARISON = 4; + EVIDENCE_TECHNIQUE_INSTRUMENTATION = 5; + EVIDENCE_TECHNIQUE_DYNAMIC_ANALYSIS = 6; + EVIDENCE_TECHNIQUE_FILENAME = 7; + EVIDENCE_TECHNIQUE_ATTESTATION = 8; + EVIDENCE_TECHNIQUE_OTHER = 9; +} + +// A note containing the locale and content. +message Note { + // The ISO-639 (or higher) language code and optional ISO-3166 (or higher) country code. Examples include: "en", "en-US", "fr" and "fr-CA". + optional string locale = 1; + // Specifies the full content of the release note. + optional AttachedText text = 2; +} + +message ReleaseNotes { + // The software versioning type. It is recommended that the release type use one of 'major', 'minor', 'patch', 'pre-release', or 'internal'. Representing all possible software release types is not practical, so standardizing on the recommended values, whenever possible, is strongly encouraged. + string type = 1; + // The title of the release. + optional string title = 2; + // The URL to an image that may be prominently displayed with the release note. 
+ optional string featuredImage = 3; + // The URL to an image that may be used in messaging on social media platforms. + optional string socialImage = 4; + // A short description of the release. + optional string description = 5; + // The date and time (timestamp) when the release note was created. + optional google.protobuf.Timestamp timestamp = 6; + // Optional alternate names the release may be referred to. This may include unofficial terms used by development and marketing teams (e.g. code names). + repeated string aliases = 7; + // Textual strings that aid in the discovery, search, and retrieval of the associated object. Tags often serve as a way to group or categorize similar or related objects by various attributes. Examples include "json-parser", "object-persistence", "text-to-image", "translation", and "object-detection". + repeated string tags = 8; + // A collection of issues that have been resolved. + repeated Issue resolves = 9; + // Zero or more release notes containing the locale and content. Multiple note messages may be specified to support release notes in a wide variety of languages. + repeated Note notes = 10; + // Specifies optional, custom, properties + repeated Property properties = 11; +} + +// Defines a weakness in a component or service that could be exploited or triggered by a threat source. +message Vulnerability { + // An optional identifier which can be used to reference the vulnerability elsewhere in the BOM. Uniqueness is enforced within all elements and children of the root-level bom element. + optional string bom_ref = 1; + // The identifier that uniquely identifies the vulnerability. + optional string id = 2; + // The source that published the vulnerability. + optional Source source = 3; + // Zero or more pointers to vulnerabilities that are the equivalent of the vulnerability specified. Oftentimes, the same vulnerability may exist in multiple sources of vulnerability intelligence but have different identifiers. 
References provide a way to correlate vulnerabilities across multiple sources of vulnerability intelligence. + repeated VulnerabilityReference references = 4; + // List of vulnerability ratings + repeated VulnerabilityRating ratings = 5; + // List of Common Weaknesses Enumerations (CWEs) codes that describe this vulnerability. For example, 399 (of https://cwe.mitre.org/data/definitions/399.html) + repeated int32 cwes = 6; + // A description of the vulnerability as provided by the source. + optional string description = 7; + // If available, an in-depth description of the vulnerability as provided by the source organization. Details often include information useful in understanding the root cause. + optional string detail = 8; + // Recommendations of how the vulnerability can be remediated or mitigated. + optional string recommendation = 9; + // Published advisories of the vulnerability if provided. + repeated Advisory advisories = 10; + // The date and time (timestamp) when the vulnerability record was created in the vulnerability database. + optional google.protobuf.Timestamp created = 11; + // The date and time (timestamp) when the vulnerability record was first published. + optional google.protobuf.Timestamp published = 12; + // The date and time (timestamp) when the vulnerability record was last updated. + optional google.protobuf.Timestamp updated = 13; + // Individuals or organizations credited with the discovery of the vulnerability. + optional VulnerabilityCredits credits = 14; + // The tool(s) used to identify, confirm, or score the vulnerability. + optional Tool tools = 15; + // An assessment of the impact and exploitability of the vulnerability. + optional VulnerabilityAnalysis analysis = 16; + // affects + repeated VulnerabilityAffects affects = 17; + // Specifies optional, custom, properties + repeated Property properties = 18; + // The date and time (timestamp) when the vulnerability record was rejected (if applicable). 
+ optional google.protobuf.Timestamp rejected = 19; + // Evidence used to reproduce the vulnerability. + optional ProofOfConcept proofOfConcept = 20; + // A bypass, usually temporary, of the vulnerability that reduces its likelihood and/or impact. Workarounds often involve changes to configuration or deployments. + optional string workaround = 21; +} + +message ProofOfConcept { + // Precise steps to reproduce the vulnerability. + optional string reproductionSteps = 1; + // A description of the environment in which reproduction was possible. + optional string environment = 2; + // Supporting material that helps in reproducing or understanding how reproduction is possible. This may include screenshots, payloads, and PoC exploit code. + repeated AttachedText supportingMaterial = 3; +} + +message VulnerabilityReference { + // An identifier that uniquely identifies the vulnerability. + string id = 1; + // The source that published the vulnerability. + Source source = 2; +} + +message VulnerabilityRating { + // The source that calculated the severity or risk rating of the vulnerability. + optional Source source = 1; + // The numerical score of the rating. + optional double score = 2; + // Textual representation of the severity that corresponds to the numerical score of the rating. + optional Severity severity = 3; + // Specifies the severity or risk scoring methodology or standard used. + optional ScoreMethod method = 4; + // Textual representation of the metric values used to score the vulnerability. + optional string vector = 5; + // An optional reason for rating the vulnerability as it was. + optional string justification = 6; +} + +// Textual representation of the severity of the vulnerability adopted by the analysis method. If the analysis method uses values other than what is provided, the user is expected to translate appropriately. 
+enum Severity { + // The severity is not known + // buf:lint:ignore ENUM_ZERO_VALUE_SUFFIX -- `unknown` is our fallback, doubling `unspecified` + SEVERITY_UNKNOWN = 0; + // Critical severity + SEVERITY_CRITICAL = 1; + // High severity + SEVERITY_HIGH = 2; + // Medium severity + SEVERITY_MEDIUM = 3; + // Low severity + SEVERITY_LOW = 4; + // Informational warning. + SEVERITY_INFO = 5; + // None + SEVERITY_NONE = 6; +} + +enum ScoreMethod { + // An undefined score method + // buf:lint:ignore ENUM_ZERO_VALUE_SUFFIX -- `null` is our fallback, doubling `unspecified` + SCORE_METHOD_NULL = 0; + // Common Vulnerability Scoring System v2 - https://www.first.org/cvss/v2/ + SCORE_METHOD_CVSSV2 = 1; + // Common Vulnerability Scoring System v3 - https://www.first.org/cvss/v3-0/ + SCORE_METHOD_CVSSV3 = 2; + // Common Vulnerability Scoring System v3.1 - https://www.first.org/cvss/v3-1/ + SCORE_METHOD_CVSSV31 = 3; + // OWASP Risk Rating Methodology - https://owasp.org/www-community/OWASP_Risk_Rating_Methodology + SCORE_METHOD_OWASP = 4; + // Other scoring method + SCORE_METHOD_OTHER = 5; + // Common Vulnerability Scoring System v4.0 - https://www.first.org/cvss/v4-0/ + SCORE_METHOD_CVSSV4 = 6; + // Stakeholder Specific Vulnerability Categorization (all versions) - https://github.com/CERTCC/SSVC + SCORE_METHOD_SSVC = 7; +} + +// Title and location where advisory information can be obtained. An advisory is a notification of a threat to a component, service, or system. +message Advisory { + // An optional name of the advisory. + optional string title = 1; + // Location where the advisory can be obtained. + string url = 2; +} + +message VulnerabilityCredits { + // The organizations credited with vulnerability discovery. + repeated OrganizationalEntity organizations = 1; + // The individuals not associated with organizations that are credited with vulnerability discovery. 
+ repeated OrganizationalContact individuals = 2; +} + +message VulnerabilityAnalysis { + // Declares the current state of an occurrence of a vulnerability after automated or manual analysis. + optional ImpactAnalysisState state = 1; + // The rationale of why the impact analysis state was asserted. + optional ImpactAnalysisJustification justification = 2; + // A response to the vulnerability by the manufacturer, supplier, or project responsible for the affected component or service. More than one response is allowed. Responses are strongly encouraged for vulnerabilities where the analysis state is exploitable. + repeated VulnerabilityResponse response = 3; + // Detailed description of the impact, including methods used during the assessment. If a vulnerability is not exploitable, this field should include specific details on why the component or service is not impacted by this vulnerability. + optional string detail = 4; + // The date and time (timestamp) when the analysis was first issued. + optional google.protobuf.Timestamp firstIssued = 5; + // The date and time (timestamp) when the analysis was last updated. + optional google.protobuf.Timestamp lastUpdated = 6; +} + +enum ImpactAnalysisState { + // An undefined impact analysis state + // buf:lint:ignore ENUM_ZERO_VALUE_SUFFIX -- `null` is our fallback, doubling `unspecified` + IMPACT_ANALYSIS_STATE_NULL = 0; + // The vulnerability has been remediated. + IMPACT_ANALYSIS_STATE_RESOLVED = 1; + // The vulnerability has been remediated, and evidence of the changes is provided in the affected components pedigree containing verifiable commit history and/or diff(s). + IMPACT_ANALYSIS_STATE_RESOLVED_WITH_PEDIGREE = 2; + // The vulnerability may be directly or indirectly exploitable. + IMPACT_ANALYSIS_STATE_EXPLOITABLE = 3; + // The vulnerability is being investigated. + IMPACT_ANALYSIS_STATE_IN_TRIAGE = 4; + // The vulnerability is not specific to the component or service and was falsely identified or associated. 
+ IMPACT_ANALYSIS_STATE_FALSE_POSITIVE = 5; + // The component or service is not affected by the vulnerability. Justification should be specified for all not_affected cases. + IMPACT_ANALYSIS_STATE_NOT_AFFECTED = 6; +} + +enum ImpactAnalysisJustification { + // An undefined impact analysis justification + // buf:lint:ignore ENUM_ZERO_VALUE_SUFFIX -- `null` is our fallback, doubling `unspecified` + IMPACT_ANALYSIS_JUSTIFICATION_NULL = 0; + // The code has been removed or tree-shaked. + IMPACT_ANALYSIS_JUSTIFICATION_CODE_NOT_PRESENT = 1; + // The vulnerable code is not invoked at runtime. + IMPACT_ANALYSIS_JUSTIFICATION_CODE_NOT_REACHABLE = 2; + // Exploitability requires a configurable option to be set/unset. + IMPACT_ANALYSIS_JUSTIFICATION_REQUIRES_CONFIGURATION = 3; + // Exploitability requires a dependency that is not present. + IMPACT_ANALYSIS_JUSTIFICATION_REQUIRES_DEPENDENCY = 4; + // Exploitability requires a certain environment which is not present. + IMPACT_ANALYSIS_JUSTIFICATION_REQUIRES_ENVIRONMENT = 5; + // Exploitability requires a compiler flag to be set/unset. + IMPACT_ANALYSIS_JUSTIFICATION_PROTECTED_BY_COMPILER = 6; + // Exploits are prevented at runtime. + IMPACT_ANALYSIS_JUSTIFICATION_PROTECTED_AT_RUNTIME = 7; + // Attacks are blocked at physical, logical, or network perimeter. + IMPACT_ANALYSIS_JUSTIFICATION_PROTECTED_AT_PERIMETER = 8; + // Preventative measures have been implemented that reduce the likelihood and/or impact of the vulnerability. 
+ IMPACT_ANALYSIS_JUSTIFICATION_PROTECTED_BY_MITIGATING_CONTROL = 9; +} + +enum VulnerabilityResponse { + // unspecified value + // buf:lint:ignore ENUM_ZERO_VALUE_SUFFIX -- `null` is our fallback, doubling `unspecified` + VULNERABILITY_RESPONSE_NULL = 0; + // Can not fix + VULNERABILITY_RESPONSE_CAN_NOT_FIX = 1; + // Will not fix + VULNERABILITY_RESPONSE_WILL_NOT_FIX = 2; + // Update to a different revision or release + VULNERABILITY_RESPONSE_UPDATE = 3; + // Revert to a previous revision or release + VULNERABILITY_RESPONSE_ROLLBACK = 4; + // There is a workaround available + VULNERABILITY_RESPONSE_WORKAROUND_AVAILABLE = 5; +} + +message VulnerabilityAffects { + // References a component or service by the objects bom-ref + string ref = 1; + // Zero or more individual versions or range of versions. + repeated VulnerabilityAffectedVersions versions = 2; +} + +message VulnerabilityAffectedVersions { + oneof choice { + // A single version of a component or service. + string version = 1; + // A version range specified in Package URL Version Range syntax (vers), which is defined at https://github.com/package-url/vers-spec + string range = 2; + } + // The vulnerability status for the version or range of versions. Defaults to VULNERABILITY_AFFECTED_STATUS_AFFECTED if not specified. + optional VulnerabilityAffectedStatus status = 3; +} + +// The vulnerability status of a given version or range of versions of a product. The statuses 'affected' and 'unaffected' indicate that the version is affected or unaffected by the vulnerability. The status 'unknown' indicates that it is unknown or unspecified whether the given version is affected. There can be many reasons for an 'unknown' status, including that an investigation has not been undertaken or that a vendor has not disclosed the status. +enum VulnerabilityAffectedStatus { + // It is unknown (or unspecified) whether the given version is affected. 
+ // buf:lint:ignore ENUM_ZERO_VALUE_SUFFIX -- `unknown` is our fallback, doubling `unspecified` + VULNERABILITY_AFFECTED_STATUS_UNKNOWN = 0; + // The version is affected by the vulnerability. + VULNERABILITY_AFFECTED_STATUS_AFFECTED = 1; + // The version is not affected by the vulnerability. + VULNERABILITY_AFFECTED_STATUS_NOT_AFFECTED = 2; +} + +message AnnotatorChoice { + oneof choice { + // The organization that created the annotation + OrganizationalEntity organization = 1; + // The person that created the annotation + OrganizationalContact individual = 2; + // The tool or component that created the annotation + Component component = 3; + // The service that created the annotation + Service service = 4; + } +} + +message Annotation { + // An optional identifier which can be used to reference the annotation elsewhere in the BOM. Every bom-ref must be unique within the BOM. + optional string bom_ref = 1; + // The object in the BOM identified by its bom-ref. This is often a component or service but may be any object type supporting bom-refs. + repeated string subjects = 2; + // The organization, person, component, or service which created the textual content of the annotation. + AnnotatorChoice annotator = 3; + // The date and time (timestamp) when the annotation was created. + google.protobuf.Timestamp timestamp = 4; + // The textual content of the annotation. + string text = 5; +} + +/** + * A model card describes the intended uses of a machine learning model and potential limitations, including biases and ethical considerations. Model cards typically contain the training parameters, which datasets were used to train the model, performance metrics, and other relevant data useful for ML transparency. This object SHOULD be specified for any component of type `machine-learning-model` and must not be specified for other component types. 
+ * + * Comment: + * Model card support in CycloneDX is derived from TensorFlow Model Card Toolkit released under the Apache 2.0 license and available from https://github.com/tensorflow/model-card-toolkit/blob/main/model_card_toolkit/schema/v0.0.2/model_card.schema.json. In addition, CycloneDX model card support includes portions of VerifyML, also released under the Apache 2.0 license and available from https://github.com/cylynx/verifyml/blob/main/verifyml/model_card_toolkit/schema/v0.0.4/model_card.schema.json. + */ +message ModelCard { + // An optional identifier which can be used to reference the model card elsewhere in the BOM. Every bom-ref must be unique within the BOM. + optional string bom_ref = 1; + // Hyper-parameters for construction of the model. + optional ModelParameters modelParameters = 2; + // A quantitative analysis of the model + optional QuantitativeAnalysis quantitativeAnalysis = 3; + // What considerations should be taken into account regarding the model's construction, training, and application? + optional ModelCardConsiderations considerations = 4; + + message ModelParameters { + // The overall approach to learning used by the model for problem-solving. + optional Approach approach = 1; + // Directly influences the input and/or output. Examples include classification, regression, clustering, etc. + optional string task = 2; + // The model architecture family such as transformer network, convolutional neural network, residual neural network, LSTM neural network, etc. + optional string architectureFamily = 3; + //The specific architecture of the model, such as GPT-1, ResNet-50, YOLOv3, etc. + optional string modelArchitecture = 4; + // The datasets used to train and evaluate the model. 
+ repeated Datasets datasets = 5; + // The input format(s) of the model + repeated MachineLearningInputOutputParameters inputs = 6; + // The output format(s) from the model + repeated MachineLearningInputOutputParameters outputs = 7; + + message Approach { + // Learning types describing the learning problem or hybrid learning problem. + optional ModelParameterApproachType type = 1; + } + + message Datasets { + oneof choice { + // Inline Data Information + ComponentData dataset = 1; + // References a data component by the components bom-ref attribute + string ref = 2; + } + } + + message MachineLearningInputOutputParameters { + // The data format for input/output to the model. Example formats include string, image, time-series + optional string format = 1; + } + } + message QuantitativeAnalysis { + // The model performance metrics being reported. Examples may include accuracy, F1 score, precision, top-3 error rates, MSC, etc. + repeated PerformanceMetrics performanceMetrics = 1; + // A collection of graphics that represent various measurements. + optional GraphicsCollection graphics = 2; + + message PerformanceMetrics { + // The type of performance metric. + optional string type = 1; + // The value of the performance metric. + optional string value = 2; + // The name of the slice this metric was computed on. By default, assume this metric is not sliced. + optional string slice = 3; + // The confidence interval of the metric. + optional ConfidenceInterval confidenceInterval = 4; + + message ConfidenceInterval { + // The lower bound of the confidence interval. + optional string lowerBound = 1; + // The upper bound of the confidence interval. + optional string upperBound = 2; + } + } + } + message ModelCardConsiderations { + // Who are the intended users of the model? + repeated string users = 1; + // What are the intended use cases of the model? + repeated string useCases = 2; + // What are the known technical limitations of the model? E.g. 
What kind(s) of data should the model be expected not to perform well on? What are the factors that might degrade model performance? + repeated string technicalLimitations = 3; + // What are the known tradeoffs in accuracy/performance of the model? + repeated string performanceTradeoffs = 4; + // What are the ethical risks involved in the application of this model? + repeated EthicalConsiderations ethicalConsiderations = 5; + // How does the model affect groups at risk of being systematically disadvantaged? What are the harms and benefits to the various affected groups? + repeated FairnessAssessments fairnessAssessments = 6; + // What are the various environmental impacts the corresponding machine learning model has exhibited across its lifecycle? + optional EnvironmentalConsiderations environmentalConsiderations = 7; + + message EthicalConsiderations { + // The name of the risk. + optional string name = 1; + // Strategy used to address this risk. + optional string mitigationStrategy = 2; + } + message FairnessAssessments { + // The groups or individuals at risk of being systematically disadvantaged by the model. + optional string groupAtRisk = 1; + // Expected benefits to the identified groups. + optional string benefits = 2; + // Expected harms to the identified groups. + optional string harms = 3; + // With respect to the benefits and harms outlined, please describe any mitigation strategy implemented. + optional string mitigationStrategy = 4; + } + message EnvironmentalConsiderations { + // Describes energy consumption information incurred for one or more component lifecycle activities. + repeated EnergyConsumption energyConsumptions = 1; + // Specifies optional, custom properties for environment considerations + repeated Property properties = 2; + } + // Describes energy consumption information incurred for the specified lifecycle activity. 
+ message EnergyConsumption { + // An activity that is part of a machine learning model development or operational lifecycle. + enum ActivityType { + // Default + ACTIVITY_TYPE_UNSPECIFIED = 0; + // a lifecycle activity type whose description does not match currently defined values (the default type). + ACTIVITY_TYPE_OTHER = 1; + // model design including problem framing, goal definition and algorithm selection. + ACTIVITY_TYPE_DESIGN = 2; + // model data acquisition including search, selection and transfer. + ACTIVITY_TYPE_DATA_COLLECTION = 3; + // model data preparation including data cleaning, labeling and conversion. + ACTIVITY_TYPE_DATA_PREPARATION = 4; + // model building, training and generalized tuning. + ACTIVITY_TYPE_TRAINING = 5; + // refining a trained model to produce desired outputs for a given problem space. + ACTIVITY_TYPE_FINE_TUNING = 6; + // model validation including model output evaluation and testing. + ACTIVITY_TYPE_VALIDATION = 7; + // explicit model deployment to a target hosting infrastructure. + ACTIVITY_TYPE_DEPLOYMENT = 8; + // generating an output response from a hosted model from a set of inputs. + ACTIVITY_TYPE_INFERENCE = 9; + } + + // The type of activity that is part of a machine learning model development or operational lifecycle. + ActivityType activity = 1; + // The providers of the energy consumed by the associated model development lifecycle activity. + repeated EnergyProviderType energyProviders = 2; + // The total energy cost associated with the model lifecycle activity. + EnergyMeasureType activityEnergyCost = 3; + // The CO2 cost or debit equivalent to the total energy cost. + optional CO2MeasureType co2CostEquivalent = 4; + // The CO2 offset or credit for the CO2 equivalent cost. 
+ optional CO2MeasureType co2CostOffset = 5; + // Specifies optional, custom properties for environment considerations + repeated Property properties = 6; + } + } +} + + +// Describes the physical provider of energy used for model development or operations. +message EnergyProviderType { + enum EnergySourceType { + // Default + ENERGY_SOURCE_TYPE_UNSPECIFIED = 0; + // energy source: unknown. The energy source is unknown. + ENERGY_SOURCE_TYPE_UNKNOWN = 1; + // energy source: other. An energy source that is not listed. + ENERGY_SOURCE_TYPE_OTHER = 2; + // energy source: coal. Energy produced by types of coal. + ENERGY_SOURCE_TYPE_COAL = 3; + // energy source: oil. Petroleum products (primarily crude oil and its derivative fuel oils). + ENERGY_SOURCE_TYPE_OIL = 4; + // energy source: natural-gas. Hydrocarbon gas liquids (HGL) that occur as gases at atmospheric pressure and as liquids under higher pressures including Natural gas (C5H12 and heavier), Ethane (C2H6), Propane (C3H8), etc. + ENERGY_SOURCE_TYPE_NATURAL_GAS = 5; + // energy source: nuclear. Energy produced from the cores of atoms (i.e., through nuclear fission or fusion). + ENERGY_SOURCE_TYPE_NUCLEAR = 6; + // energy source: wind. Energy produced from moving air. + ENERGY_SOURCE_TYPE_WIND = 7; + // energy source: solar. Energy produced from the sun (i.e., solar radiation). + ENERGY_SOURCE_TYPE_SOLAR = 8; + // energy source: geothermal. Energy produced from heat within the earth. + ENERGY_SOURCE_TYPE_GEOTHERMAL = 9; + // energy source: hydropower. Energy produced from flowing water. + ENERGY_SOURCE_TYPE_HYDROPOWER = 10; + // energy source: biofuel. Liquid fuels produced from biomass feedstocks (i.e., organic materials such as plants or animals). + ENERGY_SOURCE_TYPE_BIOFUEL = 11; + } + + // BOM unique reference to the energy provider. + optional string bom_ref = 1; + // A description of the energy provider. + string description = 2; + // The organization of the energy provider. 
+ OrganizationalEntity organization = 3; + // The energy source for the energy provider. + EnergySourceType energySource = 4; + // The energy provided by the energy source for an associated activity. + EnergyMeasureType energyProvided = 5; + // Provides the ability to document external references related to the BOM or to the project the BOM describes. + repeated ExternalReference external_references = 6; +} + +// A measure of energy. +message EnergyMeasureType { + enum EnergyMeasureUnitType { + //Default + ENERGY_MEASURE_UNIT_TYPE_UNSPECIFIED = 0; + // kilowatt-hour (kWh) is the energy delivered by one kilowatt (kW) of power for one hour (h) (the default unit). + ENERGY_MEASURE_UNIT_TYPE_KILOWATT_HOURS = 1; + } + + // Quantity of energy. + float value = 1; + // Unit of energy. + EnergyMeasureUnitType unit = 2; +} + + +// A measure of carbon dioxide (CO2). +message CO2MeasureType { + enum CO2MeasureUnitType { + // Default + CO2_MEASURE_UNIT_TYPE_UNSPECIFIED = 0; + // Tonnes (t) of carbon dioxide (CO2) equivalent (eq) (the default unit). + CO2_MEASURE_UNIT_TYPE_TONNES_CO2_EQUIVALENT = 1; + } + + // Quantity of carbon dioxide (CO2). + float value = 1; + // Unit of carbon dioxide (CO2). + CO2MeasureUnitType unit = 2; +} + + +// An address used to identify a contactable location. +message PostalAddressType { + // An optional identifier which can be used to reference the address elsewhere in the BOM. Every bom-ref must be unique within the BOM. + optional string bom_ref = 1; + // The country name or the two-letter ISO 3166-1 country code. + optional string country = 2; + // The region or state in the country. For example, Texas. + optional string region = 3; + // The locality or city within the country. For example, Austin. + optional string locality = 4; + // The post office box number. For example, 901. + optional string postOfficeBoxNumber = 5; + // The postal code. For example, 78758. + optional string postalCodeue = 6; + // The street address. 
For example, 100 Main Street. + optional string streetAddress = 7; +} + +enum ModelParameterApproachType { + // buf:lint:ignore ENUM_ZERO_VALUE_SUFFIX -- value `0` is a fallback(meaning "unspecified") in protobuf3. this usage here is an error, it shall be fixed with v2.0 of this very schema + // Supervised machine learning involves training an algorithm on labeled data to predict or classify new data based on the patterns learned from the labeled examples. + MODEL_PARAMETER_APPROACH_TYPE_SUPERVISED = 0; + // Unsupervised machine learning involves training algorithms on unlabeled data to discover patterns, structures, or relationships without explicit guidance, allowing the model to identify inherent structures or clusters within the data. + MODEL_PARAMETER_APPROACH_TYPE_UNSUPERVISED = 1; + // Reinforcement learning is a type of machine learning where an agent learns to make decisions by interacting with an environment to maximize cumulative rewards, through trial and error. + MODEL_PARAMETER_APPROACH_TYPE_REINFORCED_LEARNING = 2; + // Semi-supervised machine learning utilizes a combination of labeled and unlabeled data during training to improve model performance, leveraging the benefits of both supervised and unsupervised learning techniques. + MODEL_PARAMETER_APPROACH_TYPE_SEMI_SUPERVISED = 3; + // Self-supervised machine learning involves training models to predict parts of the input data from other parts of the same data, without requiring external labels, enabling learning from large amounts of unlabeled data. + MODEL_PARAMETER_APPROACH_TYPE_SELF_SUPERVISED = 4; +} + +message ComponentData { + // An optional identifier which can be used to reference the dataset elsewhere in the BOM. Every bom-ref must be unique within the BOM. + optional string bom_ref = 1; + // The general theme or subject matter of the data being specified. + ComponentDataType type = 2; + // The name of the dataset. 
+ optional string name = 3; + // The contents or references to the contents of the data being described. + optional ComponentDataContents contents = 4; + // Data classification tags data according to its type, sensitivity, and value if altered, stolen, or destroyed. + optional string classification = 5; + // A description of any sensitive data in a dataset. + repeated string sensitiveData = 6; + // A collection of graphics that represent various measurements. + optional GraphicsCollection graphics = 7; + // A description of the dataset. Can describe size of dataset, whether it's used for source code, training, testing, or validation, etc. + optional string description = 8; + // Data Governance + optional DataGovernance governance = 9; + + message ComponentDataContents { + // An optional way to include textual or encoded data. + optional AttachedText attachment = 1; + // The URL to where the data can be retrieved. + optional string url = 2; + // Provides the ability to document name-value parameters used for configuration. + repeated Property properties = 3; + } +} + +// Data governance captures information regarding data ownership, stewardship, and custodianship, providing insights into the individuals or entities responsible for managing, overseeing, and safeguarding the data throughout its lifecycle. +message DataGovernance { + // Data custodians are responsible for the safe custody, transport, and storage of data. + repeated DataGovernanceResponsibleParty custodians = 1; + // Data stewards are responsible for data content, context, and associated business rules. + repeated DataGovernanceResponsibleParty stewards = 2; + // Data owners are concerned with risk and appropriate access to data. + repeated DataGovernanceResponsibleParty owners = 3; + + message DataGovernanceResponsibleParty { + oneof choice { + // The organization that is responsible for specific data governance role(s). 
+ OrganizationalEntity organization = 1; + // The individual that is responsible for specific data governance role(s). + OrganizationalContact contact = 2; + } + } +} + +enum ComponentDataType { + // Any type of code, code snippet, or data-as-code + // buf:lint:ignore ENUM_ZERO_VALUE_SUFFIX -- value `0` is a fallback(meaning "unspecified") in protobuf3. this usage here is an error, it shall be fixed with v2.0 of this very schema + COMPONENT_DATA_TYPE_SOURCE_CODE = 0; + // Parameters or settings that may be used by other components. + COMPONENT_DATA_TYPE_CONFIGURATION = 1; + // A collection of data. + COMPONENT_DATA_TYPE_DATASET = 2; + // Data that can be used to create new instances of what the definition defines. + COMPONENT_DATA_TYPE_DEFINITION = 3; + // Any other type of data that does not fit into existing definitions. + COMPONENT_DATA_TYPE_OTHER = 4; +} + +// A collection of graphics that represent various measurements. +message GraphicsCollection { + // A description of this collection of graphics. + optional string description = 1; + // A collection of graphics. + repeated Graphic graphic = 2; + + message Graphic { + // The name of the graphic. + optional string name = 1; + // The graphic (vector or raster). Base64 encoding must be specified for binary images. + optional AttachedText image = 2; + } +} + +// Describes workflows and resources that captures rules and other aspects of how the associated BOM component or service was formed. +message Formula { + // BOM unique reference to the resource. + optional string bom_ref = 1; + // Transient components that are used in tasks that constitute one or more of this formula's workflows + repeated Component components = 2; + // Transient services that are used in tasks that constitute one or more of this formula's workflows + repeated Service services = 3; + // List of workflows that can be declared to accomplish specific orchestrated goals and independently triggered. 
+ repeated Workflow workflows = 4; + // Domain-specific formula properties. + repeated Property properties = 5; +} + +// A specialized orchestration task. +message Workflow { + // BOM unique reference to the resource. + string bom_ref = 1; + // The unique identifier for the resource instance within its deployment context. + string uid = 2; + // The name of the resource instance. + optional string name = 3; + // A description of the resource instance. + optional string description = 4; + // Domain-specific resource instance properties. + repeated Property properties = 5; + // References to component or service resources that are used to realize the resource instance. + repeated ResourceReferenceChoice resourceReferences = 6; + // The tasks that comprise the workflow. + repeated Task tasks = 7; + // The graph of dependencies between tasks within the workflow. + repeated Dependency taskDependencies = 8; + // Indicates the types of activities performed by the set of workflow tasks. + repeated TaskType taskTypes = 9; + // The trigger that initiated the task. + optional Trigger trigger = 10; + // The sequence of steps for the task. + repeated Step steps = 11; + // Represents resources and data brought into a task at runtime by executor or task commands + repeated InputType inputs = 12; + // Represents resources and data output from a task at runtime by executor or task commands + repeated OutputType outputs = 13; + // The date and time (timestamp) when the task started. + optional google.protobuf.Timestamp timeStart = 14; + // The date and time (timestamp) when the task ended. + optional google.protobuf.Timestamp timeEnd = 15; + // A set of named filesystem or data resource shareable by workflow tasks. + repeated Workspace workspaces = 16; + // A graph of the component runtime topology for workflow's instance. + repeated Dependency runtimeTopology = 17; +} + +// Describes the inputs, sequence of steps and resources used to accomplish a task and its output. 
+message Task { + // BOM unique reference to the resource. + string bom_ref = 1; + // The unique identifier for the resource instance within its deployment context. + string uid = 2; + // The name of the resource instance. + optional string name = 3; + // A description of the resource instance. + optional string description = 4; + // Domain-specific task instance properties. + repeated Property properties = 5; + // References to component or service resources that are used to realize the resource instance. + repeated ResourceReferenceChoice resourceReferences = 6; + // Indicates the types of activities performed by the set of workflow tasks. + repeated TaskType taskTypes = 7; + // The trigger that initiated the task. + optional Trigger trigger = 8; + // "The sequence of steps for the task. + repeated Step steps = 9; + // Represents resources and data brought into a task at runtime by an executor or task commands + repeated InputType inputs = 10; + // Represents resources and data output from a task at runtime by an executor or task commands + repeated OutputType outputs = 11; + // The date and time (timestamp) when the task started. + optional google.protobuf.Timestamp timeStart = 14; + // The date and time (timestamp) when the task ended. + optional google.protobuf.Timestamp timeEnd = 15; + // A set of named filesystem or data resource shareable by workflow tasks. + repeated Workspace workspaces = 16; + // A graph of the component runtime topology for task's instance. + repeated Dependency runtimeTopology = 17; +} + +// Executes specific commands or tools in order to accomplish its owning task as part of a sequence. +message Step { + // A name for the step. + optional string name = 1; + // A description of the step. + optional string description = 2; + // Ordered list of commands or directives for the step + repeated Command commands = 3; + // Domain-specific step properties. 
+ repeated Property properties = 4;
+}
+
+message Command {
+ // A text representation of the executed command.
+ optional string executed = 1;
+ // Domain-specific command properties.
+ repeated Property properties = 2;
+}
+
+// A named filesystem or data resource shareable by workflow tasks.
+message Workspace {
+ // BOM unique reference to the resource.
+ string bom_ref = 1;
+ // The unique identifier for the resource instance within its deployment context.
+ string uid = 2;
+ // The name of the resource instance.
+ optional string name = 3;
+ // The names for the workspace as referenced by other workflow tasks. Effectively, a name mapping so other tasks can use their own local name in their steps.
+ repeated string aliases = 4;
+ // A description of the resource instance.
+ optional string description = 5;
+ // Domain-specific workspace instance properties.
+ repeated Property properties = 6;
+ // References to component or service resources that are used to realize the resource instance.
+ repeated ResourceReferenceChoice resourceReferences = 7;
+ // Describes the read-write access control for the workspace relative to the owning resource instance.
+ optional AccessMode accessMode = 8;
+ // A path to a location on disk where the workspace will be available for the associated task's steps.
+ optional string mountPath = 9;
+ // The name of a domain-specific data type the workspace represents.
+ optional string managedDataType = 10;
+ // Identifies the reference to the request for a specific volume type and parameters.
+ optional string volumeRequest = 11;
+ // Information about the actual volume instance allocated to the workspace.
+ optional Volume volume = 12;
+
+ enum AccessMode {
+ // buf:lint:ignore ENUM_ZERO_VALUE_SUFFIX -- value `0` is a fallback(meaning "unspecified") in protobuf3.
this usage here is an error; it shall be fixed with v2.0 of this very schema
+ ACCESS_MODE_READ_ONLY = 0;
+ ACCESS_MODE_READ_WRITE = 1;
+ ACCESS_MODE_READ_WRITE_ONCE = 2;
+ ACCESS_MODE_WRITE_ONCE = 3;
+ ACCESS_MODE_WRITE_ONLY = 4;
+ }
+}
+
+// An identifiable, logical unit of data storage tied to a physical device.
+message Volume {
+ // The unique identifier for the volume instance within its deployment context.
+ optional string uid = 1;
+ // The name of the volume instance
+ optional string name = 2;
+ // The volume mode for the volume instance.
+ optional VolumeMode mode = 3;
+ // The underlying path created from the actual volume.
+ optional string path = 4;
+ // The allocated size of the volume accessible to the associated workspace. This should include the scalar size as well as the IEC standard unit in either decimal or binary form.
+ optional string sizeAllocated = 5;
+ // Indicates if the volume persists beyond the life of the resource it is associated with.
+ optional bool persistent = 6;
+ // Indicates if the volume is remotely (i.e., network) attached.
+ optional bool remote = 7;
+ // Domain-specific volume instance properties.
+ repeated Property properties = 8;
+
+ enum VolumeMode {
+ // buf:lint:ignore ENUM_ZERO_VALUE_SUFFIX -- value `0` is a fallback(meaning "unspecified") in protobuf3. this usage here is an error; it shall be fixed with v2.0 of this very schema
+ VOLUME_MODE_FILESYSTEM = 0;
+ VOLUME_MODE_BLOCK = 1;
+ }
+}
+
+// Represents a resource that can conditionally activate (or fire) tasks based upon associated events and their data.
+message Trigger {
+ // BOM unique reference to the resource.
+ string bom_ref = 1;
+ // The unique identifier for the resource instance within its deployment context.
+ string uid = 2;
+ // The name of the resource instance.
+ optional string name = 3;
+ // A description of the resource instance.
+ optional string description = 4;
+ // Additional properties of the trigger.
+ repeated Property properties = 5;
+ // References to component or service resources that are used to realize the resource instance.
+ repeated ResourceReferenceChoice resourceReferences = 6;
+ // The source type of event which caused the trigger to fire.
+ TriggerType type = 7;
+ // The event data that caused the associated trigger to activate.
+ optional Event event = 8;
+ // A list of conditions used to determine if a trigger should be activated.
+ repeated Condition conditions = 9;
+ // The date and time (timestamp) when the trigger was activated.
+ optional google.protobuf.Timestamp timeActivated = 10;
+ // Represents resources and data brought into a task at runtime by an executor or task commands
+ repeated InputType inputs = 11;
+ // Represents resources and data output from a task at runtime by an executor or task commands
+ repeated OutputType outputs = 12;
+
+ enum TriggerType {
+ // buf:lint:ignore ENUM_ZERO_VALUE_SUFFIX -- value `0` is a fallback(meaning "unspecified") in protobuf3. this usage here is an error; it shall be fixed with v2.0 of this very schema
+ TRIGGER_TYPE_MANUAL = 0;
+ TRIGGER_TYPE_API = 1;
+ TRIGGER_TYPE_WEBHOOK = 2;
+ TRIGGER_TYPE_SCHEDULED = 3;
+ }
+}
+
+// Represents something that happened that may trigger a response.
+message Event {
+ // The unique identifier of the event.
+ optional string uid = 1;
+ // A description of the event.
+ optional string description = 2;
+ // The date and time (timestamp) when the event was received.
+ optional google.protobuf.Timestamp timeReceived = 3;
+ // Encoding of the raw event data.
+ optional AttachedText data = 4;
+ // References the component or service that was the source of the event
+ optional ResourceReferenceChoice source = 5;
+ // References the component or service that was the target of the event
+ optional ResourceReferenceChoice target = 6;
+ // Additional properties of the event.
+ repeated Property properties = 7;
+}
+
+// Type that represents various input data types and formats.
+message InputType {
+ // A references to the component or service that provided the input to the task (e.g., reference to a service with a data flow value of `inbound`)
+ optional ResourceReferenceChoice source = 1;
+ // A reference to the component or service that received or stored the input if not the task itself (e.g., a local, named storage workspace)
+ optional ResourceReferenceChoice target = 2;
+ // A reference to an independent resource provided as an input to a task by the workflow runtime.
+ optional ResourceReferenceChoice resource = 3;
+ // Inputs that have the form of parameters with names and values.
+ repeated Parameter parameters = 4;
+ // Inputs that have the form of parameters with names and values.
+ repeated EnvironmentVars environmentVars = 5;
+ // Inputs that have the form of data.
+ optional AttachedText data = 6;
+ // Additional properties of the input data.
+ repeated Property properties = 7;
+}
+
+// Type that represents various output data types and formats.
+message OutputType {
+ // Describes the type of data output.
+ optional OutputTypeType type = 1;
+ // Component or service that generated or provided the output from the task (e.g., a build tool)
+ optional ResourceReferenceChoice source = 2;
+ // Component or service that received the output from the task (e.g., reference to an artifactory service with data flow value of `outbound`)
+ optional ResourceReferenceChoice target = 3;
+ // A reference to an independent resource generated as output by the task.
+ optional ResourceReferenceChoice resource = 4;
+ // Outputs that have the form of data.
+ optional AttachedText data = 5;
+ // Outputs that have the form of environment variables.
+ repeated EnvironmentVars environmentVars = 6;
+ // Additional properties of the output data.
+ repeated Property properties = 7;
+
+ // buf:lint:ignore ENUM_VALUE_PREFIX -- Enum value names should be prefixed with "OUTPUT_TYPE_TYPE_"
+ enum OutputTypeType {
+ // buf:lint:ignore ENUM_ZERO_VALUE_SUFFIX -- value `0` is a fallback(meaning "unspecified") in protobuf3. this usage here is an error; it shall be fixed with v2.0 of this very schema
+ OUTPUT_TYPE_ARTIFACT = 0;
+ OUTPUT_TYPE_ATTESTATION = 1;
+ OUTPUT_TYPE_LOG = 2;
+ OUTPUT_TYPE_EVIDENCE = 3;
+ OUTPUT_TYPE_METRICS = 4;
+ OUTPUT_TYPE_OTHER = 5;
+ }
+}
+
+// Type that permits a choice to reference a resource using an iternal bom-ref identifier or an external reference.
+message ResourceReferenceChoice {
+ oneof choice {
+ // References an object by its bom-ref attribute
+ string ref = 1;
+ // Reference to an externally accessible resource
+ ExternalReference externalReference = 2;
+ }
+}
+
+// A condition that was used to determine a trigger should be activated.
+message Condition {
+ // Describes the set of conditions which cause the trigger to activate.
+ optional string description = 1;
+ // The logical expression that was evaluated that determined the trigger should be fired.
+ optional string expression = 2;
+ // Domain-specific condition instance properties.
+ repeated Property properties = 3;
+}
+
+enum TaskType {
+ // A task that copies software or data used to accomplish other tasks in the workflow.
+ // buf:lint:ignore ENUM_ZERO_VALUE_SUFFIX -- value `0` is a fallback(meaning "unspecified") in protobuf3. this usage here is an error; it shall be fixed with v2.0 of this very schema
+ TASK_TYPE_COPY = 0;
+ // A task that clones a software repository into the workflow in order to retrieve its source code or data for use in a build step.
+ TASK_TYPE_CLONE = 1;
+ // A task that checks source code for programmatic and stylistic errors.
+ TASK_TYPE_LINT = 2;
+ // A task that performs a scan against source code, or built or deployed components and services.
Scans are typically run to gather or test for security vulnerabilities or policy compliance.
+ TASK_TYPE_SCAN = 3;
+ // A task that merges changes or fixes into source code prior to a build step in the workflow.
+ TASK_TYPE_MERGE = 4;
+ // A task that builds the source code, dependencies and/or data into an artifact that can be deployed to and executed on target systems.
+ TASK_TYPE_BUILD = 5;
+ // A task that verifies the functionality of a component or service.
+ TASK_TYPE_TEST = 6;
+ // A task that delivers a built artifact to one or more target repositories or storage systems.
+ TASK_TYPE_DELIVER = 7;
+ // A task that deploys a built artifact for execution on one or more target systems.
+ TASK_TYPE_DEPLOY = 8;
+ // A task that releases a built, versioned artifact to a target repository or distribution system.
+ TASK_TYPE_RELEASE = 9;
+ // A task that cleans unnecessary tools, build artifacts and/or data from workflow storage.
+ TASK_TYPE_CLEAN = 10;
+ // A workflow task that does not match current task type definitions.
+ TASK_TYPE_OTHER = 11;
+}
+
+// A representation of a functional parameter.
+message Parameter {
+ // The name of the parameter.
+ optional string name = 1;
+ // The value of the parameter.
+ optional string value = 2;
+ // The data type of the parameter.
+ optional string dataType = 3;
+}
+
+message EnvironmentVars {
+ oneof choice {
+ // Name-value pair
+ Property property = 1;
+ // Value
+ string value = 2;
+ }
+}
+
+// The list of declarations which describe the conformance to standards. Each declaration may include attestations, claims, and evidence.
+message Declarations {
+ message Assessor {
+ // An optional identifier which can be used to reference the component elsewhere in the BOM. Uniqueness is enforced within all elements and children of the root-level bom element.
+ optional string bom_ref = 1;
+ // The boolean indicating if the assessor is outside the organization generating claims. A value of false indicates a self assessor.
+ optional bool thirdParty = 2;
+ // The entity issuing the assessment.
+ optional OrganizationalEntity organization = 3;
+ }
+
+ // Attestation
+ message Attestation {
+ // Map
+ message AttestationMap {
+
+ // Conformance
+ message AttestationConformance {
+ // The conformance of the claim between and inclusive of 0 and 1, where 1 is 100% conformance.
+ optional double score = 1;
+ // The rationale for the conformance score.
+ optional string rationale = 2;
+ // The list of `bom-ref` to the evidence provided describing the mitigation strategies.
+ repeated string mitigationStrategies = 3;
+ }
+
+ // Confidence
+ message AttestationConfidence {
+ // The confidence of the claim between and inclusive of 0 and 1, where 1 is 100% confidence.
+ optional double score = 1;
+ // The rationale for the confidence score.
+ optional string rationale = 2;
+ }
+
+ // The `bom-ref` to the requirement being attested to.
+ optional string requirement = 1;
+ // The list of `bom-ref` to the claims being attested to.
+ repeated string claims = 2;
+ // The list of `bom-ref` to the counter claims being attested to.
+ repeated string counterClaims = 3;
+ // The conformance of the claim meeting a requirement.
+ optional AttestationConformance conformance = 4;
+ // The confidence of the claim meeting the requirement.
+ optional AttestationConfidence confidence = 5;
+ }
+
+ // The short description explaining the main points of the attestation.
+ optional string summary = 1;
+ // The `bom-ref` to the assessor asserting the attestation.
+ optional string assessor = 2;
+ // The grouping of requirements to claims and the attestors' declared conformance and confidence thereof.
+ repeated AttestationMap map = 3;
+ }
+
+ message Claim {
+ // An optional identifier which can be used to reference the component elsewhere in the BOM. Uniqueness is enforced within all elements and children of the root-level bom element.
+ optional string bom_ref = 1;
+ // The `bom-ref` to a target representing a specific system, application, API, module, team, person, process, business unit, company, etc... that this claim is being applied to.
+ optional string target = 2;
+ // The specific statement or assertion about the target.
+ optional string predicate = 3;
+ // The list of `bom-ref` to the evidence provided describing the mitigation strategies. Each mitigation strategy should include an explanation of how any weaknesses in the evidence will be mitigated.
+ repeated string mitigationStrategies = 4;
+ // The written explanation of why the evidence provided substantiates the claim.
+ optional string reasoning = 5;
+ // The list of `bom-ref` to evidence that supports this claim.
+ repeated string evidence = 6;
+ // The list of `bom-ref` to counterEvidence that supports this claim.
+ repeated string counterEvidence = 7;
+ // External references provide a way to document systems, sites, and information that may be relevant but are not included with the BOM. They may also establish specific relationships within or external to the BOM.
+ repeated ExternalReference externalReferences = 8;
+ }
+
+ message Evidence {
+ message Data {
+ message Contents {
+ // An optional way to include textual or encoded data.
+ optional AttachedText attachment = 1;
+ // The URL to where the data can be retrieved.
+ optional string url = 2;
+ }
+
+ // The name of the data.
+ optional string name = 1;
+ // The contents or references to the contents of the data being described.
+ optional Contents contents = 2;
+ // Data classification tags data according to its type, sensitivity, and value if altered, stolen, or destroyed.
+ optional string classification = 3;
+ // A description of any sensitive data included.
+ repeated string sensitiveData = 4;
+ // Data Governance
+ optional DataGovernance governance = 5;
+ }
+
+ // An optional identifier which can be used to reference the component elsewhere in the BOM.
Uniqueness is enforced within all elements and children of the root-level bom element.
+ optional string bom_ref = 1;
+ // The reference to the property name as defined in the CycloneDX Property Taxonomy: https://github.com/CycloneDX/cyclonedx-property-taxonomy/.
+ optional string propertyName = 2;
+ // The written description of what this evidence is and how it was created.
+ optional string description = 3;
+ // The output or analysis that supports claims.
+ repeated Data data = 4;
+ // The date and time (timestamp) when the evidence was created.
+ optional google.protobuf.Timestamp created = 5;
+ // The optional date and time (timestamp) when the evidence is no longer valid.
+ optional google.protobuf.Timestamp expires = 6;
+ // The author of the evidence.
+ optional OrganizationalContact author = 7;
+ // The reviewer of the evidence.
+ optional OrganizationalContact reviewer = 8;
+ }
+
+ message Targets {
+ // The list of organizations which claims are made against.
+ repeated OrganizationalEntity organizations = 1;
+ // The list of components which claims are made against.
+ repeated Component components = 2;
+ // The list of services which claims are made against.
+ repeated Service services = 3;
+ }
+
+ message Affirmation {
+ message Signatory {
+ // The signatory's name.
+ optional string name = 1;
+ // The signatory's role within an organization.
+ optional string role = 2;
+ // The signatory's organization.
+ optional OrganizationalEntity organization = 3;
+ // An External reference provides a way to document systems, sites, and information that may be relevant but are not included with the BOM. They may also establish specific relationships within or external to the BOM.
+ optional ExternalReference externalReference = 4;
+ }
+
+ // The brief statement affirmed by an individual regarding all declarations. Notes: This could be an affirmation of acceptance by a third-party auditor or receiving individual of a file.
Example: "I certify, to the best of my knowledge, that all information is correct."
+ optional string statement = 1;
+ // The list of signatories authorized on behalf of an organization to assert validity of this document.
+ repeated Signatory signatories = 2;
+ }
+
+ // The list of assessors evaluating claims and determining conformance to requirements and confidence in that assessment.
+ repeated Assessor assessors = 1;
+ // The list of attestations asserted by an assessor that maps requirements to claims.
+ repeated Attestation attestations = 2;
+ // The list of claims.
+ repeated Claim claims = 3;
+ // The list of evidence
+ repeated Evidence evidence = 4;
+ // The list of targets which claims are made against.
+ optional Targets targets = 5;
+ // A concise statement affirmed by an individual regarding all declarations, often used for third-party auditor acceptance or recipient acknowledgment. It includes a list of authorized signatories who assert the validity of the document on behalf of the organization.
+ optional Affirmation affirmation = 6;
+}
+
+message Definition {
+ // A standard may consist of regulations, industry or organizational-specific standards, maturity models, best practices, or any other requirements which can be evaluated against or attested to.
+ message Standard {
+ message Requirement {
+ // An optional identifier which can be used to reference the component elsewhere in the BOM. Uniqueness is enforced within all elements and children of the root-level bom element.
+ optional string bom_ref = 1;
+ // The unique identifier used in the standard to identify a specific requirement. This should match what is in the standard and should not be the requirements bom-ref.
+ optional string identifier = 2;
+ // The title of the requirement.
+ optional string title = 3;
+ // The textual content of the requirement.
+ optional string text = 4;
+ // The supplemental text that provides additional guidance or context to the requirement but is not directly part of the requirement.
+ repeated string descriptions = 5;
+ // The Common Requirements Enumeration (CRE) identifier(s). CRE is a structured and standardized framework for uniting security standards and guidelines. CRE links each section of a resource to a shared topic identifier (a Common Requirement). Through this shared topic link, all resources map to each other. The use of CRE promotes clear and unambiguous communication among stakeholders.
+ repeated string openCre = 6;
+ // The optional `bom-ref` to a parent requirement. This establishes a hierarchy of requirements. Top-level requirements must not define a parent. Only child requirements should define parents.
+ optional string parent = 7;
+ // Specifies optional, custom, properties
+ repeated Property properties = 8;
+ // External references provide a way to document systems, sites, and information that may be relevant but are not included with the BOM. They may also establish specific relationships within or external to the BOM.
+ repeated ExternalReference externalReferences = 9;
+ }
+
+ message Level {
+ // An optional identifier which can be used to reference the component elsewhere in the BOM. Uniqueness is enforced within all elements and children of the root-level bom element.
+ optional string bom_ref = 1;
+ // The identifier used in the standard to identify a specific level.
+ optional string identifier = 2;
+ // The title of the level.
+ optional string title = 3;
+ // The description of the level.
+ optional string description = 4;
+ // The list of requirement `bom-ref`s that comprise the level.
+ repeated string requirements = 5;
+ }
+
+ // An optional identifier which can be used to reference the component elsewhere in the BOM. Uniqueness is enforced within all elements and children of the root-level bom element.
+ optional string bom_ref = 1;
+ // The name of the standard. This will often be a shortened, single name of the standard.
+ optional string name = 2;
+ // The version of the standard.
+ optional string version = 3;
+ // The description of the standard.
+ optional string description = 4;
+ // The owner of the standard, often the entity responsible for its release.
+ optional string owner = 5;
+ // The list of requirements comprising the standard.
+ repeated Requirement requirements = 6;
+ // The list of levels associated with the standard. Some standards have different levels of compliance.
+ repeated Level levels = 7;
+ // External references provide a way to document systems, sites, and information that may be relevant but are not included with the BOM. They may also establish specific relationships within or external to the BOM.
+ repeated ExternalReference externalReferences = 8;
+ }
+
+ // The list of standards which may consist of regulations, industry or organizational-specific standards, maturity models, best practices, or any other requirements which can be evaluated against or attested to.
+ repeated Standard standards = 1;
+}
+
+// "Cryptographic Properties
+message CryptoProperties {
+ // Asset Type
+ enum CryptoAssetType {
+ // ProtoBuff's default value
+ CRYPTO_ASSET_TYPE_UNSPECIFIED = 0;
+ // Mathematical function commonly used for data encryption, authentication, and digital signatures.
+ CRYPTO_ASSET_TYPE_ALGORITHM = 1;
+ // An electronic document that is used to provide the identity or validate a public key.
+ CRYPTO_ASSET_TYPE_CERTIFICATE = 2;
+ // A set of rules and guidelines that govern the behavior and communication with each other.
+ CRYPTO_ASSET_TYPE_PROTOCOL = 3;
+ // Other cryptographic assets related to algorithms, certificates, and protocols such as keys and tokens.
+ CRYPTO_ASSET_TYPE_RELATED_CRYPTO_MATERIAL = 4;
+ }
+
+ // Algorithm Propertie
+ message AlgorithmProperties {
+ // Primitive
+ enum CryptoPrimitive {
+ // ProtoBuff's default value -- it differs from "unknown"
+ CRYPTO_PRIMITIVE_UNSPECIFIED = 0;
+ // The primitive is not known
+ CRYPTO_PRIMITIVE_UNKNOWN = 1;
+ // Another primitive type - none of the following
+ CRYPTO_PRIMITIVE_OTHER = 2;
+ // Deterministic Random Bit Generator (DRBG) is a type of pseudorandom number generator designed to produce a sequence of bits from an initial seed value. DRBGs are commonly used in cryptographic applications where reproducibility of random values is important.
+ CRYPTO_PRIMITIVE_DRBG = 3;
+ // In cryptography, a Message Authentication Code (MAC) is information used for authenticating and integrity-checking a message.
+ CRYPTO_PRIMITIVE_MAC = 4;
+ // A block cipher is a symmetric key algorithm that operates on fixed-size blocks of data. It encrypts or decrypts the data in block units, providing confidentiality. Block ciphers are widely used in various cryptographic modes and protocols for secure data transmission.
+ CRYPTO_PRIMITIVE_BLOCK_CIPHER = 5;
+ // A stream cipher is a symmetric key cipher where plaintext digits are combined with a pseudorandom cipher digit stream (keystream).
+ CRYPTO_PRIMITIVE_STREAM_CIPHER = 6;
+ // In cryptography, a signature is a digital representation of a message or data that proves its origin, identity, and integrity. Digital signatures are generated using cryptographic algorithms and are widely used for authentication and verification in secure communication.
+ CRYPTO_PRIMITIVE_SIGNATURE = 7;
+ // A hash function is a mathematical algorithm that takes an input (or 'message') and produces a fixed-size string of characters, which is typically a hash value. Hash functions are commonly used in various cryptographic applications, including data integrity verification and password hashing.
+ CRYPTO_PRIMITIVE_HASH = 8;
+ // Public Key Encryption (PKE) is a type of encryption that uses a pair of public and private keys for secure communication. The public key is used for encryption, while the private key is used for decryption. PKE is a fundamental component of public-key cryptography.
+ CRYPTO_PRIMITIVE_PKE = 9;
+ // An XOF is an extendable output function that can take arbitrary input and creates a stream of output, up to a limit determined by the size of the internal state of the hash function that underlies the XOF.
+ CRYPTO_PRIMITIVE_XOF = 10;
+ // A Key Derivation Function (KDF) derives key material from another source of entropy while preserving the entropy of the input.
+ CRYPTO_PRIMITIVE_KDF = 11;
+ // In cryptography, a key-agreement is a protocol whereby two or more parties agree on a cryptographic key in such a way that both influence the outcome.
+ CRYPTO_PRIMITIVE_KEY_AGREE = 12;
+ // A Key Encapsulation Mechanism (KEM) algorithm is a mechanism for transporting random keying material to a recipient using the recipient's public key.
+ CRYPTO_PRIMITIVE_KEM = 13;
+ // Authenticated Encryption (AE) is a cryptographic process that provides both confidentiality and data integrity. It ensures that the encrypted data has not been tampered with and comes from a legitimate source. AE is commonly used in secure communication protocols.
+ CRYPTO_PRIMITIVE_AE = 14;
+ // A combiner aggregates many candidates for a cryptographic primitive and generates a new candidate for the same primitive.
+ CRYPTO_PRIMITIVE_COMBINER = 15;
+ }
+
+ // Execution Environment
+ enum CryptoExecutionEnvironment {
+ // ProtoBuff's default value -- it differs from "unknown"
+ CRYPTO_EXECUTION_ENVIRONMENT_UNSPECIFIED = 0;
+ // The execution environment is not known
+ CRYPTO_EXECUTION_ENVIRONMENT_UNKNOWN = 1;
+ // Another implementation environment - none of the following
+ CRYPTO_EXECUTION_ENVIRONMENT_OTHER = 2;
+ // A software implementation running in plain unencrypted RAM.
+ CRYPTO_EXECUTION_ENVIRONMENT_SOFTWARE_PLAIN_RAM = 3;
+ // A software implementation running in encrypted RAM.
+ CRYPTO_EXECUTION_ENVIRONMENT_SOFTWARE_ENCRYPTED_RAM = 4;
+ // A software implementation running in a trusted execution environment.
+ CRYPTO_EXECUTION_ENVIRONMENT_SOFTWARE_TEE = 5;
+ // A hardware implementation.
+ CRYPTO_EXECUTION_ENVIRONMENT_HARDWARE = 6;
+ }
+
+ // Implementation platform
+ enum CryptoImplementationPlatform {
+ // ProtoBuff's default value -- it differs from "unknown"
+ CRYPTO_IMPLEMENTATION_PLATFORM_UNSPECIFIED = 0;
+ // the platform is not known
+ CRYPTO_IMPLEMENTATION_PLATFORM_UNKNOWN = 1;
+ // none of the following
+ CRYPTO_IMPLEMENTATION_PLATFORM_OTHER = 2;
+ CRYPTO_IMPLEMENTATION_PLATFORM_GENERIC = 3;
+ CRYPTO_IMPLEMENTATION_PLATFORM_X86_32 = 4;
+ CRYPTO_IMPLEMENTATION_PLATFORM_X86_64 = 5;
+ CRYPTO_IMPLEMENTATION_PLATFORM_ARMV7A = 6;
+ CRYPTO_IMPLEMENTATION_PLATFORM_ARMV7M = 7;
+ CRYPTO_IMPLEMENTATION_PLATFORM_ARMV8A = 8;
+ CRYPTO_IMPLEMENTATION_PLATFORM_ARMV8M = 9;
+ CRYPTO_IMPLEMENTATION_PLATFORM_ARMV9A = 10;
+ CRYPTO_IMPLEMENTATION_PLATFORM_ARMV9M = 11;
+ CRYPTO_IMPLEMENTATION_PLATFORM_X390X = 12;
+ CRYPTO_IMPLEMENTATION_PLATFORM_PPC64 = 13;
+ CRYPTO_IMPLEMENTATION_PLATFORM_PPC64LE = 14;
+ }
+
+ // Mode
+ enum CryptoAlgorithmMode {
+ // ProtoBuff's default value -- it differs from "unknown"
+ CRYPTO_ALGORITHM_MODE_UNSPECIFIED = 0;
+ // The mode of operation is not known
+ CRYPTO_ALGORITHM_MODE_UNKNOWN = 1;
+ // Another mode of operation - none of the following
+ CRYPTO_ALGORITHM_MODE_OTHER = 2;
+ // Cipher block chaining
+ CRYPTO_ALGORITHM_MODE_CBC = 3;
+ // Electronic codebook
+ CRYPTO_ALGORITHM_MODE_ECB = 4;
+ // Counter with cipher block chaining message authentication code
+ CRYPTO_ALGORITHM_MODE_CCM = 5;
+ // Galois/counter
+ CRYPTO_ALGORITHM_MODE_GCM = 6;
+ // Cipher feedback
+ CRYPTO_ALGORITHM_MODE_CFB = 7;
+ // Output feedback
+ CRYPTO_ALGORITHM_MODE_OFB = 8;
+ // Counter
+ CRYPTO_ALGORITHM_MODE_CTR = 9;
+ }
+
+ //
Padding
+ enum CryptoAlgorithmPadding {
+ // ProtoBuff's default value -- it differs from "unknown"
+ CRYPTO_ALGORITHM_PADDING_UNSPECIFIED = 0;
+ // The padding scheme is not known
+ CRYPTO_ALGORITHM_PADDING_UNKNOWN = 1;
+ // Another padding scheme - none of the following
+ CRYPTO_ALGORITHM_PADDING_OTHER = 2;
+ // Public Key Cryptography Standard: Password-Based Cryptography
+ CRYPTO_ALGORITHM_PADDING_PKCS5 = 3;
+ // Public Key Cryptography Standard: Cryptographic Message Syntax
+ CRYPTO_ALGORITHM_PADDING_PKCS7 = 4;
+ // Public Key Cryptography Standard: RSA Cryptography v1.5
+ CRYPTO_ALGORITHM_PADDING_PKCS1V15 = 5;
+ // Optimal asymmetric encryption padding
+ CRYPTO_ALGORITHM_PADDING_OAEP = 6;
+ // Raw
+ CRYPTO_ALGORITHM_PADDING_RAW = 7;
+ }
+
+ // Cryptographic functions
+ enum CryptoAlgorithmFunction {
+ // ProtoBuff's default value -- it differs from "unknown"
+ CRYPTO_ALGORITHM_FUNCTION_UNSPECIFIED = 0;
+ // meaning "there is some, but it is unclear which one"
+ CRYPTO_ALGORITHM_FUNCTION_UNKNOWN = 1;
+ // none of the following
+ CRYPTO_ALGORITHM_FUNCTION_OTHER = 2;
+ CRYPTO_ALGORITHM_FUNCTION_GENERATE = 3;
+ CRYPTO_ALGORITHM_FUNCTION_KEYGEN = 4;
+ CRYPTO_ALGORITHM_FUNCTION_ENCRYPT = 5;
+ CRYPTO_ALGORITHM_FUNCTION_DECRYPT = 6;
+ CRYPTO_ALGORITHM_FUNCTION_DIGEST = 7;
+ CRYPTO_ALGORITHM_FUNCTION_TAG = 8;
+ CRYPTO_ALGORITHM_FUNCTION_KEYDERIVE = 9;
+ CRYPTO_ALGORITHM_FUNCTION_SIGN = 10;
+ CRYPTO_ALGORITHM_FUNCTION_VERIFY = 11;
+ CRYPTO_ALGORITHM_FUNCTION_ENCAPSULATE = 12;
+ CRYPTO_ALGORITHM_FUNCTION_DECAPSULATE = 13;
+ }
+
+ // Cryptographic building blocks used in higher-level cryptographic systems and protocols. Primitives represent different cryptographic routines: deterministic random bit generators (drbg, e.g. CTR_DRBG from NIST SP800-90A-r1), message authentication codes (mac, e.g. HMAC-SHA-256), blockciphers (e.g. AES), streamciphers (e.g. Salsa20), signatures (e.g. ECDSA), hash functions (e.g. SHA-256), public-key encryption schemes (pke, e.g.
RSA), extended output functions (xof, e.g. SHAKE256), key derivation functions (e.g. pbkdf2), key agreement algorithms (e.g. ECDH), key encapsulation mechanisms (e.g. ML-KEM), authenticated encryption (ae, e.g. AES-GCM) and the combination of multiple algorithms (combiner, e.g. SP800-56Cr2).
+ optional CryptoPrimitive primitive = 1;
+ // An identifier for the parameter set of the cryptographic algorithm. Examples: in AES128, '128' identifies the key length in bits, in SHA256, '256' identifies the digest length, '128' in SHAKE128 identifies its maximum security level in bits, and 'SHA2-128s' identifies a parameter set used in SLH-DSA (FIPS205).
+ optional string parameterSetIdentifier = 2;
+ // The specific underlying Elliptic Curve (EC) definition employed which is an indicator of the level of security strength, performance and complexity. Absent an authoritative source of curve names, CycloneDX recommends use of curve names as defined at [https://neuromancer.sk/std/](https://neuromancer.sk/std/), the source from which can be found at [https://github.com/J08nY/std-curves](https://github.com/J08nY/std-curves).
+ optional string curve = 3;
+ // The target and execution environment in which the algorithm is implemented in.
+ optional CryptoExecutionEnvironment executionEnvironment = 4;
+ // The target platform for which the algorithm is implemented. The implementation can be 'generic', running on any platform or for a specific platform.
+ optional CryptoImplementationPlatform implementationPlatform = 5;
+ // The certification that the implementation of the cryptographic algorithm has received, if any. Certifications include revisions and levels of FIPS 140 or Common Criteria of different Extended Assurance Levels (CC-EAL).
+ repeated string certificationLevel = 6;
+ // The mode of operation in which the cryptographic algorithm (block cipher) is used.
+ optional CryptoAlgorithmMode mode = 7;
+ // The padding scheme that is used for the cryptographic algorithm.
+ optional CryptoAlgorithmPadding padding = 8;
+ // The cryptographic functions implemented by the cryptographic algorithm.
+ repeated CryptoAlgorithmFunction cryptoFunctions = 9;
+ // The classical security level that a cryptographic algorithm provides (in bits).
+ optional int32 classicalSecurityLevel = 10;
+ // The NIST security strength category as defined in https://csrc.nist.gov/projects/post-quantum-cryptography/post-quantum-cryptography-standardization/evaluation-criteria/security-(evaluation-criteria). A value of 0 indicates that none of the categories are met.
+ optional int32 nistQuantumSecurityLevel = 11;
+ } // end of AlgorithmProperties
+
+ // Certificate Properties
+ message CertificateProperties {
+ // The subject name for the certificate
+ optional string subjectName = 1;
+ // The issuer name for the certificate
+ optional string issuerName = 2;
+ // The date and time according to ISO-8601 standard from which the certificate is valid
+ optional google.protobuf.Timestamp notValidBefore = 3;
+ // The date and time according to ISO-8601 standard from which the certificate is not valid anymore
+ optional google.protobuf.Timestamp notValidAfter = 4;
+ // The bom-ref to signature algorithm used by the certificate
+ optional string signatureAlgorithmRef = 5;
+ // The bom-ref to the public key of the subject
+ optional string subjectPublicKeyRef = 6;
+ // The format of the certificate. Examples include X.509, PEM, DER, and CVC.
+ optional string certificateFormat = 7;
+ // The file extension of the certificate. Examples include crt, pem, cer, der, and p12.
+ optional string certificateExtension = 8;
+ } // end of CertificateProperties
+
+ // Related Cryptographic Material Properties
+ message RelatedCryptoMaterialProperties {
+
+ // relatedCryptoMaterialType
+ enum CryptoRelatedType {
+ // ProtoBuff's default value -- it differs from "unknown"
+ CRYPTO_RELATED_TYPE_UNSPECIFIED = 0;
+ // The type of cryptographic asset is not known.
+ CRYPTO_RELATED_TYPE_UNKNOWN = 1;
+ // Another type of cryptographic asset - none of the following
+ CRYPTO_RELATED_TYPE_OTHER = 2;
+ CRYPTO_RELATED_TYPE_PRIVATE_KEY = 3;
+ CRYPTO_RELATED_TYPE_PUBLIC_KEY = 4;
+ CRYPTO_RELATED_TYPE_SECRET_KEY = 5;
+ CRYPTO_RELATED_TYPE_KEY = 6;
+ CRYPTO_RELATED_TYPE_CIPHERTEXT = 7;
+ CRYPTO_RELATED_TYPE_SIGNATURE = 8;
+ CRYPTO_RELATED_TYPE_DIGEST = 9;
+ CRYPTO_RELATED_TYPE_INITIALIZATION_VECTOR = 10;
+ CRYPTO_RELATED_TYPE_NONCE = 11;
+ CRYPTO_RELATED_TYPE_SEED = 12;
+ CRYPTO_RELATED_TYPE_SALT = 13;
+ CRYPTO_RELATED_TYPE_SHARED_SECRET = 14;
+ CRYPTO_RELATED_TYPE_TAG = 15;
+ CRYPTO_RELATED_TYPE_ADDITIONAL_DATA = 16;
+ CRYPTO_RELATED_TYPE_PASSWORD = 17;
+ CRYPTO_RELATED_TYPE_CREDENTIAL = 18;
+ CRYPTO_RELATED_TYPE_TOKEN = 19;
+ }
+
+ // State
+ enum CryptoRelatedState {
+ // Default
+ CRYPTO_RELATED_STATE_UNSPECIFIED = 0;
+ CRYPTO_RELATED_STATE_PRE_ACTIVATION = 1;
+ CRYPTO_RELATED_STATE_ACTIVE = 2;
+ CRYPTO_RELATED_STATE_SUSPENDED = 3;
+ CRYPTO_RELATED_STATE_DEACTIVATED = 4;
+ CRYPTO_RELATED_STATE_COMPROMISED = 5;
+ CRYPTO_RELATED_STATE_DESTROYED = 6;
+ }
+
+ // Secured By
+ message CryptoRelatedSecuredBy {
+ // Specifies the mechanism by which the cryptographic asset is secured. Examples include HSM, TPM, SGX, Software, and None
+ optional string mechanism = 1;
+ // The bom-ref to the algorithm.
+ optional string algorithmRef = 2;
+ }
+
+ // The type for the related cryptographic material
+ optional CryptoRelatedType type = 1;
+ // The optional unique identifier for the related cryptographic material.
+ optional string id = 2;
+ // The key state as defined by NIST SP 800-57.
+ optional CryptoRelatedState state = 3;
+ // The bom-ref to the algorithm used to generate the related cryptographic material.
+ optional string algorithmRef = 4;
+ // The date and time (timestamp) when the related cryptographic material was created.
+ optional google.protobuf.Timestamp creationDate = 5;
+ // The date and time (timestamp) when the related cryptographic material was activated.
+ optional google.protobuf.Timestamp activationDate = 6;
+ // The date and time (timestamp) when the related cryptographic material was updated.
+ optional google.protobuf.Timestamp updateDate = 7;
+ // The date and time (timestamp) when the related cryptographic material expires.
+ optional google.protobuf.Timestamp expirationDate = 8;
+ // The associated value of the cryptographic material.
+ optional string value = 9;
+ // The size of the cryptographic asset (in bits).
+ optional int64 size = 10;
+ // The format of the related cryptographic material (e.g. P8, PEM, DER).
+ optional string format = 11;
+ // The mechanism by which the cryptographic asset is secured.
+ optional CryptoRelatedSecuredBy securedBy = 12;
+ } // end of RelatedCryptoMaterialProperties
+
+ // Protocol Properties
+ message ProtocolProperties {
+ enum CryptoProtocolType {
+ // ProtoBuff's default value -- it differs from "unknown"
+ CRYPTO_PROTOCOL_TYPE_UNSPECIFIED = 0;
+ // The protocol type is not known
+ CRYPTO_PROTOCOL_TYPE_UNKNOWN = 1;
+ // Another protocol type - none of the following
+ CRYPTO_PROTOCOL_TYPE_OTHER = 2;
+ // Transport Layer Security
+ CRYPTO_PROTOCOL_TYPE_TLS = 3;
+ // Secure Shell
+ CRYPTO_PROTOCOL_TYPE_SSH = 4;
+ // Internet Protocol Security
+ CRYPTO_PROTOCOL_TYPE_IPSEC = 5;
+ // Internet Key Exchange
+ CRYPTO_PROTOCOL_TYPE_IKE = 6;
+ // Secure Socket Tunneling Protocol
+ CRYPTO_PROTOCOL_TYPE_SSTP = 7;
+ // Wi-Fi Protected Access
+ CRYPTO_PROTOCOL_TYPE_WPA = 8;
+ }
+
+ // Object representing a cipher suite
+ message CryptoProtocolCipherSuite {
+ // A common name for the cipher suite. For example: TLS_DHE_RSA_WITH_AES_128_CCM
+ optional string name = 1;
+ // A list of algorithms related to the cipher suite. Use the bom-ref to the algorithm cryptographic asset.
+ repeated string algorithms = 2;
+ // A list of common identifiers for the cipher suite. For example: 0xC0 and 0x9E
+ repeated string identifiers = 3;
+ }
+
+ // IKEv2 Transform Types
+ message Ikev2TransformTypes {
+ // Transform Type 1: encryption algorithms
+ repeated string encr = 1;
+ // Transform Type 2: pseudorandom functions
+ repeated string prf = 2;
+ // Transform Type 3: integrity algorithms
+ repeated string integ = 3;
+ // Transform Type 4: Key Exchange Method (KE) per RFC9370, formerly called Diffie-Hellman Group (D-H)
+ repeated string ke = 4;
+ // Specifies if an Extended Sequence Number (ESN) is used.
+ optional bool esn = 5;
+ // IKEv2 Authentication method
+ repeated string auth = 6;
+ }
+
+ // The concrete protocol type.
+ optional CryptoProtocolType type = 1;
+ // The version of the protocol. Examples include 1.0, 1.2, and 1.99.
+ optional string version = 2;
+ // A list of cipher suites related to the protocol.
+ repeated CryptoProtocolCipherSuite cipherSuites = 3;
+ // The IKEv2 transform types supported (types 1-4), defined in RFC7296 section 3.3.2, and additional properties.
+ optional Ikev2TransformTypes ikev2TransformTypes = 4;
+ // The bom-ref(s) to protocol-related cryptographic assets
+ repeated string cryptoRef = 5;
+ } // end of ProtocolProperties
+
+ // Cryptographic assets occur in several forms. Algorithms and protocols are most commonly implemented in specialized cryptographic libraries. They may, however, also be 'hardcoded' in software components. Certificates and related cryptographic material like keys, tokens, secrets or passwords are other cryptographic assets to be modelled.
+ CryptoAssetType assetType = 1;
+ // Additional properties specific to a cryptographic algorithm.
+ optional AlgorithmProperties algorithmProperties = 2;
+ // Properties for cryptographic assets of asset type 'certificate'
+ optional CertificateProperties certificateProperties = 3;
+ // Properties for cryptographic assets of asset type: `related-crypto-material`
+ optional RelatedCryptoMaterialProperties relatedCryptoMaterialProperties = 4;
+ // Properties specific to cryptographic assets of type: `protocol`.
+ optional ProtocolProperties protocolProperties = 5;
+ // The object identifier (OID) of the cryptographic asset.
+ optional string oid = 6;
+}
diff --git a/schema/bom-1.6.schema.json b/schema/bom-1.6.schema.json
new file mode 100644
index 0000000..8bc9d3d
--- /dev/null
+++ b/schema/bom-1.6.schema.json
@@ -0,0 +1,5699 @@
+{
+ "$schema": "http://json-schema.org/draft-07/schema#",
+ "$id": "http://cyclonedx.org/schema/bom-1.6.schema.json",
+ "type": "object",
+ "title": "CycloneDX Bill of Materials Standard",
+ "$comment" : "CycloneDX JSON schema is published under the terms of the Apache License 2.0.",
+ "required": [
+ "bomFormat",
+ "specVersion"
+ ],
+ "additionalProperties": false,
+ "properties": {
+ "$schema": {
+ "type": "string"
+ },
+ "bomFormat": {
+ "type": "string",
+ "title": "BOM Format",
+ "description": "Specifies the format of the BOM. This helps to identify the file as CycloneDX since BOMs do not have a filename convention, nor does JSON schema support namespaces. This value must be \"CycloneDX\".",
+ "enum": [
+ "CycloneDX"
+ ]
+ },
+ "specVersion": {
+ "type": "string",
+ "title": "CycloneDX Specification Version",
+ "description": "The version of the CycloneDX specification the BOM conforms to.",
+ "examples": ["1.6"]
+ },
+ "serialNumber": {
+ "type": "string",
+ "title": "BOM Serial Number",
+ "description": "Every BOM generated SHOULD have a unique serial number, even if the contents of the BOM have not changed over time. If specified, the serial number must conform to [RFC 4122](https://www.ietf.org/rfc/rfc4122.html). Use of serial numbers is recommended.",
+ "examples": ["urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79"],
+ "pattern": "^urn:uuid:[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$"
+ },
+ "version": {
+ "type": "integer",
+ "title": "BOM Version",
+ "description": "Whenever an existing BOM is modified, either manually or through automated processes, the version of the BOM SHOULD be incremented by 1. When a system is presented with multiple BOMs with identical serial numbers, the system SHOULD use the most recent version of the BOM. The default version is '1'.",
+ "minimum": 1,
+ "default": 1,
+ "examples": [1]
+ },
+ "metadata": {
+ "$ref": "#/definitions/metadata",
+ "title": "BOM Metadata",
+ "description": "Provides additional information about a BOM."
+ },
+ "components": {
+ "type": "array",
+ "items": {"$ref": "#/definitions/component"},
+ "uniqueItems": true,
+ "title": "Components",
+ "description": "A list of software and hardware components."
+ },
+ "services": {
+ "type": "array",
+ "items": {"$ref": "#/definitions/service"},
+ "uniqueItems": true,
+ "title": "Services",
+ "description": "A list of services. This may include microservices, function-as-a-service, and other types of network or intra-process services."
+ },
+ "externalReferences": {
+ "type": "array",
+ "items": {"$ref": "#/definitions/externalReference"},
+ "title": "External References",
+ "description": "External references provide a way to document systems, sites, and information that may be relevant but are not included with the BOM. They may also establish specific relationships within or external to the BOM."
+ },
+ "dependencies": {
+ "type": "array",
+ "items": {"$ref": "#/definitions/dependency"},
+ "uniqueItems": true,
+ "title": "Dependencies",
+ "description": "Provides the ability to document dependency relationships including provided & implemented components."
+ },
+ "compositions": {
+ "type": "array",
+ "items": {"$ref": "#/definitions/compositions"},
+ "uniqueItems": true,
+ "title": "Compositions",
+ "description": "Compositions describe constituent parts (including components, services, and dependency relationships) and their completeness. The completeness of vulnerabilities expressed in a BOM may also be described."
+ },
+ "vulnerabilities": {
+ "type": "array",
+ "items": {"$ref": "#/definitions/vulnerability"},
+ "uniqueItems": true,
+ "title": "Vulnerabilities",
+ "description": "Vulnerabilities identified in components or services."
+ },
+ "annotations": {
+ "type": "array",
+ "items": {"$ref": "#/definitions/annotations"},
+ "uniqueItems": true,
+ "title": "Annotations",
+ "description": "Comments made by people, organizations, or tools about any object with a bom-ref, such as components, services, vulnerabilities, or the BOM itself. Unlike inventory information, annotations may contain opinions or commentary from various stakeholders. Annotations may be inline (with inventory) or externalized via BOM-Link and may optionally be signed."
+ },
+ "formulation": {
+ "type": "array",
+ "items": {"$ref": "#/definitions/formula"},
+ "uniqueItems": true,
+ "title": "Formulation",
+ "description": "Describes how a component or service was manufactured or deployed. This is achieved through the use of formulas, workflows, tasks, and steps, which declare the precise steps to reproduce along with the observed formulas describing the steps which transpired in the manufacturing process."
+ },
+ "declarations": {
+ "type": "object",
+ "title": "Declarations",
+ "description": "The list of declarations which describe the conformance to standards. Each declaration may include attestations, claims, and evidence.",
+ "additionalProperties": false,
+ "properties": {
+ "assessors": {
+ "type": "array",
+ "title": "Assessors",
+ "description": "The list of assessors evaluating claims and determining conformance to requirements and confidence in that assessment.",
+ "items": {
+ "type": "object",
+ "title": "Assessor",
+ "description": "The assessor who evaluates claims and determines conformance to requirements and confidence in that assessment.",
+ "additionalProperties": false,
+ "properties": {
+ "bom-ref": {
+ "$ref": "#/definitions/refType",
+ "title": "BOM Reference",
+ "description": "An optional identifier which can be used to reference the object elsewhere in the BOM. Every bom-ref must be unique within the BOM."
+ },
+ "thirdParty": {
+ "type": "boolean",
+ "title": "Third Party",
+ "description": "The boolean indicating if the assessor is outside the organization generating claims. A value of false indicates a self assessor."
+ },
+ "organization": {
+ "$ref": "#/definitions/organizationalEntity",
+ "title": "Organization",
+ "description": "The entity issuing the assessment."
+ }
+ }
+ }
+ },
+ "attestations": {
+ "type": "array",
+ "title": "Attestations",
+ "description": "The list of attestations asserted by an assessor that maps requirements to claims.",
+ "items": {
+ "type": "object",
+ "title": "Attestation",
+ "additionalProperties": false,
+ "properties": {
+ "summary": {
+ "type": "string",
+ "title": "Summary",
+ "description": "The short description explaining the main points of the attestation."
+ },
+ "assessor": {
+ "$ref": "#/definitions/refLinkType",
+ "title": "Assessor",
+ "description": "The `bom-ref` to the assessor asserting the attestation."
+ },
+ "map": {
+ "type": "array",
+ "title": "Map",
+ "description": "The grouping of requirements to claims and the attestors declared conformance and confidence thereof.",
+ "items": {
+ "type": "object",
+ "title": "Map",
+ "additionalProperties": false,
+ "properties": {
+ "requirement": {
+ "$ref": "#/definitions/refLinkType",
+ "title": "Requirement",
+ "description": "The `bom-ref` to the requirement being attested to."
+ },
+ "claims": {
+ "type": "array",
+ "title": "Claims",
+ "description": "The list of `bom-ref` to the claims being attested to.",
+ "items": { "$ref": "#/definitions/refLinkType" }
+ },
+ "counterClaims": {
+ "type": "array",
+ "title": "Counter Claims",
+ "description": "The list of `bom-ref` to the counter claims being attested to.",
+ "items": { "$ref": "#/definitions/refLinkType" }
+ },
+ "conformance": {
+ "type": "object",
+ "title": "Conformance",
+ "description": "The conformance of the claim meeting a requirement.",
+ "additionalProperties": false,
+ "properties": {
+ "score": {
+ "type": "number",
+ "minimum": 0,
+ "maximum": 1,
+ "title": "Score",
+ "description": "The conformance of the claim between and inclusive of 0 and 1, where 1 is 100% conformance."
+ },
+ "rationale": {
+ "type": "string",
+ "title": "Rationale",
+ "description": "The rationale for the conformance score."
+ },
+ "mitigationStrategies": {
+ "type": "array",
+ "title": "Mitigation Strategies",
+ "description": "The list of `bom-ref` to the evidence provided describing the mitigation strategies.",
+ "items": { "$ref": "#/definitions/refLinkType" }
+ }
+ }
+ },
+ "confidence": {
+ "type": "object",
+ "title": "Confidence",
+ "description": "The confidence of the claim meeting the requirement.",
+ "additionalProperties": false,
+ "properties": {
+ "score": {
+ "type": "number",
+ "minimum": 0,
+ "maximum": 1,
+ "title": "Score",
+ "description": "The confidence of the claim between and inclusive of 0 and 1, where 1 is 100% confidence."
+ },
+ "rationale": {
+ "type": "string",
+ "title": "Rationale",
+ "description": "The rationale for the confidence score."
+ }
+ }
+ }
+ }
+ }
+ },
+ "signature": {
+ "$ref": "#/definitions/signature",
+ "title": "Signature",
+ "description": "Enveloped signature in [JSON Signature Format (JSF)](https://cyberphone.github.io/doc/security/jsf.html)."
+ }
+ }
+ }
+ },
+ "claims": {
+ "type": "array",
+ "title": "Claims",
+ "description": "The list of claims.",
+ "items": {
+ "type": "object",
+ "title": "Claim",
+ "additionalProperties": false,
+ "properties": {
+ "bom-ref": {
+ "$ref": "#/definitions/refType",
+ "title": "BOM Reference",
+ "description": "An optional identifier which can be used to reference the object elsewhere in the BOM. Every bom-ref must be unique within the BOM."
+ },
+ "target": {
+ "$ref": "#/definitions/refLinkType",
+ "title": "Target",
+ "description": "The `bom-ref` to a target representing a specific system, application, API, module, team, person, process, business unit, company, etc... that this claim is being applied to."
+ },
+ "predicate": {
+ "type": "string",
+ "title": "Predicate",
+ "description": "The specific statement or assertion about the target."
+ },
+ "mitigationStrategies": {
+ "type": "array",
+ "title": "Mitigation Strategies",
+ "description": "The list of `bom-ref` to the evidence provided describing the mitigation strategies. Each mitigation strategy should include an explanation of how any weaknesses in the evidence will be mitigated.",
+ "items": { "$ref": "#/definitions/refLinkType" }
+ },
+ "reasoning": {
+ "type": "string",
+ "title": "Reasoning",
+ "description": "The written explanation of why the evidence provided substantiates the claim."
+ },
+ "evidence": {
+ "type": "array",
+ "title": "Evidence",
+ "description": "The list of `bom-ref` to evidence that supports this claim.",
+ "items": { "$ref": "#/definitions/refLinkType" }
+ },
+ "counterEvidence": {
+ "type": "array",
+ "title": "Counter Evidence",
+ "description": "The list of `bom-ref` to counterEvidence that supports this claim.",
+ "items": { "$ref": "#/definitions/refLinkType" }
+ },
+ "externalReferences": {
+ "type": "array",
+ "items": {"$ref": "#/definitions/externalReference"},
+ "title": "External References",
+ "description": "External references provide a way to document systems, sites, and information that may be relevant but are not included with the BOM. They may also establish specific relationships within or external to the BOM."
+ },
+ "signature": {
+ "$ref": "#/definitions/signature",
+ "title": "Signature",
+ "description": "Enveloped signature in [JSON Signature Format (JSF)](https://cyberphone.github.io/doc/security/jsf.html)."
+ }
+ }
+ }
+ },
+ "evidence": {
+ "type": "array",
+ "title": "Evidence",
+ "description": "The list of evidence",
+ "items": {
+ "type": "object",
+ "title": "Evidence",
+ "additionalProperties": false,
+ "properties": {
+ "bom-ref": {
+ "$ref": "#/definitions/refType",
+ "title": "BOM Reference",
+ "description": "An optional identifier which can be used to reference the object elsewhere in the BOM. Every bom-ref must be unique within the BOM."
+ },
+ "propertyName": {
+ "type": "string",
+ "title": "Property Name",
+ "description": "The reference to the property name as defined in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy/)."
+ },
+ "description": {
+ "type": "string",
+ "title": "Description",
+ "description": "The written description of what this evidence is and how it was created."
+ },
+ "data": {
+ "type": "array",
+ "title": "Data",
+ "description": "The output or analysis that supports claims.",
+ "items": {
+ "type": "object",
+ "title": "Data",
+ "additionalProperties": false,
+ "properties": {
+ "name": {
+ "title": "Data Name",
+ "description": "The name of the data.",
+ "type": "string"
+ },
+ "contents": {
+ "type": "object",
+ "title": "Data Contents",
+ "description": "The contents or references to the contents of the data being described.",
+ "additionalProperties": false,
+ "properties": {
+ "attachment": {
+ "title": "Data Attachment",
+ "description": "An optional way to include textual or encoded data.",
+ "$ref": "#/definitions/attachment"
+ },
+ "url": {
+ "type": "string",
+ "title": "Data URL",
+ "description": "The URL to where the data can be retrieved.",
+ "format": "iri-reference"
+ }
+ }
+ },
+ "classification": {
+ "$ref": "#/definitions/dataClassification"
+ },
+ "sensitiveData": {
+ "type": "array",
+ "title": "Sensitive Data",
+ "description": "A description of any sensitive data included.",
+ "items": {
+ "type": "string"
+ }
+ },
+ "governance": {
+ "title": "Data Governance",
+ "$ref": "#/definitions/dataGovernance"
+ }
+ }
+ }
+ },
+ "created": {
+ "type": "string",
+ "format": "date-time",
+ "title": "Created",
+ "description": "The date and time (timestamp) when the evidence was created."
+ },
+ "expires": {
+ "type": "string",
+ "format": "date-time",
+ "title": "Expires",
+ "description": "The optional date and time (timestamp) when the evidence is no longer valid."
+ },
+ "author": {
+ "$ref": "#/definitions/organizationalContact",
+ "title": "Author",
+ "description": "The author of the evidence."
+ },
+ "reviewer": {
+ "$ref": "#/definitions/organizationalContact",
+ "title": "Reviewer",
+ "description": "The reviewer of the evidence."
+ },
+ "signature": {
+ "$ref": "#/definitions/signature",
+ "title": "Signature",
+ "description": "Enveloped signature in [JSON Signature Format (JSF)](https://cyberphone.github.io/doc/security/jsf.html)."
+ }
+ }
+ }
+ },
+ "targets": {
+ "type": "object",
+ "title": "Targets",
+ "description": "The list of targets which claims are made against.",
+ "additionalProperties": false,
+ "properties": {
+ "organizations": {
+ "type": "array",
+ "title": "Organizations",
+ "description": "The list of organizations which claims are made against.",
+ "items": {"$ref": "#/definitions/organizationalEntity"}
+ },
+ "components": {
+ "type": "array",
+ "title": "Components",
+ "description": "The list of components which claims are made against.",
+ "items": {"$ref": "#/definitions/component"}
+ },
+ "services": {
+ "type": "array",
+ "title": "Services",
+ "description": "The list of services which claims are made against.",
+ "items": {"$ref": "#/definitions/service"}
+ }
+ }
+ },
+ "affirmation": {
+ "type": "object",
+ "title": "Affirmation",
+ "description": "A concise statement affirmed by an individual regarding all declarations, often used for third-party auditor acceptance or recipient acknowledgment. It includes a list of authorized signatories who assert the validity of the document on behalf of the organization.",
+ "additionalProperties": false,
+ "properties": {
+ "statement": {
+ "type": "string",
+ "title": "Statement",
+ "description": "The brief statement affirmed by an individual regarding all declarations.\n*- Notes This could be an affirmation of acceptance by a third-party auditor or receiving individual of a file.",
+ "examples": [ "I certify, to the best of my knowledge, that all information is correct." ]
+ },
+ "signatories": {
+ "type": "array",
+ "title": "Signatories",
+ "description": "The list of signatories authorized on behalf of an organization to assert validity of this document.",
+ "items": {
+ "type": "object",
+ "title": "Signatory",
+ "additionalProperties": false,
+ "oneOf": [
+ {
+ "required": ["signature"]
+ },
+ {
+ "required": ["externalReference", "organization"]
+ }
+ ],
+ "properties": {
+ "name": {
+ "type": "string",
+ "title": "Name",
+ "description": "The signatory's name."
+ },
+ "role": {
+ "type": "string",
+ "title": "Role",
+ "description": "The signatory's role within an organization."
+ },
+ "signature": {
+ "$ref": "#/definitions/signature",
+ "title": "Signature",
+ "description": "Enveloped signature in [JSON Signature Format (JSF)](https://cyberphone.github.io/doc/security/jsf.html)."
+ },
+ "organization": {
+ "$ref": "#/definitions/organizationalEntity",
+ "title": "Organization",
+ "description": "The signatory's organization."
+ },
+ "externalReference": {
+ "$ref": "#/definitions/externalReference",
+ "title": "External Reference",
+ "description": "External references provide a way to document systems, sites, and information that may be relevant but are not included with the BOM. They may also establish specific relationships within or external to the BOM."
+ }
+ }
+ }
+ },
+ "signature": {
+ "$ref": "#/definitions/signature",
+ "title": "Signature",
+ "description": "Enveloped signature in [JSON Signature Format (JSF)](https://cyberphone.github.io/doc/security/jsf.html)."
+ }
+ }
+ },
+ "signature": {
+ "$ref": "#/definitions/signature",
+ "title": "Signature",
+ "description": "Enveloped signature in [JSON Signature Format (JSF)](https://cyberphone.github.io/doc/security/jsf.html)."
+ }
+ }
+ },
+ "definitions": {
+ "type": "object",
+ "title": "Definitions",
+ "description": "A collection of reusable objects that are defined and may be used elsewhere in the BOM.",
+ "additionalProperties": false,
+ "properties": {
+ "standards": {
+ "type": "array",
+ "title": "Standards",
+ "description": "The list of standards which may consist of regulations, industry or organizational-specific standards, maturity models, best practices, or any other requirements which can be evaluated against or attested to.",
+ "items": {
+ "$ref": "#/definitions/standard"
+ }
+ }
+ }
+ },
+ "properties": {
+ "type": "array",
+ "title": "Properties",
+ "description": "Provides the ability to document properties in a name-value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. Unlike key-value stores, properties support duplicate names, each potentially having different values. Property names of interest to the general public are encouraged to be registered in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy). Formal registration is optional.",
+ "items": {
+ "$ref": "#/definitions/property"
+ }
+ },
+ "signature": {
+ "$ref": "#/definitions/signature",
+ "title": "Signature",
+ "description": "Enveloped signature in [JSON Signature Format (JSF)](https://cyberphone.github.io/doc/security/jsf.html)."
+ }
+ },
+ "definitions": {
+ "refType": {
+ "description": "Identifier for referable and therefore interlinkable elements.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links.",
+ "type": "string",
+ "minLength": 1,
+ "$comment": "TODO (breaking change): add a format constraint that prevents the value from staring with 'urn:cdx:'"
+ },
+ "refLinkType": {
+ "description": "Descriptor for an element identified by the attribute 'bom-ref' in the same BOM document.\nIn contrast to `bomLinkElementType`.",
+ "$ref": "#/definitions/refType"
+ },
+ "bomLinkDocumentType": {
+ "title": "BOM-Link Document",
+ "description": "Descriptor for another BOM document. See https://cyclonedx.org/capabilities/bomlink/",
+ "type": "string",
+ "format": "iri-reference",
+ "pattern": "^urn:cdx:[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}/[1-9][0-9]*$",
+ "$comment": "part of the pattern is based on `bom.serialNumber`'s pattern"
+ },
+ "bomLinkElementType": {
+ "title": "BOM-Link Element",
+ "description": "Descriptor for an element in a BOM document. See https://cyclonedx.org/capabilities/bomlink/",
+ "type": "string",
+ "format": "iri-reference",
+ "pattern": "^urn:cdx:[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}/[1-9][0-9]*#.+$",
+ "$comment": "part of the pattern is based on `bom.serialNumber`'s pattern"
+ },
+ "bomLink": {
+ "title": "BOM-Link",
+ "anyOf": [
+ {
+ "title": "BOM-Link Document",
+ "$ref": "#/definitions/bomLinkDocumentType"
+ },
+ {
+ "title": "BOM-Link Element",
+ "$ref": "#/definitions/bomLinkElementType"
+ }
+ ]
+ },
+ "metadata": {
+ "type": "object",
+ "title": "BOM Metadata",
+ "additionalProperties": false,
+ "properties": {
+ "timestamp": {
+ "type": "string",
+ "format": "date-time",
+ "title": "Timestamp",
+ "description": "The date and time (timestamp) when the BOM was created."
+ },
+ "lifecycles": {
+ "type": "array",
+ "title": "Lifecycles",
+ "description": "Lifecycles communicate the stage(s) in which data in the BOM was captured. Different types of data may be available at various phases of a lifecycle, such as the Software Development Lifecycle (SDLC), IT Asset Management (ITAM), and Software Asset Management (SAM). Thus, a BOM may include data specific to or only obtainable in a given lifecycle.",
+ "items": {
+ "type": "object",
+ "title": "Lifecycle",
+ "description": "The product lifecycle(s) that this BOM represents.",
+ "oneOf": [
+ {
+ "title": "Pre-Defined Phase",
+ "required": ["phase"],
+ "additionalProperties": false,
+ "properties": {
+ "phase": {
+ "type": "string",
+ "title": "Phase",
+ "description": "A pre-defined phase in the product lifecycle.",
+ "enum": [
+ "design",
+ "pre-build",
+ "build",
+ "post-build",
+ "operations",
+ "discovery",
+ "decommission"
+ ],
+ "meta:enum": {
+ "design": "BOM produced early in the development lifecycle containing an inventory of components and services that are proposed or planned to be used. The inventory may need to be procured, retrieved, or resourced prior to use.",
+ "pre-build": "BOM consisting of information obtained prior to a build process and may contain source files and development artifacts and manifests. The inventory may need to be resolved and retrieved prior to use.",
+ "build": "BOM consisting of information obtained during a build process where component inventory is available for use. The precise versions of resolved components are usually available at this time as well as the provenance of where the components were retrieved from.",
+ "post-build": "BOM consisting of information obtained after a build process has completed and the resulting components(s) are available for further analysis. Built components may exist as the result of a CI/CD process, may have been installed or deployed to a system or device, and may need to be retrieved or extracted from the system or device.",
+ "operations": "BOM produced that represents inventory that is running and operational. This may include staging or production environments and will generally encompass multiple SBOMs describing the applications and operating system, along with HBOMs describing the hardware that makes up the system. Operations Bill of Materials (OBOM) can provide full-stack inventory of runtime environments, configurations, and additional dependencies.",
+ "discovery": "BOM consisting of information observed through network discovery providing point-in-time enumeration of embedded, on-premise, and cloud-native services such as server applications, connected devices, microservices, and serverless functions.",
+ "decommission": "BOM containing inventory that will be, or has been retired from operations."
+ }
+ }
+ }
+ },
+ {
+ "title": "Custom Phase",
+ "required": ["name"],
+ "additionalProperties": false,
+ "properties": {
+ "name": {
+ "type": "string",
+ "title": "Name",
+ "description": "The name of the lifecycle phase"
+ },
+ "description": {
+ "type": "string",
+ "title": "Description",
+ "description": "The description of the lifecycle phase"
+ }
+ }
+ }
+ ]
+ }
+ },
+ "tools": {
+ "title": "Tools",
+ "description": "The tool(s) used in the creation, enrichment, and validation of the BOM.",
+ "oneOf": [
+ {
+ "type": "object",
+ "title": "Tools",
+ "description": "The tool(s) used in the creation, enrichment, and validation of the BOM.",
+ "additionalProperties": false,
+ "properties": {
+ "components": {
+ "type": "array",
+ "items": {"$ref": "#/definitions/component"},
+ "uniqueItems": true,
+ "title": "Components",
+ "description": "A list of software and hardware components used as tools."
+ }, + "services": { + "type": "array", + "items": {"$ref": "#/definitions/service"}, + "uniqueItems": true, + "title": "Services", + "description": "A list of services used as tools. This may include microservices, function-as-a-service, and other types of network or intra-process services." + } + } + }, + { + "type": "array", + "title": "Tools (legacy)", + "description": "[Deprecated] The tool(s) used in the creation, enrichment, and validation of the BOM.", + "items": {"$ref": "#/definitions/tool"} + } + ] + }, + "manufacturer": { + "title": "BOM Manufacturer", + "description": "The organization that created the BOM.\nManufacturer is common in BOMs created through automated processes. BOMs created through manual means may have `@.authors` instead.", + "$ref": "#/definitions/organizationalEntity" + }, + "authors": { + "type": "array", + "title": "BOM Authors", + "description": "The person(s) who created the BOM.\nAuthors are common in BOMs created through manual processes. BOMs created through automated means may have `@.manufacturer` instead.", + "items": {"$ref": "#/definitions/organizationalContact"} + }, + "component": { + "title": "Component", + "description": "The component that the BOM describes.", + "$ref": "#/definitions/component" + }, + "manufacture": { + "deprecated": true, + "title": "Component Manufacture (legacy)", + "description": "[Deprecated] This will be removed in a future version. Use the `@.component.manufacturer` instead.\nThe organization that manufactured the component that the BOM describes.", + "$ref": "#/definitions/organizationalEntity" + }, + "supplier": { + "title": "Supplier", + "description": " The organization that supplied the component that the BOM describes. 
The supplier may often be the manufacturer, but may also be a distributor or repackager.", + "$ref": "#/definitions/organizationalEntity" + }, + "licenses": { + "title": "BOM License(s)", + "description": "The license information for the BOM document.\nThis may be different from the license(s) of the component(s) that the BOM describes.", + "$ref": "#/definitions/licenseChoice" + }, + "properties": { + "type": "array", + "title": "Properties", + "description": "Provides the ability to document properties in a name-value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. Unlike key-value stores, properties support duplicate names, each potentially having different values. Property names of interest to the general public are encouraged to be registered in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy). Formal registration is optional.", + "items": {"$ref": "#/definitions/property"} + } + } + }, + "tool": { + "type": "object", + "title": "Tool", + "description": "[Deprecated] This will be removed in a future version. Use component or service instead. Information about the automated or manual tool used", + "additionalProperties": false, + "properties": { + "vendor": { + "type": "string", + "title": "Tool Vendor", + "description": "The name of the vendor who created the tool" + }, + "name": { + "type": "string", + "title": "Tool Name", + "description": "The name of the tool" + }, + "version": { + "$ref": "#/definitions/version", + "title": "Tool Version", + "description": "The version of the tool" + }, + "hashes": { + "type": "array", + "items": {"$ref": "#/definitions/hash"}, + "title": "Hashes", + "description": "The hashes of the tool (if applicable)." 
+ }, + "externalReferences": { + "type": "array", + "items": {"$ref": "#/definitions/externalReference"}, + "title": "External References", + "description": "External references provide a way to document systems, sites, and information that may be relevant, but are not included with the BOM. They may also establish specific relationships within or external to the BOM." + } + } + }, + "organizationalEntity": { + "type": "object", + "title": "Organizational Entity", + "additionalProperties": false, + "properties": { + "bom-ref": { + "$ref": "#/definitions/refType", + "title": "BOM Reference", + "description": "An optional identifier which can be used to reference the object elsewhere in the BOM. Every bom-ref must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links." + }, + "name": { + "type": "string", + "title": "Organization Name", + "description": "The name of the organization", + "examples": [ + "Example Inc." + ] + }, + "address": { + "$ref": "#/definitions/postalAddress", + "title": "Organization Address", + "description": "The physical address (location) of the organization" + }, + "url": { + "type": "array", + "items": { + "type": "string", + "format": "iri-reference" + }, + "title": "Organization URL(s)", + "description": "The URL of the organization. Multiple URLs are allowed.", + "examples": ["https://example.com"] + }, + "contact": { + "type": "array", + "title": "Organizational Contact", + "description": "A contact at the organization. Multiple contacts are allowed.", + "items": {"$ref": "#/definitions/organizationalContact"} + } + } + }, + "organizationalContact": { + "type": "object", + "title": "Organizational Contact", + "additionalProperties": false, + "properties": { + "bom-ref": { + "$ref": "#/definitions/refType", + "title": "BOM Reference", + "description": "An optional identifier which can be used to reference the object elsewhere in the BOM. 
Every bom-ref must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links." + }, + "name": { + "type": "string", + "title": "Name", + "description": "The name of a contact", + "examples": ["Contact name"] + }, + "email": { + "type": "string", + "format": "idn-email", + "title": "Email Address", + "description": "The email address of the contact.", + "examples": ["firstname.lastname@example.com"] + }, + "phone": { + "type": "string", + "title": "Phone", + "description": "The phone number of the contact.", + "examples": ["800-555-1212"] + } + } + }, + "component": { + "type": "object", + "title": "Component", + "required": [ + "type", + "name" + ], + "additionalProperties": false, + "properties": { + "type": { + "type": "string", + "enum": [ + "application", + "framework", + "library", + "container", + "platform", + "operating-system", + "device", + "device-driver", + "firmware", + "file", + "machine-learning-model", + "data", + "cryptographic-asset" + ], + "meta:enum": { + "application": "A software application. Refer to [https://en.wikipedia.org/wiki/Application_software](https://en.wikipedia.org/wiki/Application_software) for information about applications.", + "framework": "A software framework. Refer to [https://en.wikipedia.org/wiki/Software_framework](https://en.wikipedia.org/wiki/Software_framework) for information on how frameworks vary slightly from libraries.", + "library": "A software library. Refer to [https://en.wikipedia.org/wiki/Library_(computing)](https://en.wikipedia.org/wiki/Library_(computing)) for information about libraries. All third-party and open source reusable components will likely be a library. If the library also has key features of a framework, then it should be classified as a framework. 
If not, or is unknown, then specifying library is recommended.", + "container": "A packaging and/or runtime format, not specific to any particular technology, which isolates software inside the container from software outside of a container through virtualization technology. Refer to [https://en.wikipedia.org/wiki/OS-level_virtualization](https://en.wikipedia.org/wiki/OS-level_virtualization).", + "platform": "A runtime environment which interprets or executes software. This may include runtimes such as those that execute bytecode or low-code/no-code application platforms.", + "operating-system": "A software operating system without regard to deployment model (i.e. installed on physical hardware, virtual machine, image, etc) Refer to [https://en.wikipedia.org/wiki/Operating_system](https://en.wikipedia.org/wiki/Operating_system).", + "device": "A hardware device such as a processor or chip-set. A hardware device containing firmware SHOULD include a component for the physical hardware itself and another component of type 'firmware' or 'operating-system' (whichever is relevant), describing information about the software running on the device. See also the list of [known device properties](https://github.com/CycloneDX/cyclonedx-property-taxonomy/blob/main/cdx/device.md).", + "device-driver": "A special type of software that operates or controls a particular type of device. Refer to [https://en.wikipedia.org/wiki/Device_driver](https://en.wikipedia.org/wiki/Device_driver).", + "firmware": "A special type of software that provides low-level control over a device's hardware. Refer to [https://en.wikipedia.org/wiki/Firmware](https://en.wikipedia.org/wiki/Firmware).", + "file": "A computer file. 
Refer to [https://en.wikipedia.org/wiki/Computer_file](https://en.wikipedia.org/wiki/Computer_file) for information about files.", + "machine-learning-model": "A model based on training data that can make predictions or decisions without being explicitly programmed to do so.", + "data": "A collection of discrete values that convey information.", + "cryptographic-asset": "A cryptographic asset including algorithms, protocols, certificates, keys, tokens, and secrets." + }, + "title": "Component Type", + "description": "Specifies the type of component. For software components, classify as application if no more specific appropriate classification is available or cannot be determined for the component.", + "examples": ["library"] + }, + "mime-type": { + "type": "string", + "title": "Mime-Type", + "description": "The optional mime-type of the component. When used on file components, the mime-type can provide additional context about the kind of file being represented, such as an image, font, or executable. Some library or framework components may also have an associated mime-type.", + "examples": ["image/jpeg"], + "pattern": "^[-+a-z0-9.]+/[-+a-z0-9.]+$" + }, + "bom-ref": { + "$ref": "#/definitions/refType", + "title": "BOM Reference", + "description": "An optional identifier which can be used to reference the component elsewhere in the BOM. Every bom-ref must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links." + }, + "supplier": { + "title": "Component Supplier", + "description": " The organization that supplied the component. The supplier may often be the manufacturer, but may also be a distributor or repackager.", + "$ref": "#/definitions/organizationalEntity" + }, + "manufacturer": { + "title": "Component Manufacturer", + "description": "The organization that created the component.\nManufacturer is common in components created through automated processes. 
Components created through manual means may have `@.authors` instead.", + "$ref": "#/definitions/organizationalEntity" + }, + "authors" :{ + "type": "array", + "title": "Component Authors", + "description": "The person(s) who created the component.\nAuthors are common in components created through manual processes. Components created through automated means may have `@.manufacturer` instead.", + "items": {"$ref": "#/definitions/organizationalContact"} + }, + "author": { + "deprecated": true, + "type": "string", + "title": "Component Author (legacy)", + "description": "[Deprecated] This will be removed in a future version. Use `@.authors` or `@.manufacturer` instead.\nThe person(s) or organization(s) that authored the component", + "examples": ["Acme Inc"] + }, + "publisher": { + "type": "string", + "title": "Component Publisher", + "description": "The person(s) or organization(s) that published the component", + "examples": ["Acme Inc"] + }, + "group": { + "type": "string", + "title": "Component Group", + "description": "The grouping name or identifier. This will often be a shortened, single name of the company or project that produced the component, or the source package or domain name. Whitespace and special characters should be avoided. Examples include: apache, org.apache.commons, and apache.org.", + "examples": ["com.acme"] + }, + "name": { + "type": "string", + "title": "Component Name", + "description": "The name of the component. This will often be a shortened, single name of the component. Examples: commons-lang3 and jquery", + "examples": ["tomcat-catalina"] + }, + "version": { + "$ref": "#/definitions/version", + "title": "Component Version", + "description": "The component version. The version should ideally comply with semantic versioning but is not enforced." 
+ }, + "description": { + "type": "string", + "title": "Component Description", + "description": "Specifies a description for the component" + }, + "scope": { + "type": "string", + "enum": [ + "required", + "optional", + "excluded" + ], + "meta:enum": { + "required": "The component is required for runtime", + "optional": "The component is optional at runtime. Optional components are components that are not capable of being called due to them not being installed or otherwise accessible by any means. Components that are installed but due to configuration or other restrictions are prohibited from being called must be scoped as 'required'.", + "excluded": "Components that are excluded provide the ability to document component usage for test and other non-runtime purposes. Excluded components are not reachable within a call graph at runtime." + }, + "title": "Component Scope", + "description": "Specifies the scope of the component. If scope is not specified, 'required' scope SHOULD be assumed by the consumer of the BOM.", + "default": "required" + }, + "hashes": { + "type": "array", + "title": "Component Hashes", + "description": "The hashes of the component.", + "items": {"$ref": "#/definitions/hash"} + }, + "licenses": { + "$ref": "#/definitions/licenseChoice", + "title": "Component License(s)" + }, + "copyright": { + "type": "string", + "title": "Component Copyright", + "description": "A copyright notice informing users of the underlying claims to copyright ownership in a published work.", + "examples": ["Acme Inc"] + }, + "cpe": { + "type": "string", + "title": "Common Platform Enumeration (CPE)", + "description": "Asserts the identity of the component using CPE. The CPE must conform to the CPE 2.2 or 2.3 specification. See [https://nvd.nist.gov/products/cpe](https://nvd.nist.gov/products/cpe). 
Refer to `@.evidence.identity` to optionally provide evidence that substantiates the assertion of the component's identity.", + "examples": ["cpe:2.3:a:acme:component_framework:-:*:*:*:*:*:*:*"] + }, + "purl": { + "type": "string", + "title": "Package URL (purl)", + "description": "Asserts the identity of the component using package-url (purl). The purl, if specified, must be valid and conform to the specification defined at: [https://github.com/package-url/purl-spec](https://github.com/package-url/purl-spec). Refer to `@.evidence.identity` to optionally provide evidence that substantiates the assertion of the component's identity.", + "examples": ["pkg:maven/com.acme/tomcat-catalina@9.0.14?packaging=jar"] + }, + "omniborId": { + "type": "array", + "title": "OmniBOR Artifact Identifier (gitoid)", + "description": "Asserts the identity of the component using the OmniBOR Artifact ID. The OmniBOR, if specified, must be valid and conform to the specification defined at: [https://www.iana.org/assignments/uri-schemes/prov/gitoid](https://www.iana.org/assignments/uri-schemes/prov/gitoid). Refer to `@.evidence.identity` to optionally provide evidence that substantiates the assertion of the component's identity.", + "items": { "type": "string" }, + "examples": [ + "gitoid:blob:sha1:a94a8fe5ccb19ba61c4c0873d391e987982fbbd3", + "gitoid:blob:sha256:9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08" + ] + }, + "swhid": { + "type": "array", + "title": "Software Heritage Identifier", + "description": "Asserts the identity of the component using the Software Heritage persistent identifier (SWHID). The SWHID, if specified, must be valid and conform to the specification defined at: [https://docs.softwareheritage.org/devel/swh-model/persistent-identifiers.html](https://docs.softwareheritage.org/devel/swh-model/persistent-identifiers.html). 
Refer to `@.evidence.identity` to optionally provide evidence that substantiates the assertion of the component's identity.", + "items": { "type": "string" }, + "examples": ["swh:1:cnt:94a9ed024d3859793618152ea559a168bbcbb5e2"] + }, + "swid": { + "$ref": "#/definitions/swid", + "title": "SWID Tag", + "description": "Asserts the identity of the component using [ISO-IEC 19770-2 Software Identification (SWID) Tags](https://www.iso.org/standard/65666.html). Refer to `@.evidence.identity` to optionally provide evidence that substantiates the assertion of the component's identity." + }, + "modified": { + "type": "boolean", + "title": "Component Modified From Original", + "description": "[Deprecated] This will be removed in a future version. Use the pedigree element instead to supply information on exactly how the component was modified. A boolean value indicating if the component has been modified from the original. A value of true indicates the component is a derivative of the original. A value of false indicates the component has not been modified from the original." + }, + "pedigree": { + "type": "object", + "title": "Component Pedigree", + "description": "Component pedigree is a way to document complex supply chain scenarios where components are created, distributed, modified, redistributed, combined with other components, etc. Pedigree supports viewing this complex chain from the beginning, the end, or anywhere in the middle. It also provides a way to document variants where the exact relation may not be known.", + "additionalProperties": false, + "properties": { + "ancestors": { + "type": "array", + "title": "Ancestors", + "description": "Describes zero or more components in which a component is derived from. This is commonly used to describe forks from existing projects where the forked version contains a ancestor node containing the original component it was forked from. For example, Component A is the original component. 
Component B is the component being used and documented in the BOM. However, Component B contains a pedigree node with a single ancestor documenting Component A - the original component from which Component B is derived from.", + "items": {"$ref": "#/definitions/component"} + }, + "descendants": { + "type": "array", + "title": "Descendants", + "description": "Descendants are the exact opposite of ancestors. This provides a way to document all forks (and their forks) of an original or root component.", + "items": {"$ref": "#/definitions/component"} + }, + "variants": { + "type": "array", + "title": "Variants", + "description": "Variants describe relations where the relationship between the components is not known. For example, if Component A contains nearly identical code to Component B. They are both related, but it is unclear if one is derived from the other, or if they share a common ancestor.", + "items": {"$ref": "#/definitions/component"} + }, + "commits": { + "type": "array", + "title": "Commits", + "description": "A list of zero or more commits which provide a trail describing how the component deviates from an ancestor, descendant, or variant.", + "items": {"$ref": "#/definitions/commit"} + }, + "patches": { + "type": "array", + "title": "Patches", + "description": ">A list of zero or more patches describing how the component deviates from an ancestor, descendant, or variant. Patches may be complementary to commits or may be used in place of commits.", + "items": {"$ref": "#/definitions/patch"} + }, + "notes": { + "type": "string", + "title": "Notes", + "description": "Notes, observations, and other non-structured commentary describing the components pedigree." + } + } + }, + "externalReferences": { + "type": "array", + "items": {"$ref": "#/definitions/externalReference"}, + "title": "External References", + "description": "External references provide a way to document systems, sites, and information that may be relevant but are not included with the BOM. 
They may also establish specific relationships within or external to the BOM." + }, + "components": { + "type": "array", + "items": {"$ref": "#/definitions/component"}, + "uniqueItems": true, + "title": "Components", + "description": "A list of software and hardware components included in the parent component. This is not a dependency tree. It provides a way to specify a hierarchical representation of component assemblies, similar to system → subsystem → parts assembly in physical supply chains." + }, + "evidence": { + "$ref": "#/definitions/componentEvidence", + "title": "Evidence", + "description": "Provides the ability to document evidence collected through various forms of extraction or analysis." + }, + "releaseNotes": { + "$ref": "#/definitions/releaseNotes", + "title": "Release notes", + "description": "Specifies optional release notes." + }, + "modelCard": { + "$ref": "#/definitions/modelCard", + "title": "AI/ML Model Card" + }, + "data": { + "type": "array", + "items": {"$ref": "#/definitions/componentData"}, + "title": "Data", + "description": "This object SHOULD be specified for any component of type `data` and must not be specified for other component types." + }, + "cryptoProperties": { + "$ref": "#/definitions/cryptoProperties", + "title": "Cryptographic Properties" + }, + "properties": { + "type": "array", + "title": "Properties", + "description": "Provides the ability to document properties in a name-value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. Unlike key-value stores, properties support duplicate names, each potentially having different values. Property names of interest to the general public are encouraged to be registered in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy). 
Formal registration is optional.", + "items": {"$ref": "#/definitions/property"} + }, + "tags": { + "$ref": "#/definitions/tags", + "title": "Tags" + }, + "signature": { + "$ref": "#/definitions/signature", + "title": "Signature", + "description": "Enveloped signature in [JSON Signature Format (JSF)](https://cyberphone.github.io/doc/security/jsf.html)." + } + } + }, + "swid": { + "type": "object", + "title": "SWID Tag", + "description": "Specifies metadata and content for ISO-IEC 19770-2 Software Identification (SWID) Tags.", + "required": [ + "tagId", + "name" + ], + "additionalProperties": false, + "properties": { + "tagId": { + "type": "string", + "title": "Tag ID", + "description": "Maps to the tagId of a SoftwareIdentity." + }, + "name": { + "type": "string", + "title": "Name", + "description": "Maps to the name of a SoftwareIdentity." + }, + "version": { + "type": "string", + "title": "Version", + "default": "0.0", + "description": "Maps to the version of a SoftwareIdentity." + }, + "tagVersion": { + "type": "integer", + "title": "Tag Version", + "default": 0, + "description": "Maps to the tagVersion of a SoftwareIdentity." + }, + "patch": { + "type": "boolean", + "title": "Patch", + "default": false, + "description": "Maps to the patch of a SoftwareIdentity." 
+ }, + "text": { + "title": "Attachment text", + "description": "Specifies the metadata and content of the SWID tag.", + "$ref": "#/definitions/attachment" + }, + "url": { + "type": "string", + "title": "URL", + "description": "The URL to the SWID file.", + "format": "iri-reference" + } + } + }, + "attachment": { + "type": "object", + "title": "Attachment", + "description": "Specifies the metadata and content for an attachment.", + "required": [ + "content" + ], + "additionalProperties": false, + "properties": { + "contentType": { + "type": "string", + "title": "Content-Type", + "description": "Specifies the format and nature of the data being attached, helping systems correctly interpret and process the content. Common content type examples include `application/json` for JSON data and `text/plain` for plan text documents.\n [RFC 2045 section 5.1](https://www.ietf.org/rfc/rfc2045.html#section-5.1) outlines the structure and use of content types. For a comprehensive list of registered content types, refer to the [IANA media types registry](https://www.iana.org/assignments/media-types/media-types.xhtml).", + "default": "text/plain", + "examples": [ + "text/plain", + "application/json", + "image/png" + ] + }, + "encoding": { + "type": "string", + "title": "Encoding", + "description": "Specifies the optional encoding the text is represented in.", + "enum": [ + "base64" + ], + "meta:enum": { + "base64": "Base64 is a binary-to-text encoding scheme that represents binary data in an ASCII string." + } + }, + "content": { + "type": "string", + "title": "Attachment Text", + "description": "The attachment data. Proactive controls such as input validation and sanitization should be employed to prevent misuse of attachment text." 
+ } + } + }, + "hash": { + "type": "object", + "title": "Hash", + "required": [ + "alg", + "content" + ], + "additionalProperties": false, + "properties": { + "alg": { + "$ref": "#/definitions/hash-alg" + }, + "content": { + "$ref": "#/definitions/hash-content" + } + } + }, + "hash-alg": { + "type": "string", + "title": "Hash Algorithm", + "description": "The algorithm that generated the hash value.", + "enum": [ + "MD5", + "SHA-1", + "SHA-256", + "SHA-384", + "SHA-512", + "SHA3-256", + "SHA3-384", + "SHA3-512", + "BLAKE2b-256", + "BLAKE2b-384", + "BLAKE2b-512", + "BLAKE3" + ] + }, + "hash-content": { + "type": "string", + "title": "Hash Value", + "description": "The value of the hash.", + "examples": ["3942447fac867ae5cdb3229b658f4d48"], + "pattern": "^([a-fA-F0-9]{32}|[a-fA-F0-9]{40}|[a-fA-F0-9]{64}|[a-fA-F0-9]{96}|[a-fA-F0-9]{128})$" + }, + "license": { + "type": "object", + "title": "License", + "description": "Specifies the details and attributes related to a software license. It can either include a valid SPDX license identifier or a named license, along with additional properties such as license acknowledgment, comprehensive commercial licensing information, and the full text of the license.", + "oneOf": [ + { + "required": ["id"] + }, + { + "required": ["name"] + } + ], + "additionalProperties": false, + "properties": { + "bom-ref": { + "$ref": "#/definitions/refType", + "title": "BOM Reference", + "description": "An optional identifier which can be used to reference the license elsewhere in the BOM. Every bom-ref must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links." + }, + "id": { + "$ref": "spdx.schema.json", + "title": "License ID (SPDX)", + "description": "A valid SPDX license identifier. 
If specified, this value must be one of the enumeration of valid SPDX license identifiers defined in the spdx.schema.json (or spdx.xml) subschema which is synchronized with the official SPDX license list.", + "examples": ["Apache-2.0"] + }, + "name": { + "type": "string", + "title": "License Name", + "description": "The name of the license. This may include the name of a commercial or proprietary license or an open source license that may not be defined by SPDX.", + "examples": ["Acme Software License"] + }, + "acknowledgement": { + "$ref": "#/definitions/licenseAcknowledgementEnumeration" + }, + "text": { + "title": "License text", + "description": "An optional way to include the textual content of a license.", + "$ref": "#/definitions/attachment" + }, + "url": { + "type": "string", + "title": "License URL", + "description": "The URL to the license file. If specified, a 'license' externalReference should also be specified for completeness", + "examples": ["https://www.apache.org/licenses/LICENSE-2.0.txt"], + "format": "iri-reference" + }, + "licensing": { + "type": "object", + "title": "Licensing information", + "description": "Licensing details describing the licensor/licensee, license type, renewal and expiration dates, and other important metadata", + "additionalProperties": false, + "properties": { + "altIds": { + "type": "array", + "title": "Alternate License Identifiers", + "description": "License identifiers that may be used to manage licenses and their lifecycle", + "items": { + "type": "string" + } + }, + "licensor": { + "title": "Licensor", + "description": "The individual or organization that grants a license to another individual or organization", + "type": "object", + "additionalProperties": false, + "properties": { + "organization": { + "title": "Licensor (Organization)", + "description": "The organization that granted the license", + "$ref": "#/definitions/organizationalEntity" + }, + "individual": { + "title": "Licensor (Individual)", + 
"description": "The individual, not associated with an organization, that granted the license", + "$ref": "#/definitions/organizationalContact" + } + }, + "oneOf":[ + { + "required": ["organization"] + }, + { + "required": ["individual"] + } + ] + }, + "licensee": { + "title": "Licensee", + "description": "The individual or organization for which a license was granted to", + "type": "object", + "additionalProperties": false, + "properties": { + "organization": { + "title": "Licensee (Organization)", + "description": "The organization that was granted the license", + "$ref": "#/definitions/organizationalEntity" + }, + "individual": { + "title": "Licensee (Individual)", + "description": "The individual, not associated with an organization, that was granted the license", + "$ref": "#/definitions/organizationalContact" + } + }, + "oneOf":[ + { + "required": ["organization"] + }, + { + "required": ["individual"] + } + ] + }, + "purchaser": { + "title": "Purchaser", + "description": "The individual or organization that purchased the license", + "type": "object", + "additionalProperties": false, + "properties": { + "organization": { + "title": "Purchaser (Organization)", + "description": "The organization that purchased the license", + "$ref": "#/definitions/organizationalEntity" + }, + "individual": { + "title": "Purchaser (Individual)", + "description": "The individual, not associated with an organization, that purchased the license", + "$ref": "#/definitions/organizationalContact" + } + }, + "oneOf":[ + { + "required": ["organization"] + }, + { + "required": ["individual"] + } + ] + }, + "purchaseOrder": { + "type": "string", + "title": "Purchase Order", + "description": "The purchase order identifier the purchaser sent to a supplier or vendor to authorize a purchase" + }, + "licenseTypes": { + "type": "array", + "title": "License Type", + "description": "The type of license(s) that was granted to the licensee.", + "items": { + "type": "string", + "enum": [ + 
"academic", + "appliance", + "client-access", + "concurrent-user", + "core-points", + "custom-metric", + "device", + "evaluation", + "named-user", + "node-locked", + "oem", + "perpetual", + "processor-points", + "subscription", + "user", + "other" + ], + "meta:enum": { + "academic": "A license that grants use of software solely for the purpose of education or research.", + "appliance": "A license covering use of software embedded in a specific piece of hardware.", + "client-access": "A Client Access License (CAL) allows client computers to access services provided by server software.", + "concurrent-user": "A Concurrent User license (aka floating license) limits the number of licenses for a software application and licenses are shared among a larger number of users.", + "core-points": "A license where the core of a computer's processor is assigned a specific number of points.", + "custom-metric": "A license for which consumption is measured by non-standard metrics.", + "device": "A license that covers a defined number of installations on computers and other types of devices.", + "evaluation": "A license that grants permission to install and use software for trial purposes.", + "named-user": "A license that grants access to the software to one or more pre-defined users.", + "node-locked": "A license that grants access to the software on one or more pre-defined computers or devices.", + "oem": "An Original Equipment Manufacturer license that is delivered with hardware, cannot be transferred to other hardware, and is valid for the life of the hardware.", + "perpetual": "A license where the software is sold on a one-time basis and the licensee can use a copy of the software indefinitely.", + "processor-points": "A license where each installation consumes points per processor.", + "subscription": "A license where the licensee pays a fee to use the software or service.", + "user": "A license that grants access to the software or service by a specified number of users.", 
+ "other": "Another license type." + } + } + }, + "lastRenewal": { + "type": "string", + "format": "date-time", + "title": "Last Renewal", + "description": "The timestamp indicating when the license was last renewed. For new purchases, this is often the purchase or acquisition date. For non-perpetual licenses or subscriptions, this is the timestamp of when the license was last renewed." + }, + "expiration": { + "type": "string", + "format": "date-time", + "title": "Expiration", + "description": "The timestamp indicating when the current license expires (if applicable)." + } + } + }, + "properties": { + "type": "array", + "title": "Properties", + "description": "Provides the ability to document properties in a name-value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. Unlike key-value stores, properties support duplicate names, each potentially having different values. Property names of interest to the general public are encouraged to be registered in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy). Formal registration is optional.", + "items": {"$ref": "#/definitions/property"} + } + } + }, + "licenseAcknowledgementEnumeration": { + "title": "License Acknowledgement", + "description": "Declared licenses and concluded licenses represent two different stages in the licensing process within software development. Declared licenses refer to the initial intention of the software authors regarding the licensing terms under which their code is released. On the other hand, concluded licenses are the result of a comprehensive analysis of the project's codebase to identify and confirm the actual licenses of the components used, which may differ from the initially declared licenses. 
While declared licenses provide an upfront indication of the licensing intentions, concluded licenses offer a more thorough understanding of the actual licensing within a project, facilitating proper compliance and risk management. Observed licenses are defined in `@.evidence.licenses`. Observed licenses form the evidence necessary to substantiate a concluded license.", + "type": "string", + "enum": [ + "declared", + "concluded" + ], + "meta:enum": { + "declared": "Declared licenses represent the initial intentions of authors regarding the licensing terms of their code.", + "concluded": "Concluded licenses are verified and confirmed." + } + }, + "licenseChoice": { + "title": "License Choice", + "description": "EITHER (list of SPDX licenses and/or named licenses) OR (tuple of one SPDX License Expression)", + "type": "array", + "oneOf": [ + { + "title": "Multiple licenses", + "description": "A list of SPDX licenses and/or named licenses.", + "type": "array", + "items": { + "type": "object", + "title": "License", + "required": ["license"], + "additionalProperties": false, + "properties": { + "license": {"$ref": "#/definitions/license"} + } + } + }, + { + "title": "SPDX License Expression", + "description": "A tuple of exactly one SPDX License Expression.", + "type": "array", + "additionalItems": false, + "minItems": 1, + "maxItems": 1, + "items": [{ + "type": "object", + "additionalProperties": false, + "required": ["expression"], + "properties": { + "expression": { + "type": "string", + "title": "SPDX License Expression", + "description": "A valid SPDX license expression.\nRefer to https://spdx.org/specifications for syntax requirements", + "examples": [ + "Apache-2.0 AND (MIT OR GPL-2.0-only)", + "GPL-3.0-only WITH Classpath-exception-2.0" + ] + }, + "acknowledgement": { + "$ref": "#/definitions/licenseAcknowledgementEnumeration" + }, + "bom-ref": { + "$ref": "#/definitions/refType", + "title": "BOM Reference", + "description": "An optional identifier which can be 
used to reference the license elsewhere in the BOM. Every bom-ref must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links." + } + } + }] + } + ] + }, + "commit": { + "type": "object", + "title": "Commit", + "description": "Specifies an individual commit", + "additionalProperties": false, + "properties": { + "uid": { + "type": "string", + "title": "UID", + "description": "A unique identifier of the commit. This may be version control specific. For example, Subversion uses revision numbers whereas git uses commit hashes." + }, + "url": { + "type": "string", + "title": "URL", + "description": "The URL to the commit. This URL will typically point to a commit in a version control system.", + "format": "iri-reference" + }, + "author": { + "title": "Author", + "description": "The author who created the changes in the commit", + "$ref": "#/definitions/identifiableAction" + }, + "committer": { + "title": "Committer", + "description": "The person who committed or pushed the commit", + "$ref": "#/definitions/identifiableAction" + }, + "message": { + "type": "string", + "title": "Message", + "description": "The text description of the contents of the commit" + } + } + }, + "patch": { + "type": "object", + "title": "Patch", + "description": "Specifies an individual patch", + "required": [ + "type" + ], + "additionalProperties": false, + "properties": { + "type": { + "type": "string", + "enum": [ + "unofficial", + "monkey", + "backport", + "cherry-pick" + ], + "meta:enum": { + "unofficial": "A patch which is not developed by the creators or maintainers of the software being patched. Refer to [https://en.wikipedia.org/wiki/Unofficial_patch](https://en.wikipedia.org/wiki/Unofficial_patch).", + "monkey": "A patch which dynamically modifies runtime behavior. 
Refer to [https://en.wikipedia.org/wiki/Monkey_patch](https://en.wikipedia.org/wiki/Monkey_patch).", + "backport": "A patch which takes code from a newer version of the software and applies it to older versions of the same software. Refer to [https://en.wikipedia.org/wiki/Backporting](https://en.wikipedia.org/wiki/Backporting).", + "cherry-pick": "A patch created by selectively applying commits from other versions or branches of the same software." + }, + "title": "Patch Type", + "description": "Specifies the purpose for the patch including the resolution of defects, security issues, or new behavior or functionality." + }, + "diff": { + "title": "Diff", + "description": "The patch file (or diff) that shows changes. Refer to [https://en.wikipedia.org/wiki/Diff](https://en.wikipedia.org/wiki/Diff)", + "$ref": "#/definitions/diff" + }, + "resolves": { + "type": "array", + "items": {"$ref": "#/definitions/issue"}, + "title": "Resolves", + "description": "A collection of issues the patch resolves" + } + } + }, + "diff": { + "type": "object", + "title": "Diff", + "description": "The patch file (or diff) that shows changes. Refer to https://en.wikipedia.org/wiki/Diff", + "additionalProperties": false, + "properties": { + "text": { + "title": "Diff text", + "description": "Specifies the optional text of the diff", + "$ref": "#/definitions/attachment" + }, + "url": { + "type": "string", + "title": "URL", + "description": "Specifies the URL to the diff", + "format": "iri-reference" + } + } + }, + "issue": { + "type": "object", + "title": "Issue", + "description": "An individual issue that has been resolved.", + "required": [ + "type" + ], + "additionalProperties": false, + "properties": { + "type": { + "type": "string", + "enum": [ + "defect", + "enhancement", + "security" + ], + "meta:enum": { + "defect": "A fault, flaw, or bug in software.", + "enhancement": "A new feature or behavior in software.", + "security": "A special type of defect which impacts security." 
+ }, + "title": "Issue Type", + "description": "Specifies the type of issue" + }, + "id": { + "type": "string", + "title": "Issue ID", + "description": "The identifier of the issue assigned by the source of the issue" + }, + "name": { + "type": "string", + "title": "Issue Name", + "description": "The name of the issue" + }, + "description": { + "type": "string", + "title": "Issue Description", + "description": "A description of the issue" + }, + "source": { + "type": "object", + "title": "Source", + "description": "The source of the issue where it is documented", + "additionalProperties": false, + "properties": { + "name": { + "type": "string", + "title": "Name", + "description": "The name of the source.", + "examples": [ + "National Vulnerability Database", + "NVD", + "Apache" + ] + }, + "url": { + "type": "string", + "title": "URL", + "description": "The url of the issue documentation as provided by the source", + "format": "iri-reference" + } + } + }, + "references": { + "type": "array", + "items": { + "type": "string", + "format": "iri-reference" + }, + "title": "References", + "description": "A collection of URL's for reference. 
Multiple URLs are allowed.", + "examples": ["https://example.com"] + } + } + }, + "identifiableAction": { + "type": "object", + "title": "Identifiable Action", + "description": "Specifies an individual commit", + "additionalProperties": false, + "properties": { + "timestamp": { + "type": "string", + "format": "date-time", + "title": "Timestamp", + "description": "The timestamp in which the action occurred" + }, + "name": { + "type": "string", + "title": "Name", + "description": "The name of the individual who performed the action" + }, + "email": { + "type": "string", + "format": "idn-email", + "title": "E-mail", + "description": "The email address of the individual who performed the action" + } + } + }, + "externalReference": { + "type": "object", + "title": "External Reference", + "description": "External references provide a way to document systems, sites, and information that may be relevant but are not included with the BOM. They may also establish specific relationships within or external to the BOM.", + "required": [ + "url", + "type" + ], + "additionalProperties": false, + "properties": { + "url": { + "anyOf": [ + { + "title": "URL", + "type": "string", + "format": "iri-reference" + }, + { + "title": "BOM-Link", + "$ref": "#/definitions/bomLink" + } + ], + "title": "URL", + "description": "The URI (URL or URN) to the external reference. External references are URIs and therefore can accept any URL scheme including https ([RFC-7230](https://www.ietf.org/rfc/rfc7230.txt)), mailto ([RFC-2368](https://www.ietf.org/rfc/rfc2368.txt)), tel ([RFC-3966](https://www.ietf.org/rfc/rfc3966.txt)), and dns ([RFC-4501](https://www.ietf.org/rfc/rfc4501.txt)). External references may also include formally registered URNs such as [CycloneDX BOM-Link](https://cyclonedx.org/capabilities/bomlink/) to reference CycloneDX BOMs or any object within a BOM. BOM-Link transforms applicable external references into relationships that can be expressed in a BOM or across BOMs." 
+ }, + "comment": { + "type": "string", + "title": "Comment", + "description": "An optional comment describing the external reference" + }, + "type": { + "type": "string", + "title": "Type", + "description": "Specifies the type of external reference.", + "enum": [ + "vcs", + "issue-tracker", + "website", + "advisories", + "bom", + "mailing-list", + "social", + "chat", + "documentation", + "support", + "source-distribution", + "distribution", + "distribution-intake", + "license", + "build-meta", + "build-system", + "release-notes", + "security-contact", + "model-card", + "log", + "configuration", + "evidence", + "formulation", + "attestation", + "threat-model", + "adversary-model", + "risk-assessment", + "vulnerability-assertion", + "exploitability-statement", + "pentest-report", + "static-analysis-report", + "dynamic-analysis-report", + "runtime-analysis-report", + "component-analysis-report", + "maturity-report", + "certification-report", + "codified-infrastructure", + "quality-metrics", + "poam", + "electronic-signature", + "digital-signature", + "rfc-9116", + "other" + ], + "meta:enum": { + "vcs": "Version Control System", + "issue-tracker": "Issue or defect tracking system, or an Application Lifecycle Management (ALM) system", + "website": "Website", + "advisories": "Security advisories", + "bom": "Bill of Materials (SBOM, OBOM, HBOM, SaaSBOM, etc)", + "mailing-list": "Mailing list or discussion group", + "social": "Social media account", + "chat": "Real-time chat platform", + "documentation": "Documentation, guides, or how-to instructions", + "support": "Community or commercial support", + "source-distribution": "The location where the source code distributable can be obtained. This is often an archive format such as zip or tgz. The source-distribution type complements use of the version control (vcs) type.", + "distribution": "Direct or repository download location", + "distribution-intake": "The location where a component was published to. 
This is often the same as \"distribution\" but may also include specialized publishing processes that act as an intermediary.", + "license": "The reference to the license file. If a license URL has been defined in the license node, it should also be defined as an external reference for completeness.", + "build-meta": "Build-system specific meta file (i.e. pom.xml, package.json, .nuspec, etc)", + "build-system": "Reference to an automated build system", + "release-notes": "Reference to release notes", + "security-contact": "Specifies a way to contact the maintainer, supplier, or provider in the event of a security incident. Common URIs include links to a disclosure procedure, a mailto (RFC-2368) that specifies an email address, a tel (RFC-3966) that specifies a phone number, or dns (RFC-4501) that specifies the records containing DNS Security TXT.", + "model-card": "A model card describes the intended uses of a machine learning model, potential limitations, biases, ethical considerations, training parameters, datasets used to train the model, performance metrics, and other relevant data useful for ML transparency.", + "log": "A record of events that occurred in a computer system or application, such as problems, errors, or information on current operations.", + "configuration": "Parameters or settings that may be used by other components or services.", + "evidence": "Information used to substantiate a claim.", + "formulation": "Describes how a component or service was manufactured or deployed.", + "attestation": "Human or machine-readable statements containing facts, evidence, or testimony.", + "threat-model": "An enumeration of identified weaknesses, threats, and countermeasures, dataflow diagram (DFD), attack tree, and other supporting documentation in human-readable or machine-readable format.", + "adversary-model": "The defined assumptions, goals, and capabilities of an adversary.", + "risk-assessment": "Identifies and analyzes the potential of future events 
that may negatively impact individuals, assets, and/or the environment. Risk assessments may also include judgments on the tolerability of each risk.", + "vulnerability-assertion": "A Vulnerability Disclosure Report (VDR) which asserts the known and previously unknown vulnerabilities that affect a component, service, or product including the analysis and findings describing the impact (or lack of impact) that the reported vulnerability has on a component, service, or product.", + "exploitability-statement": "A Vulnerability Exploitability eXchange (VEX) which asserts the known vulnerabilities that do not affect a product, product family, or organization, and optionally the ones that do. The VEX should include the analysis and findings describing the impact (or lack of impact) that the reported vulnerability has on the product, product family, or organization.", + "pentest-report": "Results from an authorized simulated cyberattack on a component or service, otherwise known as a penetration test.", + "static-analysis-report": "SARIF or proprietary machine or human-readable report for which static analysis has identified code quality, security, and other potential issues with the source code.", + "dynamic-analysis-report": "Dynamic analysis report that has identified issues such as vulnerabilities and misconfigurations.", + "runtime-analysis-report": "Report generated by analyzing the call stack of a running application.", + "component-analysis-report": "Report generated by Software Composition Analysis (SCA), container analysis, or other forms of component analysis.", + "maturity-report": "Report containing a formal assessment of an organization, business unit, or team against a maturity model.", + "certification-report": "Industry, regulatory, or other certification from an accredited (if applicable) certification body.", + "codified-infrastructure": "Code or configuration that defines and provisions virtualized infrastructure, commonly referred to as Infrastructure 
as Code (IaC).", + "quality-metrics": "Report or system in which quality metrics can be obtained.", + "poam": "Plans of Action and Milestones (POA&M) complement an \"attestation\" external reference. POA&M is defined by NIST as a \"document that identifies tasks needing to be accomplished. It details resources required to accomplish the elements of the plan, any milestones in meeting the tasks and scheduled completion dates for the milestones\".", + "electronic-signature": "An e-signature is commonly a scanned representation of a written signature or a stylized script of the person's name.", + "digital-signature": "A signature that leverages cryptography, typically public/private key pairs, which provides strong authenticity verification.", + "rfc-9116": "Document that complies with [RFC 9116](https://www.ietf.org/rfc/rfc9116.html) (A File Format to Aid in Security Vulnerability Disclosure)", + "other": "Use this if no other types accurately describe the purpose of the external reference." + } + }, + "hashes": { + "type": "array", + "items": {"$ref": "#/definitions/hash"}, + "title": "Hashes", + "description": "The hashes of the external reference (if applicable)." + } + } + }, + "dependency": { + "type": "object", + "title": "Dependency", + "description": "Defines the direct dependencies of a component, service, or the components provided/implemented by a given component. Components or services that do not have their own dependencies must be declared as empty elements within the graph. Components or services that are not represented in the dependency graph may have unknown dependencies. It is recommended that implementations assume this to be opaque and not an indicator of an object being dependency-free. 
It is recommended to leverage compositions to indicate unknown dependency graphs.", + "required": [ + "ref" + ], + "additionalProperties": false, + "properties": { + "ref": { + "$ref": "#/definitions/refLinkType", + "title": "Reference", + "description": "References a component or service by its bom-ref attribute" + }, + "dependsOn": { + "type": "array", + "uniqueItems": true, + "items": { + "$ref": "#/definitions/refLinkType" + }, + "title": "Depends On", + "description": "The bom-ref identifiers of the components or services that are dependencies of this dependency object." + }, + "provides": { + "type": "array", + "uniqueItems": true, + "items": { + "$ref": "#/definitions/refLinkType" + }, + "title": "Provides", + "description": "The bom-ref identifiers of the components or services that define a given specification or standard, which are provided or implemented by this dependency object.\nFor example, a cryptographic library which implements a cryptographic algorithm. A component which implements another component does not imply that the implementation is in use." + } + } + }, + "service": { + "type": "object", + "title": "Service", + "required": [ + "name" + ], + "additionalProperties": false, + "properties": { + "bom-ref": { + "$ref": "#/definitions/refType", + "title": "BOM Reference", + "description": "An optional identifier which can be used to reference the service elsewhere in the BOM. Every bom-ref must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links." + }, + "provider": { + "title": "Provider", + "description": "The organization that provides the service.", + "$ref": "#/definitions/organizationalEntity" + }, + "group": { + "type": "string", + "title": "Service Group", + "description": "The grouping name, namespace, or identifier. This will often be a shortened, single name of the company or project that produced the service or domain name. 
Whitespace and special characters should be avoided.", + "examples": ["com.acme"] + }, + "name": { + "type": "string", + "title": "Service Name", + "description": "The name of the service. This will often be a shortened, single name of the service.", + "examples": ["ticker-service"] + }, + "version": { + "$ref": "#/definitions/version", + "title": "Service Version", + "description": "The service version." + }, + "description": { + "type": "string", + "title": "Service Description", + "description": "Specifies a description for the service" + }, + "endpoints": { + "type": "array", + "items": { + "type": "string", + "format": "iri-reference" + }, + "title": "Endpoints", + "description": "The endpoint URIs of the service. Multiple endpoints are allowed.", + "examples": ["https://example.com/api/v1/ticker"] + }, + "authenticated": { + "type": "boolean", + "title": "Authentication Required", + "description": "A boolean value indicating if the service requires authentication. A value of true indicates the service requires authentication prior to use. A value of false indicates the service does not require authentication." + }, + "x-trust-boundary": { + "type": "boolean", + "title": "Crosses Trust Boundary", + "description": "A boolean value indicating if use of the service crosses a trust zone or boundary. A value of true indicates that by using the service, a trust boundary is crossed. A value of false indicates that by using the service, a trust boundary is not crossed." + }, + "trustZone": { + "type": "string", + "title": "Trust Zone", + "description": "The name of the trust zone the service resides in." + }, + "data": { + "type": "array", + "items": {"$ref": "#/definitions/serviceData"}, + "title": "Data", + "description": "Specifies information about the data including the directional flow of data and the data classification." 
+ }, + "licenses": { + "$ref": "#/definitions/licenseChoice", + "title": "Service License(s)" + }, + "externalReferences": { + "type": "array", + "items": {"$ref": "#/definitions/externalReference"}, + "title": "External References", + "description": "External references provide a way to document systems, sites, and information that may be relevant but are not included with the BOM. They may also establish specific relationships within or external to the BOM." + }, + "services": { + "type": "array", + "items": {"$ref": "#/definitions/service"}, + "uniqueItems": true, + "title": "Services", + "description": "A list of services included or deployed behind the parent service. This is not a dependency tree. It provides a way to specify a hierarchical representation of service assemblies." + }, + "releaseNotes": { + "$ref": "#/definitions/releaseNotes", + "title": "Release notes", + "description": "Specifies optional release notes." + }, + "properties": { + "type": "array", + "title": "Properties", + "description": "Provides the ability to document properties in a name-value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. Unlike key-value stores, properties support duplicate names, each potentially having different values. Property names of interest to the general public are encouraged to be registered in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy). Formal registration is optional.", + "items": {"$ref": "#/definitions/property"} + }, + "tags": { + "$ref": "#/definitions/tags", + "title": "Tags" + }, + "signature": { + "$ref": "#/definitions/signature", + "title": "Signature", + "description": "Enveloped signature in [JSON Signature Format (JSF)](https://cyberphone.github.io/doc/security/jsf.html)." 
+ } + } + }, + "serviceData": { + "type": "object", + "title": "Hash Objects", + "required": [ + "flow", + "classification" + ], + "additionalProperties": false, + "properties": { + "flow": { + "$ref": "#/definitions/dataFlowDirection", + "title": "Directional Flow", + "description": "Specifies the flow direction of the data. Direction is relative to the service. Inbound flow states that data enters the service. Outbound flow states that data leaves the service. Bi-directional states that data flows both ways and unknown states that the direction is not known." + }, + "classification": { + "$ref": "#/definitions/dataClassification" + }, + "name": { + "type": "string", + "title": "Name", + "description": "Name for the defined data", + "examples": [ + "Credit card reporting" + ] + }, + "description": { + "type": "string", + "title": "Description", + "description": "Short description of the data content and usage", + "examples": [ + "Credit card information being exchanged in between the web app and the database" + ] + }, + "governance": { + "title": "Data Governance", + "$ref": "#/definitions/dataGovernance" + }, + "source": { + "type": "array", + "items": { + "anyOf": [ + { + "title": "URL", + "type": "string", + "format": "iri-reference" + }, + { + "title": "BOM-Link Element", + "$ref": "#/definitions/bomLinkElementType" + } + ] + }, + "title": "Source", + "description": "The URI, URL, or BOM-Link of the components or services the data came in from" + }, + "destination": { + "type": "array", + "items": { + "anyOf": [ + { + "title": "URL", + "type": "string", + "format": "iri-reference" + }, + { + "title": "BOM-Link Element", + "$ref": "#/definitions/bomLinkElementType" + } + ] + }, + "title": "Destination", + "description": "The URI, URL, or BOM-Link of the components or services the data is sent to" + } + } + }, + "dataFlowDirection": { + "type": "string", + "enum": [ + "inbound", + "outbound", + "bi-directional", + "unknown" + ], + "meta:enum": { + "inbound": 
"Data that enters a service.", + "outbound": "Data that exits a service.", + "bi-directional": "Data flows in and out of the service.", + "unknown": "The directional flow of data is not known." + }, + "title": "Data flow direction", + "description": "Specifies the flow direction of the data. Direction is relative to the service." + }, + "copyright": { + "type": "object", + "title": "Copyright", + "description": "A copyright notice informing users of the underlying claims to copyright ownership in a published work.", + "required": [ + "text" + ], + "additionalProperties": false, + "properties": { + "text": { + "type": "string", + "title": "Copyright Text", + "description": "The textual content of the copyright." + } + } + }, + "componentEvidence": { + "type": "object", + "title": "Evidence", + "description": "Provides the ability to document evidence collected through various forms of extraction or analysis.", + "additionalProperties": false, + "properties": { + "identity": { + "title": "Identity Evidence", + "description": "Evidence that substantiates the identity of a component. The identity may be an object or an array of identity objects. Support for specifying identity as a single object was introduced in CycloneDX v1.5. Arrays were introduced in v1.6. 
It is recommended that all implementations use arrays, even if only one identity object is specified.", + "oneOf" : [ + { + "type": "array", + "title": "Array of Identity Objects", + "items": { "$ref": "#/definitions/componentIdentityEvidence" } + }, + { + "title": "A Single Identity Object", + "description": "[Deprecated]", + "$ref": "#/definitions/componentIdentityEvidence", + "deprecated": true + } + ] + }, + "occurrences": { + "type": "array", + "title": "Occurrences", + "description": "Evidence of individual instances of a component spread across multiple locations.", + "items": { + "type": "object", + "required": [ "location" ], + "additionalProperties": false, + "properties": { + "bom-ref": { + "$ref": "#/definitions/refType", + "title": "BOM Reference", + "description": "An optional identifier which can be used to reference the occurrence elsewhere in the BOM. Every bom-ref must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links." + }, + "location": { + "type": "string", + "title": "Location", + "description": "The location or path to where the component was found." + }, + "line": { + "type": "integer", + "minimum": 0, + "title": "Line Number", + "description": "The line number where the component was found." + }, + "offset": { + "type": "integer", + "minimum": 0, + "title": "Offset", + "description": "The offset where the component was found." + }, + "symbol": { + "type": "string", + "title": "Symbol", + "description": "The symbol name that was found associated with the component." + }, + "additionalContext": { + "type": "string", + "title": "Additional Context", + "description": "Any additional context of the detected component (e.g. a code snippet)." 
+ } + } + } + }, + "callstack": { + "type": "object", + "title": "Call Stack", + "description": "Evidence of the components use through the callstack.", + "additionalProperties": false, + "properties": { + "frames": { + "type": "array", + "title": "Frames", + "description": "Within a call stack, a frame is a discrete unit that encapsulates an execution context, including local variables, parameters, and the return address. As function calls are made, frames are pushed onto the stack, forming an array-like structure that orchestrates the flow of program execution and manages the sequence of function invocations.", + "items": { + "type": "object", + "required": [ + "module" + ], + "additionalProperties": false, + "properties": { + "package": { + "title": "Package", + "description": "A package organizes modules into namespaces, providing a unique namespace for each type it contains.", + "type": "string" + }, + "module": { + "title": "Module", + "description": "A module or class that encloses functions/methods and other code.", + "type": "string" + }, + "function": { + "title": "Function", + "description": "A block of code designed to perform a particular task.", + "type": "string" + }, + "parameters": { + "title": "Parameters", + "description": "Optional arguments that are passed to the module or function.", + "type": "array", + "items": { + "type": "string" + } + }, + "line": { + "title": "Line", + "description": "The line number the code that is called resides on.", + "type": "integer" + }, + "column": { + "title": "Column", + "description": "The column the code that is called resides.", + "type": "integer" + }, + "fullFilename": { + "title": "Full Filename", + "description": "The full path and filename of the module.", + "type": "string" + } + } + } + } + } + }, + "licenses": { + "$ref": "#/definitions/licenseChoice", + "title": "License Evidence" + }, + "copyright": { + "type": "array", + "items": {"$ref": "#/definitions/copyright"}, + "title": "Copyright 
Evidence", + "description": "Copyright evidence captures intellectual property assertions, providing evidence of possible ownership and legal protection." + } + } + }, + "compositions": { + "type": "object", + "title": "Compositions", + "required": [ + "aggregate" + ], + "additionalProperties": false, + "properties": { + "bom-ref": { + "$ref": "#/definitions/refType", + "title": "BOM Reference", + "description": "An optional identifier which can be used to reference the composition elsewhere in the BOM. Every bom-ref must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links." + }, + "aggregate": { + "$ref": "#/definitions/aggregateType", + "title": "Aggregate", + "description": "Specifies an aggregate type that describes how complete a relationship is." + }, + "assemblies": { + "type": "array", + "uniqueItems": true, + "items": { + "anyOf": [ + { + "title": "Ref", + "$ref": "#/definitions/refLinkType" + }, + { + "title": "BOM-Link Element", + "$ref": "#/definitions/bomLinkElementType" + } + ] + }, + "title": "BOM references", + "description": "The bom-ref identifiers of the components or services being described. Assemblies refer to nested relationships whereby a constituent part may include other constituent parts. References do not cascade to child parts. References are explicit for the specified constituent part only." + }, + "dependencies": { + "type": "array", + "uniqueItems": true, + "items": { + "type": "string" + }, + "title": "BOM references", + "description": "The bom-ref identifiers of the components or services being described. Dependencies refer to a relationship whereby an independent constituent part requires another independent constituent part. References do not cascade to transitive dependencies. References are explicit for the specified dependency only." 
+ }, + "vulnerabilities": { + "type": "array", + "uniqueItems": true, + "items": { + "type": "string" + }, + "title": "BOM references", + "description": "The bom-ref identifiers of the vulnerabilities being described." + }, + "signature": { + "$ref": "#/definitions/signature", + "title": "Signature", + "description": "Enveloped signature in [JSON Signature Format (JSF)](https://cyberphone.github.io/doc/security/jsf.html)." + } + } + }, + "aggregateType": { + "type": "string", + "default": "not_specified", + "enum": [ + "complete", + "incomplete", + "incomplete_first_party_only", + "incomplete_first_party_proprietary_only", + "incomplete_first_party_opensource_only", + "incomplete_third_party_only", + "incomplete_third_party_proprietary_only", + "incomplete_third_party_opensource_only", + "unknown", + "not_specified" + ], + "meta:enum": { + "complete": "The relationship is complete. No further relationships including constituent components, services, or dependencies are known to exist.", + "incomplete": "The relationship is incomplete. Additional relationships exist and may include constituent components, services, or dependencies.", + "incomplete_first_party_only": "The relationship is incomplete. Only relationships for first-party components, services, or their dependencies are represented.", + "incomplete_first_party_proprietary_only": "The relationship is incomplete. Only relationships for first-party components, services, or their dependencies are represented, limited specifically to those that are proprietary.", + "incomplete_first_party_opensource_only": "The relationship is incomplete. Only relationships for first-party components, services, or their dependencies are represented, limited specifically to those that are opensource.", + "incomplete_third_party_only": "The relationship is incomplete. 
Only relationships for third-party components, services, or their dependencies are represented.", + "incomplete_third_party_proprietary_only": "The relationship is incomplete. Only relationships for third-party components, services, or their dependencies are represented, limited specifically to those that are proprietary.", + "incomplete_third_party_opensource_only": "The relationship is incomplete. Only relationships for third-party components, services, or their dependencies are represented, limited specifically to those that are opensource.", + "unknown": "The relationship may be complete or incomplete. This usually signifies a 'best-effort' to obtain constituent components, services, or dependencies but the completeness is inconclusive.", + "not_specified": "The relationship completeness is not specified." + } + }, + "property": { + "type": "object", + "title": "Lightweight name-value pair", + "description": "Provides the ability to document properties in a name-value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. Unlike key-value stores, properties support duplicate names, each potentially having different values. Property names of interest to the general public are encouraged to be registered in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy). Formal registration is optional.", + "required": [ + "name" + ], + "properties": { + "name": { + "type": "string", + "title": "Name", + "description": "The name of the property. Duplicate names are allowed, each potentially having a different value." + }, + "value": { + "type": "string", + "title": "Value", + "description": "The value of the property." 
+ } + }, + "additionalProperties": false + }, + "localeType": { + "type": "string", + "pattern": "^([a-z]{2})(-[A-Z]{2})?$", + "title": "Locale", + "description": "Defines a syntax for representing two character language code (ISO-639) followed by an optional two character country code. The language code must be lower case. If the country code is specified, the country code must be upper case. The language code and country code must be separated by a minus sign. Examples: en, en-US, fr, fr-CA" + }, + "releaseType": { + "type": "string", + "examples": [ + "major", + "minor", + "patch", + "pre-release", + "internal" + ], + "description": "The software versioning type. It is recommended that the release type use one of 'major', 'minor', 'patch', 'pre-release', or 'internal'. Representing all possible software release types is not practical, so standardizing on the recommended values, whenever possible, is strongly encouraged.\n\n* __major__ = A major release may contain significant changes or may introduce breaking changes.\n* __minor__ = A minor release, also known as an update, may contain a smaller number of changes than major releases.\n* __patch__ = Patch releases are typically unplanned and may resolve defects or important security issues.\n* __pre-release__ = A pre-release may include alpha, beta, or release candidates and typically have limited support. They provide the ability to preview a release prior to its general availability.\n* __internal__ = Internal releases are not for public consumption and are intended to be used exclusively by the project or manufacturer that produced it." + }, + "note": { + "type": "object", + "title": "Note", + "description": "A note containing the locale and content.", + "required": [ + "text" + ], + "additionalProperties": false, + "properties": { + "locale": { + "$ref": "#/definitions/localeType", + "title": "Locale", + "description": "The ISO-639 (or higher) language code and optional ISO-3166 (or higher) country code. 
Examples include: \"en\", \"en-US\", \"fr\" and \"fr-CA\"" + }, + "text": { + "title": "Release note content", + "description": "Specifies the full content of the release note.", + "$ref": "#/definitions/attachment" + } + } + }, + "releaseNotes": { + "type": "object", + "title": "Release notes", + "required": [ + "type" + ], + "additionalProperties": false, + "properties": { + "type": { + "$ref": "#/definitions/releaseType", + "title": "Type", + "description": "The software versioning type the release note describes." + }, + "title": { + "type": "string", + "title": "Title", + "description": "The title of the release." + }, + "featuredImage": { + "type": "string", + "format": "iri-reference", + "title": "Featured image", + "description": "The URL to an image that may be prominently displayed with the release note." + }, + "socialImage": { + "type": "string", + "format": "iri-reference", + "title": "Social image", + "description": "The URL to an image that may be used in messaging on social media platforms." + }, + "description": { + "type": "string", + "title": "Description", + "description": "A short description of the release." + }, + "timestamp": { + "type": "string", + "format": "date-time", + "title": "Timestamp", + "description": "The date and time (timestamp) when the release note was created." + }, + "aliases": { + "type": "array", + "items": { + "type": "string" + }, + "title": "Aliases", + "description": "One or more alternate names the release may be referred to. This may include unofficial terms used by development and marketing teams (e.g. code names)." + }, + "tags": { + "$ref": "#/definitions/tags", + "title": "Tags" + }, + "resolves": { + "type": "array", + "items": {"$ref": "#/definitions/issue"}, + "title": "Resolves", + "description": "A collection of issues that have been resolved." 
+ }, + "notes": { + "type": "array", + "items": {"$ref": "#/definitions/note"}, + "title": "Notes", + "description": "Zero or more release notes containing the locale and content. Multiple note objects may be specified to support release notes in a wide variety of languages." + }, + "properties": { + "type": "array", + "title": "Properties", + "description": "Provides the ability to document properties in a name-value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. Unlike key-value stores, properties support duplicate names, each potentially having different values. Property names of interest to the general public are encouraged to be registered in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy). Formal registration is optional.", + "items": {"$ref": "#/definitions/property"} + } + } + }, + "advisory": { + "type": "object", + "title": "Advisory", + "description": "Title and location where advisory information can be obtained. An advisory is a notification of a threat to a component, service, or system.", + "required": ["url"], + "additionalProperties": false, + "properties": { + "title": { + "type": "string", + "title": "Title", + "description": "An optional name of the advisory." + }, + "url": { + "type": "string", + "title": "URL", + "format": "iri-reference", + "description": "Location where the advisory can be obtained." + } + } + }, + "cwe": { + "type": "integer", + "minimum": 1, + "title": "CWE", + "description": "Integer representation of a Common Weaknesses Enumerations (CWE). For example 399 (of https://cwe.mitre.org/data/definitions/399.html)" + }, + "severity": { + "type": "string", + "title": "Severity", + "description": "Textual representation of the severity of the vulnerability adopted by the analysis method. 
If the analysis method uses values other than what is provided, the user is expected to translate appropriately.", + "enum": [ + "critical", + "high", + "medium", + "low", + "info", + "none", + "unknown" + ], + "meta:enum": { + "critical": "Critical severity", + "high": "High severity", + "medium": "Medium severity", + "low": "Low severity", + "info": "Informational warning.", + "none": "None", + "unknown": "The severity is not known" + } + }, + "scoreMethod": { + "type": "string", + "title": "Method", + "description": "Specifies the severity or risk scoring methodology or standard used.", + "enum": [ + "CVSSv2", + "CVSSv3", + "CVSSv31", + "CVSSv4", + "OWASP", + "SSVC", + "other" + ], + "meta:enum": { + "CVSSv2": "Common Vulnerability Scoring System v2.0", + "CVSSv3": "Common Vulnerability Scoring System v3.0", + "CVSSv31": "Common Vulnerability Scoring System v3.1", + "CVSSv4": "Common Vulnerability Scoring System v4.0", + "OWASP": "OWASP Risk Rating Methodology", + "SSVC": "Stakeholder Specific Vulnerability Categorization", + "other": "Another severity or risk scoring methodology" + } + }, + "impactAnalysisState": { + "type": "string", + "title": "Impact Analysis State", + "description": "Declares the current state of an occurrence of a vulnerability, after automated or manual analysis.", + "enum": [ + "resolved", + "resolved_with_pedigree", + "exploitable", + "in_triage", + "false_positive", + "not_affected" + ], + "meta:enum": { + "resolved": "The vulnerability has been remediated.", + "resolved_with_pedigree": "The vulnerability has been remediated and evidence of the changes are provided in the affected components pedigree containing verifiable commit history and/or diff(s).", + "exploitable": "The vulnerability may be directly or indirectly exploitable.", + "in_triage": "The vulnerability is being investigated.", + "false_positive": "The vulnerability is not specific to the component or service and was falsely identified or associated.", + "not_affected": 
"The component or service is not affected by the vulnerability. Justification should be specified for all not_affected cases." + } + }, + "impactAnalysisJustification": { + "type": "string", + "title": "Impact Analysis Justification", + "description": "The rationale of why the impact analysis state was asserted.", + "enum": [ + "code_not_present", + "code_not_reachable", + "requires_configuration", + "requires_dependency", + "requires_environment", + "protected_by_compiler", + "protected_at_runtime", + "protected_at_perimeter", + "protected_by_mitigating_control" + ], + "meta:enum": { + "code_not_present": "The code has been removed or tree-shaked.", + "code_not_reachable": "The vulnerable code is not invoked at runtime.", + "requires_configuration": "Exploitability requires a configurable option to be set/unset.", + "requires_dependency": "Exploitability requires a dependency that is not present.", + "requires_environment": "Exploitability requires a certain environment which is not present.", + "protected_by_compiler": "Exploitability requires a compiler flag to be set/unset.", + "protected_at_runtime": "Exploits are prevented at runtime.", + "protected_at_perimeter": "Attacks are blocked at physical, logical, or network perimeter.", + "protected_by_mitigating_control": "Preventative measures have been implemented that reduce the likelihood and/or impact of the vulnerability." + } + }, + "rating": { + "type": "object", + "title": "Rating", + "description": "Defines the severity or risk ratings of a vulnerability.", + "additionalProperties": false, + "properties": { + "source": { + "$ref": "#/definitions/vulnerabilitySource", + "description": "The source that calculated the severity or risk rating of the vulnerability." + }, + "score": { + "type": "number", + "title": "Score", + "description": "The numerical score of the rating." 
+ }, + "severity": { + "$ref": "#/definitions/severity", + "description": "Textual representation of the severity that corresponds to the numerical score of the rating." + }, + "method": { + "$ref": "#/definitions/scoreMethod" + }, + "vector": { + "type": "string", + "title": "Vector", + "description": "Textual representation of the metric values used to score the vulnerability" + }, + "justification": { + "type": "string", + "title": "Justification", + "description": "An optional reason for rating the vulnerability as it was" + } + } + }, + "vulnerabilitySource": { + "type": "object", + "title": "Source", + "description": "The source of vulnerability information. This is often the organization that published the vulnerability.", + "additionalProperties": false, + "properties": { + "url": { + "type": "string", + "title": "URL", + "description": "The url of the vulnerability documentation as provided by the source.", + "examples": [ + "https://nvd.nist.gov/vuln/detail/CVE-2021-39182" + ] + }, + "name": { + "type": "string", + "title": "Name", + "description": "The name of the source.", + "examples": [ + "NVD", + "National Vulnerability Database", + "OSS Index", + "VulnDB", + "GitHub Advisories" + ] + } + } + }, + "vulnerability": { + "type": "object", + "title": "Vulnerability", + "description": "Defines a weakness in a component or service that could be exploited or triggered by a threat source.", + "additionalProperties": false, + "properties": { + "bom-ref": { + "$ref": "#/definitions/refType", + "title": "BOM Reference", + "description": "An optional identifier which can be used to reference the vulnerability elsewhere in the BOM. Every bom-ref must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links." 
+ }, + "id": { + "type": "string", + "title": "ID", + "description": "The identifier that uniquely identifies the vulnerability.", + "examples": [ + "CVE-2021-39182", + "GHSA-35m5-8cvj-8783", + "SNYK-PYTHON-ENROCRYPT-1912876" + ] + }, + "source": { + "$ref": "#/definitions/vulnerabilitySource", + "description": "The source that published the vulnerability." + }, + "references": { + "type": "array", + "title": "References", + "description": "Zero or more pointers to vulnerabilities that are the equivalent of the vulnerability specified. Often times, the same vulnerability may exist in multiple sources of vulnerability intelligence, but have different identifiers. References provide a way to correlate vulnerabilities across multiple sources of vulnerability intelligence.", + "items": { + "type": "object", + "required": [ + "id", + "source" + ], + "additionalProperties": false, + "properties": { + "id": { + "type": "string", + "title": "ID", + "description": "An identifier that uniquely identifies the vulnerability.", + "examples": [ + "CVE-2021-39182", + "GHSA-35m5-8cvj-8783", + "SNYK-PYTHON-ENROCRYPT-1912876" + ] + }, + "source": { + "$ref": "#/definitions/vulnerabilitySource", + "description": "The source that published the vulnerability." + } + } + } + }, + "ratings": { + "type": "array", + "title": "Ratings", + "description": "List of vulnerability ratings", + "items": { + "$ref": "#/definitions/rating" + } + }, + "cwes": { + "type": "array", + "title": "CWEs", + "description": "List of Common Weaknesses Enumerations (CWEs) codes that describes this vulnerability.", + "examples": [399], + "items": { + "$ref": "#/definitions/cwe" + } + }, + "description": { + "type": "string", + "title": "Description", + "description": "A description of the vulnerability as provided by the source." + }, + "detail": { + "type": "string", + "title": "Details", + "description": "If available, an in-depth description of the vulnerability as provided by the source organization. 
Details often include information useful in understanding root cause." + }, + "recommendation": { + "type": "string", + "title": "Recommendation", + "description": "Recommendations of how the vulnerability can be remediated or mitigated." + }, + "workaround": { + "type": "string", + "title": "Workarounds", + "description": "A bypass, usually temporary, of the vulnerability that reduces its likelihood and/or impact. Workarounds often involve changes to configuration or deployments." + }, + "proofOfConcept": { + "type": "object", + "title": "Proof of Concept", + "description": "Evidence used to reproduce the vulnerability.", + "properties": { + "reproductionSteps": { + "type": "string", + "title": "Steps to Reproduce", + "description": "Precise steps to reproduce the vulnerability." + }, + "environment": { + "type": "string", + "title": "Environment", + "description": "A description of the environment in which reproduction was possible." + }, + "supportingMaterial": { + "type": "array", + "title": "Supporting Material", + "description": "Supporting material that helps in reproducing or understanding how reproduction is possible. This may include screenshots, payloads, and PoC exploit code.", + "items": { "$ref": "#/definitions/attachment" } + } + } + }, + "advisories": { + "type": "array", + "title": "Advisories", + "description": "Published advisories of the vulnerability if provided.", + "items": { + "$ref": "#/definitions/advisory" + } + }, + "created": { + "type": "string", + "format": "date-time", + "title": "Created", + "description": "The date and time (timestamp) when the vulnerability record was created in the vulnerability database." + }, + "published": { + "type": "string", + "format": "date-time", + "title": "Published", + "description": "The date and time (timestamp) when the vulnerability record was first published." 
+ }, + "updated": { + "type": "string", + "format": "date-time", + "title": "Updated", + "description": "The date and time (timestamp) when the vulnerability record was last updated." + }, + "rejected": { + "type": "string", + "format": "date-time", + "title": "Rejected", + "description": "The date and time (timestamp) when the vulnerability record was rejected (if applicable)." + }, + "credits": { + "type": "object", + "title": "Credits", + "description": "Individuals or organizations credited with the discovery of the vulnerability.", + "additionalProperties": false, + "properties": { + "organizations": { + "type": "array", + "title": "Organizations", + "description": "The organizations credited with vulnerability discovery.", + "items": { + "$ref": "#/definitions/organizationalEntity" + } + }, + "individuals": { + "type": "array", + "title": "Individuals", + "description": "The individuals, not associated with organizations, that are credited with vulnerability discovery.", + "items": { + "$ref": "#/definitions/organizationalContact" + } + } + } + }, + "tools": { + "title": "Tools", + "description": "The tool(s) used to identify, confirm, or score the vulnerability.", + "oneOf": [ + { + "type": "object", + "title": "Tools", + "description": "The tool(s) used to identify, confirm, or score the vulnerability.", + "additionalProperties": false, + "properties": { + "components": { + "type": "array", + "items": {"$ref": "#/definitions/component"}, + "uniqueItems": true, + "title": "Components", + "description": "A list of software and hardware components used as tools." + }, + "services": { + "type": "array", + "items": {"$ref": "#/definitions/service"}, + "uniqueItems": true, + "title": "Services", + "description": "A list of services used as tools. This may include microservices, function-as-a-service, and other types of network or intra-process services." 
+ } + } + }, + { + "type": "array", + "title": "Tools (legacy)", + "description": "[Deprecated] The tool(s) used to identify, confirm, or score the vulnerability.", + "items": {"$ref": "#/definitions/tool"} + } + ] + }, + "analysis": { + "type": "object", + "title": "Impact Analysis", + "description": "An assessment of the impact and exploitability of the vulnerability.", + "additionalProperties": false, + "properties": { + "state": { + "$ref": "#/definitions/impactAnalysisState" + }, + "justification": { + "$ref": "#/definitions/impactAnalysisJustification" + }, + "response": { + "type": "array", + "title": "Response", + "description": "A response to the vulnerability by the manufacturer, supplier, or project responsible for the affected component or service. More than one response is allowed. Responses are strongly encouraged for vulnerabilities where the analysis state is exploitable.", + "items": { + "type": "string", + "enum": [ + "can_not_fix", + "will_not_fix", + "update", + "rollback", + "workaround_available" + ], + "meta:enum": { + "can_not_fix": "Can not fix", + "will_not_fix": "Will not fix", + "update": "Update to a different revision or release", + "rollback": "Revert to a previous revision or release", + "workaround_available": "There is a workaround available" + } + } + }, + "detail": { + "type": "string", + "title": "Detail", + "description": "Detailed description of the impact including methods used during assessment. If a vulnerability is not exploitable, this field should include specific details on why the component or service is not impacted by this vulnerability." + }, + "firstIssued": { + "type": "string", + "format": "date-time", + "title": "First Issued", + "description": "The date and time (timestamp) when the analysis was first issued." + }, + "lastUpdated": { + "type": "string", + "format": "date-time", + "title": "Last Updated", + "description": "The date and time (timestamp) when the analysis was last updated." 
+ } + } + }, + "affects": { + "type": "array", + "uniqueItems": true, + "items": { + "type": "object", + "required": [ + "ref" + ], + "additionalProperties": false, + "properties": { + "ref": { + "anyOf": [ + { + "title": "Ref", + "$ref": "#/definitions/refLinkType" + }, + { + "title": "BOM-Link Element", + "$ref": "#/definitions/bomLinkElementType" + } + ], + "title": "Reference", + "description": "References a component or service by the objects bom-ref" + }, + "versions": { + "type": "array", + "title": "Versions", + "description": "Zero or more individual versions or range of versions.", + "items": { + "type": "object", + "oneOf": [ + { + "required": ["version"] + }, + { + "required": ["range"] + } + ], + "additionalProperties": false, + "properties": { + "version": { + "title": "Version", + "description": "A single version of a component or service.", + "$ref": "#/definitions/version" + }, + "range": { + "title": "Version Range", + "description": "A version range specified in Package URL Version Range syntax (vers) which is defined at https://github.com/package-url/vers-spec", + "$ref": "#/definitions/versionRange" + }, + "status": { + "title": "Status", + "description": "The vulnerability status for the version or range of versions.", + "$ref": "#/definitions/affectedStatus", + "default": "affected" + } + } + } + } + } + }, + "title": "Affects", + "description": "The components or services that are affected by the vulnerability." + }, + "properties": { + "type": "array", + "title": "Properties", + "description": "Provides the ability to document properties in a name-value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. Unlike key-value stores, properties support duplicate names, each potentially having different values. 
Property names of interest to the general public are encouraged to be registered in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy). Formal registration is optional.", + "items": { + "$ref": "#/definitions/property" + } + } + } + }, + "affectedStatus": { + "description": "The vulnerability status of a given version or range of versions of a product. The statuses 'affected' and 'unaffected' indicate that the version is affected or unaffected by the vulnerability. The status 'unknown' indicates that it is unknown or unspecified whether the given version is affected. There can be many reasons for an 'unknown' status, including that an investigation has not been undertaken or that a vendor has not disclosed the status.", + "type": "string", + "enum": [ + "affected", + "unaffected", + "unknown" + ], + "meta:enum": { + "affected": "The version is affected by the vulnerability.", + "unaffected": "The version is not affected by the vulnerability.", + "unknown": "It is unknown (or unspecified) whether the given version is affected." + } + }, + "version": { + "description": "A single disjunctive version identifier, for a component or service.", + "type": "string", + "maxLength": 1024, + "examples": [ + "9.0.14", + "v1.33.7", + "7.0.0-M1", + "2.0pre1", + "1.0.0-beta1", + "0.8.15" + ] + }, + "versionRange": { + "description": "A version range specified in Package URL Version Range syntax (vers) which is defined at https://github.com/package-url/vers-spec", + "type": "string", + "minLength": 1, + "maxLength": 4096, + "examples": [ + "vers:cargo/9.0.14", + "vers:npm/1.2.3|>=2.0.0|<5.0.0", + "vers:pypi/0.0.0|0.0.1|0.0.2|0.0.3|1.0|2.0pre1", + "vers:tomee/>=1.0.0-beta1|<=1.7.5|>=7.0.0-M1|<=7.0.7|>=7.1.0|<=7.1.2|>=8.0.0-M1|<=8.0.1", + "vers:gem/>=2.2.0|!= 2.2.1|<2.3.0" + ] + }, + "range": { + "deprecated": true, + "description": "Deprecated definition. 
use definition `versionRange` instead.", + "$ref": "#/definitions/versionRange" + }, + "annotations": { + "type": "object", + "title": "Annotations", + "description": "A comment, note, explanation, or similar textual content which provides additional context to the object(s) being annotated.", + "required": [ + "subjects", + "annotator", + "timestamp", + "text" + ], + "additionalProperties": false, + "properties": { + "bom-ref": { + "$ref": "#/definitions/refType", + "title": "BOM Reference", + "description": "An optional identifier which can be used to reference the annotation elsewhere in the BOM. Every bom-ref must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links." + }, + "subjects": { + "type": "array", + "uniqueItems": true, + "items": { + "anyOf": [ + { + "title": "Ref", + "$ref": "#/definitions/refLinkType" + }, + { + "title": "BOM-Link Element", + "$ref": "#/definitions/bomLinkElementType" + } + ] + }, + "title": "Subjects", + "description": "The object in the BOM identified by its bom-ref. This is often a component or service, but may be any object type supporting bom-refs." 
+ }, + "annotator": { + "type": "object", + "title": "Annotator", + "description": "The organization, person, component, or service which created the textual content of the annotation.", + "oneOf": [ + { + "required": [ + "organization" + ] + }, + { + "required": [ + "individual" + ] + }, + { + "required": [ + "component" + ] + }, + { + "required": [ + "service" + ] + } + ], + "additionalProperties": false, + "properties": { + "organization": { + "description": "The organization that created the annotation", + "$ref": "#/definitions/organizationalEntity" + }, + "individual": { + "description": "The person that created the annotation", + "$ref": "#/definitions/organizationalContact" + }, + "component": { + "description": "The tool or component that created the annotation", + "$ref": "#/definitions/component" + }, + "service": { + "description": "The service that created the annotation", + "$ref": "#/definitions/service" + } + } + }, + "timestamp": { + "type": "string", + "format": "date-time", + "title": "Timestamp", + "description": "The date and time (timestamp) when the annotation was created." + }, + "text": { + "type": "string", + "title": "Text", + "description": "The textual content of the annotation." + }, + "signature": { + "$ref": "#/definitions/signature", + "title": "Signature", + "description": "Enveloped signature in [JSON Signature Format (JSF)](https://cyberphone.github.io/doc/security/jsf.html)." + } + } + }, + "modelCard": { + "$comment": "Model card support in CycloneDX is derived from TensorFlow Model Card Toolkit released under the Apache 2.0 license and available from https://github.com/tensorflow/model-card-toolkit/blob/main/model_card_toolkit/schema/v0.0.2/model_card.schema.json. 
In addition, CycloneDX model card support includes portions of VerifyML, also released under the Apache 2.0 license and available from https://github.com/cylynx/verifyml/blob/main/verifyml/model_card_toolkit/schema/v0.0.4/model_card.schema.json.", + "type": "object", + "title": "Model Card", + "description": "A model card describes the intended uses of a machine learning model and potential limitations, including biases and ethical considerations. Model cards typically contain the training parameters, which datasets were used to train the model, performance metrics, and other relevant data useful for ML transparency. This object SHOULD be specified for any component of type `machine-learning-model` and must not be specified for other component types.", + "additionalProperties": false, + "properties": { + "bom-ref": { + "$ref": "#/definitions/refType", + "title": "BOM Reference", + "description": "An optional identifier which can be used to reference the model card elsewhere in the BOM. Every bom-ref must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links." 
+ }, + "modelParameters": { + "type": "object", + "title": "Model Parameters", + "description": "Hyper-parameters for construction of the model.", + "additionalProperties": false, + "properties": { + "approach": { + "type": "object", + "title": "Approach", + "description": "The overall approach to learning used by the model for problem solving.", + "additionalProperties": false, + "properties": { + "type": { + "type": "string", + "title": "Learning Type", + "description": "Learning types describing the learning problem or hybrid learning problem.", + "enum": [ + "supervised", + "unsupervised", + "reinforcement-learning", + "semi-supervised", + "self-supervised" + ], + "meta:enum": { + "supervised": "Supervised machine learning involves training an algorithm on labeled data to predict or classify new data based on the patterns learned from the labeled examples.", + "unsupervised": "Unsupervised machine learning involves training algorithms on unlabeled data to discover patterns, structures, or relationships without explicit guidance, allowing the model to identify inherent structures or clusters within the data.", + "reinforcement-learning": "Reinforcement learning is a type of machine learning where an agent learns to make decisions by interacting with an environment to maximize cumulative rewards, through trial and error.", + "semi-supervised": "Semi-supervised machine learning utilizes a combination of labeled and unlabeled data during training to improve model performance, leveraging the benefits of both supervised and unsupervised learning techniques.", + "self-supervised": "Self-supervised machine learning involves training models to predict parts of the input data from other parts of the same data, without requiring external labels, enabling learning from large amounts of unlabeled data." + } + } + } + }, + "task": { + "type": "string", + "title": "Task", + "description": "Directly influences the input and/or output. 
Examples include classification, regression, clustering, etc." + }, + "architectureFamily": { + "type": "string", + "title": "Architecture Family", + "description": "The model architecture family such as transformer network, convolutional neural network, residual neural network, LSTM neural network, etc." + }, + "modelArchitecture": { + "type": "string", + "title": "Model Architecture", + "description": "The specific architecture of the model such as GPT-1, ResNet-50, YOLOv3, etc." + }, + "datasets": { + "type": "array", + "title": "Datasets", + "description": "The datasets used to train and evaluate the model.", + "items" : { + "oneOf" : [ + { + "title": "Inline Data Information", + "$ref": "#/definitions/componentData" + }, + { + "type": "object", + "title": "Data Reference", + "additionalProperties": false, + "properties": { + "ref": { + "anyOf": [ + { + "title": "Ref", + "$ref": "#/definitions/refLinkType" + }, + { + "title": "BOM-Link Element", + "$ref": "#/definitions/bomLinkElementType" + } + ], + "title": "Reference", + "type": "string", + "description": "References a data component by the components bom-ref attribute" + } + } + } + ] + } + }, + "inputs": { + "type": "array", + "title": "Inputs", + "description": "The input format(s) of the model", + "items": { "$ref": "#/definitions/inputOutputMLParameters" } + }, + "outputs": { + "type": "array", + "title": "Outputs", + "description": "The output format(s) from the model", + "items": { "$ref": "#/definitions/inputOutputMLParameters" } + } + } + }, + "quantitativeAnalysis": { + "type": "object", + "title": "Quantitative Analysis", + "description": "A quantitative analysis of the model", + "additionalProperties": false, + "properties": { + "performanceMetrics": { + "type": "array", + "title": "Performance Metrics", + "description": "The model performance metrics being reported. 
Examples may include accuracy, F1 score, precision, top-3 error rates, MSC, etc.", + "items": { "$ref": "#/definitions/performanceMetric" } + }, + "graphics": { "$ref": "#/definitions/graphicsCollection" } + } + }, + "considerations": { + "type": "object", + "title": "Considerations", + "description": "What considerations should be taken into account regarding the model's construction, training, and application?", + "additionalProperties": false, + "properties": { + "users": { + "type": "array", + "title": "Users", + "description": "Who are the intended users of the model?", + "items": { + "type": "string" + } + }, + "useCases": { + "type": "array", + "title": "Use Cases", + "description": "What are the intended use cases of the model?", + "items": { + "type": "string" + } + }, + "technicalLimitations": { + "type": "array", + "title": "Technical Limitations", + "description": "What are the known technical limitations of the model? E.g. What kind(s) of data should the model be expected not to perform well on? What are the factors that might degrade model performance?", + "items": { + "type": "string" + } + }, + "performanceTradeoffs": { + "type": "array", + "title": "Performance Tradeoffs", + "description": "What are the known tradeoffs in accuracy/performance of the model?", + "items": { + "type": "string" + } + }, + "ethicalConsiderations": { + "type": "array", + "title": "Ethical Considerations", + "description": "What are the ethical risks involved in the application of this model?", + "items": { "$ref": "#/definitions/risk" } + }, + "environmentalConsiderations":{ + "$ref": "#/definitions/environmentalConsiderations", + "title": "Environmental Considerations", + "description": "What are the various environmental impacts the corresponding machine learning model has exhibited across its lifecycle?" 
+ }, + "fairnessAssessments": { + "type": "array", + "title": "Fairness Assessments", + "description": "How does the model affect groups at risk of being systematically disadvantaged? What are the harms and benefits to the various affected groups?", + "items": { + "$ref": "#/definitions/fairnessAssessment" + } + } + } + }, + "properties": { + "type": "array", + "title": "Properties", + "description": "Provides the ability to document properties in a name-value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. Unlike key-value stores, properties support duplicate names, each potentially having different values. Property names of interest to the general public are encouraged to be registered in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy). Formal registration is optional.", + "items": {"$ref": "#/definitions/property"} + } + } + }, + "inputOutputMLParameters": { + "type": "object", + "title": "Input and Output Parameters", + "additionalProperties": false, + "properties": { + "format": { + "title": "Input/Output Format", + "description": "The data format for input/output to the model.", + "type": "string", + "examples": [ "string", "image", "time-series"] + } + } + }, + "componentData": { + "type": "object", + "additionalProperties": false, + "required": [ + "type" + ], + "properties": { + "bom-ref": { + "$ref": "#/definitions/refType", + "title": "BOM Reference", + "description": "An optional identifier which can be used to reference the dataset elsewhere in the BOM. Every bom-ref must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links." 
+ }, + "type": { + "type": "string", + "title": "Type of Data", + "description": "The general theme or subject matter of the data being specified.", + "enum": [ + "source-code", + "configuration", + "dataset", + "definition", + "other" + ], + "meta:enum": { + "source-code": "Any type of code, code snippet, or data-as-code.", + "configuration": "Parameters or settings that may be used by other components.", + "dataset": "A collection of data.", + "definition": "Data that can be used to create new instances of what the definition defines.", + "other": "Any other type of data that does not fit into existing definitions." + } + }, + "name": { + "title": "Dataset Name", + "description": "The name of the dataset.", + "type": "string" + }, + "contents": { + "type": "object", + "title": "Data Contents", + "description": "The contents or references to the contents of the data being described.", + "additionalProperties": false, + "properties": { + "attachment": { + "title": "Data Attachment", + "description": "An optional way to include textual or encoded data.", + "$ref": "#/definitions/attachment" + }, + "url": { + "type": "string", + "title": "Data URL", + "description": "The URL to where the data can be retrieved.", + "format": "iri-reference" + }, + "properties": { + "type": "array", + "title": "Configuration Properties", + "description": "Provides the ability to document name-value parameters used for configuration.", + "items": { + "$ref": "#/definitions/property" + } + } + } + }, + "classification": { + "$ref": "#/definitions/dataClassification" + }, + "sensitiveData": { + "type": "array", + "title": "Sensitive Data", + "description": "A description of any sensitive data in a dataset.", + "items": { + "type": "string" + } + }, + "graphics": { "$ref": "#/definitions/graphicsCollection" }, + "description": { + "title": "Dataset Description", + "description": "A description of the dataset. 
Can describe size of dataset, whether it's used for source code, training, testing, or validation, etc.", + "type": "string" + }, + "governance": { + "title": "Data Governance", + "$ref": "#/definitions/dataGovernance" + } + } + }, + "dataGovernance": { + "type": "object", + "title": "Data Governance", + "description": "Data governance captures information regarding data ownership, stewardship, and custodianship, providing insights into the individuals or entities responsible for managing, overseeing, and safeguarding the data throughout its lifecycle.", + "additionalProperties": false, + "properties": { + "custodians": { + "type": "array", + "title": "Data Custodians", + "description": "Data custodians are responsible for the safe custody, transport, and storage of data.", + "items": { "$ref": "#/definitions/dataGovernanceResponsibleParty" } + }, + "stewards": { + "type": "array", + "title": "Data Stewards", + "description": "Data stewards are responsible for data content, context, and associated business rules.", + "items": { "$ref": "#/definitions/dataGovernanceResponsibleParty" } + }, + "owners": { + "type": "array", + "title": "Data Owners", + "description": "Data owners are concerned with risk and appropriate access to data.", + "items": { "$ref": "#/definitions/dataGovernanceResponsibleParty" } + } + } + }, + "dataGovernanceResponsibleParty": { + "type": "object", + "additionalProperties": false, + "properties": { + "organization": { + "title": "Organization", + "description": "The organization that is responsible for specific data governance role(s).", + "$ref": "#/definitions/organizationalEntity" + }, + "contact": { + "title": "Individual", + "description": "The individual that is responsible for specific data governance role(s).", + "$ref": "#/definitions/organizationalContact" + } + }, + "oneOf":[ + { + "required": ["organization"] + }, + { + "required": ["contact"] + } + ] + }, + "graphicsCollection": { + "type": "object", + "title": "Graphics 
Collection", + "description": "A collection of graphics that represent various measurements.", + "additionalProperties": false, + "properties": { + "description": { + "title": "Description", + "description": "A description of this collection of graphics.", + "type": "string" + }, + "collection": { + "title": "Collection", + "description": "A collection of graphics.", + "type": "array", + "items": { "$ref": "#/definitions/graphic" } + } + } + }, + "graphic": { + "type": "object", + "title": "Graphic", + "additionalProperties": false, + "properties": { + "name": { + "title": "Name", + "description": "The name of the graphic.", + "type": "string" + }, + "image": { + "title": "Graphic Image", + "description": "The graphic (vector or raster). Base64 encoding must be specified for binary images.", + "$ref": "#/definitions/attachment" + } + } + }, + "performanceMetric": { + "type": "object", + "title": "Performance Metric", + "additionalProperties": false, + "properties": { + "type": { + "title": "Type", + "description": "The type of performance metric.", + "type": "string" + }, + "value": { + "title": "Value", + "description": "The value of the performance metric.", + "type": "string" + }, + "slice": { + "title": "Slice", + "description": "The name of the slice this metric was computed on. 
By default, assume this metric is not sliced.", + "type": "string" + }, + "confidenceInterval": { + "title": "Confidence Interval", + "description": "The confidence interval of the metric.", + "type": "object", + "additionalProperties": false, + "properties": { + "lowerBound": { + "title": "Lower Bound", + "description": "The lower bound of the confidence interval.", + "type": "string" + }, + "upperBound": { + "title": "Upper Bound", + "description": "The upper bound of the confidence interval.", + "type": "string" + } + } + } + } + }, + "risk": { + "type": "object", + "title": "Risk", + "additionalProperties": false, + "properties": { + "name": { + "title": "Name", + "description": "The name of the risk.", + "type": "string" + }, + "mitigationStrategy": { + "title": "Mitigation Strategy", + "description": "Strategy used to address this risk.", + "type": "string" + } + } + }, + "fairnessAssessment": { + "type": "object", + "title": "Fairness Assessment", + "description": "Information about the benefits and harms of the model to an identified at risk group.", + "additionalProperties": false, + "properties": { + "groupAtRisk": { + "type": "string", + "title": "Group at Risk", + "description": "The groups or individuals at risk of being systematically disadvantaged by the model." + }, + "benefits": { + "type": "string", + "title": "Benefits", + "description": "Expected benefits to the identified groups." + }, + "harms": { + "type": "string", + "title": "Harms", + "description": "Expected harms to the identified groups." + }, + "mitigationStrategy": { + "type": "string", + "title": "Mitigation Strategy", + "description": "With respect to the benefits and harms outlined, please describe any mitigation strategy implemented." + } + } + }, + "dataClassification": { + "type": "string", + "title": "Data Classification", + "description": "Data classification tags data according to its type, sensitivity, and value if altered, stolen, or destroyed." 
+ }, + "environmentalConsiderations": { + "type": "object", + "title": "Environmental Considerations", + "description": "Describes various environmental impact metrics.", + "additionalProperties": false, + "properties": { + "energyConsumptions": { + "title": "Energy Consumptions", + "description": "Describes energy consumption information incurred for one or more component lifecycle activities.", + "type": "array", + "items": { + "$ref": "#/definitions/energyConsumption" + } + }, + "properties": { + "type": "array", + "title": "Properties", + "description": "Provides the ability to document properties in a name-value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. Unlike key-value stores, properties support duplicate names, each potentially having different values. Property names of interest to the general public are encouraged to be registered in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy). 
Formal registration is optional.", + "items": { + "$ref": "#/definitions/property" + } + } + } + }, + "energyConsumption": { + "title": "Energy consumption", + "description": "Describes energy consumption information incurred for the specified lifecycle activity.", + "type": "object", + "required": [ + "activity", + "energyProviders", + "activityEnergyCost" + ], + "additionalProperties": false, + "properties": { + "activity": { + "type": "string", + "title": "Activity", + "description": "The type of activity that is part of a machine learning model development or operational lifecycle.", + "enum": [ + "design", + "data-collection", + "data-preparation", + "training", + "fine-tuning", + "validation", + "deployment", + "inference", + "other" + ], + "meta:enum": { + "design": "A model design including problem framing, goal definition and algorithm selection.", + "data-collection": "Model data acquisition including search, selection and transfer.", + "data-preparation": "Model data preparation including data cleaning, labeling and conversion.", + "training": "Model building, training and generalized tuning.", + "fine-tuning": "Refining a trained model to produce desired outputs for a given problem space.", + "validation": "Model validation including model output evaluation and testing.", + "deployment": "Explicit model deployment to a target hosting infrastructure.", + "inference": "Generating an output response from a hosted model from a set of inputs.", + "other": "A lifecycle activity type whose description does not match currently defined values." 
+ } + }, + "energyProviders": { + "title": "Energy Providers", + "description": "The provider(s) of the energy consumed by the associated model development lifecycle activity.", + "type": "array", + "items": { "$ref": "#/definitions/energyProvider" } + }, + "activityEnergyCost": { + "title": "Activity Energy Cost", + "description": "The total energy cost associated with the model lifecycle activity.", + "$ref": "#/definitions/energyMeasure" + }, + "co2CostEquivalent": { + "title": "CO2 Equivalent Cost", + "description": "The CO2 cost (debit) equivalent to the total energy cost.", + "$ref": "#/definitions/co2Measure" + }, + "co2CostOffset": { + "title": "CO2 Cost Offset", + "description": "The CO2 offset (credit) for the CO2 equivalent cost.", + "$ref": "#/definitions/co2Measure" + }, + "properties": { + "type": "array", + "title": "Properties", + "description": "Provides the ability to document properties in a name-value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. Unlike key-value stores, properties support duplicate names, each potentially having different values. Property names of interest to the general public are encouraged to be registered in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy). Formal registration is optional.", + "items": { + "$ref": "#/definitions/property" + } + } + } + }, + "energyMeasure": { + "type": "object", + "title": "Energy Measure", + "description": "A measure of energy.", + "required": [ + "value", + "unit" + ], + "additionalProperties": false, + "properties": { + "value": { + "type": "number", + "title": "Value", + "description": "Quantity of energy." + }, + "unit": { + "type": "string", + "enum": [ "kWh" ], + "title": "Unit", + "description": "Unit of energy.", + "meta:enum": { + "kWh": "Kilowatt-hour (kWh) is the energy delivered by one kilowatt (kW) of power for one hour (h)." 
+ } + } + } + }, + "co2Measure": { + "type": "object", + "title": "CO2 Measure", + "description": "A measure of carbon dioxide (CO2).", + "required": [ + "value", + "unit" + ], + "additionalProperties": false, + "properties": { + "value": { + "type": "number", + "title": "Value", + "description": "Quantity of carbon dioxide (CO2)." + }, + "unit": { + "type": "string", + "enum": [ "tCO2eq" ], + "title": "Unit", + "description": "Unit of carbon dioxide (CO2).", + "meta:enum": { + "tCO2eq": "Tonnes (t) of carbon dioxide (CO2) equivalent (eq)." + } + } + } + }, + "energyProvider": { + "type": "object", + "title": "Energy Provider", + "description": "Describes the physical provider of energy used for model development or operations.", + "required": [ + "organization", + "energySource", + "energyProvided" + ], + "additionalProperties": false, + "properties": { + "bom-ref": { + "title": "BOM Reference", + "description": "An optional identifier which can be used to reference the energy provider elsewhere in the BOM. Every bom-ref must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links.", + "$ref": "#/definitions/refType" + }, + "description": { + "type": "string", + "title": "Description", + "description": "A description of the energy provider." 
+ }, + "organization": { + "type": "object", + "title": "Organization", + "description": "The organization that provides energy.", + "$ref": "#/definitions/organizationalEntity" + }, + "energySource": { + "type": "string", + "enum": [ + "coal", + "oil", + "natural-gas", + "nuclear", + "wind", + "solar", + "geothermal", + "hydropower", + "biofuel", + "unknown", + "other" + ], + "meta:enum": { + "coal": "Energy produced by types of coal.", + "oil": "Petroleum products (primarily crude oil and its derivative fuel oils).", + "natural-gas": "Hydrocarbon gas liquids (HGL) that occur as gases at atmospheric pressure and as liquids under higher pressures including Natural gas (C5H12 and heavier), Ethane (C2H6), Propane (C3H8), etc.", + "nuclear": "Energy produced from the cores of atoms (i.e., through nuclear fission or fusion).", + "wind": "Energy produced from moving air.", + "solar": "Energy produced from the sun (i.e., solar radiation).", + "geothermal": "Energy produced from heat within the earth.", + "hydropower": "Energy produced from flowing water.", + "biofuel": "Liquid fuels produced from biomass feedstocks (i.e., organic materials such as plants or animals).", + "unknown": "The energy source is unknown.", + "other": "An energy source that is not listed." + }, + "title": "Energy Source", + "description": "The energy source for the energy provider." + }, + "energyProvided": { + "$ref": "#/definitions/energyMeasure", + "title": "Energy Provided", + "description": "The energy provided by the energy source for an associated activity." + }, + "externalReferences": { + "type": "array", + "items": {"$ref": "#/definitions/externalReference"}, + "title": "External References", + "description": "External references provide a way to document systems, sites, and information that may be relevant but are not included with the BOM. They may also establish specific relationships within or external to the BOM." 
+ } + } + }, + "postalAddress": { + "type": "object", + "title": "Postal address", + "description": "An address used to identify a contactable location.", + "additionalProperties": false, + "properties": { + "bom-ref": { + "title": "BOM Reference", + "description": "An optional identifier which can be used to reference the address elsewhere in the BOM. Every bom-ref must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links.", + "$ref": "#/definitions/refType" + }, + "country": { + "type": "string", + "title": "Country", + "description": "The country name or the two-letter ISO 3166-1 country code." + }, + "region": { + "type": "string", + "title": "Region", + "description": "The region or state in the country.", + "examples": [ "Texas" ] + }, + "locality": { + "type": "string", + "title": "Locality", + "description": "The locality or city within the country.", + "examples": [ "Austin" ] + }, + "postOfficeBoxNumber": { + "type": "string", + "title": "Post Office Box Number", + "description": "The post office box number.", + "examples": [ "901" ] + }, + "postalCode": { + "type": "string", + "title": "Postal Code", + "description": "The postal code.", + "examples": [ "78758" ] + }, + "streetAddress": { + "type": "string", + "title": "Street Address", + "description": "The street address.", + "examples": [ "100 Main Street" ] + } + } + }, + "formula": { + "title": "Formula", + "description": "Describes workflows and resources that captures rules and other aspects of how the associated BOM component or service was formed.", + "type": "object", + "additionalProperties": false, + "properties": { + "bom-ref": { + "title": "BOM Reference", + "description": "An optional identifier which can be used to reference the formula elsewhere in the BOM. 
Every bom-ref must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links.", + "$ref": "#/definitions/refType" + }, + "components": { + "title": "Components", + "description": "Transient components that are used in tasks that constitute one or more of this formula's workflows", + "type": "array", + "items": { + "$ref": "#/definitions/component" + }, + "uniqueItems": true + }, + "services": { + "title": "Services", + "description": "Transient services that are used in tasks that constitute one or more of this formula's workflows", + "type": "array", + "items": { + "$ref": "#/definitions/service" + }, + "uniqueItems": true + }, + "workflows": { + "title": "Workflows", + "description": "List of workflows that can be declared to accomplish specific orchestrated goals and independently triggered.", + "$comment": "Different workflows can be designed to work together to perform end-to-end CI/CD builds and deployments.", + "type": "array", + "items": { + "$ref": "#/definitions/workflow" + }, + "uniqueItems": true + }, + "properties": { + "type": "array", + "title": "Properties", + "description": "Provides the ability to document properties in a name-value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. Unlike key-value stores, properties support duplicate names, each potentially having different values. Property names of interest to the general public are encouraged to be registered in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy). Formal registration is optional.", + "items": { + "$ref": "#/definitions/property" + } + } + } + }, + "workflow": { + "title": "Workflow", + "description": "A specialized orchestration task.", + "$comment": "Workflow are as task themselves and can trigger other workflow tasks. 
These relationships can be modeled in the taskDependencies graph.", + "type": "object", + "required": [ + "bom-ref", + "uid", + "taskTypes" + ], + "additionalProperties": false, + "properties": { + "bom-ref": { + "title": "BOM Reference", + "description": "An optional identifier which can be used to reference the workflow elsewhere in the BOM. Every bom-ref must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links.", + "$ref": "#/definitions/refType" + }, + "uid": { + "title": "Unique Identifier (UID)", + "description": "The unique identifier for the resource instance within its deployment context.", + "type": "string" + }, + "name": { + "title": "Name", + "description": "The name of the resource instance.", + "type": "string" + }, + "description": { + "title": "Description", + "description": "A description of the resource instance.", + "type": "string" + }, + "resourceReferences": { + "title": "Resource references", + "description": "References to component or service resources that are used to realize the resource instance.", + "type": "array", + "uniqueItems": true, + "items": { + "$ref": "#/definitions/resourceReferenceChoice" + } + }, + "tasks": { + "title": "Tasks", + "description": "The tasks that comprise the workflow.", + "$comment": "Note that tasks can appear more than once as different instances (by name or UID).", + "type": "array", + "uniqueItems": true, + "items": { + "$ref": "#/definitions/task" + } + }, + "taskDependencies": { + "title": "Task dependency graph", + "description": "The graph of dependencies between tasks within the workflow.", + "type": "array", + "uniqueItems": true, + "items": { + "$ref": "#/definitions/dependency" + } + }, + "taskTypes": { + "title": "Task types", + "description": "Indicates the types of activities performed by the set of workflow tasks.", + "$comment": "Currently, these types reflect common CI/CD actions.", + "type": "array", + "items": { + "$ref": 
"#/definitions/taskType" + } + }, + "trigger": { + "title": "Trigger", + "description": "The trigger that initiated the task.", + "$ref": "#/definitions/trigger" + }, + "steps": { + "title": "Steps", + "description": "The sequence of steps for the task.", + "type": "array", + "items": { + "$ref": "#/definitions/step" + }, + "uniqueItems": true + }, + "inputs": { + "title": "Inputs", + "description": "Represents resources and data brought into a task at runtime by executor or task commands", + "examples": ["a `configuration` file which was declared as a local `component` or `externalReference`"], + "type": "array", + "items": { + "$ref": "#/definitions/inputType" + }, + "uniqueItems": true + }, + "outputs": { + "title": "Outputs", + "description": "Represents resources and data output from a task at runtime by executor or task commands", + "examples": ["a log file or metrics data produced by the task"], + "type": "array", + "items": { + "$ref": "#/definitions/outputType" + }, + "uniqueItems": true + }, + "timeStart": { + "title": "Time start", + "description": "The date and time (timestamp) when the task started.", + "type": "string", + "format": "date-time" + }, + "timeEnd": { + "title": "Time end", + "description": "The date and time (timestamp) when the task ended.", + "type": "string", + "format": "date-time" + }, + "workspaces": { + "title": "Workspaces", + "description": "A set of named filesystem or data resource shareable by workflow tasks.", + "type": "array", + "uniqueItems": true, + "items": { + "$ref": "#/definitions/workspace" + } + }, + "runtimeTopology": { + "title": "Runtime topology", + "description": "A graph of the component runtime topology for workflow's instance.", + "$comment": "A description of the runtime component and service topology. 
This can describe a partial or complete topology used to host and execute the task (e.g., hardware, operating systems, configurations, etc.),", + "type": "array", + "uniqueItems": true, + "items": { + "$ref": "#/definitions/dependency" + } + }, + "properties": { + "type": "array", + "title": "Properties", + "description": "Provides the ability to document properties in a name-value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. Unlike key-value stores, properties support duplicate names, each potentially having different values. Property names of interest to the general public are encouraged to be registered in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy). Formal registration is optional.", + "items": { + "$ref": "#/definitions/property" + } + } + } + }, + "task": { + "title": "Task", + "description": "Describes the inputs, sequence of steps and resources used to accomplish a task and its output.", + "$comment": "Tasks are building blocks for constructing assemble CI/CD workflows or pipelines.", + "type": "object", + "required": [ + "bom-ref", + "uid", + "taskTypes" + ], + "additionalProperties": false, + "properties": { + "bom-ref": { + "title": "BOM Reference", + "description": "An optional identifier which can be used to reference the task elsewhere in the BOM. 
Every bom-ref must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links.", + "$ref": "#/definitions/refType" + }, + "uid": { + "title": "Unique Identifier (UID)", + "description": "The unique identifier for the resource instance within its deployment context.", + "type": "string" + }, + "name": { + "title": "Name", + "description": "The name of the resource instance.", + "type": "string" + }, + "description": { + "title": "Description", + "description": "A description of the resource instance.", + "type": "string" + }, + "resourceReferences": { + "title": "Resource references", + "description": "References to component or service resources that are used to realize the resource instance.", + "type": "array", + "uniqueItems": true, + "items": { + "$ref": "#/definitions/resourceReferenceChoice" + } + }, + "taskTypes": { + "title": "Task types", + "description": "Indicates the types of activities performed by the set of workflow tasks.", + "$comment": "Currently, these types reflect common CI/CD actions.", + "type": "array", + "items": { + "$ref": "#/definitions/taskType" + } + }, + "trigger": { + "title": "Trigger", + "description": "The trigger that initiated the task.", + "$ref": "#/definitions/trigger" + }, + "steps": { + "title": "Steps", + "description": "The sequence of steps for the task.", + "type": "array", + "items": { + "$ref": "#/definitions/step" + }, + "uniqueItems": true + }, + "inputs": { + "title": "Inputs", + "description": "Represents resources and data brought into a task at runtime by executor or task commands", + "examples": ["a `configuration` file which was declared as a local `component` or `externalReference`"], + "type": "array", + "items": { + "$ref": "#/definitions/inputType" + }, + "uniqueItems": true + }, + "outputs": { + "title": "Outputs", + "description": "Represents resources and data output from a task at runtime by executor or task commands", + "examples": ["a log 
file or metrics data produced by the task"], + "type": "array", + "items": { + "$ref": "#/definitions/outputType" + }, + "uniqueItems": true + }, + "timeStart": { + "title": "Time start", + "description": "The date and time (timestamp) when the task started.", + "type": "string", + "format": "date-time" + }, + "timeEnd": { + "title": "Time end", + "description": "The date and time (timestamp) when the task ended.", + "type": "string", + "format": "date-time" + }, + "workspaces": { + "title": "Workspaces", + "description": "A set of named filesystem or data resource shareable by workflow tasks.", + "type": "array", + "items": { + "$ref": "#/definitions/workspace" + }, + "uniqueItems": true + }, + "runtimeTopology": { + "title": "Runtime topology", + "description": "A graph of the component runtime topology for task's instance.", + "$comment": "A description of the runtime component and service topology. This can describe a partial or complete topology used to host and execute the task (e.g., hardware, operating systems, configurations, etc.),", + "type": "array", + "items": { + "$ref": "#/definitions/dependency" + }, + "uniqueItems": true + }, + "properties": { + "type": "array", + "title": "Properties", + "description": "Provides the ability to document properties in a name-value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. Unlike key-value stores, properties support duplicate names, each potentially having different values. Property names of interest to the general public are encouraged to be registered in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy). 
Formal registration is optional.", + "items": { + "$ref": "#/definitions/property" + } + } + } + }, + "step": { + "type": "object", + "description": "Executes specific commands or tools in order to accomplish its owning task as part of a sequence.", + "additionalProperties": false, + "properties": { + "name": { + "title": "Name", + "description": "A name for the step.", + "type": "string" + }, + "description": { + "title": "Description", + "description": "A description of the step.", + "type": "string" + }, + "commands": { + "title": "Commands", + "description": "Ordered list of commands or directives for the step", + "type": "array", + "items": { + "$ref": "#/definitions/command" + } + }, + "properties": { + "type": "array", + "title": "Properties", + "description": "Provides the ability to document properties in a name-value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. Unlike key-value stores, properties support duplicate names, each potentially having different values. Property names of interest to the general public are encouraged to be registered in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy). Formal registration is optional.", + "items": { + "$ref": "#/definitions/property" + } + } + } + }, + "command": { + "type": "object", + "additionalProperties": false, + "properties": { + "executed": { + "title": "Executed", + "description": "A text representation of the executed command.", + "type": "string" + }, + "properties": { + "type": "array", + "title": "Properties", + "description": "Provides the ability to document properties in a name-value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. Unlike key-value stores, properties support duplicate names, each potentially having different values. 
Property names of interest to the general public are encouraged to be registered in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy). Formal registration is optional.", + "items": { + "$ref": "#/definitions/property" + } + } + } + }, + "workspace": { + "title": "Workspace", + "description": "A named filesystem or data resource shareable by workflow tasks.", + "type": "object", + "required": [ + "bom-ref", + "uid" + ], + "additionalProperties": false, + "properties": { + "bom-ref": { + "title": "BOM Reference", + "description": "An optional identifier which can be used to reference the workspace elsewhere in the BOM. Every bom-ref must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links.", + "$ref": "#/definitions/refType" + }, + "uid": { + "title": "Unique Identifier (UID)", + "description": "The unique identifier for the resource instance within its deployment context.", + "type": "string" + }, + "name": { + "title": "Name", + "description": "The name of the resource instance.", + "type": "string" + }, + "aliases": { + "title": "Aliases", + "description": "The names for the workspace as referenced by other workflow tasks. 
Effectively, a name mapping so other tasks can use their own local name in their steps.", + "type": "array", + "items": {"type": "string"} + }, + "description": { + "title": "Description", + "description": "A description of the resource instance.", + "type": "string" + }, + "resourceReferences": { + "title": "Resource references", + "description": "References to component or service resources that are used to realize the resource instance.", + "type": "array", + "uniqueItems": true, + "items": { + "$ref": "#/definitions/resourceReferenceChoice" + } + }, + "accessMode": { + "title": "Access mode", + "description": "Describes the read-write access control for the workspace relative to the owning resource instance.", + "type": "string", + "enum": [ + "read-only", + "read-write", + "read-write-once", + "write-once", + "write-only" + ] + }, + "mountPath": { + "title": "Mount path", + "description": "A path to a location on disk where the workspace will be available to the associated task's steps.", + "type": "string" + }, + "managedDataType": { + "title": "Managed data type", + "description": "The name of a domain-specific data type the workspace represents.", + "$comment": "This property is for CI/CD frameworks that are able to provide access to structured, managed data at a more granular level than a filesystem.", + "examples": ["ConfigMap","Secret"], + "type": "string" + }, + "volumeRequest": { + "title": "Volume request", + "description": "Identifies the reference to the request for a specific volume type and parameters.", + "examples": ["a kubernetes Persistent Volume Claim (PVC) name"], + "type": "string" + }, + "volume": { + "title": "Volume", + "description": "Information about the actual volume instance allocated to the workspace.", + "$comment": "The actual volume allocated may be different than the request.", + "examples": ["see https://kubernetes.io/docs/concepts/storage/persistent-volumes/"], + "$ref": "#/definitions/volume" + }, + "properties": { + "type": 
"array", + "title": "Properties", + "description": "Provides the ability to document properties in a name-value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. Unlike key-value stores, properties support duplicate names, each potentially having different values. Property names of interest to the general public are encouraged to be registered in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy). Formal registration is optional.", + "items": { + "$ref": "#/definitions/property" + } + } + } + }, + "volume": { + "title": "Volume", + "description": "An identifiable, logical unit of data storage tied to a physical device.", + "type": "object", + "additionalProperties": false, + "properties": { + "uid": { + "title": "Unique Identifier (UID)", + "description": "The unique identifier for the volume instance within its deployment context.", + "type": "string" + }, + "name": { + "title": "Name", + "description": "The name of the volume instance", + "type": "string" + }, + "mode": { + "title": "Mode", + "description": "The mode for the volume instance.", + "type": "string", + "enum": [ + "filesystem", "block" + ], + "default": "filesystem" + }, + "path": { + "title": "Path", + "description": "The underlying path created from the actual volume.", + "type": "string" + }, + "sizeAllocated": { + "title": "Size allocated", + "description": "The allocated size of the volume accessible to the associated workspace. 
This should include the scalar size as well as IEC standard unit in either decimal or binary form.", + "examples": ["10GB", "2Ti", "1Pi"], + "type": "string" + }, + "persistent": { + "title": "Persistent", + "description": "Indicates if the volume persists beyond the life of the resource it is associated with.", + "type": "boolean" + }, + "remote": { + "title": "Remote", + "description": "Indicates if the volume is remotely (i.e., network) attached.", + "type": "boolean" + }, + "properties": { + "type": "array", + "title": "Properties", + "description": "Provides the ability to document properties in a name-value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. Unlike key-value stores, properties support duplicate names, each potentially having different values. Property names of interest to the general public are encouraged to be registered in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy). Formal registration is optional.", + "items": { + "$ref": "#/definitions/property" + } + } + } + }, + "trigger": { + "title": "Trigger", + "description": "Represents a resource that can conditionally activate (or fire) tasks based upon associated events and their data.", + "type": "object", + "additionalProperties": false, + "required": [ + "type", + "bom-ref", + "uid" + ], + "properties": { + "bom-ref": { + "title": "BOM Reference", + "description": "An optional identifier which can be used to reference the trigger elsewhere in the BOM. 
Every bom-ref must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links.", + "$ref": "#/definitions/refType" + }, + "uid": { + "title": "Unique Identifier (UID)", + "description": "The unique identifier for the resource instance within its deployment context.", + "type": "string" + }, + "name": { + "title": "Name", + "description": "The name of the resource instance.", + "type": "string" + }, + "description": { + "title": "Description", + "description": "A description of the resource instance.", + "type": "string" + }, + "resourceReferences": { + "title": "Resource references", + "description": "References to component or service resources that are used to realize the resource instance.", + "type": "array", + "uniqueItems": true, + "items": { + "$ref": "#/definitions/resourceReferenceChoice" + } + }, + "type": { + "title": "Type", + "description": "The source type of event which caused the trigger to fire.", + "type": "string", + "enum": [ + "manual", + "api", + "webhook", + "scheduled" + ] + }, + "event": { + "title": "Event", + "description": "The event data that caused the associated trigger to activate.", + "$ref": "#/definitions/event" + }, + "conditions": { + "type": "array", + "title": "Conditions", + "description": "A list of conditions used to determine if a trigger should be activated.", + "uniqueItems": true, + "items": { + "$ref": "#/definitions/condition" + } + }, + "timeActivated": { + "title": "Time activated", + "description": "The date and time (timestamp) when the trigger was activated.", + "type": "string", + "format": "date-time" + }, + "inputs": { + "title": "Inputs", + "description": "Represents resources and data brought into a task at runtime by executor or task commands", + "examples": ["a `configuration` file which was declared as a local `component` or `externalReference`"], + "type": "array", + "items": { + "$ref": "#/definitions/inputType" + }, + "uniqueItems": true + }, 
+ "outputs": { + "title": "Outputs", + "description": "Represents resources and data output from a task at runtime by executor or task commands", + "examples": ["a log file or metrics data produced by the task"], + "type": "array", + "items": { + "$ref": "#/definitions/outputType" + }, + "uniqueItems": true + }, + "properties": { + "type": "array", + "title": "Properties", + "description": "Provides the ability to document properties in a name-value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. Unlike key-value stores, properties support duplicate names, each potentially having different values. Property names of interest to the general public are encouraged to be registered in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy). Formal registration is optional.", + "items": { + "$ref": "#/definitions/property" + } + } + } + }, + "event": { + "title": "Event", + "description": "Represents something that happened that may trigger a response.", + "type": "object", + "additionalProperties": false, + "properties": { + "uid": { + "title": "Unique Identifier (UID)", + "description": "The unique identifier of the event.", + "type": "string" + }, + "description": { + "title": "Description", + "description": "A description of the event.", + "type": "string" + }, + "timeReceived": { + "title": "Time Received", + "description": "The date and time (timestamp) when the event was received.", + "type": "string", + "format": "date-time" + }, + "data": { + "title": "Data", + "description": "Encoding of the raw event data.", + "$ref": "#/definitions/attachment" + }, + "source": { + "title": "Source", + "description": "References the component or service that was the source of the event", + "$ref": "#/definitions/resourceReferenceChoice" + }, + "target": { + "title": "Target", + "description": "References the component or service that 
was the target of the event", + "$ref": "#/definitions/resourceReferenceChoice" + }, + "properties": { + "type": "array", + "title": "Properties", + "description": "Provides the ability to document properties in a name-value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. Unlike key-value stores, properties support duplicate names, each potentially having different values. Property names of interest to the general public are encouraged to be registered in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy). Formal registration is optional.", + "items": { + "$ref": "#/definitions/property" + } + } + } + }, + "inputType": { + "title": "Input type", + "description": "Type that represents various input data types and formats.", + "type": "object", + "oneOf": [ + { + "required": [ + "resource" + ] + }, + { + "required": [ + "parameters" + ] + }, + { + "required": [ + "environmentVars" + ] + }, + { + "required": [ + "data" + ] + } + ], + "additionalProperties": false, + "properties": { + "source": { + "title": "Source", + "description": "A reference to the component or service that provided the input to the task (e.g., reference to a service with data flow value of `inbound`)", + "examples": [ + "source code repository", + "database" + ], + "$ref": "#/definitions/resourceReferenceChoice" + }, + "target": { + "title": "Target", + "description": "A reference to the component or service that received or stored the input if not the task itself (e.g., a local, named storage workspace)", + "examples": [ + "workspace", + "directory" + ], + "$ref": "#/definitions/resourceReferenceChoice" + }, + "resource": { + "title": "Resource", + "description": "A reference to an independent resource provided as an input to a task by the workflow runtime.", + "examples": [ + "a reference to a configuration file in a repository (i.e., a bom-ref)", 
+ "a reference to a scanning service used in a task (i.e., a bom-ref)" + ], + "$ref": "#/definitions/resourceReferenceChoice" + }, + "parameters": { + "title": "Parameters", + "description": "Inputs that have the form of parameters with names and values.", + "type": "array", + "uniqueItems": true, + "items": { + "$ref": "#/definitions/parameter" + } + }, + "environmentVars": { + "title": "Environment variables", + "description": "Inputs that have the form of parameters with names and values.", + "type": "array", + "uniqueItems": true, + "items": { + "oneOf": [ + { + "$ref": "#/definitions/property" + }, + { + "type": "string" + } + ] + } + }, + "data": { + "title": "Data", + "description": "Inputs that have the form of data.", + "$ref": "#/definitions/attachment" + }, + "properties": { + "type": "array", + "title": "Properties", + "description": "Provides the ability to document properties in a name-value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. Unlike key-value stores, properties support duplicate names, each potentially having different values. Property names of interest to the general public are encouraged to be registered in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy). 
Formal registration is optional.", + "items": { + "$ref": "#/definitions/property" + } + } + } + }, + "outputType": { + "type": "object", + "oneOf": [ + { + "required": [ + "resource" + ] + }, + { + "required": [ + "environmentVars" + ] + }, + { + "required": [ + "data" + ] + } + ], + "additionalProperties": false, + "properties": { + "type": { + "title": "Type", + "description": "Describes the type of data output.", + "type": "string", + "enum": [ + "artifact", + "attestation", + "log", + "evidence", + "metrics", + "other" + ] + }, + "source": { + "title": "Source", + "description": "Component or service that generated or provided the output from the task (e.g., a build tool)", + "$ref": "#/definitions/resourceReferenceChoice" + }, + "target": { + "title": "Target", + "description": "Component or service that received the output from the task (e.g., reference to an artifactory service with data flow value of `outbound`)", + "examples": ["a log file described as an `externalReference` within its target domain."], + "$ref": "#/definitions/resourceReferenceChoice" + }, + "resource": { + "title": "Resource", + "description": "A reference to an independent resource generated as output by the task.", + "examples": [ + "configuration file", + "source code", + "scanning service" + ], + "$ref": "#/definitions/resourceReferenceChoice" + }, + "data": { + "title": "Data", + "description": "Outputs that have the form of data.", + "$ref": "#/definitions/attachment" + }, + "environmentVars": { + "title": "Environment variables", + "description": "Outputs that have the form of environment variables.", + "type": "array", + "items": { + "oneOf": [ + { + "$ref": "#/definitions/property" + }, + { + "type": "string" + } + ] + }, + "uniqueItems": true + }, + "properties": { + "type": "array", + "title": "Properties", + "description": "Provides the ability to document properties in a name-value store. 
This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. Unlike key-value stores, properties support duplicate names, each potentially having different values. Property names of interest to the general public are encouraged to be registered in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy). Formal registration is optional.", + "items": { + "$ref": "#/definitions/property" + } + } + } + }, + "resourceReferenceChoice": { + "title": "Resource reference choice", + "description": "A reference to a locally defined resource (e.g., a bom-ref) or an externally accessible resource.", + "$comment": "Enables reference to a resource that participates in a workflow; using either internal (bom-ref) or external (externalReference) types.", + "type": "object", + "additionalProperties": false, + "properties": { + "ref": { + "title": "BOM Reference", + "description": "References an object by its bom-ref attribute", + "anyOf": [ + { + "title": "Ref", + "$ref": "#/definitions/refLinkType" + }, + { + "title": "BOM-Link Element", + "$ref": "#/definitions/bomLinkElementType" + } + ] + }, + "externalReference": { + "title": "External reference", + "description": "Reference to an externally accessible resource.", + "$ref": "#/definitions/externalReference" + } + }, + "oneOf": [ + { + "required": [ + "ref" + ] + }, + { + "required": [ + "externalReference" + ] + } + ] + }, + "condition": { + "title": "Condition", + "description": "A condition that was used to determine a trigger should be activated.", + "type": "object", + "additionalProperties": false, + "properties": { + "description": { + "title": "Description", + "description": "Describes the set of conditions which cause the trigger to activate.", + "type": "string" + }, + "expression": { + "title": "Expression", + "description": "The logical expression that was evaluated that determined the trigger 
should be fired.", + "type": "string" + }, + "properties": { + "type": "array", + "title": "Properties", + "description": "Provides the ability to document properties in a name-value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. Unlike key-value stores, properties support duplicate names, each potentially having different values. Property names of interest to the general public are encouraged to be registered in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy). Formal registration is optional.", + "items": { + "$ref": "#/definitions/property" + } + } + } + }, + "taskType": { + "type": "string", + "enum": [ + "copy", + "clone", + "lint", + "scan", + "merge", + "build", + "test", + "deliver", + "deploy", + "release", + "clean", + "other" + ], + "meta:enum": { + "copy": "A task that copies software or data used to accomplish other tasks in the workflow.", + "clone": "A task that clones a software repository into the workflow in order to retrieve its source code or data for use in a build step.", + "lint": "A task that checks source code for programmatic and stylistic errors.", + "scan": "A task that performs a scan against source code, or built or deployed components and services. 
Scans are typically run to gather or test for security vulnerabilities or policy compliance.", + "merge": "A task that merges changes or fixes into source code prior to a build step in the workflow.", + "build": "A task that builds the source code, dependencies and/or data into an artifact that can be deployed to and executed on target systems.", + "test": "A task that verifies the functionality of a component or service.", + "deliver": "A task that delivers a built artifact to one or more target repositories or storage systems.", + "deploy": "A task that deploys a built artifact for execution on one or more target systems.", + "release": "A task that releases a built, versioned artifact to a target repository or distribution system.", + "clean": "A task that cleans unnecessary tools, build artifacts and/or data from workflow storage.", + "other": "A workflow task that does not match current task type definitions." + } + }, + "parameter": { + "title": "Parameter", + "description": "A representation of a functional parameter.", + "type": "object", + "additionalProperties": false, + "properties": { + "name": { + "title": "Name", + "description": "The name of the parameter.", + "type": "string" + }, + "value": { + "title": "Value", + "description": "The value of the parameter.", + "type": "string" + }, + "dataType": { + "title": "Data type", + "description": "The data type of the parameter.", + "type": "string" + } + } + }, + "componentIdentityEvidence": { + "type": "object", + "title": "Identity Evidence", + "description": "Evidence that substantiates the identity of a component.", + "required": [ "field" ], + "additionalProperties": false, + "properties": { + "field": { + "type": "string", + "enum": [ + "group", "name", "version", "purl", "cpe", "omniborId", "swhid", "swid", "hash" + ], + "title": "Field", + "description": "The identity field of the component which the evidence describes." 
+ }, + "confidence": { + "type": "number", + "minimum": 0, + "maximum": 1, + "title": "Confidence", + "description": "The overall confidence of the evidence from 0 - 1, where 1 is 100% confidence." + }, + "concludedValue": { + "type": "string", + "title": "Concluded Value", + "description": "The value of the field (cpe, purl, etc) that has been concluded based on the aggregate of all methods (if available)." + }, + "methods": { + "type": "array", + "title": "Methods", + "description": "The methods used to extract and/or analyze the evidence.", + "items": { + "type": "object", + "required": [ + "technique" , + "confidence" + ], + "additionalProperties": false, + "properties": { + "technique": { + "title": "Technique", + "description": "The technique used in this method of analysis.", + "type": "string", + "enum": [ + "source-code-analysis", + "binary-analysis", + "manifest-analysis", + "ast-fingerprint", + "hash-comparison", + "instrumentation", + "dynamic-analysis", + "filename", + "attestation", + "other" + ] + }, + "confidence": { + "type": "number", + "minimum": 0, + "maximum": 1, + "title": "Confidence", + "description": "The confidence of the evidence from 0 - 1, where 1 is 100% confidence. Confidence is specific to the technique used. Each technique of analysis can have independent confidence." + }, + "value": { + "type": "string", + "title": "Value", + "description": "The value or contents of the evidence." + } + } + } + }, + "tools": { + "type": "array", + "uniqueItems": true, + "items": { + "anyOf": [ + { + "title": "Ref", + "$ref": "#/definitions/refLinkType" + }, + { + "title": "BOM-Link Element", + "$ref": "#/definitions/bomLinkElementType" + } + ] + }, + "title": "BOM References", + "description": "The object in the BOM identified by its bom-ref. This is often a component or service but may be any object type supporting bom-refs. Tools used for analysis should already be defined in the BOM, either in the metadata/tools, components, or formulation." 
+ } + } + }, + "standard": { + "type": "object", + "title": "Standard", + "description": "A standard may consist of regulations, industry or organizational-specific standards, maturity models, best practices, or any other requirements which can be evaluated against or attested to.", + "additionalProperties": false, + "properties": { + "bom-ref": { + "$ref": "#/definitions/refType", + "title": "BOM Reference", + "description": "An optional identifier which can be used to reference the object elsewhere in the BOM. Every bom-ref must be unique within the BOM." + }, + "name": { + "type": "string", + "title": "Name", + "description": "The name of the standard. This will often be a shortened, single name of the standard." + }, + "version": { + "type": "string", + "title": "Version", + "description": "The version of the standard." + }, + "description": { + "type": "string", + "title": "Description", + "description": "The description of the standard." + }, + "owner": { + "type": "string", + "title": "Owner", + "description": "The owner of the standard, often the entity responsible for its release." + }, + "requirements": { + "type": "array", + "title": "Requirements", + "description": "The list of requirements comprising the standard.", + "items": { + "type": "object", + "title": "Requirement", + "additionalProperties": false, + "properties": { + "bom-ref": { + "$ref": "#/definitions/refType", + "title": "BOM Reference", + "description": "An optional identifier which can be used to reference the object elsewhere in the BOM. Every bom-ref must be unique within the BOM." + }, + "identifier": { + "type": "string", + "title": "Identifier", + "description": "The unique identifier used in the standard to identify a specific requirement. This should match what is in the standard and should not be the requirements bom-ref." + }, + "title": { + "type": "string", + "title": "Title", + "description": "The title of the requirement." 
+ }, + "text": { + "type": "string", + "title": "Text", + "description": "The textual content of the requirement." + }, + "descriptions": { + "type": "array", + "title": "Descriptions", + "description": "The supplemental text that provides additional guidance or context to the requirement, but is not directly part of the requirement.", + "items": { "type": "string" } + }, + "openCre": { + "type": "array", + "title": "OWASP OpenCRE Identifier(s)", + "description": "The Common Requirements Enumeration (CRE) identifier(s). CRE is a structured and standardized framework for uniting security standards and guidelines. CRE links each section of a resource to a shared topic identifier (a Common Requirement). Through this shared topic link, all resources map to each other. Use of CRE promotes clear and unambiguous communication among stakeholders.", + "items": { + "type": "string", + "pattern": "^CRE:[0-9]+-[0-9]+$", + "examples": [ "CRE:764-507" ] + } + }, + "parent": { + "$ref": "#/definitions/refLinkType", + "title": "Parent BOM Reference", + "description": "The optional `bom-ref` to a parent requirement. This establishes a hierarchy of requirements. Top-level requirements must not define a parent. Only child requirements should define parents." + }, + "properties": { + "type": "array", + "title": "Properties", + "description": "Provides the ability to document properties in a name-value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. Unlike key-value stores, properties support duplicate names, each potentially having different values. Property names of interest to the general public are encouraged to be registered in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy). 
Formal registration is optional.", + "items": { + "$ref": "#/definitions/property" + } + }, + "externalReferences": { + "type": "array", + "items": {"$ref": "#/definitions/externalReference"}, + "title": "External References", + "description": "External references provide a way to document systems, sites, and information that may be relevant, but are not included with the BOM. They may also establish specific relationships within or external to the BOM." + } + } + } + }, + "levels": { + "type": "array", + "title": "Levels", + "description": "The list of levels associated with the standard. Some standards have different levels of compliance.", + "items": { + "type": "object", + "title": "Level", + "additionalProperties": false, + "properties": { + "bom-ref": { + "$ref": "#/definitions/refType", + "title": "BOM Reference", + "description": "An optional identifier which can be used to reference the object elsewhere in the BOM. Every bom-ref must be unique within the BOM." + }, + "identifier": { + "type": "string", + "title": "Identifier", + "description": "The identifier used in the standard to identify a specific level." + }, + "title": { + "type": "string", + "title": "Title", + "description": "The title of the level." + }, + "description": { + "type": "string", + "title": "Description", + "description": "The description of the level." + }, + "requirements": { + "type": "array", + "title": "Requirements", + "description": "The list of requirement `bom-ref`s that comprise the level.", + "items": { "$ref": "#/definitions/refLinkType" } + } + } + } + }, + "externalReferences": { + "type": "array", + "items": {"$ref": "#/definitions/externalReference"}, + "title": "External References", + "description": "External references provide a way to document systems, sites, and information that may be relevant but are not included with the BOM. They may also establish specific relationships within or external to the BOM." 
+ }, + "signature": { + "$ref": "#/definitions/signature", + "title": "Signature", + "description": "Enveloped signature in [JSON Signature Format (JSF)](https://cyberphone.github.io/doc/security/jsf.html)." + } + } + }, + "signature": { + "$ref": "jsf-0.82.schema.json#/definitions/signature", + "title": "Signature", + "description": "Enveloped signature in [JSON Signature Format (JSF)](https://cyberphone.github.io/doc/security/jsf.html)." + }, + "cryptoProperties": { + "type": "object", + "title": "Cryptographic Properties", + "description": "Cryptographic assets have properties that uniquely define them and that make them actionable for further reasoning. As an example, it makes a difference if one knows the algorithm family (e.g. AES) or the specific variant or instantiation (e.g. AES-128-GCM). This is because the security level and the algorithm primitive (authenticated encryption) are only defined by the definition of the algorithm variant. The presence of a weak cryptographic algorithm like SHA1 vs. HMAC-SHA1 also makes a difference.", + "additionalProperties": false, + "required": [ + "assetType" + ], + "properties": { + "assetType": { + "type": "string", + "title": "Asset Type", + "description": "Cryptographic assets occur in several forms. Algorithms and protocols are most commonly implemented in specialized cryptographic libraries. They may, however, also be 'hardcoded' in software components. 
Certificates and related cryptographic material like keys, tokens, secrets or passwords are other cryptographic assets to be modelled.", + "enum": [ + "algorithm", + "certificate", + "protocol", + "related-crypto-material" + ], + "meta:enum": { + "algorithm": "Mathematical function commonly used for data encryption, authentication, and digital signatures.", + "certificate": "An electronic document that is used to provide the identity or validate a public key.", + "protocol": "A set of rules and guidelines that govern the behavior and communication with each other.", + "related-crypto-material": "Other cryptographic assets related to algorithms, certificates, and protocols such as keys and tokens." + } + }, + "algorithmProperties": { + "type": "object", + "title": "Algorithm Properties", + "description": "Additional properties specific to a cryptographic algorithm.", + "additionalProperties": false, + "properties": { + "primitive": { + "type": "string", + "title": "primitive", + "description": "Cryptographic building blocks used in higher-level cryptographic systems and protocols. Primitives represent different cryptographic routines: deterministic random bit generators (drbg, e.g. CTR_DRBG from NIST SP800-90A-r1), message authentication codes (mac, e.g. HMAC-SHA-256), blockciphers (e.g. AES), streamciphers (e.g. Salsa20), signatures (e.g. ECDSA), hash functions (e.g. SHA-256), public-key encryption schemes (pke, e.g. RSA), extended output functions (xof, e.g. SHAKE256), key derivation functions (e.g. pbkdf2), key agreement algorithms (e.g. ECDH), key encapsulation mechanisms (e.g. ML-KEM), authenticated encryption (ae, e.g. AES-GCM) and the combination of multiple algorithms (combiner, e.g. 
SP800-56Cr2).", + "enum": [ + "drbg", + "mac", + "block-cipher", + "stream-cipher", + "signature", + "hash", + "pke", + "xof", + "kdf", + "key-agree", + "kem", + "ae", + "combiner", + "other", + "unknown" + ], + "meta:enum": { + "drbg": "Deterministic Random Bit Generator (DRBG) is a type of pseudorandom number generator designed to produce a sequence of bits from an initial seed value. DRBGs are commonly used in cryptographic applications where reproducibility of random values is important.", + "mac": "In cryptography, a Message Authentication Code (MAC) is information used for authenticating and integrity-checking a message.", + "block-cipher": "A block cipher is a symmetric key algorithm that operates on fixed-size blocks of data. It encrypts or decrypts the data in block units, providing confidentiality. Block ciphers are widely used in various cryptographic modes and protocols for secure data transmission.", + "stream-cipher": "A stream cipher is a symmetric key cipher where plaintext digits are combined with a pseudorandom cipher digit stream (keystream).", + "signature": "In cryptography, a signature is a digital representation of a message or data that proves its origin, identity, and integrity. Digital signatures are generated using cryptographic algorithms and are widely used for authentication and verification in secure communication.", + "hash": "A hash function is a mathematical algorithm that takes an input (or 'message') and produces a fixed-size string of characters, which is typically a hash value. Hash functions are commonly used in various cryptographic applications, including data integrity verification and password hashing.", + "pke": "Public Key Encryption (PKE) is a type of encryption that uses a pair of public and private keys for secure communication. The public key is used for encryption, while the private key is used for decryption. 
PKE is a fundamental component of public-key cryptography.", + "xof": "An XOF is an extendable output function that can take arbitrary input and creates a stream of output, up to a limit determined by the size of the internal state of the hash function that underlies the XOF.", + "kdf": "A Key Derivation Function (KDF) derives key material from another source of entropy while preserving the entropy of the input.", + "key-agree": "In cryptography, a key-agreement is a protocol whereby two or more parties agree on a cryptographic key in such a way that both influence the outcome.", + "kem": "A Key Encapsulation Mechanism (KEM) algorithm is a mechanism for transporting random keying material to a recipient using the recipient's public key.", + "ae": "Authenticated Encryption (AE) is a cryptographic process that provides both confidentiality and data integrity. It ensures that the encrypted data has not been tampered with and comes from a legitimate source. AE is commonly used in secure communication protocols.", + "combiner": "A combiner aggregates many candidates for a cryptographic primitive and generates a new candidate for the same primitive.", + "other": "Another primitive type.", + "unknown": "The primitive is not known." + } + }, + "parameterSetIdentifier": { + "type": "string", + "title": "Parameter Set Identifier", + "description": "An identifier for the parameter set of the cryptographic algorithm. Examples: in AES128, '128' identifies the key length in bits, in SHA256, '256' identifies the digest length, '128' in SHAKE128 identifies its maximum security level in bits, and 'SHA2-128s' identifies a parameter set used in SLH-DSA (FIPS205)." + }, + "curve": { + "type": "string", + "title": "Elliptic Curve", + "description": "The specific underlying Elliptic Curve (EC) definition employed which is an indicator of the level of security strength, performance and complexity. 
Absent an authoritative source of curve names, CycloneDX recommends using curve names as defined at [https://neuromancer.sk/std/](https://neuromancer.sk/std/), the source of which can be found at [https://github.com/J08nY/std-curves](https://github.com/J08nY/std-curves)." + }, + "executionEnvironment": { + "type": "string", + "title": "Execution Environment", + "description": "The target and execution environment in which the algorithm is implemented in.", + "enum": [ + "software-plain-ram", + "software-encrypted-ram", + "software-tee", + "hardware", + "other", + "unknown" + ], + "meta:enum": { + "software-plain-ram": "A software implementation running in plain unencrypted RAM.", + "software-encrypted-ram": "A software implementation running in encrypted RAM.", + "software-tee": "A software implementation running in a trusted execution environment.", + "hardware": "A hardware implementation.", + "other": "Another implementation environment.", + "unknown": "The execution environment is not known." + } + }, + "implementationPlatform": { + "type": "string", + "title": "Implementation platform", + "description": "The target platform for which the algorithm is implemented. The implementation can be 'generic', running on any platform or for a specific platform.", + "enum": [ + "generic", + "x86_32", + "x86_64", + "armv7-a", + "armv7-m", + "armv8-a", + "armv8-m", + "armv9-a", + "armv9-m", + "s390x", + "ppc64", + "ppc64le", + "other", + "unknown" + ] + }, + "certificationLevel": { + "type": "array", + "title": "Certification Level", + "description": "The certification that the implementation of the cryptographic algorithm has received, if any. 
Certifications include revisions and levels of FIPS 140 or Common Criteria of different Extended Assurance Levels (CC-EAL).", + "items": { + "type": "string", + "enum": [ + "none", + "fips140-1-l1", + "fips140-1-l2", + "fips140-1-l3", + "fips140-1-l4", + "fips140-2-l1", + "fips140-2-l2", + "fips140-2-l3", + "fips140-2-l4", + "fips140-3-l1", + "fips140-3-l2", + "fips140-3-l3", + "fips140-3-l4", + "cc-eal1", + "cc-eal1+", + "cc-eal2", + "cc-eal2+", + "cc-eal3", + "cc-eal3+", + "cc-eal4", + "cc-eal4+", + "cc-eal5", + "cc-eal5+", + "cc-eal6", + "cc-eal6+", + "cc-eal7", + "cc-eal7+", + "other", + "unknown" + ], + "meta:enum": { + "none": "No certification obtained", + "fips140-1-l1": "FIPS 140-1 Level 1", + "fips140-1-l2": "FIPS 140-1 Level 2", + "fips140-1-l3": "FIPS 140-1 Level 3", + "fips140-1-l4": "FIPS 140-1 Level 4", + "fips140-2-l1": "FIPS 140-2 Level 1", + "fips140-2-l2": "FIPS 140-2 Level 2", + "fips140-2-l3": "FIPS 140-2 Level 3", + "fips140-2-l4": "FIPS 140-2 Level 4", + "fips140-3-l1": "FIPS 140-3 Level 1", + "fips140-3-l2": "FIPS 140-3 Level 2", + "fips140-3-l3": "FIPS 140-3 Level 3", + "fips140-3-l4": "FIPS 140-3 Level 4", + "cc-eal1": "Common Criteria - Evaluation Assurance Level 1", + "cc-eal1+": "Common Criteria - Evaluation Assurance Level 1 (Augmented)", + "cc-eal2": "Common Criteria - Evaluation Assurance Level 2", + "cc-eal2+": "Common Criteria - Evaluation Assurance Level 2 (Augmented)", + "cc-eal3": "Common Criteria - Evaluation Assurance Level 3", + "cc-eal3+": "Common Criteria - Evaluation Assurance Level 3 (Augmented)", + "cc-eal4": "Common Criteria - Evaluation Assurance Level 4", + "cc-eal4+": "Common Criteria - Evaluation Assurance Level 4 (Augmented)", + "cc-eal5": "Common Criteria - Evaluation Assurance Level 5", + "cc-eal5+": "Common Criteria - Evaluation Assurance Level 5 (Augmented)", + "cc-eal6": "Common Criteria - Evaluation Assurance Level 6", + "cc-eal6+": "Common Criteria - Evaluation Assurance Level 6 (Augmented)", + "cc-eal7": 
"Common Criteria - Evaluation Assurance Level 7", + "cc-eal7+": "Common Criteria - Evaluation Assurance Level 7 (Augmented)", + "other": "Another certification", + "unknown": "The certification level is not known" + } + } + }, + "mode": { + "type": "string", + "title": "Mode", + "description": "The mode of operation in which the cryptographic algorithm (block cipher) is used.", + "enum": [ + "cbc", + "ecb", + "ccm", + "gcm", + "cfb", + "ofb", + "ctr", + "other", + "unknown" + ], + "meta:enum": { + "cbc": "Cipher block chaining", + "ecb": "Electronic codebook", + "ccm": "Counter with cipher block chaining message authentication code", + "gcm": "Galois/counter", + "cfb": "Cipher feedback", + "ofb": "Output feedback", + "ctr": "Counter", + "other": "Another mode of operation", + "unknown": "The mode of operation is not known" + } + }, + "padding": { + "type": "string", + "title": "Padding", + "description": "The padding scheme that is used for the cryptographic algorithm.", + "enum": [ + "pkcs5", + "pkcs7", + "pkcs1v15", + "oaep", + "raw", + "other", + "unknown" + ], + "meta:enum": { + "pkcs5": "Public Key Cryptography Standard: Password-Based Cryptography", + "pkcs7": "Public Key Cryptography Standard: Cryptographic Message Syntax", + "pkcs1v15": "Public Key Cryptography Standard: RSA Cryptography v1.5", + "oaep": "Optimal asymmetric encryption padding", + "raw": "Raw", + "other": "Another padding scheme", + "unknown": "The padding scheme is not known" + } + }, + "cryptoFunctions": { + "type": "array", + "title": "Cryptographic functions", + "description": "The cryptographic functions implemented by the cryptographic algorithm.", + "items": { + "type": "string", + "enum": [ + "generate", + "keygen", + "encrypt", + "decrypt", + "digest", + "tag", + "keyderive", + "sign", + "verify", + "encapsulate", + "decapsulate", + "other", + "unknown" + ] + } + }, + "classicalSecurityLevel": { + "type": "integer", + "title": "classical security level", + "description": "The 
classical security level that a cryptographic algorithm provides (in bits).", + "minimum": 0 + }, + "nistQuantumSecurityLevel": { + "type": "integer", + "title": "NIST security strength category", + "description": "The NIST security strength category as defined in https://csrc.nist.gov/projects/post-quantum-cryptography/post-quantum-cryptography-standardization/evaluation-criteria/security-(evaluation-criteria). A value of 0 indicates that none of the categories are met.", + "minimum": 0, + "maximum": 6 + } + } + }, + "certificateProperties": { + "type": "object", + "title": "Certificate Properties", + "description": "Properties for cryptographic assets of asset type 'certificate'", + "additionalProperties": false, + "properties": { + "subjectName": { + "type": "string", + "title": "Subject Name", + "description": "The subject name for the certificate" + }, + "issuerName": { + "type": "string", + "title": "Issuer Name", + "description": "The issuer name for the certificate" + }, + "notValidBefore": { + "type": "string", + "format": "date-time", + "title": "Not Valid Before", + "description": "The date and time according to ISO-8601 standard from which the certificate is valid" + }, + "notValidAfter": { + "type": "string", + "format": "date-time", + "title": "Not Valid After", + "description": "The date and time according to ISO-8601 standard from which the certificate is not valid anymore" + }, + "signatureAlgorithmRef": { + "$ref": "#/definitions/refType", + "title": "Algorithm Reference", + "description": "The bom-ref to signature algorithm used by the certificate" + }, + "subjectPublicKeyRef": { + "$ref": "#/definitions/refType", + "title": "Key reference", + "description": "The bom-ref to the public key of the subject" + }, + "certificateFormat": { + "type": "string", + "title": "Certificate Format", + "description": "The format of the certificate", + "examples": [ + "X.509", + "PEM", + "DER", + "CVC" + ] + }, + "certificateExtension": { + "type": "string", + 
"title": "Certificate File Extension", + "description": "The file extension of the certificate", + "examples": [ + "crt", + "pem", + "cer", + "der", + "p12" + ] + } + } + }, + "relatedCryptoMaterialProperties": { + "type": "object", + "title": "Related Cryptographic Material Properties", + "description": "Properties for cryptographic assets of asset type: `related-crypto-material`", + "additionalProperties": false, + "properties": { + "type": { + "type": "string", + "title": "relatedCryptoMaterialType", + "description": "The type for the related cryptographic material", + "enum": [ + "private-key", + "public-key", + "secret-key", + "key", + "ciphertext", + "signature", + "digest", + "initialization-vector", + "nonce", + "seed", + "salt", + "shared-secret", + "tag", + "additional-data", + "password", + "credential", + "token", + "other", + "unknown" + ], + "meta:enum": { + "private-key": "The confidential key of a key pair used in asymmetric cryptography.", + "public-key": "The non-confidential key of a key pair used in asymmetric cryptography.", + "secret-key": "A key used to encrypt and decrypt messages in symmetric cryptography.", + "key": "A piece of information, usually an octet string, which, when processed through a cryptographic algorithm, processes cryptographic data.", + "ciphertext": "The result of encryption performed on plaintext using an algorithm (or cipher).", + "signature": "A cryptographic value that is calculated from the data and a key known only by the signer.", + "digest": "The output of the hash function.", + "initialization-vector": "A fixed-size random or pseudo-random value used as an input parameter for cryptographic algorithms.", + "nonce": "A random or pseudo-random number that can only be used once in a cryptographic communication.", + "seed": "The input to a pseudo-random number generator. 
Different seeds generate different pseudo-random sequences.", + "salt": "A value used in a cryptographic process, usually to ensure that the results of computations for one instance cannot be reused by an attacker.", + "shared-secret": "A piece of data known only to the parties involved, in a secure communication.", + "tag": "A message authentication code (MAC), sometimes known as an authentication tag, is a short piece of information used for authenticating and integrity-checking a message.", + "additional-data": "An unspecified collection of data with relevance to cryptographic activity.", + "password": "A secret word, phrase, or sequence of characters used during authentication or authorization.", + "credential": "Establishes the identity of a party to communication, usually in the form of cryptographic keys or passwords.", + "token": "An object encapsulating a security identity.", + "other": "Another type of cryptographic asset.", + "unknown": "The type of cryptographic asset is not known." + } + }, + "id": { + "type": "string", + "title": "ID", + "description": "The optional unique identifier for the related cryptographic material." + }, + "state": { + "type": "string", + "title": "State", + "description": "The key state as defined by NIST SP 800-57.", + "enum": [ + "pre-activation", + "active", + "suspended", + "deactivated", + "compromised", + "destroyed" + ] + }, + "algorithmRef": { + "$ref": "#/definitions/refType", + "title": "Algorithm Reference", + "description": "The bom-ref to the algorithm used to generate the related cryptographic material." + }, + "creationDate": { + "type": "string", + "format": "date-time", + "title": "Creation Date", + "description": "The date and time (timestamp) when the related cryptographic material was created." + }, + "activationDate": { + "type": "string", + "format": "date-time", + "title": "Activation Date", + "description": "The date and time (timestamp) when the related cryptographic material was activated." 
+ }, + "updateDate": { + "type": "string", + "format": "date-time", + "title": "Update Date", + "description": "The date and time (timestamp) when the related cryptographic material was updated." + }, + "expirationDate": { + "type": "string", + "format": "date-time", + "title": "Expiration Date", + "description": "The date and time (timestamp) when the related cryptographic material expires." + }, + "value": { + "type": "string", + "title": "Value", + "description": "The associated value of the cryptographic material." + }, + "size": { + "type": "integer", + "title": "Size", + "description": "The size of the cryptographic asset (in bits)." + }, + "format": { + "type": "string", + "title": "Format", + "description": "The format of the related cryptographic material (e.g. P8, PEM, DER)." + }, + "securedBy": { + "$ref": "#/definitions/securedBy", + "title": "Secured By", + "description": "The mechanism by which the cryptographic asset is secured by." + } + } + }, + "protocolProperties": { + "type": "object", + "title": "Protocol Properties", + "description": "Properties specific to cryptographic assets of type: `protocol`.", + "additionalProperties": false, + "properties": { + "type": { + "type": "string", + "title": "Type", + "description": "The concrete protocol type.", + "enum": [ + "tls", + "ssh", + "ipsec", + "ike", + "sstp", + "wpa", + "other", + "unknown" + ], + "meta:enum": { + "tls": "Transport Layer Security", + "ssh": "Secure Shell", + "ipsec": "Internet Protocol Security", + "ike": "Internet Key Exchange", + "sstp": "Secure Socket Tunneling Protocol", + "wpa": "Wi-Fi Protected Access", + "other": "Another protocol type", + "unknown": "The protocol type is not known" + } + }, + "version": { + "type": "string", + "title": "Protocol Version", + "description": "The version of the protocol.", + "examples": [ + "1.0", + "1.2", + "1.99" + ] + }, + "cipherSuites": { + "type": "array", + "title": "Cipher Suites", + "description": "A list of cipher suites related to 
the protocol.", + "items": { + "$ref": "#/definitions/cipherSuite", + "title": "Cipher Suite" + } + }, + "ikev2TransformTypes": { + "type": "object", + "title": "IKEv2 Transform Types", + "description": "The IKEv2 transform types supported (types 1-4), defined in [RFC 7296 section 3.3.2](https://www.ietf.org/rfc/rfc7296.html#section-3.3.2), and additional properties.", + "additionalProperties": false, + "properties": { + "encr": { + "$ref": "#/definitions/cryptoRefArray", + "title": "Encryption Algorithm (ENCR)", + "description": "Transform Type 1: encryption algorithms" + }, + "prf": { + "$ref": "#/definitions/cryptoRefArray", + "title": "Pseudorandom Function (PRF)", + "description": "Transform Type 2: pseudorandom functions" + }, + "integ": { + "$ref": "#/definitions/cryptoRefArray", + "title": "Integrity Algorithm (INTEG)", + "description": "Transform Type 3: integrity algorithms" + }, + "ke": { + "$ref": "#/definitions/cryptoRefArray", + "title": "Key Exchange Method (KE)", + "description": "Transform Type 4: Key Exchange Method (KE) per [RFC 9370](https://www.ietf.org/rfc/rfc9370.html), formerly called Diffie-Hellman Group (D-H)." + }, + "esn": { + "type": "boolean", + "title": "Extended Sequence Numbers (ESN)", + "description": "Specifies if an Extended Sequence Number (ESN) is used." + }, + "auth": { + "$ref": "#/definitions/cryptoRefArray", + "title": "IKEv2 Authentication method", + "description": "IKEv2 Authentication method" + } + } + }, + "cryptoRefArray": { + "$ref": "#/definitions/cryptoRefArray", + "title": "Cryptographic References", + "description": "A list of protocol-related cryptographic assets" + } + } + }, + "oid": { + "type": "string", + "title": "OID", + "description": "The object identifier (OID) of the cryptographic asset." 
+ } + } + }, + "cipherSuite": { + "type": "object", + "title": "Cipher Suite", + "description": "Object representing a cipher suite", + "additionalProperties": false, + "properties": { + "name": { + "type": "string", + "title": "Common Name", + "description": "A common name for the cipher suite.", + "examples": [ + "TLS_DHE_RSA_WITH_AES_128_CCM" + ] + }, + "algorithms": { + "type": "array", + "title": "Related Algorithms", + "description": "A list of algorithms related to the cipher suite.", + "items": { + "$ref": "#/definitions/refType", + "title": "Algorithm reference", + "description": "The bom-ref to algorithm cryptographic asset." + } + }, + "identifiers": { + "type": "array", + "title": "Cipher Suite Identifiers", + "description": "A list of common identifiers for the cipher suite.", + "items": { + "type": "string", + "title": "identifier", + "description": "Cipher suite identifier", + "examples": [ + "0xC0", + "0x9E" + ] + } + } + } + }, + "cryptoRefArray" : { + "type": "array", + "items": { + "$ref": "#/definitions/refType" + } + }, + "securedBy": { + "type": "object", + "title": "Secured By", + "description": "Specifies the mechanism by which the cryptographic asset is secured by", + "additionalProperties": false, + "properties": { + "mechanism": { + "type": "string", + "title": "Mechanism", + "description": "Specifies the mechanism by which the cryptographic asset is secured by.", + "examples": [ + "HSM", + "TPM", + "SGX", + "Software", + "None" + ] + }, + "algorithmRef": { + "$ref": "#/definitions/refType", + "title": "Algorithm Reference", + "description": "The bom-ref to the algorithm." + } + } + }, + "tags": { + "type": "array", + "items": { + "type": "string" + }, + "title": "Tags", + "description": "Textual strings that aid in discovery, search, and retrieval of the associated object. 
Tags often serve as a way to group or categorize similar or related objects by various attributes.",
+ "examples": [
+ "json-parser",
+ "object-persistence",
+ "text-to-image",
+ "translation",
+ "object-detection"
+ ]
+ }
+ }
+}
diff --git a/schema/bom-1.6.xsd b/schema/bom-1.6.xsd
new file mode 100644
index 0000000..847c526
--- /dev/null
+++ b/schema/bom-1.6.xsd
@@ -0,0 +1,8432 @@ + + + + + + + + + CycloneDX Bill of Materials Standard + https://cyclonedx.org/ + Apache License, Version 2.0 + + + + + + Identifier for referable and therefore interlink-able elements. + + + + + + + + + + Descriptor for an element identified by the attribute "bom-ref" in the same BOM document. + In contrast to `bomLinkElementType`. + + + + + + + + + + + + + + + + + =2.0.0|<5.0.0" + - "vers:pypi/0.0.0|0.0.1|0.0.2|0.0.3|1.0|2.0pre1" + - "vers:tomee/>=1.0.0-beta1|<=1.7.5|>=7.0.0-M1|<=7.0.7|>=7.1.0|<=7.1.2|>=8.0.0-M1|<=8.0.1" + - "vers:gem/>=2.2.0|!= 2.2.1|<2.3.0" + ]]> + + + + + + + + + + + + Descriptor for another BOM document. + See https://cyclonedx.org/capabilities/bomlink/ + + + + + + + + + + + Descriptor for an element in another BOM document. + See https://cyclonedx.org/capabilities/bomlink/ + + + + + + + + + + + + + + + + The date and time (timestamp) when the BOM was created. + + + + + + Lifecycles communicate the stage(s) in which data in the BOM was captured. Different types of data may be available at various phases of a lifecycle, such as the Software Development Lifecycle (SDLC), IT Asset Management (ITAM), and Software Asset Management (SAM). Thus, a BOM may include data specific to or only obtainable in a given lifecycle. + + + + + + + + + + + + A pre-defined phase in the product lifecycle. + + + + + + + + + The name of the lifecycle phase + + + + + + + The description of the lifecycle phase + + + + + + + + + + + + + The tool(s) used in the creation of the BOM. + + + + + + + DEPRECATED. Use tools\components or tools\services instead. + + + + + + + A list of software and hardware components used as tools. + + + + + A list of services used as tools. + + + + + + + + + + The person(s) who created the BOM. + Authors are common in BOMs created through manual processes. BOMs created through automated means may have './manufacturer' instead. + + + + + + + + + + + The component that the BOM describes. 
+ + + + + + The organization that created the BOM. + Manufacturer is common in BOMs created through automated processes. BOMs created through manual means may have './authors' instead. + + + + + + + DEPRECATED - DO NOT USE. This will be removed in a future version. Use the `./component/manufacturer` instead. + The organization that manufactured the component that the BOM describes. + + + + + + The organization that supplied the component that the BOM describes. The + supplier may often be the manufacturer, but may also be a distributor or repackager. + + + + + + The license information for the BOM document. + This may be different from the license(s) of the component(s) that the BOM describes. + + + + + + Provides the ability to document properties in a name/value store. + This provides flexibility to include data not officially supported in the standard + without having to use additional namespaces or create extensions. Property names + of interest to the general public are encouraged to be registered in the + CycloneDX Property Taxonomy - https://github.com/CycloneDX/cyclonedx-property-taxonomy. + Formal registration is optional. + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + User-defined attributes may be used on this element as long as they + do not have the same name as an existing attribute used by the schema. + + + + + + + + + + BOM produced early in the development lifecycle containing inventory of components and services + that are proposed or planned to be used. The inventory may need to be procured, retrieved, + or resourced prior to use. + + + + + + + BOM consisting of information obtained prior to a build process and may contain source files + and development artifacts and manifests. The inventory may need to be resolved and retrieved + prior to use. + + + + + + + BOM consisting of information obtained during a build process where component inventory is + available for use. 
The precise versions of resolved components are usually available at this + time as well as the provenance of where the components were retrieved from. + + + + + + + BOM consisting of information obtained after a build process has completed and the resulting + components(s) are available for further analysis. Built components may exist as the result of a + CI/CD process, may have been installed or deployed to a system or device, and may need to be + retrieved or extracted from the system or device. + + + + + + + BOM produced that represents inventory that is running and operational. This may include staging + or production environments and will generally encompass multiple SBOMs describing the applications + and operating system, along with HBOMs describing the hardware that makes up the system. Operations + Bill of Materials (OBOM) can provide full-stack inventory of runtime environments, configurations, + and additional dependencies. + + + + + + + BOM consisting of information observed through network discovery providing point-in-time + enumeration of embedded, on-premise, and cloud-native services such as server applications, + connected devices, microservices, and serverless functions. + + + + + + + BOM containing inventory that will be, or has been retired from operations. + + + + + + + + + + + The name of the organization + + + + + The physical address (location) of the organization. + + + + + + The URL of the organization. Multiple URLs are allowed. + Example: https://example.com + + + + + + A contact person at the organization. Multiple contacts are allowed. + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + + An optional identifier which can be used to reference the object elsewhere in the BOM. + Uniqueness is enforced within all elements and children of the root-level bom element. 
+ + + + + + User-defined attributes may be used on this element as long as they + do not have the same name as an existing attribute used by the schema. + + + + + + + Information about the automated or manual tool used + + + + + The name of the vendor who created the tool + + + + + The name of the tool + + + + + The version of the tool + + + + + + + + + + + + Provides the ability to document external references related to the tool. + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + User-defined attributes may be used on this element as long as they + do not have the same name as an existing attribute used by the schema. + + + + + + + + + The name of the contact + + + + + The email address of the contact. + + + + + The phone number of the contact. + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + + An optional identifier which can be used to reference the object elsewhere in the BOM. + Uniqueness is enforced within all elements and children of the root-level bom element. + + + + + + User-defined attributes may be used on this element as long as they + do not have the same name as an existing attribute used by the schema. + + + + + + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + User-defined attributes may be used on this element as long as they + do not have the same name as an existing attribute used by the schema. + + + + + + + + + The organization that supplied the component. The supplier may often + be the manufacturer, but may also be a distributor or repackager. + + + + + + The organization that created the component. + Manufacturer is common in components created through automated processes. Components created through manual means may have './authors' instead. + + + + + + + The person(s) who created the component. 
+ Authors are common in components created through manual processes. Components created through automated means may have `./manufacturer` instead. + + + + + + + + + + + + DEPRECATED - DO NOT USE. This will be removed in a future version. Use `./authors` or `./manufacturer` instead. + The person(s) or organization(s) that authored the component. + + + + + + The person(s) or organization(s) that published the component + + + + + The grouping name or identifier. This will often be a shortened, single + name of the company or project that produced the component, or the source package or + domain name. Whitespace and special characters should be avoided. Examples include: + apache, org.apache.commons, and apache.org. + + + + + The name of the component. This will often be a shortened, single name + of the component. Examples: commons-lang3 and jquery + + + + + The component version. The version should ideally comply with semantic versioning + but is not enforced. + + + + + Specifies a description for the component + + + + + Specifies the scope of the component. If scope is not specified, 'required' + scope SHOULD be assumed by the consumer of the BOM. + + + + + The hashes of the component. + + + + + + + + + + + A copyright notice informing users of the underlying claims to copyright ownership in a published work. + + + + + + Specifies a well-formed CPE name that conforms to the CPE 2.2 or 2.3 specification. See https://nvd.nist.gov/products/cpe + + + + + + + Specifies the package-url (purl). The purl, if specified, must be valid and conform + to the specification defined at: https://github.com/package-url/purl-spec + + + + + + + Specifies the OmniBOR Artifact ID. The OmniBOR, if specified, must be valid and conform + to the specification defined at: https://www.iana.org/assignments/uri-schemes/prov/gitoid + + + + + + + Specifies the Software Heritage persistent identifier (SWHID). 
The SWHID, if specified, must + be valid and conform to the specification defined at: + https://docs.softwareheritage.org/devel/swh-model/persistent-identifiers.html + + + + + + + Specifies metadata and content for ISO-IEC 19770-2 Software Identification (SWID) Tags. + + + + + + + DEPRECATED - DO NOT USE. This will be removed in a future version. Use the pedigree + element instead to supply information on exactly how the component was modified. + A boolean value indicating if the component has been modified from the original. + A value of true indicates the component is a derivative of the original. + A value of false indicates the component has not been modified from the original. + + + + + + + Component pedigree is a way to document complex supply chain scenarios where components are + created, distributed, modified, redistributed, combined with other components, etc. + + + + + + Provides the ability to document external references related to the + component or to the project the component describes. + + + + + Provides the ability to document properties in a name/value store. + This provides flexibility to include data not officially supported in the standard + without having to use additional namespaces or create extensions. Property names + of interest to the general public are encouraged to be registered in the + CycloneDX Property Taxonomy - https://github.com/CycloneDX/cyclonedx-property-taxonomy. + Formal registration is optional. + + + + + + A list of software and hardware components included in the parent component. This is not a + dependency tree. It provides a way to specify a hierarchical representation of component + assemblies, similar to system -> subsystem -> parts assembly in physical supply chains. + + + + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + + + Provides the ability to document evidence collected through various forms of extraction or analysis. 
+ + + + + Specifies optional release notes. + + + + + A model card describes the intended uses of a machine learning model and potential + limitations, including biases and ethical considerations. Model cards typically contain the + training parameters, which datasets were used to train the model, performance metrics, and other + relevant data useful for ML transparency. This object SHOULD be specified for any component of + type `machine-learning-model` and must not be specified for other component types. + + + + + This object SHOULD be specified for any component of type `data` and must not be + specified for other component types. + + + + + + Cryptographic assets have properties that uniquely define them and that make them actionable + for further reasoning. As an example, it makes a difference if one knows the algorithm family + (e.g. AES) or the specific variant or instantiation (e.g. AES-128-GCM). This is because the + security level and the algorithm primitive (authenticated encryption) is only defined by the + definition of the algorithm variant. The presence of a weak cryptographic algorithm like SHA1 + vs. HMAC-SHA1 also makes a difference. + + + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + + Specifies the type of component. For software components, classify as application if no more + specific appropriate classification is available or cannot be determined for the component. + + + + + + + The optional mime-type of the component. When used on file components, the mime-type + can provide additional context about the kind of file being represented such as an image, + font, or executable. Some library or framework components may also have an associated mime-type. + + + + + + + An optional identifier which can be used to reference the component elsewhere in the BOM. + Uniqueness is enforced within all elements and children of the root-level bom element. 
+ + + + + + User-defined attributes may be used on this element as long as they + do not have the same name as an existing attribute used by the schema. + + + + + + + Specifies the details and attributes related to a software license. + It can either include a valid SPDX license identifier or a named license, along with additional + properties such as license acknowledgment, comprehensive commercial licensing information, and + the full text of the license. + + + + + + A valid SPDX license identifier. If specified, this value must be one of the enumeration of valid SPDX license identifiers defined in the spdx.schema.json (or spdx.xml) subschema which is synchronized with the official SPDX license list. + + + + + The name of the license. This may include the name of a commercial or proprietary license or an open source license that may not be defined by SPDX. + + + + + + Specifies the optional full text of the attachment + + + + + The URL to the attachment file. If the attachment is a license or BOM, + an externalReference should also be specified for completeness. 
+ + + + + Licensing details describing the licensor/licensee, license type, renewal and + expiration dates, and other important metadata + + + + + + License identifiers that may be used to manage licenses and + their lifecycle + + + + + + + + + + The individual or organization that grants a license to another + individual or organization + + + + + + + The organization that granted the license + + + + + The individual, not associated with an organization, + that granted the license + + + + + + + + + The individual or organization for which a license was granted to + + + + + + + The organization that was granted the license + + + + + The individual, not associated with an organization, + that was granted the license + + + + + + + + + The individual or organization that purchased the license + + + + + + + The organization that purchased the license + + + + + The individual, not associated with an organization, + that purchased the license + + + + + + + + + The purchase order identifier the purchaser sent to a supplier or + vendor to authorize a purchase + + + + + The type of license(s) that was granted to the licensee + + + + + + + + + + The timestamp indicating when the license was last + renewed. For new purchases, this is often the purchase or acquisition date. + For non-perpetual licenses or subscriptions, this is the timestamp of when the + license was last renewed. + + + + + The timestamp indicating when the current license + expires (if applicable). + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + + + Provides the ability to document properties in a name/value store. + This provides flexibility to include data not officially supported in the standard + without having to use additional namespaces or create extensions. Property names + of interest to the general public are encouraged to be registered in the + CycloneDX Property Taxonomy - https://github.com/CycloneDX/cyclonedx-property-taxonomy. 
+ Formal registration is optional. + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + + An optional identifier which can be used to reference the license elsewhere in the BOM. + Uniqueness is enforced within all elements and children of the root-level bom element. + + + + + + + Declared licenses and concluded licenses represent two different stages in the + licensing process within software development. Declared licenses refer to the + initial intention of the software authors regarding the licensing terms under + which their code is released. On the other hand, concluded licenses are the + result of a comprehensive analysis of the project's codebase to identify and + confirm the actual licenses of the components used, which may differ from the + initially declared licenses. While declared licenses provide an upfront indication + of the licensing intentions, concluded licenses offer a more thorough understanding + of the actual licensing within a project, facilitating proper compliance and risk + management. Observed licenses are defined in `evidence.licenses`. Observed licenses + form the evidence necessary to substantiate a concluded license. + + + + + + + + + + The attachment data. Proactive controls such as input validation and sanitization should be employed to prevent misuse of attachment text. + + + + + Specifies the format and nature of the data being attached, helping systems correctly + interpret and process the content. Common content type examples include `application/json` + for JSON data and `text/plain` for plan text documents. + RFC 2045 section 5.1 outlines the structure and use of content types. For a comprehensive + list of registered content types, refer to the IANA media types registry at + https://www.iana.org/assignments/media-types/media-types.xhtml. 
+ + + + + + + Specifies the optional encoding the text is represented in + + + + + + + + + + Specifies the file hash of the component + + + + + + Specifies the algorithm used to create the hash + + + + + + + + + + + The component is required for runtime + + + + + The component is optional at runtime. Optional components are components that + are not capable of being called due to them not be installed or otherwise accessible by any means. + Components that are installed but due to configuration or other restrictions are prohibited from + being called must be scoped as 'required'. + + + + + Components that are excluded provide the ability to document component usage + for test and other non-runtime purposes. Excluded components are not reachable within a call + graph at runtime. + + + + + + + + + + A software application. Refer to https://en.wikipedia.org/wiki/Application_software + for information about applications. + + + + + A software framework. Refer to https://en.wikipedia.org/wiki/Software_framework + for information on how frameworks vary slightly from libraries. + + + + + A software library. Refer to https://en.wikipedia.org/wiki/Library_(computing) + for information about libraries. All third-party and open source reusable components will likely + be a library. If the library also has key features of a framework, then it should be classified + as a framework. If not, or is unknown, then specifying library is recommended. + + + + + A packaging and/or runtime format, not specific to any particular technology, + which isolates software inside the container from software outside of a container through + virtualization technology. Refer to https://en.wikipedia.org/wiki/OS-level_virtualization + + + + + A runtime environment which interprets or executes software. This may include + runtimes such as those that execute bytecode or low-code/no-code application platforms. + + + + + A software operating system without regard to deployment model + (i.e. 
installed on physical hardware, virtual machine, image, etc) Refer to + https://en.wikipedia.org/wiki/Operating_system + + + + + A hardware device such as a processor, or chip-set. A hardware device + containing firmware SHOULD include a component for the physical hardware itself, and another + component of type 'firmware' or 'operating-system' (whichever is relevant), describing + information about the software running on the device. + See also the list of known device properties: https://github.com/CycloneDX/cyclonedx-property-taxonomy/blob/main/cdx/device.md + + + + + + A special type of software that operates or controls a particular type of device. + Refer to https://en.wikipedia.org/wiki/Device_driver + + + + + A special type of software that provides low-level control over a devices + hardware. Refer to https://en.wikipedia.org/wiki/Firmware + + + + + A computer file. Refer to https://en.wikipedia.org/wiki/Computer_file + for information about files. + + + + + A model based on training data that can make predictions or decisions without + being explicitly programmed to do so. + + + + + A collection of discrete values that convey information. + + + + + A cryptographic asset including algorithms, protocols, certificates, keys, tokens, and secrets. + + + + + + + + + + + + + + + + + + + + + + + + + + + A license that grants use of software solely for the purpose + of education or research. + + + + + A license covering use of software embedded in a specific + piece of hardware. + + + + + A Client Access License (CAL) allows client computers to access + services provided by server software. + + + + + A Concurrent User license (aka floating license) limits the + number of licenses for a software application and licenses are shared among + a larger number of users. + + + + + A license where the core of a computer's processor is assigned + a specific number of points. + + + + + A license for which consumption is measured by non-standard + metrics. 
+ + + + + A license that covers a defined number of installations on + computers and other types of devices. + + + + + A license that grants permission to install and use software + for trial purposes. + + + + + A license that grants access to the software to one or more + pre-defined users. + + + + + A license that grants access to the software on one or more + pre-defined computers or devices. + + + + + An Original Equipment Manufacturer license that is delivered + with hardware, cannot be transferred to other hardware, and is valid for the + life of the hardware. + + + + + A license where the software is sold on a one-time basis and + the licensee can use a copy of the software indefinitely. + + + + + A license where each installation consumes points per + processor. + + + + + A license where the licensee pays a fee to use the software + or service. + + + + + A license that grants access to the software or service by a + specified number of users. + + + + + Another license type. + + + + + + + + + + + + + + + + + + + + + + + + + + + Define the format for acceptable CPE URIs. Supports CPE 2.2 and CPE 2.3 formats. + Refer to https://nvd.nist.gov/products/cpe for official specification. + + + + + + + + + + + + Specifies the full content of the SWID tag. + + + + + The URL to the SWID file. + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + Maps to the tagId of a SoftwareIdentity. + + + + + Maps to the name of a SoftwareIdentity. + + + + + Maps to the version of a SoftwareIdentity. + + + + + Maps to the tagVersion of a SoftwareIdentity. + + + + + Maps to the patch of a SoftwareIdentity. + + + + + + + + Defines a string representation of a UUID conforming to RFC 4122. 
+ + + + + + + + + + + + Version Control System + + + + + Issue or defect tracking system, or an Application Lifecycle Management (ALM) system + + + + + Website + + + + + Security advisories + + + + + Bill-of-materials (SBOM, OBOM, HBOM, SaaSBOM, etc) + + + + + Mailing list or discussion group + + + + + Social media account + + + + + Real-time chat platform + + + + + Documentation, guides, or how-to instructions + + + + + Community or commercial support + + + + + The location where the source code distributable can be obtained. This is often an archive format such as zip or tgz. The source-distribution type complements use of the version control (vcs) type. + + + + + Direct or repository download location + + + + + The location where a component was published to. This is often the same as "distribution" but may also include specialized publishing processes that act as an intermediary + + + + + + The URL to the license file. If a license URL has been defined in the license + node, it should also be defined as an external reference for completeness. + Example: https://www.apache.org/licenses/LICENSE-2.0.txt + + + + + + Build-system specific meta file (i.e. pom.xml, package.json, .nuspec, etc) + + + + + URL to an automated build system + + + + + URL to release notes + + + + + Specifies a way to contact the maintainer, supplier, or provider in the event of a security incident. Common URIs include links to a disclosure procedure, a mailto (RFC-2368) that specifies an email address, a tel (RFC-3966) that specifies a phone number, or dns (RFC-4501) that specifies the records containing DNS Security TXT. + + + + + A model card describes the intended uses of a machine learning model, potential + limitations, biases, ethical considerations, training parameters, datasets used to train the + model, performance metrics, and other relevant data useful for ML transparency. 
+ + + + + A record of events that occurred in a computer system or application, such as problems, errors, or information on current operations. + + + + + Parameters or settings that may be used by other components or services. + + + + + Information used to substantiate a claim. + + + + + Describes how a component or service was manufactured or deployed. + + + + + Human or machine-readable statements containing facts, evidence, or testimony + + + + + An enumeration of identified weaknesses, threats, and countermeasures, dataflow diagram (DFD), attack tree, and other supporting documentation in human-readable or machine-readable format + + + + + The defined assumptions, goals, and capabilities of an adversary. + + + + + Identifies and analyzes the potential of future events that may negatively impact individuals, assets, and/or the environment. Risk assessments may also include judgments on the tolerability of each risk. + + + + + A Vulnerability Disclosure Report (VDR) which asserts the known and previously unknown vulnerabilities that affect a component, service, or product including the analysis and findings describing the impact (or lack of impact) that the reported vulnerability has on a component, service, or product. + + + + + A Vulnerability Exploitability eXchange (VEX) which asserts the known vulnerabilities that do not affect a product, product family, or organization, and optionally the ones that do. The VEX should include the analysis and findings describing the impact (or lack of impact) that the reported vulnerability has on the product, product family, or organization. 
+ + + + + Results from an authorized simulated cyberattack on a component or service, otherwise known as a penetration test + + + + + SARIF or proprietary machine or human-readable report for which static analysis has identified code quality, security, and other potential issues with the source code + + + + + Dynamic analysis report that has identified issues such as vulnerabilities and misconfigurations + + + + + Report generated by analyzing the call stack of a running application + + + + + Report generated by Software Composition Analysis (SCA), container analysis, or other forms of component analysis + + + + + Report containing a formal assessment of an organization, business unit, or team against a maturity model + + + + + Industry, regulatory, or other certification from an accredited (if applicable) certification body + + + + + Report or system in which quality metrics can be obtained + + + + + Code or configuration that defines and provisions virtualized infrastructure, commonly referred to as Infrastructure as Code (IaC) + + + + + Plans of Action and Milestones (POA&M) complement an "attestation" external reference. POA&M is defined by NIST as a "document that identifies tasks needing to be accomplished. It details resources required to accomplish the elements of the plan, any milestones in meeting the tasks and scheduled completion dates for the milestones". + + + + + An e-signature is commonly a scanned representation of a written signature or a stylized script of the persons name. + + + + + A signature that leverages cryptography, typically public/private key pairs, which provides strong authenticity verification. 
+ + + + + Document that complies with RFC-9116 (A File Format to Aid in Security Vulnerability Disclosure) + + + + + Use this if no other types accurately describe the purpose of the external reference + + + + + + + + + External references provide a way to document systems, sites, and information that may be + relevant, but are not included with the BOM. They may also establish specific relationships + within or external to the BOM. + + + + + + Zero or more external references can be defined + + + + + + + + + + The URI (URL or URN) to the external reference. External references + are URIs and therefore can accept any URL scheme including https, mailto, tel, and dns. + External references may also include formally registered URNs such as CycloneDX BOM-Link to + reference CycloneDX BOMs or any object within a BOM. BOM-Link transforms applicable external + references into relationships that can be expressed in a BOM or across BOMs. Refer to: + https://cyclonedx.org/capabilities/bomlink/ + + + + + + + + An optional comment describing the external reference + + + + + + + + + + + + + Specifies the type of external reference. There are built-in types to describe common + references. If a type does not exist for the reference being referred to, use the "other" type. + + + + + + User-defined attributes may be used on this element as long as they + do not have the same name as an existing attribute used by the schema. + + + + + + + Zero or more commits can be specified. + + + + + Specifies an individual commit. + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + + + + + A unique identifier of the commit. This may be version control + specific. For example, Subversion uses revision numbers whereas git uses commit hashes. + + + + + + The URL to the commit. This URL will typically point to a commit + in a version control system. 
+ + + + + + The author who created the changes in the commit + + + + + The person who committed or pushed the commit + + + + + The text description of the contents of the commit + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + + + Zero or more patches can be specified. + + + + + Specifies an individual patch. + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + + + + + The patch file (or diff) that show changes. + Refer to https://en.wikipedia.org/wiki/Diff + + + + + + + + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + Specifies the purpose for the patch including the resolution of defects, + security issues, or new behavior or functionality + + + + + + + + + A patch which is not developed by the creators or maintainers of the software + being patched. Refer to https://en.wikipedia.org/wiki/Unofficial_patch + + + + + A patch which dynamically modifies runtime behavior. + Refer to https://en.wikipedia.org/wiki/Monkey_patch + + + + + A patch which takes code from a newer version of software and applies + it to older versions of the same software. Refer to https://en.wikipedia.org/wiki/Backporting + + + + + A patch created by selectively applying commits from other versions or + branches of the same software. + + + + + + + + + + A fault, flaw, or bug in software + + + + + A new feature or behavior in software + + + + + A special type of defect which impacts security + + + + + + + + + + Specifies the optional text of the diff + + + + + Specifies the URL to the diff + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + + + + An individual issue that has been resolved. 
+ + + + + + The identifier of the issue assigned by the source of the issue + + + + + The name of the issue + + + + + A description of the issue + + + + + + + The source of the issue where it is documented. + + + + + + + The name of the source. For example "National Vulnerability Database", + "NVD", and "Apache" + + + + + + + The url of the issue documentation as provided by the source + + + + + + + + + + A collection of URL's for reference. Multiple URLs are allowed. + Example: "https://example.com" + + + + + + + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + Specifies the type of issue + + + + + + + + + The timestamp in which the action occurred + + + + + The name of the individual who performed the action + + + + + The email address of the individual who performed the action + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + + + + Component pedigree is a way to document complex supply chain scenarios where components are created, + distributed, modified, redistributed, combined with other components, etc. Pedigree supports viewing + this complex chain from the beginning, the end, or anywhere in the middle. It also provides a way to + document variants where the exact relation may not be known. + + + + + + Describes zero or more components in which a component is derived + from. This is commonly used to describe forks from existing projects where the forked version + contains a ancestor node containing the original component it was forked from. For example, + Component A is the original component. Component B is the component being used and documented + in the BOM. However, Component B contains a pedigree node with a single ancestor documenting + Component A - the original component from which Component B is derived from. + + + + + + Descendants are the exact opposite of ancestors. 
This provides a + way to document all forks (and their forks) of an original or root component. + + + + + + Variants describe relations where the relationship between the + components are not known. For example, if Component A contains nearly identical code to + Component B. They are both related, but it is unclear if one is derived from the other, + or if they share a common ancestor. + + + + + + A list of zero or more commits which provide a trail describing + how the component deviates from an ancestor, descendant, or variant. + + + + + A list of zero or more patches describing how the component + deviates from an ancestor, descendant, or variant. Patches may be complementary to commits + or may be used in place of commits. + + + + + Notes, observations, and other non-structured commentary + describing the components pedigree. + + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + + + + + The component or service that is a dependency of this dependency object. + + + + + + The component or service that define a given specification or standard, which is provided or implemented by this dependency object. + For example, a cryptographic library which implements a cryptographic algorithm. A component which implements another component does not imply that the implementation is in use. + + + + + + References a component or service by its bom-ref attribute + + + + + + + + References a component or service by its bom-ref attribute + + + + + User-defined attributes may be used on this element as long as they + do not have the same name as an existing attribute used by the schema. + + + + + + + + + Defines the direct dependencies of a component or service. Components or services + that do not have their own dependencies must be declared as empty elements within the graph. + Components or services that are not represented in the dependency graph may have unknown + dependencies. 
It is recommended that implementations assume this to be opaque and not an + indicator of a object being dependency-free. It is recommended to leverage compositions to + indicate unknown dependency graphs. + + + + + + + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + User-defined attributes may be used on this element as long as they + do not have the same name as an existing attribute used by the schema. + + + + + + + + + The organization that provides the service. + + + + + The grouping name, namespace, or identifier. This will often be a shortened, + single name of the company or project that produced the service or domain name. + Whitespace and special characters should be avoided. + + + + + The name of the service. This will often be a shortened, single name + of the service. + + + + + The service version. + + + + + Specifies a description for the service. + + + + + + The endpoint URIs of the service. Multiple endpoints are allowed. + Example: "https://example.com/api/v1/ticker" + + + + + + + A service endpoint URI. + + + + + + + + A boolean value indicating if the service requires authentication. + A value of true indicates the service requires authentication prior to use. + A value of false indicates the service does not require authentication. + + + + + A boolean value indicating if use of the service crosses a trust zone or boundary. + A value of true indicates that by using the service, a trust boundary is crossed. + A value of false indicates that by using the service, a trust boundary is not crossed. + + + + + The name of the trust zone the service resides in. + + + + + Specifies information about the data including the directional flow of data and the data classification. + + + + + + + DEPRECATED: Specifies the data classification. THIS FIELD IS DEPRECATED AS OF v1.5. Use dataflow\classification instead + + + + + + Specifies the data classification. 
+ + + + + + Specifies the data classification. + + + + + + The URI, URL, or BOM-Link of the components or services the data came in from. + + + + + + + + + + + + + + The URI, URL, or BOM-Link of the components or services the data is sent to. + + + + + + + + + + + + + + + + Name for the defined data. + + + + + + + Short description of the data content and usage. + + + + + + User-defined attributes may be used on this element as long as they + do not have the same name as an existing attribute used by the schema. + + + + + + + + + + + Provides the ability to document external references related to the service. + + + + + Provides the ability to document properties in a name/value store. + This provides flexibility to include data not officially supported in the standard + without having to use additional namespaces or create extensions. Property names + of interest to the general public are encouraged to be registered in the + CycloneDX Property Taxonomy - https://github.com/CycloneDX/cyclonedx-property-taxonomy. + Formal registration is optional. + + + + + + A list of services included or deployed behind the parent service. This is not a dependency + tree. It provides a way to specify a hierarchical representation of service assemblies. + + + + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + + + Specifies optional release notes. + + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + + An optional identifier which can be used to reference the service elsewhere in the BOM. + Uniqueness is enforced within all elements and children of the root-level bom element. + + + + + + User-defined attributes may be used on this element as long as they + do not have the same name as an existing attribute used by the schema. + + + + + + + Specifies the data classification. + + + + + + Specifies the flow direction of the data. 
+ + + + + + + + + Specifies the flow direction of the data. Valid values are: + inbound, outbound, bi-directional, and unknown. Direction is relative to the service. + Inbound flow states that data enters the service. Outbound flow states that data + leaves the service. Bi-directional states that data flows both ways, and unknown + states that the direction is not known. + + + + + + Data that enters a service. + + + + + + Data that exits a service. + + + + + Data flows in and out of the service. + + + + + The directional flow of data is not known. + + + + + + + + + + + A valid SPDX license expression. + Refer to https://spdx.org/specifications for syntax requirements + + Example values: + - Apache-2.0 AND (MIT OR GPL-2.0-only) + - GPL-3.0-only WITH Classpath-exception-2.0 + + + + + + + + + An optional identifier which can be used to reference the license elsewhere in the BOM. + Uniqueness is enforced within all elements and children of the root-level bom element. + + + + + + + Declared licenses and concluded licenses represent two different stages in the + licensing process within software development. Declared licenses refer to the + initial intention of the software authors regarding the licensing terms under + which their code is released. On the other hand, concluded licenses are the + result of a comprehensive analysis of the project's codebase to identify and + confirm the actual licenses of the components used, which may differ from the + initially declared licenses. While declared licenses provide an upfront indication + of the licensing intentions, concluded licenses offer a more thorough understanding + of the actual licensing within a project, facilitating proper compliance and risk + management. Observed licenses are defined in `evidence.licenses`. Observed licenses + form the evidence necessary to substantiate a concluded license. 
+ + + + + + + + + + + + + + + + Declared licenses represent the initial intentions of authors regarding + the licensing terms of their code. + + + + + + + Concluded licenses are verified and confirmed. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Examines the source code without executing it. + + + + + + + Examines a compiled binary through reverse engineering, typically via disassembly or bytecode reversal. + + + + + + + Examines a package management system such as those used for building software or installing software. + + + + + + + Examines the Abstract Syntax Tree (AST) of source code or a compiled binary. + + + + + + + Evaluates the cryptographic hash of a component against a set of pre-computed hashes of identified software. + + + + + + + Examines the call stack of running applications by intercepting and monitoring application logic without the need to modify the application. + + + + + + + Evaluates a running application. + + + + + + + Evaluates file name of a component against a set of known file names of identified software. + + + + + + + A testimony to the accuracy of the identify of a component made by an individual or entity. + + + + + + + Any other technique. + + + + + + + + + + + Evidence that substantiates the identity of a component. The identify may be an + object or an array of identity objects. Support for specifying identity as a single object was + introduced in CycloneDX v1.5. "unbounded" was introduced in v1.6. It is recommended that all + implementations are aware of "unbounded". + + + + + + The identity field of the component which the evidence describes. + + + + + The overall confidence of the evidence from 0 - 1, where 1 is 100% confidence. + + + + + The value of the field (cpe, purl, etc) that has been concluded based on the aggregate of all methods (if available). + + + + + The methods used to extract and/or analyze the evidence. + + + + + + + + + The technique used in this method of analysis. 
+ + + + + The confidence of the evidence from 0 - 1, where 1 is 100% confidence. Confidence is specific to the technique used. Each technique of analysis can have independent confidence. + + + + + The value or contents of the evidence. + + + + + + + + + + + + The object in the BOM identified by its bom-ref. This is often a component or service, + but may be any object type supporting bom-refs. Tools used for analysis should already + be defined in the BOM, either in the metadata/tools, components, or formulation. + + + + + + + + + + + + + + Evidence of individual instances of a component spread across multiple locations. + + + + + + + + + The location or path to where the component was found. + + + + + The line number where the component was found. + + + + + The offset where the component was found. + + + + + The symbol name that was found associated with the component. + + + + + Any additional context of the detected component (e.g. a code snippet). + + + + + + + + An optional identifier which can be used to reference the occurrence elsewhere + in the BOM. Every bom-ref must be unique within the BOM. + + + + + + + + + + + Evidence of the components use through the callstack. + + + + + + + + + + Within a call stack, a frame is a discrete unit that encapsulates an execution context, including local variables, parameters, and the return address. As function calls are made, frames are pushed onto the stack, forming an array-like structure that orchestrates the flow of program execution and manages the sequence of function invocations. + + + + + + + A package organizes modules into namespaces, providing a unique namespace for each type it contains. + + + + + A module or class that encloses functions/methods and other code. + + + + + A block of code designed to perform a particular task. + + + + + Optional arguments that are passed to the module or function. + + + + + + + + + + The line number the code that is called resides on. 
+ + + + + The column the code that is called resides. + + + + + The full path and filename of the module. + + + + + + + + + + + + The object in the BOM identified by its bom-ref. This is often a component or service, + but may be any object type supporting bom-refs. Tools used for analysis should already + be defined in the BOM, either in the metadata/tools, components, or formulation. + + + + + + + + + + + + + + + + Copyright evidence captures intellectual property assertions, providing evidence of possible ownership and legal protection. + + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + User-defined attributes may be used on this element as long as they + do not have the same name as an existing attribute used by the schema. + + + + + + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + User-defined attributes may be used on this element as long as they + do not have the same name as an existing attribute used by the schema. + + + + + + + + + Specifies an aggregate type that describes how complete a relationship is. + + + + + + The bom-ref identifiers of the components or services being described. Assemblies refer to + nested relationships whereby a constituent part may include other constituent parts. References + do not cascade to child parts. References are explicit for the specified constituent part only. + + + + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + + + + The bom-ref identifiers of the components or services being described. Dependencies refer to a + relationship whereby an independent constituent part requires another independent constituent + part. References do not cascade to transitive dependencies. References are explicit for the + specified dependency only. 
+ + + + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + + + + The bom-ref identifiers of the vulnerabilities being described. + + + + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + + + + + An optional identifier which can be used to reference the composition elsewhere in the BOM. + Uniqueness is enforced within all elements and children of the root-level bom element. + + + + + + + + + + The relationship is complete. No further relationships including constituent components, services, or dependencies are known to exist. + + + + + The relationship is incomplete. Additional relationships exist and may include constituent components, services, or dependencies. + + + + + The relationship is incomplete. Only relationships for first-party components, services, or their dependencies are represented. + + + + + The relationship is incomplete. Only relationships for first-party components, services, or their dependencies are represented, limited specifically to those that are proprietary. + + + + + The relationship is incomplete. Only relationships for first-party components, services, or their dependencies are represented, limited specifically to those that are opensource. + + + + + The relationship is incomplete. Only relationships for third-party components, services, or their dependencies are represented. + + + + + The relationship is incomplete. Only relationships for third-party components, services, or their dependencies are represented, limited specifically to those that are proprietary. + + + + + The relationship is incomplete. Only relationships for third-party components, services, or their dependencies are represented, limited specifically to those that are opensource. + + + + + The relationship may be complete or incomplete. 
This usually signifies a 'best-effort' to obtain constituent components, services, or dependencies but the completeness is inconclusive. + + + + + The relationship completeness is not specified. + + + + + + + + + Defines a syntax for representing two character language code (ISO-639) followed by an optional two + character country code. The language code must be lower case. If the country code is specified, the + country code must be upper case. The language code and country code must be separated by a minus sign. + Examples: en, en-US, fr, fr-CA + + + + + + + + + + + + The software versioning type. It is recommended that the release type use one + of 'major', 'minor', 'patch', 'pre-release', or 'internal'. Representing all possible software + release types is not practical, so standardizing on the recommended values, whenever possible, + is strongly encouraged. + * major = A major release may contain significant changes or may introduce breaking changes. + * minor = A minor release, also known as an update, may contain a smaller number of changes than major releases. + * patch = Patch releases are typically unplanned and may resolve defects or important security issues. + * pre-release = A pre-release may include alpha, beta, or release candidates and typically have + limited support. They provide the ability to preview a release prior to its general availability. + * internal = Internal releases are not for public consumption and are intended to be used exclusively + by the project or manufacturer that produced it. + + + + + + The title of the release. + + + + + The URL to an image that may be prominently displayed with the release note. + + + + + The URL to an image that may be used in messaging on social media platforms. + + + + + A short description of the release. + + + + + The date and time (timestamp) when the release note was created. + + + + + + + + One or more alternate names the release may be referred to. 
This may + include unofficial terms used by development and marketing teams (e.g. code names). + + + + + + + + + A collection of issues that have been resolved. + + + + + + + + + + + + + Zero or more release notes containing the locale and content. Multiple + note elements may be specified to support release notes in a wide variety of languages. + + + + + + The ISO-639 (or higher) language code and optional ISO-3166 + (or higher) country code. Examples include: "en", "en-US", "fr" and "fr-CA". + + + + + Specifies the full content of the release note. + + + + + + + + + + + Provides the ability to document properties in a name/value store. + This provides flexibility to include data not officially supported in the standard + without having to use additional namespaces or create extensions. Property names + of interest to the general public are encouraged to be registered in the + CycloneDX Property Taxonomy - https://github.com/CycloneDX/cyclonedx-property-taxonomy. + Formal registration is optional. + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + User-defined attributes may be used on this element as long as they + do not have the same name as an existing attribute used by the schema. + + + + + + + + + A model card describes the intended uses of a machine learning model and potential limitations, including + biases and ethical considerations. Model cards typically contain the training parameters, which datasets + were used to train the model, performance metrics, and other relevant data useful for ML transparency. + This object SHOULD be specified for any component of type `machine-learning-model` and must not be specified + for other component types. + + + + + + + Hyper-parameters for construction of the model. + + + + + + + + The overall approach to learning used by the model for problem solving. + + + + + + + + Learning types describing the learning problem or hybrid learning problem. 
+ + + + + + + + + + Directly influences the input and/or output. Examples include classification, + regression, clustering, etc. + + + + + + + The model architecture family such as transformer network, convolutional neural + network, residual neural network, LSTM neural network, etc. + + + + + + + The specific architecture of the model such as GPT-1, ResNet-50, YOLOv3, etc. + + + + + + + The datasets used to train and evaluate the model. + + + + + + + References a data component by the components bom-ref attribute + + + + + + + + Inline Data Information + + + + + + + + + The input format(s) of the model + + + + + + + + + + + The data format for input to the model. Example formats include string, image, time-series + + + + + + + + + + + + + The output format(s) from the model + + + + + + + + + + + The data format for output from the model. Example formats include string, image, time-series + + + + + + + + + + + + + + + + A quantitative analysis of the model + + + + + + + + + + + + + + The type of performance metric. + + + + + + + The value of the performance metric. + + + + + + + The name of the slice this metric was computed on. By default, assume + this metric is not sliced. + + + + + + + The confidence interval of the metric. + + + + + + + + The lower bound of the confidence interval. + + + + + + + The upper bound of the confidence interval. + + + + + + + + + + + + + + + + A collection of graphics that represent various measurements + + + + + + + + A description of this collection of graphics. + + + + + + + A collection of graphics. + + + + + + + + + + + The name of the graphic. + + + + + + + The graphic (vector or raster). Base64 encoding must be specified for binary images. + + + + + + + + + + + + + + + + + + + What considerations should be taken into account regarding the model's construction, training, + and application? + + + + + + + + Who are the intended users of the model? + + + + + + + + + + + + What are the intended use cases of the model? 
+ + + + + + + + + + + + What are the known technical limitations of the model? E.g. What kind(s) of data + should the model be expected not to perform well on? What are the factors that might + degrade model performance? + + + + + + + + + + + + What are the known tradeoffs in accuracy/performance of the model? + + + + + + + + + + + + What are the ethical risks involved in the application of this model? + + + + + + + + + + + The name of the risk + + + + + + + Strategy used to address this risk + + + + + + + + + + + + + What are the various environmental impacts the corresponding machine learning model has exhibited across its lifecycle? + + + + + + + How does the model affect groups at risk of being systematically disadvantaged? + What are the harms and benefits to the various affected groups? + + + + + + + + + + + The groups or individuals at risk of being systematically disadvantaged by the model. + + + + + + + Expected benefits to the identified groups. + + + + + + + Expected harms to the identified groups. + + + + + + + With respect to the benefits and harms outlined, please + describe any mitigation strategy implemented. + + + + + + + + + + + + + + + + + An optional identifier which can be used to reference the model card elsewhere in the BOM. + Every bom-ref must be unique within the BOM. + + + + + + + + + Describes various environmental impact metrics. + + + + + + + Describes energy consumption information incurred for one or more component lifecycle activities. + + + + + + Provides the ability to document properties in a name/value store. + This provides flexibility to include data not officially supported in the standard + without having to use additional namespaces or create extensions. Property names + of interest to the general public are encouraged to be registered in the + CycloneDX Property Taxonomy - https://github.com/CycloneDX/cyclonedx-property-taxonomy. + Formal registration is optional. 
+ + + + + + + + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + User-defined attributes may be used on this element as long as they + do not have the same name as an existing attribute used by the schema. + + + + + + + + Describes energy consumption information incurred for the specified lifecycle activity. + + + + + + + The type of activity that is part of a machine learning model development or operational lifecycle. + + + + + + + + model design including problem framing, goal definition and algorithm selection. + + + + + + + model data acquisition including search, selection and transfer. + + + + + + + model data preparation including data cleaning, labeling and conversion. + + + + + + + model building, training and generalized tuning. + + + + + + + refining a trained model to produce desired outputs for a given problem space. + + + + + + + model validation including model output evaluation and testing. + + + + + + + explicit model deployment to a target hosting infrastructure. + + + + + + + generating an output response from a hosted model from a set of inputs. + + + + + + + a lifecycle activity type whose description does not match currently defined values. + + + + + + + + + + The provider(s) of the energy consumed by the associated model development lifecycle activity. + + + + + + + The total energy cost associated with the model lifecycle activity. + + + + + + + The CO2 cost (debit) equivalent to the total energy cost. + + + + + + + The CO2 offset (credit) for the CO2 equivalent cost. + + + + + + Provides the ability to document properties in a name/value store. + This provides flexibility to include data not officially supported in the standard + without having to use additional namespaces or create extensions. Property names + of interest to the general public are encouraged to be registered in the + CycloneDX Property Taxonomy - https://github.com/CycloneDX/cyclonedx-property-taxonomy. 
+ Formal registration is optional. + + + + + + + + + + A measure of energy. + + + + + + + Quantity of energy. + + + + + + + Unit of energy. + + + + + + + + kilowatt-hour (kWh) is the energy delivered by one kilowatt (kW) of power for one hour (h). + + + + + + + + + + + + + A measure of carbon dioxide (CO2). + + + + + + + Quantity of carbon dioxide (CO2). + + + + + + + Unit of carbon dioxide (CO2). + + + + + + + + Tonnes (t) of carbon dioxide (CO2) equivalent (eq). + + + + + + + + + + + + + Describes the physical provider of energy used for model development or operations. + + + + + + + A description of the energy provider. + + + + + + + The organization of the energy provider. + + + + + + + The energy source for the energy provider. + + + + + + + + Energy produced by types of coal. + + + + + + + Petroleum products (primarily crude oil and its derivative fuel oils). + + + + + + + Hydrocarbon gas liquids (HGL) that occur as gases at atmospheric pressure and as liquids under higher pressures including Natural gas (C5H12 and heavier), Ethane (C2H6), Propane (C3H8), etc. + + + + + + + Energy produced from the cores of atoms (i.e., through nuclear fission or fusion). + + + + + + + Energy produced from moving air. + + + + + + + Energy produced from the sun (i.e., solar radiation). + + + + + + + Energy produced from heat within the earth. + + + + + + + Energy produced from flowing water. + + + + + + + Liquid fuels produced from biomass feedstocks (i.e., organic materials such as plants or animals). + + + + + + + The energy source is unknown. + + + + + + + An energy source that is not listed. + + + + + + + + + + The energy provided by the energy source for an associated activity. + + + + + + External references provide a way to document systems, sites, and information that may be relevant but are not included with the BOM. They may also establish specific relationships within or external to the BOM. 
+ + + + + + + An optional identifier which can be used to reference the energy provider elsewhere in the BOM. + Uniqueness is enforced within all elements and children of the root-level bom element. + + + + + + + + + An address used to identify a contactable location. + + + + + + + The country name or the two-letter ISO 3166-1 country code. + + + + + + + The region or state in the country. For example, Texas. + + + + + + + The locality or city within the country. For example, Austin. + + + + + + + The post office box number. For example, 901. + + + + + + + The postal code. For example, 78758. + + + + + + + The street address. For example, 100 Main Street. + + + + + + + + An optional identifier which can be used to reference the address elsewhere in the BOM. + Uniqueness is enforced within all elements and children of the root-level bom element. + + + + + + + + + + + Supervised machine learning involves training an algorithm on labeled + data to predict or classify new data based on the patterns learned from + the labeled examples. + + + + + + + Unsupervised machine learning involves training algorithms on unlabeled + data to discover patterns, structures, or relationships without explicit + guidance, allowing the model to identify inherent structures or clusters + within the data. + + + + + + + Reinforcement learning is a type of machine learning where an agent learns + to make decisions by interacting with an environment to maximize cumulative + rewards, through trial and error. + + + + + + + Semi-supervised machine learning utilizes a combination of labeled and + unlabeled data during training to improve model performance, leveraging + the benefits of both supervised and unsupervised learning techniques. + + + + + + + Self-supervised machine learning involves training models to predict parts + of the input data from other parts of the same data, without requiring + external labels, enabling learning from large amounts of unlabeled data. 
+ + + + + + + + + + + + The general theme or subject matter of the data being specified. + + + + + + + The name of the dataset. + + + + + + + The contents or references to the contents of the data being described. + + + + + + + An optional way to include textual or encoded data. + + + + + The URL to where the data can be retrieved. + + + + + Provides the ability to document name-value parameters used for configuration. + + + + + + + + + Data classification tags data according to its type, sensitivity, and value if altered, stolen, or destroyed. + + + + + + + A description of any sensitive data in a dataset. + + + + + + + A collection of graphics that represent various measurements. + + + + + + + A description of the dataset. Can describe size of dataset, whether it's used for source code, + training, testing, or validation, etc. + + + + + + + + + An optional identifier which can be used to reference the dataset elsewhere in the BOM. + Every bom-ref must be unique within the BOM. + + + + + + + + + + + Data custodians are responsible for the safe custody, transport, and storage of data. + + + + + + + + + + + + Data stewards are responsible for data content, context, and associated business rules. + + + + + + + + + + + + Data owners are concerned with risk and appropriate access to data. + + + + + + + + + + + + + + + + + + + + + + A collection of graphics that represent various measurements. + + + + + + + A description of this collection of graphics. + + + + + + + A collection of graphics. + + + + + + + + + + + The name of the graphic. + + + + + + + The graphic (vector or raster). Base64 encoding must be specified for binary images. + + + + + + + + + + + + + + + + + Any type of code, code snippet, or data-as-code. + + + + + Parameters or settings that may be used by other components. + + + + + A collection of data. + + + + + Data that can be used to create new instances of what the definition defines. 
+ + + + + Any other type of data that does not fit into existing definitions. + + + + + + + + + References a component or service by its bom-ref attribute + + + + + + + + User-defined attributes may be used on this element as long as they + do not have the same name as an existing attribute used by the schema. + + + + + + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + User-defined attributes may be used on this element as long as they + do not have the same name as an existing attribute used by the schema. + + + + + + + Specifies an individual property with a name and value. + + + + + + The name of the property. Duplicate names are allowed, each potentially having a different value. + + + + + + + + + + + Defines a weakness in a component or service that could be exploited or triggered by a threat source. + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + User-defined attributes may be used on this element as long as they + do not have the same name as an existing attribute used by the schema. + + + + + + + + + The identifier that uniquely identifies the vulnerability. For example: + CVE-2021-39182, GHSA-35m5-8cvj-8783, and SNYK-PYTHON-ENROCRYPT-1912876. + + + + + The source that published the vulnerability. + + + + + Zero or more pointers to vulnerabilities that are the equivalent of the + vulnerability specified. Often times, the same vulnerability may exist in multiple sources of + vulnerability intelligence, but have different identifiers. References provide a way to + correlate vulnerabilities across multiple sources of vulnerability intelligence. + + + + + + A pointer to a vulnerability that is the equivalent of the + vulnerability specified. + + + + + + The identifier that uniquely identifies the vulnerability. For example: + CVE-2021-39182, GHSA-35m5-8cvj-8783, and SNYK-PYTHON-ENROCRYPT-1912876. 
+ + + + + The source that published the vulnerability. + + + + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + + + List of vulnerability ratings. + + + + + + + + + + + + List of Common Weaknesses Enumerations (CWEs) codes that describes this vulnerability. + For example 399 (of https://cwe.mitre.org/data/definitions/399.html) + + + + + + + + + + A description of the vulnerability as provided by the source. + + + + + If available, an in-depth description of the vulnerability as provided by the + source organization. Details often include information useful in understanding root cause. + + + + + Recommendations of how the vulnerability can be remediated or mitigated. + + + + + A bypass, usually temporary, of the vulnerability that reduces its likelihood and/or impact. Workarounds often involve changes to configuration or deployments. + + + + + + + Evidence used to reproduce the vulnerability. + + + + + + Precise steps to reproduce the vulnerability. + + + + + A description of the environment in which reproduction was possible. + + + + + Supporting material that helps in reproducing or understanding how reproduction is possible. This may include screenshots, payloads, and PoC exploit code. + + + + + + + + + + + + + + + Published advisories of the vulnerability if provided. + + + + + + + + + + The date and time (timestamp) when the vulnerability record was created in the vulnerability database. + + + + + The date and time (timestamp) when the vulnerability record was first published. + + + + + The date and time (timestamp) when the vulnerability record was last updated. + + + + + The date and time (timestamp) when the vulnerability record was rejected (if applicable). + + + + + Individuals or organizations credited with the discovery of the vulnerability. + + + + + + The organizations credited with vulnerability discovery. 
+ + + + + + + + + + The individuals, not associated with organizations, that are credited with vulnerability discovery. + + + + + + + + + + + + + The tool(s) used to identify, confirm, or score the vulnerability. + + + + + + + DEPRECATED. Use tools\components or tools\services instead. + + + + + + + A list of software and hardware components used as tools. + + + + + A list of services used as tools. + + + + + + + + + + + An assessment of the impact and exploitability of the vulnerability. + + + + + + + Declares the current state of an occurrence of a vulnerability, after automated or manual analysis. + + + + + + + The rationale of why the impact analysis state was asserted. + + + + + + A response to the vulnerability by the manufacturer, supplier, or + project responsible for the affected component or service. More than one response + is allowed. Responses are strongly encouraged for vulnerabilities where the analysis + state is exploitable. + + + + + + + + + + + Detailed description of the impact including methods used during assessment. + If a vulnerability is not exploitable, this field should include specific details + on why the component or service is not impacted by this vulnerability. + + + + + + + The date and time (timestamp) when the analysis was first issued. + + + + + + + The date and time (timestamp) when the analysis was last updated. + + + + + + + + + The components or services that are affected by the vulnerability. + + + + + + + + + References a component or service by the objects bom-ref. + + + + + + + + Zero or more individual versions or range of versions. + + + + + + + + + + A single version of a component or service. + + + + + A version range specified in Package URL Version Range syntax (vers) which is defined at https://github.com/package-url/vers-spec + + + + + + + The vulnerability status for the version or range of versions. + + + + + + + + + + + + + + + + + + Provides the ability to document properties in a name/value store. 
+ This provides flexibility to include data not officially supported in the standard + without having to use additional namespaces or create extensions. Property names + of interest to the general public are encouraged to be registered in the + CycloneDX Property Taxonomy - https://github.com/CycloneDX/cyclonedx-property-taxonomy. + Formal registration is optional. + + + + + + + An optional identifier which can be used to reference the vulnerability elsewhere in the BOM. + Uniqueness is enforced within all elements and children of the root-level bom element. + + + + + + + + + + The name of the source. + For example: NVD, National Vulnerability Database, OSS Index, VulnDB, and GitHub Advisories + + + + + + The url of the vulnerability documentation as provided by the source. + For example: https://nvd.nist.gov/vuln/detail/CVE-2021-39182 + + + + + + + + + + The source that calculated the severity or risk rating of the vulnerability. + + + + + The numerical score of the rating. + + + + + Textual representation of the severity that corresponds to the numerical score of the rating. + + + + + The risk scoring methodology/standard used. + + + + + Textual representation of the metric values used to score the vulnerability. + + + + + An optional reason for rating the vulnerability as it was. + + + + + + + + + + An optional name of the advisory. + + + + + Location where the advisory can be obtained. + + + + + + + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + User-defined attributes may be used on this element as long as they + do not have the same name as an existing attribute used by the schema. + + + + + + + + + The organization that created the annotation + + + + + The person that created the annotation + + + + + The tool or component that created the annotation + + + + + The service that created the annotation + + + + + + + + + + + The objects in the BOM identified by their bom-ref's. 
This is often components or services, but may be any object type supporting bom-refs. + + + + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + + + The organization, individual, component, or service which created the textual content + of the annotation. + + + + + The date and time (timestamp) when the annotation was created. + + + + + The textual content of the annotation. + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + + An optional identifier which can be used to reference the annotation elsewhere in the BOM. + Uniqueness is enforced within all elements and children of the root-level bom element. + + + + + + User-defined attributes may be used on this element as long as they + do not have the same name as an existing attribute used by the schema. + + + + + + + + Textual representation of the severity of the vulnerability adopted by the analysis method. If the + analysis method uses values other than what is provided, the user is expected to translate appropriately. + + + + + + Critical severity + + + + + High severity + + + + + Medium severity + + + + + Low severity + + + + + Informational warning. + + + + + None + + + + + The severity is not known + + + + + + + + + Declares the current state of an occurrence of a vulnerability, after automated or manual analysis. + + + + + + + The vulnerability has been remediated. + + + + + + + The vulnerability has been remediated and evidence of the changes are provided in the affected + components pedigree containing verifiable commit history and/or diff(s). + + + + + + + The vulnerability may be directly or indirectly exploitable. + + + + + + + The vulnerability is being investigated. + + + + + + + The vulnerability is not specific to the component or service and was falsely identified or associated. + + + + + + + The component or service is not affected by the vulnerability. 
Justification should be specified + for all not_affected cases. + + + + + + + + + + The rationale of why the impact analysis state was asserted. + + + + + + + The code has been removed or tree-shaked. + + + + + + + The vulnerable code is not invoked at runtime. + + + + + + + Exploitability requires a configurable option to be set/unset. + + + + + + + Exploitability requires a dependency that is not present. + + + + + + + Exploitability requires a certain environment which is not present. + + + + + + + Exploitability requires a compiler flag to be set/unset. + + + + + + + Exploits are prevented at runtime. + + + + + + + Attacks are blocked at physical, logical, or network perimeter. + + + + + + + Preventative measures have been implemented that reduce the likelihood and/or impact of the vulnerability. + + + + + + + + + + Specifies the severity or risk scoring methodology or standard used. + + + + + + + Common Vulnerability Scoring System v2.0 standard as defined at https://www.first.org/cvss/v2/ + + + + + + + Common Vulnerability Scoring System v3.0 standard as defined at https://www.first.org/cvss/v3-0/ + + + + + + + Common Vulnerability Scoring System v3.1 standard as defined at https://www.first.org/cvss/v3-1/ + + + + + + + Common Vulnerability Scoring System v4.0 standard as defined at https://www.first.org/cvss/v4-0/ + + + + + + + OWASP Risk Rating as defined at https://owasp.org/www-community/OWASP_Risk_Rating_Methodology + + + + + + + Stakeholder Specific Vulnerability Categorization as defined at https://github.com/CERTCC/SSVC + + + + + + + Another severity or risk scoring methodology + + + + + + + + + + The rationale of why the impact analysis state was asserted. + + + + + + Can not fix + + + + + Will not fix + + + + + Update to a different revision or release + + + + + Revert to a previous revision or release + + + + + There is a workaround available + + + + + + + + + The vulnerability status of a given version or range of versions of a product. 
The statuses + 'affected' and 'unaffected' indicate that the version is affected or unaffected by the vulnerability. + The status 'unknown' indicates that it is unknown or unspecified whether the given version is affected. + There can be many reasons for an 'unknown' status, including that an investigation has not been + undertaken or that a vendor has not disclosed the status. + + + + + + The version is affected by the vulnerability. + + + + + The version is not affected by the vulnerability. + + + + + It is unknown (or unspecified) whether the given version is affected. + + + + + + + + + Describes how a component or service was manufactured or deployed. This is achieved through the use + of formulas, workflows, tasks, and steps, which declare the precise steps to reproduce along with the + observed formulas describing the steps which transpired in the manufacturing process. + + + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + User-defined attributes may be used on this element as long as they + do not have the same name as an existing attribute used by the schema. + + + + + + + + Describes workflows and resources that captures rules and other aspects of how the associated + BOM component or service was formed. + + + + + + Transient components that are used in tasks that constitute one or more of + this formula's workflows + + + + + Transient services that are used in tasks that constitute one or more of + this formula's workflows + + + + + List of workflows that can be declared to accomplish specific orchestrated goals + and independently triggered. + + + + + Provides the ability to document properties in a name/value store. + This provides flexibility to include data not officially supported in the standard + without having to use additional namespaces or create extensions. 
Property names + of interest to the general public are encouraged to be registered in the + CycloneDX Property Taxonomy - https://github.com/CycloneDX/cyclonedx-property-taxonomy. + Formal registration is optional. + + + + + + + An optional identifier which can be used to reference the formula elsewhere in the BOM. + Uniqueness is enforced within all elements and children of the root-level bom element. + + + + + + User-defined attributes may be used on this element as long as they + do not have the same name as an existing attribute used by the schema. + + + + + + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + User-defined attributes may be used on this element as long as they + do not have the same name as an existing attribute used by the schema. + + + + + + + + + + The unique identifier for the resource instance within its deployment context. + + + + + + + The name of the resource instance. + + + + + + + The description of the resource instance. + + + + + + References to component or service resources that are used to realize + the resource instance. + + + + + The tasks that comprise the workflow. + + + + + The graph of dependencies between tasks within the workflow. + + + + + Indicates the types of activities performed by the set of workflow tasks. + + + + + + + + + + The trigger that initiated the task. + + + + + + The sequence of steps for the task. + + + + + + + + + + + Represents resources and data brought into a task at runtime by executor + or task commands + + + + + + + + + + Represents resources and data output from a task at runtime by executor + or task commands + + + + + + + + + + + The date and time (timestamp) when the task started. + + + + + + + The date and time (timestamp) when the task ended. + + + + + + A set of named filesystem or data resource shareable by workflow tasks. + + + + + A graph of the component runtime topology for workflow's instance. 
+ A description of the runtime component and service topology. This can describe a partial or + complete topology used to host and execute the task (e.g., hardware, operating systems, + configurations, etc.) + + + + + Provides the ability to document properties in a name/value store. + This provides flexibility to include data not officially supported in the standard + without having to use additional namespaces or create extensions. Property names + of interest to the general public are encouraged to be registered in the + CycloneDX Property Taxonomy - https://github.com/CycloneDX/cyclonedx-property-taxonomy. + Formal registration is optional. + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + + An optional identifier which can be used to reference the workflow elsewhere in the BOM. + Uniqueness is enforced within all elements and children of the root-level bom element. + + + + + + User-defined attributes may be used on this element as long as they + do not have the same name as an existing attribute used by the schema. + + + + + + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + User-defined attributes may be used on this element as long as they + do not have the same name as an existing attribute used by the schema. + + + + + + + + + + + References an object by its bom-ref attribute + + + + + + + + + + Reference to an externally accessible resource. + + + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + User-defined attributes may be used on this element as long as they + do not have the same name as an existing attribute used by the schema. + + + + + + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. 
+ + + + + + + User-defined attributes may be used on this element as long as they + do not have the same name as an existing attribute used by the schema. + + + + + + + + + + The unique identifier for the resource instance within its deployment context. + + + + + + + The name of the resource instance. + + + + + + + The description of the resource instance. + + + + + + + References to component or service resources that are used to realize the resource instance. + + + + + + + Indicates the types of activities performed by the set of workflow tasks. + + + + + + + + + + + + The trigger that initiated the task. + + + + + + + The sequence of steps for the task. + + + + + + + + + + + + Represents resources and data brought into a task at runtime by executor or task commands. + + + + + + + + + + + + Represents resources and data output from a task at runtime by executor or task commands + + + + + + + + + + + + The date and time (timestamp) when the task started. + + + + + + + The date and time (timestamp) when the task ended. + + + + + + + A set of named filesystem or data resource shareable by workflow tasks. + + + + + + + A graph of the component runtime topology for task's instance. + + + + + + Provides the ability to document properties in a name/value store. + This provides flexibility to include data not officially supported in the standard + without having to use additional namespaces or create extensions. Property names + of interest to the general public are encouraged to be registered in the + CycloneDX Property Taxonomy - https://github.com/CycloneDX/cyclonedx-property-taxonomy. + Formal registration is optional. + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + + An optional identifier which can be used to reference the task elsewhere in the BOM. + Uniqueness is enforced within all elements and children of the root-level bom element. 
+ + + + + + User-defined attributes may be used on this element as long as they + do not have the same name as an existing attribute used by the schema. + + + + + + + + + A task that copies software or data used to accomplish other tasks in the workflow. + + + + + A task that clones a software repository into the workflow in order to retrieve its source code or data for use in a build step. + + + + + A task that checks source code for programmatic and stylistic errors. + + + + + A task that performs a scan against source code, or built or deployed components and services. Scans are typically run to gather or test for security vulnerabilities or policy compliance. + + + + + A task that merges changes or fixes into source code prior to a build step in the workflow. + + + + + A task that builds the source code, dependencies and/or data into an artifact that can be deployed to and executed on target systems. + + + + + A task that verifies the functionality of a component or service. + + + + + A task that delivers a built artifact to one or more target repositories or storage systems. + + + + + A task that deploys a built artifact for execution on one or more target systems. + + + + + A task that releases a built, versioned artifact to a target repository or distribution system. + + + + + A task that cleans unnecessary tools, build artifacts and/or data from workflow storage. + + + + + A workflow task that does not match current task type definitions. + + + + + + + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + User-defined attributes may be used on this element as long as they + do not have the same name as an existing attribute used by the schema. + + + + + + + + A named filesystem or data resource shareable by workflow tasks. + + + + + + + The unique identifier for the resource instance within its deployment context. + + + + + + + The name of the resource instance. 
+ + + + + + + The names for the workspace as referenced by other workflow tasks. Effectively, a name mapping + so other tasks can use their own local name in their steps. + + + + + + + + + + + + The description of the resource instance. + + + + + + + References to component or service resources that are used to realize the resource instance. + + + + + + + Describes the read-write access control for the workspace relative to the owning resource instance. + + + + + + + A path to a location on disk where the workspace will be available to the associated task's steps. + + + + + + + The name of a domain-specific data type the workspace represents. This property is for CI/CD + frameworks that are able to provide access to structured, managed data at a more granular level + than a filesystem. + + + + + + + Identifies the reference to the request for a specific volume type and parameters. + + + + + + + Information about the actual volume instance allocated to the workspace. + + + + + + Provides the ability to document properties in a name/value store. + This provides flexibility to include data not officially supported in the standard + without having to use additional namespaces or create extensions. Property names + of interest to the general public are encouraged to be registered in the + CycloneDX Property Taxonomy - https://github.com/CycloneDX/cyclonedx-property-taxonomy. + Formal registration is optional. + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + + An optional identifier which can be used to reference the workflow elsewhere in the BOM. + Uniqueness is enforced within all elements and children of the root-level bom element. + + + + + + User-defined attributes may be used on this element as long as they + do not have the same name as an existing attribute used by the schema. + + + + + + + + + + + + + + + + + + An identifiable, logical unit of data storage tied to a physical device. 
+ + + + + + + The unique identifier for the volume instance within its deployment context. + + + + + + + The name of the volume instance + + + + + + + The mode for the volume instance. + + + + + + + The underlying path created from the actual volume. + + + + + + + The allocated size of the volume accessible to the associated workspace. This should include + the scalar size as well as IEC standard unit in either decimal or binary form. + + + + + + + Indicates if the volume persists beyond the life of the resource it is associated with. + + + + + + + Indicates if the volume is remotely (i.e., network) attached. + + + + + + Provides the ability to document properties in a name/value store. + This provides flexibility to include data not officially supported in the standard + without having to use additional namespaces or create extensions. Property names + of interest to the general public are encouraged to be registered in the + CycloneDX Property Taxonomy - https://github.com/CycloneDX/cyclonedx-property-taxonomy. + Formal registration is optional. + + + + + + + + + + + + + + + + Executes specific commands or tools in order to accomplish its owning task as part of a sequence. + + + + + + + A name for the step. + + + + + + + A description of the step. + + + + + + + Ordered list of commands or directives for the step + + + + + + + + + + + A text representation of the executed command. + + + + + + Provides the ability to document properties in a name/value store. + This provides flexibility to include data not officially supported in the standard + without having to use additional namespaces or create extensions. Property names + of interest to the general public are encouraged to be registered in the + CycloneDX Property Taxonomy - https://github.com/CycloneDX/cyclonedx-property-taxonomy. + Formal registration is optional. + + + + + + + + + + + Provides the ability to document properties in a name/value store. 
+ This provides flexibility to include data not officially supported in the standard + without having to use additional namespaces or create extensions. Property names + of interest to the general public are encouraged to be registered in the + CycloneDX Property Taxonomy - https://github.com/CycloneDX/cyclonedx-property-taxonomy. + Formal registration is optional. + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + User-defined attributes may be used on this element as long as they + do not have the same name as an existing attribute used by the schema. + + + + + + + + + + The unique identifier for the resource instance within its deployment context. + + + + + + + The name of the resource instance. + + + + + + + The description of the resource instance. + + + + + + + References to component or service resources that are used to realize the resource instance. + + + + + + + The source type of event which caused the trigger to fire. + + + + + + + The event data that caused the associated trigger to activate. + + + + + + A list of conditions used to determine if a trigger should be activated. + + + + + + + A condition that was used to determine a trigger should be activated. + + + + + + + + Describes the set of conditions which cause the trigger to activate. + + + + + + + The logical expression that was evaluated that determined the trigger should be fired. + + + + + + Provides the ability to document properties in a name/value store. + This provides flexibility to include data not officially supported in the standard + without having to use additional namespaces or create extensions. Property names + of interest to the general public are encouraged to be registered in the + CycloneDX Property Taxonomy - https://github.com/CycloneDX/cyclonedx-property-taxonomy. + Formal registration is optional. + + + + + + + + + + + + The date and time (timestamp) when the trigger was activated. 
+ + + + + + + Represents resources and data brought into a task at runtime by executor or task commands + + + + + + + + + + + + Represents resources and data output from a task at runtime by executor or task commands + + + + + + + + + + + Provides the ability to document properties in a name/value store. + This provides flexibility to include data not officially supported in the standard + without having to use additional namespaces or create extensions. Property names + of interest to the general public are encouraged to be registered in the + CycloneDX Property Taxonomy - https://github.com/CycloneDX/cyclonedx-property-taxonomy. + Formal registration is optional. + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + + An optional identifier which can be used to reference the trigger elsewhere in the BOM. + Uniqueness is enforced within all elements and children of the root-level bom element. + + + + + + User-defined attributes may be used on this element as long as they + do not have the same name as an existing attribute used by the schema. + + + + + + + + + + + + + + + + + + + The unique identifier of the event. + + + + + + + A description of the event. + + + + + + + The date and time (timestamp) when the event was received. + + + + + + + Encoding of the raw event data. + + + + + + + References the component or service that was the source of the event + + + + + + + References the component or service that was the target of the event + + + + + + Provides the ability to document properties in a name/value store. + This provides flexibility to include data not officially supported in the standard + without having to use additional namespaces or create extensions. Property names + of interest to the general public are encouraged to be registered in the + CycloneDX Property Taxonomy - https://github.com/CycloneDX/cyclonedx-property-taxonomy. + Formal registration is optional. 
+ + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + User-defined attributes may be used on this element as long as they + do not have the same name as an existing attribute used by the schema. + + + + + + + + Type that represents various input data types and formats. + + + + + + + + A reference to an independent resource provided as an input to a task by the workflow runtime. + + + + + + + Inputs that have the form of parameters with names and values. + + + + + + + Inputs that have the form of parameters with names and values. + + + + + + + + + + + + + + + + Inputs that have the form of data. + + + + + + + + A references to the component or service that provided the input to the task + (e.g., reference to a service with data flow value of inbound) + + + + + + + A reference to the component or service that received or stored the input if not the task + itself (e.g., a local, named storage workspace) + + + + + + Provides the ability to document properties in a name/value store. + This provides flexibility to include data not officially supported in the standard + without having to use additional namespaces or create extensions. Property names + of interest to the general public are encouraged to be registered in the + CycloneDX Property Taxonomy - https://github.com/CycloneDX/cyclonedx-property-taxonomy. + Formal registration is optional. + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + User-defined attributes may be used on this element as long as they + do not have the same name as an existing attribute used by the schema. + + + + + + + + Represents resources and data output from a task at runtime by executor or task commands + + + + + + + + A reference to an independent resource generated as output by the task. + + + + + + + Outputs that have the form of environment variables. 
+ + + + + + + + + + + + + + + + Outputs that have the form of data. + + + + + + + + Describes the type of data output. + + + + + + + Component or service that generated or provided the output from the task (e.g., a build tool) + + + + + + + Component or service that received the output from the task + (e.g., reference to an artifactory service with data flow value of outbound) + + + + + + Provides the ability to document properties in a name/value store. + This provides flexibility to include data not officially supported in the standard + without having to use additional namespaces or create extensions. Property names + of interest to the general public are encouraged to be registered in the + CycloneDX Property Taxonomy - https://github.com/CycloneDX/cyclonedx-property-taxonomy. + Formal registration is optional. + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + User-defined attributes may be used on this element as long as they + do not have the same name as an existing attribute used by the schema. + + + + + + + + + + + + + + + + + + + + + + + + + A representation of a functional parameter. + + + + + + + The name of the parameter. + + + + + + + The value of the parameter. + + + + + + + The data type of the parameter. + + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + User-defined attributes may be used on this element as long as they + do not have the same name as an existing attribute used by the schema. + + + + + + + + Cryptographic assets have properties that uniquely define them and that make them actionable for + further reasoning. As an example, it makes a difference if one knows the algorithm family (e.g. AES) + or the specific variant or instantiation (e.g. AES-128-GCM). 
This is because the security level and the + algorithm primitive (authenticated encryption) is only defined by the definition of the algorithm variant. + The presence of a weak cryptographic algorithm like SHA1 vs. HMAC-SHA1 also makes a difference. + + + + + + + Cryptographic assets occur in several forms. Algorithms and protocols are most commonly + implemented in specialized cryptographic libraries. They may however also be 'hardcoded' + in software components. Certificates and related cryptographic material like keys, tokens, + secrets or passwords are other cryptographic assets to be modelled. + + + + + + + + Mathematical function commonly used for data encryption, authentication, and + digital signatures. + + + + + + + An electronic document that is used to provide the identity or validate a public key. + + + + + + + A set of rules and guidelines that govern the behavior and communication with each other. + + + + + + + Other cryptographic assets that are related to algorithms, certificate, and protocols + such as keys and tokens. + + + + + + + + + + Additional properties specific to a cryptographic algorithm. + + + + + + + + Cryptographic building blocks used in higher-level cryptographic systems and + protocols. Primitives represent different cryptographic routines: deterministic + random bit generators (drbg, e.g. CTR_DRBG from NIST SP800-90A-r1), message + authentication codes (mac, e.g. HMAC-SHA-256), blockciphers (e.g. AES), + streamciphers (e.g. Salsa20), signatures (e.g. ECDSA), hash functions (e.g. SHA-256), + public-key encryption schemes (pke, e.g. RSA), extended output functions + (xof, e.g. SHAKE256), key derivation functions (e.g. pbkdf2), key agreement + algorithms (e.g. ECDH), key encapsulation mechanisms (e.g. ML-KEM), authenticated + encryption (ae, e.g. AES-GCM) and the combination of multiple algorithms + (combiner, e.g. SP800-56Cr2). 
+ + + + + + + + Deterministic Random Bit Generator (DRBG) is a type of pseudorandom + number generator designed to produce a sequence of bits from an initial + seed value. DRBGs are commonly used in cryptographic applications where + reproducibility of random values is important. + + + + + + + In cryptography, a Message Authentication Code (MAC) is information + used for authenticating and integrity-checking a message. + + + + + + + A block cipher is a symmetric key algorithm that operates on fixed-size + blocks of data. It encrypts or decrypts the data in block units, + providing confidentiality. Block ciphers are widely used in various + cryptographic modes and protocols for secure data transmission. + + + + + + + A stream cipher is a symmetric key cipher where plaintext digits are + combined with a pseudorandom cipher digit stream (keystream). + + + + + + + In cryptography, a signature is a digital representation of a message + or data that proves its origin, identity, and integrity. Digital + signatures are generated using cryptographic algorithms and are widely + used for authentication and verification in secure communication. + + + + + + + A hash function is a mathematical algorithm that takes an input + (or 'message') and produces a fixed-size string of characters, which is + typically a hash value. Hash functions are commonly used in various + cryptographic applications, including data integrity verification and + password hashing. + + + + + + + Public Key Encryption (PKE) is a type of encryption that uses a pair of + public and private keys for secure communication. The public key is used + for encryption, while the private key is used for decryption. PKE is a + fundamental component of public-key cryptography. + + + + + + + An XOF is an extendable output function that can take arbitrary input + and creates a stream of output, up to a limit determined by the size of + the internal state of the hash function that underlies the XOF. 
+ + + + + + + A Key Derivation Function (KDF) derives key material from another source + of entropy while preserving the entropy of the input. + + + + + + + In cryptography, a key-agreement is a protocol whereby two or more + parties agree on a cryptographic key in such a way that both influence + the outcome. + + + + + + + A Key Encapsulation Mechanism (KEM) algorithm is a mechanism for + transporting random keying material to a recipient using the recipient's + public key. + + + + + + + Authenticated Encryption (AE) is a cryptographic process that provides + both confidentiality and data integrity. It ensures that the encrypted + data has not been tampered with and comes from a legitimate source. + AE is commonly used in secure communication protocols. + + + + + + + A combiner aggregates many candidates for a cryptographic primitive and + generates a new candidate for the same primitive. + + + + + + + Another primitive type. + + + + + + + The primitive is not known. + + + + + + + + + + An identifier for the parameter set of the cryptographic algorithm. Examples: in + AES128, '128' identifies the key length in bits, in SHA256, '256' identifies the + digest length, '128' in SHAKE128 identifies its maximum security level in bits, and + 'SHA2-128s' identifies a parameter set used in SLH-DSA (FIPS205). + + + + + + + The specific underlying Elliptic Curve (EC) definition employed which is an indicator + of the level of security strength, performance and complexity. Absent an + authoritative source of curve names, CycloneDX recommends use of curve names as + defined at https://neuromancer.sk/std/, the source from which can be found at + https://github.com/J08nY/std-curves. + + + + + + + The target and execution environment in which the algorithm is implemented in. + + + + + + + + A software implementation running in plain unencrypted RAM. + + + + + + + A software implementation running in encrypted RAM. 
+ + + + + + A software implementation running in a trusted execution environment. + + + + + + A hardware implementation. + + + + + + Another implementation environment. + + + + + + The execution environment is not known. + + + + + + + + + + The target platform for which the algorithm is implemented. The implementation can + be 'generic', running on any platform or for a specific platform. + + + + + + + + + + + + + + + + + + + + + + + + + The certification that the implementation of the cryptographic algorithm has + received, if any. Certifications include revisions and levels of FIPS 140 or + Common Criteria of different Extended Assurance Levels (CC-EAL). + + + + + + + + No certification obtained + + + + + + + FIPS 140-1 Level 1 + + + + + + + FIPS 140-1 Level 2 + + + + + + + FIPS 140-1 Level 3 + + + + + + + FIPS 140-1 Level 4 + + + + + + + FIPS 140-2 Level 1 + + + + + + + FIPS 140-2 Level 2 + + + + + + + FIPS 140-2 Level 3 + + + + + + + FIPS 140-2 Level 4 + + + + + + + FIPS 140-3 Level 1 + + + + + + + FIPS 140-3 Level 2 + + + + + + + FIPS 140-3 Level 3 + + + + + + + FIPS 140-3 Level 4 + + + + + + + Common Criteria - Evaluation Assurance Level 1 + + + + + + + Common Criteria - Evaluation Assurance Level 1 (Augmented) + + + + + + + Common Criteria - Evaluation Assurance Level 2 + + + + + + + Common Criteria - Evaluation Assurance Level 2 (Augmented) + + + + + + + Common Criteria - Evaluation Assurance Level 3 + + + + + + + Common Criteria - Evaluation Assurance Level 3 (Augmented) + + + + + + + Common Criteria - Evaluation Assurance Level 4 + + + + + + + Common Criteria - Evaluation Assurance Level 4 (Augmented) + + + + + + + Common Criteria - Evaluation Assurance Level 5 + + + + + + + Common Criteria - Evaluation Assurance Level 5 (Augmented) + + + + + + + Common Criteria - Evaluation Assurance Level 6 + + + + + + + Common Criteria - Evaluation Assurance Level 6 (Augmented) + + + + + + + Common Criteria - Evaluation Assurance Level 7 + + + + + + + Common Criteria - 
Evaluation Assurance Level 7 (Augmented) + + + + + + + Another certification + + + + + + + The certification level is not known + + + + + + + + + + The mode of operation in which the cryptographic algorithm (block cipher) is used. + + + + + + + + Cipher block chaining + + + + + + + Electronic codebook + + + + + + + Counter with cipher block chaining message authentication code + + + + + + + Galois/counter + + + + + + + Cipher feedback + + + + + + + Output feedback + + + + + + + Counter + + + + + + + Another mode of operation + + + + + + + The mode of operation is not known + + + + + + + + + + The padding scheme that is used for the cryptographic algorithm. + + + + + + + + Password-Based Cryptography Specification #5 + + + + + + + Public Key Cryptography Standard: Cryptographic Message Syntax + + + + + + + Public Key Cryptography Standard: RSA Cryptography v1.5 + + + + + + + Optimal asymmetric encryption padding + + + + + + + Raw + + + + + + + Another padding scheme + + + + + + + The padding scheme is not known + + + + + + + + + + The cryptographic functions implemented by the cryptographic algorithm. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + The classical security level that a cryptographic algorithm provides (in bits). + + + + + + + + + + + + The NIST security strength category as defined in + https://csrc.nist.gov/projects/post-quantum-cryptography/post-quantum-cryptography-standardization/evaluation-criteria/security-(evaluation-criteria). + A value of 0 indicates that none of the categories are met. 
+ + + + + + + + + + + + + + + + Properties for cryptographic assets of asset type 'certificate' + + + + + + + + The subject name for the certificate + + + + + + + The issuer name for the certificate + + + + + + + The date and time according to ISO-8601 standard from which the certificate is valid + + + + + + + The date and time according to ISO-8601 standard from which the certificate is not valid anymore + + + + + + + The bom-ref to signature algorithm used by the certificate + + + + + + + The bom-ref to the public key of the subject + + + + + + + The format of the certificate. Examples include X.509, PEM, DER, and CVC + + + + + + + The file extension of the certificate. Examples include crt, pem, cer, der, and p12. + + + + + + + + + + Properties for cryptographic assets of asset type 'relatedCryptoMaterial' + + + + + + + + The type for the related cryptographic material + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + The optional unique identifier for the related cryptographic material. + + + + + + + The key state as defined by NIST SP 800-57. + + + + + + + + + + + + + + + + + The bom-ref to the algorithm used to generate the related cryptographic material. + + + + + + + The date and time (timestamp) when the related cryptographic material was created. + + + + + + + The date and time (timestamp) when the related cryptographic material was activated. + + + + + + + The date and time (timestamp) when the related cryptographic material was updated. + + + + + + + The date and time (timestamp) when the related cryptographic material expires. + + + + + + + The associated value of the cryptographic material. + + + + + + + The size of the cryptographic asset (in bits). + + + + + + + The format of the related cryptographic material (e.g. P8, PEM, DER). + + + + + + + The mechanism by which the cryptographic asset is secured by. + + + + + + + + Specifies the mechanism by which the cryptographic asset is secured by. 
+ Examples include HSM, TPM, XGX, Software, and None. + + + + + + + The bom-ref to the algorithm. + + + + + + + + + + + + + Properties specific to cryptographic assets of type: 'protocol'. + + + + + + + + The concrete protocol type. + + + + + + + + Transport Layer Security + + + + + + + Secure Shell + + + + + + + Internet Protocol Security + + + + + + + Internet Key Exchange + + + + + + + Secure Socket Tunneling Protocol + + + + + + + Wi-Fi Protected Access + + + + + + + Another protocol type + + + + + + + The protocol type is not known + + + + + + + + + + The version of the protocol. Examples include 1.0, 1.2, and 1.99. + + + + + + + A list of cipher suites related to the protocol. + + + + + + + + + + + A common name for the cipher suite. For example: TLS_DHE_RSA_WITH_AES_128_CCM + + + + + + + A list of algorithms related to the cipher suite. + + + + + + + + The bom-ref to algorithm cryptographic asset. + + + + + + + + + + A list of common identifiers for the cipher suite. + + + + + + + + Cipher suite identifier. Examples include 0xC0 and 0x9E. + + + + + + + + + + + + + + + + The IKEv2 transform types supported (types 1-4), defined in RFC7296 section 3.3.2, + and additional properties. + + + + + + + + Transform Type 1: encryption algorithms + + + + + + + Transform Type 2: pseudorandom functions + + + + + + + Transform Type 3: integrity algorithms + + + + + + + Transform Type 4: Key Exchange Method (KE) per RFC9370, formerly called Diffie-Hellman Group (D-H) + + + + + + + Specifies if an Extended Sequence Number (ESN) is used. + + + + + + + IKEv2 Authentication method + + + + + + + + + A protocol-related cryptographic assets + + + + + + + + + The object identifier (OID) of the cryptographic asset. + + + + + + + + + + + + The list of assessors evaluating claims and determining conformance to requirements and confidence in that assessment. + + + + + + + + The assessor who evaluates claims and determines conformance to requirements and confidence in that assessment. 
+ + + + + + + + The boolean indicating if the assessor is outside the organization generating claims. A value of false indicates a self assessor. + + + + + + + The entity issuing the assessment. + + + + + + + + An optional identifier which can be used to reference the object elsewhere in the BOM. + Every bom-ref must be unique within the BOM. + + + + + + User-defined attributes may be used on this element as long as they + do not have the same name as an existing attribute used by the schema. + + + + + + + + + + + The list of attestations asserted by an assessor that maps requirements to claims. + + + + + + + + An attestation asserted by an assessor that maps requirements to claims. + + + + + + + + The short description explaining the main points of the attestation. + + + + + + + The `bom-ref` to the assessor asserting the attestation. + + + + + + + The grouping of requirements to claims and the attestors declared conformance and confidence thereof. + + + + + + + + The `bom-ref` to the requirement being attested to. + + + + + + + The list of `bom-ref` to the claims being attested to. + + + + + + + + The `bom-ref` to the claim being attested to. + + + + + + + + + + The list of `bom-ref` to the counter claims being attested to. + + + + + + + + The `bom-ref` to the counter claim being attested to. + + + + + + + + + + The conformance of the claim meeting a requirement. + + + + + + + + The conformance of the claim between and inclusive of 0 and 1, where 1 is 100% conformance. + + + + + + + + + + + + + The rationale for the score of conformance. + + + + + + + The list of `bom-ref` to the evidence provided describing the + mitigation strategies. Each mitigation strategy should include an + explanation of how any weaknesses in the evidence will be mitigated. + + + + + + + + + + + + + + + The confidence of the claim meeting the requirement. + + + + + + + + The confidence of the claim between and inclusive of 0 and 1, where 1 is 100% confidence. 
+ + + + + + + + + + + + + The rationale for the confidence score. + + + + + + + + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + + + + + + + The list of claims. + + + + + + + + + + + The `bom-ref` to a target representing a specific system, application, + API, module, team, person, process, business unit, company, etc... + that this claim is being applied to. + + + + + + + The specific statement or assertion about the target. + + + + + + + The list of `bom-ref` to the evidence provided describing the + mitigation strategies. Each mitigation strategy should include an + explanation of how any weaknesses in the evidence will be mitigated. + + + + + + + + + + + + The written explanation of why the evidence provided substantiates the claim. + + + + + + + The list of `bom-ref` to evidence that supports this claim. + + + + + + + The list of `bom-ref` to counterEvidence that supports this claim. + + + + + + Provides the ability to document external references related to the claim the BOM describes. + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + + An optional identifier which can be used to reference the object elsewhere + in the BOM. Every bom-ref must be unique within the BOM. + + + + + + User-defined attributes may be used on this element as long as they + do not have the same name as an existing attribute used by the schema. + + + + + + + + + + + The list of evidence + + + + + + + + The list of evidence + + + + + + + + The reference to the property name as defined in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy/). + + + + + + + The written description of what this evidence is and how it was created. + + + + + + + The output or analysis that supports claims. + + + + + + + + The name of the data. + + + + + + + The contents or references to the contents of the data being described. 
+ + + + + + + An optional way to include textual or encoded data. + + + + + The URL to where the data can be retrieved. + + + + + + + + + Data classification tags data according to its type, sensitivity, and value if altered, stolen, or destroyed. + + + + + + + A description of any sensitive data. + + + + + + + + + + The date and time (timestamp) when the evidence was created. + + + + + The optional date and time (timestamp) when the evidence is no longer valid. + + + + + The author of the evidence. + + + + + The reviewer of the evidence. + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + + An optional identifier which can be used to reference the object elsewhere + in the BOM. Every bom-ref must be unique within the BOM. + + + + + + User-defined attributes may be used on this element as long as they + do not have the same name as an existing attribute used by the schema. + + + + + + + + + + + The list of targets which claims are made against. + + + + + + + + The list of organizations which claims are made against. + + + + + + + + + + + + The list of components which claims are made against. + + + + + + + + + + + + The list of services which claims are made against. + + + + + + + + + + + + + + + A concise statement affirmed by an individual regarding all declarations, often used for third-party auditor acceptance or recipient acknowledgment. + It includes a list of authorized signatories who assert the validity of the document on behalf of the organization. + + + + + + + + The brief statement affirmed by an individual regarding all declarations. + This could be an affirmation of acceptance by a third-party auditor or receiving + individual of a file. For example: "I certify, to the best of my knowledge, that all information is correct." + + + + + + + The list of signatories authorized on behalf of an organization to assert validity of this document. + + + + + + + + + + + The signatory's name. 
+ + + + + + + The signatory's role within an organization. + + + + + + + The signatory's organization. + + + + + + + An External reference provide a way to document systems, sites, and information that may be relevant, but are not included with the BOM. They may also establish specific relationships within or external to the BOM. + + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + + + + A collection of reusable objects that are defined and may be used elsewhere in the BOM. + + + + + + + + + + + The list of standards which may consist of regulations, industry or organizational-specific standards, maturity models, best practices, or any other requirements which can be evaluated against or attested to. + + + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + User-defined attributes may be used on this element as long as they + do not have the same name as an existing attribute used by the schema. + + + + + + + + A standard may consist of regulations, industry or organizational-specific standards, maturity models, best practices, or any other requirements which can be evaluated against or attested to. + + + + + + + The name of the standard. This will often be a shortened, single name of the standard. + + + + + + + The version of the standard. + + + + + + + The description of the standard. + + + + + + + The owner of the standard, often the entity responsible for its release. + + + + + + + The list of requirements comprising the standard. + + + + + + + + + + + The unique identifier used in the standard to identify a specific requirement. 
This should match what is in the standard and should not be the requirements bom-ref. + + + + + + + The title of the requirement. + + + + + + + The textual content of the requirement. + + + + + + + The supplemental text that provides additional guidance or context to the requirement, but is not directly part of the requirement. + + + + + + + + + + + + The Common Requirements Enumeration (CRE) identifier(s). CRE is a structured and standardized framework for uniting security standards and guidelines. CRE links each section of a resource to a shared topic identifier (a Common Requirement). Through this shared topic link, all resources map to each other. Use of CRE promotes clear and unambiguous communication among stakeholders. + + + + + + + + + + + + The optional `bom-ref` to a parent requirement. This establishes a hierarchy of requirements. Top-level requirements must not define a parent. Only child requirements should define parents. + + + + + + Provides the ability to document properties in a name/value store. + This provides flexibility to include data not officially supported in the standard + without having to use additional namespaces or create extensions. Property names + of interest to the general public are encouraged to be registered in the + CycloneDX Property Taxonomy - https://github.com/CycloneDX/cyclonedx-property-taxonomy. + Formal registration is optional. + + + + + Provides the ability to document external references related to the BOM or + to the project the BOM describes. + + + + + + + An optional identifier which can be used to reference the object elsewhere + in the BOM. Every bom-ref must be unique within the BOM. + + + + + + User-defined attributes may be used on this element as long as they + do not have the same name as an existing attribute used by the schema. + + + + + + + + + + + The list of levels associated with the standard. Some standards have different levels of compliance. 
+ + + + + + + + + + + The identifier used in the standard to identify a specific level. + + + + + + + The title of the level. + + + + + + + The description of the level. + + + + + + + The list of requirement `bom-ref`s that comprise the level. + + + + + + + + + + + + + An optional identifier which can be used to reference the object elsewhere + in the BOM. Every bom-ref must be unique within the BOM. + + + + + + User-defined attributes may be used on this element as long as they + do not have the same name as an existing attribute used by the schema. + + + + + + + + + + Provides the ability to document external references related to the BOM or + to the project the BOM describes. + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + + An optional identifier which can be used to reference the object elsewhere + in the BOM. Every bom-ref must be unique within the BOM. + + + + + + User-defined attributes may be used on this element as long as they + do not have the same name as an existing attribute used by the schema. + + + + + + + + + Textual strings that aid in discovery, search, and retrieval of the associated + object. Tags often serve as a way to group or categorize similar or related objects by various + attributes. + + Examples include: + "json-parser", "object-persistence", "text-to-image", "translation", and "object-detection" + + + + + + + + + + + + Provides additional information about a BOM. + + + + + A list of software and hardware components. + + + + + A list of services. This may include microservices, function-as-a-service, and other types of network or intra-process services. + + + + + Provides the ability to document external references related to the BOM or + to the project the BOM describes. + + + + + Provides the ability to document dependency relationships. 
+ + + + + Compositions describe constituent parts (including components, services, and dependency relationships) and their completeness. The completeness of vulnerabilities expressed in a BOM may also be described. + + + + + Provides the ability to document properties in a name/value store. + This provides flexibility to include data not officially supported in the standard + without having to use additional namespaces or create extensions. Property names + of interest to the general public are encouraged to be registered in the + CycloneDX Property Taxonomy - https://github.com/CycloneDX/cyclonedx-property-taxonomy. + Formal registration is optional. + + + + + Vulnerabilities identified in components or services. + + + + + Comments made by people, organizations, or tools about any object with + a bom-ref, such as components, services, vulnerabilities, or the BOM itself. Unlike + inventory information, annotations may contain opinion or commentary from various + stakeholders. Annotations may be inline (with inventory) or externalized via BOM-Link, + and may optionally be signed. + + + + + Describes how a component or service was manufactured or deployed. This is + achieved through the use of formulas, workflows, tasks, and steps, which declare the precise + steps to reproduce along with the observed formulas describing the steps which transpired + in the manufacturing process. + + + + + + The list of declarations which describe the conformance to standards. Each declaration may + include attestations, claims, and evidence. + + + + + + + A collection of reusable objects that are defined and may be used elsewhere in the BOM. + + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + Whenever an existing BOM is modified, either manually or through automated + processes, the version of the BOM SHOULD be incremented by 1. 
When a system is presented with
+ multiple BOMs with identical serial numbers, the system SHOULD use the most recent version of the BOM.
+ The default version is '1'.
+
+
+
+
+
+ Every BOM generated SHOULD have a unique serial number, even if the contents of
+ the BOM have not changed over time. If specified, the serial number must conform to RFC-4122.
+ Use of serial numbers are recommended.
+
+
+
+
+
+ User-defined attributes may be used on this element as long as they
+ do not have the same name as an existing attribute used by the schema.
+
+
+
+
+
+
+
+
+
diff --git a/schema/bom-1.7.proto b/schema/bom-1.7.proto
new file mode 100644
index 0000000..6def360
--- /dev/null
+++ b/schema/bom-1.7.proto
@@ -0,0 +1,2883 @@ +syntax = "proto3"; +package cyclonedx.v1_7; +import "google/protobuf/timestamp.proto"; + +// Specifies attributes of the text +message AttachedText { + // Specifies the format and nature of the data being attached, helping systems correctly interpret and process the content. Common content type examples include `application/json` for JSON data and `text/plain` for plan text documents. [RFC 2045 section 5.1](https://www.ietf.org/rfc/rfc2045.html#section-5.1) outlines the structure and use of content types. For a comprehensive list of registered content types, refer to the [IANA media types registry](https://www.iana.org/assignments/media-types/media-types.xhtml). + optional string content_type = 1; + // Specifies the encoding the text is represented in + optional string encoding = 2; + // SimpleContent value of element. Proactive controls such as input validation and sanitization should be employed to prevent misuse of attachment text. + string value = 3; +} + +message Bom { + // The version of the CycloneDX specification a BOM is written to (starting at version 1.3) + string spec_version = 1; + // The version allows component publishers/authors to make changes to existing BOMs to update various aspects of the document such as description or licenses. When a system is presented with multiple BOMs for the same component, the system should use the most recent version of the BOM. The default version is '1' and should be incremented for each version of the BOM that is published. Each version of a component should have a unique BOM and if no changes are made to the BOMs, then each BOM will have a version of '1'. + optional int32 version = 2; + // Every BOM generated should have a unique serial number, even if the contents of the BOM being generated have not changed over time. The process or tool responsible for creating the BOM should create random UUID's for every BOM generated. 
+ optional string serial_number = 3; + // Provides additional information about a BOM. + optional Metadata metadata = 4; + // Provides the ability to document a list of components. + repeated Component components = 5; + // Provides the ability to document a list of external services. + repeated Service services = 6; + // Provides the ability to document external references related to the BOM or to the project the BOM describes. + repeated ExternalReference external_references = 7; + // Provides the ability to document dependency relationships. + repeated Dependency dependencies = 8; + // Compositions describe constituent parts (including components, services, and dependency relationships) and their completeness. The completeness of vulnerabilities expressed in a BOM may also be described. + repeated Composition compositions = 9; + // Vulnerabilities identified in components or services. + repeated Vulnerability vulnerabilities = 10; + // Comments made by people, organizations, or tools about any object with a bom_ref, such as components, services, vulnerabilities, or the BOM itself. Unlike inventory information, annotations may contain opinion or commentary from various stakeholders. + repeated Annotation annotations = 11; + // Specifies custom properties. + repeated Property properties = 12; + // Describes the formulation of any referencable object within the BOM, including components, services, metadata, declarations, or the BOM itself. This may encompass how the object was created, assembled, deployed, tested, certified, or otherwise brought into its present form. Common examples include software build pipelines, deployment processes, AI/ML model training, cryptographic key generation or certification, and third-party audits. Processes are modeled using declared and observed formulas, composed of workflows, tasks, and individual steps. + repeated Formula formulation = 13; + // The list of declarations which describe the conformance to standards. 
Each declaration may include attestations, claims, and evidence. + repeated Declarations declarations = 14; + // A collection of reusable objects that are defined and may be used elsewhere in the BOM. + repeated Definition definitions = 15; + // A collection of attributions indicating which entity supplied information for specific fields within the BOM. + repeated Citation citations = 16; +} + +enum Classification { + // buf:lint:ignore ENUM_ZERO_VALUE_SUFFIX -- `null` is our fallback, doubling `unspecified` + CLASSIFICATION_NULL = 0; + // A software application. Refer to https://en.wikipedia.org/wiki/Application_software for information about applications. + CLASSIFICATION_APPLICATION = 1; + // A software framework. Refer to https://en.wikipedia.org/wiki/Software_framework for information on how frameworks vary slightly from libraries. + CLASSIFICATION_FRAMEWORK = 2; + // A software library. Refer to https://en.wikipedia.org/wiki/Library_(computing) for information about libraries. All third-party and open source reusable components will likely be a library. If the library also has key features of a framework, then it should be classified as a framework. If not, or is unknown, then specifying library is recommended. + CLASSIFICATION_LIBRARY = 3; + // A software operating system without regard to deployment model (i.e. installed on physical hardware, virtual machine, image, etc) Refer to https://en.wikipedia.org/wiki/Operating_system + CLASSIFICATION_OPERATING_SYSTEM = 4; + // A hardware device such as a processor, or chip-set. A hardware device containing firmware should include a component for the physical hardware itself, and another component of type 'firmware' or 'operating-system' (whichever is relevant), describing information about the software running on the device. See also the list of known device properties: https://github.com/CycloneDX/cyclonedx-property-taxonomy/blob/main/cdx/device.md + CLASSIFICATION_DEVICE = 5; + // A computer file. 
Refer to https://en.wikipedia.org/wiki/Computer_file for information about files. + CLASSIFICATION_FILE = 6; + // A packaging and/or runtime format, not specific to any particular technology, which isolates software inside the container from software outside of a container through virtualization technology. Refer to https://en.wikipedia.org/wiki/OS-level_virtualization + CLASSIFICATION_CONTAINER = 7; + // A special type of software that provides low-level control over a devices hardware. Refer to https://en.wikipedia.org/wiki/Firmware + CLASSIFICATION_FIRMWARE = 8; + // A special type of software that operates or controls a particular type of device. Refer to https://en.wikipedia.org/wiki/Device_driver + CLASSIFICATION_DEVICE_DRIVER = 9; + // A runtime environment that interprets or executes software. + // This may include runtimes such as those that execute bytecode, just-in-time compilers, interpreters, or low-code/no-code application platforms. + CLASSIFICATION_PLATFORM = 10; + // A model based on training data that can make predictions or decisions without being explicitly programmed to do so. + CLASSIFICATION_MACHINE_LEARNING_MODEL = 11; + // A collection of discrete values that convey information. + CLASSIFICATION_DATA = 12; + // A cryptographic asset including algorithms, protocols, certificates, keys, tokens, and secrets. + CLASSIFICATION_CRYPTOGRAPHIC_ASSET = 13; +} + +message Commit { + // A unique identifier of the commit. This may be version control specific. For example, Subversion uses revision numbers whereas git uses commit hashes. + optional string uid = 1; + // The URL to the commit. This URL will typically point to a commit in a version control system. 
+ optional string url = 2; + // The author who created the changes in the commit + optional IdentifiableAction author = 3; + // The person who committed or pushed the commit + optional IdentifiableAction committer = 4; + // The text description of the contents of the commit + optional string message = 5; +} + +message Component { + // Specifies the type of component. For software components, classify as an application if no more specific appropriate classification is available or cannot be determined for the component. + Classification type = 1; + // The mime-type of the component. When used on file components, the mime-type can provide additional context about the kind of file being represented, such as an image, font, or executable. Some library or framework components may also have an associated mime-type. + optional string mime_type = 2; + // A identifier which can be used to reference the component elsewhere in the BOM. Uniqueness is enforced within all elements and children of the root-level bom element. + optional string bom_ref = 3; + // The organization that supplied the component. The supplier may often be the manufacturer but may also be a distributor or repackager. + optional OrganizationalEntity supplier = 4; + // DEPRECATED - DO NOT USE - This will be removed in a future version - Use `.authors` or `.manufacturer` instead. + // The person(s) or organization(s) that authored the component + optional string author = 5 [deprecated = true]; + // The person(s) or organization(s) that published the component + optional string publisher = 6; + // The grouping name or identifier. This will often be a shortened, single name of the company or project that produced the component or the source package or domain name. Whitespace and special characters should be avoided. Examples include: apache, org.apache.commons, and apache.org. + optional string group = 7; + // The name of the component. This will often be a shortened, single name of the component. 
Examples: commons-lang3 and jquery + string name = 8; + // The component version. The version should ideally comply with semantic versioning but is not enforced. + // Version was made optional in v1.4 of the spec. + // For backward compatibility, it is recommended to use an empty string to represent components without version information. + // Must be used exclusively, either 'version' or 'versionRange', but not both. + string version = 9; + // For an external component, this specifies the accepted version range. + // The value must adhere to the Package URL Version Range syntax (vers), as defined at https://github.com/package-url/vers-spec. + // May only be used if `isExternal` is set to `true`. + // Must be used exclusively, either 'version' or 'versionRange', but not both. + optional string versionRange = 33; + // Specifies a description for the component + optional string description = 10; + // Specifies the scope of the component. If a scope is not specified, SCOPE_REQUIRED scope should be assumed by the consumer of the BOM + optional Scope scope = 11; + // The hashes of the component. + repeated Hash hashes = 12; + // A list of SPDX licenses and/or named licenses and/or SPDX License Expression. + repeated LicenseChoice licenses = 13; + // An copyright notice informing users of the underlying claims to copyright ownership in a published work. + optional string copyright = 14; + // DEPRECATED - DO NOT USE. This will be removed in a future version. Specifies a well-formed CPE name. See https://nvd.nist.gov/products/cpe + optional string cpe = 15; + // Specifies the package-url (PURL). The purl, if specified, must be valid and conform to the specification defined at: https://github.com/package-url/purl-spec + optional string purl = 16; + // Specifies metadata and content for ISO-IEC 19770-2 Software Identification (SWID) Tags. + optional Swid swid = 17; + // DEPRECATED - DO NOT USE. This will be removed in a future version. 
Use the pedigree element instead to supply information on exactly how the component was modified. A boolean value indicating is the component has been modified from the original. A value of true indicates the component is a derivative of the original. A value of false indicates the component has not been modified from the original. + optional bool modified = 18; + // Component pedigree is a way to document complex supply chain scenarios where components are created, distributed, modified, redistributed, combined with other components, etc. + optional Pedigree pedigree = 19; + // Provides the ability to document external references related to the component or to the project the component describes. + repeated ExternalReference external_references = 20; + // Specifies sub-components. This is not a dependency tree. It provides a way to specify a hierarchical representation of component assemblies, similar to system -> subsystem -> parts assembly in physical supply chains. + repeated Component components = 21; + // Specifies custom properties. + repeated Property properties = 22; + // Specifies license and copyright evidence. + optional Evidence evidence = 23; + // Specifies release notes. + optional ReleaseNotes releaseNotes = 24; + // A model card describes the intended uses of a machine learning model, potential limitations, biases, ethical considerations, training parameters, datasets used to train the model, performance metrics, and other relevant data useful for ML transparency. + optional ModelCard modelCard = 25; + // This object SHOULD be specified for any component of type `data` and must not be specified for other component types. + repeated ComponentData data = 26; + // Cryptographic assets have properties that uniquely define them and that make them actionable for further reasoning. As an example, it makes a difference if one knows the algorithm family (e.g. AES) or the specific variant or instantiation (e.g. AES-128-GCM). 
This is because the security level and the algorithm primitive (authenticated encryption) is only defined by the definition of the algorithm variant. The presence of a weak cryptographic algorithm like SHA1 vs. HMAC-SHA1 also makes a difference. + optional CryptoProperties cryptoProperties = 27; + // The organization that created the component. Manufacturer is common in components created through automated processes. Components created through manual means may have `.authors` instead. + optional OrganizationalEntity manufacturer = 28; + // The person(s) who created the component. Authors are common in components created through manual processes. Components created through automated means may have `.manufacturer` instead. + repeated OrganizationalContact authors = 29; + // Textual strings that aid in discovery, search, and retrieval of the associated object. Tags often serve as a way to group or categorize similar or related objects by various attributes. Examples include "json-parser", "object-persistence", "text-to-image", "translation", and "object-detection". + repeated string tags = 30; + // Specifies the OmniBOR Artifact ID. The OmniBOR, if specified, must be valid and conform to the specification defined at: https://www.iana.org/assignments/uri-schemes/prov/gitoid + repeated string omniborId = 31; + // Specifies the Software Heritage persistent identifier (SWHID). The SWHID, if specified, must be valid and conform to the specification defined at: https://docs.softwareheritage.org/devel/swh-model/persistent-identifiers.html + repeated string swhid = 32; + // Determine whether this component is external. + // An external component is one that is not part of an assembly, but is expected to be provided by the environment, regardless of the component's `scope`. This setting can be useful for distinguishing which components are bundled with the product and which can be relied upon to be present in the deployment environment. 
+ // This may be set to `true` for runtime components only. For `Bom.metadata.component`, it must be set to `false`.
+ optional bool isExternal = 34; // implicit defaults to `false`
+ // A list of assertions made regarding patents associated with this component or service. Assertions distinguish between ownership, licensing, and other relevant interactions with patents.
+ repeated PatentAssertion patent_assertions = 35;
+}
+
+// Specifies the data flow.
+message DataFlow {
+ // Specifies the flow direction of the data.
+ DataFlowDirection flow = 1;
+ // Data classification tags data according to its type, sensitivity, and value if altered, stolen, or destroyed.
+ string value = 2;
+ // Name for the defined data
+ optional string name = 3;
+ // Short description of the data content and usage
+ optional string description = 4;
+ // The URI, URL, or BOM-Link of the components or services the data came in from
+ repeated string source = 5;
+ // The URI, URL, or BOM-Link of the components or services the data is sent to
+ repeated string destination = 6;
+ // Data Governance
+ optional DataGovernance governance = 7;
+}
+
+// Specifies the flow direction of the data. Valid values are: inbound, outbound, bi-directional, and unknown. Direction is relative to the service. Inbound flow states that data enters the service. Outbound flow states that data leaves the service. Bi-directional states that data flows both ways, and unknown states that the direction is not known.
+// buf:lint:ignore ENUM_VALUE_PREFIX -- Enum value names should be prefixed with "DATA_FLOW_DIRECTION_"
+enum DataFlowDirection {
+ // Default.
+ // buf:lint:ignore ENUM_ZERO_VALUE_SUFFIX -- `null` is our fallback, doubling `unspecified`
+ DATA_FLOW_NULL = 0;
+ // Data that enters a service.
+ DATA_FLOW_INBOUND = 1;
+ // Data that exits a service.
+ DATA_FLOW_OUTBOUND = 2;
+ // Data flows in and out of the service.
+ DATA_FLOW_BI_DIRECTIONAL = 3;
+ // The directional flow of data is not known.
+ DATA_FLOW_UNKNOWN = 4;
+}
+
+// Defines the direct dependencies of a component, service, or the components provided/implemented by a given component. Components or services that do not have their own dependencies must be declared as empty elements within the graph. Components or services that are not represented in the dependency graph may have unknown dependencies. It is recommended that implementations assume this to be opaque and not an indicator of an object being dependency-free. It is recommended to leverage compositions to indicate unknown dependency graphs.
+message Dependency {
+ // References a component or service by its bom_ref attribute
+ string ref = 1;
+ // The bom_ref identifiers of the components or services that are dependencies of this dependency object.
+ repeated Dependency dependencies = 2;
+ // The bom_ref identifiers of the components or services that define a given specification or standard, which are provided or implemented by this dependency object.
+ repeated string provides = 3;
+}
+
+// The patch file (or diff) that shows changes. Refer to https://en.wikipedia.org/wiki/Diff
+message Diff {
+ // Specifies the text of the diff
+ optional AttachedText text = 1;
+ // Specifies the URL to the diff
+ optional string url = 2;
+}
+
+// External references provide a way to document systems, sites, and information that may be relevant but are not included with the BOM. They may also establish specific relationships within or external to the BOM.
+message ExternalReference {
+ // Specifies the type of external reference. There are built-in types to describe common references. If a type does not exist for the reference being referred to, use the "other" type.
+ ExternalReferenceType type = 1;
+ // The URL to the external reference
+ string url = 2;
+ // A comment describing the external reference
+ optional string comment = 3;
+ // Integrity hashes for the external resource content
+ repeated Hash hashes = 4;
+ // Specifies custom properties.
+ repeated Property properties = 5;
+}
+
+enum ExternalReferenceType {
+ // Use this if no other types accurately describe the purpose of the external reference.
+ // buf:lint:ignore ENUM_ZERO_VALUE_SUFFIX -- `other` is our fallback, doubling `unspecified`
+ EXTERNAL_REFERENCE_TYPE_OTHER = 0;
+ // Version Control System
+ EXTERNAL_REFERENCE_TYPE_VCS = 1;
+ // Issue, defect tracking system, or an Application Lifecycle Management (ALM) system
+ EXTERNAL_REFERENCE_TYPE_ISSUE_TRACKER = 2;
+ // Website
+ EXTERNAL_REFERENCE_TYPE_WEBSITE = 3;
+ // Security advisories
+ EXTERNAL_REFERENCE_TYPE_ADVISORIES = 4;
+ // Bill-of-material document (CycloneDX, SPDX, SWID, etc)
+ EXTERNAL_REFERENCE_TYPE_BOM = 5;
+ // Mailing list or discussion group
+ EXTERNAL_REFERENCE_TYPE_MAILING_LIST = 6;
+ // Social media account
+ EXTERNAL_REFERENCE_TYPE_SOCIAL = 7;
+ // Real-time chat platform
+ EXTERNAL_REFERENCE_TYPE_CHAT = 8;
+ // Documentation, guides, or how-to instructions
+ EXTERNAL_REFERENCE_TYPE_DOCUMENTATION = 9;
+ // Community or commercial support
+ EXTERNAL_REFERENCE_TYPE_SUPPORT = 10;
+ // Direct or repository download location
+ EXTERNAL_REFERENCE_TYPE_DISTRIBUTION = 11;
+ // The URL to the license file. If a license URL has been defined in the license node, it should also be defined as an external reference for completeness
+ EXTERNAL_REFERENCE_TYPE_LICENSE = 12;
+ // Build-system specific meta file (i.e. pom.xml, package.json, .nuspec, etc)
+ EXTERNAL_REFERENCE_TYPE_BUILD_META = 13;
+ // URL to an automated build system
+ EXTERNAL_REFERENCE_TYPE_BUILD_SYSTEM = 14;
+ // Specifies a way to contact the maintainer, supplier, or provider in the event of a security incident. Common URIs include links to a disclosure procedure, a mailto (RFC-2368) that specifies an email address, a tel (RFC-3966) that specifies a phone number, or dns (RFC-4501) that specifies the records containing DNS Security TXT.
+ EXTERNAL_REFERENCE_TYPE_SECURITY_CONTACT = 15;
+ // Human or machine-readable statements containing facts, evidence, or testimony
+ EXTERNAL_REFERENCE_TYPE_ATTESTATION = 16;
+ // An enumeration of identified weaknesses, threats, and countermeasures, dataflow diagram (DFD), attack tree, and other supporting documentation in human-readable or machine-readable format
+ EXTERNAL_REFERENCE_TYPE_THREAT_MODEL = 17;
+ // The defined assumptions, goals, and capabilities of an adversary.
+ EXTERNAL_REFERENCE_TYPE_ADVERSARY_MODEL = 18;
+ // Identifies and analyzes the potential of future events that may negatively impact individuals, assets, and/or the environment. Risk assessments may also include judgments on the tolerability of each risk.
+ EXTERNAL_REFERENCE_TYPE_RISK_ASSESSMENT = 19;
+ // The location where a component was published. This is often the same as "distribution" but may also include specialized publishing processes that act as an intermediary
+ EXTERNAL_REFERENCE_TYPE_DISTRIBUTION_INTAKE = 20;
+ // A Vulnerability Disclosure Report (VDR) which asserts the known and previously unknown vulnerabilities that affect a component, service, or product including the analysis and findings describing the impact (or lack of impact) that the reported vulnerability has on a component, service, or product
+ EXTERNAL_REFERENCE_TYPE_VULNERABILITY_ASSERTION = 21;
+ // A Vulnerability Exploitability eXchange (VEX) asserts the known vulnerabilities that do not affect a product, product family, or organization, and optionally, the ones that do.
The VEX should include the analysis and findings describing the impact (or lack of impact) that the reported vulnerability has on the product, product family, or organization
+ EXTERNAL_REFERENCE_TYPE_EXPLOITABILITY_STATEMENT = 22;
+ // Results from an authorized simulated cyberattack on a component or service, otherwise known as a penetration test
+ EXTERNAL_REFERENCE_TYPE_PENTEST_REPORT = 23;
+ // SARIF or proprietary machine or human-readable report for which static analysis has identified code quality, security, and other potential issues with the source code
+ EXTERNAL_REFERENCE_TYPE_STATIC_ANALYSIS_REPORT = 24;
+ // Dynamic analysis report that has identified issues such as vulnerabilities and misconfigurations
+ EXTERNAL_REFERENCE_TYPE_DYNAMIC_ANALYSIS_REPORT = 25;
+ // Report generated by analyzing the call stack of a running application
+ EXTERNAL_REFERENCE_TYPE_RUNTIME_ANALYSIS_REPORT = 26;
+ // Report generated by Software Composition Analysis (SCA), container analysis, or other forms of component analysis
+ EXTERNAL_REFERENCE_TYPE_COMPONENT_ANALYSIS_REPORT = 27;
+ // Report containing a formal assessment of an organization, business unit, or team against a maturity model
+ EXTERNAL_REFERENCE_TYPE_MATURITY_REPORT = 28;
+ // Industry, regulatory, or other certification from an accredited (if applicable) certification body
+ EXTERNAL_REFERENCE_TYPE_CERTIFICATION_REPORT = 29;
+ // Report or system in which quality metrics can be obtained
+ EXTERNAL_REFERENCE_TYPE_QUALITY_METRICS = 30;
+ // Code or configuration that defines and provisions virtualized infrastructure, commonly referred to as Infrastructure as Code (IaC)
+ EXTERNAL_REFERENCE_TYPE_CODIFIED_INFRASTRUCTURE = 31;
+ // A model card describes the intended uses of a machine learning model, potential limitations, biases, ethical considerations, training parameters, datasets used to train the model, performance metrics, and other relevant data useful for ML transparency.
+ EXTERNAL_REFERENCE_TYPE_MODEL_CARD = 32;
+ // Plans of Action and Milestones (POA&M) complement an "attestation" external reference. POA&M is defined by NIST as a "document that identifies tasks needing to be accomplished. It details resources required to accomplish the elements of the plan, any milestones in meeting the tasks and scheduled completion dates for the milestones".
+ EXTERNAL_REFERENCE_TYPE_POAM = 33;
+ // A record of events that occurred in a computer system or application, such as problems, errors, or information on current operations.
+ EXTERNAL_REFERENCE_TYPE_LOG = 34;
+ // Parameters or settings that may be used by other components or services.
+ EXTERNAL_REFERENCE_TYPE_CONFIGURATION = 35;
+ // Information used to substantiate a claim.
+ EXTERNAL_REFERENCE_TYPE_EVIDENCE = 36;
+ // Describes the formulation of any referencable object within the BOM, including components, services, metadata, declarations, or the BOM itself.
+ EXTERNAL_REFERENCE_TYPE_FORMULATION = 37;
+ // The location where the source code distributable can be obtained. This is often an archive format such as zip or tar.gz. The source-distribution type complements the use of the version control (vcs) type.
+ EXTERNAL_REFERENCE_TYPE_SOURCE_DISTRIBUTION = 38;
+ // An e-signature is commonly a scanned representation of a written signature or a stylized script of the person's name.
+ EXTERNAL_REFERENCE_TYPE_ELECTRONIC_SIGNATURE = 39;
+ // A signature that leverages cryptography, typically public/private key pairs, which provides strong authenticity verification.
+ EXTERNAL_REFERENCE_TYPE_DIGITAL_SIGNATURE = 40;
+ // Document that complies with RFC-9116 (A File Format to Aid in Security Vulnerability Disclosure)
+ EXTERNAL_REFERENCE_TYPE_RFC_9116 = 41;
+ // Reference to release notes
+ EXTERNAL_REFERENCE_TYPE_RELEASE_NOTES = 42;
+ // References information about patents which may be defined in human-readable documents or in machine-readable formats such as CycloneDX or ST.96.
For detailed patent information or to reference the information provided directly by patent offices, it is recommended to leverage standards from the World Intellectual Property Organization (WIPO) such as [ST.96](https://www.wipo.int/standards/en/st96).
+ EXTERNAL_REFERENCE_TYPE_PATENT = 43;
+ // References information about a patent family which may be defined in human-readable documents or in machine-readable formats such as CycloneDX or ST.96. A patent family is a group of related patent applications or granted patents that cover the same or similar invention. For detailed patent family information or to reference the information provided directly by patent offices, it is recommended to leverage standards from the World Intellectual Property Organization (WIPO) such as [ST.96](https://www.wipo.int/standards/en/st96).
+ EXTERNAL_REFERENCE_TYPE_PATENT_FAMILY = 44;
+ // References assertions made regarding patents associated with a component or service. Assertions distinguish between ownership, licensing, and other relevant interactions with patents.
+ EXTERNAL_REFERENCE_TYPE_PATENT_ASSERTION = 45;
+ // A reference to external citations applicable to the object identified by this BOM entry or the BOM itself. When used with a BOM-Link, this allows offloading citations into a separate CycloneDX BOM.
+ EXTERNAL_REFERENCE_TYPE_CITATION = 46;
+}
+
+enum HashAlg {
+ // buf:lint:ignore ENUM_ZERO_VALUE_SUFFIX -- `null` is our fallback, doubling `unspecified`
+ HASH_ALG_NULL = 0;
+ HASH_ALG_MD_5 = 1;
+ HASH_ALG_SHA_1 = 2;
+ HASH_ALG_SHA_256 = 3;
+ HASH_ALG_SHA_384 = 4;
+ HASH_ALG_SHA_512 = 5;
+ HASH_ALG_SHA_3_256 = 6;
+ HASH_ALG_SHA_3_384 = 7;
+ HASH_ALG_SHA_3_512 = 8;
+ HASH_ALG_BLAKE_2_B_256 = 9;
+ HASH_ALG_BLAKE_2_B_384 = 10;
+ HASH_ALG_BLAKE_2_B_512 = 11;
+ HASH_ALG_BLAKE_3 = 12;
+ HASH_ALG_STREEBOG_256 = 13;
+ HASH_ALG_STREEBOG_512 = 14;
+}
+
+// Specifies the file hash of the component
+message Hash {
+ // Specifies the algorithm used to create the hash
+ HashAlg alg = 1;
+ // SimpleContent value of element
+ string value = 2;
+}
+
+message IdentifiableAction {
+ // The timestamp in which the action occurred
+ optional google.protobuf.Timestamp timestamp = 1;
+ // The name of the individual who performed the action
+ optional string name = 2;
+ // The email address of the individual who performed the action
+ optional string email = 3;
+}
+
+enum IssueClassification {
+ // Default.
+ // buf:lint:ignore ENUM_ZERO_VALUE_SUFFIX -- `null` is our fallback, doubling `unspecified`
+ ISSUE_CLASSIFICATION_NULL = 0;
+ // A fault, flaw, or bug in software
+ ISSUE_CLASSIFICATION_DEFECT = 1;
+ // A new feature or behavior in software
+ ISSUE_CLASSIFICATION_ENHANCEMENT = 2;
+ // A special type of defect which impacts security
+ ISSUE_CLASSIFICATION_SECURITY = 3;
+}
+
+// An individual issue that has been resolved.
+message Issue {
+ // Specifies the type of issue
+ IssueClassification type = 1;
+ // The identifier of the issue assigned by the source of the issue
+ optional string id = 2;
+ // The name of the issue
+ optional string name = 3;
+ // A description of the issue
+ optional string description = 4;
+ // The source of the issue where it is documented
+ optional Source source = 5;
+ // A collection of URL's for reference. Multiple URLs are allowed.
Example: "https://example.com"
+ repeated string references = 6;
+}
+
+// The source of the issue where it is documented.
+message Source {
+ // The name of the source. For example, "National Vulnerability Database", "NVD", and "Apache"
+ optional string name = 1;
+ // The url of the issue documentation as provided by the source
+ optional string url = 2;
+}
+
+message LicenseChoice {
+ oneof choice {
+ // A license
+ License license = 1;
+ // A valid SPDX license expression. Refer to https://spdx.org/specifications for syntax requirements.
+ string expression = 2;
+ // A SPDX license expression and its details
+ LicenseExpressionDetailed expression_detailed = 5;
+ }
+ // This field must only be used when `expression` is chosen as the other options have their own acknowledgement.
+ optional LicenseAcknowledgementEnumeration acknowledgement = 3;
+ // This field must only be used when `expression` is chosen as the other options have their own bom_ref.
+ optional string bom_ref = 4;
+}
+
+// Specifies the details and attributes related to a software license. It can either include a valid SPDX license identifier or a named license, along with additional properties such as license acknowledgment, comprehensive commercial licensing information, and the full text of the license.
+message License {
+ oneof license {
+ // A valid SPDX license identifier. If specified, this value must be one of the enumeration of valid SPDX license identifiers defined in the spdx.schema.json (or spdx.xml) subschema which is synchronized with the official SPDX license list.
+ string id = 1;
+ // The name of the license. This may include the name of a commercial or proprietary license or an open source license that may not be defined by SPDX.
+ string name = 2;
+ }
+ // Specifies the full text of the attachment
+ optional AttachedText text = 3;
+ // The URL to the attachment file. If the attachment is a license or BOM, an externalReference should also be specified for completeness.
+ optional string url = 4;
+ // A identifier which can be used to reference the license elsewhere in the BOM. Uniqueness is enforced within all elements and children of the root-level bom element.
+ optional string bom_ref = 5;
+ // Licensing details describing the licensor/licensee, license type, renewal and expiration dates, and other important metadata
+ optional Licensing licensing = 6;
+ // Specifies custom properties.
+ repeated Property properties = 7;
+ // Declared licenses and concluded licenses represent two different stages in the licensing process within software development. Declared licenses refer to the initial intention of the software authors regarding the licensing terms under which their code is released. On the other hand, concluded licenses are the result of a comprehensive analysis of the project's codebase to identify and confirm the actual licenses of the components used, which may differ from the initially declared licenses. While declared licenses provide an upfront indication of the licensing intentions, concluded licenses offer a more thorough understanding of the actual licensing within a project, facilitating proper compliance and risk management. Observed licenses are defined in `@.evidence.licenses`. Observed licenses form the evidence necessary to substantiate a concluded license.
+ optional LicenseAcknowledgementEnumeration acknowledgement = 8;
+}
+
+// Specifies the details and attributes related to a software license.
+// It must be a valid SPDX license expression, along with additional properties such as license acknowledgment.
+message LicenseExpressionDetailed {
+
+ // This document specifies the details and attributes related to a software license identifier. An SPDX expression may be a compound of license identifiers.
+ // The `license_identifier` field serves as the key that identifies each record.
Note that this key is not required to be unique, as the same license identifier could apply to multiple, different but similar license details, texts, etc.
+ message ExpressionDetails {
+ // A valid SPDX license identifier. Refer to https://spdx.org/specifications for syntax requirements.
+ // This field serves as the primary key, which uniquely identifies each record.
+ // Example values:
+ // - "Apache-2.0",
+ // - "GPL-3.0-only WITH Classpath-exception-2.0"
+ // - "LicenseRef-my-custom-license"
+ string license_identifier = 1;
+ // A identifier which can be used to reference the license elsewhere in the BOM. Uniqueness is enforced within all elements and children of the root-level bom element.
+ optional string bom_ref = 2;
+ // A way to include the textual content of the license.
+ optional AttachedText text = 3;
+ // The URL to the license file. If specified, a 'license' externalReference should also be specified for completeness
+ optional string url = 4;
+ }
+
+ // A valid SPDX license expression. Refer to https://spdx.org/specifications for syntax requirements.
+ // Example values:
+ // - "Apache-2.0 AND (MIT OR GPL-2.0-only)",
+ // - "GPL-3.0-only WITH Classpath-exception-2.0"
+ string expression = 1;
+ // Licensing details describing the licensor/licensee, license type, renewal and expiration dates, and other important metadata
+ // Details for parts of the `expression`.
+ repeated ExpressionDetails details = 2;
+ // A identifier which can be used to reference the license elsewhere in the BOM. Uniqueness is enforced within all elements and children of the root-level bom element.
+ optional string bom_ref = 3;
+ // Declared licenses and concluded licenses represent two different stages in the licensing process within software development. Declared licenses refer to the initial intention of the software authors regarding the licensing terms under which their code is released.
On the other hand, concluded licenses are the result of a comprehensive analysis of the project's codebase to identify and confirm the actual licenses of the components used, which may differ from the initially declared licenses. While declared licenses provide an upfront indication of the licensing intentions, concluded licenses offer a more thorough understanding of the actual licensing within a project, facilitating proper compliance and risk management. Observed licenses are defined in `@.evidence.licenses`. Observed licenses form the evidence necessary to substantiate a concluded license.
+ optional LicenseAcknowledgementEnumeration acknowledgement = 4;
+ // Licensing details describing the licensor/licensee, license type, renewal and expiration dates, and other important metadata
+ optional Licensing licensing = 5;
+ // Specifies custom properties.
+ repeated Property properties = 6;
+}
+
+// Declared licenses and concluded licenses represent two different stages in the licensing process within software development. Declared licenses refer to the initial intention of the software authors regarding the licensing terms under which their code is released. On the other hand, concluded licenses are the result of a comprehensive analysis of the project's codebase to identify and confirm the actual licenses of the components used, which may differ from the initially declared licenses. While declared licenses provide an upfront indication of the licensing intentions, concluded licenses offer a more thorough understanding of the actual licensing within a project, facilitating proper compliance and risk management. Observed licenses are defined in `@.evidence.licenses`. Observed licenses form the evidence necessary to substantiate a concluded license.
+enum LicenseAcknowledgementEnumeration {
+ // The license acknowledgement is not specified.
+ LICENSE_ACKNOWLEDGEMENT_ENUMERATION_UNSPECIFIED = 0;
+ // Declared licenses represent the initial intentions of authors regarding the licensing terms of their code.
+ LICENSE_ACKNOWLEDGEMENT_ENUMERATION_DECLARED = 1;
+ // Concluded licenses are verified and confirmed.
+ LICENSE_ACKNOWLEDGEMENT_ENUMERATION_CONCLUDED = 2;
+}
+
+message Licensing {
+ // License identifiers that may be used to manage licenses and their lifecycle
+ repeated string altIds = 1;
+ // The individual or organization that grants a license to another individual or organization
+ optional OrganizationalEntityOrContact licensor = 2;
+ // The individual or organization for which a license was granted to
+ optional OrganizationalEntityOrContact licensee = 3;
+ // The individual or organization that purchased the license
+ optional OrganizationalEntityOrContact purchaser = 4;
+ // The purchase order identifier the purchaser sent to a supplier or vendor to authorize a purchase
+ optional string purchaseOrder = 5;
+ // The type of license(s) that was granted to the licensee
+ repeated LicensingTypeEnum licenseTypes = 6;
+ // The timestamp indicating when the license was last renewed. For new purchases, this is often the purchase or acquisition date. For non-perpetual licenses or subscriptions, this is the timestamp of when the license was last renewed.
+ optional google.protobuf.Timestamp lastRenewal = 7;
+ // The timestamp indicating when the current license expires (if applicable).
+ optional google.protobuf.Timestamp expiration = 8;
+}
+
+// EITHER an organization OR an individual
+message OrganizationalEntityOrContact {
+ oneof choice {
+ // Organization
+ OrganizationalEntity organization = 1;
+ // Individual
+ OrganizationalContact individual = 2;
+ }
+}
+
+// buf:lint:ignore ENUM_VALUE_PREFIX -- Enum value names should be prefixed with "LICENSING_TYPE_ENUM_"
+enum LicensingTypeEnum {
+ // buf:lint:ignore ENUM_ZERO_VALUE_SUFFIX -- `null` is our fallback, doubling `unspecified`
+ LICENSING_TYPE_NULL = 0;
+ // A license that grants use of software solely for the purpose of education or research.
+ LICENSING_TYPE_ACADEMIC = 1;
+ // A license covering use of software embedded in a specific piece of hardware.
+ LICENSING_TYPE_APPLIANCE = 2;
+ // A Client Access License (CAL) allows client computers to access services provided by server software.
+ LICENSING_TYPE_CLIENT_ACCESS = 3;
+ // A Concurrent User license (aka floating license) limits the number of licenses for a software application and licenses are shared among a larger number of users.
+ LICENSING_TYPE_CONCURRENT_USER = 4;
+ // A license where the core of a computer's processor is assigned a specific number of points.
+ LICENSING_TYPE_CORE_POINTS = 5;
+ // A license for which consumption is measured by non-standard metrics.
+ LICENSING_TYPE_CUSTOM_METRIC = 6;
+ // A license that covers a defined number of installations on computers and other types of devices.
+ LICENSING_TYPE_DEVICE = 7;
+ // A license that grants permission to install and use software for trial purposes.
+ LICENSING_TYPE_EVALUATION = 8;
+ // A license that grants access to the software to one or more pre-defined users.
+ LICENSING_TYPE_NAMED_USER = 9;
+ // A license that grants access to the software on one or more pre-defined computers or devices.
+ LICENSING_TYPE_NODE_LOCKED = 10;
+ // An Original Equipment Manufacturer license that is delivered with hardware, cannot be transferred to other hardware, and is valid for the life of the hardware.
+ LICENSING_TYPE_OEM = 11;
+ // A license where the software is sold on a one-time basis and the licensee can use a copy of the software indefinitely.
+ LICENSING_TYPE_PERPETUAL = 12;
+ // A license where each installation consumes points per processor.
+ LICENSING_TYPE_PROCESSOR_POINTS = 13;
+ // A license where the licensee pays a fee to use the software or service.
+ LICENSING_TYPE_SUBSCRIPTION = 14;
+ // A license that grants access to the software or service by a specified number of users.
+ LICENSING_TYPE_USER = 15;
+ // Another license type.
+ LICENSING_TYPE_OTHER = 16;
+}
+
+message Metadata {
+ message DistributionConstraints {
+ // The Traffic Light Protocol (TLP) classification that controls the sharing and distribution of the data that the BOM describes.
+ optional TlpClassification tlp = 1;
+ }
+
+ // The date and time (timestamp) when the document was created.
+ optional google.protobuf.Timestamp timestamp = 1;
+ // The tool(s) used in the creation of the BOM.
+ optional Tool tools = 2;
+ // The person(s) who created the BOM. Authors are common in BOMs created through manual processes. BOMs created through automated means may have '.manufacturer' instead.
+ repeated OrganizationalContact authors = 3;
+ // The component that the BOM describes.
+ optional Component component = 4;
+ // DEPRECATED - DO NOT USE - This will be removed in a future version - Use the `.component.manufacturer` instead.
+ // The organization that manufactured the component that the BOM describes.
+ optional OrganizationalEntity manufacture = 5 [deprecated = true];
+ // The organization that supplied the component that the BOM describes. The supplier may often be the manufacture, but may also be a distributor or repackager.
+ optional OrganizationalEntity supplier = 6;
+ // The license information for the BOM document. This may be different from the license(s) of the component(s) that the BOM describes.
+ // A list of SPDX licenses and/or named licenses and/or SPDX License Expression.
+ repeated LicenseChoice licenses = 7;
+ // Specifies custom properties.
+ repeated Property properties = 8;
+ // Lifecycles communicate the stage(s) in which data in the BOM was captured. Different types of data may be available at various phases of a lifecycle, such as the Software Development Lifecycle (SDLC), IT Asset Management (ITAM), and Software Asset Management (SAM). Thus, a BOM may include data specific to or only obtainable in a given lifecycle.
+ repeated Lifecycles lifecycles = 9;
+ // The organization that created the BOM. Manufacturer is common in BOMs created through automated processes. BOMs created through manual means may have '.authors' instead.
+ optional OrganizationalEntity manufacturer = 10;
+ // Conditions and constraints governing the sharing and distribution of the data or components described by this BOM.
+ optional DistributionConstraints distributionConstraints = 11;
+}
+
+message Lifecycles {
+ oneof choice {
+ // A pre-defined phase in the product lifecycle.
+ LifecyclePhase phase = 1;
+ // The name of the lifecycle phase
+ string name = 2;
+ }
+ // The description of the lifecycle phase
+ optional string description = 3;
+}
+
+enum LifecyclePhase {
+ // BOM produced early in the development lifecycle containing an inventory of components and services that are proposed or planned to be used. The inventory may need to be procured, retrieved, or resourced prior to use.
+ // buf:lint:ignore ENUM_ZERO_VALUE_SUFFIX -- value `0` is a fallback(meaning "unspecified") in protobuf3.
this usage here is an error; it shall be fixed with v2.0 of this very schema
+ LIFECYCLE_PHASE_DESIGN = 0;
+ // BOM consists of information obtained prior to a build process and may contain source files, development artifacts, and manifests. The inventory may need to be resolved and retrieved prior to use.
+ LIFECYCLE_PHASE_PRE_BUILD = 1;
+ // BOM consisting of information obtained during a build process where component inventory is available for use. The precise versions of resolved components are usually available at this time as well as the provenance of where the components were retrieved from.
+ LIFECYCLE_PHASE_BUILD = 2;
+ // BOM consisting of information obtained after a build process has completed and the resulting components(s) are available for further analysis. Built components may exist as the result of a CI/CD process, may have been installed or deployed to a system or device, and may need to be retrieved or extracted from the system or device.
+ LIFECYCLE_PHASE_POST_BUILD = 3;
+ // BOM produced that represents inventory that is running and operational. This may include staging or production environments and will generally encompass multiple SBOMs describing the applications and operating system, along with HBOMs describing the hardware that makes up the system. Operations Bill of Materials (OBOM) can provide full-stack inventory of runtime environments, configurations, and additional dependencies.
+ LIFECYCLE_PHASE_OPERATIONS = 4;
+ // BOM consisting of information observed through network discovery providing point-in-time enumeration of embedded, on-premise, and cloud-native services such as server applications, connected devices, microservices, and serverless functions.
+ LIFECYCLE_PHASE_DISCOVERY = 5;
+ // BOM containing inventory that will be, or has been retired from operations.
+ LIFECYCLE_PHASE_DECOMMISSION = 6;
+}
+
+message OrganizationalContact {
+ // The name of the contact
+ optional string name = 1;
+ // The email address of the contact.
+ optional string email = 2;
+ // The phone number of the contact.
+ optional string phone = 3;
+ // A identifier which can be used to reference the object elsewhere in the BOM. Uniqueness is enforced within all elements and children of the root-level bom element.
+ optional string bom_ref = 4;
+}
+
+message OrganizationalEntity {
+ // The name of the organization
+ optional string name = 1;
+ // The URL of the organization. Multiple URLs are allowed.
+ repeated string url = 2;
+ // A contact person at the organization. Multiple contacts are allowed.
+ repeated OrganizationalContact contact = 3;
+ // A identifier which can be used to reference the object elsewhere in the BOM. Uniqueness is enforced within all elements and children of the root-level bom element.
+ optional string bom_ref = 4;
+ // The physical address (location) of the organization
+ optional PostalAddressType address = 5;
+}
+
+enum PatchClassification {
+ // Default.
+ // buf:lint:ignore ENUM_ZERO_VALUE_SUFFIX -- `null` is our fallback, doubling `unspecified`
+ PATCH_CLASSIFICATION_NULL = 0;
+ // A patch which is not developed by the creators or maintainers of the software being patched. Refer to https://en.wikipedia.org/wiki/Unofficial_patch
+ PATCH_CLASSIFICATION_UNOFFICIAL = 1;
+ // A patch which dynamically modifies runtime behavior. Refer to https://en.wikipedia.org/wiki/Monkey_patch
+ PATCH_CLASSIFICATION_MONKEY = 2;
+ // A patch which takes code from a newer version of software and applies it to older versions of the same software. Refer to https://en.wikipedia.org/wiki/Backporting
+ PATCH_CLASSIFICATION_BACKPORT = 3;
+ // A patch created by selectively applying commits from other versions or branches of the same software.
+ PATCH_CLASSIFICATION_CHERRY_PICK = 4; +} + +// Specifies an individual patch +message Patch { + // Specifies the purpose for the patch, including the resolution of defects, security issues, or new behavior or functionality + PatchClassification type = 1; + // The patch file (or diff) that show changes. Refer to https://en.wikipedia.org/wiki/Diff + optional Diff diff = 2; + // A collection of issues the patch resolves + repeated Issue resolves = 3; +} + +// Component pedigree is a way to document complex supply chain scenarios where components are created, distributed, modified, redistributed, combined with other components, etc. Pedigree supports viewing this complex chain from the beginning, the end, or anywhere in the middle. It also provides a way to document variants where the exact relation may not be known. +message Pedigree { + // Describes zero or more components in which a component is derived from. This is commonly used to describe forks from existing projects where the forked version contains an ancestor node containing the original component it was forked from. For example, Component A is the original component. Component B is the component being used and documented in the BOM. However, Component B contains a pedigree node with a single ancestor documenting Component A - the original component from which Component B is derived from. + repeated Component ancestors = 1; + // Descendants are the exact opposite of ancestors. This provides a way to document all forks (and their forks) of an original or root component. + repeated Component descendants = 2; + // Variants describe relations where the relationship between the components is not known. For example, if Component A contains nearly identical code to Component B. They are both related, but it is unclear if one is derived from the other or if they share a common ancestor. 
+ repeated Component variants = 3; + // A list of zero or more commits which provide a trail describing how the component deviates from an ancestor, descendant, or variant. + repeated Commit commits = 4; + // A list of zero or more patches describing how the component deviates from an ancestor, descendant, or variant. Patches may be complementary to commits or may be used in place of commits. + repeated Patch patches = 5; + // Notes, observations, and other non-structured commentary describing the component's pedigree. + optional string notes = 6; +} + +enum Scope { + // Default + SCOPE_UNSPECIFIED = 0; + // The component is required for runtime + SCOPE_REQUIRED = 1; + // The component is optional at runtime. Optional components are components that are not capable of being called due to them not being installed or otherwise accessible by any means. Components that are installed but, due to configuration or other restrictions, are prohibited from being called must be scoped as 'required'. + SCOPE_OPTIONAL = 2; + // Components that are excluded provide the ability to document component usage for test and other non-runtime purposes. Excluded components are not reachable within a call graph at runtime. + SCOPE_EXCLUDED = 3; +} + +message Service { + // A identifier which can be used to reference the service elsewhere in the BOM. Uniqueness is enforced within all elements and children of the root-level bom element. + optional string bom_ref = 1; + // The organization that provides the service. + optional OrganizationalEntity provider = 2; + // The grouping name, namespace, or identifier. This will often be a shortened, single name of the company or project that produced the service or domain name. Whitespace and special characters should be avoided. + optional string group = 3; + // The name of the service. This will often be a shortened, single name of the service. + string name = 4; + // The service version. 
+ optional string version = 5; + // Specifies a description for the service. + optional string description = 6; + // The endpoint URIs of the service. Multiple endpoints are allowed. Example: "https://example.com/api/v1/ticker" + repeated string endpoints = 7; + // A boolean value indicating if the service requires authentication. A value of true indicates the service requires authentication prior to use. A value of false indicates the service does not require authentication. + optional bool authenticated = 8; + // A boolean value indicating if the use of the service crosses a trust zone or boundary. A value of true indicates that by using the service, a trust boundary is crossed. A value of false indicates that by using the service, a trust boundary is not crossed. + optional bool x_trust_boundary = 9; + // Specifies information about the data including the directional flow of data and the data classification. + repeated DataFlow data = 10; + // A list of SPDX licenses and/or named licenses and/or SPDX License Expression. + repeated LicenseChoice licenses = 11; + // Provides the ability to document external references related to the service. + repeated ExternalReference external_references = 12; + // Specifies sub-service. This is not a dependency tree. It provides a way to specify a hierarchical representation of service assemblies, similar to system -> subsystem -> parts assembly in physical supply chains. + repeated Service services = 13; + // Specifies custom properties. + repeated Property properties = 14; + // Specifies release notes. + optional ReleaseNotes releaseNotes = 15; + // The name of the trust zone the service resides in. + optional string trustZone = 16; + // Textual strings that aid in the discovery, search, and retrieval of the associated object. Tags often serve as a way to group or categorize similar or related objects by various attributes. 
Examples include "json-parser", "object-persistence", "text-to-image", "translation", and "object-detection". + repeated string tags = 17; + // A list of assertions made regarding patents associated with this component or service. Assertions distinguish between ownership, licensing, and other relevant interactions with patents. + repeated PatentAssertion patent_assertions = 18; +} + +// Specifies metadata and content for ISO-IEC 19770-2 Software Identification (SWID) Tags. +message Swid { + // Maps to the tagId of a SoftwareIdentity. + string tag_id = 1; + // Maps to the name of a SoftwareIdentity. + string name = 2; + // Maps to the version of a SoftwareIdentity. Defaults to '0.0' if not specified. + optional string version = 3; + // Maps to the tagVersion of a SoftwareIdentity. Defaults to '0' if not specified. + optional int32 tag_version = 4; + // Maps to the patch of a SoftwareIdentity. Defaults to 'false' if not specified. + optional bool patch = 5; + // Specifies the full content of the SWID tag. + optional AttachedText text = 6; + // The URL to the SWID file. + optional string url = 7; +} + +// Traffic Light Protocol (TLP) is a classification system for identifying the potential risk associated with artefact, including whether it is subject to certain types of legal, financial, or technical threats. Refer to https://www.first.org/tlp/ for further information. +//The default classification is "CLEAR" +enum TlpClassification { + // The information is not subject to any restrictions as regards the sharing. + // buf:lint:ignore ENUM_ZERO_VALUE_SUFFIX -- "CLEAR" is our fallback, the default. + TLP_CLASSIFICATION_CLEAR = 0; + // The information is subject to limited disclosure, and recipients can share it within their community but not via publicly accessible channels. + TLP_CLASSIFICATION_GREEN = 1; + // The information is subject to limited disclosure, and recipients can only share it on a need-to-know basis within their organization and with clients. 
+ TLP_CLASSIFICATION_AMBER = 2; + // The information is subject to limited disclosure, and recipients can only share it on a need-to-know basis within their organization. + TLP_CLASSIFICATION_AMBER_AND_STRICT = 3; + // The information is subject to restricted distribution to individual recipients only and must not be shared. + TLP_CLASSIFICATION_RED = 4; +} + +// Specifies a tool (manual or automated). +message Tool { + // DEPRECATED - DO NOT USE - This will be removed in a future version. + // The vendor of the tool used to create the BOM. + optional string vendor = 1 [deprecated = true]; + // DEPRECATED - DO NOT USE - This will be removed in a future version. + // The name of the tool used to create the BOM. + optional string name = 2 [deprecated = true]; + // DEPRECATED - DO NOT USE - This will be removed in a future version. + // The version of the tool used to create the BOM. + optional string version = 3 [deprecated = true]; + // DEPRECATED - DO NOT USE - This will be removed in a future version. + repeated Hash hashes = 4 [deprecated = true]; + // DEPRECATED - DO NOT USE - This will be removed in a future version. + // Provides the ability to document external references related to the tool. + repeated ExternalReference external_references = 5 [deprecated = true]; + // A list of software and hardware components used as tools + repeated Component components = 6; + // A list of services used as tools. This may include microservices, function-as-a-service, and other types of network or intra-process services. + repeated Service services = 7; +} + +// Specifies a property +message Property { + // Name (or key) + string name = 1; + // Value + optional string value = 2; +} + +enum Aggregate { + // The relationship completeness is not specified. + // buf:lint:ignore ENUM_ZERO_VALUE_SUFFIX -- `not specified` is our fallback, doubling `unspecified` + AGGREGATE_NOT_SPECIFIED = 0; + // The relationship is complete. 
No further relationships including constituent components, services, or dependencies are known to exist. + AGGREGATE_COMPLETE = 1; + // The relationship is incomplete. Additional relationships exist and may include constituent components, services, or dependencies. + AGGREGATE_INCOMPLETE = 2; + // The relationship is incomplete. Only relationships for first-party components, services, or their dependencies are represented. + AGGREGATE_INCOMPLETE_FIRST_PARTY_ONLY = 3; + // The relationship is incomplete. Only relationships for third-party components, services, or their dependencies are represented. + AGGREGATE_INCOMPLETE_THIRD_PARTY_ONLY = 4; + // The relationship may be complete or incomplete. This usually signifies a 'best-effort' to obtain constituent components, services, or dependencies but the completeness is inconclusive. + AGGREGATE_UNKNOWN = 5; + // The relationship is incomplete. Only relationships for first-party components, services, or their dependencies are represented, limited specifically to those that are proprietary. + AGGREGATE_INCOMPLETE_FIRST_PARTY_PROPRIETARY_ONLY = 6; + // The relationship is incomplete. Only relationships for first-party components, services, or their dependencies are represented, limited specifically to those that are opensource. + AGGREGATE_INCOMPLETE_FIRST_PARTY_OPENSOURCE_ONLY = 7; + // The relationship is incomplete. Only relationships for third-party components, services, or their dependencies are represented, limited specifically to those that are proprietary. + AGGREGATE_INCOMPLETE_THIRD_PARTY_PROPRIETARY_ONLY = 8; + // The relationship is incomplete. Only relationships for third-party components, services, or their dependencies are represented, limited specifically to those that are opensource. 
+ AGGREGATE_INCOMPLETE_THIRD_PARTY_OPENSOURCE_ONLY = 9; +} + +message Composition { + // Indicates the aggregate completeness + Aggregate aggregate = 1; + // The assemblies the aggregate completeness applies to + repeated string assemblies = 2; + // The dependencies the aggregate completeness applies to + repeated string dependencies = 3; + // The bom_ref identifiers of the vulnerabilities being described. + repeated string vulnerabilities = 4; + // A identifier which can be used to reference the composition elsewhere in the BOM. Every `bom_ref` must be unique within the BOM. + optional string bom_ref = 5; +} + +message EvidenceCopyright { + // Copyright text + string text = 1; +} + +// Provides the ability to document evidence collected through various forms of extraction or analysis. +message Evidence { + // A list of SPDX licenses and/or named licenses and/or SPDX License Expression. + repeated LicenseChoice licenses = 1; + // Copyright evidence captures intellectual property assertions, providing evidence of possible ownership and legal protection. + repeated EvidenceCopyright copyright = 2; + // Evidence that substantiates the identity of a component. The identity may be an object or an array of identity objects. Support for specifying identity as a single object was introduced in CycloneDX v1.5. Arrays were introduced in v1.6. It is recommended that all implementations use arrays, even if only one identity object is specified. + repeated EvidenceIdentity identity = 3; + // Evidence of individual instances of a component spread across multiple locations. + repeated EvidenceOccurrences occurrences = 4; + // Evidence of the components use through the callstack. + optional Callstack callstack = 5; +} + +message Callstack { + // Within a call stack, a frame is a discrete unit that encapsulates an execution context, including local variables, parameters, and the return address. 
As function calls are made, frames are pushed onto the stack, forming an array-like structure that orchestrates the flow of program execution and manages the sequence of function invocations. + repeated Frames frames = 1; + + message Frames { + // A package organizes modules into namespaces, providing a unique namespace for each type it contains. + optional string package = 1; + // A module or class that encloses functions/methods and other code. + string module = 2; + // A block of code designed to perform a particular task. + optional string function = 3; + // Arguments that are passed to the module or function. + repeated string parameters = 4; + // The line number the code that is called resides on. + optional int32 line = 5; + // The column the code that is called resides. + optional int32 column = 6; + // The full path and filename of the module. + optional string fullFilename = 7; + } +} + +message EvidenceIdentity { + // The identity field of the component which the evidence describes. + EvidenceFieldType field = 1; + // The overall confidence of the evidence from 0 - 1, where 1 is 100% confidence. + optional float confidence = 2; + // The methods used to extract and/or analyze the evidence. + repeated EvidenceMethods methods = 3; + // The object in the BOM identified by its bom_ref. This is often a component or service, but may be any object type supporting bom_refs. Tools used for analysis should already be defined in the BOM, either in the metadata/tools, components, or formulation. + repeated string tools = 4; + // The value of the field (cpe, purl, etc) that has been concluded based on the aggregate of all methods (if available). + optional string concludedValue = 5; +} + +message EvidenceMethods { + // The technique used in this method of analysis. + EvidenceTechnique technique = 1; + // The confidence of the evidence from 0 - 1, where 1 is 100% confidence. Confidence is specific to the technique used. 
Each technique of analysis can have independent confidence. + float confidence = 2; + // The value or contents of the evidence. + optional string value = 3; +} + +message EvidenceOccurrences { + // A identifier which can be used to reference the occurrence elsewhere in the BOM. Every `bom_ref` must be unique within the BOM. + optional string bom_ref = 1; + // The location or path to where the component was found. + string location = 2; + // The line number where the component was found. + optional int32 line = 3; + // The offset where the component was found. + optional int32 offset = 4; + // The symbol name that was found associated with the component. + optional string symbol = 5; + // Any additional context of the detected component (e.g. a code snippet). + optional string additionalContext = 6; +} + +// buf:lint:ignore ENUM_VALUE_PREFIX -- Enum value names should be prefixed with "EVIDENCE_FIELD_TYPE_" +enum EvidenceFieldType { + // buf:lint:ignore ENUM_ZERO_VALUE_SUFFIX -- `null` is our fallback, doubling `unspecified` + EVIDENCE_FIELD_NULL = 0; + EVIDENCE_FIELD_GROUP = 1; + EVIDENCE_FIELD_NAME = 2; + EVIDENCE_FIELD_VERSION = 3; + EVIDENCE_FIELD_PURL = 4; + EVIDENCE_FIELD_CPE = 5; + EVIDENCE_FIELD_SWID = 6; + EVIDENCE_FIELD_HASH = 7; + EVIDENCE_FIELD_OMNIBOR_ID = 8; + EVIDENCE_FIELD_SWHID = 9; +} + +enum EvidenceTechnique { + // buf:lint:ignore ENUM_ZERO_VALUE_SUFFIX -- value `0` is a fallback(meaning "unspecified") in protobuf3. this usage here is an error, it shall be fixed with v2.0 of this very schema + EVIDENCE_TECHNIQUE_SOURCE_CODE_ANALYSIS = 0; + EVIDENCE_TECHNIQUE_BINARY_ANALYSIS = 1; + EVIDENCE_TECHNIQUE_MANIFEST_ANALYSIS = 2; + EVIDENCE_TECHNIQUE_AST_FINGERPRINT = 3; + EVIDENCE_TECHNIQUE_HASH_COMPARISON = 4; + EVIDENCE_TECHNIQUE_INSTRUMENTATION = 5; + EVIDENCE_TECHNIQUE_DYNAMIC_ANALYSIS = 6; + EVIDENCE_TECHNIQUE_FILENAME = 7; + EVIDENCE_TECHNIQUE_ATTESTATION = 8; + EVIDENCE_TECHNIQUE_OTHER = 9; +} + +// A note containing the locale and content. 
+message Note { + // The ISO-639 (or higher) language code and optional ISO-3166 (or higher) country code. Examples include: "en", "en-US", "fr" and "fr-CA". + optional string locale = 1; + // Specifies the full content of the release note. + optional AttachedText text = 2; +} + +message ReleaseNotes { + // The software versioning type. It is recommended that the release type use one of 'major', 'minor', 'patch', 'pre-release', or 'internal'. Representing all possible software release types is not practical, so standardizing on the recommended values, whenever possible, is strongly encouraged. + string type = 1; + // The title of the release. + optional string title = 2; + // The URL to an image that may be prominently displayed with the release note. + optional string featuredImage = 3; + // The URL to an image that may be used in messaging on social media platforms. + optional string socialImage = 4; + // A short description of the release. + optional string description = 5; + // The date and time (timestamp) when the release note was created. + optional google.protobuf.Timestamp timestamp = 6; + // Alternate names the release may be referred to. This may include unofficial terms used by development and marketing teams (e.g. code names). + repeated string aliases = 7; + // Textual strings that aid in the discovery, search, and retrieval of the associated object. Tags often serve as a way to group or categorize similar or related objects by various attributes. Examples include "json-parser", "object-persistence", "text-to-image", "translation", and "object-detection". + repeated string tags = 8; + // A collection of issues that have been resolved. + repeated Issue resolves = 9; + // Zero or more release notes containing the locale and content. Multiple note messages may be specified to support release notes in a wide variety of languages. + repeated Note notes = 10; + // Specifies custom properties. 
+ repeated Property properties = 11; +} + +// Defines a weakness in a component or service that could be exploited or triggered by a threat source. +message Vulnerability { + // A identifier which can be used to reference the vulnerability elsewhere in the BOM. Uniqueness is enforced within all elements and children of the root-level bom element. + optional string bom_ref = 1; + // The identifier that uniquely identifies the vulnerability. + optional string id = 2; + // The source that published the vulnerability. + optional Source source = 3; + // Zero or more pointers to vulnerabilities that are the equivalent of the vulnerability specified. Oftentimes, the same vulnerability may exist in multiple sources of vulnerability intelligence but have different identifiers. References provide a way to correlate vulnerabilities across multiple sources of vulnerability intelligence. + repeated VulnerabilityReference references = 4; + // List of vulnerability ratings + repeated VulnerabilityRating ratings = 5; + // List of Common Weaknesses Enumerations (CWEs) codes that describe this vulnerability. For example, 399 (of https://cwe.mitre.org/data/definitions/399.html) + repeated int32 cwes = 6; + // A description of the vulnerability as provided by the source. + optional string description = 7; + // If available, an in-depth description of the vulnerability as provided by the source organization. Details often include information useful in understanding the root cause. + optional string detail = 8; + // Recommendations of how the vulnerability can be remediated or mitigated. + optional string recommendation = 9; + // Published advisories of the vulnerability if provided. + repeated Advisory advisories = 10; + // The date and time (timestamp) when the vulnerability record was created in the vulnerability database. + optional google.protobuf.Timestamp created = 11; + // The date and time (timestamp) when the vulnerability record was first published. 
+ optional google.protobuf.Timestamp published = 12; + // The date and time (timestamp) when the vulnerability record was last updated. + optional google.protobuf.Timestamp updated = 13; + // Individuals or organizations credited with the discovery of the vulnerability. + optional VulnerabilityCredits credits = 14; + // The tool(s) used to identify, confirm, or score the vulnerability. + optional Tool tools = 15; + // An assessment of the impact and exploitability of the vulnerability. + optional VulnerabilityAnalysis analysis = 16; + // affects + repeated VulnerabilityAffects affects = 17; + // Specifies custom properties. + repeated Property properties = 18; + // The date and time (timestamp) when the vulnerability record was rejected (if applicable). + optional google.protobuf.Timestamp rejected = 19; + // Evidence used to reproduce the vulnerability. + optional ProofOfConcept proofOfConcept = 20; + // A bypass, usually temporary, of the vulnerability that reduces its likelihood and/or impact. Workarounds often involve changes to configuration or deployments. + optional string workaround = 21; +} + +message ProofOfConcept { + // Precise steps to reproduce the vulnerability. + optional string reproductionSteps = 1; + // A description of the environment in which reproduction was possible. + optional string environment = 2; + // Supporting material that helps in reproducing or understanding how reproduction is possible. This may include screenshots, payloads, and PoC exploit code. + repeated AttachedText supportingMaterial = 3; +} + +message VulnerabilityReference { + // An identifier that uniquely identifies the vulnerability. + string id = 1; + // The source that published the vulnerability. + Source source = 2; +} + +message VulnerabilityRating { + // The source that calculated the severity or risk rating of the vulnerability. + optional Source source = 1; + // The numerical score of the rating. 
+ optional double score = 2; + // Textual representation of the severity that corresponds to the numerical score of the rating. + optional Severity severity = 3; + // Specifies the severity or risk scoring methodology or standard used. + optional ScoreMethod method = 4; + // Textual representation of the metric values used to score the vulnerability. + optional string vector = 5; + // A reason for rating the vulnerability as it was. + optional string justification = 6; +} + +// Textual representation of the severity of the vulnerability adopted by the analysis method. If the analysis method uses values other than what is provided, the user is expected to translate appropriately. +enum Severity { + // The severity is not known. + // buf:lint:ignore ENUM_ZERO_VALUE_SUFFIX -- `unknown` is our fallback, doubling `unspecified` + SEVERITY_UNKNOWN = 0; + // Critical severity + SEVERITY_CRITICAL = 1; + // High severity + SEVERITY_HIGH = 2; + // Medium severity + SEVERITY_MEDIUM = 3; + // Low severity + SEVERITY_LOW = 4; + // Informational warning. + SEVERITY_INFO = 5; + // None + SEVERITY_NONE = 6; +} + +enum ScoreMethod { + // An undefined score method. 
+ // buf:lint:ignore ENUM_ZERO_VALUE_SUFFIX -- `null` is our fallback, doubling `unspecified` + SCORE_METHOD_NULL = 0; + // Common Vulnerability Scoring System v2 - https://www.first.org/cvss/v2/ + SCORE_METHOD_CVSSV2 = 1; + // Common Vulnerability Scoring System v3 - https://www.first.org/cvss/v3-0/ + SCORE_METHOD_CVSSV3 = 2; + // Common Vulnerability Scoring System v3.1 - https://www.first.org/cvss/v3-1/ + SCORE_METHOD_CVSSV31 = 3; + // OWASP Risk Rating Methodology - https://owasp.org/www-community/OWASP_Risk_Rating_Methodology + SCORE_METHOD_OWASP = 4; + // Other scoring method + SCORE_METHOD_OTHER = 5; + // Common Vulnerability Scoring System v4.0 - https://www.first.org/cvss/v4-0/ + SCORE_METHOD_CVSSV4 = 6; + // Stakeholder Specific Vulnerability Categorization (all versions) - https://github.com/CERTCC/SSVC + SCORE_METHOD_SSVC = 7; +} + +// Title and location where advisory information can be obtained. An advisory is a notification of a threat to a component, service, or system. +message Advisory { + // A name of the advisory. + optional string title = 1; + // Location where the advisory can be obtained. + string url = 2; +} + +message VulnerabilityCredits { + // The organizations credited with vulnerability discovery. + repeated OrganizationalEntity organizations = 1; + // The individuals not associated with organizations that are credited with vulnerability discovery. + repeated OrganizationalContact individuals = 2; +} + +message VulnerabilityAnalysis { + // Declares the current state of an occurrence of a vulnerability after automated or manual analysis. + optional ImpactAnalysisState state = 1; + // The rationale of why the impact analysis state was asserted. + optional ImpactAnalysisJustification justification = 2; + // A response to the vulnerability by the manufacturer, supplier, or project responsible for the affected component or service. More than one response is allowed. 
Responses are strongly encouraged for vulnerabilities where the analysis state is exploitable. + repeated VulnerabilityResponse response = 3; + // Detailed description of the impact, including methods used during the assessment. If a vulnerability is not exploitable, this field should include specific details on why the component or service is not impacted by this vulnerability. + optional string detail = 4; + // The date and time (timestamp) when the analysis was first issued. + optional google.protobuf.Timestamp firstIssued = 5; + // The date and time (timestamp) when the analysis was last updated. + optional google.protobuf.Timestamp lastUpdated = 6; +} + +enum ImpactAnalysisState { + // An undefined impact analysis state. + // buf:lint:ignore ENUM_ZERO_VALUE_SUFFIX -- `null` is our fallback, doubling `unspecified` + IMPACT_ANALYSIS_STATE_NULL = 0; + // The vulnerability has been remediated. + IMPACT_ANALYSIS_STATE_RESOLVED = 1; + // The vulnerability has been remediated, and evidence of the changes is provided in the affected components pedigree containing verifiable commit history and/or diff(s). + IMPACT_ANALYSIS_STATE_RESOLVED_WITH_PEDIGREE = 2; + // The vulnerability may be directly or indirectly exploitable. + IMPACT_ANALYSIS_STATE_EXPLOITABLE = 3; + // The vulnerability is being investigated. + IMPACT_ANALYSIS_STATE_IN_TRIAGE = 4; + // The vulnerability is not specific to the component or service and was falsely identified or associated. + IMPACT_ANALYSIS_STATE_FALSE_POSITIVE = 5; + // The component or service is not affected by the vulnerability. Justification should be specified for all not_affected cases. + IMPACT_ANALYSIS_STATE_NOT_AFFECTED = 6; +} + +enum ImpactAnalysisJustification { + // An undefined impact analysis justification. + // buf:lint:ignore ENUM_ZERO_VALUE_SUFFIX -- `null` is our fallback, doubling `unspecified` + IMPACT_ANALYSIS_JUSTIFICATION_NULL = 0; + // The code has been removed or tree-shaked. 
+ IMPACT_ANALYSIS_JUSTIFICATION_CODE_NOT_PRESENT = 1; + // The vulnerable code is not invoked at runtime. + IMPACT_ANALYSIS_JUSTIFICATION_CODE_NOT_REACHABLE = 2; + // Exploitability requires a configurable option to be set/unset. + IMPACT_ANALYSIS_JUSTIFICATION_REQUIRES_CONFIGURATION = 3; + // Exploitability requires a dependency that is not present. + IMPACT_ANALYSIS_JUSTIFICATION_REQUIRES_DEPENDENCY = 4; + // Exploitability requires a certain environment which is not present. + IMPACT_ANALYSIS_JUSTIFICATION_REQUIRES_ENVIRONMENT = 5; + // Exploitability requires a compiler flag to be set/unset. + IMPACT_ANALYSIS_JUSTIFICATION_PROTECTED_BY_COMPILER = 6; + // Exploits are prevented at runtime. + IMPACT_ANALYSIS_JUSTIFICATION_PROTECTED_AT_RUNTIME = 7; + // Attacks are blocked at physical, logical, or network perimeter. + IMPACT_ANALYSIS_JUSTIFICATION_PROTECTED_AT_PERIMETER = 8; + // Preventative measures have been implemented that reduce the likelihood and/or impact of the vulnerability. + IMPACT_ANALYSIS_JUSTIFICATION_PROTECTED_BY_MITIGATING_CONTROL = 9; +} + +enum VulnerabilityResponse { + // unspecified value. + // buf:lint:ignore ENUM_ZERO_VALUE_SUFFIX -- `null` is our fallback, doubling `unspecified` + VULNERABILITY_RESPONSE_NULL = 0; + // Can not fix + VULNERABILITY_RESPONSE_CAN_NOT_FIX = 1; + // Will not fix + VULNERABILITY_RESPONSE_WILL_NOT_FIX = 2; + // Update to a different revision or release + VULNERABILITY_RESPONSE_UPDATE = 3; + // Revert to a previous revision or release + VULNERABILITY_RESPONSE_ROLLBACK = 4; + // There is a workaround available + VULNERABILITY_RESPONSE_WORKAROUND_AVAILABLE = 5; +} + +message VulnerabilityAffects { + // References a component or service by the objects bom_ref + string ref = 1; + // Zero or more individual versions or range of versions. + repeated VulnerabilityAffectedVersions versions = 2; +} + +message VulnerabilityAffectedVersions { + oneof choice { + // A single version of a component or service. 
+ string version = 1; + // A version range specified in Package URL Version Range syntax (vers), which is defined at https://github.com/package-url/vers-spec + string range = 2; + } + // The vulnerability status for the version or range of versions. Defaults to VULNERABILITY_AFFECTED_STATUS_AFFECTED if not specified. + optional VulnerabilityAffectedStatus status = 3; +} + +// The vulnerability status of a given version or range of versions of a product. The statuses 'affected' and 'unaffected' indicate that the version is affected or unaffected by the vulnerability. The status 'unknown' indicates that it is unknown or unspecified whether the given version is affected. There can be many reasons for an 'unknown' status, including that an investigation has not been undertaken or that a vendor has not disclosed the status. +enum VulnerabilityAffectedStatus { + // It is unknown (or unspecified) whether the given version is affected. + // buf:lint:ignore ENUM_ZERO_VALUE_SUFFIX -- `unknown` is our fallback, doubling `unspecified` + VULNERABILITY_AFFECTED_STATUS_UNKNOWN = 0; + // The version is affected by the vulnerability. + VULNERABILITY_AFFECTED_STATUS_AFFECTED = 1; + // The version is not affected by the vulnerability. + VULNERABILITY_AFFECTED_STATUS_NOT_AFFECTED = 2; +} + +message AnnotatorChoice { + oneof choice { + // The organization that created the annotation + OrganizationalEntity organization = 1; + // The person that created the annotation + OrganizationalContact individual = 2; + // The tool or component that created the annotation + Component component = 3; + // The service that created the annotation + Service service = 4; + } +} + +message Annotation { + // A identifier which can be used to reference the annotation elsewhere in the BOM. Every `bom_ref` must be unique within the BOM. + optional string bom_ref = 1; + // The object in the BOM identified by its bom_ref. This is often a component or service but may be any object type supporting bom_refs. 
+ repeated string subjects = 2; + // The organization, person, component, or service which created the textual content of the annotation. + AnnotatorChoice annotator = 3; + // The date and time (timestamp) when the annotation was created. + google.protobuf.Timestamp timestamp = 4; + // The textual content of the annotation. + string text = 5; +} + +/** + * A model card describes the intended uses of a machine learning model and potential limitations, including biases and ethical considerations. Model cards typically contain the training parameters, which datasets were used to train the model, performance metrics, and other relevant data useful for ML transparency. This object SHOULD be specified for any component of type `machine-learning-model` and must not be specified for other component types. + * + * Comment: + * Model card support in CycloneDX is derived from TensorFlow Model Card Toolkit released under the Apache 2.0 license and available from https://github.com/tensorflow/model-card-toolkit/blob/main/model_card_toolkit/schema/v0.0.2/model_card.schema.json. In addition, CycloneDX model card support includes portions of VerifyML, also released under the Apache 2.0 license and available from https://github.com/cylynx/verifyml/blob/main/verifyml/model_card_toolkit/schema/v0.0.4/model_card.schema.json. + */ +message ModelCard { + // A identifier which can be used to reference the model card elsewhere in the BOM. Every `bom_ref` must be unique within the BOM. + optional string bom_ref = 1; + // Hyper-parameters for construction of the model. + optional ModelParameters modelParameters = 2; + // A quantitative analysis of the model + optional QuantitativeAnalysis quantitativeAnalysis = 3; + // What considerations should be taken into account regarding the model's construction, training, and application? + optional ModelCardConsiderations considerations = 4; + + message ModelParameters { + // The overall approach to learning used by the model for problem-solving. 
+ optional Approach approach = 1; + // Directly influences the input and/or output. Examples include classification, regression, clustering, etc. + optional string task = 2; + // The model architecture family such as transformer network, convolutional neural network, residual neural network, LSTM neural network, etc. + optional string architectureFamily = 3; + //The specific architecture of the model, such as GPT-1, ResNet-50, YOLOv3, etc. + optional string modelArchitecture = 4; + // The datasets used to train and evaluate the model. + repeated Datasets datasets = 5; + // The input format(s) of the model + repeated MachineLearningInputOutputParameters inputs = 6; + // The output format(s) from the model + repeated MachineLearningInputOutputParameters outputs = 7; + + message Approach { + // Learning types describing the learning problem or hybrid learning problem. + optional ModelParameterApproachType type = 1; + } + + message Datasets { + oneof choice { + // Inline Data Information + ComponentData dataset = 1; + // References a data component by the components bom_ref attribute + string ref = 2; + } + } + + message MachineLearningInputOutputParameters { + // The data format for input/output to the model. Example formats include string, image, time-series + optional string format = 1; + } + } + message QuantitativeAnalysis { + // The model performance metrics being reported. Examples may include accuracy, F1 score, precision, top-3 error rates, MSC, etc. + repeated PerformanceMetrics performanceMetrics = 1; + // A collection of graphics that represent various measurements. + optional GraphicsCollection graphics = 2; + + message PerformanceMetrics { + // The type of performance metric. + optional string type = 1; + // The value of the performance metric. + optional string value = 2; + // The name of the slice this metric was computed on. By default, assume this metric is not sliced. + optional string slice = 3; + // The confidence interval of the metric. 
+ optional ConfidenceInterval confidenceInterval = 4; + + message ConfidenceInterval { + // The lower bound of the confidence interval. + optional string lowerBound = 1; + // The upper bound of the confidence interval. + optional string upperBound = 2; + } + } + } + message ModelCardConsiderations { + // Who are the intended users of the model? + repeated string users = 1; + // What are the intended use cases of the model? + repeated string useCases = 2; + // What are the known technical limitations of the model? E.g. What kind(s) of data should the model be expected not to perform well on? What are the factors that might degrade model performance? + repeated string technicalLimitations = 3; + // What are the known tradeoffs in accuracy/performance of the model? + repeated string performanceTradeoffs = 4; + // What are the ethical risks involved in the application of this model? + repeated EthicalConsiderations ethicalConsiderations = 5; + // How does the model affect groups at risk of being systematically disadvantaged? What are the harms and benefits to the various affected groups? + repeated FairnessAssessments fairnessAssessments = 6; + // What are the various environmental impacts the corresponding machine learning model has exhibited across its lifecycle? + optional EnvironmentalConsiderations environmentalConsiderations = 7; + + message EthicalConsiderations { + // The name of the risk. + optional string name = 1; + // Strategy used to address this risk. + optional string mitigationStrategy = 2; + } + message FairnessAssessments { + // The groups or individuals at risk of being systematically disadvantaged by the model. + optional string groupAtRisk = 1; + // Expected benefits to the identified groups. + optional string benefits = 2; + // Expected harms to the identified groups. + optional string harms = 3; + // With respect to the benefits and harms outlined, please describe any mitigation strategy implemented. 
+ optional string mitigationStrategy = 4; + } + message EnvironmentalConsiderations { + // Describes energy consumption information incurred for one or more component lifecycle activities. + repeated EnergyConsumption energyConsumptions = 1; + // Specifies custom properties for environment considerations. + repeated Property properties = 2; + } + // Describes energy consumption information incurred for the specified lifecycle activity. + message EnergyConsumption { + // An activity that is part of a machine learning model development or operational lifecycle. + enum ActivityType { + // Default + ACTIVITY_TYPE_UNSPECIFIED = 0; + // a lifecycle activity type whose description does not match currently defined values (the default type). + ACTIVITY_TYPE_OTHER = 1; + // model design including problem framing, goal definition and algorithm selection. + ACTIVITY_TYPE_DESIGN = 2; + // model data acquisition including search, selection and transfer. + ACTIVITY_TYPE_DATA_COLLECTION = 3; + // model data preparation including data cleaning, labeling and conversion. + ACTIVITY_TYPE_DATA_PREPARATION = 4; + // model building, training and generalized tuning. + ACTIVITY_TYPE_TRAINING = 5; + // refining a trained model to produce desired outputs for a given problem space. + ACTIVITY_TYPE_FINE_TUNING = 6; + // model validation including model output evaluation and testing. + ACTIVITY_TYPE_VALIDATION = 7; + // explicit model deployment to a target hosting infrastructure. + ACTIVITY_TYPE_DEPLOYMENT = 8; + // generating an output response from a hosted model from a set of inputs. + ACTIVITY_TYPE_INFERENCE = 9; + } + + // The type of activity that is part of a machine learning model development or operational lifecycle. + ActivityType activity = 1; + // The providers of the energy consumed by the associated model development lifecycle activity. + repeated EnergyProviderType energyProviders = 2; + // The total energy cost associated with the model lifecycle activity. 
+ EnergyMeasureType activityEnergyCost = 3; + // The CO2 cost or debit equivalent to the total energy cost. + optional CO2MeasureType co2CostEquivalent = 4; + // The CO2 offset or credit for the CO2 equivalent cost. + optional CO2MeasureType co2CostOffset = 5; + // Specifies custom properties for environment considerations. + repeated Property properties = 6; + } + } +} + + +// Describes the physical provider of energy used for model development or operations. +message EnergyProviderType { + enum EnergySourceType { + // Default + ENERGY_SOURCE_TYPE_UNSPECIFIED = 0; + // energy source: unknown. The energy source is unknown. + ENERGY_SOURCE_TYPE_UNKNOWN = 1; + // energy source: other. An energy source that is not listed. + ENERGY_SOURCE_TYPE_OTHER = 2; + // energy source: coal. Energy produced by types of coal. + ENERGY_SOURCE_TYPE_COAL = 3; + // energy source: oil. Petroleum products (primarily crude oil and its derivative fuel oils). + ENERGY_SOURCE_TYPE_OIL = 4; + // energy source: natural-gas. Hydrocarbon gas liquids (HGL) that occur as gases at atmospheric pressure and as liquids under higher pressures including Natural gas (C5H12 and heavier), Ethane (C2H6), Propane (C3H8), etc. + ENERGY_SOURCE_TYPE_NATURAL_GAS = 5; + // energy source: nuclear. Energy produced from the cores of atoms (i.e., through nuclear fission or fusion). + ENERGY_SOURCE_TYPE_NUCLEAR = 6; + // energy source: wind. Energy produced from moving air. + ENERGY_SOURCE_TYPE_WIND = 7; + // energy source: solar. Energy produced from the sun (i.e., solar radiation). + ENERGY_SOURCE_TYPE_SOLAR = 8; + // energy source: geothermal. Energy produced from heat within the earth. + ENERGY_SOURCE_TYPE_GEOTHERMAL = 9; + // energy source: hydropower. Energy produced from flowing water. + ENERGY_SOURCE_TYPE_HYDROPOWER = 10; + // energy source: biofuel. Liquid fuels produced from biomass feedstocks (i.e., organic materials such as plants or animals). 
+ ENERGY_SOURCE_TYPE_BIOFUEL = 11; + } + + // BOM unique reference to the energy provider. + optional string bom_ref = 1; + // A description of the energy provider. + string description = 2; + // The organization of the energy provider. + OrganizationalEntity organization = 3; + // The energy source for the energy provider. + EnergySourceType energySource = 4; + // The energy provided by the energy source for an associated activity. + EnergyMeasureType energyProvided = 5; + // Provides the ability to document external references related to the BOM or to the project the BOM describes. + repeated ExternalReference external_references = 6; +} + +// A measure of energy. +message EnergyMeasureType { + enum EnergyMeasureUnitType { + //Default + ENERGY_MEASURE_UNIT_TYPE_UNSPECIFIED = 0; + // kilowatt-hour (kWh) is the energy delivered by one kilowatt (kW) of power for one hour (h) (the default unit). + ENERGY_MEASURE_UNIT_TYPE_KILOWATT_HOURS = 1; + } + + // Quantity of energy. + float value = 1; + // Unit of energy. + EnergyMeasureUnitType unit = 2; +} + + +// A measure of carbon dioxide (CO2). +message CO2MeasureType { + enum CO2MeasureUnitType { + // Default + CO2_MEASURE_UNIT_TYPE_UNSPECIFIED = 0; + // Tonnes (t) of carbon dioxide (CO2) equivalent (eq) (the default unit). + CO2_MEASURE_UNIT_TYPE_TONNES_CO2_EQUIVALENT = 1; + } + + // Quantity of carbon dioxide (CO2). + float value = 1; + // Unit of carbon dioxide (CO2). + CO2MeasureUnitType unit = 2; +} + + +// An address used to identify a contactable location. +message PostalAddressType { + // A identifier which can be used to reference the address elsewhere in the BOM. Every `bom_ref` must be unique within the BOM. + optional string bom_ref = 1; + // The country name or the two-letter ISO 3166-1 country code. + optional string country = 2; + // The region or state in the country. For example, Texas. + optional string region = 3; + // The locality or city within the country. For example, Austin. 
+ optional string locality = 4; + // The post office box number. For example, 901. + optional string postOfficeBoxNumber = 5; + // The postal code. For example, 78758. + optional string postalCodeue = 6; + // The street address. For example, 100 Main Street. + optional string streetAddress = 7; +} + +enum ModelParameterApproachType { + // Supervised machine learning involves training an algorithm on labeled data to predict or classify new data based on the patterns learned from the labeled examples. + // buf:lint:ignore ENUM_ZERO_VALUE_SUFFIX -- value `0` is a fallback(meaning "unspecified") in protobuf3. this usage here is an error, it shall be fixed with v2.0 of this very schema + MODEL_PARAMETER_APPROACH_TYPE_SUPERVISED = 0; + // Unsupervised machine learning involves training algorithms on unlabeled data to discover patterns, structures, or relationships without explicit guidance, allowing the model to identify inherent structures or clusters within the data. + MODEL_PARAMETER_APPROACH_TYPE_UNSUPERVISED = 1; + // Reinforcement learning is a type of machine learning where an agent learns to make decisions by interacting with an environment to maximize cumulative rewards, through trial and error. + MODEL_PARAMETER_APPROACH_TYPE_REINFORCED_LEARNING = 2; + // Semi-supervised machine learning utilizes a combination of labeled and unlabeled data during training to improve model performance, leveraging the benefits of both supervised and unsupervised learning techniques. + MODEL_PARAMETER_APPROACH_TYPE_SEMI_SUPERVISED = 3; + // Self-supervised machine learning involves training models to predict parts of the input data from other parts of the same data, without requiring external labels, enabling learning from large amounts of unlabeled data. + MODEL_PARAMETER_APPROACH_TYPE_SELF_SUPERVISED = 4; +} + +message ComponentData { + // A identifier which can be used to reference the dataset elsewhere in the BOM. Every `bom_ref` must be unique within the BOM. 
+ optional string bom_ref = 1; + // The general theme or subject matter of the data being specified. + ComponentDataType type = 2; + // The name of the dataset. + optional string name = 3; + // The contents or references to the contents of the data being described. + optional ComponentDataContents contents = 4; + // Data classification tags data according to its type, sensitivity, and value if altered, stolen, or destroyed. + optional string classification = 5; + // A description of any sensitive data in a dataset. + repeated string sensitiveData = 6; + // A collection of graphics that represent various measurements. + optional GraphicsCollection graphics = 7; + // A description of the dataset. Can describe size of dataset, whether it's used for source code, training, testing, or validation, etc. + optional string description = 8; + // Data Governance + optional DataGovernance governance = 9; + + message ComponentDataContents { + // A way to include textual or encoded data. + optional AttachedText attachment = 1; + // The URL to where the data can be retrieved. + optional string url = 2; + // Provides the ability to document name-value parameters used for configuration. + repeated Property properties = 3; + } +} + +// Data governance captures information regarding data ownership, stewardship, and custodianship, providing insights into the individuals or entities responsible for managing, overseeing, and safeguarding the data throughout its lifecycle. +message DataGovernance { + // Data custodians are responsible for the safe custody, transport, and storage of data. + repeated DataGovernanceResponsibleParty custodians = 1; + // Data stewards are responsible for data content, context, and associated business rules. + repeated DataGovernanceResponsibleParty stewards = 2; + // Data owners are concerned with risk and appropriate access to data. 
+ repeated DataGovernanceResponsibleParty owners = 3; + + message DataGovernanceResponsibleParty { + oneof choice { + // The organization that is responsible for specific data governance role(s). + OrganizationalEntity organization = 1; + // The individual that is responsible for specific data governance role(s). + OrganizationalContact contact = 2; + } + } +} + +enum ComponentDataType { + // Any type of code, code snippet, or data-as-code + // buf:lint:ignore ENUM_ZERO_VALUE_SUFFIX -- value `0` is a fallback(meaning "unspecified") in protobuf3. this usage here is an error, it shall be fixed with v2.0 of this very schema + COMPONENT_DATA_TYPE_SOURCE_CODE = 0; + // Parameters or settings that may be used by other components. + COMPONENT_DATA_TYPE_CONFIGURATION = 1; + // A collection of data. + COMPONENT_DATA_TYPE_DATASET = 2; + // Data that can be used to create new instances of what the definition defines. + COMPONENT_DATA_TYPE_DEFINITION = 3; + // Any other type of data that does not fit into existing definitions. + COMPONENT_DATA_TYPE_OTHER = 4; +} + +// A collection of graphics that represent various measurements. +message GraphicsCollection { + // A description of this collection of graphics. + optional string description = 1; + // A collection of graphics. + repeated Graphic graphic = 2; + + message Graphic { + // The name of the graphic. + optional string name = 1; + // The graphic (vector or raster). Base64 encoding must be specified for binary images. + optional AttachedText image = 2; + } +} + +// Describes workflows and resources that captures rules and other aspects of how the associated BOM component or service was formed. +message Formula { + // BOM unique reference to the resource. 
+ optional string bom_ref = 1; + // Transient components that are used in tasks that constitute one or more of this formula's workflows + repeated Component components = 2; + // Transient services that are used in tasks that constitute one or more of this formula's workflows + repeated Service services = 3; + // List of workflows that can be declared to accomplish specific orchestrated goals and independently triggered. + repeated Workflow workflows = 4; + // Domain-specific formula properties. + repeated Property properties = 5; +} + +// A specialized orchestration task. +message Workflow { + // BOM unique reference to the resource. + string bom_ref = 1; + // The unique identifier for the resource instance within its deployment context. + string uid = 2; + // The name of the resource instance. + optional string name = 3; + // A description of the resource instance. + optional string description = 4; + // Domain-specific resource instance properties. + repeated Property properties = 5; + // References to component or service resources that are used to realize the resource instance. + repeated ResourceReferenceChoice resourceReferences = 6; + // The tasks that comprise the workflow. + repeated Task tasks = 7; + // The graph of dependencies between tasks within the workflow. + repeated Dependency taskDependencies = 8; + // Indicates the types of activities performed by the set of workflow tasks. + repeated TaskType taskTypes = 9; + // The trigger that initiated the task. + optional Trigger trigger = 10; + // The sequence of steps for the task. + repeated Step steps = 11; + // Represents resources and data brought into a task at runtime by executor or task commands + repeated InputType inputs = 12; + // Represents resources and data output from a task at runtime by executor or task commands + repeated OutputType outputs = 13; + // The date and time (timestamp) when the task started. 
+ optional google.protobuf.Timestamp timeStart = 14; + // The date and time (timestamp) when the task ended. + optional google.protobuf.Timestamp timeEnd = 15; + // A set of named filesystem or data resource shareable by workflow tasks. + repeated Workspace workspaces = 16; + // A graph of the component runtime topology for workflow's instance. + repeated Dependency runtimeTopology = 17; +} + +// Describes the inputs, sequence of steps and resources used to accomplish a task and its output. +message Task { + // BOM unique reference to the resource. + string bom_ref = 1; + // The unique identifier for the resource instance within its deployment context. + string uid = 2; + // The name of the resource instance. + optional string name = 3; + // A description of the resource instance. + optional string description = 4; + // Domain-specific task instance properties. + repeated Property properties = 5; + // References to component or service resources that are used to realize the resource instance. + repeated ResourceReferenceChoice resourceReferences = 6; + // Indicates the types of activities performed by the set of workflow tasks. + repeated TaskType taskTypes = 7; + // The trigger that initiated the task. + optional Trigger trigger = 8; + // "The sequence of steps for the task. + repeated Step steps = 9; + // Represents resources and data brought into a task at runtime by an executor or task commands + repeated InputType inputs = 10; + // Represents resources and data output from a task at runtime by an executor or task commands + repeated OutputType outputs = 11; + // The date and time (timestamp) when the task started. + optional google.protobuf.Timestamp timeStart = 14; + // The date and time (timestamp) when the task ended. + optional google.protobuf.Timestamp timeEnd = 15; + // A set of named filesystem or data resource shareable by workflow tasks. + repeated Workspace workspaces = 16; + // A graph of the component runtime topology for task's instance. 
+ repeated Dependency runtimeTopology = 17; +} + +// Executes specific commands or tools in order to accomplish its owning task as part of a sequence. +message Step { + // A name for the step. + optional string name = 1; + // A description of the step. + optional string description = 2; + // Ordered list of commands or directives for the step + repeated Command commands = 3; + // Domain-specific step properties. + repeated Property properties = 4; +} + +message Command { + // A text representation of the executed command. + optional string executed = 1; + // Domain-specific command properties. + repeated Property properties = 2; +} + +// A named filesystem or data resource shareable by workflow tasks. +message Workspace { + // BOM unique reference to the resource. + string bom_ref = 1; + // The unique identifier for the resource instance within its deployment context. + string uid = 2; + // The name of the resource instance. + optional string name = 3; + // The names for the workspace as referenced by other workflow tasks. Effectively, a name mapping so other tasks can use their own local name in their steps. + repeated string aliases = 4; + // A description of the resource instance. + optional string description = 5; + // Domain-specific workspace instance properties. + repeated Property properties = 6; + // References to component or service resources that are used to realize the resource instance. + repeated ResourceReferenceChoice resourceReferences = 7; + // Describes the read-write access control for the workspace relative to the owning resource instance. + optional AccessMode accessMode = 8; + // A path to a location on disk where the workspace will be available for the associated task's steps. + optional string mountPath = 9; + // The name of a domain-specific data type the workspace represents. + optional string managedDataType = 10; + // Identifies the reference to the request for a specific volume type and parameters. 
+ optional string volumeRequest = 11; + // Information about the actual volume instance allocated to the workspace. + optional Volume volume = 12; + + enum AccessMode { + // buf:lint:ignore ENUM_ZERO_VALUE_SUFFIX -- value `0` is a fallback(meaning "unspecified") in protobuf3. this usage here is an error; it shall be fixed with v2.0 of this very schema + ACCESS_MODE_READ_ONLY = 0; + ACCESS_MODE_READ_WRITE = 1; + ACCESS_MODE_READ_WRITE_ONCE = 2; + ACCESS_MODE_WRITE_ONCE = 3; + ACCESS_MODE_WRITE_ONLY = 4; + } +} + +// An identifiable, logical unit of data storage tied to a physical device. +message Volume { + // The unique identifier for the volume instance within its deployment context. + optional string uid = 1; + // The name of the volume instance + optional string name = 2; + // The volume mode for the volume instance. + optional VolumeMode mode = 3; + // The underlying path created from the actual volume. + optional string path = 4; + // The allocated size of the volume accessible to the associated workspace. This should include the scalar size as well as the IEC standard unit in either decimal or binary form. + optional string sizeAllocated = 5; + // Indicates if the volume persists beyond the life of the resource it is associated with. + optional bool persistent = 6; + // Indicates if the volume is remotely (i.e., network) attached. + optional bool remote = 7; + // Domain-specific volume instance properties. + repeated Property properties = 8; + + enum VolumeMode { + // buf:lint:ignore ENUM_ZERO_VALUE_SUFFIX -- value `0` is a fallback(meaning "unspecified") in protobuf3. this usage here is an error; it shall be fixed with v2.0 of this very schema + VOLUME_MODE_FILESYSTEM = 0; + VOLUME_MODE_BLOCK = 1; + } +} + +// Represents a resource that can conditionally activate (or fire) tasks based upon associated events and their data. +message Trigger { + // BOM unique reference to the resource. 
+ string bom_ref = 1; + // The unique identifier for the resource instance within its deployment context. + string uid = 2; + // The name of the resource instance. + optional string name = 3; + // A description of the resource instance. + optional string description = 4; + // Additional properties of the trigger. + repeated Property properties = 5; + // References to component or service resources that are used to realize the resource instance. + repeated ResourceReferenceChoice resourceReferences = 6; + // The source type of event which caused the trigger to fire. + TriggerType type = 7; + // The event data that caused the associated trigger to activate. + optional Event event = 8; + // A list of conditions used to determine if a trigger should be activated. + repeated Condition conditions = 9; + // The date and time (timestamp) when the trigger was activated. + optional google.protobuf.Timestamp timeActivated = 10; + // Represents resources and data brought into a task at runtime by an executor or task commands + repeated InputType inputs = 11; + // Represents resources and data output from a task at runtime by an executor or task commands + repeated OutputType outputs = 12; + + enum TriggerType { + // buf:lint:ignore ENUM_ZERO_VALUE_SUFFIX -- value `0` is a fallback(meaning "unspecified") in protobuf3. this usage here is an error; it shall be fixed with v2.0 of this very schema + TRIGGER_TYPE_MANUAL = 0; + TRIGGER_TYPE_API = 1; + TRIGGER_TYPE_WEBHOOK = 2; + TRIGGER_TYPE_SCHEDULED = 3; + } +} + +// Represents something that happened that may trigger a response. +message Event { + // The unique identifier of the event. + optional string uid = 1; + // A description of the event. + optional string description = 2; + // The date and time (timestamp) when the event was received. + optional google.protobuf.Timestamp timeReceived = 3; + // Encoding of the raw event data. 
+ optional AttachedText data = 4; + // References the component or service that was the source of the event + optional ResourceReferenceChoice source = 5; + // References the component or service that was the target of the event + optional ResourceReferenceChoice target = 6; + // Additional properties of the event. + repeated Property properties = 7; +} + +// Type that represents various input data types and formats. +message InputType { + // A references to the component or service that provided the input to the task (e.g., reference to a service with a data flow value of `inbound`) + optional ResourceReferenceChoice source = 1; + // A reference to the component or service that received or stored the input if not the task itself (e.g., a local, named storage workspace) + optional ResourceReferenceChoice target = 2; + // A reference to an independent resource provided as an input to a task by the workflow runtime. + optional ResourceReferenceChoice resource = 3; + // Inputs that have the form of parameters with names and values. + repeated Parameter parameters = 4; + // Inputs that have the form of parameters with names and values. + repeated EnvironmentVars environmentVars = 5; + // Inputs that have the form of data. + optional AttachedText data = 6; + // Additional properties of the input data. + repeated Property properties = 7; +} + +// Type that represents various output data types and formats. +message OutputType { + // Describes the type of data output. + optional OutputTypeType type = 1; + // Component or service that generated or provided the output from the task (e.g., a build tool) + optional ResourceReferenceChoice source = 2; + // Component or service that received the output from the task (e.g., reference to an artifactory service with data flow value of `outbound`) + optional ResourceReferenceChoice target = 3; + // A reference to an independent resource generated as output by the task. 
+ optional ResourceReferenceChoice resource = 4;
+ // Outputs that have the form of data.
+ optional AttachedText data = 5;
+ // Outputs that have the form of environment variables.
+ repeated EnvironmentVars environmentVars = 6;
+ // Additional properties of the output data.
+ repeated Property properties = 7;
+
+ // buf:lint:ignore ENUM_VALUE_PREFIX -- Enum value names should be prefixed with "OUTPUT_TYPE_TYPE_"
+ enum OutputTypeType {
+ // buf:lint:ignore ENUM_ZERO_VALUE_SUFFIX -- value `0` is a fallback(meaning "unspecified") in protobuf3. this usage here is an error; it shall be fixed with v2.0 of this very schema
+ OUTPUT_TYPE_ARTIFACT = 0;
+ OUTPUT_TYPE_ATTESTATION = 1;
+ OUTPUT_TYPE_LOG = 2;
+ OUTPUT_TYPE_EVIDENCE = 3;
+ OUTPUT_TYPE_METRICS = 4;
+ OUTPUT_TYPE_OTHER = 5;
+ }
+}
+
+// Type that permits a choice to reference a resource using an iternal bom_ref identifier or an external reference.
+message ResourceReferenceChoice {
+ oneof choice {
+ // References an object by its bom_ref attribute
+ string ref = 1;
+ // Reference to an externally accessible resource
+ ExternalReference externalReference = 2;
+ }
+}
+
+// A condition that was used to determine a trigger should be activated.
+message Condition {
+ // Describes the set of conditions which cause the trigger to activate.
+ optional string description = 1;
+ // The logical expression that was evaluated that determined the trigger should be fired.
+ optional string expression = 2;
+ // Domain-specific condition instance properties.
+ repeated Property properties = 3;
+}
+
+enum TaskType {
+ // A task that copies software or data used to accomplish other tasks in the workflow.
+ // buf:lint:ignore ENUM_ZERO_VALUE_SUFFIX -- value `0` is a fallback(meaning "unspecified") in protobuf3. this usage here is an error; it shall be fixed with v2.0 of this very schema
+ TASK_TYPE_COPY = 0;
+ // A task that clones a software repository into the workflow in order to retrieve its source code or data for use in a build step.
+ TASK_TYPE_CLONE = 1;
+ // A task that checks source code for programmatic and stylistic errors.
+ TASK_TYPE_LINT = 2;
+ // A task that performs a scan against source code, or built or deployed components and services. Scans are typically run to gather or test for security vulnerabilities or policy compliance.
+ TASK_TYPE_SCAN = 3;
+ // A task that merges changes or fixes into source code prior to a build step in the workflow.
+ TASK_TYPE_MERGE = 4;
+ // A task that builds the source code, dependencies and/or data into an artifact that can be deployed to and executed on target systems.
+ TASK_TYPE_BUILD = 5;
+ // A task that verifies the functionality of a component or service.
+ TASK_TYPE_TEST = 6;
+ // A task that delivers a built artifact to one or more target repositories or storage systems.
+ TASK_TYPE_DELIVER = 7;
+ // A task that deploys a built artifact for execution on one or more target systems.
+ TASK_TYPE_DEPLOY = 8;
+ // A task that releases a built, versioned artifact to a target repository or distribution system.
+ TASK_TYPE_RELEASE = 9;
+ // A task that cleans unnecessary tools, build artifacts and/or data from workflow storage.
+ TASK_TYPE_CLEAN = 10;
+ // A workflow task that does not match current task type definitions.
+ TASK_TYPE_OTHER = 11;
+}
+
+// A representation of a functional parameter.
+message Parameter {
+ // The name of the parameter.
+ optional string name = 1;
+ // The value of the parameter.
+ optional string value = 2;
+ // The data type of the parameter.
+ optional string dataType = 3;
+}
+
+message EnvironmentVars {
+ oneof choice {
+ // Name-value pair
+ Property property = 1;
+ // Value
+ string value = 2;
+ }
+}
+
+// The list of declarations which describe the conformance to standards. Each declaration may include attestations, claims, and evidence.
+message Declarations {
+ message Assessor {
+ // A identifier which can be used to reference the component elsewhere in the BOM. Uniqueness is enforced within all elements and children of the root-level bom element.
+ optional string bom_ref = 1;
+ // The boolean indicating if the assessor is outside the organization generating claims. A value of false indicates a self assessor.
+ optional bool thirdParty = 2;
+ // The entity issuing the assessment.
+ optional OrganizationalEntity organization = 3;
+ }
+
+ // Attestation
+ message Attestation {
+ // Map
+ message AttestationMap {
+
+ // Conformance
+ message AttestationConformance {
+ // The conformance of the claim between and inclusive of 0 and 1, where 1 is 100% conformance.
+ optional double score = 1;
+ // The rationale for the conformance score.
+ optional string rationale = 2;
+ // The list of `bom_ref` to the evidence provided describing the mitigation strategies.
+ repeated string mitigationStrategies = 3;
+ }
+
+ // Confidence
+ message AttestationConfidence {
+ // The confidence of the claim between and inclusive of 0 and 1, where 1 is 100% confidence.
+ optional double score = 1;
+ // The rationale for the confidence score.
+ optional string rationale = 2;
+ }
+
+ // The `bom_ref` to the requirement being attested to.
+ optional string requirement = 1;
+ // The list of `bom_ref` to the claims being attested to.
+ repeated string claims = 2;
+ // The list of `bom_ref` to the counter claims being attested to.
+ repeated string counterClaims = 3;
+ // The conformance of the claim meeting a requirement.
+ optional AttestationConformance conformance = 4;
+ // The confidence of the claim meeting the requirement.
+ optional AttestationConfidence confidence = 5;
+ }
+
+ // The short description explaining the main points of the attestation.
+ optional string summary = 1;
+ // The `bom_ref` to the assessor asserting the attestation.
+ optional string assessor = 2;
+ // The grouping of requirements to claims and the attestors' declared conformance and confidence thereof.
+ repeated AttestationMap map = 3;
+ }
+
+ message Claim {
+ // A identifier which can be used to reference the component elsewhere in the BOM. Uniqueness is enforced within all elements and children of the root-level bom element.
+ optional string bom_ref = 1;
+ // The `bom_ref` to a target representing a specific system, application, API, module, team, person, process, business unit, company, etc... that this claim is being applied to.
+ optional string target = 2;
+ // The specific statement or assertion about the target.
+ optional string predicate = 3;
+ // The list of `bom_ref` to the evidence provided describing the mitigation strategies. Each mitigation strategy should include an explanation of how any weaknesses in the evidence will be mitigated.
+ repeated string mitigationStrategies = 4;
+ // The written explanation of why the evidence provided substantiates the claim.
+ optional string reasoning = 5;
+ // The list of `bom_ref` to evidence that supports this claim.
+ repeated string evidence = 6;
+ // The list of `bom_ref` to counterEvidence that supports this claim.
+ repeated string counterEvidence = 7;
+ // External references provide a way to document systems, sites, and information that may be relevant but are not included with the BOM. They may also establish specific relationships within or external to the BOM.
+ repeated ExternalReference externalReferences = 8;
+ }
+
+ message Evidence {
+ message Data {
+ message Contents {
+ // A way to include textual or encoded data.
+ optional AttachedText attachment = 1;
+ // The URL to where the data can be retrieved.
+ optional string url = 2;
+ }
+
+ // The name of the data.
+ optional string name = 1;
+ // The contents or references to the contents of the data being described.
+ optional Contents contents = 2;
+ // Data classification tags data according to its type, sensitivity, and value if altered, stolen, or destroyed.
+ optional string classification = 3;
+ // A description of any sensitive data included.
+ repeated string sensitiveData = 4;
+ // Data Governance
+ optional DataGovernance governance = 5;
+ }
+
+ // A identifier which can be used to reference the component elsewhere in the BOM. Uniqueness is enforced within all elements and children of the root-level bom element.
+ optional string bom_ref = 1;
+ // The reference to the property name as defined in the CycloneDX Property Taxonomy: https://github.com/CycloneDX/cyclonedx-property-taxonomy/.
+ optional string propertyName = 2;
+ // The written description of what this evidence is and how it was created.
+ optional string description = 3;
+ // The output or analysis that supports claims.
+ repeated Data data = 4;
+ // The date and time (timestamp) when the evidence was created.
+ optional google.protobuf.Timestamp created = 5;
+ // The date and time (timestamp) when the evidence is no longer valid.
+ optional google.protobuf.Timestamp expires = 6;
+ // The author of the evidence.
+ optional OrganizationalContact author = 7;
+ // The reviewer of the evidence.
+ optional OrganizationalContact reviewer = 8;
+ }
+
+ message Targets {
+ // The list of organizations which claims are made against.
+ repeated OrganizationalEntity organizations = 1;
+ // The list of components which claims are made against.
+ repeated Component components = 2;
+ // The list of services which claims are made against.
+ repeated Service services = 3;
+ }
+
+ message Affirmation {
+ message Signatory {
+ // The signatory's name.
+ optional string name = 1;
+ // The signatory's role within an organization.
+ optional string role = 2;
+ // The signatory's organization.
+ optional OrganizationalEntity organization = 3;
+ // An External reference provides a way to document systems, sites, and information that may be relevant but are not included with the BOM. They may also establish specific relationships within or external to the BOM.
+ optional ExternalReference externalReference = 4;
+ }
+
+ // The brief statement affirmed by an individual regarding all declarations. Notes: This could be an affirmation of acceptance by a third-party auditor or receiving individual of a file. Example: "I certify, to the best of my knowledge, that all information is correct."
+ optional string statement = 1;
+ // The list of signatories authorized on behalf of an organization to assert validity of this document.
+ repeated Signatory signatories = 2;
+ }
+
+ // The list of assessors evaluating claims and determining conformance to requirements and confidence in that assessment.
+ repeated Assessor assessors = 1;
+ // The list of attestations asserted by an assessor that maps requirements to claims.
+ repeated Attestation attestations = 2;
+ // The list of claims.
+ repeated Claim claims = 3;
+ // The list of evidence
+ repeated Evidence evidence = 4;
+ // The list of targets which claims are made against.
+ optional Targets targets = 5;
+ // A concise statement affirmed by an individual regarding all declarations, often used for third-party auditor acceptance or recipient acknowledgment. It includes a list of authorized signatories who assert the validity of the document on behalf of the organization.
+ optional Affirmation affirmation = 6;
+}
+
+message Definition {
+ // A standard may consist of regulations, industry or organizational-specific standards, maturity models, best practices, or any other requirements which can be evaluated against or attested to.
+ message Standard {
+ message Requirement {
+ // A identifier which can be used to reference the component elsewhere in the BOM. Uniqueness is enforced within all elements and children of the root-level bom element.
+ optional string bom_ref = 1;
+ // The unique identifier used in the standard to identify a specific requirement. This should match what is in the standard and should not be the requirements bom_ref.
+ optional string identifier = 2;
+ // The title of the requirement.
+ optional string title = 3;
+ // The textual content of the requirement.
+ optional string text = 4;
+ // The supplemental text that provides additional guidance or context to the requirement but is not directly part of the requirement.
+ repeated string descriptions = 5;
+ // The Common Requirements Enumeration (CRE) identifier(s). CRE is a structured and standardized framework for uniting security standards and guidelines. CRE links each section of a resource to a shared topic identifier (a Common Requirement). Through this shared topic link, all resources map to each other. The use of CRE promotes clear and unambiguous communication among stakeholders.
+ repeated string openCre = 6;
+ // The `bom_ref` to a parent requirement. This establishes a hierarchy of requirements. Top-level requirements must not define a parent. Only child requirements should define parents.
+ optional string parent = 7;
+ // Specifies custom properties.
+ repeated Property properties = 8;
+ // External references provide a way to document systems, sites, and information that may be relevant but are not included with the BOM. They may also establish specific relationships within or external to the BOM.
+ repeated ExternalReference externalReferences = 9;
+ }
+
+ message Level {
+ // A identifier which can be used to reference the component elsewhere in the BOM. Uniqueness is enforced within all elements and children of the root-level bom element.
+ optional string bom_ref = 1;
+ // The identifier used in the standard to identify a specific level.
+ optional string identifier = 2;
+ // The title of the level.
+ optional string title = 3;
+ // The description of the level.
+ optional string description = 4;
+ // The list of requirement `bom_ref`s that comprise the level.
+ repeated string requirements = 5;
+ }
+
+ // A identifier which can be used to reference the component elsewhere in the BOM. Uniqueness is enforced within all elements and children of the root-level bom element.
+ optional string bom_ref = 1;
+ // The name of the standard. This will often be a shortened, single name of the standard.
+ optional string name = 2;
+ // The version of the standard.
+ optional string version = 3;
+ // The description of the standard.
+ optional string description = 4;
+ // The owner of the standard, often the entity responsible for its release.
+ optional string owner = 5;
+ // The list of requirements comprising the standard.
+ repeated Requirement requirements = 6;
+ // The list of levels associated with the standard. Some standards have different levels of compliance.
+ repeated Level levels = 7;
+ // External references provide a way to document systems, sites, and information that may be relevant but are not included with the BOM. They may also establish specific relationships within or external to the BOM.
+ repeated ExternalReference externalReferences = 8;
+ }
+
+ // The list of standards which may consist of regulations, industry or organizational-specific standards, maturity models, best practices, or any other requirements which can be evaluated against or attested to.
+ repeated Standard standards = 1;
+ // The list of either individual patents or patent families.
+ repeated PatentOrFamily patents = 2;
+}
+
+// "Cryptographic Properties
+message CryptoProperties {
+ // Asset Type
+ enum CryptoAssetType {
+ // ProtoBuff's default value
+ CRYPTO_ASSET_TYPE_UNSPECIFIED = 0;
+ // Mathematical function commonly used for data encryption, authentication, and digital signatures.
+ CRYPTO_ASSET_TYPE_ALGORITHM = 1;
+ // An electronic document that is used to provide the identity or validate a public key.
+ CRYPTO_ASSET_TYPE_CERTIFICATE = 2;
+ // A set of rules and guidelines that govern the behavior and communication with each other.
+ CRYPTO_ASSET_TYPE_PROTOCOL = 3;
+ // Other cryptographic assets related to algorithms, certificates, and protocols such as keys and tokens.
+ CRYPTO_ASSET_TYPE_RELATED_CRYPTO_MATERIAL = 4;
+ }
+
+ // Algorithm Propertie
+ message AlgorithmProperties {
+
+ // Primitive
+ enum CryptoPrimitive {
+ // ProtoBuff's default value -- it differs from "unknown"
+ CRYPTO_PRIMITIVE_UNSPECIFIED = 0;
+ // The primitive is not known
+ CRYPTO_PRIMITIVE_UNKNOWN = 1;
+ // Another primitive type - none of the following
+ CRYPTO_PRIMITIVE_OTHER = 2;
+ // Deterministic Random Bit Generator (DRBG) is a type of pseudorandom number generator designed to produce a sequence of bits from an initial seed value. DRBGs are commonly used in cryptographic applications where reproducibility of random values is important.
+ CRYPTO_PRIMITIVE_DRBG = 3;
+ // In cryptography, a Message Authentication Code (MAC) is information used for authenticating and integrity-checking a message.
+ CRYPTO_PRIMITIVE_MAC = 4;
+ // A block cipher is a symmetric key algorithm that operates on fixed-size blocks of data. It encrypts or decrypts the data in block units, providing confidentiality. Block ciphers are widely used in various cryptographic modes and protocols for secure data transmission.
+ CRYPTO_PRIMITIVE_BLOCK_CIPHER = 5;
+ // A stream cipher is a symmetric key cipher where plaintext digits are combined with a pseudorandom cipher digit stream (keystream).
+ CRYPTO_PRIMITIVE_STREAM_CIPHER = 6;
+ // In cryptography, a signature is a digital representation of a message or data that proves its origin, identity, and integrity. Digital signatures are generated using cryptographic algorithms and are widely used for authentication and verification in secure communication.
+ CRYPTO_PRIMITIVE_SIGNATURE = 7;
+ // A hash function is a mathematical algorithm that takes an input (or 'message') and produces a fixed-size string of characters, which is typically a hash value. Hash functions are commonly used in various cryptographic applications, including data integrity verification and password hashing.
+ CRYPTO_PRIMITIVE_HASH = 8;
+ // Public Key Encryption (PKE) is a type of encryption that uses a pair of public and private keys for secure communication. The public key is used for encryption, while the private key is used for decryption. PKE is a fundamental component of public-key cryptography.
+ CRYPTO_PRIMITIVE_PKE = 9;
+ // An XOF is an extendable output function that can take arbitrary input and creates a stream of output, up to a limit determined by the size of the internal state of the hash function that underlies the XOF.
+ CRYPTO_PRIMITIVE_XOF = 10;
+ // A Key Derivation Function (KDF) derives key material from another source of entropy while preserving the entropy of the input.
+ CRYPTO_PRIMITIVE_KDF = 11;
+ // In cryptography, a key-agreement is a protocol whereby two or more parties agree on a cryptographic key in such a way that both influence the outcome.
+ CRYPTO_PRIMITIVE_KEY_AGREE = 12;
+ // A Key Encapsulation Mechanism (KEM) algorithm is a mechanism for transporting random keying material to a recipient using the recipient's public key.
+ CRYPTO_PRIMITIVE_KEM = 13;
+ // Authenticated Encryption (AE) is a cryptographic process that provides both confidentiality and data integrity. It ensures that the encrypted data has not been tampered with and comes from a legitimate source. AE is commonly used in secure communication protocols.
+ CRYPTO_PRIMITIVE_AE = 14;
+ // A combiner aggregates many candidates for a cryptographic primitive and generates a new candidate for the same primitive.
+ CRYPTO_PRIMITIVE_COMBINER = 15;
+ // Key-wrap is a cryptographic technique used to securely encrypt and protect cryptographic keys using algorithms like AES.
+ CRYPTO_PRIMITIVE_KEY_WRAP = 16;
+ }
+
+ // Execution Environment
+ enum CryptoExecutionEnvironment {
+ // ProtoBuff's default value -- it differs from "unknown"
+ CRYPTO_EXECUTION_ENVIRONMENT_UNSPECIFIED = 0;
+ // The execution environment is not known
+ CRYPTO_EXECUTION_ENVIRONMENT_UNKNOWN = 1;
+ // Another implementation environment - none of the following
+ CRYPTO_EXECUTION_ENVIRONMENT_OTHER = 2;
+ // A software implementation running in plain unencrypted RAM.
+ CRYPTO_EXECUTION_ENVIRONMENT_SOFTWARE_PLAIN_RAM = 3;
+ // A software implementation running in encrypted RAM.
+ CRYPTO_EXECUTION_ENVIRONMENT_SOFTWARE_ENCRYPTED_RAM = 4;
+ // A software implementation running in a trusted execution environment.
+ CRYPTO_EXECUTION_ENVIRONMENT_SOFTWARE_TEE = 5;
+ // A hardware implementation.
+ CRYPTO_EXECUTION_ENVIRONMENT_HARDWARE = 6;
+ }
+
+ // Implementation platform
+ enum CryptoImplementationPlatform {
+ // ProtoBuff's default value -- it differs from "unknown"
+ CRYPTO_IMPLEMENTATION_PLATFORM_UNSPECIFIED = 0;
+ // the platform is not known
+ CRYPTO_IMPLEMENTATION_PLATFORM_UNKNOWN = 1;
+ // none of the following
+ CRYPTO_IMPLEMENTATION_PLATFORM_OTHER = 2;
+ CRYPTO_IMPLEMENTATION_PLATFORM_GENERIC = 3;
+ CRYPTO_IMPLEMENTATION_PLATFORM_X86_32 = 4;
+ CRYPTO_IMPLEMENTATION_PLATFORM_X86_64 = 5;
+ CRYPTO_IMPLEMENTATION_PLATFORM_ARMV7A = 6;
+ CRYPTO_IMPLEMENTATION_PLATFORM_ARMV7M = 7;
+ CRYPTO_IMPLEMENTATION_PLATFORM_ARMV8A = 8;
+ CRYPTO_IMPLEMENTATION_PLATFORM_ARMV8M = 9;
+ CRYPTO_IMPLEMENTATION_PLATFORM_ARMV9A = 10;
+ CRYPTO_IMPLEMENTATION_PLATFORM_ARMV9M = 11;
+ CRYPTO_IMPLEMENTATION_PLATFORM_X390X = 12;
+ CRYPTO_IMPLEMENTATION_PLATFORM_PPC64 = 13;
+ CRYPTO_IMPLEMENTATION_PLATFORM_PPC64LE = 14;
+ }
+
+ // Mode
+ enum CryptoAlgorithmMode {
+ // ProtoBuff's default value -- it differs from "unknown"
+ CRYPTO_ALGORITHM_MODE_UNSPECIFIED = 0;
+ // The mode of operation is not known
+ CRYPTO_ALGORITHM_MODE_UNKNOWN = 1;
+ // Another mode of operation - none of the following
+ CRYPTO_ALGORITHM_MODE_OTHER = 2;
+ // Cipher block chaining
+ CRYPTO_ALGORITHM_MODE_CBC = 3;
+ // Electronic codebook
+ CRYPTO_ALGORITHM_MODE_ECB = 4;
+ // Counter with cipher block chaining message authentication code
+ CRYPTO_ALGORITHM_MODE_CCM = 5;
+ // Galois/counter
+ CRYPTO_ALGORITHM_MODE_GCM = 6;
+ // Cipher feedback
+ CRYPTO_ALGORITHM_MODE_CFB = 7;
+ // Output feedback
+ CRYPTO_ALGORITHM_MODE_OFB = 8;
+ // Counter
+ CRYPTO_ALGORITHM_MODE_CTR = 9;
+ }
+
+ // Padding
+ enum CryptoAlgorithmPadding {
+ // ProtoBuff's default value -- it differs from "unknown"
+ CRYPTO_ALGORITHM_PADDING_UNSPECIFIED = 0;
+ // The padding scheme is not known
+ CRYPTO_ALGORITHM_PADDING_UNKNOWN = 1;
+ // Another padding scheme - none of the following
+ CRYPTO_ALGORITHM_PADDING_OTHER = 2;
+ // Public Key Cryptography Standard: Password-Based Cryptography
+ CRYPTO_ALGORITHM_PADDING_PKCS5 = 3;
+ // Public Key Cryptography Standard: Cryptographic Message Syntax
+ CRYPTO_ALGORITHM_PADDING_PKCS7 = 4;
+ // Public Key Cryptography Standard: RSA Cryptography v1.5
+ CRYPTO_ALGORITHM_PADDING_PKCS1V15 = 5;
+ // Optimal asymmetric encryption padding
+ CRYPTO_ALGORITHM_PADDING_OAEP = 6;
+ // Raw
+ CRYPTO_ALGORITHM_PADDING_RAW = 7;
+ }
+
+ // Cryptographic functions
+ enum CryptoAlgorithmFunction {
+ // ProtoBuff's default value -- it differs from "unknown"
+ CRYPTO_ALGORITHM_FUNCTION_UNSPECIFIED = 0;
+ // meaning "there is some, but it is unclear which one"
+ CRYPTO_ALGORITHM_FUNCTION_UNKNOWN = 1;
+ // none of the following
+ CRYPTO_ALGORITHM_FUNCTION_OTHER = 2;
+ CRYPTO_ALGORITHM_FUNCTION_GENERATE = 3;
+ CRYPTO_ALGORITHM_FUNCTION_KEYGEN = 4;
+ CRYPTO_ALGORITHM_FUNCTION_ENCRYPT = 5;
+ CRYPTO_ALGORITHM_FUNCTION_DECRYPT = 6;
+ CRYPTO_ALGORITHM_FUNCTION_DIGEST = 7;
+ CRYPTO_ALGORITHM_FUNCTION_TAG = 8;
+ CRYPTO_ALGORITHM_FUNCTION_KEYDERIVE = 9;
+ CRYPTO_ALGORITHM_FUNCTION_SIGN = 10;
+ CRYPTO_ALGORITHM_FUNCTION_VERIFY = 11;
+ CRYPTO_ALGORITHM_FUNCTION_ENCAPSULATE = 12;
+ CRYPTO_ALGORITHM_FUNCTION_DECAPSULATE = 13;
+ }
+
+ // Cryptographic building blocks used in higher-level cryptographic systems and protocols. Primitives represent different cryptographic routines: deterministic random bit generators (drbg, e.g. CTR_DRBG from NIST SP800-90A-r1), message authentication codes (mac, e.g. HMAC-SHA-256), blockciphers (e.g. AES), streamciphers (e.g. Salsa20), signatures (e.g. ECDSA), hash functions (e.g. SHA-256), public-key encryption schemes (pke, e.g. RSA), extended output functions (xof, e.g. SHAKE256), key derivation functions (e.g. pbkdf2), key agreement algorithms (e.g. ECDH), key encapsulation mechanisms (e.g. ML-KEM), authenticated encryption (ae, e.g. AES-GCM) and the combination of multiple algorithms (combiner, e.g. SP800-56Cr2).
+ optional CryptoPrimitive primitive = 1;
+ // A valid algorithm family identifier.
+ // If specified, this value must be one of the enumeration of valid algorithm Family identifiers defined in the `cryptography-defs.schema.json` subschema. A corresponding schema for ProtoBuf is not available.
+ optional string algorithmFamily = 12;
+ // An identifier for the parameter set of the cryptographic algorithm. Examples: in AES128, '128' identifies the key length in bits, in SHA256, '256' identifies the digest length, '128' in SHAKE128 identifies its maximum security level in bits, and 'SHA2-128s' identifies a parameter set used in SLH-DSA (FIPS205).
+ optional string parameterSetIdentifier = 2;
+ // DEPRECATED - DO NOT USE - This will be removed in a future version - Use `.ellipticCurve` instead.
+ // The specific underlying Elliptic Curve (EC) definition employed which is an indicator of the level of security strength, performance and complexity. Absent an authoritative source of curve names, CycloneDX recommends use of curve names as defined at [https://neuromancer.sk/std/](https://neuromancer.sk/std/), the source from which can be found at [https://github.com/J08nY/std-curves](https://github.com/J08nY/std-curves).
+ optional string curve = 3 [deprecated = true];
+ // The specific underlying Elliptic Curve (EC) definition employed which is an indicator of the level of security strength, performance and complexity.
+ // If specified, this value must be one of the enumeration of valid elliptic curves identifiers defined in the `cryptography-defs.schema.json` subschema. A corresponding schema for ProtoBuf is not available.
+ optional string ellipticCurve = 13;
+ // The target and execution environment in which the algorithm is implemented in.
+ optional CryptoExecutionEnvironment executionEnvironment = 4;
+ // The target platform for which the algorithm is implemented. The implementation can be 'generic', running on any platform or for a specific platform.
+ optional CryptoImplementationPlatform implementationPlatform = 5;
+ // The certification that the implementation of the cryptographic algorithm has received, if any. Certifications include revisions and levels of FIPS 140 or Common Criteria of different Extended Assurance Levels (CC-EAL).
+ repeated string certificationLevel = 6;
+ // The mode of operation in which the cryptographic algorithm (block cipher) is used.
+ optional CryptoAlgorithmMode mode = 7;
+ // The padding scheme that is used for the cryptographic algorithm.
+ optional CryptoAlgorithmPadding padding = 8;
+ // The cryptographic functions implemented by the cryptographic algorithm.
+ repeated CryptoAlgorithmFunction cryptoFunctions = 9;
+ // The classical security level that a cryptographic algorithm provides (in bits).
+ optional int32 classicalSecurityLevel = 10;
+ // The NIST security strength category as defined in https://csrc.nist.gov/projects/post-quantum-cryptography/post-quantum-cryptography-standardization/evaluation-criteria/security-(evaluation-criteria). A value of 0 indicates that none of the categories are met.
+ optional int32 nistQuantumSecurityLevel = 11;
+ } // end of AlgorithmProperties
+
+ // Certificate State
+ message CertificateState {
+
+ // Pre-defined certificate states
+ enum PredefinedState {
+ // ProtoBuff's default value
+ PREDEFINED_STATE_UNSPECIFIED = 0;
+ // The certificate has been issued by the issuing certificate authority (CA) but has not been authorized for use.
+ PREDEFINED_STATE_PRE_ACTIVATION = 1;
+ // The certificate may be used to cryptographically protect information, cryptographically process previously protected information, or both.
+ PREDEFINED_STATE_ACTIVE = 2;
+ // The use of a certificate may be suspended for several possible reasons.
+ PREDEFINED_STATE_SUSPENDED = 3;
+ // Certificates in the deactivated state shall not be used to apply cryptographic protection but, in some cases, may be used to process cryptographically protected information.
+ PREDEFINED_STATE_DEACTIVATED = 4;
+ // A revoked certificate is a digital certificate that has been invalidated by the issuing certificate authority (CA) before its scheduled expiration date.
+ PREDEFINED_STATE_REVOKED = 5;
+ // The certificate has been destroyed.
+ PREDEFINED_STATE_DESTROYED = 6;
+ }
+
+ // A reason for the certificate being in this state.
+ optional string reason = 1;
+ // The state can be either a predefined state or a custom state
+ oneof state {
+ // A pre-defined state in the certificate lifecycle.
+ PredefinedState predefined_state = 2;
+ // The name of the certificate lifecycle state for custom states.
+ string name = 3;
+ }
+ // The description of the certificate lifecycle state (only used with custom states).
+ optional string description = 4;
+ } // end of CertificateState
+
+ // Certificate Properties
+ message CertificateProperties {
+ // The serial number is a unique identifier for the certificate issued by a CA.
+ optional string serialNumber = 9;
+ // The subject name for the certificate
+ optional string subjectName = 1;
+ // The issuer name for the certificate
+ optional string issuerName = 2;
+ // The date and time according to ISO-8601 standard from which the certificate is valid
+ optional google.protobuf.Timestamp notValidBefore = 3;
+ // The date and time according to ISO-8601 standard from which the certificate is not valid anymore
+ optional google.protobuf.Timestamp notValidAfter = 4;
+ // DEPRECATED - DO NOT USE - This will be removed in a future version - Use `.relatedCryptographicAssets` instead.
+ // The bom-ref to signature algorithm used by the certificate
+ optional string signatureAlgorithmRef = 5 [deprecated = true];
+ // DEPRECATED - DO NOT USE - This will be removed in a future version - Use `.relatedCryptographicAssets` instead.
+ // The bom-ref to the public key of the subject
+ optional string subjectPublicKeyRef = 6 [deprecated = true];
+ // The format of the certificate. Examples include X.509, PEM, DER, and CVC.
+ optional string certificateFormat = 7;
+ // DEPRECATED - DO NOT USE - This will be removed in a future version - Use `.certificateFileExtension` instead. The file extension of the certificate. Examples include crt, pem, cer, der, and p12.
+ optional string certificateExtension = 8 [deprecated = true];
+ // The file extension of the certificate. Examples include crt, pem, cer, der, and p12.
+ optional string certificateFileExtension = 10;
+ // The fingerprint is a cryptographic hash of the certificate excluding it's signature.
+ optional Hash fingerprint = 11;
+ // The certificate lifecycle is a comprehensive process that manages digital certificates from their initial creation to eventual expiration or revocation. It typically involves several stages.
+ repeated CertificateState certificateState = 12;
+ // The date and time (timestamp) when the certificate was created or pre-activated.
+ optional google.protobuf.Timestamp creationDate = 13;
+ // The date and time (timestamp) when the certificate was activated.
+ optional google.protobuf.Timestamp activationDate = 14;
+ // The date and time (timestamp) when the related certificate was deactivated.
+ optional google.protobuf.Timestamp deactivationDate = 15;
+ // The date and time (timestamp) when the certificate was revoked.
+ optional google.protobuf.Timestamp revocationDate = 16;
+ // The date and time (timestamp) when the certificate was destroyed.
+ optional google.protobuf.Timestamp destructionDate = 17;
+ // A certificate extension is a field that provides additional information about the certificate or its use. Extensions are used to convey additional information beyond the standard fields.
+ optional CertificateExtensions certificateExtensions = 18;
+ // A list of cryptographic assets related to this component.
+ optional RelatedCryptographicAssets relatedCryptographicAssets = 19;
+ } // end of CertificateProperties
+
+ // Certificate Extensions
+ message CertificateExtensions {
+ // Common extension names
+ enum CommonExtensionName {
+ // ProtoBuff's default value
+ COMMON_EXTENSION_NAME_UNSPECIFIED = 0;
+ COMMON_EXTENSION_NAME_BASIC_CONSTRAINTS = 1;
+ COMMON_EXTENSION_NAME_KEY_USAGE = 2;
+ COMMON_EXTENSION_NAME_EXTENDED_KEY_USAGE = 3;
+ COMMON_EXTENSION_NAME_SUBJECT_ALTERNATIVE_NAME = 4;
+ COMMON_EXTENSION_NAME_AUTHORITY_KEY_IDENTIFIER = 5;
+ COMMON_EXTENSION_NAME_SUBJECT_KEY_IDENTIFIER = 6;
+ COMMON_EXTENSION_NAME_AUTHORITY_INFORMATION_ACCESS = 7;
+ COMMON_EXTENSION_NAME_CERTIFICATE_POLICIES = 8;
+ COMMON_EXTENSION_NAME_CRL_DISTRIBUTION_POINTS = 9;
+ COMMON_EXTENSION_NAME_SIGNED_CERTIFICATE_TIMESTAMP = 10;
+ }
+
+ // Extension represents either a common extension or a custom extension
+ message Extension {
+ oneof extension_type {
+ // Common extension with predefined name
+ CommonExtension commonExtension = 1;
+ // Custom extension with user-defined name
+ CustomExtension customExtension = 2;
+ }
+ }
+
+ // Common extension with predefined name
+ message CommonExtension {
+ // The name of the extension
+ CommonExtensionName name = 1;
+ // The value of the certificate extension
+ string value = 2;
+ }
+
+ // Custom extension with user-defined name
+ message CustomExtension {
+ // The name for the custom certificate extension
+ string name = 1;
+ // The description of the custom certificate extension
+ optional string value = 2;
+ }
+
+ // List of certificate extensions
+ repeated Extension extensions = 1;
+ }
+
+ // Related Cryptographic Assets
+ message RelatedCryptographicAssets {
+ // Related Cryptographic Asset
+ message RelatedCryptographicAsset {
+ // The type of the related cryptographic asset
+ string type = 1;
+ // The reference to the related cryptographic asset
+ string ref = 2;
+ }
+
+ // List of related cryptographic assets
+ repeated RelatedCryptographicAsset assets = 1;
+ }
+
+ // Related Cryptographic Material Properties
+ message RelatedCryptoMaterialProperties {
+
+ // relatedCryptoMaterialType
+ enum CryptoRelatedType {
+ // ProtoBuff's default value -- it differs from "unknown"
+ CRYPTO_RELATED_TYPE_UNSPECIFIED = 0;
+ // The type of cryptographic asset is not known.
+ CRYPTO_RELATED_TYPE_UNKNOWN = 1;
+ // Another type of cryptographic asset - none of the following
+ CRYPTO_RELATED_TYPE_OTHER = 2;
+ CRYPTO_RELATED_TYPE_PRIVATE_KEY = 3;
+ CRYPTO_RELATED_TYPE_PUBLIC_KEY = 4;
+ CRYPTO_RELATED_TYPE_SECRET_KEY = 5;
+ CRYPTO_RELATED_TYPE_KEY = 6;
+ CRYPTO_RELATED_TYPE_CIPHERTEXT = 7;
+ CRYPTO_RELATED_TYPE_SIGNATURE = 8;
+ CRYPTO_RELATED_TYPE_DIGEST = 9;
+ CRYPTO_RELATED_TYPE_INITIALIZATION_VECTOR = 10;
+ CRYPTO_RELATED_TYPE_NONCE = 11;
+ CRYPTO_RELATED_TYPE_SEED = 12;
+ CRYPTO_RELATED_TYPE_SALT = 13;
+ CRYPTO_RELATED_TYPE_SHARED_SECRET = 14;
+ CRYPTO_RELATED_TYPE_TAG = 15;
+ CRYPTO_RELATED_TYPE_ADDITIONAL_DATA = 16;
+ CRYPTO_RELATED_TYPE_PASSWORD = 17;
+ CRYPTO_RELATED_TYPE_CREDENTIAL = 18;
+ CRYPTO_RELATED_TYPE_TOKEN = 19;
+ }
+
+ // State
+ enum CryptoRelatedState {
+ // Default
+ CRYPTO_RELATED_STATE_UNSPECIFIED = 0;
+ CRYPTO_RELATED_STATE_PRE_ACTIVATION = 1;
+ CRYPTO_RELATED_STATE_ACTIVE = 2;
+ CRYPTO_RELATED_STATE_SUSPENDED = 3;
+ CRYPTO_RELATED_STATE_DEACTIVATED = 4;
+ CRYPTO_RELATED_STATE_COMPROMISED = 5;
+ CRYPTO_RELATED_STATE_DESTROYED = 6;
+ }
+
+ // Secured By
+ message CryptoRelatedSecuredBy {
+ // Specifies the mechanism by which the cryptographic asset is secured. Examples include HSM, TPM, SGX, Software, and None
+ optional string mechanism = 1;
+ // The bom_ref to the algorithm.
+ optional string algorithmRef = 2;
+ }
+
+ // The type for the related cryptographic material
+ optional CryptoRelatedType type = 1;
+ // The unique identifier for the related cryptographic material.
+ optional string id = 2;
+ // The key state as defined by NIST SP 800-57.
+ optional CryptoRelatedState state = 3;
+ // DEPRECATED - DO NOT USE - This will be removed in a future version - Use `.relatedCryptographicAssets` instead.
+ // The bom-ref to the algorithm used to generate the related cryptographic material.
+ optional string algorithmRef = 4 [deprecated = true];
+ // The date and time (timestamp) when the related cryptographic material was created.
+ optional google.protobuf.Timestamp creationDate = 5;
+ // The date and time (timestamp) when the related cryptographic material was activated.
+ optional google.protobuf.Timestamp activationDate = 6;
+ // The date and time (timestamp) when the related cryptographic material was updated.
+ optional google.protobuf.Timestamp updateDate = 7;
+ // The date and time (timestamp) when the related cryptographic material expires.
+ optional google.protobuf.Timestamp expirationDate = 8;
+ // The associated value of the cryptographic material.
+ optional string value = 9;
+ // The size of the cryptographic asset (in bits).
+ optional int64 size = 10;
+ // The format of the related cryptographic material (e.g. P8, PEM, DER).
+ optional string format = 11;
+ // The mechanism by which the cryptographic asset is secured.
+ optional CryptoRelatedSecuredBy securedBy = 12;
+ // The fingerprint is a cryptographic hash of the asset.
+ optional Hash fingerprint = 13;
+ // A list of cryptographic assets related to this component.
+ optional RelatedCryptographicAssets relatedCryptographicAssets = 14;
+ } // end of RelatedCryptoMaterialProperties
+
+ // Protocol Properties
+ message ProtocolProperties {
+ enum CryptoProtocolType {
+ // ProtoBuff's default value -- it differs from "unknown"
+ CRYPTO_PROTOCOL_TYPE_UNSPECIFIED = 0;
+ // The protocol type is not known
+ CRYPTO_PROTOCOL_TYPE_UNKNOWN = 1;
+ // Another protocol type - none of the following
+ CRYPTO_PROTOCOL_TYPE_OTHER = 2;
+ // Transport Layer Security
+ CRYPTO_PROTOCOL_TYPE_TLS = 3;
+ // Secure Shell
+ CRYPTO_PROTOCOL_TYPE_SSH = 4;
+ // Internet Protocol Security
+ CRYPTO_PROTOCOL_TYPE_IPSEC = 5;
+ // Internet Key Exchange
+ CRYPTO_PROTOCOL_TYPE_IKE = 6;
+ // Secure Socket Tunneling Protocol
+ CRYPTO_PROTOCOL_TYPE_SSTP = 7;
+ // Wi-Fi Protected Access
+ CRYPTO_PROTOCOL_TYPE_WPA = 8;
+ // Datagram Transport Layer Security
+ CRYPTO_PROTOCOL_TYPE_DTLS = 9;
+ // Quick UDP Internet Connections
+ CRYPTO_PROTOCOL_TYPE_QUIC = 10;
+ // Extensible Authentication Protocol variant
+ CRYPTO_PROTOCOL_TYPE_EAP_AKA = 11;
+ // Enhanced version of EAP-AKA
+ CRYPTO_PROTOCOL_TYPE_EAP_AKA_PRIME = 12;
+ // Protection of Inter-Network Signaling
+ CRYPTO_PROTOCOL_TYPE_PRINS = 13;
+ // Authentication and Key Agreement for 5G
+ CRYPTO_PROTOCOL_TYPE_5G_AKA = 14;
+ }
+
+ // Object representing a cipher suite
+ message CryptoProtocolCipherSuite {
+ // A common name for the cipher suite. For example: TLS_DHE_RSA_WITH_AES_128_CCM
+ optional string name = 1;
+ // A list of algorithms related to the cipher suite. Use the bom_ref to the algorithm cryptographic asset.
+ repeated string algorithms = 2;
+ // A list of common identifiers for the cipher suite. For example: 0xC0 and 0x9E
+ repeated string identifiers = 3;
+ // A list of TLS named groups (formerly known as curves) for this cipher suite. These groups define the parameters for key exchange algorithms like ECDHE.
+ repeated string tlsGroups = 4;
+ // A list of signature schemes supported for cipher suite.
These schemes specify the algorithms used for digital signatures in TLS handshakes and certificate verification.
+ repeated string tlsSignatureSchemes = 5;
+ }
+
+
+ // DEPRECATED - DO NOT USE - This will be removed in a future version.
+ // IKEv2 Transform Types
+ message Ikev2TransformTypes {
+ // Transform Type 1: encryption algorithms
+ repeated string encr = 1;
+ // Transform Type 2: pseudorandom functions
+ repeated string prf = 2;
+ // Transform Type 3: integrity algorithms
+ repeated string integ = 3;
+ // Transform Type 4: Key Exchange Method (KE) per RFC9370, formerly called Diffie-Hellman Group (D-H)
+ repeated string ke = 4;
+ // Specifies if an Extended Sequence Number (ESN) is used.
+ optional bool esn = 5;
+ // IKEv2 Authentication method
+ repeated string auth = 6;
+ }
+
+ // IKEv2 Transform Types Detailed
+ message Ikev2TransformTypesDetailed {
+ // IKEv2 Encryption Algorithm (ENCR)
+ message Encr {
+ // A name for the encryption method
+ optional string name = 1;
+ // The key length of the encryption algorithm
+ optional int32 keyLength = 2;
+ // The bom-ref to algorithm cryptographic asset
+ optional string algorithm = 3;
+ }
+
+ // IKEv2 Pseudorandom Function (PRF)
+ message Prf {
+ // A name for the pseudorandom function
+ optional string name = 1;
+ // The bom-ref to algorithm cryptographic asset
+ optional string algorithm = 2;
+ }
+
+ // IKEv2 Integrity Algorithm (INTEG)
+ message Integ {
+ // A name for the integrity algorithm
+ optional string name = 1;
+ // The bom-ref to algorithm cryptographic asset
+ optional string algorithm = 2;
+ }
+
+ // IKEv2 Key Exchange Method (KE)
+ message Ke {
+ // A group identifier for the key exchange algorithm
+ optional int32 group = 1;
+ // The bom-ref to algorithm cryptographic asset
+ optional string algorithm = 2;
+ }
+
+ // IKEv2 Authentication method
+ message Auth {
+ // A name for the authentication method
+ optional string name = 1;
+ // The bom-ref to algorithm cryptographic asset
+ optional
string algorithm = 2;
+ }
+
+ // Transform Type 1: encryption algorithms
+ repeated Encr encr = 1;
+ // Transform Type 2: pseudorandom functions
+ repeated Prf prf = 2;
+ // Transform Type 3: integrity algorithms
+ repeated Integ integ = 3;
+ // Transform Type 4: Key Exchange Method (KE) per RFC9370, formerly called Diffie-Hellman Group (D-H)
+ repeated Ke ke = 4;
+ // Specifies if an Extended Sequence Number (ESN) is used.
+ optional bool esn = 5;
+ // IKEv2 Authentication method
+ repeated Auth auth = 6;
+ }
+
+ // The concrete protocol type.
+ optional CryptoProtocolType type = 1;
+ // The version of the protocol. Examples include 1.0, 1.2, and 1.99.
+ optional string version = 2;
+ // A list of cipher suites related to the protocol.
+ repeated CryptoProtocolCipherSuite cipherSuites = 3;
+ // DEPRECATED - DO NOT USE - This will be removed in a future version - Use `.ikev2TransformTypesDetailed` instead.
+ // The IKEv2 transform types supported (types 1-4), defined in RFC7296 section 3.3.2, and additional properties.
+ optional Ikev2TransformTypes ikev2TransformTypes = 4 [deprecated = true];
+ // The IKEv2 transform types supported (types 1-4), defined in RFC7296 section 3.3.2, and additional properties.
+ // If this field is present, the deprecated field `.ikev2TransformTypes` MUST be ignored.
+ optional Ikev2TransformTypesDetailed ikev2TransformTypesDetailed = 7;
+ // The bom-ref(s) to protocol-related cryptographic assets
+ repeated string cryptoRef = 5;
+ // A list of cryptographic assets related to this component.
+ optional RelatedCryptographicAssets relatedCryptographicAssets = 6;
+ } // end of ProtocolProperties
+
+ // Cryptographic assets occur in several forms. Algorithms and protocols are most commonly implemented in specialized cryptographic libraries. They may, however, also be 'hardcoded' in software components. Certificates and related cryptographic material like keys, tokens, secrets or passwords are other cryptographic assets to be modelled.
+ CryptoAssetType assetType = 1;
+ // Additional properties specific to a cryptographic algorithm.
+ optional AlgorithmProperties algorithmProperties = 2;
+ // Properties for cryptographic assets of asset type 'certificate'
+ optional CertificateProperties certificateProperties = 3;
+ // Properties for cryptographic assets of asset type: `related-crypto-material`
+ optional RelatedCryptoMaterialProperties relatedCryptoMaterialProperties = 4;
+ // Properties specific to cryptographic assets of type: `protocol`.
+ optional ProtocolProperties protocolProperties = 5;
+ // The object identifier (OID) of the cryptographic asset.
+ optional string oid = 6;
+}
+
+// Either an individual patents or patent families.
+message PatentOrFamily {
+ oneof item {
+ // An individual patent
+ Patent patent = 1;
+ // A patent family
+ PatentFamily patent_family = 2;
+ }
+}
+
+// The priorityApplication contains the essential data necessary to identify and reference an earlier patent filing for priority rights. In line with WIPO ST.96 guidelines, it includes the jurisdiction (office code), application number, and filing date-the three key elements that uniquely specify the priority application in a global patent context.
+message PriorityApplication {
+ //The unique number assigned to a patent application when it is filed with a patent office. It is used to identify the specific application and track its progress through the examination process. Aligned with `ApplicationNumber` in ST.96. Refer to [ApplicationIdentificationType in ST.96](https://www.wipo.int/standards/XMLSchema/ST96/V8_0/Patent/ApplicationIdentificationType.xsd).
+ string application_number = 1;
+ // The jurisdiction or patent office where the priority application was filed, specified using WIPO ST.3 codes. Aligned with `IPOfficeCode` in ST.96. Refer to [IPOfficeCode in ST.96](https://www.wipo.int/standards/XMLSchema/ST96/V8_0/Common/IPOfficeCode.xsd).
+ string jurisdiction = 2;
+ // The date the priority application was filed, aligned with `FilingDate` in ST.96. Refer to [FilingDate in ST.96](https://www.wipo.int/standards/XMLSchema/ST96/V8_0/Patent/FilingDate.xsd).
+ google.protobuf.Timestamp filing_date = 3;
+}
+
+// A patent is a legal instrument, granted by an authority, that confers certain rights over an invention for a specified period, contingent on public disclosure and adherence to relevant legal requirements. The summary information in this object is aligned with [WIPO ST.96](https://www.wipo.int/standards/en/st96/) principles where applicable.
+message Patent {
+ // A identifier which can be used to reference the component elsewhere in the BOM. Uniqueness is enforced within all elements and children of the root-level bom element.
+ optional string bom_ref = 1;
+ // The unique number assigned to the granted patent by the issuing authority. Aligned with `PatentNumber` in WIPO ST.96. Refer to [PatentNumber in ST.96](https://www.wipo.int/standards/XMLSchema/ST96/V8_0/Patent/PatentNumber.xsd).
+ string patent_number = 2;
+ // The unique number assigned to a patent application when it is filed with a patent office. It is used to identify the specific application and track its progress through the examination process. Aligned with `ApplicationNumber` in ST.96. Refer to [ApplicationIdentificationType in ST.96](https://www.wipo.int/standards/XMLSchema/ST96/V8_0/Patent/ApplicationIdentificationType.xsd).
+ optional string application_number = 3;
+ // The jurisdiction or patent office where the priority application was filed, specified using WIPO ST.3 codes. Aligned with `IPOfficeCode` in ST.96. Refer to [IPOfficeCode in ST.96](https://www.wipo.int/standards/XMLSchema/ST96/V8_0/Common/IPOfficeCode.xsd).
+ string jurisdiction = 4;
+ // The priorityApplication contains the essential data necessary to identify and reference an earlier patent filing for priority rights.
In line with WIPO ST.96 guidelines, it includes the jurisdiction (office code), application number, and filing date-the three key elements that uniquely specify the priority application in a global patent context.
+ optional PriorityApplication priority_application = 5;
+ // This is the number assigned to a patent application once it is published. Patent applications are generally published 18 months after filing (unless an applicant requests non-publication). This number is distinct from the application number.
+ optional string publication_number = 6;
+ // The title of the patent, summarising the invention it protects. Aligned with `InventionTitle` in WIPO ST.96. Refer to [InventionTitle in ST.96](https://www.wipo.int/standards/XMLSchema/ST96/V8_0/Patent/InventionTitle.xsd).
+ optional string title = 7;
+ // A brief summary of the invention described in the patent. Aligned with `Abstract` and `P` in WIPO ST.96. Refer to [Abstract in ST.96](https://www.wipo.int/standards/XMLSchema/ST96/V8_0/Patent/Abstract.xsd).
+ optional string abstract = 8;
+ // The date the patent application was filed with the jurisdiction. Aligned with `FilingDate` in WIPO ST.96. Refer to [FilingDate in ST.96](https://www.wipo.int/standards/XMLSchema/ST96/V8_0/Patent/FilingDate.xsd).
+ optional google.protobuf.Timestamp filing_date = 9;
+ // The date the patent was granted by the jurisdiction. Aligned with `GrantDate` in WIPO ST.96. Refer to [GrantDate in ST.96](https://www.wipo.int/standards/XMLSchema/ST96/V8_0/Patent/GrantDate.xsd).
+ optional google.protobuf.Timestamp grant_date = 10;
+ // The date the patent expires. Derived from grant or filing date according to jurisdiction-specific rules.
+ optional google.protobuf.Timestamp patent_expiration_date = 11;
+ // Indicates the current legal status of the patent or patent application, based on the WIPO ST.27 standard. This status reflects administrative, procedural, or legal events.
Values include both active and inactive states and are useful for determining enforceability, procedural history, and maintenance status.
+ PatentLegalStatus patent_legal_status = 12;
+ // A collection of organisations or individuals to whom the patent rights are assigned. This supports joint ownership and allows for flexible representation of both corporate entities and individual inventors.
+ repeated OrganizationalEntityOrContact patent_assignee = 13;
+ // External references provide a way to document systems, sites, and information that may be relevant but are not included with the BOM. They may also establish specific relationships within or external to the BOM.
+ repeated ExternalReference external_references = 14;
+}
+
+// Indicates the current legal status of the patent or patent application, based on the WIPO ST.27 standard. This status reflects administrative, procedural, or legal events. Values include both active and inactive states and are useful for determining enforceability, procedural history, and maintenance status.
+enum PatentLegalStatus {
+ // Default
+ PATENT_LEGAL_STATUS_UNSPECIFIED = 0;
+ // The patent application has been filed but not yet examined or granted.
+ PATENT_LEGAL_STATUS_PENDING = 1;
+ // The patent application has been examined and a patent has been issued.
+ PATENT_LEGAL_STATUS_GRANTED = 2;
+ // The patent has been declared invalid through a legal or administrative process.
+ PATENT_LEGAL_STATUS_REVOKED = 3;
+ // The patent has reached the end of its enforceable term.
+ PATENT_LEGAL_STATUS_EXPIRED = 4;
+ // The patent is no longer in force due to non-payment of maintenance fees or other requirements.
+ PATENT_LEGAL_STATUS_LAPSED = 5;
+ // The patent application was voluntarily withdrawn by the applicant.
+ PATENT_LEGAL_STATUS_WITHDRAWN = 6;
+ // The patent application was abandoned, often due to lack of action or response.
+ PATENT_LEGAL_STATUS_ABANDONED = 7;
+ // Processing of the patent application has been temporarily halted.
+ PATENT_LEGAL_STATUS_SUSPENDED = 8;
+ // A previously abandoned or lapsed patent has been reinstated.
+ PATENT_LEGAL_STATUS_REINSTATED = 9;
+ // The patent application or granted patent is under formal opposition proceedings.
+ PATENT_LEGAL_STATUS_OPPOSED = 10;
+ // The patent or application has been officially terminated.
+ PATENT_LEGAL_STATUS_TERMINATED = 11;
+ // The patent has been invalidated, either in part or in full.
+ PATENT_LEGAL_STATUS_INVALIDATED = 12;
+ // The granted patent is active and enforceable.
+ PATENT_LEGAL_STATUS_IN_FORCE = 13;
+}
+
+// A patent family is a group of related patent applications or granted patents that cover the same or similar invention. These patents are filed in multiple jurisdictions to protect the invention across different regions or countries. A patent family typically includes patents that share a common priority date, originating from the same initial application, and may vary slightly in scope or claims to comply with regional legal frameworks. Fields align with WIPO ST.96 standards where applicable.
+message PatentFamily {
+ // A identifier which can be used to reference the component elsewhere in the BOM. Uniqueness is enforced within all elements and children of the root-level bom element.
+ optional string bom_ref = 1;
+ // The unique identifier for the patent family, aligned with the `id` attribute in WIPO ST.96 v8.0's `PatentFamilyType`. Refer to [PatentFamilyType in ST.96](https://www.wipo.int/standards/XMLSchema/ST96/V8_0/Patent/PatentFamilyType.xsd).
+ string family_id = 2;
+ // The priorityApplication contains the essential data necessary to identify and reference an earlier patent filing for priority rights.
In line with WIPO ST.96 guidelines, it includes the jurisdiction (office code), application number, and filing date-the three key elements that uniquely specify the priority application in a global patent context.
+ optional PriorityApplication priority_application = 3;
+ // A collection of patents or applications that belong to this family, each identified by a `bom_ref` pointing to a patent object defined elsewhere in the BOM.
+ repeated string members = 4; // bom_ref strings
+ // External references provide a way to document systems, sites, and information that may be relevant but are not included with the BOM. They may also establish specific relationships within or external to the BOM.
+ repeated ExternalReference external_references = 5;
+}
+
+// An assertion linking a patent or patent family to this component or service.
+message PatentAssertion {
+ // A identifier which can be used to reference the component elsewhere in the BOM. Uniqueness is enforced within all elements and children of the root-level bom element.
+ optional string bom_ref = 1;
+ // The type of assertion being made about the patent or patent family. Examples include ownership, licensing, and standards inclusion.
+ PatentAssertionType assertion_type = 2;
+ // A list of BOM references (`bom_ref`) linking to patents or patent families associated with this assertion.
+ repeated string patent_refs = 3;
+ // A reference to a previously defined `organizationalContact` or `organizationalEntity` object in the BOM. The value must be a valid `bom_ref` pointing to one of these objects.
+ Asserter asserter = 4;
+ // Additional notes or clarifications regarding the assertion, if necessary. For example, geographical restrictions, duration, or limitations of a license.
+ string notes = 5;
+}
+
+message Asserter {
+ oneof value {
+ // An organization
+ OrganizationalEntity organization = 1;
+ // An individual
+ OrganizationalContact individual = 2;
+ // A reference to a previously defined `organizationalContact` or `organizationalEntity` object in the BOM. The value must be a valid `bom_ref` pointing to one of these objects.
+ string ref = 3;
+ }
+}
+
+// The type of assertion being made about the patent or patent family. Examples include ownership, licensing, and standards inclusion.
+enum PatentAssertionType {
+ // Default
+ PATENT_ASSERTION_TYPE_UNSPECIFIED = 0;
+ // The manufacturer asserts ownership of the patent or patent family.
+ PATENT_ASSERTION_TYPE_OWNERSHIP = 1;
+ // The manufacturer asserts they have a license to use the patent or patent family.
+ PATENT_ASSERTION_TYPE_LICENSE = 2;
+ // A third party has asserted a claim or potential infringement against the manufacturer’s component or service.
+ PATENT_ASSERTION_TYPE_THIRD_PARTY_CLAIM = 3;
+ // The patent is part of a standard essential patent (SEP) portfolio relevant to the component or service.
+ PATENT_ASSERTION_TYPE_STANDARDS_INCLUSION = 4;
+ // The manufacturer asserts the patent or patent family as prior art that invalidates another patent or claim.
+ PATENT_ASSERTION_TYPE_PRIOR_ART = 5;
+ // The manufacturer asserts exclusive rights granted through a licensing agreement.
+ PATENT_ASSERTION_TYPE_EXCLUSIVE_RIGHTS = 6;
+ // he manufacturer asserts they will not enforce the patent or patent family against certain uses or users.
+ PATENT_ASSERTION_TYPE_NON_ASSERTION = 7;
+ // The patent or patent family is being used under a research or evaluation license.
+ PATENT_ASSERTION_TYPE_RESEARCH_OR_EVALUATION = 8;
+}
+
+// Details a specific attribution of data within the BOM to a contributing entity or process.
+message Citation {
+ message Pointers {
+ // Users of other serialisation formats (e.g.
XML) shall use the JSON Pointer format to ensure consistent field referencing across representations.
+ // Must contain at least 1 item.
+ repeated string pointer = 1;
+ }
+ message Expressions {
+ // Specifies a path expression used to locate a value within a BOM. The expression syntax shall conform to the format of the BOM's serialisation.
+ // Use [JSONPath](https://datatracker.ietf.org/doc/html/rfc9535) for JSON, [XPath](https://www.w3.org/TR/xpath/) for XML, and default to JSONPath for Protocol Buffers unless otherwise specified.
+ // Implementers shall ensure the expression is valid within the context of the applicable serialisation format. Use either "pointer" or "expression" but not both in this object.
+ // Must contain at least 1 item.
+ repeated string expression = 1;
+ }
+
+ // Unique identifier for the citation.
+ optional string bom_ref = 1;
+ // Exactly one of the "pointers" or "expressions" elements must be present.
+ oneof target {
+ // One or more JSON Pointers(https://datatracker.ietf.org/doc/html/rfc6901) identifying the BOM fields to which the attribution applies.
+ Pointers pointers = 2;
+ // One or more path expressions used to locate values within a BOM.
+ Expressions expressions = 3;
+ }
+ // Timestamp when the attribution was made or the information was supplied.
+ google.protobuf.Timestamp timestamp = 4;
+ // The `bom_ref` of an object, such as a component, service, tool, organisational entity, or person that supplied the cited information.
+ // At least one of the "attributed_to" or "process" elements must be present.
+ optional string attributed_to = 5;
+ // The `bom_ref` to a process (such as a formula, workflow, task, or step) defined in the `formulation` section that executed or generated the attributed data.
+ // At least one of the "attributed_to" or "process" elements must be present.
+ optional string process = 6;
+ // A description or comment about the context or quality of the data attribution.
+ optional string note = 7;
+}
diff --git a/schema/bom-1.7.schema.json b/schema/bom-1.7.schema.json
new file mode 100644
index 0000000..08d6a3c
--- /dev/null
+++ b/schema/bom-1.7.schema.json
@@ -0,0 +1,6700 @@
+{
+ "$schema": "http://json-schema.org/draft-07/schema#",
+ "$id": "http://cyclonedx.org/schema/bom-1.7.schema.json",
+ "type": "object",
+ "title": "CycloneDX Bill of Materials Standard",
+ "$comment" : "CycloneDX JSON schema is published under the terms of the Apache License 2.0.",
+ "required": [
+ "bomFormat",
+ "specVersion"
+ ],
+ "additionalProperties": false,
+ "properties": {
+ "$schema": {
+ "type": "string"
+ },
+ "bomFormat": {
+ "type": "string",
+ "title": "BOM Format",
+ "description": "Specifies the format of the BOM. This helps to identify the file as CycloneDX since BOMs do not have a filename convention, nor does JSON schema support namespaces. This value must be \"CycloneDX\".",
+ "enum": [
+ "CycloneDX"
+ ]
+ },
+ "specVersion": {
+ "type": "string",
+ "title": "CycloneDX Specification Version",
+ "description": "The version of the CycloneDX specification the BOM conforms to.",
+ "examples": ["1.7"]
+ },
+ "serialNumber": {
+ "type": "string",
+ "title": "BOM Serial Number",
+ "description": "Every BOM generated SHOULD have a unique serial number, even if the contents of the BOM have not changed over time. If specified, the serial number must conform to [RFC 4122](https://www.ietf.org/rfc/rfc4122.html). Use of serial numbers is recommended.",
+ "examples": ["urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79"],
+ "pattern": "^urn:uuid:[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$"
+ },
+ "version": {
+ "type": "integer",
+ "title": "BOM Version",
+ "description": "Whenever an existing BOM is modified, either manually or through automated processes, the version of the BOM SHOULD be incremented by 1. When a system is presented with multiple BOMs with identical serial numbers, the system SHOULD use the most recent version of the BOM.
The default version is '1'.",
+ "minimum": 1,
+ "default": 1,
+ "examples": [1]
+ },
+ "metadata": {
+ "$ref": "#/definitions/metadata",
+ "title": "BOM Metadata",
+ "description": "Provides additional information about a BOM."
+ },
+ "components": {
+ "type": "array",
+ "items": {"$ref": "#/definitions/component"},
+ "uniqueItems": true,
+ "title": "Components",
+ "description": "A list of software and hardware components."
+ },
+ "services": {
+ "type": "array",
+ "items": {"$ref": "#/definitions/service"},
+ "uniqueItems": true,
+ "title": "Services",
+ "description": "A list of services. This may include microservices, function-as-a-service, and other types of network or intra-process services."
+ },
+ "externalReferences": {
+ "type": "array",
+ "items": {"$ref": "#/definitions/externalReference"},
+ "title": "External References",
+ "description": "External references provide a way to document systems, sites, and information that may be relevant but are not included with the BOM. They may also establish specific relationships within or external to the BOM."
+ },
+ "dependencies": {
+ "type": "array",
+ "items": {"$ref": "#/definitions/dependency"},
+ "uniqueItems": true,
+ "title": "Dependencies",
+ "description": "Provides the ability to document dependency relationships including provided & implemented components."
+ },
+ "compositions": {
+ "type": "array",
+ "items": {"$ref": "#/definitions/compositions"},
+ "uniqueItems": true,
+ "title": "Compositions",
+ "description": "Compositions describe constituent parts (including components, services, and dependency relationships) and their completeness. The completeness of vulnerabilities expressed in a BOM may also be described."
+ },
+ "vulnerabilities": {
+ "type": "array",
+ "items": {"$ref": "#/definitions/vulnerability"},
+ "uniqueItems": true,
+ "title": "Vulnerabilities",
+ "description": "Vulnerabilities identified in components or services."
+ },
+ "annotations": {
+ "type": "array",
+ "items": {"$ref": "#/definitions/annotations"},
+ "uniqueItems": true,
+ "title": "Annotations",
+ "description": "Comments made by people, organizations, or tools about any object with a bom-ref, such as components, services, vulnerabilities, or the BOM itself. Unlike inventory information, annotations may contain opinions or commentary from various stakeholders. Annotations may be inline (with inventory) or externalized via BOM-Link and may optionally be signed."
+ },
+ "formulation": {
+ "type": "array",
+ "items": {"$ref": "#/definitions/formula"},
+ "uniqueItems": true,
+ "title": "Formulation",
+ "description": "Describes the formulation of any referencable object within the BOM, including components, services, metadata, declarations, or the BOM itself. This may encompass how the object was created, assembled, deployed, tested, certified, or otherwise brought into its present form. Common examples include software build pipelines, deployment processes, AI/ML model training, cryptographic key generation or certification, and third-party audits. Processes are modeled using declared and observed formulas, composed of workflows, tasks, and individual steps."
+ },
+ "declarations": {
+ "type": "object",
+ "title": "Declarations",
+ "description": "The list of declarations which describe the conformance to standards.
Each declaration may include attestations, claims, and evidence.",
+ "additionalProperties": false,
+ "properties": {
+ "assessors": {
+ "type": "array",
+ "title": "Assessors",
+ "description": "The list of assessors evaluating claims and determining conformance to requirements and confidence in that assessment.",
+ "items": {
+ "type": "object",
+ "title": "Assessor",
+ "description": "The assessor who evaluates claims and determines conformance to requirements and confidence in that assessment.",
+ "additionalProperties": false,
+ "properties": {
+ "bom-ref": {
+ "$ref": "#/definitions/refType",
+ "title": "BOM Reference",
+ "description": "An identifier which can be used to reference the object elsewhere in the BOM. Every `bom-ref` must be unique within the BOM."
+ },
+ "thirdParty": {
+ "type": "boolean",
+ "title": "Third Party",
+ "description": "The boolean indicating if the assessor is outside the organization generating claims. A value of false indicates a self assessor."
+ },
+ "organization": {
+ "$ref": "#/definitions/organizationalEntity",
+ "title": "Organization",
+ "description": "The entity issuing the assessment."
+ }
+ }
+ }
+ },
+ "attestations": {
+ "type": "array",
+ "title": "Attestations",
+ "description": "The list of attestations asserted by an assessor that maps requirements to claims.",
+ "items": {
+ "type": "object",
+ "title": "Attestation",
+ "additionalProperties": false,
+ "properties": {
+ "summary": {
+ "type": "string",
+ "title": "Summary",
+ "description": "The short description explaining the main points of the attestation."
+ },
+ "assessor": {
+ "$ref": "#/definitions/refLinkType",
+ "title": "Assessor",
+ "description": "The `bom-ref` to the assessor asserting the attestation."
+ },
+ "map": {
+ "type": "array",
+ "title": "Map",
+ "description": "The grouping of requirements to claims and the attestors declared conformance and confidence thereof.",
+ "items": {
+ "type": "object",
+ "title": "Map",
+ "additionalProperties": false,
+ "properties": {
+ "requirement": {
+ "$ref": "#/definitions/refLinkType",
+ "title": "Requirement",
+ "description": "The `bom-ref` to the requirement being attested to."
+ },
+ "claims": {
+ "type": "array",
+ "title": "Claims",
+ "description": "The list of `bom-ref` to the claims being attested to.",
+ "items": { "$ref": "#/definitions/refLinkType" }
+ },
+ "counterClaims": {
+ "type": "array",
+ "title": "Counter Claims",
+ "description": "The list of `bom-ref` to the counter claims being attested to.",
+ "items": { "$ref": "#/definitions/refLinkType" }
+ },
+ "conformance": {
+ "type": "object",
+ "title": "Conformance",
+ "description": "The conformance of the claim meeting a requirement.",
+ "additionalProperties": false,
+ "properties": {
+ "score": {
+ "type": "number",
+ "minimum": 0,
+ "maximum": 1,
+ "title": "Score",
+ "description": "The conformance of the claim between and inclusive of 0 and 1, where 1 is 100% conformance."
+ },
+ "rationale": {
+ "type": "string",
+ "title": "Rationale",
+ "description": "The rationale for the conformance score."
+ },
+ "mitigationStrategies": {
+ "type": "array",
+ "title": "Mitigation Strategies",
+ "description": "The list of `bom-ref` to the evidence provided describing the mitigation strategies.",
+ "items": { "$ref": "#/definitions/refLinkType" }
+ }
+ }
+ },
+ "confidence": {
+ "type": "object",
+ "title": "Confidence",
+ "description": "The confidence of the claim meeting the requirement.",
+ "additionalProperties": false,
+ "properties": {
+ "score": {
+ "type": "number",
+ "minimum": 0,
+ "maximum": 1,
+ "title": "Score",
+ "description": "The confidence of the claim between and inclusive of 0 and 1, where 1 is 100% confidence."
+ },
+ "rationale": {
+ "type": "string",
+ "title": "Rationale",
+ "description": "The rationale for the confidence score."
+ }
+ }
+ }
+ }
+ }
+ },
+ "signature": {
+ "$ref": "#/definitions/signature",
+ "title": "Signature",
+ "description": "Enveloped signature in [JSON Signature Format (JSF)](https://cyberphone.github.io/doc/security/jsf.html)."
+ }
+ }
+ }
+ },
+ "claims": {
+ "type": "array",
+ "title": "Claims",
+ "description": "The list of claims.",
+ "items": {
+ "type": "object",
+ "title": "Claim",
+ "additionalProperties": false,
+ "properties": {
+ "bom-ref": {
+ "$ref": "#/definitions/refType",
+ "title": "BOM Reference",
+ "description": "An identifier which can be used to reference the object elsewhere in the BOM. Every `bom-ref` must be unique within the BOM."
+ },
+ "target": {
+ "$ref": "#/definitions/refLinkType",
+ "title": "Target",
+ "description": "The `bom-ref` to a target representing a specific system, application, API, module, team, person, process, business unit, company, etc... that this claim is being applied to."
+ },
+ "predicate": {
+ "type": "string",
+ "title": "Predicate",
+ "description": "The specific statement or assertion about the target."
+ },
+ "mitigationStrategies": {
+ "type": "array",
+ "title": "Mitigation Strategies",
+ "description": "The list of `bom-ref` to the evidence provided describing the mitigation strategies. Each mitigation strategy should include an explanation of how any weaknesses in the evidence will be mitigated.",
+ "items": { "$ref": "#/definitions/refLinkType" }
+ },
+ "reasoning": {
+ "type": "string",
+ "title": "Reasoning",
+ "description": "The written explanation of why the evidence provided substantiates the claim."
+ }, + "evidence": { + "type": "array", + "title": "Evidence", + "description": "The list of `bom-ref` to evidence that supports this claim.", + "items": { "$ref": "#/definitions/refLinkType" } + }, + "counterEvidence": { + "type": "array", + "title": "Counter Evidence", + "description": "The list of `bom-ref` to counterEvidence that supports this claim.", + "items": { "$ref": "#/definitions/refLinkType" } + }, + "externalReferences": { + "type": "array", + "items": {"$ref": "#/definitions/externalReference"}, + "title": "External References", + "description": "External references provide a way to document systems, sites, and information that may be relevant but are not included with the BOM. They may also establish specific relationships within or external to the BOM." + }, + "signature": { + "$ref": "#/definitions/signature", + "title": "Signature", + "description": "Enveloped signature in [JSON Signature Format (JSF)](https://cyberphone.github.io/doc/security/jsf.html)." + } + } + } + }, + "evidence": { + "type": "array", + "title": "Evidence", + "description": "The list of evidence", + "items": { + "type": "object", + "title": "Evidence", + "additionalProperties": false, + "properties": { + "bom-ref": { + "$ref": "#/definitions/refType", + "title": "BOM Reference", + "description": "An identifier which can be used to reference the object elsewhere in the BOM. Every `bom-ref` must be unique within the BOM." + }, + "propertyName": { + "type": "string", + "title": "Property Name", + "description": "The reference to the property name as defined in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy/)." + }, + "description": { + "type": "string", + "title": "Description", + "description": "The written description of what this evidence is and how it was created." 
+ }, + "data": { + "type": "array", + "title": "Data", + "description": "The output or analysis that supports claims.", + "items": { + "type": "object", + "title": "Data", + "additionalProperties": false, + "properties": { + "name": { + "title": "Data Name", + "description": "The name of the data.", + "type": "string" + }, + "contents": { + "type": "object", + "title": "Data Contents", + "description": "The contents or references to the contents of the data being described.", + "additionalProperties": false, + "properties": { + "attachment": { + "title": "Data Attachment", + "description": "A way to include textual or encoded data.", + "$ref": "#/definitions/attachment" + }, + "url": { + "type": "string", + "title": "Data URL", + "description": "The URL to where the data can be retrieved.", + "format": "iri-reference" + } + } + }, + "classification": { + "$ref": "#/definitions/dataClassification" + }, + "sensitiveData": { + "type": "array", + "title": "Sensitive Data", + "description": "A description of any sensitive data included.", + "items": { + "type": "string" + } + }, + "governance": { + "title": "Data Governance", + "$ref": "#/definitions/dataGovernance" + } + } + } + }, + "created": { + "type": "string", + "format": "date-time", + "title": "Created", + "description": "The date and time (timestamp) when the evidence was created." + }, + "expires": { + "type": "string", + "format": "date-time", + "title": "Expires", + "description": "The date and time (timestamp) when the evidence is no longer valid." + }, + "author": { + "$ref": "#/definitions/organizationalContact", + "title": "Author", + "description": "The author of the evidence." + }, + "reviewer": { + "$ref": "#/definitions/organizationalContact", + "title": "Reviewer", + "description": "The reviewer of the evidence." 
+ }, + "signature": { + "$ref": "#/definitions/signature", + "title": "Signature", + "description": "Enveloped signature in [JSON Signature Format (JSF)](https://cyberphone.github.io/doc/security/jsf.html)." + } + } + } + }, + "targets": { + "type": "object", + "title": "Targets", + "description": "The list of targets which claims are made against.", + "additionalProperties": false, + "properties": { + "organizations": { + "type": "array", + "title": "Organizations", + "description": "The list of organizations which claims are made against.", + "items": {"$ref": "#/definitions/organizationalEntity"} + }, + "components": { + "type": "array", + "title": "Components", + "description": "The list of components which claims are made against.", + "items": {"$ref": "#/definitions/component"} + }, + "services": { + "type": "array", + "title": "Services", + "description": "The list of services which claims are made against.", + "items": {"$ref": "#/definitions/service"} + } + } + }, + "affirmation": { + "type": "object", + "title": "Affirmation", + "description": "A concise statement affirmed by an individual regarding all declarations, often used for third-party auditor acceptance or recipient acknowledgment. It includes a list of authorized signatories who assert the validity of the document on behalf of the organization.", + "additionalProperties": false, + "properties": { + "statement": { + "type": "string", + "title": "Statement", + "description": "The brief statement affirmed by an individual regarding all declarations.\n*- Notes This could be an affirmation of acceptance by a third-party auditor or receiving individual of a file.", + "examples": [ "I certify, to the best of my knowledge, that all information is correct." 
] + }, + "signatories": { + "type": "array", + "title": "Signatories", + "description": "The list of signatories authorized on behalf of an organization to assert validity of this document.", + "items": { + "type": "object", + "title": "Signatory", + "additionalProperties": false, + "oneOf": [ + { + "required": ["signature"] + }, + { + "required": ["externalReference", "organization"] + } + ], + "properties": { + "name": { + "type": "string", + "title": "Name", + "description": "The signatory's name." + }, + "role": { + "type": "string", + "title": "Role", + "description": "The signatory's role within an organization." + }, + "signature": { + "$ref": "#/definitions/signature", + "title": "Signature", + "description": "Enveloped signature in [JSON Signature Format (JSF)](https://cyberphone.github.io/doc/security/jsf.html)." + }, + "organization": { + "$ref": "#/definitions/organizationalEntity", + "title": "Organization", + "description": "The signatory's organization." + }, + "externalReference": { + "$ref": "#/definitions/externalReference", + "title": "External Reference", + "description": "External references provide a way to document systems, sites, and information that may be relevant but are not included with the BOM. They may also establish specific relationships within or external to the BOM." + } + } + } + }, + "signature": { + "$ref": "#/definitions/signature", + "title": "Signature", + "description": "Enveloped signature in [JSON Signature Format (JSF)](https://cyberphone.github.io/doc/security/jsf.html)." + } + } + }, + "signature": { + "$ref": "#/definitions/signature", + "title": "Signature", + "description": "Enveloped signature in [JSON Signature Format (JSF)](https://cyberphone.github.io/doc/security/jsf.html)." 
+ } + } + }, + "definitions": { + "type": "object", + "title": "Definitions", + "description": "A collection of reusable objects that are defined and may be used elsewhere in the BOM.", + "additionalProperties": false, + "properties": { + "standards": { + "type": "array", + "title": "Standards", + "description": "The list of standards which may consist of regulations, industry or organizational-specific standards, maturity models, best practices, or any other requirements which can be evaluated against or attested to.", + "items": { + "$ref": "#/definitions/standard" + } + }, + "patents": { + "type": "array", + "title": "Patents", + "description": "The list of either individual patents or patent families.", + "items": { + "anyOf": [ + { "$ref": "#/definitions/patent" }, + { "$ref": "#/definitions/patentFamily" } + ] + } + } + } + }, + "citations": { + "type": "array", + "items": {"$ref": "#/definitions/citation"}, + "uniqueItems": true, + "title": "Citations", + "description": "A collection of attributions indicating which entity supplied information for specific fields within the BOM." + }, + "properties": { + "type": "array", + "title": "Properties", + "description": "Provides the ability to document properties in a name-value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. Unlike key-value stores, properties support duplicate names, each potentially having different values. Property names of interest to the general public are encouraged to be registered in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy). Formal registration is optional.", + "items": { + "$ref": "#/definitions/property" + } + }, + "signature": { + "$ref": "#/definitions/signature", + "title": "Signature", + "description": "Enveloped signature in [JSON Signature Format (JSF)](https://cyberphone.github.io/doc/security/jsf.html)." 
+ } + }, + "definitions": { + "refType": { + "title": "BOM Reference", + "description": "Identifier for referable and therefore interlinkable elements.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links.", + "type": "string", + "minLength": 1, + "$comment": "TODO (breaking change): add a format constraint that prevents the value from staring with 'urn:cdx:'" + }, + "refLinkType": { + "title": "BOM Reference", + "description": "Descriptor for an element identified by the attribute 'bom-ref' in the same BOM document.\nIn contrast to `bomLinkElementType`.", + "$ref": "#/definitions/refType" + }, + "bomLinkDocumentType": { + "title": "BOM-Link Document", + "description": "Descriptor for another BOM document. See https://cyclonedx.org/capabilities/bomlink/", + "type": "string", + "format": "iri-reference", + "pattern": "^urn:cdx:[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}/[1-9][0-9]*$", + "$comment": "part of the pattern is based on `bom.serialNumber`'s pattern" + }, + "bomLinkElementType": { + "title": "BOM-Link Element", + "description": "Descriptor for an element in a BOM document. See https://cyclonedx.org/capabilities/bomlink/", + "type": "string", + "format": "iri-reference", + "pattern": "^urn:cdx:[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}/[1-9][0-9]*#.+$", + "$comment": "part of the pattern is based on `bom.serialNumber`'s pattern" + }, + "bomLink": { + "title": "BOM-Link", + "anyOf": [ + { + "title": "BOM-Link Document", + "$ref": "#/definitions/bomLinkDocumentType" + }, + { + "title": "BOM-Link Element", + "$ref": "#/definitions/bomLinkElementType" + } + ] + }, + "metadata": { + "type": "object", + "title": "BOM Metadata", + "additionalProperties": false, + "properties": { + "timestamp": { + "type": "string", + "format": "date-time", + "title": "Timestamp", + "description": "The date and time (timestamp) when the BOM was created." 
+ }, + "lifecycles": { + "type": "array", + "title": "Lifecycles", + "description": "Lifecycles communicate the stage(s) in which data in the BOM was captured. Different types of data may be available at various phases of a lifecycle, such as the Software Development Lifecycle (SDLC), IT Asset Management (ITAM), and Software Asset Management (SAM). Thus, a BOM may include data specific to or only obtainable in a given lifecycle.", + "items": { + "type": "object", + "title": "Lifecycle", + "description": "The product lifecycle(s) that this BOM represents.", + "oneOf": [ + { + "title": "Pre-Defined Phase", + "required": ["phase"], + "additionalProperties": false, + "properties": { + "phase": { + "type": "string", + "title": "Phase", + "description": "A pre-defined phase in the product lifecycle.", + "enum": [ + "design", + "pre-build", + "build", + "post-build", + "operations", + "discovery", + "decommission" + ], + "meta:enum": { + "design": "BOM produced early in the development lifecycle containing an inventory of components and services that are proposed or planned to be used. The inventory may need to be procured, retrieved, or resourced prior to use.", + "pre-build": "BOM consisting of information obtained prior to a build process and may contain source files and development artifacts and manifests. The inventory may need to be resolved and retrieved prior to use.", + "build": "BOM consisting of information obtained during a build process where component inventory is available for use. The precise versions of resolved components are usually available at this time as well as the provenance of where the components were retrieved from.", + "post-build": "BOM consisting of information obtained after a build process has completed and the resulting components(s) are available for further analysis. 
Built components may exist as the result of a CI/CD process, may have been installed or deployed to a system or device, and may need to be retrieved or extracted from the system or device.", + "operations": "BOM produced that represents inventory that is running and operational. This may include staging or production environments and will generally encompass multiple SBOMs describing the applications and operating system, along with HBOMs describing the hardware that makes up the system. Operations Bill of Materials (OBOM) can provide full-stack inventory of runtime environments, configurations, and additional dependencies.", + "discovery": "BOM consisting of information observed through network discovery providing point-in-time enumeration of embedded, on-premise, and cloud-native services such as server applications, connected devices, microservices, and serverless functions.", + "decommission": "BOM containing inventory that will be, or has been retired from operations." + } + } + } + }, + { + "title": "Custom Phase", + "required": ["name"], + "additionalProperties": false, + "properties": { + "name": { + "type": "string", + "title": "Name", + "description": "The name of the lifecycle phase" + }, + "description": { + "type": "string", + "title": "Description", + "description": "The description of the lifecycle phase" + } + } + } + ] + } + }, + "tools": { + "title": "Tools", + "description": "The tool(s) used in the creation, enrichment, and validation of the BOM.", + "oneOf": [ + { + "type": "object", + "title": "Tools", + "description": "The tool(s) used in the creation, enrichment, and validation of the BOM.", + "additionalProperties": false, + "properties": { + "components": { + "type": "array", + "items": {"$ref": "#/definitions/component"}, + "uniqueItems": true, + "title": "Components", + "description": "A list of software and hardware components used as tools." 
+ }, + "services": { + "type": "array", + "items": {"$ref": "#/definitions/service"}, + "uniqueItems": true, + "title": "Services", + "description": "A list of services used as tools. This may include microservices, function-as-a-service, and other types of network or intra-process services." + } + } + }, + { + "type": "array", + "title": "Tools (legacy)", + "description": "[Deprecated]\nThe tool(s) used in the creation, enrichment, and validation of the BOM.", + "deprecated": true, + "items": {"$ref": "#/definitions/tool"} + } + ] + }, + "manufacturer": { + "title": "BOM Manufacturer", + "description": "The organization that created the BOM.\nManufacturer is common in BOMs created through automated processes. BOMs created through manual means may have `@.authors` instead.", + "$ref": "#/definitions/organizationalEntity" + }, + "authors": { + "type": "array", + "title": "BOM Authors", + "description": "The person(s) who created the BOM.\nAuthors are common in BOMs created through manual processes. BOMs created through automated means may have `@.manufacturer` instead.", + "items": {"$ref": "#/definitions/organizationalContact"} + }, + "component": { + "title": "Component", + "description": "The component that the BOM describes.", + "$ref": "#/definitions/component" + }, + "manufacture": { + "deprecated": true, + "title": "Component Manufacture (legacy)", + "description": "[Deprecated] This will be removed in a future version. Use the `@.component.manufacturer` instead.\nThe organization that manufactured the component that the BOM describes.", + "$ref": "#/definitions/organizationalEntity" + }, + "supplier": { + "title": "Supplier", + "description": " The organization that supplied the component that the BOM describes. 
The supplier may often be the manufacturer, but may also be a distributor or repackager.", + "$ref": "#/definitions/organizationalEntity" + }, + "licenses": { + "title": "BOM License(s)", + "description": "The license information for the BOM document.\nThis may be different from the license(s) of the component(s) that the BOM describes.", + "$ref": "#/definitions/licenseChoice" + }, + "properties": { + "type": "array", + "title": "Properties", + "description": "Provides the ability to document properties in a name-value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. Unlike key-value stores, properties support duplicate names, each potentially having different values. Property names of interest to the general public are encouraged to be registered in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy). Formal registration is optional.", + "items": {"$ref": "#/definitions/property"} + }, + "distributionConstraints": { + "title": "Distribution Constraints", + "description": "Conditions and constraints governing the sharing and distribution of the data or components described by this BOM.", + "type": "object", + "properties": { + "tlp": { + "$ref": "#/definitions/tlpClassification", + "description": "The Traffic Light Protocol (TLP) classification that controls the sharing and distribution of the data that the BOM describes." + } + }, + "additionalProperties": false + } + } + }, + "tlpClassification": { + "title": "Traffic Light Protocol (TLP) Classification", + "description": "Traffic Light Protocol (TLP) is a classification system for identifying the potential risk associated with artefact, including whether it is subject to certain types of legal, financial, or technical threats. 
Refer to [https://www.first.org/tlp/](https://www.first.org/tlp/) for further information.\nThe default classification is \"CLEAR\"", + "type" : "string", + "default": "CLEAR", + "enum": [ + "CLEAR", + "GREEN", + "AMBER", + "AMBER_AND_STRICT", + "RED" + ], + "meta:enum": { + "CLEAR": "The information is not subject to any restrictions as regards the sharing.", + "GREEN": "The information is subject to limited disclosure, and recipients can share it within their community but not via publicly accessible channels.", + "AMBER": "The information is subject to limited disclosure, and recipients can only share it on a need-to-know basis within their organization and with clients.", + "AMBER_AND_STRICT": "The information is subject to limited disclosure, and recipients can only share it on a need-to-know basis within their organization.", + "RED": "The information is subject to restricted distribution to individual recipients only and must not be shared." + } + }, + "tool": { + "type": "object", + "title": "Tool", + "description": "[Deprecated] This will be removed in a future version. Use component or service instead.\nInformation about the automated or manual tool used", + "additionalProperties": false, + "deprecated": true, + "properties": { + "vendor": { + "type": "string", + "title": "Tool Vendor", + "description": "The name of the vendor who created the tool" + }, + "name": { + "type": "string", + "title": "Tool Name", + "description": "The name of the tool" + }, + "version": { + "$ref": "#/definitions/version", + "title": "Tool Version", + "description": "The version of the tool" + }, + "hashes": { + "type": "array", + "items": {"$ref": "#/definitions/hash"}, + "title": "Hashes", + "description": "The hashes of the tool (if applicable)." 
+ }, + "externalReferences": { + "type": "array", + "items": {"$ref": "#/definitions/externalReference"}, + "title": "External References", + "description": "External references provide a way to document systems, sites, and information that may be relevant, but are not included with the BOM. They may also establish specific relationships within or external to the BOM." + } + } + }, + "organizationalEntity": { + "type": "object", + "additionalProperties": false, + "properties": { + "bom-ref": { + "$ref": "#/definitions/refType", + "title": "BOM Reference", + "description": "An identifier which can be used to reference the object elsewhere in the BOM. Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links." + }, + "name": { + "type": "string", + "title": "Organization Name", + "description": "The name of the organization", + "examples": [ + "Example Inc." + ] + }, + "address": { + "$ref": "#/definitions/postalAddress", + "title": "Organization Address", + "description": "The physical address (location) of the organization" + }, + "url": { + "type": "array", + "items": { + "type": "string", + "format": "iri-reference" + }, + "title": "Organization URL(s)", + "description": "The URL of the organization. Multiple URLs are allowed.", + "examples": ["https://example.com"] + }, + "contact": { + "type": "array", + "title": "Organizational Contact", + "description": "A contact at the organization. Multiple contacts are allowed.", + "items": {"$ref": "#/definitions/organizationalContact"} + } + } + }, + "organizationalContact": { + "type": "object", + "additionalProperties": false, + "title": "Organizational Person", + "properties": { + "bom-ref": { + "$ref": "#/definitions/refType", + "title": "BOM Reference", + "description": "An identifier which can be used to reference the object elsewhere in the BOM. 
Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links." + }, + "name": { + "type": "string", + "title": "Name", + "description": "The name of a contact", + "examples": ["Contact name"] + }, + "email": { + "type": "string", + "format": "idn-email", + "title": "Email Address", + "description": "The email address of the contact.", + "examples": ["firstname.lastname@example.com"] + }, + "phone": { + "type": "string", + "title": "Phone", + "description": "The phone number of the contact.", + "examples": ["800-555-1212"] + } + } + }, + "component": { + "type": "object", + "title": "Component", + "required": [ + "type", + "name" + ], + "additionalProperties": false, + "properties": { + "type": { + "type": "string", + "enum": [ + "application", + "framework", + "library", + "container", + "platform", + "operating-system", + "device", + "device-driver", + "firmware", + "file", + "machine-learning-model", + "data", + "cryptographic-asset" + ], + "meta:enum": { + "application": "A software application. Refer to [https://en.wikipedia.org/wiki/Application_software](https://en.wikipedia.org/wiki/Application_software) for information about applications.", + "framework": "A software framework. Refer to [https://en.wikipedia.org/wiki/Software_framework](https://en.wikipedia.org/wiki/Software_framework) for information on how frameworks vary slightly from libraries.", + "library": "A software library. Refer to [https://en.wikipedia.org/wiki/Library_(computing)](https://en.wikipedia.org/wiki/Library_(computing)) for information about libraries. All third-party and open source reusable components will likely be a library. If the library also has key features of a framework, then it should be classified as a framework. 
If not, or is unknown, then specifying library is recommended.", + "container": "A packaging and/or runtime format, not specific to any particular technology, which isolates software inside the container from software outside of a container through virtualization technology. Refer to [https://en.wikipedia.org/wiki/OS-level_virtualization](https://en.wikipedia.org/wiki/OS-level_virtualization).", + "platform": "A runtime environment that interprets or executes software. This may include runtimes such as those that execute bytecode, just-in-time compilers, interpreters, or low-code/no-code application platforms.", + "operating-system": "A software operating system without regard to deployment model (i.e. installed on physical hardware, virtual machine, image, etc) Refer to [https://en.wikipedia.org/wiki/Operating_system](https://en.wikipedia.org/wiki/Operating_system).", + "device": "A hardware device such as a processor or chip-set. A hardware device containing firmware SHOULD include a component for the physical hardware itself and another component of type 'firmware' or 'operating-system' (whichever is relevant), describing information about the software running on the device. See also the list of [known device properties](https://github.com/CycloneDX/cyclonedx-property-taxonomy/blob/main/cdx/device.md).", + "device-driver": "A special type of software that operates or controls a particular type of device. Refer to [https://en.wikipedia.org/wiki/Device_driver](https://en.wikipedia.org/wiki/Device_driver).", + "firmware": "A special type of software that provides low-level control over a device's hardware. Refer to [https://en.wikipedia.org/wiki/Firmware](https://en.wikipedia.org/wiki/Firmware).", + "file": "A computer file. 
Refer to [https://en.wikipedia.org/wiki/Computer_file](https://en.wikipedia.org/wiki/Computer_file) for information about files.", + "machine-learning-model": "A model based on training data that can make predictions or decisions without being explicitly programmed to do so.", + "data": "A collection of discrete values that convey information.", + "cryptographic-asset": "A cryptographic asset including algorithms, protocols, certificates, keys, tokens, and secrets." + }, + "title": "Component Type", + "description": "Specifies the type of component. For software components, classify as application if no more specific appropriate classification is available or cannot be determined for the component.", + "examples": ["library"] + }, + "mime-type": { + "type": "string", + "title": "Mime-Type", + "description": "The mime-type of the component. When used on file components, the mime-type can provide additional context about the kind of file being represented, such as an image, font, or executable. Some library or framework components may also have an associated mime-type.", + "examples": ["image/jpeg"], + "pattern": "^[-+a-z0-9.]+/[-+a-z0-9.]+$" + }, + "bom-ref": { + "$ref": "#/definitions/refType", + "title": "BOM Reference", + "description": "An identifier which can be used to reference the component elsewhere in the BOM. Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links." + }, + "supplier": { + "title": "Component Supplier", + "description": " The organization that supplied the component. The supplier may often be the manufacturer, but may also be a distributor or repackager.", + "$ref": "#/definitions/organizationalEntity" + }, + "manufacturer": { + "title": "Component Manufacturer", + "description": "The organization that created the component.\nManufacturer is common in components created through automated processes. 
Components created through manual means may have `@.authors` instead.", + "$ref": "#/definitions/organizationalEntity" + }, + "authors" :{ + "type": "array", + "title": "Component Authors", + "description": "The person(s) who created the component.\nAuthors are common in components created through manual processes. Components created through automated means may have `@.manufacturer` instead.", + "items": {"$ref": "#/definitions/organizationalContact"} + }, + "author": { + "deprecated": true, + "type": "string", + "title": "Component Author (legacy)", + "description": "[Deprecated] This will be removed in a future version. Use `@.authors` or `@.manufacturer` instead.\nThe person(s) or organization(s) that authored the component", + "examples": ["Acme Inc"] + }, + "publisher": { + "type": "string", + "title": "Component Publisher", + "description": "The person(s) or organization(s) that published the component", + "examples": ["Acme Inc"] + }, + "group": { + "type": "string", + "title": "Component Group", + "description": "The grouping name or identifier. This will often be a shortened, single name of the company or project that produced the component, or the source package or domain name. Whitespace and special characters should be avoided. Examples include: apache, org.apache.commons, and apache.org.", + "examples": ["com.acme"] + }, + "name": { + "type": "string", + "title": "Component Name", + "description": "The name of the component. This will often be a shortened, single name of the component. Examples: commons-lang3 and jquery", + "examples": ["tomcat-catalina"] + }, + "version": { + "$ref": "#/definitions/version", + "title": "Component Version", + "description": "The component version. The version should ideally comply with semantic versioning but is not enforced.\nMust be used exclusively, either 'version' or 'versionRange', but not both." 
+ }, + "versionRange": { + "$ref": "#/definitions/versionRange", + "title": "Component Version Range", + "description": "For an external component, this specifies the accepted version range.\nThe value must adhere to the Package URL Version Range syntax (vers), as defined at A list of zero or more patches describing how the component deviates from an ancestor, descendant, or variant. Patches may be complementary to commits or may be used in place of commits.", + "items": {"$ref": "#/definitions/patch"} + }, + "notes": { + "type": "string", + "title": "Notes", + "description": "Notes, observations, and other non-structured commentary describing the components pedigree." + } + } + }, + "externalReferences": { + "type": "array", + "items": {"$ref": "#/definitions/externalReference"}, + "title": "External References", + "description": "External references provide a way to document systems, sites, and information that may be relevant but are not included with the BOM. They may also establish specific relationships within or external to the BOM." + }, + "components": { + "type": "array", + "items": {"$ref": "#/definitions/component"}, + "uniqueItems": true, + "title": "Components", + "description": "A list of software and hardware components included in the parent component. This is not a dependency tree. It provides a way to specify a hierarchical representation of component assemblies, similar to system → subsystem → parts assembly in physical supply chains." + }, + "evidence": { + "$ref": "#/definitions/componentEvidence", + "title": "Evidence", + "description": "Provides the ability to document evidence collected through various forms of extraction or analysis." + }, + "releaseNotes": { + "$ref": "#/definitions/releaseNotes", + "title": "Release notes", + "description": "Specifies release notes." 
+ }, + "modelCard": { + "$ref": "#/definitions/modelCard", + "title": "AI/ML Model Card" + }, + "data": { + "type": "array", + "items": {"$ref": "#/definitions/componentData"}, + "title": "Data", + "description": "This object SHOULD be specified for any component of type `data` and must not be specified for other component types." + }, + "cryptoProperties": { + "$ref": "#/definitions/cryptoProperties", + "title": "Cryptographic Properties" + }, + "properties": { + "type": "array", + "title": "Properties", + "description": "Provides the ability to document properties in a name-value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. Unlike key-value stores, properties support duplicate names, each potentially having different values. Property names of interest to the general public are encouraged to be registered in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy). Formal registration is optional.", + "items": {"$ref": "#/definitions/property"} + }, + "tags": { + "$ref": "#/definitions/tags", + "title": "Tags" + }, + "signature": { + "$ref": "#/definitions/signature", + "title": "Signature", + "description": "Enveloped signature in [JSON Signature Format (JSF)](https://cyberphone.github.io/doc/security/jsf.html)." 
+ } + }, + "allOf": [ + { + "description": "Requirement: ensure that `version` and `versionRange` are not present simultaneously.", + "not": { + "required": ["version", "versionRange"] + } + }, + { + "description": "Requirement: 'versionRange' must not be present when 'isExternal' is `false`.", + "if": { + "properties": { "isExternal": { "const": false } } + }, + "then": { + "not": { "required": ["versionRange"] } + }, + "else": true + } + ] + }, + "swid": { + "type": "object", + "title": "SWID Tag", + "description": "Specifies metadata and content for ISO-IEC 19770-2 Software Identification (SWID) Tags.", + "required": [ + "tagId", + "name" + ], + "additionalProperties": false, + "properties": { + "tagId": { + "type": "string", + "title": "Tag ID", + "description": "Maps to the tagId of a SoftwareIdentity." + }, + "name": { + "type": "string", + "title": "Name", + "description": "Maps to the name of a SoftwareIdentity." + }, + "version": { + "type": "string", + "title": "Version", + "default": "0.0", + "description": "Maps to the version of a SoftwareIdentity." + }, + "tagVersion": { + "type": "integer", + "title": "Tag Version", + "default": 0, + "description": "Maps to the tagVersion of a SoftwareIdentity." + }, + "patch": { + "type": "boolean", + "title": "Patch", + "default": false, + "description": "Maps to the patch of a SoftwareIdentity." 
+ }, + "text": { + "title": "Attachment text", + "description": "Specifies the metadata and content of the SWID tag.", + "$ref": "#/definitions/attachment" + }, + "url": { + "type": "string", + "title": "URL", + "description": "The URL to the SWID file.", + "format": "iri-reference" + } + } + }, + "attachment": { + "type": "object", + "title": "Attachment", + "description": "Specifies the metadata and content for an attachment.", + "required": [ + "content" + ], + "additionalProperties": false, + "properties": { + "contentType": { + "type": "string", + "title": "Content-Type", + "description": "Specifies the format and nature of the data being attached, helping systems correctly interpret and process the content. Common content type examples include `application/json` for JSON data and `text/plain` for plan text documents.\n [RFC 2045 section 5.1](https://www.ietf.org/rfc/rfc2045.html#section-5.1) outlines the structure and use of content types. For a comprehensive list of registered content types, refer to the [IANA media types registry](https://www.iana.org/assignments/media-types/media-types.xhtml).", + "default": "text/plain", + "examples": [ + "text/plain", + "application/json", + "image/png" + ] + }, + "encoding": { + "type": "string", + "title": "Encoding", + "description": "Specifies the encoding the text is represented in.", + "enum": [ + "base64" + ], + "meta:enum": { + "base64": "Base64 is a binary-to-text encoding scheme that represents binary data in an ASCII string." + } + }, + "content": { + "type": "string", + "title": "Attachment Text", + "description": "The attachment data. Proactive controls such as input validation and sanitization should be employed to prevent misuse of attachment text." 
+ } + } + }, + "hash": { + "type": "object", + "title": "Hash", + "required": [ + "alg", + "content" + ], + "additionalProperties": false, + "properties": { + "alg": { + "$ref": "#/definitions/hash-alg" + }, + "content": { + "$ref": "#/definitions/hash-content" + } + } + }, + "hash-alg": { + "type": "string", + "title": "Hash Algorithm", + "description": "The algorithm that generated the hash value.", + "enum": [ + "MD5", + "SHA-1", + "SHA-256", + "SHA-384", + "SHA-512", + "SHA3-256", + "SHA3-384", + "SHA3-512", + "BLAKE2b-256", + "BLAKE2b-384", + "BLAKE2b-512", + "BLAKE3", + "Streebog-256", + "Streebog-512" + ] + }, + "hash-content": { + "type": "string", + "title": "Hash Value", + "description": "The value of the hash.", + "examples": ["3942447fac867ae5cdb3229b658f4d48"], + "pattern": "^([a-fA-F0-9]{32}|[a-fA-F0-9]{40}|[a-fA-F0-9]{64}|[a-fA-F0-9]{96}|[a-fA-F0-9]{128})$" + }, + "licensing": { + "type": "object", + "title": "Licensing information", + "description": "Licensing details describing the licensor/licensee, license type, renewal and expiration dates, and other important metadata", + "additionalProperties": false, + "properties": { + "altIds": { + "type": "array", + "title": "Alternate License Identifiers", + "description": "License identifiers that may be used to manage licenses and their lifecycle", + "items": { + "type": "string" + } + }, + "licensor": { + "title": "Licensor", + "description": "The individual or organization that grants a license to another individual or organization", + "type": "object", + "additionalProperties": false, + "properties": { + "organization": { + "title": "Licensor (Organization)", + "description": "The organization that granted the license", + "$ref": "#/definitions/organizationalEntity" + }, + "individual": { + "title": "Licensor (Individual)", + "description": "The individual, not associated with an organization, that granted the license", + "$ref": "#/definitions/organizationalContact" + } + }, + "oneOf":[ + { + 
"required": ["organization"] + }, + { + "required": ["individual"] + } + ] + }, + "licensee": { + "title": "Licensee", + "description": "The individual or organization for which a license was granted to", + "type": "object", + "additionalProperties": false, + "properties": { + "organization": { + "title": "Licensee (Organization)", + "description": "The organization that was granted the license", + "$ref": "#/definitions/organizationalEntity" + }, + "individual": { + "title": "Licensee (Individual)", + "description": "The individual, not associated with an organization, that was granted the license", + "$ref": "#/definitions/organizationalContact" + } + }, + "oneOf":[ + { + "required": ["organization"] + }, + { + "required": ["individual"] + } + ] + }, + "purchaser": { + "title": "Purchaser", + "description": "The individual or organization that purchased the license", + "type": "object", + "additionalProperties": false, + "properties": { + "organization": { + "title": "Purchaser (Organization)", + "description": "The organization that purchased the license", + "$ref": "#/definitions/organizationalEntity" + }, + "individual": { + "title": "Purchaser (Individual)", + "description": "The individual, not associated with an organization, that purchased the license", + "$ref": "#/definitions/organizationalContact" + } + }, + "oneOf":[ + { + "required": ["organization"] + }, + { + "required": ["individual"] + } + ] + }, + "purchaseOrder": { + "type": "string", + "title": "Purchase Order", + "description": "The purchase order identifier the purchaser sent to a supplier or vendor to authorize a purchase" + }, + "licenseTypes": { + "type": "array", + "title": "License Type", + "description": "The type of license(s) that was granted to the licensee.", + "items": { + "type": "string", + "enum": [ + "academic", + "appliance", + "client-access", + "concurrent-user", + "core-points", + "custom-metric", + "device", + "evaluation", + "named-user", + "node-locked", + "oem", + 
"perpetual", + "processor-points", + "subscription", + "user", + "other" + ], + "meta:enum": { + "academic": "A license that grants use of software solely for the purpose of education or research.", + "appliance": "A license covering use of software embedded in a specific piece of hardware.", + "client-access": "A Client Access License (CAL) allows client computers to access services provided by server software.", + "concurrent-user": "A Concurrent User license (aka floating license) limits the number of licenses for a software application and licenses are shared among a larger number of users.", + "core-points": "A license where the core of a computer's processor is assigned a specific number of points.", + "custom-metric": "A license for which consumption is measured by non-standard metrics.", + "device": "A license that covers a defined number of installations on computers and other types of devices.", + "evaluation": "A license that grants permission to install and use software for trial purposes.", + "named-user": "A license that grants access to the software to one or more pre-defined users.", + "node-locked": "A license that grants access to the software on one or more pre-defined computers or devices.", + "oem": "An Original Equipment Manufacturer license that is delivered with hardware, cannot be transferred to other hardware, and is valid for the life of the hardware.", + "perpetual": "A license where the software is sold on a one-time basis and the licensee can use a copy of the software indefinitely.", + "processor-points": "A license where each installation consumes points per processor.", + "subscription": "A license where the licensee pays a fee to use the software or service.", + "user": "A license that grants access to the software or service by a specified number of users.", + "other": "Another license type." 
+ } + } + }, + "lastRenewal": { + "type": "string", + "format": "date-time", + "title": "Last Renewal", + "description": "The timestamp indicating when the license was last renewed. For new purchases, this is often the purchase or acquisition date. For non-perpetual licenses or subscriptions, this is the timestamp of when the license was last renewed." + }, + "expiration": { + "type": "string", + "format": "date-time", + "title": "Expiration", + "description": "The timestamp indicating when the current license expires (if applicable)." + } + } + }, + "license": { + "type": "object", + "title": "License", + "description": "Specifies the details and attributes related to a software license. It can either include a valid SPDX license identifier or a named license, along with additional properties such as license acknowledgment, comprehensive commercial licensing information, and the full text of the license.", + "oneOf": [ + { + "required": ["id"] + }, + { + "required": ["name"] + } + ], + "additionalProperties": false, + "properties": { + "bom-ref": { + "$ref": "#/definitions/refType", + "title": "BOM Reference", + "description": "An identifier which can be used to reference the license elsewhere in the BOM. Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links." + }, + "id": { + "$ref": "spdx.schema.json", + "title": "License ID (SPDX)", + "description": "A valid SPDX license identifier. If specified, this value must be one of the enumeration of valid SPDX license identifiers defined in the spdx.schema.json (or spdx.xml) subschema which is synchronized with the official SPDX license list.", + "examples": ["Apache-2.0"] + }, + "name": { + "type": "string", + "title": "License Name", + "description": "The name of the license. 
This may include the name of a commercial or proprietary license or an open source license that may not be defined by SPDX.", + "examples": ["Acme Software License"] + }, + "acknowledgement": { + "$ref": "#/definitions/licenseAcknowledgementEnumeration" + }, + "text": { + "title": "License text", + "description": "A way to include the textual content of a license.", + "$ref": "#/definitions/attachment" + }, + "url": { + "type": "string", + "title": "License URL", + "description": "The URL to the license file. If specified, a 'license' externalReference should also be specified for completeness", + "examples": ["https://www.apache.org/licenses/LICENSE-2.0.txt"], + "format": "iri-reference" + }, + "licensing": {"$ref": "#/definitions/licensing"}, + "properties": { + "type": "array", + "title": "Properties", + "description": "Provides the ability to document properties in a name-value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. Unlike key-value stores, properties support duplicate names, each potentially having different values. Property names of interest to the general public are encouraged to be registered in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy). Formal registration is optional.", + "items": {"$ref": "#/definitions/property"} + } + } + }, + "licenseAcknowledgementEnumeration": { + "title": "License Acknowledgement", + "description": "Declared licenses and concluded licenses represent two different stages in the licensing process within software development. Declared licenses refer to the initial intention of the software authors regarding the licensing terms under which their code is released. 
On the other hand, concluded licenses are the result of a comprehensive analysis of the project's codebase to identify and confirm the actual licenses of the components used, which may differ from the initially declared licenses. While declared licenses provide an upfront indication of the licensing intentions, concluded licenses offer a more thorough understanding of the actual licensing within a project, facilitating proper compliance and risk management. Observed licenses are defined in `@.evidence.licenses`. Observed licenses form the evidence necessary to substantiate a concluded license.", + "type": "string", + "enum": [ + "declared", + "concluded" + ], + "meta:enum": { + "declared": "Declared licenses represent the initial intentions of authors regarding the licensing terms of their code.", + "concluded": "Concluded licenses are verified and confirmed." + } + }, + "licenseChoice": { + "title": "License Choice", + "description": "A list of SPDX licenses and/or named licenses and/or SPDX License Expression.", + "type": "array", + "items": { + "oneOf": [ + { + "type": "object", + "title": "License", + "required": [ + "license" + ], + "additionalProperties": false, + "properties": { + "license": { + "$ref": "#/definitions/license" + } + } + }, + { + "title": "License Expression", + "description": "Specifies the details and attributes related to a software license.\nIt must be a valid SPDX license expression, along with additional properties such as license acknowledgment.", + "type": "object", + "additionalProperties": false, + "required": [ + "expression" + ], + "properties": { + "expression": { + "type": "string", + "title": "SPDX License Expression", + "description": "A valid SPDX license expression.\nRefer to https://spdx.org/specifications for syntax requirements.", + "examples": [ + "Apache-2.0 AND (MIT OR GPL-2.0-only)", + "GPL-3.0-only WITH Classpath-exception-2.0" + ] + }, + "expressionDetails": { + "title": "Expression Details", + "description": 
"Details for parts of the `expression`.", + "type": "array", + "items": { + "type": "object", + "description": "This document specifies the details and attributes related to a software license identifier. An SPDX expression may be a compound of license identifiers.\nThe `license_identifier` property serves as the key that identifies each record. Note that this key is not required to be unique, as the same license identifier could apply to multiple, different but similar license details, texts, etc.", + "required": [ + "licenseIdentifier" + ], + "properties": { + "licenseIdentifier": { + "title": "License Identifier", + "description": "The valid SPDX license identifier. Refer to https://spdx.org/specifications for syntax requirements.\nThis property serves as the primary key, which uniquely identifies each record.", + "type": "string", + "examples": [ + "Apache-2.0", + "GPL-3.0-only WITH Classpath-exception-2.0", + "LicenseRef-my-custom-license" + ] + }, + "bom-ref": { + "$ref": "#/definitions/refType", + "title": "BOM Reference", + "description": "An identifier which can be used to reference the license elsewhere in the BOM. Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links." + }, + "text": { + "title": "License texts", + "description": "A way to include the textual content of the license.", + "$ref": "#/definitions/attachment" + }, + "url": { + "type": "string", + "title": "License URL", + "description": "The URL to the license file. 
If specified, a 'license' externalReference should also be specified for completeness", + "examples": [ + "https://www.apache.org/licenses/LICENSE-2.0.txt" + ], + "format": "iri-reference" + } + }, + "additionalProperties": false + } + }, + "acknowledgement": { + "$ref": "#/definitions/licenseAcknowledgementEnumeration" + }, + "bom-ref": { + "$ref": "#/definitions/refType", + "title": "BOM Reference", + "description": "An identifier which can be used to reference the license elsewhere in the BOM. Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links." + }, + "licensing": { + "$ref": "#/definitions/licensing" + }, + "properties": { + "type": "array", + "title": "Properties", + "description": "Provides the ability to document properties in a name-value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. Unlike key-value stores, properties support duplicate names, each potentially having different values. Property names of interest to the general public are encouraged to be registered in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy). Formal registration is optional.", + "items": { + "$ref": "#/definitions/property" + } + } + } + } + ] + } + }, + "commit": { + "type": "object", + "title": "Commit", + "description": "Specifies an individual commit", + "additionalProperties": false, + "properties": { + "uid": { + "type": "string", + "title": "UID", + "description": "A unique identifier of the commit. This may be version control specific. For example, Subversion uses revision numbers whereas git uses commit hashes." + }, + "url": { + "type": "string", + "title": "URL", + "description": "The URL to the commit. 
This URL will typically point to a commit in a version control system.", + "format": "iri-reference" + }, + "author": { + "title": "Author", + "description": "The author who created the changes in the commit", + "$ref": "#/definitions/identifiableAction" + }, + "committer": { + "title": "Committer", + "description": "The person who committed or pushed the commit", + "$ref": "#/definitions/identifiableAction" + }, + "message": { + "type": "string", + "title": "Message", + "description": "The text description of the contents of the commit" + } + } + }, + "patch": { + "type": "object", + "title": "Patch", + "description": "Specifies an individual patch", + "required": [ + "type" + ], + "additionalProperties": false, + "properties": { + "type": { + "type": "string", + "enum": [ + "unofficial", + "monkey", + "backport", + "cherry-pick" + ], + "meta:enum": { + "unofficial": "A patch which is not developed by the creators or maintainers of the software being patched. Refer to [https://en.wikipedia.org/wiki/Unofficial_patch](https://en.wikipedia.org/wiki/Unofficial_patch).", + "monkey": "A patch which dynamically modifies runtime behavior. Refer to [https://en.wikipedia.org/wiki/Monkey_patch](https://en.wikipedia.org/wiki/Monkey_patch).", + "backport": "A patch which takes code from a newer version of the software and applies it to older versions of the same software. Refer to [https://en.wikipedia.org/wiki/Backporting](https://en.wikipedia.org/wiki/Backporting).", + "cherry-pick": "A patch created by selectively applying commits from other versions or branches of the same software." + }, + "title": "Patch Type", + "description": "Specifies the purpose for the patch including the resolution of defects, security issues, or new behavior or functionality." + }, + "diff": { + "title": "Diff", + "description": "The patch file (or diff) that shows changes. 
Refer to [https://en.wikipedia.org/wiki/Diff](https://en.wikipedia.org/wiki/Diff)", + "$ref": "#/definitions/diff" + }, + "resolves": { + "type": "array", + "items": {"$ref": "#/definitions/issue"}, + "title": "Resolves", + "description": "A collection of issues the patch resolves" + } + } + }, + "diff": { + "type": "object", + "title": "Diff", + "description": "The patch file (or diff) that shows changes. Refer to https://en.wikipedia.org/wiki/Diff", + "additionalProperties": false, + "properties": { + "text": { + "title": "Diff text", + "description": "Specifies the text of the diff", + "$ref": "#/definitions/attachment" + }, + "url": { + "type": "string", + "title": "URL", + "description": "Specifies the URL to the diff", + "format": "iri-reference" + } + } + }, + "issue": { + "type": "object", + "title": "Issue", + "description": "An individual issue that has been resolved.", + "required": [ + "type" + ], + "additionalProperties": false, + "properties": { + "type": { + "type": "string", + "enum": [ + "defect", + "enhancement", + "security" + ], + "meta:enum": { + "defect": "A fault, flaw, or bug in software.", + "enhancement": "A new feature or behavior in software.", + "security": "A special type of defect which impacts security." 
+ }, + "title": "Issue Type", + "description": "Specifies the type of issue" + }, + "id": { + "type": "string", + "title": "Issue ID", + "description": "The identifier of the issue assigned by the source of the issue" + }, + "name": { + "type": "string", + "title": "Issue Name", + "description": "The name of the issue" + }, + "description": { + "type": "string", + "title": "Issue Description", + "description": "A description of the issue" + }, + "source": { + "type": "object", + "title": "Source", + "description": "The source of the issue where it is documented", + "additionalProperties": false, + "properties": { + "name": { + "type": "string", + "title": "Name", + "description": "The name of the source.", + "examples": [ + "National Vulnerability Database", + "NVD", + "Apache" + ] + }, + "url": { + "type": "string", + "title": "URL", + "description": "The url of the issue documentation as provided by the source", + "format": "iri-reference" + } + } + }, + "references": { + "type": "array", + "items": { + "type": "string", + "format": "iri-reference" + }, + "title": "References", + "description": "A collection of URL's for reference. 
Multiple URLs are allowed.", + "examples": ["https://example.com"] + } + } + }, + "identifiableAction": { + "type": "object", + "title": "Identifiable Action", + "description": "Specifies an individual commit", + "additionalProperties": false, + "properties": { + "timestamp": { + "type": "string", + "format": "date-time", + "title": "Timestamp", + "description": "The timestamp in which the action occurred" + }, + "name": { + "type": "string", + "title": "Name", + "description": "The name of the individual who performed the action" + }, + "email": { + "type": "string", + "format": "idn-email", + "title": "E-mail", + "description": "The email address of the individual who performed the action" + } + } + }, + "externalReference": { + "type": "object", + "title": "External Reference", + "description": "External references provide a way to document systems, sites, and information that may be relevant but are not included with the BOM. They may also establish specific relationships within or external to the BOM.", + "required": [ + "url", + "type" + ], + "additionalProperties": false, + "properties": { + "url": { + "anyOf": [ + { + "title": "URL", + "type": "string", + "format": "iri-reference" + }, + { + "title": "BOM-Link", + "$ref": "#/definitions/bomLink" + } + ], + "title": "URL", + "description": "The URI (URL or URN) to the external reference. External references are URIs and therefore can accept any URL scheme including https ([RFC-7230](https://www.ietf.org/rfc/rfc7230.txt)), mailto ([RFC-2368](https://www.ietf.org/rfc/rfc2368.txt)), tel ([RFC-3966](https://www.ietf.org/rfc/rfc3966.txt)), and dns ([RFC-4501](https://www.ietf.org/rfc/rfc4501.txt)). External references may also include formally registered URNs such as [CycloneDX BOM-Link](https://cyclonedx.org/capabilities/bomlink/) to reference CycloneDX BOMs or any object within a BOM. BOM-Link transforms applicable external references into relationships that can be expressed in a BOM or across BOMs." 
+ }, + "comment": { + "type": "string", + "title": "Comment", + "description": "A comment describing the external reference" + }, + "type": { + "type": "string", + "title": "Type", + "description": "Specifies the type of external reference.", + "enum": [ + "vcs", + "issue-tracker", + "website", + "advisories", + "bom", + "mailing-list", + "social", + "chat", + "documentation", + "support", + "source-distribution", + "distribution", + "distribution-intake", + "license", + "build-meta", + "build-system", + "release-notes", + "security-contact", + "model-card", + "log", + "configuration", + "evidence", + "formulation", + "attestation", + "threat-model", + "adversary-model", + "risk-assessment", + "vulnerability-assertion", + "exploitability-statement", + "pentest-report", + "static-analysis-report", + "dynamic-analysis-report", + "runtime-analysis-report", + "component-analysis-report", + "maturity-report", + "certification-report", + "codified-infrastructure", + "quality-metrics", + "poam", + "electronic-signature", + "digital-signature", + "rfc-9116", + "patent", + "patent-family", + "patent-assertion", + "citation", + "other" + ], + "meta:enum": { + "vcs": "Version Control System", + "issue-tracker": "Issue or defect tracking system, or an Application Lifecycle Management (ALM) system", + "website": "Website", + "advisories": "Security advisories", + "bom": "Bill of Materials (SBOM, OBOM, HBOM, SaaSBOM, etc)", + "mailing-list": "Mailing list or discussion group", + "social": "Social media account", + "chat": "Real-time chat platform", + "documentation": "Documentation, guides, or how-to instructions", + "support": "Community or commercial support", + "source-distribution": "The location where the source code distributable can be obtained. This is often an archive format such as zip or tgz. 
The source-distribution type complements use of the version control (vcs) type.", + "distribution": "Direct or repository download location", + "distribution-intake": "The location where a component was published to. This is often the same as \"distribution\" but may also include specialized publishing processes that act as an intermediary.", + "license": "The reference to the license file. If a license URL has been defined in the license node, it should also be defined as an external reference for completeness.", + "build-meta": "Build-system specific meta file (i.e. pom.xml, package.json, .nuspec, etc)", + "build-system": "Reference to an automated build system", + "release-notes": "Reference to release notes", + "security-contact": "Specifies a way to contact the maintainer, supplier, or provider in the event of a security incident. Common URIs include links to a disclosure procedure, a mailto (RFC-2368) that specifies an email address, a tel (RFC-3966) that specifies a phone number, or dns (RFC-4501) that specifies the records containing DNS Security TXT.", + "model-card": "A model card describes the intended uses of a machine learning model, potential limitations, biases, ethical considerations, training parameters, datasets used to train the model, performance metrics, and other relevant data useful for ML transparency.", + "log": "A record of events that occurred in a computer system or application, such as problems, errors, or information on current operations.", + "configuration": "Parameters or settings that may be used by other components or services.", + "evidence": "Information used to substantiate a claim.", + "formulation": "Describes the formulation of any referencable object within the BOM, including components, services, metadata, declarations, or the BOM itself.", + "attestation": "Human or machine-readable statements containing facts, evidence, or testimony.", + "threat-model": "An enumeration of identified weaknesses, threats, and 
countermeasures, dataflow diagram (DFD), attack tree, and other supporting documentation in human-readable or machine-readable format.", + "adversary-model": "The defined assumptions, goals, and capabilities of an adversary.", + "risk-assessment": "Identifies and analyzes the potential of future events that may negatively impact individuals, assets, and/or the environment. Risk assessments may also include judgments on the tolerability of each risk.", + "vulnerability-assertion": "A Vulnerability Disclosure Report (VDR) which asserts the known and previously unknown vulnerabilities that affect a component, service, or product including the analysis and findings describing the impact (or lack of impact) that the reported vulnerability has on a component, service, or product.", + "exploitability-statement": "A Vulnerability Exploitability eXchange (VEX) which asserts the known vulnerabilities that do not affect a product, product family, or organization, and optionally the ones that do. The VEX should include the analysis and findings describing the impact (or lack of impact) that the reported vulnerability has on the product, product family, or organization.", + "pentest-report": "Results from an authorized simulated cyberattack on a component or service, otherwise known as a penetration test.", + "static-analysis-report": "SARIF or proprietary machine or human-readable report for which static analysis has identified code quality, security, and other potential issues with the source code.", + "dynamic-analysis-report": "Dynamic analysis report that has identified issues such as vulnerabilities and misconfigurations.", + "runtime-analysis-report": "Report generated by analyzing the call stack of a running application.", + "component-analysis-report": "Report generated by Software Composition Analysis (SCA), container analysis, or other forms of component analysis.", + "maturity-report": "Report containing a formal assessment of an organization, business unit, or team 
against a maturity model.", + "certification-report": "Industry, regulatory, or other certification from an accredited (if applicable) certification body.", + "codified-infrastructure": "Code or configuration that defines and provisions virtualized infrastructure, commonly referred to as Infrastructure as Code (IaC).", + "quality-metrics": "Report or system in which quality metrics can be obtained.", + "poam": "Plans of Action and Milestones (POA&M) complement an \"attestation\" external reference. POA&M is defined by NIST as a \"document that identifies tasks needing to be accomplished. It details resources required to accomplish the elements of the plan, any milestones in meeting the tasks and scheduled completion dates for the milestones\".", + "electronic-signature": "An e-signature is commonly a scanned representation of a written signature or a stylized script of the person's name.", + "digital-signature": "A signature that leverages cryptography, typically public/private key pairs, which provides strong authenticity verification.", + "rfc-9116": "Document that complies with [RFC 9116](https://www.ietf.org/rfc/rfc9116.html) (A File Format to Aid in Security Vulnerability Disclosure)", + "patent": "References information about patents which may be defined in human-readable documents or in machine-readable formats such as CycloneDX or ST.96. For detailed patent information or to reference the information provided directly by patent offices, it is recommended to leverage standards from the World Intellectual Property Organization (WIPO) such as [ST.96](https://www.wipo.int/standards/en/st96).", + "patent-family": "References information about a patent family which may be defined in human-readable documents or in machine-readable formats such as CycloneDX or ST.96. A patent family is a group of related patent applications or granted patents that cover the same or similar invention. 
For detailed patent family information or to reference the information provided directly by patent offices, it is recommended to leverage standards from the World Intellectual Property Organization (WIPO) such as [ST.96](https://www.wipo.int/standards/en/st96).", + "patent-assertion" : "References assertions made regarding patents associated with a component or service. Assertions distinguish between ownership, licensing, and other relevant interactions with patents.", + "citation": "A reference to external citations applicable to the object identified by this BOM entry or the BOM itself. When used with a BOM-Link, this allows offloading citations into a separate CycloneDX BOM.", + "other": "Use this if no other types accurately describe the purpose of the external reference." + } + }, + "hashes": { + "type": "array", + "items": {"$ref": "#/definitions/hash"}, + "title": "Hashes", + "description": "The hashes of the external reference (if applicable)." + }, + "properties": { + "type": "array", + "title": "Properties", + "description": "Provides the ability to document properties in a name-value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. Unlike key-value stores, properties support duplicate names, each potentially having different values. Property names of interest to the general public are encouraged to be registered in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy). Formal registration is optional.", + "items": {"$ref": "#/definitions/property"} + } + } + }, + "dependency": { + "type": "object", + "title": "Dependency", + "description": "Defines the direct dependencies of a component, service, or the components provided/implemented by a given component. Components or services that do not have their own dependencies must be declared as empty elements within the graph. 
Components or services that are not represented in the dependency graph may have unknown dependencies. It is recommended that implementations assume this to be opaque and not an indicator of an object being dependency-free. It is recommended to leverage compositions to indicate unknown dependency graphs.", + "required": [ + "ref" + ], + "additionalProperties": false, + "properties": { + "ref": { + "$ref": "#/definitions/refLinkType", + "title": "Reference", + "description": "References a component or service by its bom-ref attribute" + }, + "dependsOn": { + "type": "array", + "uniqueItems": true, + "items": { + "$ref": "#/definitions/refLinkType" + }, + "title": "Depends On", + "description": "The bom-ref identifiers of the components or services that are dependencies of this dependency object." + }, + "provides": { + "type": "array", + "uniqueItems": true, + "items": { + "$ref": "#/definitions/refLinkType" + }, + "title": "Provides", + "description": "The bom-ref identifiers of the components or services that define a given specification or standard, which are provided or implemented by this dependency object.\nFor example, a cryptographic library which implements a cryptographic algorithm. A component which implements another component does not imply that the implementation is in use." + } + } + }, + "service": { + "type": "object", + "title": "Service", + "required": [ + "name" + ], + "additionalProperties": false, + "properties": { + "bom-ref": { + "$ref": "#/definitions/refType", + "title": "BOM Reference", + "description": "An identifier which can be used to reference the service elsewhere in the BOM. Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links." 
+ }, + "provider": { + "title": "Provider", + "description": "The organization that provides the service.", + "$ref": "#/definitions/organizationalEntity" + }, + "group": { + "type": "string", + "title": "Service Group", + "description": "The grouping name, namespace, or identifier. This will often be a shortened, single name of the company or project that produced the service or domain name. Whitespace and special characters should be avoided.", + "examples": ["com.acme"] + }, + "name": { + "type": "string", + "title": "Service Name", + "description": "The name of the service. This will often be a shortened, single name of the service.", + "examples": ["ticker-service"] + }, + "version": { + "$ref": "#/definitions/version", + "title": "Service Version", + "description": "The service version." + }, + "description": { + "type": "string", + "title": "Service Description", + "description": "Specifies a description for the service" + }, + "endpoints": { + "type": "array", + "items": { + "type": "string", + "format": "iri-reference" + }, + "title": "Endpoints", + "description": "The endpoint URIs of the service. Multiple endpoints are allowed.", + "examples": ["https://example.com/api/v1/ticker"] + }, + "authenticated": { + "type": "boolean", + "title": "Authentication Required", + "description": "A boolean value indicating if the service requires authentication. A value of true indicates the service requires authentication prior to use. A value of false indicates the service does not require authentication." + }, + "x-trust-boundary": { + "type": "boolean", + "title": "Crosses Trust Boundary", + "description": "A boolean value indicating if use of the service crosses a trust zone or boundary. A value of true indicates that by using the service, a trust boundary is crossed. A value of false indicates that by using the service, a trust boundary is not crossed." 
+ }, + "trustZone": { + "type": "string", + "title": "Trust Zone", + "description": "The name of the trust zone the service resides in." + }, + "data": { + "type": "array", + "items": {"$ref": "#/definitions/serviceData"}, + "title": "Data", + "description": "Specifies information about the data including the directional flow of data and the data classification." + }, + "licenses": { + "$ref": "#/definitions/licenseChoice", + "title": "Service License(s)" + }, + "patentAssertions": { + "$ref": "#/definitions/patentAssertions", + "title": "Service Patent(s)" + }, + "externalReferences": { + "type": "array", + "items": {"$ref": "#/definitions/externalReference"}, + "title": "External References", + "description": "External references provide a way to document systems, sites, and information that may be relevant but are not included with the BOM. They may also establish specific relationships within or external to the BOM." + }, + "services": { + "type": "array", + "items": {"$ref": "#/definitions/service"}, + "uniqueItems": true, + "title": "Services", + "description": "A list of services included or deployed behind the parent service. This is not a dependency tree. It provides a way to specify a hierarchical representation of service assemblies." + }, + "releaseNotes": { + "$ref": "#/definitions/releaseNotes", + "title": "Release notes", + "description": "Specifies release notes." + }, + "properties": { + "type": "array", + "title": "Properties", + "description": "Provides the ability to document properties in a name-value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. Unlike key-value stores, properties support duplicate names, each potentially having different values. Property names of interest to the general public are encouraged to be registered in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy). 
Formal registration is optional.", + "items": {"$ref": "#/definitions/property"} + }, + "tags": { + "$ref": "#/definitions/tags", + "title": "Tags" + }, + "signature": { + "$ref": "#/definitions/signature", + "title": "Signature", + "description": "Enveloped signature in [JSON Signature Format (JSF)](https://cyberphone.github.io/doc/security/jsf.html)." + } + } + }, + "serviceData": { + "type": "object", + "title": "Hash Objects", + "required": [ + "flow", + "classification" + ], + "additionalProperties": false, + "properties": { + "flow": { + "$ref": "#/definitions/dataFlowDirection", + "title": "Directional Flow", + "description": "Specifies the flow direction of the data. Direction is relative to the service. Inbound flow states that data enters the service. Outbound flow states that data leaves the service. Bi-directional states that data flows both ways and unknown states that the direction is not known." + }, + "classification": { + "$ref": "#/definitions/dataClassification" + }, + "name": { + "type": "string", + "title": "Name", + "description": "Name for the defined data", + "examples": [ + "Credit card reporting" + ] + }, + "description": { + "type": "string", + "title": "Description", + "description": "Short description of the data content and usage", + "examples": [ + "Credit card information being exchanged in between the web app and the database" + ] + }, + "governance": { + "title": "Data Governance", + "$ref": "#/definitions/dataGovernance" + }, + "source": { + "type": "array", + "items": { + "anyOf": [ + { + "title": "URL", + "type": "string", + "format": "iri-reference" + }, + { + "title": "BOM-Link Element", + "$ref": "#/definitions/bomLinkElementType" + } + ] + }, + "title": "Source", + "description": "The URI, URL, or BOM-Link of the components or services the data came in from" + }, + "destination": { + "type": "array", + "items": { + "anyOf": [ + { + "title": "URL", + "type": "string", + "format": "iri-reference" + }, + { + "title": "BOM-Link 
Element", + "$ref": "#/definitions/bomLinkElementType" + } + ] + }, + "title": "Destination", + "description": "The URI, URL, or BOM-Link of the components or services the data is sent to" + } + } + }, + "dataFlowDirection": { + "type": "string", + "enum": [ + "inbound", + "outbound", + "bi-directional", + "unknown" + ], + "meta:enum": { + "inbound": "Data that enters a service.", + "outbound": "Data that exits a service.", + "bi-directional": "Data flows in and out of the service.", + "unknown": "The directional flow of data is not known." + }, + "title": "Data flow direction", + "description": "Specifies the flow direction of the data. Direction is relative to the service." + }, + "copyright": { + "type": "object", + "title": "Copyright", + "description": "A copyright notice informing users of the underlying claims to copyright ownership in a published work.", + "required": [ + "text" + ], + "additionalProperties": false, + "properties": { + "text": { + "type": "string", + "title": "Copyright Text", + "description": "The textual content of the copyright." + } + } + }, + "componentEvidence": { + "type": "object", + "title": "Evidence", + "description": "Provides the ability to document evidence collected through various forms of extraction or analysis.", + "additionalProperties": false, + "properties": { + "identity": { + "title": "Identity Evidence", + "description": "Evidence that substantiates the identity of a component. The identity may be an object or an array of identity objects. Support for specifying identity as a single object was introduced in CycloneDX v1.5. Arrays were introduced in v1.6. 
It is recommended that all implementations use arrays, even if only one identity object is specified.", + "oneOf" : [ + { + "type": "array", + "title": "Array of Identity Objects", + "items": { "$ref": "#/definitions/componentIdentityEvidence" } + }, + { + "title": "A Single Identity Object", + "description": "[Deprecated]", + "$ref": "#/definitions/componentIdentityEvidence", + "deprecated": true + } + ] + }, + "occurrences": { + "type": "array", + "title": "Occurrences", + "description": "Evidence of individual instances of a component spread across multiple locations.", + "items": { + "type": "object", + "required": [ "location" ], + "additionalProperties": false, + "properties": { + "bom-ref": { + "$ref": "#/definitions/refType", + "title": "BOM Reference", + "description": "An identifier which can be used to reference the occurrence elsewhere in the BOM. Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links." + }, + "location": { + "type": "string", + "title": "Location", + "description": "The location or path to where the component was found." + }, + "line": { + "type": "integer", + "minimum": 0, + "title": "Line Number", + "description": "The line number where the component was found." + }, + "offset": { + "type": "integer", + "minimum": 0, + "title": "Offset", + "description": "The offset where the component was found." + }, + "symbol": { + "type": "string", + "title": "Symbol", + "description": "The symbol name that was found associated with the component." + }, + "additionalContext": { + "type": "string", + "title": "Additional Context", + "description": "Any additional context of the detected component (e.g. a code snippet)." 
+ } + } + } + }, + "callstack": { + "type": "object", + "title": "Call Stack", + "description": "Evidence of the components use through the callstack.", + "additionalProperties": false, + "properties": { + "frames": { + "type": "array", + "title": "Frames", + "description": "Within a call stack, a frame is a discrete unit that encapsulates an execution context, including local variables, parameters, and the return address. As function calls are made, frames are pushed onto the stack, forming an array-like structure that orchestrates the flow of program execution and manages the sequence of function invocations.", + "items": { + "type": "object", + "required": [ + "module" + ], + "additionalProperties": false, + "properties": { + "package": { + "title": "Package", + "description": "A package organizes modules into namespaces, providing a unique namespace for each type it contains.", + "type": "string" + }, + "module": { + "title": "Module", + "description": "A module or class that encloses functions/methods and other code.", + "type": "string" + }, + "function": { + "title": "Function", + "description": "A block of code designed to perform a particular task.", + "type": "string" + }, + "parameters": { + "title": "Parameters", + "description": "Arguments that are passed to the module or function.", + "type": "array", + "items": { + "type": "string" + } + }, + "line": { + "title": "Line", + "description": "The line number the code that is called resides on.", + "type": "integer" + }, + "column": { + "title": "Column", + "description": "The column the code that is called resides.", + "type": "integer" + }, + "fullFilename": { + "title": "Full Filename", + "description": "The full path and filename of the module.", + "type": "string" + } + } + } + } + } + }, + "licenses": { + "$ref": "#/definitions/licenseChoice", + "title": "License Evidence" + }, + "copyright": { + "type": "array", + "items": {"$ref": "#/definitions/copyright"}, + "title": "Copyright Evidence", + 
"description": "Copyright evidence captures intellectual property assertions, providing evidence of possible ownership and legal protection." + } + } + }, + "compositions": { + "type": "object", + "title": "Compositions", + "required": [ + "aggregate" + ], + "additionalProperties": false, + "properties": { + "bom-ref": { + "$ref": "#/definitions/refType", + "title": "BOM Reference", + "description": "An identifier which can be used to reference the composition elsewhere in the BOM. Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links." + }, + "aggregate": { + "$ref": "#/definitions/aggregateType", + "title": "Aggregate", + "description": "Specifies an aggregate type that describes how complete a relationship is." + }, + "assemblies": { + "type": "array", + "uniqueItems": true, + "items": { + "anyOf": [ + { + "title": "Ref", + "$ref": "#/definitions/refLinkType" + }, + { + "title": "BOM-Link Element", + "$ref": "#/definitions/bomLinkElementType" + } + ] + }, + "title": "BOM references", + "description": "The bom-ref identifiers of the components or services being described. Assemblies refer to nested relationships whereby a constituent part may include other constituent parts. References do not cascade to child parts. References are explicit for the specified constituent part only." + }, + "dependencies": { + "type": "array", + "uniqueItems": true, + "items": { + "type": "string" + }, + "title": "BOM references", + "description": "The bom-ref identifiers of the components or services being described. Dependencies refer to a relationship whereby an independent constituent part requires another independent constituent part. References do not cascade to transitive dependencies. References are explicit for the specified dependency only." 
+ }, + "vulnerabilities": { + "type": "array", + "uniqueItems": true, + "items": { + "type": "string" + }, + "title": "BOM references", + "description": "The bom-ref identifiers of the vulnerabilities being described." + }, + "signature": { + "$ref": "#/definitions/signature", + "title": "Signature", + "description": "Enveloped signature in [JSON Signature Format (JSF)](https://cyberphone.github.io/doc/security/jsf.html)." + } + } + }, + "aggregateType": { + "type": "string", + "default": "not_specified", + "enum": [ + "complete", + "incomplete", + "incomplete_first_party_only", + "incomplete_first_party_proprietary_only", + "incomplete_first_party_opensource_only", + "incomplete_third_party_only", + "incomplete_third_party_proprietary_only", + "incomplete_third_party_opensource_only", + "unknown", + "not_specified" + ], + "meta:enum": { + "complete": "The relationship is complete. No further relationships including constituent components, services, or dependencies are known to exist.", + "incomplete": "The relationship is incomplete. Additional relationships exist and may include constituent components, services, or dependencies.", + "incomplete_first_party_only": "The relationship is incomplete. Only relationships for first-party components, services, or their dependencies are represented.", + "incomplete_first_party_proprietary_only": "The relationship is incomplete. Only relationships for first-party components, services, or their dependencies are represented, limited specifically to those that are proprietary.", + "incomplete_first_party_opensource_only": "The relationship is incomplete. Only relationships for first-party components, services, or their dependencies are represented, limited specifically to those that are opensource.", + "incomplete_third_party_only": "The relationship is incomplete. 
Only relationships for third-party components, services, or their dependencies are represented.", + "incomplete_third_party_proprietary_only": "The relationship is incomplete. Only relationships for third-party components, services, or their dependencies are represented, limited specifically to those that are proprietary.", + "incomplete_third_party_opensource_only": "The relationship is incomplete. Only relationships for third-party components, services, or their dependencies are represented, limited specifically to those that are opensource.", + "unknown": "The relationship may be complete or incomplete. This usually signifies a 'best-effort' to obtain constituent components, services, or dependencies but the completeness is inconclusive.", + "not_specified": "The relationship completeness is not specified." + } + }, + "property": { + "type": "object", + "title": "Lightweight name-value pair", + "description": "Provides the ability to document properties in a name-value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. Unlike key-value stores, properties support duplicate names, each potentially having different values. Property names of interest to the general public are encouraged to be registered in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy). Formal registration is optional.", + "required": [ + "name" + ], + "additionalProperties": false, + "properties": { + "name": { + "type": "string", + "title": "Name", + "description": "The name of the property. Duplicate names are allowed, each potentially having a different value." + }, + "value": { + "type": "string", + "title": "Value", + "description": "The value of the property." 
+ } + } + }, + "localeType": { + "type": "string", + "pattern": "^([a-z]{2})(-[A-Z]{2})?$", + "title": "Locale", + "description": "Defines a syntax for representing two character language code (ISO-639) followed by an optional two character country code. The language code must be lower case. If the country code is specified, the country code must be upper case. The language code and country code must be separated by a minus sign. Examples: en, en-US, fr, fr-CA" + }, + "releaseType": { + "type": "string", + "examples": [ + "major", + "minor", + "patch", + "pre-release", + "internal" + ], + "description": "The software versioning type. It is recommended that the release type use one of 'major', 'minor', 'patch', 'pre-release', or 'internal'. Representing all possible software release types is not practical, so standardizing on the recommended values, whenever possible, is strongly encouraged.\n\n* __major__ = A major release may contain significant changes or may introduce breaking changes.\n* __minor__ = A minor release, also known as an update, may contain a smaller number of changes than major releases.\n* __patch__ = Patch releases are typically unplanned and may resolve defects or important security issues.\n* __pre-release__ = A pre-release may include alpha, beta, or release candidates and typically have limited support. They provide the ability to preview a release prior to its general availability.\n* __internal__ = Internal releases are not for public consumption and are intended to be used exclusively by the project or manufacturer that produced it." + }, + "note": { + "type": "object", + "title": "Note", + "description": "A note containing the locale and content.", + "required": [ + "text" + ], + "additionalProperties": false, + "properties": { + "locale": { + "$ref": "#/definitions/localeType", + "title": "Locale", + "description": "The ISO-639 (or higher) language code and optional ISO-3166 (or higher) country code. 
Examples include: \"en\", \"en-US\", \"fr\" and \"fr-CA\"" + }, + "text": { + "title": "Release note content", + "description": "Specifies the full content of the release note.", + "$ref": "#/definitions/attachment" + } + } + }, + "releaseNotes": { + "type": "object", + "title": "Release notes", + "required": [ + "type" + ], + "additionalProperties": false, + "properties": { + "type": { + "$ref": "#/definitions/releaseType", + "title": "Type", + "description": "The software versioning type the release note describes." + }, + "title": { + "type": "string", + "title": "Title", + "description": "The title of the release." + }, + "featuredImage": { + "type": "string", + "format": "iri-reference", + "title": "Featured image", + "description": "The URL to an image that may be prominently displayed with the release note." + }, + "socialImage": { + "type": "string", + "format": "iri-reference", + "title": "Social image", + "description": "The URL to an image that may be used in messaging on social media platforms." + }, + "description": { + "type": "string", + "title": "Description", + "description": "A short description of the release." + }, + "timestamp": { + "type": "string", + "format": "date-time", + "title": "Timestamp", + "description": "The date and time (timestamp) when the release note was created." + }, + "aliases": { + "type": "array", + "items": { + "type": "string" + }, + "title": "Aliases", + "description": "One or more alternate names the release may be referred to. This may include unofficial terms used by development and marketing teams (e.g. code names)." + }, + "tags": { + "$ref": "#/definitions/tags", + "title": "Tags" + }, + "resolves": { + "type": "array", + "items": {"$ref": "#/definitions/issue"}, + "title": "Resolves", + "description": "A collection of issues that have been resolved." 
+ }, + "notes": { + "type": "array", + "items": {"$ref": "#/definitions/note"}, + "title": "Notes", + "description": "Zero or more release notes containing the locale and content. Multiple note objects may be specified to support release notes in a wide variety of languages." + }, + "properties": { + "type": "array", + "title": "Properties", + "description": "Provides the ability to document properties in a name-value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. Unlike key-value stores, properties support duplicate names, each potentially having different values. Property names of interest to the general public are encouraged to be registered in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy). Formal registration is optional.", + "items": {"$ref": "#/definitions/property"} + } + } + }, + "advisory": { + "type": "object", + "title": "Advisory", + "description": "Title and location where advisory information can be obtained. An advisory is a notification of a threat to a component, service, or system.", + "required": ["url"], + "additionalProperties": false, + "properties": { + "title": { + "type": "string", + "title": "Title", + "description": "A name of the advisory." + }, + "url": { + "type": "string", + "title": "URL", + "format": "iri-reference", + "description": "Location where the advisory can be obtained." + } + } + }, + "cwe": { + "type": "integer", + "minimum": 1, + "title": "CWE", + "description": "Integer representation of a Common Weaknesses Enumerations (CWE). For example 399 (of https://cwe.mitre.org/data/definitions/399.html)" + }, + "severity": { + "type": "string", + "title": "Severity", + "description": "Textual representation of the severity of the vulnerability adopted by the analysis method. 
If the analysis method uses values other than what is provided, the user is expected to translate appropriately.", + "enum": [ + "critical", + "high", + "medium", + "low", + "info", + "none", + "unknown" + ], + "meta:enum": { + "critical": "Critical severity", + "high": "High severity", + "medium": "Medium severity", + "low": "Low severity", + "info": "Informational warning.", + "none": "None", + "unknown": "The severity is not known" + } + }, + "scoreMethod": { + "type": "string", + "title": "Method", + "description": "Specifies the severity or risk scoring methodology or standard used.", + "enum": [ + "CVSSv2", + "CVSSv3", + "CVSSv31", + "CVSSv4", + "OWASP", + "SSVC", + "other" + ], + "meta:enum": { + "CVSSv2": "Common Vulnerability Scoring System v2.0", + "CVSSv3": "Common Vulnerability Scoring System v3.0", + "CVSSv31": "Common Vulnerability Scoring System v3.1", + "CVSSv4": "Common Vulnerability Scoring System v4.0", + "OWASP": "OWASP Risk Rating Methodology", + "SSVC": "Stakeholder Specific Vulnerability Categorization", + "other": "Another severity or risk scoring methodology" + } + }, + "impactAnalysisState": { + "type": "string", + "title": "Impact Analysis State", + "description": "Declares the current state of an occurrence of a vulnerability, after automated or manual analysis.", + "enum": [ + "resolved", + "resolved_with_pedigree", + "exploitable", + "in_triage", + "false_positive", + "not_affected" + ], + "meta:enum": { + "resolved": "The vulnerability has been remediated.", + "resolved_with_pedigree": "The vulnerability has been remediated and evidence of the changes are provided in the affected components pedigree containing verifiable commit history and/or diff(s).", + "exploitable": "The vulnerability may be directly or indirectly exploitable.", + "in_triage": "The vulnerability is being investigated.", + "false_positive": "The vulnerability is not specific to the component or service and was falsely identified or associated.", + "not_affected": 
"The component or service is not affected by the vulnerability. Justification should be specified for all not_affected cases." + } + }, + "impactAnalysisJustification": { + "type": "string", + "title": "Impact Analysis Justification", + "description": "The rationale of why the impact analysis state was asserted.", + "enum": [ + "code_not_present", + "code_not_reachable", + "requires_configuration", + "requires_dependency", + "requires_environment", + "protected_by_compiler", + "protected_at_runtime", + "protected_at_perimeter", + "protected_by_mitigating_control" + ], + "meta:enum": { + "code_not_present": "The code has been removed or tree-shaked.", + "code_not_reachable": "The vulnerable code is not invoked at runtime.", + "requires_configuration": "Exploitability requires a configurable option to be set/unset.", + "requires_dependency": "Exploitability requires a dependency that is not present.", + "requires_environment": "Exploitability requires a certain environment which is not present.", + "protected_by_compiler": "Exploitability requires a compiler flag to be set/unset.", + "protected_at_runtime": "Exploits are prevented at runtime.", + "protected_at_perimeter": "Attacks are blocked at physical, logical, or network perimeter.", + "protected_by_mitigating_control": "Preventative measures have been implemented that reduce the likelihood and/or impact of the vulnerability." + } + }, + "rating": { + "type": "object", + "title": "Rating", + "description": "Defines the severity or risk ratings of a vulnerability.", + "additionalProperties": false, + "properties": { + "source": { + "$ref": "#/definitions/vulnerabilitySource", + "description": "The source that calculated the severity or risk rating of the vulnerability." + }, + "score": { + "type": "number", + "title": "Score", + "description": "The numerical score of the rating." 
+ }, + "severity": { + "$ref": "#/definitions/severity", + "description": "Textual representation of the severity that corresponds to the numerical score of the rating." + }, + "method": { + "$ref": "#/definitions/scoreMethod" + }, + "vector": { + "type": "string", + "title": "Vector", + "description": "Textual representation of the metric values used to score the vulnerability" + }, + "justification": { + "type": "string", + "title": "Justification", + "description": "A reason for rating the vulnerability as it was" + } + } + }, + "vulnerabilitySource": { + "type": "object", + "title": "Source", + "description": "The source of vulnerability information. This is often the organization that published the vulnerability.", + "additionalProperties": false, + "properties": { + "url": { + "type": "string", + "title": "URL", + "description": "The url of the vulnerability documentation as provided by the source.", + "examples": [ + "https://nvd.nist.gov/vuln/detail/CVE-2021-39182" + ] + }, + "name": { + "type": "string", + "title": "Name", + "description": "The name of the source.", + "examples": [ + "NVD", + "National Vulnerability Database", + "OSS Index", + "VulnDB", + "GitHub Advisories" + ] + } + } + }, + "vulnerability": { + "type": "object", + "title": "Vulnerability", + "description": "Defines a weakness in a component or service that could be exploited or triggered by a threat source.", + "additionalProperties": false, + "properties": { + "bom-ref": { + "$ref": "#/definitions/refType", + "title": "BOM Reference", + "description": "An identifier which can be used to reference the vulnerability elsewhere in the BOM. Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links." 
+ }, + "id": { + "type": "string", + "title": "ID", + "description": "The identifier that uniquely identifies the vulnerability.", + "examples": [ + "CVE-2021-39182", + "GHSA-35m5-8cvj-8783", + "SNYK-PYTHON-ENROCRYPT-1912876" + ] + }, + "source": { + "$ref": "#/definitions/vulnerabilitySource", + "description": "The source that published the vulnerability." + }, + "references": { + "type": "array", + "title": "References", + "description": "Zero or more pointers to vulnerabilities that are the equivalent of the vulnerability specified. Often times, the same vulnerability may exist in multiple sources of vulnerability intelligence, but have different identifiers. References provide a way to correlate vulnerabilities across multiple sources of vulnerability intelligence.", + "items": { + "type": "object", + "required": [ + "id", + "source" + ], + "additionalProperties": false, + "properties": { + "id": { + "type": "string", + "title": "ID", + "description": "An identifier that uniquely identifies the vulnerability.", + "examples": [ + "CVE-2021-39182", + "GHSA-35m5-8cvj-8783", + "SNYK-PYTHON-ENROCRYPT-1912876" + ] + }, + "source": { + "$ref": "#/definitions/vulnerabilitySource", + "description": "The source that published the vulnerability." + } + } + } + }, + "ratings": { + "type": "array", + "title": "Ratings", + "description": "List of vulnerability ratings", + "items": { + "$ref": "#/definitions/rating" + } + }, + "cwes": { + "type": "array", + "title": "CWEs", + "description": "List of Common Weaknesses Enumerations (CWEs) codes that describes this vulnerability.", + "examples": [399], + "items": { + "$ref": "#/definitions/cwe" + } + }, + "description": { + "type": "string", + "title": "Description", + "description": "A description of the vulnerability as provided by the source." + }, + "detail": { + "type": "string", + "title": "Details", + "description": "If available, an in-depth description of the vulnerability as provided by the source organization. 
Details often include information useful in understanding root cause." + }, + "recommendation": { + "type": "string", + "title": "Recommendation", + "description": "Recommendations of how the vulnerability can be remediated or mitigated." + }, + "workaround": { + "type": "string", + "title": "Workarounds", + "description": "A bypass, usually temporary, of the vulnerability that reduces its likelihood and/or impact. Workarounds often involve changes to configuration or deployments." + }, + "proofOfConcept": { + "type": "object", + "title": "Proof of Concept", + "description": "Evidence used to reproduce the vulnerability.", + "properties": { + "reproductionSteps": { + "type": "string", + "title": "Steps to Reproduce", + "description": "Precise steps to reproduce the vulnerability." + }, + "environment": { + "type": "string", + "title": "Environment", + "description": "A description of the environment in which reproduction was possible." + }, + "supportingMaterial": { + "type": "array", + "title": "Supporting Material", + "description": "Supporting material that helps in reproducing or understanding how reproduction is possible. This may include screenshots, payloads, and PoC exploit code.", + "items": { "$ref": "#/definitions/attachment" } + } + } + }, + "advisories": { + "type": "array", + "title": "Advisories", + "description": "Published advisories of the vulnerability if provided.", + "items": { + "$ref": "#/definitions/advisory" + } + }, + "created": { + "type": "string", + "format": "date-time", + "title": "Created", + "description": "The date and time (timestamp) when the vulnerability record was created in the vulnerability database." + }, + "published": { + "type": "string", + "format": "date-time", + "title": "Published", + "description": "The date and time (timestamp) when the vulnerability record was first published." 
+ }, + "updated": { + "type": "string", + "format": "date-time", + "title": "Updated", + "description": "The date and time (timestamp) when the vulnerability record was last updated." + }, + "rejected": { + "type": "string", + "format": "date-time", + "title": "Rejected", + "description": "The date and time (timestamp) when the vulnerability record was rejected (if applicable)." + }, + "credits": { + "type": "object", + "title": "Credits", + "description": "Individuals or organizations credited with the discovery of the vulnerability.", + "additionalProperties": false, + "properties": { + "organizations": { + "type": "array", + "title": "Organizations", + "description": "The organizations credited with vulnerability discovery.", + "items": { + "$ref": "#/definitions/organizationalEntity" + } + }, + "individuals": { + "type": "array", + "title": "Individuals", + "description": "The individuals, not associated with organizations, that are credited with vulnerability discovery.", + "items": { + "$ref": "#/definitions/organizationalContact" + } + } + } + }, + "tools": { + "title": "Tools", + "description": "The tool(s) used to identify, confirm, or score the vulnerability.", + "oneOf": [ + { + "type": "object", + "title": "Tools", + "description": "The tool(s) used to identify, confirm, or score the vulnerability.", + "additionalProperties": false, + "properties": { + "components": { + "type": "array", + "items": {"$ref": "#/definitions/component"}, + "uniqueItems": true, + "title": "Components", + "description": "A list of software and hardware components used as tools." + }, + "services": { + "type": "array", + "items": {"$ref": "#/definitions/service"}, + "uniqueItems": true, + "title": "Services", + "description": "A list of services used as tools. This may include microservices, function-as-a-service, and other types of network or intra-process services." 
+ } + } + }, + { + "type": "array", + "title": "Tools (legacy)", + "description": "[Deprecated]\nThe tool(s) used to identify, confirm, or score the vulnerability.", + "deprecated": true, + "items": {"$ref": "#/definitions/tool"} + } + ] + }, + "analysis": { + "type": "object", + "title": "Impact Analysis", + "description": "An assessment of the impact and exploitability of the vulnerability.", + "additionalProperties": false, + "properties": { + "state": { + "$ref": "#/definitions/impactAnalysisState" + }, + "justification": { + "$ref": "#/definitions/impactAnalysisJustification" + }, + "response": { + "type": "array", + "title": "Response", + "description": "A response to the vulnerability by the manufacturer, supplier, or project responsible for the affected component or service. More than one response is allowed. Responses are strongly encouraged for vulnerabilities where the analysis state is exploitable.", + "items": { + "type": "string", + "enum": [ + "can_not_fix", + "will_not_fix", + "update", + "rollback", + "workaround_available" + ], + "meta:enum": { + "can_not_fix": "Can not fix", + "will_not_fix": "Will not fix", + "update": "Update to a different revision or release", + "rollback": "Revert to a previous revision or release", + "workaround_available": "There is a workaround available" + } + } + }, + "detail": { + "type": "string", + "title": "Detail", + "description": "Detailed description of the impact including methods used during assessment. If a vulnerability is not exploitable, this field should include specific details on why the component or service is not impacted by this vulnerability." + }, + "firstIssued": { + "type": "string", + "format": "date-time", + "title": "First Issued", + "description": "The date and time (timestamp) when the analysis was first issued." + }, + "lastUpdated": { + "type": "string", + "format": "date-time", + "title": "Last Updated", + "description": "The date and time (timestamp) when the analysis was last updated." 
+ } + } + }, + "affects": { + "type": "array", + "uniqueItems": true, + "items": { + "type": "object", + "required": [ + "ref" + ], + "additionalProperties": false, + "properties": { + "ref": { + "anyOf": [ + { + "title": "Ref", + "$ref": "#/definitions/refLinkType" + }, + { + "title": "BOM-Link Element", + "$ref": "#/definitions/bomLinkElementType" + } + ], + "title": "Reference", + "description": "References a component or service by the objects bom-ref" + }, + "versions": { + "type": "array", + "title": "Versions", + "description": "Zero or more individual versions or range of versions.", + "items": { + "type": "object", + "oneOf": [ + { + "required": ["version"] + }, + { + "required": ["range"] + } + ], + "additionalProperties": false, + "properties": { + "version": { + "title": "Version", + "description": "A single version of a component or service.", + "$ref": "#/definitions/version" + }, + "range": { + "title": "Version Range", + "description": "A version range specified in Package URL Version Range syntax (vers) which is defined at https://github.com/package-url/vers-spec", + "$ref": "#/definitions/versionRange" + }, + "status": { + "title": "Status", + "description": "The vulnerability status for the version or range of versions.", + "$ref": "#/definitions/affectedStatus", + "default": "affected" + } + } + } + } + } + }, + "title": "Affects", + "description": "The components or services that are affected by the vulnerability." + }, + "properties": { + "type": "array", + "title": "Properties", + "description": "Provides the ability to document properties in a name-value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. Unlike key-value stores, properties support duplicate names, each potentially having different values. 
Property names of interest to the general public are encouraged to be registered in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy). Formal registration is optional.", + "items": { + "$ref": "#/definitions/property" + } + } + } + }, + "affectedStatus": { + "description": "The vulnerability status of a given version or range of versions of a product. The statuses 'affected' and 'unaffected' indicate that the version is affected or unaffected by the vulnerability. The status 'unknown' indicates that it is unknown or unspecified whether the given version is affected. There can be many reasons for an 'unknown' status, including that an investigation has not been undertaken or that a vendor has not disclosed the status.", + "type": "string", + "enum": [ + "affected", + "unaffected", + "unknown" + ], + "meta:enum": { + "affected": "The version is affected by the vulnerability.", + "unaffected": "The version is not affected by the vulnerability.", + "unknown": "It is unknown (or unspecified) whether the given version is affected." + } + }, + "version": { + "description": "A single disjunctive version identifier, for a component or service.", + "type": "string", + "maxLength": 1024, + "examples": [ + "9.0.14", + "v1.33.7", + "7.0.0-M1", + "2.0pre1", + "1.0.0-beta1", + "0.8.15" + ] + }, + "versionRange": { + "description": "A version range specified in Package URL Version Range syntax (vers) which is defined at https://github.com/package-url/vers-spec", + "type": "string", + "minLength": 1, + "maxLength": 4096, + "examples": [ + "vers:cargo/9.0.14", + "vers:npm/1.2.3|>=2.0.0|<5.0.0", + "vers:pypi/0.0.0|0.0.1|0.0.2|0.0.3|1.0|2.0pre1", + "vers:tomee/>=1.0.0-beta1|<=1.7.5|>=7.0.0-M1|<=7.0.7|>=7.1.0|<=7.1.2|>=8.0.0-M1|<=8.0.1", + "vers:gem/>=2.2.0|!= 2.2.1|<2.3.0" + ] + }, + "range": { + "deprecated": true, + "description": "Deprecated definition. 
use definition `versionRange` instead.", + "$ref": "#/definitions/versionRange" + }, + "annotations": { + "type": "object", + "title": "Annotations", + "description": "A comment, note, explanation, or similar textual content which provides additional context to the object(s) being annotated.", + "required": [ + "subjects", + "annotator", + "timestamp", + "text" + ], + "additionalProperties": false, + "properties": { + "bom-ref": { + "$ref": "#/definitions/refType", + "title": "BOM Reference", + "description": "An identifier which can be used to reference the annotation elsewhere in the BOM. Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links." + }, + "subjects": { + "type": "array", + "uniqueItems": true, + "items": { + "anyOf": [ + { + "title": "Ref", + "$ref": "#/definitions/refLinkType" + }, + { + "title": "BOM-Link Element", + "$ref": "#/definitions/bomLinkElementType" + } + ] + }, + "title": "Subjects", + "description": "The object in the BOM identified by its bom-ref. This is often a component or service, but may be any object type supporting bom-refs." 
+ }, + "annotator": { + "type": "object", + "title": "Annotator", + "description": "The organization, person, component, or service which created the textual content of the annotation.", + "oneOf": [ + { + "required": [ + "organization" + ] + }, + { + "required": [ + "individual" + ] + }, + { + "required": [ + "component" + ] + }, + { + "required": [ + "service" + ] + } + ], + "additionalProperties": false, + "properties": { + "organization": { + "description": "The organization that created the annotation", + "$ref": "#/definitions/organizationalEntity" + }, + "individual": { + "description": "The person that created the annotation", + "$ref": "#/definitions/organizationalContact" + }, + "component": { + "description": "The tool or component that created the annotation", + "$ref": "#/definitions/component" + }, + "service": { + "description": "The service that created the annotation", + "$ref": "#/definitions/service" + } + } + }, + "timestamp": { + "type": "string", + "format": "date-time", + "title": "Timestamp", + "description": "The date and time (timestamp) when the annotation was created." + }, + "text": { + "type": "string", + "title": "Text", + "description": "The textual content of the annotation." + }, + "signature": { + "$ref": "#/definitions/signature", + "title": "Signature", + "description": "Enveloped signature in [JSON Signature Format (JSF)](https://cyberphone.github.io/doc/security/jsf.html)." + } + } + }, + "modelCard": { + "$comment": "Model card support in CycloneDX is derived from TensorFlow Model Card Toolkit released under the Apache 2.0 license and available from https://github.com/tensorflow/model-card-toolkit/blob/main/model_card_toolkit/schema/v0.0.2/model_card.schema.json. 
In addition, CycloneDX model card support includes portions of VerifyML, also released under the Apache 2.0 license and available from https://github.com/cylynx/verifyml/blob/main/verifyml/model_card_toolkit/schema/v0.0.4/model_card.schema.json.", + "type": "object", + "title": "Model Card", + "description": "A model card describes the intended uses of a machine learning model and potential limitations, including biases and ethical considerations. Model cards typically contain the training parameters, which datasets were used to train the model, performance metrics, and other relevant data useful for ML transparency. This object SHOULD be specified for any component of type `machine-learning-model` and must not be specified for other component types.", + "additionalProperties": false, + "properties": { + "bom-ref": { + "$ref": "#/definitions/refType", + "title": "BOM Reference", + "description": "An identifier which can be used to reference the model card elsewhere in the BOM. Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links." 
+ }, + "modelParameters": { + "type": "object", + "title": "Model Parameters", + "description": "Hyper-parameters for construction of the model.", + "additionalProperties": false, + "properties": { + "approach": { + "type": "object", + "title": "Approach", + "description": "The overall approach to learning used by the model for problem solving.", + "additionalProperties": false, + "properties": { + "type": { + "type": "string", + "title": "Learning Type", + "description": "Learning types describing the learning problem or hybrid learning problem.", + "enum": [ + "supervised", + "unsupervised", + "reinforcement-learning", + "semi-supervised", + "self-supervised" + ], + "meta:enum": { + "supervised": "Supervised machine learning involves training an algorithm on labeled data to predict or classify new data based on the patterns learned from the labeled examples.", + "unsupervised": "Unsupervised machine learning involves training algorithms on unlabeled data to discover patterns, structures, or relationships without explicit guidance, allowing the model to identify inherent structures or clusters within the data.", + "reinforcement-learning": "Reinforcement learning is a type of machine learning where an agent learns to make decisions by interacting with an environment to maximize cumulative rewards, through trial and error.", + "semi-supervised": "Semi-supervised machine learning utilizes a combination of labeled and unlabeled data during training to improve model performance, leveraging the benefits of both supervised and unsupervised learning techniques.", + "self-supervised": "Self-supervised machine learning involves training models to predict parts of the input data from other parts of the same data, without requiring external labels, enabling learning from large amounts of unlabeled data." + } + } + } + }, + "task": { + "type": "string", + "title": "Task", + "description": "Directly influences the input and/or output. 
Examples include classification, regression, clustering, etc." + }, + "architectureFamily": { + "type": "string", + "title": "Architecture Family", + "description": "The model architecture family such as transformer network, convolutional neural network, residual neural network, LSTM neural network, etc." + }, + "modelArchitecture": { + "type": "string", + "title": "Model Architecture", + "description": "The specific architecture of the model such as GPT-1, ResNet-50, YOLOv3, etc." + }, + "datasets": { + "type": "array", + "title": "Datasets", + "description": "The datasets used to train and evaluate the model.", + "items" : { + "oneOf" : [ + { + "title": "Inline Data Information", + "$ref": "#/definitions/componentData" + }, + { + "type": "object", + "title": "Data Reference", + "additionalProperties": false, + "properties": { + "ref": { + "anyOf": [ + { + "title": "Ref", + "$ref": "#/definitions/refLinkType" + }, + { + "title": "BOM-Link Element", + "$ref": "#/definitions/bomLinkElementType" + } + ], + "title": "Reference", + "type": "string", + "description": "References a data component by the components bom-ref attribute" + } + } + } + ] + } + }, + "inputs": { + "type": "array", + "title": "Inputs", + "description": "The input format(s) of the model", + "items": { "$ref": "#/definitions/inputOutputMLParameters" } + }, + "outputs": { + "type": "array", + "title": "Outputs", + "description": "The output format(s) from the model", + "items": { "$ref": "#/definitions/inputOutputMLParameters" } + } + } + }, + "quantitativeAnalysis": { + "type": "object", + "title": "Quantitative Analysis", + "description": "A quantitative analysis of the model", + "additionalProperties": false, + "properties": { + "performanceMetrics": { + "type": "array", + "title": "Performance Metrics", + "description": "The model performance metrics being reported. 
Examples may include accuracy, F1 score, precision, top-3 error rates, MSC, etc.", + "items": { "$ref": "#/definitions/performanceMetric" } + }, + "graphics": { "$ref": "#/definitions/graphicsCollection" } + } + }, + "considerations": { + "type": "object", + "title": "Considerations", + "description": "What considerations should be taken into account regarding the model's construction, training, and application?", + "additionalProperties": false, + "properties": { + "users": { + "type": "array", + "title": "Users", + "description": "Who are the intended users of the model?", + "items": { + "type": "string" + } + }, + "useCases": { + "type": "array", + "title": "Use Cases", + "description": "What are the intended use cases of the model?", + "items": { + "type": "string" + } + }, + "technicalLimitations": { + "type": "array", + "title": "Technical Limitations", + "description": "What are the known technical limitations of the model? E.g. What kind(s) of data should the model be expected not to perform well on? What are the factors that might degrade model performance?", + "items": { + "type": "string" + } + }, + "performanceTradeoffs": { + "type": "array", + "title": "Performance Tradeoffs", + "description": "What are the known tradeoffs in accuracy/performance of the model?", + "items": { + "type": "string" + } + }, + "ethicalConsiderations": { + "type": "array", + "title": "Ethical Considerations", + "description": "What are the ethical risks involved in the application of this model?", + "items": { "$ref": "#/definitions/risk" } + }, + "environmentalConsiderations":{ + "$ref": "#/definitions/environmentalConsiderations", + "title": "Environmental Considerations", + "description": "What are the various environmental impacts the corresponding machine learning model has exhibited across its lifecycle?" 
+ }, + "fairnessAssessments": { + "type": "array", + "title": "Fairness Assessments", + "description": "How does the model affect groups at risk of being systematically disadvantaged? What are the harms and benefits to the various affected groups?", + "items": { + "$ref": "#/definitions/fairnessAssessment" + } + } + } + }, + "properties": { + "type": "array", + "title": "Properties", + "description": "Provides the ability to document properties in a name-value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. Unlike key-value stores, properties support duplicate names, each potentially having different values. Property names of interest to the general public are encouraged to be registered in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy). Formal registration is optional.", + "items": {"$ref": "#/definitions/property"} + } + } + }, + "inputOutputMLParameters": { + "type": "object", + "title": "Input and Output Parameters", + "additionalProperties": false, + "properties": { + "format": { + "title": "Input/Output Format", + "description": "The data format for input/output to the model.", + "type": "string", + "examples": [ "string", "image", "time-series"] + } + } + }, + "componentData": { + "type": "object", + "additionalProperties": false, + "required": [ + "type" + ], + "properties": { + "bom-ref": { + "$ref": "#/definitions/refType", + "title": "BOM Reference", + "description": "An identifier which can be used to reference the dataset elsewhere in the BOM. Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links." 
+ }, + "type": { + "type": "string", + "title": "Type of Data", + "description": "The general theme or subject matter of the data being specified.", + "enum": [ + "source-code", + "configuration", + "dataset", + "definition", + "other" + ], + "meta:enum": { + "source-code": "Any type of code, code snippet, or data-as-code.", + "configuration": "Parameters or settings that may be used by other components.", + "dataset": "A collection of data.", + "definition": "Data that can be used to create new instances of what the definition defines.", + "other": "Any other type of data that does not fit into existing definitions." + } + }, + "name": { + "title": "Dataset Name", + "description": "The name of the dataset.", + "type": "string" + }, + "contents": { + "type": "object", + "title": "Data Contents", + "description": "The contents or references to the contents of the data being described.", + "additionalProperties": false, + "properties": { + "attachment": { + "title": "Data Attachment", + "description": "A way to include textual or encoded data.", + "$ref": "#/definitions/attachment" + }, + "url": { + "type": "string", + "title": "Data URL", + "description": "The URL to where the data can be retrieved.", + "format": "iri-reference" + }, + "properties": { + "type": "array", + "title": "Configuration Properties", + "description": "Provides the ability to document name-value parameters used for configuration.", + "items": { + "$ref": "#/definitions/property" + } + } + } + }, + "classification": { + "$ref": "#/definitions/dataClassification" + }, + "sensitiveData": { + "type": "array", + "title": "Sensitive Data", + "description": "A description of any sensitive data in a dataset.", + "items": { + "type": "string" + } + }, + "graphics": { "$ref": "#/definitions/graphicsCollection" }, + "description": { + "title": "Dataset Description", + "description": "A description of the dataset. 
Can describe size of dataset, whether it's used for source code, training, testing, or validation, etc.", + "type": "string" + }, + "governance": { + "title": "Data Governance", + "$ref": "#/definitions/dataGovernance" + } + } + }, + "dataGovernance": { + "type": "object", + "title": "Data Governance", + "description": "Data governance captures information regarding data ownership, stewardship, and custodianship, providing insights into the individuals or entities responsible for managing, overseeing, and safeguarding the data throughout its lifecycle.", + "additionalProperties": false, + "properties": { + "custodians": { + "type": "array", + "title": "Data Custodians", + "description": "Data custodians are responsible for the safe custody, transport, and storage of data.", + "items": { "$ref": "#/definitions/dataGovernanceResponsibleParty" } + }, + "stewards": { + "type": "array", + "title": "Data Stewards", + "description": "Data stewards are responsible for data content, context, and associated business rules.", + "items": { "$ref": "#/definitions/dataGovernanceResponsibleParty" } + }, + "owners": { + "type": "array", + "title": "Data Owners", + "description": "Data owners are concerned with risk and appropriate access to data.", + "items": { "$ref": "#/definitions/dataGovernanceResponsibleParty" } + } + } + }, + "dataGovernanceResponsibleParty": { + "type": "object", + "additionalProperties": false, + "properties": { + "organization": { + "title": "Organization", + "description": "The organization that is responsible for specific data governance role(s).", + "$ref": "#/definitions/organizationalEntity" + }, + "contact": { + "title": "Individual", + "description": "The individual that is responsible for specific data governance role(s).", + "$ref": "#/definitions/organizationalContact" + } + }, + "oneOf":[ + { + "required": ["organization"] + }, + { + "required": ["contact"] + } + ] + }, + "graphicsCollection": { + "type": "object", + "title": "Graphics 
Collection", + "description": "A collection of graphics that represent various measurements.", + "additionalProperties": false, + "properties": { + "description": { + "title": "Description", + "description": "A description of this collection of graphics.", + "type": "string" + }, + "collection": { + "title": "Collection", + "description": "A collection of graphics.", + "type": "array", + "items": { "$ref": "#/definitions/graphic" } + } + } + }, + "graphic": { + "type": "object", + "title": "Graphic", + "additionalProperties": false, + "properties": { + "name": { + "title": "Name", + "description": "The name of the graphic.", + "type": "string" + }, + "image": { + "title": "Graphic Image", + "description": "The graphic (vector or raster). Base64 encoding must be specified for binary images.", + "$ref": "#/definitions/attachment" + } + } + }, + "performanceMetric": { + "type": "object", + "title": "Performance Metric", + "additionalProperties": false, + "properties": { + "type": { + "title": "Type", + "description": "The type of performance metric.", + "type": "string" + }, + "value": { + "title": "Value", + "description": "The value of the performance metric.", + "type": "string" + }, + "slice": { + "title": "Slice", + "description": "The name of the slice this metric was computed on. 
By default, assume this metric is not sliced.", + "type": "string" + }, + "confidenceInterval": { + "title": "Confidence Interval", + "description": "The confidence interval of the metric.", + "type": "object", + "additionalProperties": false, + "properties": { + "lowerBound": { + "title": "Lower Bound", + "description": "The lower bound of the confidence interval.", + "type": "string" + }, + "upperBound": { + "title": "Upper Bound", + "description": "The upper bound of the confidence interval.", + "type": "string" + } + } + } + } + }, + "risk": { + "type": "object", + "title": "Risk", + "additionalProperties": false, + "properties": { + "name": { + "title": "Name", + "description": "The name of the risk.", + "type": "string" + }, + "mitigationStrategy": { + "title": "Mitigation Strategy", + "description": "Strategy used to address this risk.", + "type": "string" + } + } + }, + "fairnessAssessment": { + "type": "object", + "title": "Fairness Assessment", + "description": "Information about the benefits and harms of the model to an identified at risk group.", + "additionalProperties": false, + "properties": { + "groupAtRisk": { + "type": "string", + "title": "Group at Risk", + "description": "The groups or individuals at risk of being systematically disadvantaged by the model." + }, + "benefits": { + "type": "string", + "title": "Benefits", + "description": "Expected benefits to the identified groups." + }, + "harms": { + "type": "string", + "title": "Harms", + "description": "Expected harms to the identified groups." + }, + "mitigationStrategy": { + "type": "string", + "title": "Mitigation Strategy", + "description": "With respect to the benefits and harms outlined, please describe any mitigation strategy implemented." + } + } + }, + "dataClassification": { + "type": "string", + "title": "Data Classification", + "description": "Data classification tags data according to its type, sensitivity, and value if altered, stolen, or destroyed." 
+ }, + "environmentalConsiderations": { + "type": "object", + "title": "Environmental Considerations", + "description": "Describes various environmental impact metrics.", + "additionalProperties": false, + "properties": { + "energyConsumptions": { + "title": "Energy Consumptions", + "description": "Describes energy consumption information incurred for one or more component lifecycle activities.", + "type": "array", + "items": { + "$ref": "#/definitions/energyConsumption" + } + }, + "properties": { + "type": "array", + "title": "Properties", + "description": "Provides the ability to document properties in a name-value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. Unlike key-value stores, properties support duplicate names, each potentially having different values. Property names of interest to the general public are encouraged to be registered in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy). 
Formal registration is optional.", + "items": { + "$ref": "#/definitions/property" + } + } + } + }, + "energyConsumption": { + "title": "Energy consumption", + "description": "Describes energy consumption information incurred for the specified lifecycle activity.", + "type": "object", + "required": [ + "activity", + "energyProviders", + "activityEnergyCost" + ], + "additionalProperties": false, + "properties": { + "activity": { + "type": "string", + "title": "Activity", + "description": "The type of activity that is part of a machine learning model development or operational lifecycle.", + "enum": [ + "design", + "data-collection", + "data-preparation", + "training", + "fine-tuning", + "validation", + "deployment", + "inference", + "other" + ], + "meta:enum": { + "design": "A model design including problem framing, goal definition and algorithm selection.", + "data-collection": "Model data acquisition including search, selection and transfer.", + "data-preparation": "Model data preparation including data cleaning, labeling and conversion.", + "training": "Model building, training and generalized tuning.", + "fine-tuning": "Refining a trained model to produce desired outputs for a given problem space.", + "validation": "Model validation including model output evaluation and testing.", + "deployment": "Explicit model deployment to a target hosting infrastructure.", + "inference": "Generating an output response from a hosted model from a set of inputs.", + "other": "A lifecycle activity type whose description does not match currently defined values." 
+ } + }, + "energyProviders": { + "title": "Energy Providers", + "description": "The provider(s) of the energy consumed by the associated model development lifecycle activity.", + "type": "array", + "items": { "$ref": "#/definitions/energyProvider" } + }, + "activityEnergyCost": { + "title": "Activity Energy Cost", + "description": "The total energy cost associated with the model lifecycle activity.", + "$ref": "#/definitions/energyMeasure" + }, + "co2CostEquivalent": { + "title": "CO2 Equivalent Cost", + "description": "The CO2 cost (debit) equivalent to the total energy cost.", + "$ref": "#/definitions/co2Measure" + }, + "co2CostOffset": { + "title": "CO2 Cost Offset", + "description": "The CO2 offset (credit) for the CO2 equivalent cost.", + "$ref": "#/definitions/co2Measure" + }, + "properties": { + "type": "array", + "title": "Properties", + "description": "Provides the ability to document properties in a name-value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. Unlike key-value stores, properties support duplicate names, each potentially having different values. Property names of interest to the general public are encouraged to be registered in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy). Formal registration is optional.", + "items": { + "$ref": "#/definitions/property" + } + } + } + }, + "energyMeasure": { + "type": "object", + "title": "Energy Measure", + "description": "A measure of energy.", + "required": [ + "value", + "unit" + ], + "additionalProperties": false, + "properties": { + "value": { + "type": "number", + "title": "Value", + "description": "Quantity of energy." + }, + "unit": { + "type": "string", + "enum": [ "kWh" ], + "title": "Unit", + "description": "Unit of energy.", + "meta:enum": { + "kWh": "Kilowatt-hour (kWh) is the energy delivered by one kilowatt (kW) of power for one hour (h)." 
+ } + } + } + }, + "co2Measure": { + "type": "object", + "title": "CO2 Measure", + "description": "A measure of carbon dioxide (CO2).", + "required": [ + "value", + "unit" + ], + "additionalProperties": false, + "properties": { + "value": { + "type": "number", + "title": "Value", + "description": "Quantity of carbon dioxide (CO2)." + }, + "unit": { + "type": "string", + "enum": [ "tCO2eq" ], + "title": "Unit", + "description": "Unit of carbon dioxide (CO2).", + "meta:enum": { + "tCO2eq": "Tonnes (t) of carbon dioxide (CO2) equivalent (eq)." + } + } + } + }, + "energyProvider": { + "type": "object", + "title": "Energy Provider", + "description": "Describes the physical provider of energy used for model development or operations.", + "required": [ + "organization", + "energySource", + "energyProvided" + ], + "additionalProperties": false, + "properties": { + "bom-ref": { + "title": "BOM Reference", + "description": "An identifier which can be used to reference the energy provider elsewhere in the BOM. Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links.", + "$ref": "#/definitions/refType" + }, + "description": { + "type": "string", + "title": "Description", + "description": "A description of the energy provider." 
+ }, + "organization": { + "type": "object", + "title": "Organization", + "description": "The organization that provides energy.", + "$ref": "#/definitions/organizationalEntity" + }, + "energySource": { + "type": "string", + "enum": [ + "coal", + "oil", + "natural-gas", + "nuclear", + "wind", + "solar", + "geothermal", + "hydropower", + "biofuel", + "unknown", + "other" + ], + "meta:enum": { + "coal": "Energy produced by types of coal.", + "oil": "Petroleum products (primarily crude oil and its derivative fuel oils).", + "natural-gas": "Hydrocarbon gas liquids (HGL) that occur as gases at atmospheric pressure and as liquids under higher pressures including Natural gas (C5H12 and heavier), Ethane (C2H6), Propane (C3H8), etc.", + "nuclear": "Energy produced from the cores of atoms (i.e., through nuclear fission or fusion).", + "wind": "Energy produced from moving air.", + "solar": "Energy produced from the sun (i.e., solar radiation).", + "geothermal": "Energy produced from heat within the earth.", + "hydropower": "Energy produced from flowing water.", + "biofuel": "Liquid fuels produced from biomass feedstocks (i.e., organic materials such as plants or animals).", + "unknown": "The energy source is unknown.", + "other": "An energy source that is not listed." + }, + "title": "Energy Source", + "description": "The energy source for the energy provider." + }, + "energyProvided": { + "$ref": "#/definitions/energyMeasure", + "title": "Energy Provided", + "description": "The energy provided by the energy source for an associated activity." + }, + "externalReferences": { + "type": "array", + "items": {"$ref": "#/definitions/externalReference"}, + "title": "External References", + "description": "External references provide a way to document systems, sites, and information that may be relevant but are not included with the BOM. They may also establish specific relationships within or external to the BOM." 
+ } + } + }, + "postalAddress": { + "type": "object", + "title": "Postal address", + "description": "An address used to identify a contactable location.", + "additionalProperties": false, + "properties": { + "bom-ref": { + "title": "BOM Reference", + "description": "An identifier which can be used to reference the address elsewhere in the BOM. Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links.", + "$ref": "#/definitions/refType" + }, + "country": { + "type": "string", + "title": "Country", + "description": "The country name or the two-letter ISO 3166-1 country code." + }, + "region": { + "type": "string", + "title": "Region", + "description": "The region or state in the country.", + "examples": [ "Texas" ] + }, + "locality": { + "type": "string", + "title": "Locality", + "description": "The locality or city within the country.", + "examples": [ "Austin" ] + }, + "postOfficeBoxNumber": { + "type": "string", + "title": "Post Office Box Number", + "description": "The post office box number.", + "examples": [ "901" ] + }, + "postalCode": { + "type": "string", + "title": "Postal Code", + "description": "The postal code.", + "examples": [ "78758" ] + }, + "streetAddress": { + "type": "string", + "title": "Street Address", + "description": "The street address.", + "examples": [ "100 Main Street" ] + } + } + }, + "formula": { + "title": "Formula", + "description": "Describes workflows and resources that captures rules and other aspects of how the associated BOM component or service was formed.", + "type": "object", + "additionalProperties": false, + "properties": { + "bom-ref": { + "title": "BOM Reference", + "description": "An identifier which can be used to reference the formula elsewhere in the BOM. 
Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links.", + "$ref": "#/definitions/refType" + }, + "components": { + "title": "Components", + "description": "Transient components that are used in tasks that constitute one or more of this formula's workflows", + "type": "array", + "items": { + "$ref": "#/definitions/component" + }, + "uniqueItems": true + }, + "services": { + "title": "Services", + "description": "Transient services that are used in tasks that constitute one or more of this formula's workflows", + "type": "array", + "items": { + "$ref": "#/definitions/service" + }, + "uniqueItems": true + }, + "workflows": { + "title": "Workflows", + "description": "List of workflows that can be declared to accomplish specific orchestrated goals and independently triggered.", + "$comment": "Different workflows can be designed to work together to perform end-to-end CI/CD builds and deployments.", + "type": "array", + "items": { + "$ref": "#/definitions/workflow" + }, + "uniqueItems": true + }, + "properties": { + "type": "array", + "title": "Properties", + "description": "Provides the ability to document properties in a name-value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. Unlike key-value stores, properties support duplicate names, each potentially having different values. Property names of interest to the general public are encouraged to be registered in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy). Formal registration is optional.", + "items": { + "$ref": "#/definitions/property" + } + } + } + }, + "workflow": { + "title": "Workflow", + "description": "A specialized orchestration task.", + "$comment": "Workflow are as task themselves and can trigger other workflow tasks. 
These relationships can be modeled in the taskDependencies graph.", + "type": "object", + "required": [ + "bom-ref", + "uid", + "taskTypes" + ], + "additionalProperties": false, + "properties": { + "bom-ref": { + "title": "BOM Reference", + "description": "An identifier which can be used to reference the workflow elsewhere in the BOM. Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links.", + "$ref": "#/definitions/refType" + }, + "uid": { + "title": "Unique Identifier (UID)", + "description": "The unique identifier for the resource instance within its deployment context.", + "type": "string" + }, + "name": { + "title": "Name", + "description": "The name of the resource instance.", + "type": "string" + }, + "description": { + "title": "Description", + "description": "A description of the resource instance.", + "type": "string" + }, + "resourceReferences": { + "title": "Resource references", + "description": "References to component or service resources that are used to realize the resource instance.", + "type": "array", + "uniqueItems": true, + "items": { + "$ref": "#/definitions/resourceReferenceChoice" + } + }, + "tasks": { + "title": "Tasks", + "description": "The tasks that comprise the workflow.", + "$comment": "Note that tasks can appear more than once as different instances (by name or UID).", + "type": "array", + "uniqueItems": true, + "items": { + "$ref": "#/definitions/task" + } + }, + "taskDependencies": { + "title": "Task dependency graph", + "description": "The graph of dependencies between tasks within the workflow.", + "type": "array", + "uniqueItems": true, + "items": { + "$ref": "#/definitions/dependency" + } + }, + "taskTypes": { + "title": "Task types", + "description": "Indicates the types of activities performed by the set of workflow tasks.", + "$comment": "Currently, these types reflect common CI/CD actions.", + "type": "array", + "items": { + "$ref": 
"#/definitions/taskType" + } + }, + "trigger": { + "title": "Trigger", + "description": "The trigger that initiated the task.", + "$ref": "#/definitions/trigger" + }, + "steps": { + "title": "Steps", + "description": "The sequence of steps for the task.", + "type": "array", + "items": { + "$ref": "#/definitions/step" + }, + "uniqueItems": true + }, + "inputs": { + "title": "Inputs", + "description": "Represents resources and data brought into a task at runtime by executor or task commands", + "examples": ["a `configuration` file which was declared as a local `component` or `externalReference`"], + "type": "array", + "items": { + "$ref": "#/definitions/inputType" + }, + "uniqueItems": true + }, + "outputs": { + "title": "Outputs", + "description": "Represents resources and data output from a task at runtime by executor or task commands", + "examples": ["a log file or metrics data produced by the task"], + "type": "array", + "items": { + "$ref": "#/definitions/outputType" + }, + "uniqueItems": true + }, + "timeStart": { + "title": "Time start", + "description": "The date and time (timestamp) when the task started.", + "type": "string", + "format": "date-time" + }, + "timeEnd": { + "title": "Time end", + "description": "The date and time (timestamp) when the task ended.", + "type": "string", + "format": "date-time" + }, + "workspaces": { + "title": "Workspaces", + "description": "A set of named filesystem or data resource shareable by workflow tasks.", + "type": "array", + "uniqueItems": true, + "items": { + "$ref": "#/definitions/workspace" + } + }, + "runtimeTopology": { + "title": "Runtime topology", + "description": "A graph of the component runtime topology for workflow's instance.", + "$comment": "A description of the runtime component and service topology. 
This can describe a partial or complete topology used to host and execute the task (e.g., hardware, operating systems, configurations, etc.),", + "type": "array", + "uniqueItems": true, + "items": { + "$ref": "#/definitions/dependency" + } + }, + "properties": { + "type": "array", + "title": "Properties", + "description": "Provides the ability to document properties in a name-value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. Unlike key-value stores, properties support duplicate names, each potentially having different values. Property names of interest to the general public are encouraged to be registered in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy). Formal registration is optional.", + "items": { + "$ref": "#/definitions/property" + } + } + } + }, + "task": { + "title": "Task", + "description": "Describes the inputs, sequence of steps and resources used to accomplish a task and its output.", + "$comment": "Tasks are building blocks for constructing assemble CI/CD workflows or pipelines.", + "type": "object", + "required": [ + "bom-ref", + "uid", + "taskTypes" + ], + "additionalProperties": false, + "properties": { + "bom-ref": { + "title": "BOM Reference", + "description": "An identifier which can be used to reference the task elsewhere in the BOM. 
Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links.", + "$ref": "#/definitions/refType" + }, + "uid": { + "title": "Unique Identifier (UID)", + "description": "The unique identifier for the resource instance within its deployment context.", + "type": "string" + }, + "name": { + "title": "Name", + "description": "The name of the resource instance.", + "type": "string" + }, + "description": { + "title": "Description", + "description": "A description of the resource instance.", + "type": "string" + }, + "resourceReferences": { + "title": "Resource references", + "description": "References to component or service resources that are used to realize the resource instance.", + "type": "array", + "uniqueItems": true, + "items": { + "$ref": "#/definitions/resourceReferenceChoice" + } + }, + "taskTypes": { + "title": "Task types", + "description": "Indicates the types of activities performed by the set of workflow tasks.", + "$comment": "Currently, these types reflect common CI/CD actions.", + "type": "array", + "items": { + "$ref": "#/definitions/taskType" + } + }, + "trigger": { + "title": "Trigger", + "description": "The trigger that initiated the task.", + "$ref": "#/definitions/trigger" + }, + "steps": { + "title": "Steps", + "description": "The sequence of steps for the task.", + "type": "array", + "items": { + "$ref": "#/definitions/step" + }, + "uniqueItems": true + }, + "inputs": { + "title": "Inputs", + "description": "Represents resources and data brought into a task at runtime by executor or task commands", + "examples": ["a `configuration` file which was declared as a local `component` or `externalReference`"], + "type": "array", + "items": { + "$ref": "#/definitions/inputType" + }, + "uniqueItems": true + }, + "outputs": { + "title": "Outputs", + "description": "Represents resources and data output from a task at runtime by executor or task commands", + "examples": ["a log 
file or metrics data produced by the task"], + "type": "array", + "items": { + "$ref": "#/definitions/outputType" + }, + "uniqueItems": true + }, + "timeStart": { + "title": "Time start", + "description": "The date and time (timestamp) when the task started.", + "type": "string", + "format": "date-time" + }, + "timeEnd": { + "title": "Time end", + "description": "The date and time (timestamp) when the task ended.", + "type": "string", + "format": "date-time" + }, + "workspaces": { + "title": "Workspaces", + "description": "A set of named filesystem or data resource shareable by workflow tasks.", + "type": "array", + "items": { + "$ref": "#/definitions/workspace" + }, + "uniqueItems": true + }, + "runtimeTopology": { + "title": "Runtime topology", + "description": "A graph of the component runtime topology for task's instance.", + "$comment": "A description of the runtime component and service topology. This can describe a partial or complete topology used to host and execute the task (e.g., hardware, operating systems, configurations, etc.),", + "type": "array", + "items": { + "$ref": "#/definitions/dependency" + }, + "uniqueItems": true + }, + "properties": { + "type": "array", + "title": "Properties", + "description": "Provides the ability to document properties in a name-value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. Unlike key-value stores, properties support duplicate names, each potentially having different values. Property names of interest to the general public are encouraged to be registered in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy). 
Formal registration is optional.", + "items": { + "$ref": "#/definitions/property" + } + } + } + }, + "step": { + "type": "object", + "description": "Executes specific commands or tools in order to accomplish its owning task as part of a sequence.", + "additionalProperties": false, + "properties": { + "name": { + "title": "Name", + "description": "A name for the step.", + "type": "string" + }, + "description": { + "title": "Description", + "description": "A description of the step.", + "type": "string" + }, + "commands": { + "title": "Commands", + "description": "Ordered list of commands or directives for the step", + "type": "array", + "items": { + "$ref": "#/definitions/command" + } + }, + "properties": { + "type": "array", + "title": "Properties", + "description": "Provides the ability to document properties in a name-value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. Unlike key-value stores, properties support duplicate names, each potentially having different values. Property names of interest to the general public are encouraged to be registered in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy). Formal registration is optional.", + "items": { + "$ref": "#/definitions/property" + } + } + } + }, + "command": { + "type": "object", + "additionalProperties": false, + "properties": { + "executed": { + "title": "Executed", + "description": "A text representation of the executed command.", + "type": "string" + }, + "properties": { + "type": "array", + "title": "Properties", + "description": "Provides the ability to document properties in a name-value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. Unlike key-value stores, properties support duplicate names, each potentially having different values. 
Property names of interest to the general public are encouraged to be registered in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy). Formal registration is optional.", + "items": { + "$ref": "#/definitions/property" + } + } + } + }, + "workspace": { + "title": "Workspace", + "description": "A named filesystem or data resource shareable by workflow tasks.", + "type": "object", + "required": [ + "bom-ref", + "uid" + ], + "additionalProperties": false, + "properties": { + "bom-ref": { + "title": "BOM Reference", + "description": "An identifier which can be used to reference the workspace elsewhere in the BOM. Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links.", + "$ref": "#/definitions/refType" + }, + "uid": { + "title": "Unique Identifier (UID)", + "description": "The unique identifier for the resource instance within its deployment context.", + "type": "string" + }, + "name": { + "title": "Name", + "description": "The name of the resource instance.", + "type": "string" + }, + "aliases": { + "title": "Aliases", + "description": "The names for the workspace as referenced by other workflow tasks. 
Effectively, a name mapping so other tasks can use their own local name in their steps.", + "type": "array", + "items": {"type": "string"} + }, + "description": { + "title": "Description", + "description": "A description of the resource instance.", + "type": "string" + }, + "resourceReferences": { + "title": "Resource references", + "description": "References to component or service resources that are used to realize the resource instance.", + "type": "array", + "uniqueItems": true, + "items": { + "$ref": "#/definitions/resourceReferenceChoice" + } + }, + "accessMode": { + "title": "Access mode", + "description": "Describes the read-write access control for the workspace relative to the owning resource instance.", + "type": "string", + "enum": [ + "read-only", + "read-write", + "read-write-once", + "write-once", + "write-only" + ] + }, + "mountPath": { + "title": "Mount path", + "description": "A path to a location on disk where the workspace will be available to the associated task's steps.", + "type": "string" + }, + "managedDataType": { + "title": "Managed data type", + "description": "The name of a domain-specific data type the workspace represents.", + "$comment": "This property is for CI/CD frameworks that are able to provide access to structured, managed data at a more granular level than a filesystem.", + "examples": ["ConfigMap","Secret"], + "type": "string" + }, + "volumeRequest": { + "title": "Volume request", + "description": "Identifies the reference to the request for a specific volume type and parameters.", + "examples": ["a kubernetes Persistent Volume Claim (PVC) name"], + "type": "string" + }, + "volume": { + "title": "Volume", + "description": "Information about the actual volume instance allocated to the workspace.", + "$comment": "The actual volume allocated may be different than the request.", + "examples": ["see https://kubernetes.io/docs/concepts/storage/persistent-volumes/"], + "$ref": "#/definitions/volume" + }, + "properties": { + "type": 
"array", + "title": "Properties", + "description": "Provides the ability to document properties in a name-value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. Unlike key-value stores, properties support duplicate names, each potentially having different values. Property names of interest to the general public are encouraged to be registered in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy). Formal registration is optional.", + "items": { + "$ref": "#/definitions/property" + } + } + } + }, + "volume": { + "title": "Volume", + "description": "An identifiable, logical unit of data storage tied to a physical device.", + "type": "object", + "additionalProperties": false, + "properties": { + "uid": { + "title": "Unique Identifier (UID)", + "description": "The unique identifier for the volume instance within its deployment context.", + "type": "string" + }, + "name": { + "title": "Name", + "description": "The name of the volume instance", + "type": "string" + }, + "mode": { + "title": "Mode", + "description": "The mode for the volume instance.", + "type": "string", + "enum": [ + "filesystem", "block" + ], + "default": "filesystem" + }, + "path": { + "title": "Path", + "description": "The underlying path created from the actual volume.", + "type": "string" + }, + "sizeAllocated": { + "title": "Size allocated", + "description": "The allocated size of the volume accessible to the associated workspace. 
This should include the scalar size as well as IEC standard unit in either decimal or binary form.", + "examples": ["10GB", "2Ti", "1Pi"], + "type": "string" + }, + "persistent": { + "title": "Persistent", + "description": "Indicates if the volume persists beyond the life of the resource it is associated with.", + "type": "boolean" + }, + "remote": { + "title": "Remote", + "description": "Indicates if the volume is remotely (i.e., network) attached.", + "type": "boolean" + }, + "properties": { + "type": "array", + "title": "Properties", + "description": "Provides the ability to document properties in a name-value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. Unlike key-value stores, properties support duplicate names, each potentially having different values. Property names of interest to the general public are encouraged to be registered in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy). Formal registration is optional.", + "items": { + "$ref": "#/definitions/property" + } + } + } + }, + "trigger": { + "title": "Trigger", + "description": "Represents a resource that can conditionally activate (or fire) tasks based upon associated events and their data.", + "type": "object", + "additionalProperties": false, + "required": [ + "type", + "bom-ref", + "uid" + ], + "properties": { + "bom-ref": { + "title": "BOM Reference", + "description": "An identifier which can be used to reference the trigger elsewhere in the BOM. 
Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links.", + "$ref": "#/definitions/refType" + }, + "uid": { + "title": "Unique Identifier (UID)", + "description": "The unique identifier for the resource instance within its deployment context.", + "type": "string" + }, + "name": { + "title": "Name", + "description": "The name of the resource instance.", + "type": "string" + }, + "description": { + "title": "Description", + "description": "A description of the resource instance.", + "type": "string" + }, + "resourceReferences": { + "title": "Resource references", + "description": "References to component or service resources that are used to realize the resource instance.", + "type": "array", + "uniqueItems": true, + "items": { + "$ref": "#/definitions/resourceReferenceChoice" + } + }, + "type": { + "title": "Type", + "description": "The source type of event which caused the trigger to fire.", + "type": "string", + "enum": [ + "manual", + "api", + "webhook", + "scheduled" + ] + }, + "event": { + "title": "Event", + "description": "The event data that caused the associated trigger to activate.", + "$ref": "#/definitions/event" + }, + "conditions": { + "type": "array", + "title": "Conditions", + "description": "A list of conditions used to determine if a trigger should be activated.", + "uniqueItems": true, + "items": { + "$ref": "#/definitions/condition" + } + }, + "timeActivated": { + "title": "Time activated", + "description": "The date and time (timestamp) when the trigger was activated.", + "type": "string", + "format": "date-time" + }, + "inputs": { + "title": "Inputs", + "description": "Represents resources and data brought into a task at runtime by executor or task commands", + "examples": ["a `configuration` file which was declared as a local `component` or `externalReference`"], + "type": "array", + "items": { + "$ref": "#/definitions/inputType" + }, + "uniqueItems": true + 
}, + "outputs": { + "title": "Outputs", + "description": "Represents resources and data output from a task at runtime by executor or task commands", + "examples": ["a log file or metrics data produced by the task"], + "type": "array", + "items": { + "$ref": "#/definitions/outputType" + }, + "uniqueItems": true + }, + "properties": { + "type": "array", + "title": "Properties", + "description": "Provides the ability to document properties in a name-value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. Unlike key-value stores, properties support duplicate names, each potentially having different values. Property names of interest to the general public are encouraged to be registered in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy). Formal registration is optional.", + "items": { + "$ref": "#/definitions/property" + } + } + } + }, + "event": { + "title": "Event", + "description": "Represents something that happened that may trigger a response.", + "type": "object", + "additionalProperties": false, + "properties": { + "uid": { + "title": "Unique Identifier (UID)", + "description": "The unique identifier of the event.", + "type": "string" + }, + "description": { + "title": "Description", + "description": "A description of the event.", + "type": "string" + }, + "timeReceived": { + "title": "Time Received", + "description": "The date and time (timestamp) when the event was received.", + "type": "string", + "format": "date-time" + }, + "data": { + "title": "Data", + "description": "Encoding of the raw event data.", + "$ref": "#/definitions/attachment" + }, + "source": { + "title": "Source", + "description": "References the component or service that was the source of the event", + "$ref": "#/definitions/resourceReferenceChoice" + }, + "target": { + "title": "Target", + "description": "References the component or service 
that was the target of the event", + "$ref": "#/definitions/resourceReferenceChoice" + }, + "properties": { + "type": "array", + "title": "Properties", + "description": "Provides the ability to document properties in a name-value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. Unlike key-value stores, properties support duplicate names, each potentially having different values. Property names of interest to the general public are encouraged to be registered in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy). Formal registration is optional.", + "items": { + "$ref": "#/definitions/property" + } + } + } + }, + "inputType": { + "title": "Input type", + "description": "Type that represents various input data types and formats.", + "type": "object", + "oneOf": [ + { + "required": [ + "resource" + ] + }, + { + "required": [ + "parameters" + ] + }, + { + "required": [ + "environmentVars" + ] + }, + { + "required": [ + "data" + ] + } + ], + "additionalProperties": false, + "properties": { + "source": { + "title": "Source", + "description": "A reference to the component or service that provided the input to the task (e.g., reference to a service with data flow value of `inbound`)", + "examples": [ + "source code repository", + "database" + ], + "$ref": "#/definitions/resourceReferenceChoice" + }, + "target": { + "title": "Target", + "description": "A reference to the component or service that received or stored the input if not the task itself (e.g., a local, named storage workspace)", + "examples": [ + "workspace", + "directory" + ], + "$ref": "#/definitions/resourceReferenceChoice" + }, + "resource": { + "title": "Resource", + "description": "A reference to an independent resource provided as an input to a task by the workflow runtime.", + "examples": [ + "a reference to a configuration file in a repository (i.e., a 
bom-ref)", + "a reference to a scanning service used in a task (i.e., a bom-ref)" + ], + "$ref": "#/definitions/resourceReferenceChoice" + }, + "parameters": { + "title": "Parameters", + "description": "Inputs that have the form of parameters with names and values.", + "type": "array", + "uniqueItems": true, + "items": { + "$ref": "#/definitions/parameter" + } + }, + "environmentVars": { + "title": "Environment variables", + "description": "Inputs that have the form of parameters with names and values.", + "type": "array", + "uniqueItems": true, + "items": { + "oneOf": [ + { + "$ref": "#/definitions/property" + }, + { + "type": "string", + "title": "String-Based Environment Variables", + "description": "In addition to the more common key–value pair format, some environment variables may consist of a single string without an explicit value assignment. These string-based environment variables typically act as flags or signals to software, indicating that a feature should be enabled, a mode should be activated, or a specific condition is present. Their presence alone conveys meaning." + } + ] + } + }, + "data": { + "title": "Data", + "description": "Inputs that have the form of data.", + "$ref": "#/definitions/attachment" + }, + "properties": { + "type": "array", + "title": "Properties", + "description": "Provides the ability to document properties in a name-value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. Unlike key-value stores, properties support duplicate names, each potentially having different values. Property names of interest to the general public are encouraged to be registered in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy). 
Formal registration is optional.",
+ "items": {
+ "$ref": "#/definitions/property"
+ }
+ }
+ }
+ },
+ "outputType": {
+ "type": "object",
+ "oneOf": [
+ {
+ "required": [
+ "resource"
+ ]
+ },
+ {
+ "required": [
+ "environmentVars"
+ ]
+ },
+ {
+ "required": [
+ "data"
+ ]
+ }
+ ],
+ "additionalProperties": false,
+ "properties": {
+ "type": {
+ "title": "Type",
+ "description": "Describes the type of data output.",
+ "type": "string",
+ "enum": [
+ "artifact",
+ "attestation",
+ "log",
+ "evidence",
+ "metrics",
+ "other"
+ ]
+ },
+ "source": {
+ "title": "Source",
+ "description": "Component or service that generated or provided the output from the task (e.g., a build tool)",
+ "$ref": "#/definitions/resourceReferenceChoice"
+ },
+ "target": {
+ "title": "Target",
+ "description": "Component or service that received the output from the task (e.g., reference to an artifactory service with data flow value of `outbound`)",
+ "examples": ["a log file described as an `externalReference` within its target domain."],
+ "$ref": "#/definitions/resourceReferenceChoice"
+ },
+ "resource": {
+ "title": "Resource",
+ "description": "A reference to an independent resource generated as output by the task.",
+ "examples": [
+ "configuration file",
+ "source code",
+ "scanning service"
+ ],
+ "$ref": "#/definitions/resourceReferenceChoice"
+ },
+ "data": {
+ "title": "Data",
+ "description": "Outputs that have the form of data.",
+ "$ref": "#/definitions/attachment"
+ },
+ "environmentVars": {
+ "title": "Environment variables",
+ "description": "Outputs that have the form of environment variables.",
+ "type": "array",
+ "items": {
+ "oneOf": [
+ {
+ "$ref": "#/definitions/property"
+ },
+ {
+ "type": "string",
+ "title": "String-Based Environment Variables",
+ "description": "In addition to the more common key–value pair format, some environment variables may consist of a single string without an explicit value assignment. 
These string-based environment variables typically act as flags or signals to software, indicating that a feature should be enabled, a mode should be activated, or a specific condition is present. Their presence alone conveys meaning."
+ }
+ ]
+ },
+ "uniqueItems": true
+ },
+ "properties": {
+ "type": "array",
+ "title": "Properties",
+ "description": "Provides the ability to document properties in a name-value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. Unlike key-value stores, properties support duplicate names, each potentially having different values. Property names of interest to the general public are encouraged to be registered in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy). Formal registration is optional.",
+ "items": {
+ "$ref": "#/definitions/property"
+ }
+ }
+ }
+ },
+ "resourceReferenceChoice": {
+ "title": "Resource reference choice",
+ "description": "A reference to a locally defined resource (e.g., a bom-ref) or an externally accessible resource.",
+ "$comment": "Enables reference to a resource that participates in a workflow; using either internal (bom-ref) or external (externalReference) types.",
+ "type": "object",
+ "additionalProperties": false,
+ "properties": {
+ "ref": {
+ "title": "BOM Reference",
+ "description": "References an object by its bom-ref attribute",
+ "anyOf": [
+ {
+ "title": "Ref",
+ "$ref": "#/definitions/refLinkType"
+ },
+ {
+ "title": "BOM-Link Element",
+ "$ref": "#/definitions/bomLinkElementType"
+ }
+ ]
+ },
+ "externalReference": {
+ "title": "External reference",
+ "description": "Reference to an externally accessible resource.",
+ "$ref": "#/definitions/externalReference"
+ }
+ },
+ "oneOf": [
+ {
+ "required": [
+ "ref"
+ ]
+ },
+ {
+ "required": [
+ "externalReference"
+ ]
+ }
+ ]
+ },
+ "condition": {
+ "title": "Condition",
+ "description": "A condition 
that was used to determine a trigger should be activated.",
+ "type": "object",
+ "additionalProperties": false,
+ "properties": {
+ "description": {
+ "title": "Description",
+ "description": "Describes the set of conditions which cause the trigger to activate.",
+ "type": "string"
+ },
+ "expression": {
+ "title": "Expression",
+ "description": "The logical expression that was evaluated that determined the trigger should be fired.",
+ "type": "string"
+ },
+ "properties": {
+ "type": "array",
+ "title": "Properties",
+ "description": "Provides the ability to document properties in a name-value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. Unlike key-value stores, properties support duplicate names, each potentially having different values. Property names of interest to the general public are encouraged to be registered in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy). Formal registration is optional.",
+ "items": {
+ "$ref": "#/definitions/property"
+ }
+ }
+ }
+ },
+ "taskType": {
+ "type": "string",
+ "enum": [
+ "copy",
+ "clone",
+ "lint",
+ "scan",
+ "merge",
+ "build",
+ "test",
+ "deliver",
+ "deploy",
+ "release",
+ "clean",
+ "other"
+ ],
+ "meta:enum": {
+ "copy": "A task that copies software or data used to accomplish other tasks in the workflow.",
+ "clone": "A task that clones a software repository into the workflow in order to retrieve its source code or data for use in a build step.",
+ "lint": "A task that checks source code for programmatic and stylistic errors.",
+ "scan": "A task that performs a scan against source code, or built or deployed components and services. 
Scans are typically run to gather or test for security vulnerabilities or policy compliance.",
+ "merge": "A task that merges changes or fixes into source code prior to a build step in the workflow.",
+ "build": "A task that builds the source code, dependencies and/or data into an artifact that can be deployed to and executed on target systems.",
+ "test": "A task that verifies the functionality of a component or service.",
+ "deliver": "A task that delivers a built artifact to one or more target repositories or storage systems.",
+ "deploy": "A task that deploys a built artifact for execution on one or more target systems.",
+ "release": "A task that releases a built, versioned artifact to a target repository or distribution system.",
+ "clean": "A task that cleans unnecessary tools, build artifacts and/or data from workflow storage.",
+ "other": "A workflow task that does not match current task type definitions."
+ }
+ },
+ "parameter": {
+ "title": "Parameter",
+ "description": "A representation of a functional parameter.",
+ "type": "object",
+ "additionalProperties": false,
+ "properties": {
+ "name": {
+ "title": "Name",
+ "description": "The name of the parameter.",
+ "type": "string"
+ },
+ "value": {
+ "title": "Value",
+ "description": "The value of the parameter.",
+ "type": "string"
+ },
+ "dataType": {
+ "title": "Data type",
+ "description": "The data type of the parameter.",
+ "type": "string"
+ }
+ }
+ },
+ "componentIdentityEvidence": {
+ "type": "object",
+ "title": "Identity Evidence",
+ "description": "Evidence that substantiates the identity of a component.",
+ "required": [ "field" ],
+ "additionalProperties": false,
+ "properties": {
+ "field": {
+ "type": "string",
+ "enum": [
+ "group", "name", "version", "purl", "cpe", "omniborId", "swhid", "swid", "hash"
+ ],
+ "title": "Field",
+ "description": "The identity field of the component which the evidence describes." 
+ },
+ "confidence": {
+ "type": "number",
+ "minimum": 0,
+ "maximum": 1,
+ "title": "Confidence",
+ "description": "The overall confidence of the evidence from 0 - 1, where 1 is 100% confidence."
+ },
+ "concludedValue": {
+ "type": "string",
+ "title": "Concluded Value",
+ "description": "The value of the field (cpe, purl, etc) that has been concluded based on the aggregate of all methods (if available)."
+ },
+ "methods": {
+ "type": "array",
+ "title": "Methods",
+ "description": "The methods used to extract and/or analyze the evidence.",
+ "items": {
+ "type": "object",
+ "required": [
+ "technique" ,
+ "confidence"
+ ],
+ "additionalProperties": false,
+ "properties": {
+ "technique": {
+ "title": "Technique",
+ "description": "The technique used in this method of analysis.",
+ "type": "string",
+ "enum": [
+ "source-code-analysis",
+ "binary-analysis",
+ "manifest-analysis",
+ "ast-fingerprint",
+ "hash-comparison",
+ "instrumentation",
+ "dynamic-analysis",
+ "filename",
+ "attestation",
+ "other"
+ ]
+ },
+ "confidence": {
+ "type": "number",
+ "minimum": 0,
+ "maximum": 1,
+ "title": "Confidence",
+ "description": "The confidence of the evidence from 0 - 1, where 1 is 100% confidence. Confidence is specific to the technique used. Each technique of analysis can have independent confidence."
+ },
+ "value": {
+ "type": "string",
+ "title": "Value",
+ "description": "The value or contents of the evidence."
+ }
+ }
+ }
+ },
+ "tools": {
+ "type": "array",
+ "uniqueItems": true,
+ "items": {
+ "anyOf": [
+ {
+ "title": "Ref",
+ "$ref": "#/definitions/refLinkType"
+ },
+ {
+ "title": "BOM-Link Element",
+ "$ref": "#/definitions/bomLinkElementType"
+ }
+ ]
+ },
+ "title": "BOM References",
+ "description": "The object in the BOM identified by its bom-ref. This is often a component or service but may be any object type supporting bom-refs. Tools used for analysis should already be defined in the BOM, either in the metadata/tools, components, or formulation." 
+ }
+ }
+ },
+ "standard": {
+ "type": "object",
+ "title": "Standard",
+ "description": "A standard may consist of regulations, industry or organizational-specific standards, maturity models, best practices, or any other requirements which can be evaluated against or attested to.",
+ "additionalProperties": false,
+ "properties": {
+ "bom-ref": {
+ "$ref": "#/definitions/refType",
+ "title": "BOM Reference",
+ "description": "An identifier which can be used to reference the object elsewhere in the BOM. Every `bom-ref` must be unique within the BOM."
+ },
+ "name": {
+ "type": "string",
+ "title": "Name",
+ "description": "The name of the standard. This will often be a shortened, single name of the standard."
+ },
+ "version": {
+ "type": "string",
+ "title": "Version",
+ "description": "The version of the standard."
+ },
+ "description": {
+ "type": "string",
+ "title": "Description",
+ "description": "The description of the standard."
+ },
+ "owner": {
+ "type": "string",
+ "title": "Owner",
+ "description": "The owner of the standard, often the entity responsible for its release."
+ },
+ "requirements": {
+ "type": "array",
+ "title": "Requirements",
+ "description": "The list of requirements comprising the standard.",
+ "items": {
+ "type": "object",
+ "title": "Requirement",
+ "additionalProperties": false,
+ "properties": {
+ "bom-ref": {
+ "$ref": "#/definitions/refType",
+ "title": "BOM Reference",
+ "description": "An identifier which can be used to reference the object elsewhere in the BOM. Every `bom-ref` must be unique within the BOM."
+ },
+ "identifier": {
+ "type": "string",
+ "title": "Identifier",
+ "description": "The unique identifier used in the standard to identify a specific requirement. This should match what is in the standard and should not be the requirements bom-ref."
+ },
+ "title": {
+ "type": "string",
+ "title": "Title",
+ "description": "The title of the requirement." 
+ },
+ "text": {
+ "type": "string",
+ "title": "Text",
+ "description": "The textual content of the requirement."
+ },
+ "descriptions": {
+ "type": "array",
+ "title": "Descriptions",
+ "description": "The supplemental text that provides additional guidance or context to the requirement, but is not directly part of the requirement.",
+ "items": { "type": "string" }
+ },
+ "openCre": {
+ "type": "array",
+ "title": "OWASP OpenCRE Identifier(s)",
+ "description": "The Common Requirements Enumeration (CRE) identifier(s). CRE is a structured and standardized framework for uniting security standards and guidelines. CRE links each section of a resource to a shared topic identifier (a Common Requirement). Through this shared topic link, all resources map to each other. Use of CRE promotes clear and unambiguous communication among stakeholders.",
+ "items": {
+ "type": "string",
+ "pattern": "^CRE:[0-9]+-[0-9]+$",
+ "examples": [ "CRE:764-507" ]
+ }
+ },
+ "parent": {
+ "$ref": "#/definitions/refLinkType",
+ "title": "Parent BOM Reference",
+ "description": "The `bom-ref` to a parent requirement. This establishes a hierarchy of requirements. Top-level requirements must not define a parent. Only child requirements should define parents."
+ },
+ "properties": {
+ "type": "array",
+ "title": "Properties",
+ "description": "Provides the ability to document properties in a name-value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. Unlike key-value stores, properties support duplicate names, each potentially having different values. Property names of interest to the general public are encouraged to be registered in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy). 
Formal registration is optional.",
+ "items": {
+ "$ref": "#/definitions/property"
+ }
+ },
+ "externalReferences": {
+ "type": "array",
+ "items": {"$ref": "#/definitions/externalReference"},
+ "title": "External References",
+ "description": "External references provide a way to document systems, sites, and information that may be relevant, but are not included with the BOM. They may also establish specific relationships within or external to the BOM."
+ }
+ }
+ }
+ },
+ "levels": {
+ "type": "array",
+ "title": "Levels",
+ "description": "The list of levels associated with the standard. Some standards have different levels of compliance.",
+ "items": {
+ "type": "object",
+ "title": "Level",
+ "additionalProperties": false,
+ "properties": {
+ "bom-ref": {
+ "$ref": "#/definitions/refType",
+ "title": "BOM Reference",
+ "description": "An identifier which can be used to reference the object elsewhere in the BOM. Every `bom-ref` must be unique within the BOM."
+ },
+ "identifier": {
+ "type": "string",
+ "title": "Identifier",
+ "description": "The identifier used in the standard to identify a specific level."
+ },
+ "title": {
+ "type": "string",
+ "title": "Title",
+ "description": "The title of the level."
+ },
+ "description": {
+ "type": "string",
+ "title": "Description",
+ "description": "The description of the level."
+ },
+ "requirements": {
+ "type": "array",
+ "title": "Requirements",
+ "description": "The list of requirement `bom-ref`s that comprise the level.",
+ "items": { "$ref": "#/definitions/refLinkType" }
+ }
+ }
+ }
+ },
+ "externalReferences": {
+ "type": "array",
+ "items": {"$ref": "#/definitions/externalReference"},
+ "title": "External References",
+ "description": "External references provide a way to document systems, sites, and information that may be relevant but are not included with the BOM. They may also establish specific relationships within or external to the BOM." 
+ },
+ "signature": {
+ "$ref": "#/definitions/signature",
+ "title": "Signature",
+ "description": "Enveloped signature in [JSON Signature Format (JSF)](https://cyberphone.github.io/doc/security/jsf.html)."
+ }
+ }
+ },
+ "signature": {
+ "$ref": "jsf-0.82.schema.json#/definitions/signature",
+ "title": "Signature",
+ "description": "Enveloped signature in [JSON Signature Format (JSF)](https://cyberphone.github.io/doc/security/jsf.html)."
+ },
+ "cryptoProperties": {
+ "type": "object",
+ "title": "Cryptographic Properties",
+ "description": "Cryptographic assets have properties that uniquely define them and that make them actionable for further reasoning. As an example, it makes a difference if one knows the algorithm family (e.g. AES) or the specific variant or instantiation (e.g. AES-128-GCM). This is because the security level and the algorithm primitive (authenticated encryption) are only defined by the definition of the algorithm variant. The presence of a weak cryptographic algorithm like SHA1 vs. HMAC-SHA1 also makes a difference.",
+ "additionalProperties": false,
+ "required": [
+ "assetType"
+ ],
+ "properties": {
+ "assetType": {
+ "type": "string",
+ "title": "Asset Type",
+ "description": "Cryptographic assets occur in several forms. Algorithms and protocols are most commonly implemented in specialized cryptographic libraries. They may, however, also be 'hardcoded' in software components. 
Certificates and related cryptographic material like keys, tokens, secrets or passwords are other cryptographic assets to be modelled.",
+ "enum": [
+ "algorithm",
+ "certificate",
+ "protocol",
+ "related-crypto-material"
+ ],
+ "meta:enum": {
+ "algorithm": "Mathematical function commonly used for data encryption, authentication, and digital signatures.",
+ "certificate": "An electronic document that is used to provide the identity or validate a public key.",
+ "protocol": "A set of rules and guidelines that govern the behavior and communication with each other.",
+ "related-crypto-material": "Other cryptographic assets related to algorithms, certificates, and protocols such as keys and tokens."
+ }
+ },
+ "algorithmProperties": {
+ "type": "object",
+ "title": "Algorithm Properties",
+ "description": "Additional properties specific to a cryptographic algorithm.",
+ "additionalProperties": false,
+ "properties": {
+ "primitive": {
+ "type": "string",
+ "title": "primitive",
+ "description": "Cryptographic building blocks used in higher-level cryptographic systems and protocols. Primitives represent different cryptographic routines: deterministic random bit generators (drbg, e.g. CTR_DRBG from NIST SP800-90A-r1), message authentication codes (mac, e.g. HMAC-SHA-256), blockciphers (e.g. AES), streamciphers (e.g. Salsa20), signatures (e.g. ECDSA), hash functions (e.g. SHA-256), public-key encryption schemes (pke, e.g. RSA), extended output functions (xof, e.g. SHAKE256), key derivation functions (e.g. pbkdf2), key agreement algorithms (e.g. ECDH), key encapsulation mechanisms (e.g. ML-KEM), authenticated encryption (ae, e.g. AES-GCM) and the combination of multiple algorithms (combiner, e.g. 
SP800-56Cr2).",
+ "enum": [
+ "drbg",
+ "mac",
+ "block-cipher",
+ "stream-cipher",
+ "signature",
+ "hash",
+ "pke",
+ "xof",
+ "kdf",
+ "key-agree",
+ "kem",
+ "ae",
+ "combiner",
+ "key-wrap",
+ "other",
+ "unknown"
+ ],
+ "meta:enum": {
+ "drbg": "Deterministic Random Bit Generator (DRBG) is a type of pseudorandom number generator designed to produce a sequence of bits from an initial seed value. DRBGs are commonly used in cryptographic applications where reproducibility of random values is important.",
+ "mac": "In cryptography, a Message Authentication Code (MAC) is information used for authenticating and integrity-checking a message.",
+ "block-cipher": "A block cipher is a symmetric key algorithm that operates on fixed-size blocks of data. It encrypts or decrypts the data in block units, providing confidentiality. Block ciphers are widely used in various cryptographic modes and protocols for secure data transmission.",
+ "stream-cipher": "A stream cipher is a symmetric key cipher where plaintext digits are combined with a pseudorandom cipher digit stream (keystream).",
+ "signature": "In cryptography, a signature is a digital representation of a message or data that proves its origin, identity, and integrity. Digital signatures are generated using cryptographic algorithms and are widely used for authentication and verification in secure communication.",
+ "hash": "A hash function is a mathematical algorithm that takes an input (or 'message') and produces a fixed-size string of characters, which is typically a hash value. Hash functions are commonly used in various cryptographic applications, including data integrity verification and password hashing.",
+ "pke": "Public Key Encryption (PKE) is a type of encryption that uses a pair of public and private keys for secure communication. The public key is used for encryption, while the private key is used for decryption. 
PKE is a fundamental component of public-key cryptography.",
+ "xof": "An XOF is an extendable output function that can take arbitrary input and creates a stream of output, up to a limit determined by the size of the internal state of the hash function that underlies the XOF.",
+ "kdf": "A Key Derivation Function (KDF) derives key material from another source of entropy while preserving the entropy of the input.",
+ "key-agree": "In cryptography, a key-agreement is a protocol whereby two or more parties agree on a cryptographic key in such a way that both influence the outcome.",
+ "kem": "A Key Encapsulation Mechanism (KEM) algorithm is a mechanism for transporting random keying material to a recipient using the recipient's public key.",
+ "ae": "Authenticated Encryption (AE) is a cryptographic process that provides both confidentiality and data integrity. It ensures that the encrypted data has not been tampered with and comes from a legitimate source. AE is commonly used in secure communication protocols.",
+ "combiner": "A combiner aggregates many candidates for a cryptographic primitive and generates a new candidate for the same primitive.",
+ "key-wrap": "Key-wrap is a cryptographic technique used to securely encrypt and protect cryptographic keys using algorithms like AES.",
+ "other": "Another primitive type.",
+ "unknown": "The primitive is not known."
+ }
+ },
+ "algorithmFamily": {
+ "$ref": "cryptography-defs.schema.json#/definitions/algorithmFamiliesEnum",
+ "title": "Algorithm Family",
+ "description": "A valid algorithm family identifier. If specified, this value must be one of the enumeration of valid algorithm Family identifiers defined in the `cryptography-defs.schema.json` subschema.",
+ "examples": ["3DES", "Blowfish", "ECDH"]
+ },
+ "parameterSetIdentifier": {
+ "type": "string",
+ "title": "Parameter Set Identifier",
+ "description": "An identifier for the parameter set of the cryptographic algorithm. 
Examples: in AES128, '128' identifies the key length in bits, in SHA256, '256' identifies the digest length, '128' in SHAKE128 identifies its maximum security level in bits, and 'SHA2-128s' identifies a parameter set used in SLH-DSA (FIPS205)."
+ },
+ "curve": {
+ "deprecated": true,
+ "type": "string",
+ "title": "Elliptic Curve",
+ "description": "[Deprecated] This will be removed in a future version. Use `@.ellipticCurve` instead.\nThe specific underlying Elliptic Curve (EC) definition employed which is an indicator of the level of security strength, performance and complexity. Absent an authoritative source of curve names, CycloneDX recommends using curve names as defined at [https://neuromancer.sk/std/](https://neuromancer.sk/std/), the source of which can be found at [https://github.com/J08nY/std-curves](https://github.com/J08nY/std-curves)."
+ },
+ "ellipticCurve": {
+ "$ref": "cryptography-defs.schema.json#/definitions/ellipticCurvesEnum",
+ "title": "Elliptic Curve",
+ "description": "The specific underlying Elliptic Curve (EC) definition employed which is an indicator of the level of security strength, performance and complexity. If specified, this value must be one of the enumeration of valid elliptic curves identifiers defined in the `cryptography-defs.schema.json` subschema." 
+ },
+ "executionEnvironment": {
+ "type": "string",
+ "title": "Execution Environment",
+ "description": "The target and execution environment in which the algorithm is implemented in.",
+ "enum": [
+ "software-plain-ram",
+ "software-encrypted-ram",
+ "software-tee",
+ "hardware",
+ "other",
+ "unknown"
+ ],
+ "meta:enum": {
+ "software-plain-ram": "A software implementation running in plain unencrypted RAM.",
+ "software-encrypted-ram": "A software implementation running in encrypted RAM.",
+ "software-tee": "A software implementation running in a trusted execution environment.",
+ "hardware": "A hardware implementation.",
+ "other": "Another implementation environment.",
+ "unknown": "The execution environment is not known."
+ }
+ },
+ "implementationPlatform": {
+ "type": "string",
+ "title": "Implementation platform",
+ "description": "The target platform for which the algorithm is implemented. The implementation can be 'generic', running on any platform or for a specific platform.",
+ "enum": [
+ "generic",
+ "x86_32",
+ "x86_64",
+ "armv7-a",
+ "armv7-m",
+ "armv8-a",
+ "armv8-m",
+ "armv9-a",
+ "armv9-m",
+ "s390x",
+ "ppc64",
+ "ppc64le",
+ "other",
+ "unknown"
+ ]
+ },
+ "certificationLevel": {
+ "type": "array",
+ "title": "Certification Level",
+ "description": "The certification that the implementation of the cryptographic algorithm has received, if any. 
Certifications include revisions and levels of FIPS 140 or Common Criteria of different Extended Assurance Levels (CC-EAL).",
+ "items": {
+ "type": "string",
+ "enum": [
+ "none",
+ "fips140-1-l1",
+ "fips140-1-l2",
+ "fips140-1-l3",
+ "fips140-1-l4",
+ "fips140-2-l1",
+ "fips140-2-l2",
+ "fips140-2-l3",
+ "fips140-2-l4",
+ "fips140-3-l1",
+ "fips140-3-l2",
+ "fips140-3-l3",
+ "fips140-3-l4",
+ "cc-eal1",
+ "cc-eal1+",
+ "cc-eal2",
+ "cc-eal2+",
+ "cc-eal3",
+ "cc-eal3+",
+ "cc-eal4",
+ "cc-eal4+",
+ "cc-eal5",
+ "cc-eal5+",
+ "cc-eal6",
+ "cc-eal6+",
+ "cc-eal7",
+ "cc-eal7+",
+ "other",
+ "unknown"
+ ],
+ "meta:enum": {
+ "none": "No certification obtained",
+ "fips140-1-l1": "FIPS 140-1 Level 1",
+ "fips140-1-l2": "FIPS 140-1 Level 2",
+ "fips140-1-l3": "FIPS 140-1 Level 3",
+ "fips140-1-l4": "FIPS 140-1 Level 4",
+ "fips140-2-l1": "FIPS 140-2 Level 1",
+ "fips140-2-l2": "FIPS 140-2 Level 2",
+ "fips140-2-l3": "FIPS 140-2 Level 3",
+ "fips140-2-l4": "FIPS 140-2 Level 4",
+ "fips140-3-l1": "FIPS 140-3 Level 1",
+ "fips140-3-l2": "FIPS 140-3 Level 2",
+ "fips140-3-l3": "FIPS 140-3 Level 3",
+ "fips140-3-l4": "FIPS 140-3 Level 4",
+ "cc-eal1": "Common Criteria - Evaluation Assurance Level 1",
+ "cc-eal1+": "Common Criteria - Evaluation Assurance Level 1 (Augmented)",
+ "cc-eal2": "Common Criteria - Evaluation Assurance Level 2",
+ "cc-eal2+": "Common Criteria - Evaluation Assurance Level 2 (Augmented)",
+ "cc-eal3": "Common Criteria - Evaluation Assurance Level 3",
+ "cc-eal3+": "Common Criteria - Evaluation Assurance Level 3 (Augmented)",
+ "cc-eal4": "Common Criteria - Evaluation Assurance Level 4",
+ "cc-eal4+": "Common Criteria - Evaluation Assurance Level 4 (Augmented)",
+ "cc-eal5": "Common Criteria - Evaluation Assurance Level 5",
+ "cc-eal5+": "Common Criteria - Evaluation Assurance Level 5 (Augmented)",
+ "cc-eal6": "Common Criteria - Evaluation Assurance Level 6",
+ "cc-eal6+": "Common Criteria - Evaluation Assurance Level 6 (Augmented)",
+ "cc-eal7": 
"Common Criteria - Evaluation Assurance Level 7",
+ "cc-eal7+": "Common Criteria - Evaluation Assurance Level 7 (Augmented)",
+ "other": "Another certification",
+ "unknown": "The certification level is not known"
+ }
+ }
+ },
+ "mode": {
+ "type": "string",
+ "title": "Mode",
+ "description": "The mode of operation in which the cryptographic algorithm (block cipher) is used.",
+ "enum": [
+ "cbc",
+ "ecb",
+ "ccm",
+ "gcm",
+ "cfb",
+ "ofb",
+ "ctr",
+ "other",
+ "unknown"
+ ],
+ "meta:enum": {
+ "cbc": "Cipher block chaining",
+ "ecb": "Electronic codebook",
+ "ccm": "Counter with cipher block chaining message authentication code",
+ "gcm": "Galois/counter",
+ "cfb": "Cipher feedback",
+ "ofb": "Output feedback",
+ "ctr": "Counter",
+ "other": "Another mode of operation",
+ "unknown": "The mode of operation is not known"
+ }
+ },
+ "padding": {
+ "type": "string",
+ "title": "Padding",
+ "description": "The padding scheme that is used for the cryptographic algorithm.",
+ "enum": [
+ "pkcs5",
+ "pkcs7",
+ "pkcs1v15",
+ "oaep",
+ "raw",
+ "other",
+ "unknown"
+ ],
+ "meta:enum": {
+ "pkcs5": "Public Key Cryptography Standard: Password-Based Cryptography",
+ "pkcs7": "Public Key Cryptography Standard: Cryptographic Message Syntax",
+ "pkcs1v15": "Public Key Cryptography Standard: RSA Cryptography v1.5",
+ "oaep": "Optimal asymmetric encryption padding",
+ "raw": "Raw",
+ "other": "Another padding scheme",
+ "unknown": "The padding scheme is not known"
+ }
+ },
+ "cryptoFunctions": {
+ "type": "array",
+ "title": "Cryptographic functions",
+ "description": "The cryptographic functions implemented by the cryptographic algorithm.",
+ "items": {
+ "type": "string",
+ "enum": [
+ "generate",
+ "keygen",
+ "encrypt",
+ "decrypt",
+ "digest",
+ "tag",
+ "keyderive",
+ "sign",
+ "verify",
+ "encapsulate",
+ "decapsulate",
+ "other",
+ "unknown"
+ ]
+ }
+ },
+ "classicalSecurityLevel": {
+ "type": "integer",
+ "title": "classical security level",
+ "description": "The 
classical security level that a cryptographic algorithm provides (in bits).",
+ "minimum": 0
+ },
+ "nistQuantumSecurityLevel": {
+ "type": "integer",
+ "title": "NIST security strength category",
+ "description": "The NIST security strength category as defined in https://csrc.nist.gov/projects/post-quantum-cryptography/post-quantum-cryptography-standardization/evaluation-criteria/security-(evaluation-criteria). A value of 0 indicates that none of the categories are met.",
+ "minimum": 0,
+ "maximum": 6
+ }
+ }
+ },
+ "certificateProperties": {
+ "type": "object",
+ "title": "Certificate Properties",
+ "description": "Properties for cryptographic assets of asset type 'certificate'",
+ "additionalProperties": false,
+ "properties": {
+ "serialNumber": {
+ "type": "string",
+ "title": "Serial Number",
+ "description": "The serial number is a unique identifier for the certificate issued by a CA."
+ },
+ "subjectName": {
+ "type": "string",
+ "title": "Subject Name",
+ "description": "The subject name for the certificate"
+ },
+ "issuerName": {
+ "type": "string",
+ "title": "Issuer Name",
+ "description": "The issuer name for the certificate"
+ },
+ "notValidBefore": {
+ "type": "string",
+ "format": "date-time",
+ "title": "Not Valid Before",
+ "description": "The date and time according to ISO-8601 standard from which the certificate is valid"
+ },
+ "notValidAfter": {
+ "type": "string",
+ "format": "date-time",
+ "title": "Not Valid After",
+ "description": "The date and time according to ISO-8601 standard from which the certificate is not valid anymore"
+ },
+ "signatureAlgorithmRef": {
+ "deprecated": true,
+ "$ref": "#/definitions/refType",
+ "title": "Algorithm Reference",
+ "description": "[DEPRECATED] This will be removed in a future version. 
Use `@.relatedCryptographicAssets` instead.\nThe bom-ref to signature algorithm used by the certificate"
+ },
+ "subjectPublicKeyRef": {
+ "deprecated": true,
+ "$ref": "#/definitions/refType",
+ "title": "Key reference",
+ "description": "[DEPRECATED] This will be removed in a future version. Use `@.relatedCryptographicAssets` instead.\nThe bom-ref to the public key of the subject"
+ },
+ "certificateFormat": {
+ "type": "string",
+ "title": "Certificate Format",
+ "description": "The format of the certificate",
+ "examples": [
+ "X.509",
+ "PEM",
+ "DER",
+ "CVC"
+ ]
+ },
+ "certificateExtension": {
+ "deprecated": true,
+ "type": "string",
+ "title": "Certificate File Extension",
+ "description": "[DEPRECATED] This will be removed in a future version. Use `@.certificateFileExtension` instead.\nThe file extension of the certificate",
+ "examples": [
+ "crt",
+ "pem",
+ "cer",
+ "der",
+ "p12"
+ ]
+ },
+ "certificateFileExtension": {
+ "type": "string",
+ "title": "Certificate File Extension",
+ "description": "The file extension of the certificate.",
+ "examples": [
+ "crt",
+ "pem",
+ "cer",
+ "der",
+ "p12"
+ ]
+ },
+ "fingerprint": {
+ "type": "object",
+ "$ref": "#/definitions/hash",
+ "title": "Certificate Fingerprint",
+ "description": "The fingerprint is a cryptographic hash of the certificate excluding it's signature."
+ },
+ "certificateState": {
+ "type": "array",
+ "title": "Certificate Lifecycle State",
+ "description": "The certificate lifecycle is a comprehensive process that manages digital certificates from their initial creation to eventual expiration or revocation. 
It typically involves several stages", + "items": { + "type": "object", + "title": "State", + "description": "The state of the certificate.", + "oneOf": [ + { + "title": "Pre-Defined State", + "required": [ + "state" + ], + "additionalProperties": false, + "properties": { + "state": { + "type": "string", + "title": "State", + "description": "A pre-defined state in the certificate lifecycle.", + "enum": [ + "pre-activation", + "active", + "suspended", + "deactivated", + "revoked", + "destroyed" + ], + "meta:enum": { + "pre-activation": "The certificate has been issued by the issuing certificate authority (CA) but has not been authorized for use.", + "active": "The certificate may be used to cryptographically protect information, cryptographically process previously protected information, or both.", + "deactivated": "Certificates in the deactivated state shall not be used to apply cryptographic protection but, in some cases, may be used to process cryptographically protected information.", + "suspended": "The use of a certificate may be suspended for several possible reasons.", + "revoked": "A revoked certificate is a digital certificate that has been invalidated by the issuing certificate authority (CA) before its scheduled expiration date.", + "destroyed": "The certificate has been destroyed." + } + }, + "reason": { + "type": "string", + "title": "Reason", + "description": "A reason for the certificate being in this state." + } + } + }, + { + "title": "Custom State", + "required": [ + "name" + ], + "additionalProperties": false, + "properties": { + "name": { + "type": "string", + "title": "State", + "description": "The name of the certificate lifecycle state." + }, + "description": { + "type": "string", + "title": "Description", + "description": "The description of the certificate lifecycle state." + }, + "reason": { + "type": "string", + "title": "Reason", + "description": "A reason for the certificate being in this state." 
+ } + } + } + ] + } + }, + "creationDate": { + "type": "string", + "format": "date-time", + "title": "Creation Date", + "description": "The date and time (timestamp) when the certificate was created or pre-activated." + }, + "activationDate": { + "type": "string", + "format": "date-time", + "title": "Activation Date", + "description": "The date and time (timestamp) when the certificate was activated." + }, + "deactivationDate": { + "type": "string", + "format": "date-time", + "title": "Deactivation Date", + "description": "The date and time (timestamp) when the related certificate was deactivated." + }, + "revocationDate": { + "type": "string", + "format": "date-time", + "title": "Revocation Date", + "description": "The date and time (timestamp) when the certificate was revoked." + }, + "destructionDate": { + "type": "string", + "format": "date-time", + "title": "Destruction Date", + "description": "The date and time (timestamp) when the certificate was destroyed." + }, + "certificateExtensions": { + "type": "array", + "title": "Certificate Extensions", + "description": "A certificate extension is a field that provides additional information about the certificate or its use. 
Extensions are used to convey additional information beyond the standard fields.", + "items": { + "type": "object", + "title": "Extension", + "description": "", + "oneOf": [ + { + "title": "Common Extensions", + "required": [ + "commonExtensionName", + "commonExtensionValue" + ], + "additionalProperties": false, + "properties": { + "commonExtensionName": { + "type": "string", + "title": "name", + "description": "The name of the extension.", + "enum": [ + "basicConstraints", + "keyUsage", + "extendedKeyUsage", + "subjectAlternativeName", + "authorityKeyIdentifier", + "subjectKeyIdentifier", + "authorityInformationAccess", + "certificatePolicies", + "crlDistributionPoints", + "signedCertificateTimestamp" + ], + "meta:enum": { + "basicConstraints": "Specifies whether a certificate can be used as a CA certificate or not.", + "keyUsage": "Specifies the allowed uses of the public key in the certificate.", + "extendedKeyUsage": "Specifies additional purposes for which the public key can be used.", + "subjectAlternativeName": "Allows inclusion of additional names to identify the entity associated with the certificate.", + "authorityKeyIdentifier": "Identifies the public key of the CA that issued the certificate.", + "subjectKeyIdentifier": "Identifies the public key associated with the entity the certificate was issued to.", + "authorityInformationAccess": "Contains CA issuers and OCSP information.", + "certificatePolicies": "Defines the policies under which the certificate was issued and can be used.", + "crlDistributionPoints": "Contains one or more URLs where a Certificate Revocation List (CRL) can be obtained.", + "signedCertificateTimestamp": "Shows that the certificate has been publicly logged, which helps prevent the issuance of rogue certificates by a CA. Log ID, timestamp and signature as proof." + } + }, + "commonExtensionValue": { + "type": "string", + "title": "Value", + "description": "The value of the certificate extension." 
+ } + } + }, + { + "title": "Custom Extensions", + "description": "Custom extensions may convey application-specific or vendor-specific data not covered by standard extensions. The structure and semantics of custom extensions are typically defined outside of public standards. CycloneDX leverages properties to support this capability.", + "required": [ + "customExtensionName" + ], + "additionalProperties": false, + "properties": { + "customExtensionName": { + "type": "string", + "title": "Name", + "description": "The name for the custom certificate extension." + }, + "customExtensionValue": { + "type": "string", + "title": "Value", + "description": "The description of the custom certificate extension." + } + } + } + ] + } + }, + "relatedCryptographicAssets": { + "$ref": "#/definitions/relatedCryptographicAssets", + "title": "Related Cryptographic Assets", + "description": "A list of cryptographic assets related to this component." + } + } + }, + "relatedCryptoMaterialProperties": { + "type": "object", + "title": "Related Cryptographic Material Properties", + "description": "Properties for cryptographic assets of asset type: `related-crypto-material`", + "additionalProperties": false, + "properties": { + "type": { + "type": "string", + "title": "relatedCryptoMaterialType", + "description": "The type for the related cryptographic material", + "enum": [ + "private-key", + "public-key", + "secret-key", + "key", + "ciphertext", + "signature", + "digest", + "initialization-vector", + "nonce", + "seed", + "salt", + "shared-secret", + "tag", + "additional-data", + "password", + "credential", + "token", + "other", + "unknown" + ], + "meta:enum": { + "private-key": "The confidential key of a key pair used in asymmetric cryptography.", + "public-key": "The non-confidential key of a key pair used in asymmetric cryptography.", + "secret-key": "A key used to encrypt and decrypt messages in symmetric cryptography.", + "key": "A piece of information, usually an octet string, which, 
when processed through a cryptographic algorithm, processes cryptographic data.", + "ciphertext": "The result of encryption performed on plaintext using an algorithm (or cipher).", + "signature": "A cryptographic value that is calculated from the data and a key known only by the signer.", + "digest": "The output of the hash function.", + "initialization-vector": "A fixed-size random or pseudo-random value used as an input parameter for cryptographic algorithms.", + "nonce": "A random or pseudo-random number that can only be used once in a cryptographic communication.", + "seed": "The input to a pseudo-random number generator. Different seeds generate different pseudo-random sequences.", + "salt": "A value used in a cryptographic process, usually to ensure that the results of computations for one instance cannot be reused by an attacker.", + "shared-secret": "A piece of data known only to the parties involved, in a secure communication.", + "tag": "A message authentication code (MAC), sometimes known as an authentication tag, is a short piece of information used for authenticating and integrity-checking a message.", + "additional-data": "An unspecified collection of data with relevance to cryptographic activity.", + "password": "A secret word, phrase, or sequence of characters used during authentication or authorization.", + "credential": "Establishes the identity of a party to communication, usually in the form of cryptographic keys or passwords.", + "token": "An object encapsulating a security identity.", + "other": "Another type of cryptographic asset.", + "unknown": "The type of cryptographic asset is not known." + } + }, + "id": { + "type": "string", + "title": "ID", + "description": "The unique identifier for the related cryptographic material." 
+ }, + "state": { + "type": "string", + "title": "State", + "description": "The key state as defined by NIST SP 800-57.", + "enum": [ + "pre-activation", + "active", + "suspended", + "deactivated", + "compromised", + "destroyed" + ] + }, + "algorithmRef": { + "deprecated": true, + "$ref": "#/definitions/refType", + "title": "Algorithm Reference", + "description": "[DEPRECATED] Use `@.relatedCryptographicAssets` instead.\nThe bom-ref to the algorithm used to generate the related cryptographic material." + }, + "creationDate": { + "type": "string", + "format": "date-time", + "title": "Creation Date", + "description": "The date and time (timestamp) when the related cryptographic material was created." + }, + "activationDate": { + "type": "string", + "format": "date-time", + "title": "Activation Date", + "description": "The date and time (timestamp) when the related cryptographic material was activated." + }, + "updateDate": { + "type": "string", + "format": "date-time", + "title": "Update Date", + "description": "The date and time (timestamp) when the related cryptographic material was updated." + }, + "expirationDate": { + "type": "string", + "format": "date-time", + "title": "Expiration Date", + "description": "The date and time (timestamp) when the related cryptographic material expires." + }, + "value": { + "type": "string", + "title": "Value", + "description": "The associated value of the cryptographic material." + }, + "size": { + "type": "integer", + "title": "Size", + "description": "The size of the cryptographic asset (in bits)." + }, + "format": { + "type": "string", + "title": "Format", + "description": "The format of the related cryptographic material (e.g. P8, PEM, DER)." + }, + "securedBy": { + "$ref": "#/definitions/securedBy", + "title": "Secured By", + "description": "The mechanism by which the cryptographic asset is secured by." 
+ }, + "fingerprint": { + "type": "object", + "$ref": "#/definitions/hash", + "title": "Fingerprint", + "description": "The fingerprint is a cryptographic hash of the asset." + }, + "relatedCryptographicAssets": { + "$ref": "#/definitions/relatedCryptographicAssets", + "title": "Related Cryptographic Assets", + "description": "A list of cryptographic assets related to this component." + } + } + }, + "protocolProperties": { + "type": "object", + "title": "Protocol Properties", + "description": "Properties specific to cryptographic assets of type: `protocol`.", + "additionalProperties": false, + "properties": { + "type": { + "type": "string", + "title": "Type", + "description": "The concrete protocol type.", + "enum": [ + "tls", + "ssh", + "ipsec", + "ike", + "sstp", + "wpa", + "dtls", + "quic", + "eap-aka", + "eap-aka-prime", + "prins", + "5g-aka", + "other", + "unknown" + ], + "meta:enum": { + "tls": "Transport Layer Security", + "ssh": "Secure Shell", + "ipsec": "Internet Protocol Security", + "ike": "Internet Key Exchange", + "sstp": "Secure Socket Tunneling Protocol", + "wpa": "Wi-Fi Protected Access", + "dtls": "Datagram Transport Layer Security", + "quic": "Quick UDP Internet Connections", + "eap-aka": "Extensible Authentication Protocol variant", + "eap-aka-prime": "Enhanced version of EAP-AKA", + "prins": "Protection of Inter-Network Signaling", + "5g-aka": "Authentication and Key Agreement for 5G", + "other": "Another protocol type", + "unknown": "The protocol type is not known" + } + }, + "version": { + "type": "string", + "title": "Protocol Version", + "description": "The version of the protocol.", + "examples": [ + "1.0", + "1.2", + "1.99" + ] + }, + "cipherSuites": { + "type": "array", + "title": "Cipher Suites", + "description": "A list of cipher suites related to the protocol.", + "items": { + "$ref": "#/definitions/cipherSuite", + "title": "Cipher Suite" + } + }, + "ikev2TransformTypes": { + "type": "object", + "title": "IKEv2 Transform Types", + 
"description": "The IKEv2 transform types supported (types 1-4), defined in [RFC 7296 section 3.3.2](https://www.ietf.org/rfc/rfc7296.html#section-3.3.2), and additional properties.", + "additionalProperties": false, + "properties": { + "encr": { + "title": "Encryption Algorithms (ENCR)", + "description": "Transform Type 1: encryption algorithms", + "anyOf": [ + { + "type": "array", + "title": "Encryption Algorithms (ENCR)", + "items": { + "$ref": "#/definitions/ikeV2Enc", + "title": "Encryption Algorithm (ENCR)" + } + }, + { + "deprecated": true, + "$ref": "#/definitions/cryptoRefArray", + "title": "Encryption Algorithm (ENCR) References", + "description": "[DEPRECATED] This will be removed in a future version.\nTransform Type 1: encryption algorithms" + } + ] + }, + "prf": { + "title": "Pseudorandom Functions (PRF)", + "description": "Transform Type 2: pseudorandom functions", + "anyOf": [ + { + "type": "array", + "title": "Pseudorandom Functions (PRF)", + "items": { + "$ref": "#/definitions/ikeV2Prf", + "title": "Pseudorandom Function (PRF)" + } + }, + { + "deprecated": true, + "$ref": "#/definitions/cryptoRefArray", + "description": "[DEPRECATED] This will be removed in a future version.\nTransform Type 2: pseudorandom functions" + } + ] + }, + "integ": { + "title": "Integrity Algorithms (INTEG)", + "description": "Transform Type 3: integrity algorithms", + "anyOf": [ + { + "type": "array", + "title": "Integrity Algorithms (INTEG)", + "items": { + "$ref": "#/definitions/ikeV2Integ", + "title": "Integrity Algorithm (INTEG)" + } + }, + { + "deprecated": true, + "$ref": "#/definitions/cryptoRefArray", + "description": "[DEPRECATED] This will be removed in a future version.\nTransform Type 3: integrity algorithms" + } + ] + }, + "ke": { + "title": "Key Exchange Methods (KE)", + "description": "Transform Type 4: Key Exchange Method (KE) per [RFC 9370](https://www.ietf.org/rfc/rfc9370.html), formerly called Diffie-Hellman Group (D-H).", + "anyOf": [ + { + "type": 
"array", + "title": "Key Exchange Methods (KE)", + "items": { + "$ref": "#/definitions/ikeV2Ke", + "title": "Key Exchange Method (KE)" + } + }, + { + "deprecated": true, + "$ref": "#/definitions/cryptoRefArray", + "description": "[DEPRECATED] This will be removed in a future version.\nTransform Type 4: Key Exchange Method (KE) per [RFC 9370](https://www.ietf.org/rfc/rfc9370.html), formerly called Diffie-Hellman Group (D-H)." + } + ] + }, + "esn": { + "type": "boolean", + "title": "Extended Sequence Number (ESN)", + "description": "Specifies if an Extended Sequence Number (ESN) is used." + }, + "auth": { + "title": "IKEv2 Authentication methods", + "description": "IKEv2 Authentication method per [RFC9593](https://www.ietf.org/rfc/rfc9593.html).", + "anyOf": [ + { + "type": "array", + "title": "IKEv2 Authentication Methods", + "items": { + "$ref": "#/definitions/ikeV2Auth", + "title": "IKEv2 Authentication Method" + } + }, + { + "deprecated": true, + "$ref": "#/definitions/cryptoRefArray", + "description": "[DEPRECATED] This will be removed in a future version.\nIKEv2 Authentication method" + } + ] + } + } + }, + "cryptoRefArray": { + "deprecated": true, + "$ref": "#/definitions/cryptoRefArray", + "title": "Cryptographic References", + "description": "[DEPRECATED] Use `@.relatedCryptographicAssets` instead.\nA list of protocol-related cryptographic assets" + }, + "relatedCryptographicAssets": { + "$ref": "#/definitions/relatedCryptographicAssets", + "title": "Related Cryptographic Assets", + "description": "A list of cryptographic assets related to this component." + } + } + }, + "oid": { + "type": "string", + "title": "OID", + "description": "The object identifier (OID) of the cryptographic asset." 
+ } + } + }, + "cipherSuite": { + "type": "object", + "title": "Cipher Suite", + "description": "Object representing a cipher suite", + "additionalProperties": false, + "properties": { + "name": { + "type": "string", + "title": "Common Name", + "description": "A common name for the cipher suite.", + "examples": [ + "TLS_DHE_RSA_WITH_AES_128_CCM" + ] + }, + "algorithms": { + "type": "array", + "title": "Related Algorithms", + "description": "A list of algorithms related to the cipher suite.", + "items": { + "$ref": "#/definitions/refType", + "title": "Algorithm reference", + "description": "The bom-ref to algorithm cryptographic asset." + } + }, + "identifiers": { + "type": "array", + "title": "Cipher Suite Identifiers", + "description": "A list of common identifiers for the cipher suite.", + "items": { + "type": "string", + "title": "identifier", + "description": "Cipher suite identifier", + "examples": [ + "0xC0", + "0x9E" + ] + } + }, + "tlsGroups": { + "type": "array", + "title": "TLS Groups", + "description": "A list of TLS named groups (formerly known as curves) for this cipher suite. These groups define the parameters for key exchange algorithms like ECDHE.", + "items": { + "type": "string", + "title": "Group Name", + "description": "The name of the TLS group", + "examples": [ + "x25519", + "ffdhe2048" + ] + } + }, + "tlsSignatureSchemes": { + "type": "array", + "title": "TLS Signature Schemes", + "description": "A list of signature schemes supported for cipher suite. 
These schemes specify the algorithms used for digital signatures in TLS handshakes and certificate verification.", + "items": { + "type": "string", + "title": "Signature Scheme", + "description": "The name of the TLS signature scheme", + "examples": [ + "ecdsa_secp256r1_sha256", + "rsa_pss_rsae_sha256", + "ed25519" + ] + } + } + } + }, + "ikeV2Enc": { + "type": "object", + "title": "Encryption Algorithm (ENCR)", + "description": "Object representing an encryption algorithm (ENCR)", + "additionalProperties": false, + "properties": { + "name": { + "type": "string", + "title": "Name", + "description": "A name for the encryption method.", + "examples": [ + "ENCR_AES_GCM_16" + ] + }, + "keyLength": { + "type": "integer", + "title": "Encryption algorithm key length", + "description": "The key length of the encryption algorithm." + }, + "algorithm": { + "$ref": "#/definitions/refType", + "title": "Algorithm reference", + "description": "The bom-ref to algorithm cryptographic asset." + } + } + }, + "ikeV2Prf": { + "type": "object", + "title": "Pseudorandom Function (PRF)", + "description": "Object representing a pseudorandom function (PRF)", + "additionalProperties": false, + "properties": { + "name": { + "type": "string", + "title": "Name", + "description": "A name for the pseudorandom function.", + "examples": [ + "PRF_HMAC_SHA2_256" + ] + }, + "algorithm": { + "$ref": "#/definitions/refType", + "title": "Algorithm reference", + "description": "The bom-ref to algorithm cryptographic asset." 
+ } + } + }, + "ikeV2Integ": { + "type": "object", + "title": "Integrity Algorithm (INTEG)", + "description": "Object representing an integrity algorithm (INTEG)", + "additionalProperties": false, + "properties": { + "name": { + "type": "string", + "title": "Name", + "description": "A name for the integrity algorithm.", + "examples": [ + "AUTH_HMAC_SHA2_256_128" + ] + }, + "algorithm": { + "$ref": "#/definitions/refType", + "title": "Algorithm reference", + "description": "The bom-ref to algorithm cryptographic asset." + } + } + }, + "ikeV2Ke": { + "type": "object", + "title": "Key Exchange Method (KE)", + "description": "Object representing a key exchange method (KE)", + "additionalProperties": false, + "properties": { + "group": { + "type": "integer", + "title": "Group Identifier", + "description": "A group identifier for the key exchange algorithm." + }, + "algorithm": { + "$ref": "#/definitions/refType", + "title": "Algorithm reference", + "description": "The bom-ref to algorithm cryptographic asset." + } + } + }, + "ikeV2Auth": { + "type": "object", + "title": "IKEv2 Authentication method", + "description": "Object representing a IKEv2 Authentication method", + "additionalProperties": false, + "properties": { + "name": { + "type": "string", + "title": "Name", + "description": "A name for the authentication method." + }, + "algorithm": { + "$ref": "#/definitions/refType", + "title": "Algorithm reference", + "description": "The bom-ref to algorithm cryptographic asset." 
+ } + } + }, + "cryptoRefArray" : { + "deprecated": true, + "title": "Encryption Algorithm (ENCR) Reference Array", + "description": "Deprecated definition.", + "type": "array", + "items": { + "$ref": "#/definitions/refType" + } + }, + "relatedCryptographicAssets": { + "type": "array", + "title": "Related Cryptographic Assets", + "description": "A list of cryptographic assets related to this component.", + "items": { + "$ref": "#/definitions/relatedCryptographicAsset", + "title": "Related Cryptographic Asset" + } + }, + "relatedCryptographicAsset": { + "type": "object", + "title": "Related Cryptographic Asset", + "description": "A cryptographic assets related to this component.", + "additionalProperties": false, + "properties": { + "type": { + "type": "string", + "title": "Type", + "description": "Specifies the mechanism by which the cryptographic asset is secured by.", + "examples": [ + "publicKey", + "privateKey", + "algorithm" + ] + }, + "ref": { + "$ref": "#/definitions/refType", + "title": "Reference to cryptographic asset", + "description": "The bom-ref to cryptographic asset." + } + } + }, + "securedBy": { + "type": "object", + "title": "Secured By", + "description": "Specifies the mechanism by which the cryptographic asset is secured by", + "additionalProperties": false, + "properties": { + "mechanism": { + "type": "string", + "title": "Mechanism", + "description": "Specifies the mechanism by which the cryptographic asset is secured by.", + "examples": [ + "HSM", + "TPM", + "SGX", + "Software", + "None" + ] + }, + "algorithmRef": { + "$ref": "#/definitions/refType", + "title": "Algorithm Reference", + "description": "The bom-ref to the algorithm." + } + } + }, + "tags": { + "type": "array", + "items": { + "type": "string" + }, + "title": "Tags", + "description": "Textual strings that aid in discovery, search, and retrieval of the associated object. 
Tags often serve as a way to group or categorize similar or related objects by various attributes.", + "examples": [ + "json-parser", + "object-persistence", + "text-to-image", + "translation", + "object-detection" + ] + }, + "patentFamily": { + "type": "object", + "title": "Patent Family", + "description": "A patent family is a group of related patent applications or granted patents that cover the same or similar invention. These patents are filed in multiple jurisdictions to protect the invention across different regions or countries. A patent family typically includes patents that share a common priority date, originating from the same initial application, and may vary slightly in scope or claims to comply with regional legal frameworks. Fields align with WIPO ST.96 standards where applicable.", + "required": ["familyId"], + "additionalProperties": false, + "properties": { + "bom-ref": { + "$ref": "#/definitions/refType", + "title": "BOM Reference", + "description": "An identifier which can be used to reference the object elsewhere in the BOM. Every `bom-ref` must be unique within the BOM. \n\nFor a patent, it might be a good idea to use a patent number as the BOM reference ID." + }, + "familyId": { + "type": "string", + "title": "Patent Family ID", + "description": "The unique identifier for the patent family, aligned with the `id` attribute in WIPO ST.96 v8.0's `PatentFamilyType`. Refer to [PatentFamilyType in ST.96](https://www.wipo.int/standards/XMLSchema/ST96/V8_0/Patent/PatentFamilyType.xsd)." 
+ }, + "priorityApplication": { + "$ref": "#/definitions/priorityApplication" + }, + "members": { + "type": "array", + "title": "Family Members", + "description": "A collection of patents or applications that belong to this family, each identified by a `bom-ref` pointing to a patent object defined elsewhere in the BOM.", + "items": { + "$ref": "#/definitions/refLinkType", + "title": "BOM Reference", + "description": "A `bom-ref` linking to a patent or application object within the BOM." + } + }, + "externalReferences": { + "type": "array", + "title": "External References", + "description": "External references provide a way to document systems, sites, and information that may be relevant but are not included with the BOM. They may also establish specific relationships within or external to the BOM.", + "items": { + "$ref": "#/definitions/externalReference" + } + } + } + }, + "patent": { + "type": "object", + "title": "Patent", + "description": "A patent is a legal instrument, granted by an authority, that confers certain rights over an invention for a specified period, contingent on public disclosure and adherence to relevant legal requirements. The summary information in this object is aligned with [WIPO ST.96](https://www.wipo.int/standards/en/st96/) principles where applicable.", + "required": ["patentNumber", "jurisdiction", "patentLegalStatus"], + "additionalProperties": false, + "properties": { + "bom-ref": { + "$ref": "#/definitions/refType", + "title": "BOM Reference", + "description": "An identifier which can be used to reference the object elsewhere in the BOM. Every `bom-ref` must be unique within the BOM." + }, + "patentNumber": { + "type": "string", + "pattern": "^[A-Za-z0-9][A-Za-z0-9\\-/.()\\s]{0,28}[A-Za-z0-9]$", + "title": "Patent Number", + "description": "The unique number assigned to the granted patent by the issuing authority. Aligned with `PatentNumber` in WIPO ST.96. 
Refer to [PatentNumber in ST.96](https://www.wipo.int/standards/XMLSchema/ST96/V8_0/Patent/PatentNumber.xsd).", + "examples": ["US987654321", "EP1234567B1"] + }, + "applicationNumber": { + "$ref": "#/definitions/patentApplicationNumber" + }, + "jurisdiction": { + "$ref": "#/definitions/patentJurisdiction" + }, + "priorityApplication": { + "$ref": "#/definitions/priorityApplication" + }, + "publicationNumber": { + "type": "string", + "pattern": "^[A-Za-z0-9][A-Za-z0-9\\-/.()\\s]{0,28}[A-Za-z0-9]$", + "title": "Patent Publication Number", + "description": "This is the number assigned to a patent application once it is published. Patent applications are generally published 18 months after filing (unless an applicant requests non-publication). This number is distinct from the application number. \n\nPurpose: Identifies the publicly available version of the application. \n\nFormat: Varies by jurisdiction, often similar to application numbers but includes an additional suffix indicating publication. \n\nExample:\n - US: US20240000123A1 (indicates the first publication of application US20240000123) \n - Europe: EP23123456A1 (first publication of European application EP23123456). \n\nWIPO ST.96 v8.0: \n - Publication Number field: https://www.wipo.int/standards/XMLSchema/ST96/V8_0/Patent/PublicationNumber.xsd" + }, + "title": { + "type": "string", + "title": "Patent Title", + "description": "The title of the patent, summarising the invention it protects. Aligned with `InventionTitle` in WIPO ST.96. Refer to [InventionTitle in ST.96](https://www.wipo.int/standards/XMLSchema/ST96/V8_0/Patent/InventionTitle.xsd)." + }, + "abstract": { + "type": "string", + "title": "Patent Abstract", + "description": "A brief summary of the invention described in the patent. Aligned with `Abstract` and `P` in WIPO ST.96. Refer to [Abstract in ST.96](https://www.wipo.int/standards/XMLSchema/ST96/V8_0/Patent/Abstract.xsd)." 
+ }, + "filingDate": { + "type": "string", + "format": "date", + "title": "Filing Date", + "description": "The date the patent application was filed with the jurisdiction. Aligned with `FilingDate` in WIPO ST.96. Refer to [FilingDate in ST.96](https://www.wipo.int/standards/XMLSchema/ST96/V8_0/Patent/FilingDate.xsd)." + }, + "grantDate": { + "type": "string", + "format": "date", + "title": "Grant Date", + "description": "The date the patent was granted by the jurisdiction. Aligned with `GrantDate` in WIPO ST.96. Refer to [GrantDate in ST.96](https://www.wipo.int/standards/XMLSchema/ST96/V8_0/Patent/GrantDate.xsd)." + }, + "patentExpirationDate": { + "type": "string", + "format": "date", + "title": "Expiration Date", + "description": "The date the patent expires. Derived from grant or filing date according to jurisdiction-specific rules." + }, + "patentLegalStatus": { + "type": "string", + "title": "Legal Status", + "description": "Indicates the current legal status of the patent or patent application, based on the WIPO ST.27 standard. This status reflects administrative, procedural, or legal events. 
Values include both active and inactive states and are useful for determining enforceability, procedural history, and maintenance status.",
+ "enum": [
+ "pending",
+ "granted",
+ "revoked",
+ "expired",
+ "lapsed",
+ "withdrawn",
+ "abandoned",
+ "suspended",
+ "reinstated",
+ "opposed",
+ "terminated",
+ "invalidated",
+ "in-force"
+ ],
+ "meta:enum": {
+ "pending": "The patent application has been filed but not yet examined or granted.",
+ "granted": "The patent application has been examined and a patent has been issued.",
+ "revoked": "The patent has been declared invalid through a legal or administrative process.",
+ "expired": "The patent has reached the end of its enforceable term.",
+ "lapsed": "The patent is no longer in force due to non-payment of maintenance fees or other requirements.",
+ "withdrawn": "The patent application was voluntarily withdrawn by the applicant.",
+ "abandoned": "The patent application was abandoned, often due to lack of action or response.",
+ "suspended": "Processing of the patent application has been temporarily halted.",
+ "reinstated": "A previously abandoned or lapsed patent has been reinstated.",
+ "opposed": "The patent application or granted patent is under formal opposition proceedings.",
+ "terminated": "The patent or application has been officially terminated.",
+ "invalidated": "The patent has been invalidated, either in part or in full.",
+ "in-force": "The granted patent is active and enforceable."
+ }
+ },
+ "patentAssignee": {
+ "type": "array",
+ "title": "Patent Assignees",
+ "description": "A collection of organisations or individuals to whom the patent rights are assigned. This supports joint ownership and allows for flexible representation of both corporate entities and individual inventors.",
+ "items": {
+ "oneOf": [
+ {
+ "title": "Person",
+ "$ref": "#/definitions/organizationalContact"
+ },
+ {
+ "title": "Organizational Entity",
+ "$ref": "#/definitions/organizationalEntity"
+ }
+ ]
+ }
+ },
+ "externalReferences": {
+ "type": "array",
+ "title": "External References",
+ "description": "External references provide a way to document systems, sites, and information that may be relevant but are not included with the BOM. They may also establish specific relationships within or external to the BOM.",
+ "items": {
+ "$ref": "#/definitions/externalReference"
+ }
+ }
+ }
+ },
+ "patentAssertions": {
+ "type": "array",
+ "title": "Patent Assertions",
+ "description": "A list of assertions made regarding patents associated with this component or service. Assertions distinguish between ownership, licensing, and other relevant interactions with patents.",
+ "items": {
+ "type": "object",
+ "title": "Patent Assertion",
+ "description": "An assertion linking a patent or patent family to this component or service.",
+ "required": ["assertionType", "asserter"],
+ "additionalProperties": false,
+ "properties": {
+ "bom-ref": {
+ "$ref": "#/definitions/refType",
+ "title": "BOM Reference",
+ "description": "A reference to the patent or patent family object within the BOM. This must match the `bom-ref` of a `patent` or `patentFamily` object."
+ },
+ "assertionType": {
+ "type": "string",
+ "title": "Assertion Type",
+ "description": "The type of assertion being made about the patent or patent family. Examples include ownership, licensing, and standards inclusion.",
+ "enum": [
+ "ownership",
+ "license",
+ "third-party-claim",
+ "standards-inclusion",
+ "prior-art",
+ "exclusive-rights",
+ "non-assertion",
+ "research-or-evaluation"
+ ],
+ "meta:enum": {
+ "ownership": "The manufacturer asserts ownership of the patent or patent family.",
+ "license": "The manufacturer asserts they have a license to use the patent or patent family.",
+ "third-party-claim": "A third party has asserted a claim or potential infringement against the manufacturer’s component or service.",
+ "standards-inclusion": "The patent is part of a standard essential patent (SEP) portfolio relevant to the component or service.",
+ "prior-art": "The manufacturer asserts the patent or patent family as prior art that invalidates another patent or claim.",
+ "exclusive-rights": "The manufacturer asserts exclusive rights granted through a licensing agreement.",
+ "non-assertion": "The manufacturer asserts they will not enforce the patent or patent family against certain uses or users.",
+ "research-or-evaluation": "The patent or patent family is being used under a research or evaluation license."
+ }
+ },
+ "patentRefs": {
+ "type": "array",
+ "title": "Patent References",
+ "description": "A list of BOM references (`bom-ref`) linking to patents or patent families associated with this assertion.",
+ "items": {
+ "$ref": "#/definitions/refType"
+ }
+ },
+ "asserter": {
+ "oneOf": [
+ {
+ "$ref": "#/definitions/organizationalEntity",
+ "title": "Organizational Entity"
+ },
+ {
+ "$ref": "#/definitions/organizationalContact",
+ "title": "Person"
+ },
+ {
+ "$ref": "#/definitions/refLinkType",
+ "title": "Reference",
+ "description": "A reference to a previously defined `organizationalContact` or `organizationalEntity` object in the BOM. The value must be a valid `bom-ref` pointing to one of these objects."
+ }
+ ]
+ },
+ "notes": {
+ "type": "string",
+ "title": "Notes",
+ "description": "Additional notes or clarifications regarding the assertion, if necessary. For example, geographical restrictions, duration, or limitations of a license."
+ }
+ }
+ }
+ },
+ "patentApplicationNumber": {
+ "type": "string",
+ "pattern": "^[A-Za-z0-9][A-Za-z0-9\\-/.()\\s]{0,28}[A-Za-z0-9]$",
+ "title": "Patent Application Number",
+ "description": "The unique number assigned to a patent application when it is filed with a patent office. It is used to identify the specific application and track its progress through the examination process. Aligned with `ApplicationNumber` in ST.96. Refer to [ApplicationIdentificationType in ST.96](https://www.wipo.int/standards/XMLSchema/ST96/V8_0/Patent/ApplicationIdentificationType.xsd).",
+ "examples": ["US20240000123", "EP23123456"]
+ },
+ "patentJurisdiction": {
+ "type": "string",
+ "title": "Jurisdiction",
+ "description": "The jurisdiction or patent office where the priority application was filed, specified using WIPO ST.3 codes. Aligned with `IPOfficeCode` in ST.96. Refer to [IPOfficeCode in ST.96](https://www.wipo.int/standards/XMLSchema/ST96/V8_0/Common/IPOfficeCode.xsd).",
+ "pattern": "^[A-Z]{2}$",
+ "examples": ["US", "EP", "JP"]
+ },
+ "patentFilingDate": {
+ "type": "string",
+ "format": "date",
+ "title": "Filing Date",
+ "description": "The date the priority application was filed, aligned with `FilingDate` in ST.96. Refer to [FilingDate in ST.96](https://www.wipo.int/standards/XMLSchema/ST96/V8_0/Patent/FilingDate.xsd)."
+ },
+ "priorityApplication": {
+ "type": "object",
+ "title": "Priority Application",
+ "description": "The priorityApplication contains the essential data necessary to identify and reference an earlier patent filing for priority rights. In line with WIPO ST.96 guidelines, it includes the jurisdiction (office code), application number, and filing date-the three key elements that uniquely specify the priority application in a global patent context.",
+ "required": ["applicationNumber", "jurisdiction", "filingDate"],
+ "additionalProperties": false,
+ "properties": {
+ "applicationNumber": {
+ "$ref": "#/definitions/patentApplicationNumber"
+ },
+ "jurisdiction": {
+ "$ref": "#/definitions/patentJurisdiction"
+ },
+ "filingDate": {
+ "$ref": "#/definitions/patentFilingDate"
+ }
+ }
+ },
+ "citation": {
+ "type": "object",
+ "title": "Citation",
+ "description": "Details a specific attribution of data within the BOM to a contributing entity or process.",
+ "additionalProperties": false,
+ "properties": {
+ "bom-ref": {
+ "$ref": "#/definitions/refType",
+ "title": "BOM Reference"
+ },
+ "pointers": {
+ "type": "array",
+ "items": {
+ "type": "string",
+ "title": "Field Reference",
+ "description": "A [JSON Pointer](https://datatracker.ietf.org/doc/html/rfc6901) identifying the BOM field to which the attribution applies.\nUsers of other serialization formats (e.g. XML) shall use the JSON Pointer format to ensure consistent field referencing across representations."
+ },
+ "minItems": 1,
+ "title": "Field References",
+ "description": "One or more [JSON Pointers](https://datatracker.ietf.org/doc/html/rfc6901) identifying the BOM fields to which the attribution applies.\nExactly one of the \"pointers\" or \"expressions\" elements must be present."
+ },
+ "expressions": {
+ "type": "array",
+ "items": {
+ "type": "string",
+ "title": "Path Expression",
+ "description": "Specifies a path expression used to locate a value within a BOM. The expression syntax shall conform to the format of the BOM's serialization.\nUse [JSONPath](https://datatracker.ietf.org/doc/html/rfc9535) for JSON, [XPath](https://www.w3.org/TR/xpath/) for XML, and default to JSONPath for Protocol Buffers unless otherwise specified.\nImplementers shall ensure the expression is valid within the context of the applicable serialization format."
+ },
+ "minItems": 1,
+ "title": "Path Expressions",
+ "description": "One or more path expressions used to locate values within a BOM.\nExactly one of the \"pointers\" or \"expressions\" elements must be present."
+ },
+ "timestamp": {
+ "type": "string",
+ "format": "date-time",
+ "title": "Timestamp",
+ "description": "The date and time when the attribution was made or the information was supplied."
+ },
+ "attributedTo": {
+ "$ref": "#/definitions/refLinkType",
+ "title": "Attributed To",
+ "description": "The `bom-ref` of an object, such as a component, service, tool, organisational entity, or person that supplied the cited information.\nAt least one of the \"attributedTo\" or \"process\" elements must be present."
+ },
+ "process": {
+ "$ref": "#/definitions/refLinkType",
+ "title": "Process Reference",
+ "description": "The `bom-ref` to a process (such as a formula, workflow, task, or step) defined in the `formulation` section that executed or generated the attributed data.\nAt least one of the \"attributedTo\" or \"process\" elements must be present."
+ },
+ "note": {
+ "type": "string",
+ "title": "Note",
+ "description": "A description or comment about the context or quality of the data attribution."
+ },
+ "signature": {
+ "$ref": "#/definitions/signature",
+ "title": "Signature",
+ "description": "A digital signature verifying the authenticity or integrity of the attribution."
+ }
+ },
+ "required": ["timestamp"],
+ "anyOf": [
+ { "required": ["attributedTo"] },
+ { "required": ["process"] }
+ ],
+ "oneOf": [
+ { "required": ["pointers"] },
+ { "required": ["expressions"] }
+ ]
+ }
+ }
+}
diff --git a/schema/bom-1.7.xsd b/schema/bom-1.7.xsd
new file mode 100644
index 0000000..deba3de
--- /dev/null
+++ b/schema/bom-1.7.xsd
@@ -0,0 +1,9742 @@ + + + + + + + + + CycloneDX Bill of Materials Standard + https://cyclonedx.org/ + Apache License, Version 2.0 + + + + + + Identifier for referable and therefore interlink-able elements. + + + + + + + + + + Descriptor for an element identified by the attribute "bom-ref" in the same BOM document. + In contrast to `bomLinkElementType`. + + + + + + + + + + + + + + + + + =2.0.0|<5.0.0" + - "vers:pypi/0.0.0|0.0.1|0.0.2|0.0.3|1.0|2.0pre1" + - "vers:tomee/>=1.0.0-beta1|<=1.7.5|>=7.0.0-M1|<=7.0.7|>=7.1.0|<=7.1.2|>=8.0.0-M1|<=8.0.1" + - "vers:gem/>=2.2.0|!= 2.2.1|<2.3.0" + ]]> + + + + + + + + + + + + Descriptor for another BOM document. + See https://cyclonedx.org/capabilities/bomlink/ + + + + + + + + + + + Descriptor for an element in another BOM document. + See https://cyclonedx.org/capabilities/bomlink/ + + + + + + + + + + + + + + + + The date and time (timestamp) when the BOM was created. + + + + + + Lifecycles communicate the stage(s) in which data in the BOM was captured. Different types of data may be available at various phases of a lifecycle, such as the Software Development Lifecycle (SDLC), IT Asset Management (ITAM), and Software Asset Management (SAM). Thus, a BOM may include data specific to or only obtainable in a given lifecycle. + + + + + + + + + + + + A pre-defined phase in the product lifecycle. + + + + + + + + + The name of the lifecycle phase + + + + + + + The description of the lifecycle phase + + + + + + + + + + + + + The tool(s) used in the creation of the BOM. + + + + + + + DEPRECATED. Use `../components` or `../services` instead. + + + + + + + A list of software and hardware components used as tools. + + + + + A list of services used as tools. + + + + + + + + + + The person(s) who created the BOM. + Authors are common in BOMs created through manual processes. BOMs created through automated means may have './manufacturer' instead. + + + + + + + + + + + The component that the BOM describes. 
+ + + + + + The organization that created the BOM. + Manufacturer is common in BOMs created through automated processes. BOMs created through manual means may have './authors' instead. + + + + + + + DEPRECATED - DO NOT USE. This will be removed in a future version. Use the `./component/manufacturer` instead. + The organization that manufactured the component that the BOM describes. + + + + + + The organization that supplied the component that the BOM describes. The + supplier may often be the manufacturer, but may also be a distributor or repackager. + + + + + + The license information for the BOM document. + This may be different from the license(s) of the component(s) that the BOM describes. + + + + + + Provides the ability to document properties in a name/value store. + This provides flexibility to include data not officially supported in the standard + without having to use additional namespaces or create extensions. Property names + of interest to the general public are encouraged to be registered in the + CycloneDX Property Taxonomy - https://github.com/CycloneDX/cyclonedx-property-taxonomy. + Formal registration is optional. + + + + + + Conditions and constraints governing the sharing and distribution of the data or components + described by this BOM. + + + + + + + + The Traffic Light Protocol (TLP) classification that controls the sharing and + distribution of the data that the BOM describes. + + + + + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + User-defined attributes may be used on this element as long as they + do not have the same name as an existing attribute used by the schema. + + + + + + + + + + BOM produced early in the development lifecycle containing inventory of components and services + that are proposed or planned to be used. The inventory may need to be procured, retrieved, + or resourced prior to use. 
+ + + + + + + BOM consisting of information obtained prior to a build process and may contain source files + and development artifacts and manifests. The inventory may need to be resolved and retrieved + prior to use. + + + + + + + BOM consisting of information obtained during a build process where component inventory is + available for use. The precise versions of resolved components are usually available at this + time as well as the provenance of where the components were retrieved from. + + + + + + + BOM consisting of information obtained after a build process has completed and the resulting + components(s) are available for further analysis. Built components may exist as the result of a + CI/CD process, may have been installed or deployed to a system or device, and may need to be + retrieved or extracted from the system or device. + + + + + + + BOM produced that represents inventory that is running and operational. This may include staging + or production environments and will generally encompass multiple SBOMs describing the applications + and operating system, along with HBOMs describing the hardware that makes up the system. Operations + Bill of Materials (OBOM) can provide full-stack inventory of runtime environments, configurations, + and additional dependencies. + + + + + + + BOM consisting of information observed through network discovery providing point-in-time + enumeration of embedded, on-premise, and cloud-native services such as server applications, + connected devices, microservices, and serverless functions. + + + + + + + BOM containing inventory that will be, or has been retired from operations. + + + + + + + + + + + The name of the organization + + + + + The physical address (location) of the organization. + + + + + + The URL of the organization. Multiple URLs are allowed. + Example: https://example.com + + + + + + A contact person at the organization. Multiple contacts are allowed. 
+ + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + + An identifier which can be used to reference the object elsewhere in the BOM. + Uniqueness is enforced within all elements and children of the root-level bom element. + + + + + + User-defined attributes may be used on this element as long as they + do not have the same name as an existing attribute used by the schema. + + + + + + + + Traffic Light Protocol (TLP) is a classification system for identifying the potential risk associated with artefact, including whether it is subject to certain types of legal, financial, or technical threats. Refer to https://www.first.org/tlp/ for further information. + The default classification is "CLEAR" + + + + + + + The information is not subject to any restrictions as regards the sharing. + + + + + + + The information is subject to limited disclosure, and recipients can share it within their community but not via publicly accessible channels. + + + + + + + The information is subject to limited disclosure, and recipients can only share it on a need-to-know basis within their organization and with clients. + + + + + + + The information is subject to limited disclosure, and recipients can only share it on a need-to-know basis within their organization. + + + + + + + The information is subject to restricted distribution to individual recipients only and must not be shared. + + + + + + + + + Information about the automated or manual tool used + + + + + The name of the vendor who created the tool + + + + + The name of the tool + + + + + The version of the tool + + + + + + + + + + + + Provides the ability to document external references related to the tool. + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + User-defined attributes may be used on this element as long as they + do not have the same name as an existing attribute used by the schema. 
+ + + + + + + + + The name of the contact + + + + + The email address of the contact. + + + + + The phone number of the contact. + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + + An identifier which can be used to reference the object elsewhere in the BOM. + Uniqueness is enforced within all elements and children of the root-level bom element. + + + + + + User-defined attributes may be used on this element as long as they + do not have the same name as an existing attribute used by the schema. + + + + + + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + User-defined attributes may be used on this element as long as they + do not have the same name as an existing attribute used by the schema. + + + + + + + + + The organization that supplied the component. The supplier may often + be the manufacturer, but may also be a distributor or repackager. + + + + + + The organization that created the component. + Manufacturer is common in components created through automated processes. Components created through manual means may have './authors' instead. + + + + + + + The person(s) who created the component. + Authors are common in components created through manual processes. Components created through automated means may have `./manufacturer` instead. + + + + + + + + + + + + DEPRECATED - DO NOT USE. This will be removed in a future version. Use `./authors` or `./manufacturer` instead. + The person(s) or organization(s) that authored the component. + + + + + + The person(s) or organization(s) that published the component + + + + + The grouping name or identifier. This will often be a shortened, single + name of the company or project that produced the component, or the source package or + domain name. Whitespace and special characters should be avoided. Examples include: + apache, org.apache.commons, and apache.org. 
+ + + + + The name of the component. This will often be a shortened, single name + of the component. Examples: commons-lang3 and jquery + + + + + Must be used exclusively, either 'version' or 'versionRange', but not both. + + + + The component version. The version should ideally comply with semantic versioning + but is not enforced. + + + + + + + + + + + Specifies a description for the component + + + + + Specifies the scope of the component. If scope is not specified, 'required' + scope SHOULD be assumed by the consumer of the BOM. + + + + + The hashes of the component. + + + + + + + + + + + A copyright notice informing users of the underlying claims to copyright ownership in a published work. + + + + + + A list of assertions made regarding patents associated with this component or service. Assertions distinguish between ownership, licensing, and other relevant interactions with patents. + + + + + + + + + + + + Specifies a well-formed CPE name that conforms to the CPE 2.2 or 2.3 specification. See https://nvd.nist.gov/products/cpe + + + + + + + Specifies the package-url (purl). The purl, if specified, must be valid and conform + to the specification defined at: https://github.com/package-url/purl-spec + + + + + + + Specifies the OmniBOR Artifact ID. The OmniBOR, if specified, must be valid and conform + to the specification defined at: https://www.iana.org/assignments/uri-schemes/prov/gitoid + + + + + + + Specifies the Software Heritage persistent identifier (SWHID). The SWHID, if specified, must + be valid and conform to the specification defined at: + https://docs.softwareheritage.org/devel/swh-model/persistent-identifiers.html + + + + + + + Specifies metadata and content for ISO-IEC 19770-2 Software Identification (SWID) Tags. + + + + + + + DEPRECATED - DO NOT USE. This will be removed in a future version. Use the pedigree + element instead to supply information on exactly how the component was modified. 
+ A boolean value indicating if the component has been modified from the original. + A value of true indicates the component is a derivative of the original. + A value of false indicates the component has not been modified from the original. + + + + + + + Component pedigree is a way to document complex supply chain scenarios where components are + created, distributed, modified, redistributed, combined with other components, etc. + + + + + + Provides the ability to document external references related to the + component or to the project the component describes. + + + + + Provides the ability to document properties in a name/value store. + This provides flexibility to include data not officially supported in the standard + without having to use additional namespaces or create extensions. Property names + of interest to the general public are encouraged to be registered in the + CycloneDX Property Taxonomy - https://github.com/CycloneDX/cyclonedx-property-taxonomy. + Formal registration is optional. + + + + + + A list of software and hardware components included in the parent component. This is not a + dependency tree. It provides a way to specify a hierarchical representation of component + assemblies, similar to system -> subsystem -> parts assembly in physical supply chains. + + + + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + + + Provides the ability to document evidence collected through various forms of extraction or analysis. + + + + + Specifies release notes. + + + + + A model card describes the intended uses of a machine learning model and potential + limitations, including biases and ethical considerations. Model cards typically contain the + training parameters, which datasets were used to train the model, performance metrics, and other + relevant data useful for ML transparency. 
This object SHOULD be specified for any component of + type `machine-learning-model` and must not be specified for other component types. + + + + + This object SHOULD be specified for any component of type `data` and must not be + specified for other component types. + + + + + + Cryptographic assets have properties that uniquely define them and that make them actionable + for further reasoning. As an example, it makes a difference if one knows the algorithm family + (e.g. AES) or the specific variant or instantiation (e.g. AES-128-GCM). This is because the + security level and the algorithm primitive (authenticated encryption) is only defined by the + definition of the algorithm variant. The presence of a weak cryptographic algorithm like SHA1 + vs. HMAC-SHA1 also makes a difference. + + + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + + Specifies the type of component. For software components, classify as application if no more + specific appropriate classification is available or cannot be determined for the component. + + + + + + + The mime-type of the component. When used on file components, the mime-type + can provide additional context about the kind of file being represented such as an image, + font, or executable. Some library or framework components may also have an associated mime-type. + + + + + + + Determine whether this component is external. + An external component is one that is not part of an assembly, but is expected to be provided by the environment, regardless of the component's `@scope`. This setting can be useful for distinguishing which components are bundled with the product and which can be relied upon to be present in the deployment environment. + This may be set to `true` for runtime components only. For `/metadata/component`, it must be set to `false`. + + + + + + + An identifier which can be used to reference the component elsewhere in the BOM. 
+ Uniqueness is enforced within all elements and children of the root-level bom element. + + + + + + User-defined attributes may be used on this element as long as they + do not have the same name as an existing attribute used by the schema. + + + + + + + + + + An identifier which can be used to reference the license elsewhere in the BOM. + Uniqueness is enforced within all elements and children of the root-level bom element. + + + + + + + Declared licenses and concluded licenses represent two different stages in the + licensing process within software development. Declared licenses refer to the + initial intention of the software authors regarding the licensing terms under + which their code is released. On the other hand, concluded licenses are the + result of a comprehensive analysis of the project's codebase to identify and + confirm the actual licenses of the components used, which may differ from the + initially declared licenses. While declared licenses provide an upfront indication + of the licensing intentions, concluded licenses offer a more thorough understanding + of the actual licensing within a project, facilitating proper compliance and risk + management. Observed licenses are defined in `evidence.licenses`. Observed licenses + form the evidence necessary to substantiate a concluded license. 
+ + + + + + + + + + License identifiers that may be used to manage licenses and + their lifecycle + + + + + + + + + + The individual or organization that grants a license to another + individual or organization + + + + + + + The organization that granted the license + + + + + The individual, not associated with an organization, + that granted the license + + + + + + + + + The individual or organization for which a license was granted to + + + + + + + The organization that was granted the license + + + + + The individual, not associated with an organization, + that was granted the license + + + + + + + + + The individual or organization that purchased the license + + + + + + + The organization that purchased the license + + + + + The individual, not associated with an organization, + that purchased the license + + + + + + + + + The purchase order identifier the purchaser sent to a supplier or + vendor to authorize a purchase + + + + + The type of license(s) that was granted to the licensee + + + + + + + + + + The timestamp indicating when the license was last + renewed. For new purchases, this is often the purchase or acquisition date. + For non-perpetual licenses or subscriptions, this is the timestamp of when the + license was last renewed. + + + + + The timestamp indicating when the current license + expires (if applicable). + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + + + Specifies the details and attributes related to a software license. + It can either include a valid SPDX license identifier or a named license, along with additional + properties such as license acknowledgment, comprehensive commercial licensing information, and + the full text of the license. + + + + + + A valid SPDX license identifier. 
If specified, this value must be one of the enumeration of valid SPDX license identifiers defined in the spdx.schema.json (or spdx.xml) subschema which is synchronized with the official SPDX license list. + + + + + The name of the license. This may include the name of a commercial or proprietary license or an open source license that may not be defined by SPDX. + + + + + + Specifies the full text of the attachment + + + + + The URL to the attachment file. If the attachment is a license or BOM, + an externalReference should also be specified for completeness. + + + + + Licensing details describing the licensor/licensee, license type, renewal and + expiration dates, and other important metadata + + + + + Provides the ability to document properties in a name/value store. + This provides flexibility to include data not officially supported in the standard + without having to use additional namespaces or create extensions. Property names + of interest to the general public are encouraged to be registered in the + CycloneDX Property Taxonomy - https://github.com/CycloneDX/cyclonedx-property-taxonomy. + Formal registration is optional. + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + + + + + + A valid SPDX license expression. + Refer to https://spdx.org/specifications for syntax requirements. + + Example values: + - Apache-2.0 AND (MIT OR GPL-2.0-only) + - GPL-3.0-only WITH Classpath-exception-2.0 + + + + + + + + + + + Specifies the details and attributes related to a software license. + It must be a valid SPDX license expression, along with additional properties such as license acknowledgment. + + + + + + Details for parts of the `expression`. + + + + + This document specifies the details and attributes related to a software license identifier. An SPDX expression may be a compound of license identifiers. + The `license-identifier` attribute serves as the key that identifies each record. 
Note that this key is not required to be unique, as the same license identifier could apply to multiple, different but similar license details, texts, etc. + + + + + + A way to include the textual content of the license. + + + + + The URL to the attachment file. If the attachment is a license or BOM, + an externalReference should also be specified for completeness. + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + + A valid SPDX license identifier. Refer to https://spdx.org/specifications for syntax requirements. + This attribute serves as the primary key, which uniquely identifies each record. + + Example values: + - Apache-2.0 + - GPL-3.0-only WITH Classpath-exception-2.0 + - LicenseRef-my-custom-license + + + + + + + An identifier which can be used to reference the license elsewhere in the BOM. + Uniqueness is enforced within all elements and children of the root-level bom element. + + + + + + + + Licensing details describing the licensor/licensee, license type, renewal and + expiration dates, and other important metadata + + + + + Provides the ability to document properties in a name/value store. + This provides flexibility to include data not officially supported in the standard + without having to use additional namespaces or create extensions. Property names + of interest to the general public are encouraged to be registered in the + CycloneDX Property Taxonomy - https://github.com/CycloneDX/cyclonedx-property-taxonomy. + Formal registration is optional. + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + + A valid SPDX license expression. + Refer to https://spdx.org/specifications for syntax requirements. + + Example values: + - Apache-2.0 AND (MIT OR GPL-2.0-only) + - GPL-3.0-only WITH Classpath-exception-2.0 + + + + + + + + + + The attachment data. 
Proactive controls such as input validation and sanitization should be employed to prevent misuse of attachment text. + + + + + Specifies the format and nature of the data being attached, helping systems correctly + interpret and process the content. Common content type examples include `application/json` + for JSON data and `text/plain` for plan text documents. + RFC 2045 section 5.1 outlines the structure and use of content types. For a comprehensive + list of registered content types, refer to the IANA media types registry at + https://www.iana.org/assignments/media-types/media-types.xhtml. + + + + + + + Specifies the encoding the text is represented in + + + + + + + + + + Specifies the file hash of the component + + + + + + Specifies the algorithm used to create the hash + + + + + + + + + + + The component is required for runtime + + + + + The component is optional at runtime. Optional components are components that + are not capable of being called due to them not be installed or otherwise accessible by any means. + Components that are installed but due to configuration or other restrictions are prohibited from + being called must be scoped as 'required'. + + + + + Components that are excluded provide the ability to document component usage + for test and other non-runtime purposes. Excluded components are not reachable within a call + graph at runtime. + + + + + + + + + + A software application. Refer to https://en.wikipedia.org/wiki/Application_software + for information about applications. + + + + + A software framework. Refer to https://en.wikipedia.org/wiki/Software_framework + for information on how frameworks vary slightly from libraries. + + + + + A software library. Refer to https://en.wikipedia.org/wiki/Library_(computing) + for information about libraries. All third-party and open source reusable components will likely + be a library. If the library also has key features of a framework, then it should be classified + as a framework. 
If not, or is unknown, then specifying library is recommended. + + + + + A packaging and/or runtime format, not specific to any particular technology, + which isolates software inside the container from software outside of a container through + virtualization technology. Refer to https://en.wikipedia.org/wiki/OS-level_virtualization + + + + + + A runtime environment that interprets or executes software. + This may include runtimes such as those that execute bytecode, just-in-time compilers, + interpreters, or low-code/no-code application platforms. + + + + + + A software operating system without regard to deployment model + (i.e. installed on physical hardware, virtual machine, image, etc) Refer to + https://en.wikipedia.org/wiki/Operating_system + + + + + A hardware device such as a processor, or chip-set. A hardware device + containing firmware SHOULD include a component for the physical hardware itself, and another + component of type 'firmware' or 'operating-system' (whichever is relevant), describing + information about the software running on the device. + See also the list of known device properties: https://github.com/CycloneDX/cyclonedx-property-taxonomy/blob/main/cdx/device.md + + + + + + A special type of software that operates or controls a particular type of device. + Refer to https://en.wikipedia.org/wiki/Device_driver + + + + + A special type of software that provides low-level control over a devices + hardware. Refer to https://en.wikipedia.org/wiki/Firmware + + + + + A computer file. Refer to https://en.wikipedia.org/wiki/Computer_file + for information about files. + + + + + A model based on training data that can make predictions or decisions without + being explicitly programmed to do so. + + + + + A collection of discrete values that convey information. + + + + + A cryptographic asset including algorithms, protocols, certificates, keys, tokens, and secrets. 
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + A license that grants use of software solely for the purpose + of education or research. + + + + + A license covering use of software embedded in a specific + piece of hardware. + + + + + A Client Access License (CAL) allows client computers to access + services provided by server software. + + + + + A Concurrent User license (aka floating license) limits the + number of licenses for a software application and licenses are shared among + a larger number of users. + + + + + A license where the core of a computer's processor is assigned + a specific number of points. + + + + + A license for which consumption is measured by non-standard + metrics. + + + + + A license that covers a defined number of installations on + computers and other types of devices. + + + + + A license that grants permission to install and use software + for trial purposes. + + + + + A license that grants access to the software to one or more + pre-defined users. + + + + + A license that grants access to the software on one or more + pre-defined computers or devices. + + + + + An Original Equipment Manufacturer license that is delivered + with hardware, cannot be transferred to other hardware, and is valid for the + life of the hardware. + + + + + A license where the software is sold on a one-time basis and + the licensee can use a copy of the software indefinitely. + + + + + A license where each installation consumes points per + processor. + + + + + A license where the licensee pays a fee to use the software + or service. + + + + + A license that grants access to the software or service by a + specified number of users. + + + + + Another license type. + + + + + + + + + + + + + + + + + + + + + + + + + + + Define the format for acceptable CPE URIs. Supports CPE 2.2 and CPE 2.3 formats. + Refer to https://nvd.nist.gov/products/cpe for official specification. + + + + + + + + + + + + Specifies the full content of the SWID tag. 
+ + + + + The URL to the SWID file. + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + Maps to the tagId of a SoftwareIdentity. + + + + + Maps to the name of a SoftwareIdentity. + + + + + Maps to the version of a SoftwareIdentity. + + + + + Maps to the tagVersion of a SoftwareIdentity. + + + + + Maps to the patch of a SoftwareIdentity. + + + + + + + + Defines a string representation of a UUID conforming to RFC 4122. + + + + + + + + + + + + Version Control System + + + + + Issue or defect tracking system, or an Application Lifecycle Management (ALM) system + + + + + Website + + + + + Security advisories + + + + + Bill-of-materials (SBOM, OBOM, HBOM, SaaSBOM, etc) + + + + + Mailing list or discussion group + + + + + Social media account + + + + + Real-time chat platform + + + + + Documentation, guides, or how-to instructions + + + + + Community or commercial support + + + + + The location where the source code distributable can be obtained. This is often an archive format such as zip or tgz. The source-distribution type complements use of the version control (vcs) type. + + + + + Direct or repository download location + + + + + The location where a component was published to. This is often the same as "distribution" but may also include specialized publishing processes that act as an intermediary + + + + + + The URL to the license file. If a license URL has been defined in the license + node, it should also be defined as an external reference for completeness. + Example: https://www.apache.org/licenses/LICENSE-2.0.txt + + + + + + Build-system specific meta file (i.e. pom.xml, package.json, .nuspec, etc) + + + + + URL to an automated build system + + + + + URL to release notes + + + + + Specifies a way to contact the maintainer, supplier, or provider in the event of a security incident. 
Common URIs include links to a disclosure procedure, a mailto (RFC-2368) that specifies an email address, a tel (RFC-3966) that specifies a phone number, or dns (RFC-4501) that specifies the records containing DNS Security TXT. + + + + + A model card describes the intended uses of a machine learning model, potential + limitations, biases, ethical considerations, training parameters, datasets used to train the + model, performance metrics, and other relevant data useful for ML transparency. + + + + + A record of events that occurred in a computer system or application, such as problems, errors, or information on current operations. + + + + + Parameters or settings that may be used by other components or services. + + + + + Information used to substantiate a claim. + + + + + Describes the formulation of any referencable object within the BOM, including components, services, metadata, declarations, or the BOM itself. + + + + + Human or machine-readable statements containing facts, evidence, or testimony + + + + + An enumeration of identified weaknesses, threats, and countermeasures, dataflow diagram (DFD), attack tree, and other supporting documentation in human-readable or machine-readable format + + + + + The defined assumptions, goals, and capabilities of an adversary. + + + + + Identifies and analyzes the potential of future events that may negatively impact individuals, assets, and/or the environment. Risk assessments may also include judgments on the tolerability of each risk. + + + + + A Vulnerability Disclosure Report (VDR) which asserts the known and previously unknown vulnerabilities that affect a component, service, or product including the analysis and findings describing the impact (or lack of impact) that the reported vulnerability has on a component, service, or product. 
+ + + + + A Vulnerability Exploitability eXchange (VEX) which asserts the known vulnerabilities that do not affect a product, product family, or organization, and optionally the ones that do. The VEX should include the analysis and findings describing the impact (or lack of impact) that the reported vulnerability has on the product, product family, or organization. + + + + + Results from an authorized simulated cyberattack on a component or service, otherwise known as a penetration test + + + + + SARIF or proprietary machine or human-readable report for which static analysis has identified code quality, security, and other potential issues with the source code + + + + + Dynamic analysis report that has identified issues such as vulnerabilities and misconfigurations + + + + + Report generated by analyzing the call stack of a running application + + + + + Report generated by Software Composition Analysis (SCA), container analysis, or other forms of component analysis + + + + + Report containing a formal assessment of an organization, business unit, or team against a maturity model + + + + + Industry, regulatory, or other certification from an accredited (if applicable) certification body + + + + + Report or system in which quality metrics can be obtained + + + + + Code or configuration that defines and provisions virtualized infrastructure, commonly referred to as Infrastructure as Code (IaC) + + + + + Plans of Action and Milestones (POA&M) complement an "attestation" external reference. POA&M is defined by NIST as a "document that identifies tasks needing to be accomplished. It details resources required to accomplish the elements of the plan, any milestones in meeting the tasks and scheduled completion dates for the milestones". + + + + + An e-signature is commonly a scanned representation of a written signature or a stylized script of the persons name. 
+ + + + + A signature that leverages cryptography, typically public/private key pairs, which provides strong authenticity verification. + + + + + Document that complies with RFC-9116 (A File Format to Aid in Security Vulnerability Disclosure) + + + + + References information about patents which may be defined in human-readable documents or in machine-readable formats such as CycloneDX or ST.96. For detailed patent information or to reference the information provided directly by patent offices, it is recommended to leverage standards from the World Intellectual Property Organization (WIPO) such as [ST.96](https://www.wipo.int/standards/en/st96). + + + + + References information about a patent family which may be defined in human-readable documents or in machine-readable formats such as CycloneDX or ST.96. A patent family is a group of related patent applications or granted patents that cover the same or similar invention. For detailed patent family information or to reference the information provided directly by patent offices, it is recommended to leverage standards from the World Intellectual Property Organization (WIPO) such as [ST.96](https://www.wipo.int/standards/en/st96). + + + + + References assertions made regarding patents associated with a component or service. Assertions distinguish between ownership, licensing, and other relevant interactions with patents. + + + + + A reference to external citations applicable to the object identified by this BOM entry or the BOM itself. When used with a BOM-Link, this allows offloading citations into a separate CycloneDX BOM. + + + + + Use this if no other types accurately describe the purpose of the external reference + + + + + + + + + External references provide a way to document systems, sites, and information that may be + relevant, but are not included with the BOM. They may also establish specific relationships + within or external to the BOM. 
+ + + + + + Zero or more external references can be defined + + + + + + + + + + The URI (URL or URN) to the external reference. External references + are URIs and therefore can accept any URL scheme including https, mailto, tel, and dns. + External references may also include formally registered URNs such as CycloneDX BOM-Link to + reference CycloneDX BOMs or any object within a BOM. BOM-Link transforms applicable external + references into relationships that can be expressed in a BOM or across BOMs. Refer to: + https://cyclonedx.org/capabilities/bomlink/ + + + + + + + + A comment describing the external reference + + + + + + + + + + + + Provides the ability to document properties in a name/value store. + This provides flexibility to include data not officially supported in the standard + without having to use additional namespaces or create extensions. Property names + of interest to the general public are encouraged to be registered in the + CycloneDX Property Taxonomy - https://github.com/CycloneDX/cyclonedx-property-taxonomy. + Formal registration is optional. + + + + + + Specifies the type of external reference. There are built-in types to describe common + references. If a type does not exist for the reference being referred to, use the "other" type. + + + + + + User-defined attributes may be used on this element as long as they + do not have the same name as an existing attribute used by the schema. + + + + + + + Zero or more commits can be specified. + + + + + Specifies an individual commit. + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + + + + + A unique identifier of the commit. This may be version control + specific. For example, Subversion uses revision numbers whereas git uses commit hashes. + + + + + + The URL to the commit. This URL will typically point to a commit + in a version control system. 
+ + + + + + The author who created the changes in the commit + + + + + The person who committed or pushed the commit + + + + + The text description of the contents of the commit + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + + + Zero or more patches can be specified. + + + + + Specifies an individual patch. + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + + + + + The patch file (or diff) that show changes. + Refer to https://en.wikipedia.org/wiki/Diff + + + + + + + + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + Specifies the purpose for the patch including the resolution of defects, + security issues, or new behavior or functionality + + + + + + + + + A patch which is not developed by the creators or maintainers of the software + being patched. Refer to https://en.wikipedia.org/wiki/Unofficial_patch + + + + + A patch which dynamically modifies runtime behavior. + Refer to https://en.wikipedia.org/wiki/Monkey_patch + + + + + A patch which takes code from a newer version of software and applies + it to older versions of the same software. Refer to https://en.wikipedia.org/wiki/Backporting + + + + + A patch created by selectively applying commits from other versions or + branches of the same software. + + + + + + + + + + A fault, flaw, or bug in software + + + + + A new feature or behavior in software + + + + + A special type of defect which impacts security + + + + + + + + + + Specifies the text of the diff + + + + + Specifies the URL to the diff + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + + + + An individual issue that has been resolved. 
+ + + + + + The identifier of the issue assigned by the source of the issue + + + + + The name of the issue + + + + + A description of the issue + + + + + + + The source of the issue where it is documented. + + + + + + + The name of the source. For example "National Vulnerability Database", + "NVD", and "Apache" + + + + + + + The url of the issue documentation as provided by the source + + + + + + + + + + A collection of URL's for reference. Multiple URLs are allowed. + Example: "https://example.com" + + + + + + + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + Specifies the type of issue + + + + + + + + + The timestamp in which the action occurred + + + + + The name of the individual who performed the action + + + + + The email address of the individual who performed the action + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + + + + Component pedigree is a way to document complex supply chain scenarios where components are created, + distributed, modified, redistributed, combined with other components, etc. Pedigree supports viewing + this complex chain from the beginning, the end, or anywhere in the middle. It also provides a way to + document variants where the exact relation may not be known. + + + + + + Describes zero or more components in which a component is derived + from. This is commonly used to describe forks from existing projects where the forked version + contains a ancestor node containing the original component it was forked from. For example, + Component A is the original component. Component B is the component being used and documented + in the BOM. However, Component B contains a pedigree node with a single ancestor documenting + Component A - the original component from which Component B is derived from. + + + + + + Descendants are the exact opposite of ancestors. 
This provides a + way to document all forks (and their forks) of an original or root component. + + + + + + Variants describe relations where the relationship between the + components are not known. For example, if Component A contains nearly identical code to + Component B. They are both related, but it is unclear if one is derived from the other, + or if they share a common ancestor. + + + + + + A list of zero or more commits which provide a trail describing + how the component deviates from an ancestor, descendant, or variant. + + + + + A list of zero or more patches describing how the component + deviates from an ancestor, descendant, or variant. Patches may be complementary to commits + or may be used in place of commits. + + + + + Notes, observations, and other non-structured commentary + describing the components pedigree. + + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + + + + + The component or service that is a dependency of this dependency object. + + + + + + The component or service that define a given specification or standard, which is provided or implemented by this dependency object. + For example, a cryptographic library which implements a cryptographic algorithm. A component which implements another component does not imply that the implementation is in use. + + + + + + References a component or service by its bom-ref attribute + + + + + + + + References a component or service by its bom-ref attribute + + + + + User-defined attributes may be used on this element as long as they + do not have the same name as an existing attribute used by the schema. + + + + + + + + + Defines the direct dependencies of a component or service. Components or services + that do not have their own dependencies must be declared as empty elements within the graph. + Components or services that are not represented in the dependency graph may have unknown + dependencies. 
It is recommended that implementations assume this to be opaque and not an + indicator of a object being dependency-free. It is recommended to leverage compositions to + indicate unknown dependency graphs. + + + + + + + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + User-defined attributes may be used on this element as long as they + do not have the same name as an existing attribute used by the schema. + + + + + + + + + The organization that provides the service. + + + + + The grouping name, namespace, or identifier. This will often be a shortened, + single name of the company or project that produced the service or domain name. + Whitespace and special characters should be avoided. + + + + + The name of the service. This will often be a shortened, single name + of the service. + + + + + The service version. + + + + + Specifies a description for the service. + + + + + + The endpoint URIs of the service. Multiple endpoints are allowed. + Example: "https://example.com/api/v1/ticker" + + + + + + + A service endpoint URI. + + + + + + + + A boolean value indicating if the service requires authentication. + A value of true indicates the service requires authentication prior to use. + A value of false indicates the service does not require authentication. + + + + + A boolean value indicating if use of the service crosses a trust zone or boundary. + A value of true indicates that by using the service, a trust boundary is crossed. + A value of false indicates that by using the service, a trust boundary is not crossed. + + + + + The name of the trust zone the service resides in. + + + + + Specifies information about the data including the directional flow of data and the data classification. + + + + + + + DEPRECATED: Specifies the data classification. THIS FIELD IS DEPRECATED AS OF v1.5. Use `./dataflow/classification` instead + + + + + + Specifies the data classification. 
+ + + + + + Specifies the data classification. + + + + + + The URI, URL, or BOM-Link of the components or services the data came in from. + + + + + + + + + + + + + + The URI, URL, or BOM-Link of the components or services the data is sent to. + + + + + + + + + + + + + + + + Name for the defined data. + + + + + + + Short description of the data content and usage. + + + + + + User-defined attributes may be used on this element as long as they + do not have the same name as an existing attribute used by the schema. + + + + + + + + + + + + A list of assertions made regarding patents associated with this component or service. Assertions distinguish between ownership, licensing, and other relevant interactions with patents. + + + + + + + + + + + Provides the ability to document external references related to the service. + + + + + Provides the ability to document properties in a name/value store. + This provides flexibility to include data not officially supported in the standard + without having to use additional namespaces or create extensions. Property names + of interest to the general public are encouraged to be registered in the + CycloneDX Property Taxonomy - https://github.com/CycloneDX/cyclonedx-property-taxonomy. + Formal registration is optional. + + + + + + A list of services included or deployed behind the parent service. This is not a dependency + tree. It provides a way to specify a hierarchical representation of service assemblies. + + + + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + + + Specifies release notes. + + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + + An identifier which can be used to reference the service elsewhere in the BOM. + Uniqueness is enforced within all elements and children of the root-level bom element. 
+ + + + + + User-defined attributes may be used on this element as long as they + do not have the same name as an existing attribute used by the schema. + + + + + + + Specifies the data classification. + + + + + + Specifies the flow direction of the data. + + + + + + + + + Specifies the flow direction of the data. Valid values are: + inbound, outbound, bi-directional, and unknown. Direction is relative to the service. + Inbound flow states that data enters the service. Outbound flow states that data + leaves the service. Bi-directional states that data flows both ways, and unknown + states that the direction is not known. + + + + + + Data that enters a service. + + + + + + Data that exits a service. + + + + + Data flows in and out of the service. + + + + + The directional flow of data is not known. + + + + + + + + A list of SPDX licenses and/or named licenses and/or SPDX License Expression. + + + + + + + + + + + + + + Declared licenses represent the initial intentions of authors regarding + the licensing terms of their code. + + + + + + + Concluded licenses are verified and confirmed. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Examines the source code without executing it. + + + + + + + Examines a compiled binary through reverse engineering, typically via disassembly or bytecode reversal. + + + + + + + Examines a package management system such as those used for building software or installing software. + + + + + + + Examines the Abstract Syntax Tree (AST) of source code or a compiled binary. + + + + + + + Evaluates the cryptographic hash of a component against a set of pre-computed hashes of identified software. + + + + + + + Examines the call stack of running applications by intercepting and monitoring application logic without the need to modify the application. + + + + + + + Evaluates a running application. + + + + + + + Evaluates file name of a component against a set of known file names of identified software. 
+ + + + + + + A testimony to the accuracy of the identify of a component made by an individual or entity. + + + + + + + Any other technique. + + + + + + + + + + + Evidence that substantiates the identity of a component. The identify may be an + object or an array of identity objects. Support for specifying identity as a single object was + introduced in CycloneDX v1.5. "unbounded" was introduced in v1.6. It is recommended that all + implementations are aware of "unbounded". + + + + + + The identity field of the component which the evidence describes. + + + + + The overall confidence of the evidence from 0 - 1, where 1 is 100% confidence. + + + + + The value of the field (cpe, purl, etc) that has been concluded based on the aggregate of all methods (if available). + + + + + The methods used to extract and/or analyze the evidence. + + + + + + + + + The technique used in this method of analysis. + + + + + The confidence of the evidence from 0 - 1, where 1 is 100% confidence. Confidence is specific to the technique used. Each technique of analysis can have independent confidence. + + + + + The value or contents of the evidence. + + + + + + + + + + + + The object in the BOM identified by its bom-ref. This is often a component or service, + but may be any object type supporting bom-refs. Tools used for analysis should already + be defined in the BOM, either in the metadata/tools, components, or formulation. + + + + + + + + + + + + + + Evidence of individual instances of a component spread across multiple locations. + + + + + + + + + The location or path to where the component was found. + + + + + The line number where the component was found. + + + + + The offset where the component was found. + + + + + The symbol name that was found associated with the component. + + + + + Any additional context of the detected component (e.g. a code snippet). + + + + + + + + An identifier which can be used to reference the occurrence elsewhere + in the BOM. 
Every `bom-ref` must be unique within the BOM. + + + + + + + + + + + Evidence of the components use through the callstack. + + + + + + + + + + Within a call stack, a frame is a discrete unit that encapsulates an execution context, including local variables, parameters, and the return address. As function calls are made, frames are pushed onto the stack, forming an array-like structure that orchestrates the flow of program execution and manages the sequence of function invocations. + + + + + + + A package organizes modules into namespaces, providing a unique namespace for each type it contains. + + + + + A module or class that encloses functions/methods and other code. + + + + + A block of code designed to perform a particular task. + + + + + Arguments that are passed to the module or function. + + + + + + + + + + The line number the code that is called resides on. + + + + + The column the code that is called resides. + + + + + The full path and filename of the module. + + + + + + + + + + + + The object in the BOM identified by its bom-ref. This is often a component or service, + but may be any object type supporting bom-refs. Tools used for analysis should already + be defined in the BOM, either in the metadata/tools, components, or formulation. + + + + + + + + + + + + + + + + Copyright evidence captures intellectual property assertions, providing evidence of possible ownership and legal protection. + + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + User-defined attributes may be used on this element as long as they + do not have the same name as an existing attribute used by the schema. + + + + + + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + User-defined attributes may be used on this element as long as they + do not have the same name as an existing attribute used by the schema. 
+ + + + + + + + + Specifies an aggregate type that describes how complete a relationship is. + + + + + + The bom-ref identifiers of the components or services being described. Assemblies refer to + nested relationships whereby a constituent part may include other constituent parts. References + do not cascade to child parts. References are explicit for the specified constituent part only. + + + + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + + + + The bom-ref identifiers of the components or services being described. Dependencies refer to a + relationship whereby an independent constituent part requires another independent constituent + part. References do not cascade to transitive dependencies. References are explicit for the + specified dependency only. + + + + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + + + + The bom-ref identifiers of the vulnerabilities being described. + + + + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + + + + + An identifier which can be used to reference the composition elsewhere in the BOM. + Uniqueness is enforced within all elements and children of the root-level bom element. + + + + + + + + + + The relationship is complete. No further relationships including constituent components, services, or dependencies are known to exist. + + + + + The relationship is incomplete. Additional relationships exist and may include constituent components, services, or dependencies. + + + + + The relationship is incomplete. Only relationships for first-party components, services, or their dependencies are represented. + + + + + The relationship is incomplete. Only relationships for first-party components, services, or their dependencies are represented, limited specifically to those that are proprietary. + + + + + The relationship is incomplete. 
Only relationships for first-party components, services, or their dependencies are represented, limited specifically to those that are opensource. + + + + + The relationship is incomplete. Only relationships for third-party components, services, or their dependencies are represented. + + + + + The relationship is incomplete. Only relationships for third-party components, services, or their dependencies are represented, limited specifically to those that are proprietary. + + + + + The relationship is incomplete. Only relationships for third-party components, services, or their dependencies are represented, limited specifically to those that are opensource. + + + + + The relationship may be complete or incomplete. This usually signifies a 'best-effort' to obtain constituent components, services, or dependencies but the completeness is inconclusive. + + + + + The relationship completeness is not specified. + + + + + + + + + Defines a syntax for representing two character language code (ISO-639) followed by an optional two + character country code. The language code must be lower case. If the country code is specified, the + country code must be upper case. The language code and country code must be separated by a minus sign. + Examples: en, en-US, fr, fr-CA + + + + + + + + + + + + The software versioning type. It is recommended that the release type use one + of 'major', 'minor', 'patch', 'pre-release', or 'internal'. Representing all possible software + release types is not practical, so standardizing on the recommended values, whenever possible, + is strongly encouraged. + * major = A major release may contain significant changes or may introduce breaking changes. + * minor = A minor release, also known as an update, may contain a smaller number of changes than major releases. + * patch = Patch releases are typically unplanned and may resolve defects or important security issues. 
+ * pre-release = A pre-release may include alpha, beta, or release candidates and typically have + limited support. They provide the ability to preview a release prior to its general availability. + * internal = Internal releases are not for public consumption and are intended to be used exclusively + by the project or manufacturer that produced it. + + + + + + The title of the release. + + + + + The URL to an image that may be prominently displayed with the release note. + + + + + The URL to an image that may be used in messaging on social media platforms. + + + + + A short description of the release. + + + + + The date and time (timestamp) when the release note was created. + + + + + + + + One or more alternate names the release may be referred to. This may + include unofficial terms used by development and marketing teams (e.g. code names). + + + + + + + + + + A collection of issues that have been resolved. + + + + + + + + + + + + + Zero or more release notes containing the locale and content. Multiple + note elements may be specified to support release notes in a wide variety of languages. + + + + + + + The ISO-639 (or higher) language code and optional ISO-3166 + (or higher) country code. Examples include: "en", "en-US", "fr" and "fr-CA". + + + + + Specifies the full content of the release note. + + + + + + + + + + + Provides the ability to document properties in a name/value store. + This provides flexibility to include data not officially supported in the standard + without having to use additional namespaces or create extensions. Property names + of interest to the general public are encouraged to be registered in the + CycloneDX Property Taxonomy - https://github.com/CycloneDX/cyclonedx-property-taxonomy. + Formal registration is optional. + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. 
+ + + + + + + User-defined attributes may be used on this element as long as they + do not have the same name as an existing attribute used by the schema. + + + + + + + + + A model card describes the intended uses of a machine learning model and potential limitations, including + biases and ethical considerations. Model cards typically contain the training parameters, which datasets + were used to train the model, performance metrics, and other relevant data useful for ML transparency. + This object SHOULD be specified for any component of type `machine-learning-model` and must not be specified + for other component types. + + + + + + + Hyper-parameters for construction of the model. + + + + + + + + The overall approach to learning used by the model for problem solving. + + + + + + + + Learning types describing the learning problem or hybrid learning problem. + + + + + + + + + + Directly influences the input and/or output. Examples include classification, + regression, clustering, etc. + + + + + + + The model architecture family such as transformer network, convolutional neural + network, residual neural network, LSTM neural network, etc. + + + + + + + The specific architecture of the model such as GPT-1, ResNet-50, YOLOv3, etc. + + + + + + + The datasets used to train and evaluate the model. + + + + + + + References a data component by the components bom-ref attribute + + + + + + + + Inline Data Information + + + + + + + + + The input format(s) of the model + + + + + + + + + + + The data format for input to the model. Example formats include string, image, time-series + + + + + + + + + + + + + The output format(s) from the model + + + + + + + + + + + The data format for output from the model. Example formats include string, image, time-series + + + + + + + + + + + + + + + + A quantitative analysis of the model + + + + + + + + + + + + + + The type of performance metric. + + + + + + + The value of the performance metric. 
+ + + + + + + The name of the slice this metric was computed on. By default, assume + this metric is not sliced. + + + + + + + The confidence interval of the metric. + + + + + + + + The lower bound of the confidence interval. + + + + + + + The upper bound of the confidence interval. + + + + + + + + + + + + + + + + A collection of graphics that represent various measurements + + + + + + + + A description of this collection of graphics. + + + + + + + A collection of graphics. + + + + + + + + + + + The name of the graphic. + + + + + + + The graphic (vector or raster). Base64 encoding must be specified for binary images. + + + + + + + + + + + + + + + + + + + What considerations should be taken into account regarding the model's construction, training, + and application? + + + + + + + + Who are the intended users of the model? + + + + + + + + + + + + What are the intended use cases of the model? + + + + + + + + + + + + What are the known technical limitations of the model? E.g. What kind(s) of data + should the model be expected not to perform well on? What are the factors that might + degrade model performance? + + + + + + + + + + + + What are the known tradeoffs in accuracy/performance of the model? + + + + + + + + + + + + What are the ethical risks involved in the application of this model? + + + + + + + + + + + The name of the risk + + + + + + + Strategy used to address this risk + + + + + + + + + + + + + What are the various environmental impacts the corresponding machine learning model has exhibited across its lifecycle? + + + + + + + How does the model affect groups at risk of being systematically disadvantaged? + What are the harms and benefits to the various affected groups? + + + + + + + + + + + The groups or individuals at risk of being systematically disadvantaged by the model. + + + + + + + Expected benefits to the identified groups. + + + + + + + Expected harms to the identified groups. 
+ + + + + + + With respect to the benefits and harms outlined, please + describe any mitigation strategy implemented. + + + + + + + + + + + + + + + + + An identifier which can be used to reference the model card elsewhere in the BOM. + Every `bom-ref` must be unique within the BOM. + + + + + + + + + Describes various environmental impact metrics. + + + + + + + Describes energy consumption information incurred for one or more component lifecycle activities. + + + + + + Provides the ability to document properties in a name/value store. + This provides flexibility to include data not officially supported in the standard + without having to use additional namespaces or create extensions. Property names + of interest to the general public are encouraged to be registered in the + CycloneDX Property Taxonomy - https://github.com/CycloneDX/cyclonedx-property-taxonomy. + Formal registration is optional. + + + + + + + + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + User-defined attributes may be used on this element as long as they + do not have the same name as an existing attribute used by the schema. + + + + + + + + Describes energy consumption information incurred for the specified lifecycle activity. + + + + + + + The type of activity that is part of a machine learning model development or operational lifecycle. + + + + + + + + model design including problem framing, goal definition and algorithm selection. + + + + + + + model data acquisition including search, selection and transfer. + + + + + + + model data preparation including data cleaning, labeling and conversion. + + + + + + + model building, training and generalized tuning. + + + + + + + refining a trained model to produce desired outputs for a given problem space. + + + + + + + model validation including model output evaluation and testing. + + + + + + + explicit model deployment to a target hosting infrastructure. 
+ + + + + + + generating an output response from a hosted model from a set of inputs. + + + + + + + a lifecycle activity type whose description does not match currently defined values. + + + + + + + + + + The provider(s) of the energy consumed by the associated model development lifecycle activity. + + + + + + + The total energy cost associated with the model lifecycle activity. + + + + + + + The CO2 cost (debit) equivalent to the total energy cost. + + + + + + + The CO2 offset (credit) for the CO2 equivalent cost. + + + + + + Provides the ability to document properties in a name/value store. + This provides flexibility to include data not officially supported in the standard + without having to use additional namespaces or create extensions. Property names + of interest to the general public are encouraged to be registered in the + CycloneDX Property Taxonomy - https://github.com/CycloneDX/cyclonedx-property-taxonomy. + Formal registration is optional. + + + + + + + + + + A measure of energy. + + + + + + + Quantity of energy. + + + + + + + Unit of energy. + + + + + + + + kilowatt-hour (kWh) is the energy delivered by one kilowatt (kW) of power for one hour (h). + + + + + + + + + + + + + A measure of carbon dioxide (CO2). + + + + + + + Quantity of carbon dioxide (CO2). + + + + + + + Unit of carbon dioxide (CO2). + + + + + + + + Tonnes (t) of carbon dioxide (CO2) equivalent (eq). + + + + + + + + + + + + + Describes the physical provider of energy used for model development or operations. + + + + + + + A description of the energy provider. + + + + + + + The organization of the energy provider. + + + + + + + The energy source for the energy provider. + + + + + + + + Energy produced by types of coal. + + + + + + + Petroleum products (primarily crude oil and its derivative fuel oils). 
+ + + + + + + Hydrocarbon gas liquids (HGL) that occur as gases at atmospheric pressure and as liquids under higher pressures including Natural gas (C5H12 and heavier), Ethane (C2H6), Propane (C3H8), etc. + + + + + + + Energy produced from the cores of atoms (i.e., through nuclear fission or fusion). + + + + + + + Energy produced from moving air. + + + + + + + Energy produced from the sun (i.e., solar radiation). + + + + + + + Energy produced from heat within the earth. + + + + + + + Energy produced from flowing water. + + + + + + + Liquid fuels produced from biomass feedstocks (i.e., organic materials such as plants or animals). + + + + + + + The energy source is unknown. + + + + + + + An energy source that is not listed. + + + + + + + + + + The energy provided by the energy source for an associated activity. + + + + + + External references provide a way to document systems, sites, and information that may be relevant but are not included with the BOM. They may also establish specific relationships within or external to the BOM. + + + + + + + An identifier which can be used to reference the energy provider elsewhere in the BOM. + Uniqueness is enforced within all elements and children of the root-level bom element. + + + + + + + + + An address used to identify a contactable location. + + + + + + + The country name or the two-letter ISO 3166-1 country code. + + + + + + + The region or state in the country. For example, Texas. + + + + + + + The locality or city within the country. For example, Austin. + + + + + + + The post office box number. For example, 901. + + + + + + + The postal code. For example, 78758. + + + + + + + The street address. For example, 100 Main Street. + + + + + + + + An identifier which can be used to reference the address elsewhere in the BOM. + Uniqueness is enforced within all elements and children of the root-level bom element. 
+ + + + + + + + + + + Supervised machine learning involves training an algorithm on labeled + data to predict or classify new data based on the patterns learned from + the labeled examples. + + + + + + + Unsupervised machine learning involves training algorithms on unlabeled + data to discover patterns, structures, or relationships without explicit + guidance, allowing the model to identify inherent structures or clusters + within the data. + + + + + + + Reinforcement learning is a type of machine learning where an agent learns + to make decisions by interacting with an environment to maximize cumulative + rewards, through trial and error. + + + + + + + Semi-supervised machine learning utilizes a combination of labeled and + unlabeled data during training to improve model performance, leveraging + the benefits of both supervised and unsupervised learning techniques. + + + + + + + Self-supervised machine learning involves training models to predict parts + of the input data from other parts of the same data, without requiring + external labels, enabling learning from large amounts of unlabeled data. + + + + + + + + + + + + The general theme or subject matter of the data being specified. + + + + + + + The name of the dataset. + + + + + + + The contents or references to the contents of the data being described. + + + + + + + A way to include textual or encoded data. + + + + + The URL to where the data can be retrieved. + + + + + Provides the ability to document name-value parameters used for configuration. + + + + + + + + + Data classification tags data according to its type, sensitivity, and value if altered, stolen, or destroyed. + + + + + + + A description of any sensitive data in a dataset. + + + + + + + A collection of graphics that represent various measurements. + + + + + + + A description of the dataset. Can describe size of dataset, whether it's used for source code, + training, testing, or validation, etc. 
+ + + + + + + + + An identifier which can be used to reference the dataset elsewhere in the BOM. + Every `bom-ref` must be unique within the BOM. + + + + + + + + + + + Data custodians are responsible for the safe custody, transport, and storage of data. + + + + + + + + + + + + Data stewards are responsible for data content, context, and associated business rules. + + + + + + + + + + + + Data owners are concerned with risk and appropriate access to data. + + + + + + + + + + + + + + + + + + + + + + A collection of graphics that represent various measurements. + + + + + + + A description of this collection of graphics. + + + + + + + A collection of graphics. + + + + + + + + + + + The name of the graphic. + + + + + + + The graphic (vector or raster). Base64 encoding must be specified for binary images. + + + + + + + + + + + + + + + + + Any type of code, code snippet, or data-as-code. + + + + + Parameters or settings that may be used by other components. + + + + + A collection of data. + + + + + Data that can be used to create new instances of what the definition defines. + + + + + Any other type of data that does not fit into existing definitions. + + + + + + + + + References a component or service by its bom-ref attribute + + + + + + + + User-defined attributes may be used on this element as long as they + do not have the same name as an existing attribute used by the schema. + + + + + + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + User-defined attributes may be used on this element as long as they + do not have the same name as an existing attribute used by the schema. + + + + + + + Specifies an individual property with a name and value. + + + + + + The name of the property. Duplicate names are allowed, each potentially having a different value. + + + + + + + + + + + Defines a weakness in a component or service that could be exploited or triggered by a threat source. 
+ + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + User-defined attributes may be used on this element as long as they + do not have the same name as an existing attribute used by the schema. + + + + + + + + + The identifier that uniquely identifies the vulnerability. For example: + CVE-2021-39182, GHSA-35m5-8cvj-8783, and SNYK-PYTHON-ENROCRYPT-1912876. + + + + + The source that published the vulnerability. + + + + + Zero or more pointers to vulnerabilities that are the equivalent of the + vulnerability specified. Often times, the same vulnerability may exist in multiple sources of + vulnerability intelligence, but have different identifiers. References provide a way to + correlate vulnerabilities across multiple sources of vulnerability intelligence. + + + + + + A pointer to a vulnerability that is the equivalent of the + vulnerability specified. + + + + + + The identifier that uniquely identifies the vulnerability. For example: + CVE-2021-39182, GHSA-35m5-8cvj-8783, and SNYK-PYTHON-ENROCRYPT-1912876. + + + + + The source that published the vulnerability. + + + + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + + + List of vulnerability ratings. + + + + + + + + + + + + List of Common Weaknesses Enumerations (CWEs) codes that describes this vulnerability. + For example 399 (of https://cwe.mitre.org/data/definitions/399.html) + + + + + + + + + + A description of the vulnerability as provided by the source. + + + + + If available, an in-depth description of the vulnerability as provided by the + source organization. Details often include information useful in understanding root cause. + + + + + Recommendations of how the vulnerability can be remediated or mitigated. + + + + + A bypass, usually temporary, of the vulnerability that reduces its likelihood and/or impact. Workarounds often involve changes to configuration or deployments. 
+ + + + + + + Evidence used to reproduce the vulnerability. + + + + + + Precise steps to reproduce the vulnerability. + + + + + A description of the environment in which reproduction was possible. + + + + + Supporting material that helps in reproducing or understanding how reproduction is possible. This may include screenshots, payloads, and PoC exploit code. + + + + + + + + + + + + + + + Published advisories of the vulnerability if provided. + + + + + + + + + + The date and time (timestamp) when the vulnerability record was created in the vulnerability database. + + + + + The date and time (timestamp) when the vulnerability record was first published. + + + + + The date and time (timestamp) when the vulnerability record was last updated. + + + + + The date and time (timestamp) when the vulnerability record was rejected (if applicable). + + + + + Individuals or organizations credited with the discovery of the vulnerability. + + + + + + The organizations credited with vulnerability discovery. + + + + + + + + + + The individuals, not associated with organizations, that are credited with vulnerability discovery. + + + + + + + + + + + + + The tool(s) used to identify, confirm, or score the vulnerability. + + + + + + + DEPRECATED. Use `../components` or `../services` instead. + + + + + + + A list of software and hardware components used as tools. + + + + + A list of services used as tools. + + + + + + + + + + + An assessment of the impact and exploitability of the vulnerability. + + + + + + + Declares the current state of an occurrence of a vulnerability, after automated or manual analysis. + + + + + + + The rationale of why the impact analysis state was asserted. + + + + + + A response to the vulnerability by the manufacturer, supplier, or + project responsible for the affected component or service. More than one response + is allowed. Responses are strongly encouraged for vulnerabilities where the analysis + state is exploitable. 
+ + + + + + + + + + + Detailed description of the impact including methods used during assessment. + If a vulnerability is not exploitable, this field should include specific details + on why the component or service is not impacted by this vulnerability. + + + + + + + The date and time (timestamp) when the analysis was first issued. + + + + + + + The date and time (timestamp) when the analysis was last updated. + + + + + + + + + The components or services that are affected by the vulnerability. + + + + + + + + + References a component or service by the objects bom-ref. + + + + + + + + Zero or more individual versions or range of versions. + + + + + + + + + + A single version of a component or service. + + + + + A version range specified in Package URL Version Range syntax (vers) which is defined at https://github.com/package-url/vers-spec + + + + + + + The vulnerability status for the version or range of versions. + + + + + + + + + + + + + + + + + + Provides the ability to document properties in a name/value store. + This provides flexibility to include data not officially supported in the standard + without having to use additional namespaces or create extensions. Property names + of interest to the general public are encouraged to be registered in the + CycloneDX Property Taxonomy - https://github.com/CycloneDX/cyclonedx-property-taxonomy. + Formal registration is optional. + + + + + + + An identifier which can be used to reference the vulnerability elsewhere in the BOM. + Uniqueness is enforced within all elements and children of the root-level bom element. + + + + + + + + + + The name of the source. + For example: NVD, National Vulnerability Database, OSS Index, VulnDB, and GitHub Advisories + + + + + + The url of the vulnerability documentation as provided by the source. + For example: https://nvd.nist.gov/vuln/detail/CVE-2021-39182 + + + + + + + + + + + The source that calculated the severity or risk rating of the vulnerability. 
+ + + + + The numerical score of the rating. + + + + + Textual representation of the severity that corresponds to the numerical score of the rating. + + + + + The risk scoring methodology/standard used. + + + + + Textual representation of the metric values used to score the vulnerability. + + + + + A reason for rating the vulnerability as it was. + + + + + + + + + + A name of the advisory. + + + + + Location where the advisory can be obtained. + + + + + + + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + User-defined attributes may be used on this element as long as they + do not have the same name as an existing attribute used by the schema. + + + + + + + + + The organization that created the annotation + + + + + The person that created the annotation + + + + + The tool or component that created the annotation + + + + + The service that created the annotation + + + + + + + + + + + The objects in the BOM identified by their bom-ref's. This is often components or services, but may be any object type supporting bom-refs. + + + + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + + + The organization, individual, component, or service which created the textual content + of the annotation. + + + + + The date and time (timestamp) when the annotation was created. + + + + + The textual content of the annotation. + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + + An identifier which can be used to reference the annotation elsewhere in the BOM. + Uniqueness is enforced within all elements and children of the root-level bom element. + + + + + + User-defined attributes may be used on this element as long as they + do not have the same name as an existing attribute used by the schema. 
+ + + + + + + + Textual representation of the severity of the vulnerability adopted by the analysis method. If the + analysis method uses values other than what is provided, the user is expected to translate appropriately. + + + + + + Critical severity + + + + + High severity + + + + + Medium severity + + + + + Low severity + + + + + Informational warning. + + + + + None + + + + + The severity is not known + + + + + + + + + Declares the current state of an occurrence of a vulnerability, after automated or manual analysis. + + + + + + + The vulnerability has been remediated. + + + + + + + The vulnerability has been remediated and evidence of the changes are provided in the affected + components pedigree containing verifiable commit history and/or diff(s). + + + + + + + The vulnerability may be directly or indirectly exploitable. + + + + + + + The vulnerability is being investigated. + + + + + + + The vulnerability is not specific to the component or service and was falsely identified or associated. + + + + + + + The component or service is not affected by the vulnerability. Justification should be specified + for all not_affected cases. + + + + + + + + + + The rationale of why the impact analysis state was asserted. + + + + + + + The code has been removed or tree-shaked. + + + + + + + The vulnerable code is not invoked at runtime. + + + + + + + Exploitability requires a configurable option to be set/unset. + + + + + + + Exploitability requires a dependency that is not present. + + + + + + + Exploitability requires a certain environment which is not present. + + + + + + + Exploitability requires a compiler flag to be set/unset. + + + + + + + Exploits are prevented at runtime. + + + + + + + Attacks are blocked at physical, logical, or network perimeter. + + + + + + + Preventative measures have been implemented that reduce the likelihood and/or impact of the vulnerability. + + + + + + + + + + Specifies the severity or risk scoring methodology or standard used. 
+ + + + + + + Common Vulnerability Scoring System v2.0 standard as defined at https://www.first.org/cvss/v2/ + + + + + + + Common Vulnerability Scoring System v3.0 standard as defined at https://www.first.org/cvss/v3-0/ + + + + + + + Common Vulnerability Scoring System v3.1 standard as defined at https://www.first.org/cvss/v3-1/ + + + + + + + Common Vulnerability Scoring System v4.0 standard as defined at https://www.first.org/cvss/v4-0/ + + + + + + + OWASP Risk Rating as defined at https://owasp.org/www-community/OWASP_Risk_Rating_Methodology + + + + + + + Stakeholder Specific Vulnerability Categorization as defined at https://github.com/CERTCC/SSVC + + + + + + + Another severity or risk scoring methodology + + + + + + + + + + The rationale of why the impact analysis state was asserted. + + + + + + Can not fix + + + + + Will not fix + + + + + Update to a different revision or release + + + + + Revert to a previous revision or release + + + + + There is a workaround available + + + + + + + + + The vulnerability status of a given version or range of versions of a product. The statuses + 'affected' and 'unaffected' indicate that the version is affected or unaffected by the vulnerability. + The status 'unknown' indicates that it is unknown or unspecified whether the given version is affected. + There can be many reasons for an 'unknown' status, including that an investigation has not been + undertaken or that a vendor has not disclosed the status. + + + + + + The version is affected by the vulnerability. + + + + + The version is not affected by the vulnerability. + + + + + It is unknown (or unspecified) whether the given version is affected. + + + + + + + + + Describes the formulation of any referencable object within the BOM, + including components, services, metadata, declarations, or the BOM itself. This may + encompass how the object was created, assembled, deployed, tested, certified, or otherwise + brought into its present form. 
Common examples include software build pipelines, + deployment processes, AI/ML model training, cryptographic key generation or certification, + and third-party audits. Processes are modeled using declared and observed formulas, + composed of workflows, tasks, and individual steps. + + + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + User-defined attributes may be used on this element as long as they + do not have the same name as an existing attribute used by the schema. + + + + + + + + Describes workflows and resources that captures rules and other aspects of how the associated + BOM component or service was formed. + + + + + + Transient components that are used in tasks that constitute one or more of + this formula's workflows + + + + + Transient services that are used in tasks that constitute one or more of + this formula's workflows + + + + + List of workflows that can be declared to accomplish specific orchestrated goals + and independently triggered. + + + + + Provides the ability to document properties in a name/value store. + This provides flexibility to include data not officially supported in the standard + without having to use additional namespaces or create extensions. Property names + of interest to the general public are encouraged to be registered in the + CycloneDX Property Taxonomy - https://github.com/CycloneDX/cyclonedx-property-taxonomy. + Formal registration is optional. + + + + + + + An identifier which can be used to reference the formula elsewhere in the BOM. + Uniqueness is enforced within all elements and children of the root-level bom element. + + + + + + User-defined attributes may be used on this element as long as they + do not have the same name as an existing attribute used by the schema. + + + + + + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. 
+ + + + + + + User-defined attributes may be used on this element as long as they + do not have the same name as an existing attribute used by the schema. + + + + + + + + + + The unique identifier for the resource instance within its deployment context. + + + + + + + The name of the resource instance. + + + + + + + The description of the resource instance. + + + + + + References to component or service resources that are used to realize + the resource instance. + + + + + The tasks that comprise the workflow. + + + + + The graph of dependencies between tasks within the workflow. + + + + + Indicates the types of activities performed by the set of workflow tasks. + + + + + + + + + + The trigger that initiated the task. + + + + + + The sequence of steps for the task. + + + + + + + + + + + Represents resources and data brought into a task at runtime by executor + or task commands + + + + + + + + + + Represents resources and data output from a task at runtime by executor + or task commands + + + + + + + + + + + The date and time (timestamp) when the task started. + + + + + + + The date and time (timestamp) when the task ended. + + + + + + A set of named filesystem or data resource shareable by workflow tasks. + + + + + A graph of the component runtime topology for workflow's instance. + A description of the runtime component and service topology. This can describe a partial or + complete topology used to host and execute the task (e.g., hardware, operating systems, + configurations, etc.) + + + + + Provides the ability to document properties in a name/value store. + This provides flexibility to include data not officially supported in the standard + without having to use additional namespaces or create extensions. Property names + of interest to the general public are encouraged to be registered in the + CycloneDX Property Taxonomy - https://github.com/CycloneDX/cyclonedx-property-taxonomy. + Formal registration is optional. 
+ + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + + An identifier which can be used to reference the workflow elsewhere in the BOM. + Uniqueness is enforced within all elements and children of the root-level bom element. + + + + + + User-defined attributes may be used on this element as long as they + do not have the same name as an existing attribute used by the schema. + + + + + + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + User-defined attributes may be used on this element as long as they + do not have the same name as an existing attribute used by the schema. + + + + + + + + + + + References an object by its bom-ref attribute + + + + + + + + + + Reference to an externally accessible resource. + + + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + User-defined attributes may be used on this element as long as they + do not have the same name as an existing attribute used by the schema. + + + + + + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + User-defined attributes may be used on this element as long as they + do not have the same name as an existing attribute used by the schema. + + + + + + + + + + The unique identifier for the resource instance within its deployment context. + + + + + + + The name of the resource instance. + + + + + + + The description of the resource instance. + + + + + + + References to component or service resources that are used to realize the resource instance. + + + + + + + Indicates the types of activities performed by the set of workflow tasks. + + + + + + + + + + + + The trigger that initiated the task. + + + + + + + The sequence of steps for the task. 
+ + + + + + + + + + + + Represents resources and data brought into a task at runtime by executor or task commands. + + + + + + + + + + + + Represents resources and data output from a task at runtime by executor or task commands + + + + + + + + + + + + The date and time (timestamp) when the task started. + + + + + + + The date and time (timestamp) when the task ended. + + + + + + + A set of named filesystem or data resource shareable by workflow tasks. + + + + + + + A graph of the component runtime topology for task's instance. + + + + + + Provides the ability to document properties in a name/value store. + This provides flexibility to include data not officially supported in the standard + without having to use additional namespaces or create extensions. Property names + of interest to the general public are encouraged to be registered in the + CycloneDX Property Taxonomy - https://github.com/CycloneDX/cyclonedx-property-taxonomy. + Formal registration is optional. + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + + An identifier which can be used to reference the task elsewhere in the BOM. + Uniqueness is enforced within all elements and children of the root-level bom element. + + + + + + User-defined attributes may be used on this element as long as they + do not have the same name as an existing attribute used by the schema. + + + + + + + + + A task that copies software or data used to accomplish other tasks in the workflow. + + + + + A task that clones a software repository into the workflow in order to retrieve its source code or data for use in a build step. + + + + + A task that checks source code for programmatic and stylistic errors. + + + + + A task that performs a scan against source code, or built or deployed components and services. Scans are typically run to gather or test for security vulnerabilities or policy compliance. 
+ + + + + A task that merges changes or fixes into source code prior to a build step in the workflow. + + + + + A task that builds the source code, dependencies and/or data into an artifact that can be deployed to and executed on target systems. + + + + + A task that verifies the functionality of a component or service. + + + + + A task that delivers a built artifact to one or more target repositories or storage systems. + + + + + A task that deploys a built artifact for execution on one or more target systems. + + + + + A task that releases a built, versioned artifact to a target repository or distribution system. + + + + + A task that cleans unnecessary tools, build artifacts and/or data from workflow storage. + + + + + A workflow task that does not match current task type definitions. + + + + + + + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + User-defined attributes may be used on this element as long as they + do not have the same name as an existing attribute used by the schema. + + + + + + + + A named filesystem or data resource shareable by workflow tasks. + + + + + + + The unique identifier for the resource instance within its deployment context. + + + + + + + The name of the resource instance. + + + + + + + The names for the workspace as referenced by other workflow tasks. Effectively, a name mapping + so other tasks can use their own local name in their steps. + + + + + + + + + + + + The description of the resource instance. + + + + + + + References to component or service resources that are used to realize the resource instance. + + + + + + + Describes the read-write access control for the workspace relative to the owning resource instance. + + + + + + + A path to a location on disk where the workspace will be available to the associated task's steps. + + + + + + + The name of a domain-specific data type the workspace represents. 
This property is for CI/CD + frameworks that are able to provide access to structured, managed data at a more granular level + than a filesystem. + + + + + + + Identifies the reference to the request for a specific volume type and parameters. + + + + + + + Information about the actual volume instance allocated to the workspace. + + + + + + Provides the ability to document properties in a name/value store. + This provides flexibility to include data not officially supported in the standard + without having to use additional namespaces or create extensions. Property names + of interest to the general public are encouraged to be registered in the + CycloneDX Property Taxonomy - https://github.com/CycloneDX/cyclonedx-property-taxonomy. + Formal registration is optional. + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + + An identifier which can be used to reference the workflow elsewhere in the BOM. + Uniqueness is enforced within all elements and children of the root-level bom element. + + + + + + User-defined attributes may be used on this element as long as they + do not have the same name as an existing attribute used by the schema. + + + + + + + + + + + + + + + + + + An identifiable, logical unit of data storage tied to a physical device. + + + + + + + The unique identifier for the volume instance within its deployment context. + + + + + + + The name of the volume instance + + + + + + + The mode for the volume instance. + + + + + + + The underlying path created from the actual volume. + + + + + + + The allocated size of the volume accessible to the associated workspace. This should include + the scalar size as well as IEC standard unit in either decimal or binary form. + + + + + + + Indicates if the volume persists beyond the life of the resource it is associated with. + + + + + + + Indicates if the volume is remotely (i.e., network) attached. 
+ + + + + + Provides the ability to document properties in a name/value store. + This provides flexibility to include data not officially supported in the standard + without having to use additional namespaces or create extensions. Property names + of interest to the general public are encouraged to be registered in the + CycloneDX Property Taxonomy - https://github.com/CycloneDX/cyclonedx-property-taxonomy. + Formal registration is optional. + + + + + + + + + + + + + + + + Executes specific commands or tools in order to accomplish its owning task as part of a sequence. + + + + + + + A name for the step. + + + + + + + A description of the step. + + + + + + + Ordered list of commands or directives for the step + + + + + + + + + + + A text representation of the executed command. + + + + + + Provides the ability to document properties in a name/value store. + This provides flexibility to include data not officially supported in the standard + without having to use additional namespaces or create extensions. Property names + of interest to the general public are encouraged to be registered in the + CycloneDX Property Taxonomy - https://github.com/CycloneDX/cyclonedx-property-taxonomy. + Formal registration is optional. + + + + + + + + + + + Provides the ability to document properties in a name/value store. + This provides flexibility to include data not officially supported in the standard + without having to use additional namespaces or create extensions. Property names + of interest to the general public are encouraged to be registered in the + CycloneDX Property Taxonomy - https://github.com/CycloneDX/cyclonedx-property-taxonomy. + Formal registration is optional. + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + User-defined attributes may be used on this element as long as they + do not have the same name as an existing attribute used by the schema. 
+ + + + + + + + + + The unique identifier for the resource instance within its deployment context. + + + + + + + The name of the resource instance. + + + + + + + The description of the resource instance. + + + + + + + References to component or service resources that are used to realize the resource instance. + + + + + + + The source type of event which caused the trigger to fire. + + + + + + + The event data that caused the associated trigger to activate. + + + + + + A list of conditions used to determine if a trigger should be activated. + + + + + + + A condition that was used to determine a trigger should be activated. + + + + + + + + Describes the set of conditions which cause the trigger to activate. + + + + + + + The logical expression that was evaluated that determined the trigger should be fired. + + + + + + Provides the ability to document properties in a name/value store. + This provides flexibility to include data not officially supported in the standard + without having to use additional namespaces or create extensions. Property names + of interest to the general public are encouraged to be registered in the + CycloneDX Property Taxonomy - https://github.com/CycloneDX/cyclonedx-property-taxonomy. + Formal registration is optional. + + + + + + + + + + + + The date and time (timestamp) when the trigger was activated. + + + + + + + Represents resources and data brought into a task at runtime by executor or task commands + + + + + + + + + + + + Represents resources and data output from a task at runtime by executor or task commands + + + + + + + + + + + Provides the ability to document properties in a name/value store. + This provides flexibility to include data not officially supported in the standard + without having to use additional namespaces or create extensions. Property names + of interest to the general public are encouraged to be registered in the + CycloneDX Property Taxonomy - https://github.com/CycloneDX/cyclonedx-property-taxonomy. 
+ Formal registration is optional. + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + + An identifier which can be used to reference the trigger elsewhere in the BOM. + Uniqueness is enforced within all elements and children of the root-level bom element. + + + + + + User-defined attributes may be used on this element as long as they + do not have the same name as an existing attribute used by the schema. + + + + + + + + + + + + + + + + + + + The unique identifier of the event. + + + + + + + A description of the event. + + + + + + + The date and time (timestamp) when the event was received. + + + + + + + Encoding of the raw event data. + + + + + + + References the component or service that was the source of the event + + + + + + + References the component or service that was the target of the event + + + + + + Provides the ability to document properties in a name/value store. + This provides flexibility to include data not officially supported in the standard + without having to use additional namespaces or create extensions. Property names + of interest to the general public are encouraged to be registered in the + CycloneDX Property Taxonomy - https://github.com/CycloneDX/cyclonedx-property-taxonomy. + Formal registration is optional. + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + User-defined attributes may be used on this element as long as they + do not have the same name as an existing attribute used by the schema. + + + + + + + + Type that represents various input data types and formats. + + + + + + + + A reference to an independent resource provided as an input to a task by the workflow runtime. + + + + + + + Inputs that have the form of parameters with names and values. + + + + + + + Inputs that have the form of parameters with names and values. + + + + + + + + + + + + + + + + Inputs that have the form of data. 
+ + + + + + + + A references to the component or service that provided the input to the task + (e.g., reference to a service with data flow value of inbound) + + + + + + + A reference to the component or service that received or stored the input if not the task + itself (e.g., a local, named storage workspace) + + + + + + Provides the ability to document properties in a name/value store. + This provides flexibility to include data not officially supported in the standard + without having to use additional namespaces or create extensions. Property names + of interest to the general public are encouraged to be registered in the + CycloneDX Property Taxonomy - https://github.com/CycloneDX/cyclonedx-property-taxonomy. + Formal registration is optional. + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + User-defined attributes may be used on this element as long as they + do not have the same name as an existing attribute used by the schema. + + + + + + + + Represents resources and data output from a task at runtime by executor or task commands + + + + + + + + A reference to an independent resource generated as output by the task. + + + + + + + Outputs that have the form of environment variables. + + + + + + + + + + + + + + + + Outputs that have the form of data. + + + + + + + + Describes the type of data output. + + + + + + + Component or service that generated or provided the output from the task (e.g., a build tool) + + + + + + + Component or service that received the output from the task + (e.g., reference to an artifactory service with data flow value of outbound) + + + + + + Provides the ability to document properties in a name/value store. + This provides flexibility to include data not officially supported in the standard + without having to use additional namespaces or create extensions. 
Property names + of interest to the general public are encouraged to be registered in the + CycloneDX Property Taxonomy - https://github.com/CycloneDX/cyclonedx-property-taxonomy. + Formal registration is optional. + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + User-defined attributes may be used on this element as long as they + do not have the same name as an existing attribute used by the schema. + + + + + + + + + + + + + + + + + + + + + + + + + A representation of a functional parameter. + + + + + + + The name of the parameter. + + + + + + + The value of the parameter. + + + + + + + The data type of the parameter. + + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + User-defined attributes may be used on this element as long as they + do not have the same name as an existing attribute used by the schema. + + + + + + + + Cryptographic assets have properties that uniquely define them and that make them actionable for + further reasoning. As an example, it makes a difference if one knows the algorithm family (e.g. AES) + or the specific variant or instantiation (e.g. AES-128-GCM). This is because the security level and the + algorithm primitive (authenticated encryption) is only defined by the definition of the algorithm variant. + The presence of a weak cryptographic algorithm like SHA1 vs. HMAC-SHA1 also makes a difference. + + + + + + + Cryptographic assets occur in several forms. Algorithms and protocols are most commonly + implemented in specialized cryptographic libraries. They may however also be 'hardcoded' + in software components. Certificates and related cryptographic material like keys, tokens, + secrets or passwords are other cryptographic assets to be modelled. + + + + + + + + Mathematical function commonly used for data encryption, authentication, and + digital signatures. 
+ + + + + + + An electronic document that is used to provide the identity or validate a public key. + + + + + + + A set of rules and guidelines that govern the behavior and communication with each other. + + + + + + + Other cryptographic assets that are related to algorithms, certificate, and protocols + such as keys and tokens. + + + + + + + + + + Additional properties specific to a cryptographic algorithm. + + + + + + + + Cryptographic building blocks used in higher-level cryptographic systems and + protocols. Primitives represent different cryptographic routines: deterministic + random bit generators (drbg, e.g. CTR_DRBG from NIST SP800-90A-r1), message + authentication codes (mac, e.g. HMAC-SHA-256), blockciphers (e.g. AES), + streamciphers (e.g. Salsa20), signatures (e.g. ECDSA), hash functions (e.g. SHA-256), + public-key encryption schemes (pke, e.g. RSA), extended output functions + (xof, e.g. SHAKE256), key derivation functions (e.g. pbkdf2), key agreement + algorithms (e.g. ECDH), key encapsulation mechanisms (e.g. ML-KEM), authenticated + encryption (ae, e.g. AES-GCM) and the combination of multiple algorithms + (combiner, e.g. SP800-56Cr2). + + + + + + + + Deterministic Random Bit Generator (DRBG) is a type of pseudorandom + number generator designed to produce a sequence of bits from an initial + seed value. DRBGs are commonly used in cryptographic applications where + reproducibility of random values is important. + + + + + + + In cryptography, a Message Authentication Code (MAC) is information + used for authenticating and integrity-checking a message. + + + + + + + A block cipher is a symmetric key algorithm that operates on fixed-size + blocks of data. It encrypts or decrypts the data in block units, + providing confidentiality. Block ciphers are widely used in various + cryptographic modes and protocols for secure data transmission. 
+ + + + + + + A stream cipher is a symmetric key cipher where plaintext digits are + combined with a pseudorandom cipher digit stream (keystream). + + + + + + + In cryptography, a signature is a digital representation of a message + or data that proves its origin, identity, and integrity. Digital + signatures are generated using cryptographic algorithms and are widely + used for authentication and verification in secure communication. + + + + + + + A hash function is a mathematical algorithm that takes an input + (or 'message') and produces a fixed-size string of characters, which is + typically a hash value. Hash functions are commonly used in various + cryptographic applications, including data integrity verification and + password hashing. + + + + + + + Public Key Encryption (PKE) is a type of encryption that uses a pair of + public and private keys for secure communication. The public key is used + for encryption, while the private key is used for decryption. PKE is a + fundamental component of public-key cryptography. + + + + + + + An XOF is an extendable output function that can take arbitrary input + and creates a stream of output, up to a limit determined by the size of + the internal state of the hash function that underlies the XOF. + + + + + + + A Key Derivation Function (KDF) derives key material from another source + of entropy while preserving the entropy of the input. + + + + + + + In cryptography, a key-agreement is a protocol whereby two or more + parties agree on a cryptographic key in such a way that both influence + the outcome. + + + + + + + A Key Encapsulation Mechanism (KEM) algorithm is a mechanism for + transporting random keying material to a recipient using the recipient's + public key. + + + + + + + Authenticated Encryption (AE) is a cryptographic process that provides + both confidentiality and data integrity. It ensures that the encrypted + data has not been tampered with and comes from a legitimate source. 
+ AE is commonly used in secure communication protocols. + + + + + + + A combiner aggregates many candidates for a cryptographic primitive and + generates a new candidate for the same primitive. + + + + + + + Key-wrap is a cryptographic technique used to securely encrypt and + protect cryptographic keys using algorithms like AES. + + + + + + + Another primitive type. + + + + + + + The primitive is not known. + + + + + + + + + + A valid algorithm family identifier. + If specified, this value must be one of the enumeration of valid algorithm Family identifiers defined in the `cryptography-defs.schema.json` subschema. A corresponding schema for XML is not available. + + + + + + + An identifier for the parameter set of the cryptographic algorithm. Examples: in + AES128, '128' identifies the key length in bits, in SHA256, '256' identifies the + digest length, '128' in SHAKE128 identifies its maximum security level in bits, and + 'SHA2-128s' identifies a parameter set used in SLH-DSA (FIPS205). + + + + + + + DEPRECATED - DO NOT USE. This will be removed in a future version. Use `./ellipticCurve` instead. + The specific underlying Elliptic Curve (EC) definition employed which is an indicator + of the level of security strength, performance and complexity. Absent an + authoritative source of curve names, CycloneDX recommends use of curve names as + defined at https://neuromancer.sk/std/, the source from which can be found at + https://github.com/J08nY/std-curves. + + + + + + + The specific underlying Elliptic Curve (EC) definition employed which is an indicator of the level of security strength, performance and complexity. + If specified, this value must be one of the enumeration of valid elliptic curves identifiers defined in the `cryptography-defs.schema.json` subschema. A corresponding schema for XML is not available. + + + + + + + The target and execution environment in which the algorithm is implemented in. 
+ + + + + + + + A software implementation running in plain unencrypted RAM. + + + + + + + A software implementation running in encrypted RAM. + + + + + + A software implementation running in a trusted execution environment. + + + + + + A hardware implementation. + + + + + + Another implementation environment. + + + + + + The execution environment is not known. + + + + + + + + + + The target platform for which the algorithm is implemented. The implementation can + be 'generic', running on any platform or for a specific platform. + + + + + + + + + + + + + + + + + + + + + + + + + The certification that the implementation of the cryptographic algorithm has + received, if any. Certifications include revisions and levels of FIPS 140 or + Common Criteria of different Extended Assurance Levels (CC-EAL). + + + + + + + + No certification obtained + + + + + + + FIPS 140-1 Level 1 + + + + + + + FIPS 140-1 Level 2 + + + + + + + FIPS 140-1 Level 3 + + + + + + + FIPS 140-1 Level 4 + + + + + + + FIPS 140-2 Level 1 + + + + + + + FIPS 140-2 Level 2 + + + + + + + FIPS 140-2 Level 3 + + + + + + + FIPS 140-2 Level 4 + + + + + + + FIPS 140-3 Level 1 + + + + + + + FIPS 140-3 Level 2 + + + + + + + FIPS 140-3 Level 3 + + + + + + + FIPS 140-3 Level 4 + + + + + + + Common Criteria - Evaluation Assurance Level 1 + + + + + + + Common Criteria - Evaluation Assurance Level 1 (Augmented) + + + + + + + Common Criteria - Evaluation Assurance Level 2 + + + + + + + Common Criteria - Evaluation Assurance Level 2 (Augmented) + + + + + + + Common Criteria - Evaluation Assurance Level 3 + + + + + + + Common Criteria - Evaluation Assurance Level 3 (Augmented) + + + + + + + Common Criteria - Evaluation Assurance Level 4 + + + + + + + Common Criteria - Evaluation Assurance Level 4 (Augmented) + + + + + + + Common Criteria - Evaluation Assurance Level 5 + + + + + + + Common Criteria - Evaluation Assurance Level 5 (Augmented) + + + + + + + Common Criteria - Evaluation Assurance Level 6 + + + + + + + Common 
Criteria - Evaluation Assurance Level 6 (Augmented) + + + + + + + Common Criteria - Evaluation Assurance Level 7 + + + + + + + Common Criteria - Evaluation Assurance Level 7 (Augmented) + + + + + + + Another certification + + + + + + + The certification level is not known + + + + + + + + + + The mode of operation in which the cryptographic algorithm (block cipher) is used. + + + + + + + + Cipher block chaining + + + + + + + Electronic codebook + + + + + + + Counter with cipher block chaining message authentication code + + + + + + + Galois/counter + + + + + + + Cipher feedback + + + + + + + Output feedback + + + + + + + Counter + + + + + + + Another mode of operation + + + + + + + The mode of operation is not known + + + + + + + + + + The padding scheme that is used for the cryptographic algorithm. + + + + + + + + Password-Based Cryptography Specification #5 + + + + + + + Public Key Cryptography Standard: Cryptographic Message Syntax + + + + + + + Public Key Cryptography Standard: RSA Cryptography v1.5 + + + + + + + Optimal asymmetric encryption padding + + + + + + + Raw + + + + + + + Another padding scheme + + + + + + + The padding scheme is not known + + + + + + + + + + The cryptographic functions implemented by the cryptographic algorithm. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + The classical security level that a cryptographic algorithm provides (in bits). + + + + + + + + + + + + The NIST security strength category as defined in + https://csrc.nist.gov/projects/post-quantum-cryptography/post-quantum-cryptography-standardization/evaluation-criteria/security-(evaluation-criteria). + A value of 0 indicates that none of the categories are met. + + + + + + + + + + + + + + + + Properties for cryptographic assets of asset type 'certificate' + + + + + + + + The serial number is a unique identifier for the certificate issued by a CA. 
+ + + + + + + The subject name for the certificate + + + + + + + The issuer name for the certificate + + + + + + + The date and time according to ISO-8601 standard from which the certificate is valid + + + + + + + The date and time according to ISO-8601 standard from which the certificate is not valid anymore + + + + + + + DEPRECATED - DO NOT USE. This will be removed in a future version. Use `./relatedCryptographicAssets` instead. + The bom-ref to signature algorithm used by the certificate + + + + + + + DEPRECATED - DO NOT USE. This will be removed in a future version. Use `./relatedCryptographicAssets` instead. + The bom-ref to the public key of the subject + + + + + + + The format of the certificate. Examples include X.509, PEM, DER, and CVC + + + + + + + DEPRECATED - DO NOT USE. This will be removed in a future version. Use `./certificateFileExtension` instead. + The file extension of the certificate. Examples include crt, pem, cer, der, and p12. + + + + + + + The file extension of the certificate. Examples include crt, pem, cer, der, and p12. + + + + + + + The fingerprint is a cryptographic hash of the certificate excluding it's signature. + + + + + + + The certificate lifecycle is a comprehensive process that manages digital + certificates from their initial creation to eventual expiration or revocation. + It typically involves several stages. + + + + + + + + + + A pre-defined state in the certificate lifecycle. + + + + + + + + The certificate has been issued by the issuing + certificate authority (CA) but has not been authorized + for use. + + + + + + + The certificate may be used to cryptographically protect + information, cryptographically process previously protected + information, or both. + + + + + + + Certificates in the deactivated state shall not be used + to apply cryptographic protection but, in some cases, + may be used to process cryptographically protected + information. 
+ + + + + + + The use of a certificate may be suspended for several + possible reasons. + + + + + + + A revoked certificate is a digital certificate that has + been invalidated by the issuing certificate authority (CA) + before its scheduled expiration date. + + + + + + + The certificate has been destroyed. + + + + + + + + + + A reason for the certificate being in this state. + + + + + + + + + + The name of the certificate lifecycle state. + + + + + + + The description of the certificate lifecycle state. + + + + + + + A reason for the certificate being in this state. + + + + + + + + + + + The date and time (timestamp) when the certificate was created or pre-activated. + + + + + + + The date and time (timestamp) when the certificate was activated. + + + + + + + The date and time (timestamp) when the related certificate was deactivated. + + + + + + + The date and time (timestamp) when the certificate was revoked. + + + + + + + The date and time (timestamp) when the certificate was destroyed. + + + + + + + A certificate extension is a field that provides additional information about the certificate or its use. Extensions are used to convey additional information beyond the standard fields. + + + + + + + + Extension: This can be either a common extension + (with a well-known name and value) or a custom extension + (for application or vendor-specific data). + + + + + + + + + + The name of the extension. + + + + + + + + Specifies whether a certificate can be used as a CA certificate or not. + + + + + + + Specifies the allowed uses of the public key in the certificate. + + + + + + + Specifies additional purposes for which the public key can be used. + + + + + + + Allows inclusion of additional names to identify the entity associated with the certificate. + + + + + + + Identifies the public key of the CA that issued the certificate. + + + + + + + Identifies the public key associated with the entity the certificate was issued to. 
+ + + + + + + Contains CA issuers and OCSP information. + + + + + + + Defines the policies under which the certificate was issued and can be used. + + + + + + + Contains one or more URLs where a Certificate Revocation List (CRL) can be obtained. + + + + + + + Shows that the certificate has been publicly logged, which helps prevent the issuance of rogue certificates by a CA. Log ID, timestamp and signature as proof. + + + + + + + + + + The value of the certificate extension. + + + + + + + + + + The name for the custom certificate extension. + + + + + + + The description of the custom certificate extension. + + + + + + + + + + + + + + A list of cryptographic assets related to this component. + + + + + + + + A cryptographic asset related to this component. + + + + + + + + Specifies the mechanism by which the cryptographic asset is secured by. + Examples: "publicKey", "privateKey", "algorithm" + + + + + + + The bom-ref to cryptographic asset. + + + + + + + + + + + + + + + + Properties for cryptographic assets of asset type 'relatedCryptoMaterial' + + + + + + + + The type for the related cryptographic material + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + The unique identifier for the related cryptographic material. + + + + + + + The key state as defined by NIST SP 800-57. + + + + + + + + + + + + + + + + + The bom-ref to the algorithm used to generate the related cryptographic material. + + + + + + + The date and time (timestamp) when the related cryptographic material was created. + + + + + + + The date and time (timestamp) when the related cryptographic material was activated. + + + + + + + The date and time (timestamp) when the related cryptographic material was updated. + + + + + + + The date and time (timestamp) when the related cryptographic material expires. + + + + + + + The associated value of the cryptographic material. + + + + + + + The size of the cryptographic asset (in bits). 
+ + + + + + + The format of the related cryptographic material (e.g. P8, PEM, DER). + + + + + + + The mechanism by which the cryptographic asset is secured by. + + + + + + + + Specifies the mechanism by which the cryptographic asset is secured by. + Examples include HSM, TPM, XGX, Software, and None. + + + + + + + The bom-ref to the algorithm. + + + + + + + + + + The fingerprint is a cryptographic hash of the related cryptographic material, excluding it's signature. + + + + + + + A list of cryptographic assets related to this component. + + + + + + + + A cryptographic asset related to this component. + + + + + + + + Specifies the mechanism by which the cryptographic asset is secured by. + Examples: "publicKey", "privateKey", "algorithm" + + + + + + + The bom-ref to cryptographic asset. + + + + + + + + + + + + + + + + Properties specific to cryptographic assets of type: 'protocol'. + + + + + + + + The concrete protocol type. + + + + + + + + Transport Layer Security + + + + + + + Secure Shell + + + + + + + Internet Protocol Security + + + + + + + Internet Key Exchange + + + + + + + Secure Socket Tunneling Protocol + + + + + + + Wi-Fi Protected Access + + + + + + + Datagram Transport Layer Security + + + + + + + Quick UDP Internet Connections + + + + + + + Extensible Authentication Protocol variant + + + + + + + Enhanced version of EAP-AKA + + + + + + + Protection of Inter-Network Signaling + + + + + + + Authentication and Key Agreement for 5G + + + + + + + Another protocol type + + + + + + + The protocol type is not known + + + + + + + + + + The version of the protocol. Examples include 1.0, 1.2, and 1.99. + + + + + + + A list of cipher suites related to the protocol. + + + + + + + + + + + A common name for the cipher suite. For example: TLS_DHE_RSA_WITH_AES_128_CCM + + + + + + + A list of algorithms related to the cipher suite. + + + + + + + + The bom-ref to algorithm cryptographic asset. + + + + + + + + + + A list of common identifiers for the cipher suite. 
+ + + + + + + + Cipher suite identifier. Examples include 0xC0 and 0x9E. + + + + + + + + + + A list of TLS named groups (formerly known as curves) for + this cipher suite. These groups define the parameters for + key exchange algorithms like ECDHE. + + + + + + + + The name of the TLS group. + Example values: x25519, ffdhe2048 + + + + + + + + + + A list of signature schemes supported for cipher suite. + These schemes specify the algorithms used for digital + signatures in TLS handshakes and certificate verification. + + + + + + + + The name of the TLS signature scheme. + Example values: ecdsa_secp256r1_sha256, rsa_pss_rsae_sha256, ed25519 + + + + + + + + + + + + + + + + The IKEv2 transform types supported (types 1-4), defined in RFC7296 section 3.3.2, + and additional properties. + + + + + + + + Transform Type 1: encryption algorithms + + EITHER a detailed description (PREFERRED) + OR a single string representing a "bom:refType" (DEPRECATED This will be removed in a future version.) + + + + + + + + A name for the encryption method. + Example: ENCR_AES_GCM_16 + + + + + + + The key length of the encryption algorithm. + + + + + + + The bom-ref to algorithm cryptographic asset. + + + + + + + + + + Transform Type 2: pseudorandom functions + + EITHER a detailed description (PREFERRED) + OR a single string representing a "bom:refType" (DEPRECATED This will be removed in a future version.) + + + + + + + + A name for the pseudorandom function. + Example: PRF_HMAC_SHA2_256 + + + + + + + The bom-ref to algorithm cryptographic asset. + + + + + + + + + + Transform Type 3: integrity algorithms + + EITHER a detailed description (PREFERRED) + OR a single string representing a "bom:refType" (DEPRECATED This will be removed in a future version.) + + + + + + + + A name for the integrity algorithm. + Example: AUTH_HMAC_SHA2_256_128 + + + + + + + The bom-ref to algorithm cryptographic asset. 
+ + + + + + + + + + Transform Type 4: Key Exchange Method (KE) per RFC9370, formerly called Diffie-Hellman Group (D-H) + + EITHER a detailed description (PREFERRED) + OR a single string representing a "bom:refType" (DEPRECATED This will be removed in a future version.) + + + + + + + + A group identifier for the key exchange algorithm. + + + + + + + The bom-ref to algorithm cryptographic asset. + + + + + + + + + + Specifies if an Extended Sequence Number (ESN) is used. + + + + + + + IKEv2 Authentication method + + EITHER a detailed description (PREFERRED) + OR a single string representing a "bom:refType" (DEPRECATED This will be removed in a future version.) + + + + + + + + A name for the authentication method. + + + + + + + The bom-ref to algorithm cryptographic asset. + + + + + + + + + + + + A protocol-related cryptographic assets + + + + + + + + + The object identifier (OID) of the cryptographic asset. + + + + + + + + + + + + The list of assessors evaluating claims and determining conformance to requirements and confidence in that assessment. + + + + + + + + The assessor who evaluates claims and determines conformance to requirements and confidence in that assessment. + + + + + + + + The boolean indicating if the assessor is outside the organization generating claims. A value of false indicates a self assessor. + + + + + + + The entity issuing the assessment. + + + + + + + + An identifier which can be used to reference the object elsewhere in the BOM. + Every `bom-ref` must be unique within the BOM. + + + + + + User-defined attributes may be used on this element as long as they + do not have the same name as an existing attribute used by the schema. + + + + + + + + + + + The list of attestations asserted by an assessor that maps requirements to claims. + + + + + + + + An attestation asserted by an assessor that maps requirements to claims. + + + + + + + + The short description explaining the main points of the attestation. 
+ + + + + + + The `bom-ref` to the assessor asserting the attestation. + + + + + + + The grouping of requirements to claims and the attestors declared conformance and confidence thereof. + + + + + + + + The `bom-ref` to the requirement being attested to. + + + + + + + The list of `bom-ref` to the claims being attested to. + + + + + + + + The `bom-ref` to the claim being attested to. + + + + + + + + + + The list of `bom-ref` to the counter claims being attested to. + + + + + + + + The `bom-ref` to the counter claim being attested to. + + + + + + + + + + The conformance of the claim meeting a requirement. + + + + + + + + The conformance of the claim between and inclusive of 0 and 1, where 1 is 100% conformance. + + + + + + + + + + + + + The rationale for the score of conformance. + + + + + + + The list of `bom-ref` to the evidence provided describing the + mitigation strategies. Each mitigation strategy should include an + explanation of how any weaknesses in the evidence will be mitigated. + + + + + + + + + + + + + + + The confidence of the claim meeting the requirement. + + + + + + + + The confidence of the claim between and inclusive of 0 and 1, where 1 is 100% confidence. + + + + + + + + + + + + + The rationale for the confidence score. + + + + + + + + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + + + + + + + The list of claims. + + + + + + + + + + + The `bom-ref` to a target representing a specific system, application, + API, module, team, person, process, business unit, company, etc... + that this claim is being applied to. + + + + + + + The specific statement or assertion about the target. + + + + + + + The list of `bom-ref` to the evidence provided describing the + mitigation strategies. Each mitigation strategy should include an + explanation of how any weaknesses in the evidence will be mitigated. 
+ + + + + + + + + + + + The written explanation of why the evidence provided substantiates the claim. + + + + + + + The list of `bom-ref` to evidence that supports this claim. + + + + + + + The list of `bom-ref` to counterEvidence that supports this claim. + + + + + + Provides the ability to document external references related to the claim the BOM describes. + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + + An identifier which can be used to reference the object elsewhere + in the BOM. Every `bom-ref` must be unique within the BOM. + + + + + + User-defined attributes may be used on this element as long as they + do not have the same name as an existing attribute used by the schema. + + + + + + + + + + + The list of evidence + + + + + + + + The list of evidence + + + + + + + + The reference to the property name as defined in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy/). + + + + + + + The written description of what this evidence is and how it was created. + + + + + + + The output or analysis that supports claims. + + + + + + + + The name of the data. + + + + + + + The contents or references to the contents of the data being described. + + + + + + + A way to include textual or encoded data. + + + + + The URL to where the data can be retrieved. + + + + + + + + + Data classification tags data according to its type, sensitivity, and value if altered, stolen, or destroyed. + + + + + + + A description of any sensitive data. + + + + + + + + + + The date and time (timestamp) when the evidence was created. + + + + + The date and time (timestamp) when the evidence is no longer valid. + + + + + The author of the evidence. + + + + + The reviewer of the evidence. + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + + A identifier which can be used to reference the object elsewhere + in the BOM. 
Every `bom-ref` must be unique within the BOM. + + + + + + User-defined attributes may be used on this element as long as they + do not have the same name as an existing attribute used by the schema. + + + + + + + + + + + The list of targets which claims are made against. + + + + + + + + The list of organizations which claims are made against. + + + + + + + + + + + + The list of components which claims are made against. + + + + + + + + + + + + The list of services which claims are made against. + + + + + + + + + + + + + + + A concise statement affirmed by an individual regarding all declarations, often used for third-party auditor acceptance or recipient acknowledgment. + It includes a list of authorized signatories who assert the validity of the document on behalf of the organization. + + + + + + + + The brief statement affirmed by an individual regarding all declarations. + This could be an affirmation of acceptance by a third-party auditor or receiving + individual of a file. For example: "I certify, to the best of my knowledge, that all information is correct." + + + + + + + The list of signatories authorized on behalf of an organization to assert validity of this document. + + + + + + + + + + + The signatory's name. + + + + + + + The signatory's role within an organization. + + + + + + + The signatory's organization. + + + + + + + An External reference provide a way to document systems, sites, and information that may be relevant, but are not included with the BOM. They may also establish specific relationships within or external to the BOM. + + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. 
+ + + + + + + + + + A collection of reusable objects that are defined and may be used elsewhere in the BOM. + + + + + + + + + + + + + + + + + + + + + The list of standards which may consist of regulations, industry or organizational-specific standards, maturity models, best practices, or any other requirements which can be evaluated against or attested to. + + + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + User-defined attributes may be used on this element as long as they + do not have the same name as an existing attribute used by the schema. + + + + + + + + A standard may consist of regulations, industry or organizational-specific standards, maturity models, best practices, or any other requirements which can be evaluated against or attested to. + + + + + + + The name of the standard. This will often be a shortened, single name of the standard. + + + + + + + The version of the standard. + + + + + + + The description of the standard. + + + + + + + The owner of the standard, often the entity responsible for its release. + + + + + + + The list of requirements comprising the standard. + + + + + + + + + + + The unique identifier used in the standard to identify a specific requirement. This should match what is in the standard and should not be the requirements bom-ref. + + + + + + + The title of the requirement. + + + + + + + The textual content of the requirement. + + + + + + + The supplemental text that provides additional guidance or context to the requirement, but is not directly part of the requirement. + + + + + + + + + + + + The Common Requirements Enumeration (CRE) identifier(s). CRE is a structured and standardized framework for uniting security standards and guidelines. CRE links each section of a resource to a shared topic identifier (a Common Requirement). Through this shared topic link, all resources map to each other. 
Use of CRE promotes clear and unambiguous communication among stakeholders. + + + + + + + + + + + + The `bom-ref` to a parent requirement. This establishes a hierarchy of requirements. Top-level requirements must not define a parent. Only child requirements should define parents. + + + + + + Provides the ability to document properties in a name/value store. + This provides flexibility to include data not officially supported in the standard + without having to use additional namespaces or create extensions. Property names + of interest to the general public are encouraged to be registered in the + CycloneDX Property Taxonomy - https://github.com/CycloneDX/cyclonedx-property-taxonomy. + Formal registration is optional. + + + + + Provides the ability to document external references related to the BOM or + to the project the BOM describes. + + + + + + + An identifier which can be used to reference the object elsewhere + in the BOM. Every `bom-ref` must be unique within the BOM. + + + + + + User-defined attributes may be used on this element as long as they + do not have the same name as an existing attribute used by the schema. + + + + + + + + + + + The list of levels associated with the standard. Some standards have different levels of compliance. + + + + + + + + + + + The identifier used in the standard to identify a specific level. + + + + + + + The title of the level. + + + + + + + The description of the level. + + + + + + + The list of requirement `bom-ref`s that comprise the level. + + + + + + + + + + + + + An identifier which can be used to reference the object elsewhere + in the BOM. Every `bom-ref` must be unique within the BOM. + + + + + + User-defined attributes may be used on this element as long as they + do not have the same name as an existing attribute used by the schema. + + + + + + + + + + Provides the ability to document external references related to the BOM or + to the project the BOM describes. 
+ + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + + An identifier which can be used to reference the object elsewhere + in the BOM. Every `bom-ref` must be unique within the BOM. + + + + + + User-defined attributes may be used on this element as long as they + do not have the same name as an existing attribute used by the schema. + + + + + + + + + Textual strings that aid in discovery, search, and retrieval of the associated + object. Tags often serve as a way to group or categorize similar or related objects by various + attributes. + + Examples include: + "json-parser", "object-persistence", "text-to-image", "translation", and "object-detection" + + + + + + + + + + A patent family is a group of related patent applications or granted patents that cover the same or similar invention. These patents are filed in multiple jurisdictions to protect the invention across different regions or countries. A patent family typically includes patents that share a common priority date, originating from the same initial application, and may vary slightly in scope or claims to comply with regional legal frameworks. Fields align with WIPO ST.96 standards where applicable. + + + + + + The unique identifier for the patent family, aligned with the `id` attribute in WIPO ST.96 v8.0's `PatentFamilyType`. Refer to [PatentFamilyType in ST.96](https://www.wipo.int/standards/XMLSchema/ST96/V8_0/Patent/PatentFamilyType.xsd). + + + + + + A collection of patents or applications that belong to this family, each identified by a `bom-ref` pointing to a patent object defined elsewhere in the BOM. + + + + + + + + + + External references provide a way to document systems, sites, and information that may be relevant but are not included with the BOM. They may also establish specific relationships within or external to the BOM. + + + + + + + An identifier which can be used to reference the object elsewhere in the BOM. 
+ Uniqueness is enforced within all elements and children of the root-level bom element. + + + + + + User-defined attributes may be used on this element as long as they + do not have the same name as an existing attribute used by the schema. + + + + + + + + A patent is a legal instrument, granted by an authority, that confers certain rights over an invention for a specified period, contingent on public disclosure and adherence to relevant legal requirements. The summary information in this object is aligned with [WIPO ST.96](https://www.wipo.int/standards/en/st96/) principles where applicable. + + + + + + The unique number assigned to the granted patent by the issuing authority. Aligned with `PatentNumber` in WIPO ST.96. Refer to [PatentNumber in ST.96](https://www.wipo.int/standards/XMLSchema/ST96/V8_0/Patent/PatentNumber.xsd). + + + + + + + + This is the number assigned to a patent application once it is published. Patent applications are generally published 18 months after filing (unless an applicant requests non-publication). This number is distinct from the application number. + + Purpose: Identifies the publicly available version of the application. + + Format: Varies by jurisdiction, often similar to application numbers but includes an additional suffix indicating publication. + + Example: + - US: US20240000123A1 (indicates the first publication of application US20240000123) + - Europe: EP23123456A1 (first publication of European application EP23123456). + + WIPO ST.96 v8.0: + - Publication Number field: https://www.wipo.int/standards/XMLSchema/ST96/V8_0/Patent/PublicationNumber.xsd + + + + + The title of the patent, summarising the invention it protects. Aligned with `InventionTitle` in WIPO ST.96. Refer to [InventionTitle in ST.96](https://www.wipo.int/standards/XMLSchema/ST96/V8_0/Patent/InventionTitle.xsd). + + + + + A brief summary of the invention described in the patent. Aligned with `Abstract` and `P` in WIPO ST.96. 
Refer to [Abstract in ST.96](https://www.wipo.int/standards/XMLSchema/ST96/V8_0/Patent/Abstract.xsd). + + + + + The date the patent application was filed with the jurisdiction. Aligned with `FilingDate` in WIPO ST.96. Refer to [FilingDate in ST.96](https://www.wipo.int/standards/XMLSchema/ST96/V8_0/Patent/FilingDate.xsd). + + + + + The date the patent was granted by the jurisdiction. Aligned with `GrantDate` in WIPO ST.96. Refer to [GrantDate in ST.96](https://www.wipo.int/standards/XMLSchema/ST96/V8_0/Patent/GrantDate.xsd). + + + + + The date the patent expires. Derived from grant or filing date according to jurisdiction-specific rules. + + + + + Indicates the current legal status of the patent or patent application, based on the WIPO ST.27 standard. This status reflects administrative, procedural, or legal events. Values include both active and inactive states and are useful for determining enforceability, procedural history, and maintenance status. + + + + + Organisations or individuals to whom the patent rights are assigned. Supports joint ownership. + + + + + External references provide a way to document systems, sites, and information that may be relevant but are not included with the BOM. They may also establish specific relationships within or external to the BOM. + + + + + + + An identifier which can be used to reference the object elsewhere in the BOM. + Uniqueness is enforced within all elements and children of the root-level bom element. + + + + + + User-defined attributes may be used on this element as long as they + do not have the same name as an existing attribute used by the schema. + + + + + + + + An assertion linking a patent or patent family to a component or service. This allows expression of ownership, licensing, third-party claims, and other legal relationships. + + + + + + The type of assertion being made (e.g. ownership, license, third-party-claim, etc.). 
+ + + + + A list of references (`bom-ref`) linking to patents or families associated with this assertion. + + + + + + + + + + The organisation, individual, or BOM reference asserting the patent claim. + + + + + + + + + + + + Additional clarifications regarding the assertion, such as geographic or temporal constraints. + + + + + + + An identifier which can be used to reference the object elsewhere in the BOM. + Uniqueness is enforced within all elements and children of the root-level bom element. + + + + + + User-defined attributes may be used on this element as long as they + do not have the same name as an existing attribute used by the schema. + + + + + + + + The legal status of the patent, reflecting various administrative or judicial states a patent or application may be in. Aligned with concepts in WIPO ST.27. + + + + + The patent application has been filed but not yet examined or granted. + + + The patent application has been examined and a patent has been issued. + + + The patent has been declared invalid through a legal or administrative process. + + + The patent has reached the end of its enforceable term. + + + The patent is no longer in force due to non-payment of maintenance fees or other requirements. + + + The patent application was voluntarily withdrawn by the applicant. + + + The patent application was abandoned, often due to lack of action or response. + + + Processing of the patent application has been temporarily halted. + + + A previously abandoned or lapsed patent has been reinstated. + + + The patent application or granted patent is under formal opposition proceedings. + + + The patent or application has been officially terminated. + + + The patent has been invalidated, either in part or in full. + + + The granted patent is active and enforceable. + + + + + + + + Specifies the type of assertion made about a patent or patent family. Enables documentation of legal, ownership, or usage-related claims. 
+ + + + + The manufacturer asserts ownership of the patent or patent family. + + + The manufacturer asserts they have a license to use the patent or patent family. + + + A third party has asserted a claim or potential infringement against the manufacturer’s component or service. + + + The patent is part of a standard essential patent (SEP) portfolio relevant to the component or service. + + + The manufacturer asserts the patent or patent family as prior art that invalidates another patent or claim. + + + The manufacturer asserts exclusive rights granted through a licensing agreement. + + + The manufacturer asserts they will not enforce the patent or patent family against certain uses or users. + + + The patent or patent family is being used under a research or evaluation license. + + + + + + + + + + + + + + The jurisdiction or patent office where the priority application was filed, specified using WIPO ST.3 codes. Aligned with `IPOfficeCode` in ST.96. Refer to [IPOfficeCode in ST.96](https://www.wipo.int/standards/XMLSchema/ST96/V8_0/Common/IPOfficeCode.xsd). + + + + + + + + + + + The date the priority application was filed. Aligned with `FilingDate` in WIPO ST.96. + + + + + + + + + The priorityApplication contains the essential data necessary to identify and reference an earlier patent filing for priority rights. In line with WIPO ST.96 guidelines, it includes the jurisdiction (office code), application number, and filing date-the three key elements that uniquely specify the priority application in a global patent context. + + + + + + + + + + + + + + + Details a specific attribution of data within the BOM to a contributing entity or process. + + + + + + + + + + Details a specific attribution of data within the BOM to a contributing entity or process. + + + + + + Exactly one of the "pointers" or "expressions" elements must be present. 
+ + + + + + + One or more JSON Pointers(https://datatracker.ietf.org/doc/html/rfc6901) identifying the BOM fields to which the attribution applies. + + + + + + + + A JSON Pointer(https://datatracker.ietf.org/doc/html/rfc6901) identifying the BOM field to which the attribution applies. + Users of other serialisation formats (e.g. XML) shall use the JSON Pointer format to ensure consistent field referencing across representations. + + + + + + + + + + One or more path expressions used to locate values within a BOM. + + + + + + + + Specifies a path expression used to locate a value within a BOM. The expression syntax shall conform to the format of the BOM's serialisation. + Use [JSONPath](https://datatracker.ietf.org/doc/html/rfc9535) for JSON, [XPath](https://www.w3.org/TR/xpath/) for XML, and default to JSONPath for Protocol Buffers unless otherwise specified. + Implementers shall ensure the expression is valid within the context of the applicable serialisation format. + + + + + + + + + + + The date and time when the attribution was made or the information was supplied. + + + + + + + The `bom-ref` of an object, such as a component, service, tool, organisational entity, or person that supplied the cited information. + At least one of the "attributedTo" or "process" elements must be present. + + + + + + + The `bom-ref` to a process (such as a formula, workflow, task, or step) defined in the `formulation` section that executed or generated the attributed data. + At least one of the "attributedTo" or "process" elements must be present. + + + + + + + An description or comment about the context or quality of the data attribution. + + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + + + An identifier which can be used to reference the object elsewhere in the BOM. + Uniqueness is enforced within all elements and children of the root-level bom element. 
+ + + + + + User-defined attributes may be used on this element as long as they + do not have the same name as an existing attribute used by the schema. + + + + + + + + + + Provides additional information about a BOM. + + + + + A list of software and hardware components. + + + + + A list of services. This may include microservices, function-as-a-service, and other types of network or intra-process services. + + + + + Provides the ability to document external references related to the BOM or + to the project the BOM describes. + + + + + Provides the ability to document dependency relationships. + + + + + Compositions describe constituent parts (including components, services, and dependency relationships) and their completeness. The completeness of vulnerabilities expressed in a BOM may also be described. + + + + + Provides the ability to document properties in a name/value store. + This provides flexibility to include data not officially supported in the standard + without having to use additional namespaces or create extensions. Property names + of interest to the general public are encouraged to be registered in the + CycloneDX Property Taxonomy - https://github.com/CycloneDX/cyclonedx-property-taxonomy. + Formal registration is optional. + + + + + Vulnerabilities identified in components or services. + + + + + Comments made by people, organizations, or tools about any object with + a bom-ref, such as components, services, vulnerabilities, or the BOM itself. Unlike + inventory information, annotations may contain opinion or commentary from various + stakeholders. Annotations may be inline (with inventory) or externalized via BOM-Link, + and may optionally be signed. + + + + + Describes the formulation of any referencable object within the BOM, + including components, services, metadata, declarations, or the BOM itself. This may + encompass how the object was created, assembled, deployed, tested, certified, or otherwise + brought into its present form. 
Common examples include software build pipelines, + deployment processes, AI/ML model training, cryptographic key generation or certification, + and third-party audits. Processes are modeled using declared and observed formulas, + composed of workflows, tasks, and individual steps. + + + + + + The list of declarations which describe the conformance to standards. Each declaration may + include attestations, claims, and evidence. + + + + + + + A collection of reusable objects that are defined and may be used elsewhere in the BOM. + + + + + + A collection of attributions indicating which entity supplied information for specific fields within the BOM. + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + Whenever an existing BOM is modified, either manually or through automated + processes, the version of the BOM SHOULD be incremented by 1. When a system is presented with + multiple BOMs with identical serial numbers, the system SHOULD use the most recent version of the BOM. + The default version is '1'. + + + + + Every BOM generated SHOULD have a unique serial number, even if the contents of + the BOM have not changed over time. If specified, the serial number must conform to RFC-4122. + Use of serial numbers are recommended. + + + + + User-defined attributes may be used on this element as long as they + do not have the same name as an existing attribute used by the schema. + + + + + + + + + diff --git a/schema/cryptography-defs.json b/schema/cryptography-defs.json new file mode 100644 index 0000000..e3e1728 --- /dev/null +++ b/schema/cryptography-defs.json 
@@ -0,0 +1,3793 @@
+{
+ "$schema": "http://cyclonedx.org/schema/cryptography-defs.schema.json",
+ "lastUpdated": "2025-03-22T00:00:00Z",
+ "algorithms": [
+ {
+ "family": "RSASSA-PKCS1",
+ "standard": [
+ {
+ "name": "RFC8017",
+ "url": "https://doi.org/10.17487/RFC8017"
+ },
+ {
+ "name": "IEEE1363",
+ "url": "https://doi.org/10.1109/IEEESTD.2000.92290"
+ }
+ ],
+ "variant": [
+ {
+ "pattern": "RSA-PKCS1-1.5[-{digestAlgorithm}][-{keyLength}]",
+ "primitive": "signature"
+ }
+ ]
+ },
+ {
+ "family": "RSASSA-PSS",
+ "standard": [
+ {
+ "name": "RFC8017",
+ "url": "https://doi.org/10.17487/RFC8017"
+ },
+ {
+ "name": "IEEE1363A",
+ "url": "https://doi.org/10.1109/IEEESTD.2004.94612"
+ }
+ ],
+ "variant": [
+ {
+ "pattern": "RSA-PSS[-{digestAlgorithm}][-{saltLength}][-{keyLength}]",
+ "primitive": "signature"
+ }
+ ]
+ },
+ {
+ "family": "RSAES-PKCS1",
+ "standard": [
+ {
+ "name": "RFC8017",
+ "url": "https://doi.org/10.17487/RFC8017"
+ }
+ ],
+ "variant": [
+ {
+ "pattern": "RSA-PKCS1-1.5[-{keyLength}]",
+ "primitive": "pke"
+ }
+ ]
+ },
+ {
+ "family": "RSAES-OAEP",
+ "standard": [
+ {
+ "name": "RFC8017",
+ "url": "https://doi.org/10.17487/RFC8017"
+ }
+ ],
+ "variant": [
+ {
+ "pattern": "RSA-OAEP[-{hashAlgorithm}][-{maskGenAlgorithm}][-{keyLength}]",
+ "primitive": "pke"
+ }
+ ]
+ },
+ {
+ "family": "EdDSA",
+ "standard": [
+ {
+ "name": "RFC8032",
+ "url": "https://doi.org/10.17487/RFC8032"
+ }
+ ],
+ "variant": [
+ {
+ "pattern": "Ed(25519|448)[-(ph|ctx)]",
+ "primitive": "signature"
+ }
+ ]
+ },
+ {
+ "family": "ECDSA",
+ "standard": [
+ {
+ "name": "FIPS186-4",
+ "url": "https://doi.org/10.6028/NIST.FIPS.186-4"
+ },
+ {
+ "name": "X9.62",
+ "url": "https://standards.globalspec.com/std/1955141/ansi-x9-62"
+ }
+ ],
+ "variant": [
+ {
+ "pattern": "ECDSA[-{ellipticCurve}][-{hash}]",
+ "primitive": "signature"
+ }
+ ]
+ },
+ {
+ "family": "ECIES",
+ "standard": [
+ {
+ "name": "SEC1",
+ "url": "https://www.secg.org/sec1-v2.pdf"
+ },
+ {
+ "name": "ISO/IEC 
18033-2",
+ "url": "https://www.iso.org/standard/37971.html"
+ }
+ ],
+ "variant": [
+ {
+ "pattern": "ECIES[-{ellipticCurve}][-{kdf}][-{symmetricCipher}][-{mac}]",
+ "primitive": "pke"
+ }
+ ]
+ },
+ {
+ "family": "MQV",
+ "standard": [
+ {
+ "name": "SP800-56A",
+ "url": "https://doi.org/10.6028/NIST.SP.800-56Ar3"
+ }
+ ],
+ "variant": [
+ {
+ "pattern": "FFMQV[-{namedGroup}]",
+ "primitive": "key-agree"
+ },
+ {
+ "pattern": "ECMQV[-{ellipticCurve}]",
+ "primitive": "key-agree"
+ }
+ ]
+ },
+ {
+ "family": "ElGamal",
+ "standard": [
+ {
+ "name": "ISO/IEC 18033-2",
+ "url": "https://www.iso.org/standard/37971.html"
+ }
+ ],
+ "variant": [
+ {
+ "pattern": "ElGamal[-{keyLength}]",
+ "primitive": "pke"
+ },
+ {
+ "pattern": "EC-ElGamal[-{ellipticCurve}]",
+ "primitive": "pke"
+ }
+ ]
+ },
+ {
+ "family": "DSA",
+ "standard": [
+ {
+ "name": "FIPS186-4",
+ "url": "https://doi.org/10.6028/NIST.FIPS.186-4"
+ }
+ ],
+ "variant": [
+ {
+ "pattern": "DSA[-{length}][-{hash}]",
+ "primitive": "signature"
+ }
+ ]
+ },
+ {
+ "family": "ECDH",
+ "standard": [
+ {
+ "name": "SP800-56A",
+ "url": "https://doi.org/10.6028/NIST.SP.800-56Ar3"
+ },
+ {
+ "name": "IEEE1363",
+ "url": "https://doi.org/10.1109/IEEESTD.2000.92290"
+ },
+ {
+ "name": "X9.63",
+ "url": "https://webstore.ansi.org/standards/ASCX9/ansix9632011r2017"
+ }
+ ],
+ "variant": [
+ {
+ "pattern": "ECDH[E][-{ellipticCurve}]",
+ "primitive": "key-agree"
+ },
+ {
+ "pattern": "x25519|x448",
+ "primitive": "key-agree"
+ }
+ ]
+ },
+ {
+ "family": "FFDH",
+ "standard": [
+ {
+ "name": "RFC7919",
+ "url": "https://doi.org/10.17487/RFC7919"
+ },
+ {
+ "name": "SP800-56A",
+ "url": "https://doi.org/10.6028/NIST.SP.800-56Ar3"
+ }
+ ],
+ "variant": [
+ {
+ "pattern": "FFDH(E)[-{namedGroup}]",
+ "primitive": "key-agree"
+ }
+ ]
+ },
+ {
+ "family": "SHA-1",
+ "standard": [
+ {
+ "name": "FIPS180-4",
+ "url": "https://doi.org/10.6028/NIST.FIPS.180-4"
+ }
+ ],
+ "variant": [
+ {
+ "pattern": "SHA-1",
+ "primitive": "hash"
+ }
+ ] + }, + { + "family": "SHA-2", + "standard": [ + { + "name": "FIPS180-4", + "url": "https://doi.org/10.6028/NIST.FIPS.180-4" + } + ], + "variant": [ + { + "pattern": "SHA-(224|256|384|512|512/224|512/256)", + "primitive": "hash" + } + ] + }, + { + "family": "SHA-3", + "standard": [ + { + "name": "FIPS202", + "url": "https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.202.pdf" + }, + { + "name": "SP800-185", + "url": "https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.202.pdf" + } + ], + "variant": [ + { + "pattern": "SHA-3-(224|256|384|512)", + "primitive": "hash" + }, + { + "pattern": "SHAKE(128|256)", + "primitive": "xof" + }, + { + "pattern": "cSHAKE(128|256)", + "primitive": "xof" + }, + { + "pattern": "KMAC(128|256)", + "primitive": "mac" + }, + { + "pattern": "HMACXOF(128|256)", + "primitive": "mac" + }, + { + "pattern": "TupleHash(128|256)", + "primitive": "hash" + }, + { + "pattern": "TupleHashXOF(128|256)", + "primitive": "xof" + }, + { + "pattern": "ParallelHash(128|256)", + "primitive": "hash" + }, + { + "pattern": "ParallelHashXOF(128|256)", + "primitive": "xof" + } + ] + }, + { + "family": "AES", + "standard": [ + { + "name": "FIPS197", + "url": "https://doi.org/10.6028/NIST.FIPS.197-upd1" + }, + { + "name": "SP800-38{A-G}", + "url": "https://doi.org/10.6028/NIST.SP.800-38A" + }, + { + "name": "RFC 5116", + "url": "https://doi.org/10.17487/RFC5116" + } + ], + "variant": [ + { + "pattern": "AES[-(128|192|256)][-(ECB|CBC|CFB(1|8|64|128)|OFB|CTR|XTS|CTS)][-{padding}][-{ivlen}]", + "primitive": "block-cipher" + }, + { + "standard": [ + { + "name": "SP800-38D", + "url": "https://doi.org/10.6028/NIST.SP.800-38D" + }, + { + "name": "RFC 3610", + "url": "https://doi.org/10.17487/RFC5116" + } + ], + "pattern": "AES[-(128|192|256)][-(GCM|CCM)][-{tagLength}][-{ivLength}]", + "primitive": "ae" + }, + { + "standard": [ + { + "name": "RFC5649", + "url": "https://doi.org/10.17487/RFC5649" + } + ], + "pattern": "AES[-(128|192|256)]-Wrap[-(PAD|KWP|PKCS7)]", + 
"primitive": "key-wrap" + }, + { + "pattern": "AES[-(128|192|256)][-(GMAC|CMAC)]", + "primitive": "mac" + }, + { + "pattern": "AES[-(128|192|256)][-(XCBC_MAC[_96])]", + "primitive": "mac" + } + ] + }, + { + "family": "HKDF", + "standard": [ + { + "name": "RFC5869", + "url": "https://doi.org/10.17487/RFC5869" + } + ], + "variant": [ + { + "pattern": "HKDF[-{hashFunction}]", + "primitive": "kdf" + } + ] + }, + { + "family": "HMAC", + "standard": [ + { + "name": "SP800-224", + "url": "https://doi.org/10.6028/NIST.SP.800-224.ipd" + }, + { + "name": "RFC2104", + "url": "https://doi.org/10.17487/RFC2104" + } + ], + "variant": [ + { + "pattern": "HMAC[-{hashFunction}][-{tagLength}]", + "primitive": "mac" + } + ] + }, + { + "family": "CMAC", + "standard": [ + { + "name": "SP800-38B", + "url": "https://doi.org/10.6028/NIST.SP.800-38B" + } + ], + "variant": [ + { + "pattern": "CMAC[-{cipherAlgorithm}][-{length}]", + "primitive": "mac" + } + ] + }, + { + "family": "KMAC", + "standard": [ + { + "name": "SP800-108r1", + "url": "https://doi.org/10.6028/NIST.SP.800-108r1-upd1" + } + ], + "variant": [ + { + "pattern": "KMAC[-(128|256)]", + "primitive": "mac" + } + ] + }, + { + "family": "ChaCha", + "standard": [ + { + "name": "RFC8439", + "url": "https://doi.org/10.17487/RFC8439" + } + ], + "variant": [ + { + "pattern": "ChaCha20[-(AES|{otherBlockCipher})]", + "primitive": "stream-cipher" + } + ] + }, + { + "family": "Poly1305", + "standard": [ + { + "name": "RFC8439", + "url": "https://doi.org/10.17487/RFC8439" + } + ], + "variant": [ + { + "pattern": "Poly1305", + "primitive": "mac" + } + ] + }, + { + "family": "ChaCha20", + "standard": [ + { + "name": "RFC8439", + "url": "https://doi.org/10.17487/RFC8439" + } + ], + "variant": [ + { + "pattern": "ChaCha20", + "primitive": "stream-cipher" + }, + { + "pattern": "ChaCha20-Poly1305", + "primitive": "ae" + } + ] + }, + { + "family": "Salsa20", + "standard": [ + { + "name": "The Salsa20 Family of Stream Ciphers", + "url": 
"https://doi.org/10.1007/978-3-540-68351-3_8" + } + ], + "variant": [ + { + "pattern": "Salsa20", + "primitive": "stream-cipher" + }, + { + "pattern": "Salsa20-Poly1305", + "primitive": "ae" + } + ] + }, + { + "family": "MD5", + "standard": [ + { + "name": "RFC1321", + "url": "https://doi.org/10.17487/RFC1321" + } + ], + "variant": [ + { + "pattern": "MD5", + "primitive": "hash" + } + ] + }, + { + "family": "MD4", + "standard": [ + { + "name": "RFC1320", + "url": "https://doi.org/10.17487/RFC1320" + } + ], + "variant": [ + { + "pattern": "MD4", + "primitive": "hash" + } + ] + }, + { + "family": "RC4", + "standard": [ + { + "name": "Applied Cryptography: Protocols, Algorithms, and Source Code in C", + "url": "https://dl.acm.org/doi/book/10.5555/572932" + } + ], + "variant": [ + { + "pattern": "RC4[-{keyLength}]", + "primitive": "stream-cipher" + } + ] + }, + { + "family": "3DES", + "standard": [ + { + "name": "RFC1851", + "url": "https://doi.org/10.17487/RFC1851" + }, + { + "name": "FIPS PUB 46-3", + "url": "https://csrc.nist.gov/pubs/fips/46-3/final" + } + ], + "variant": [ + { + "pattern": "3DES[-{keyLength}][-{mode}]", + "primitive": "block-cipher" + } + ] + }, + { + "family": "DES", + "standard": [ + { + "name": "FIPS PUB 46-3", + "url": "https://csrc.nist.gov/pubs/fips/46-3/final" + }, + { + "name": "ANSI INCITS 92-1981", + "url": "https://csrc.nist.gov/pubs/fips/46-3/final" + } + ], + "variant": [ + { + "pattern": "DES[-{keyLength}][-{mode}]", + "primitive": "block-cipher" + } + ] + }, + { + "family": "IDEA", + "standard": [ + { + "name": "A Proposal for a New Block Encryption Standard", + "url": "https://doi.org/10.1007%2F3-540-46877-3_35" + } + ], + "variant": [ + { + "pattern": "IDEA[-{mode}]", + "primitive": "block-cipher" + } + ] + }, + { + "family": "RC2", + "standard": [ + { + "name": "RFC2268", + "url": "https://doi.org/10.17487/RFC2268" + } + ], + "variant": [ + { + "pattern": "RC2[-{keyLength}][-{mode}]", + "primitive": "block-cipher" + } + ] + }, + 
{ + "family": "ML-DSA", + "standard": [ + { + "name": "FIPS 204", + "url": "https://doi.org/10.6028/NIST.FIPS.204" + } + ], + "variant": [ + { + "pattern": "ML-DSA-(44|65|87)", + "primitive": "signature" + }, + { + "pattern": "HashML-DSA-(44|65|87)[-{hashFunction}]", + "primitive": "signature" + } + ] + }, + { + "family": "SLH-DSA", + "standard": [ + { + "name": "FIPS 205", + "url": "https://doi.org/10.6028/NIST.FIPS.205" + } + ], + "variant": [ + { + "pattern": "SLH-DSA-(SHA2|SHAKE)-(128s|128f|192s|192f|256s|256f)", + "primitive": "signature" + }, + { + "pattern": "HashSLH-DSA-(SHA2|SHAKE)-(128s|128f|192s|192f|256s|256f)[-{hashFunction}]", + "primitive": "signature" + } + ] + }, + { + "family": "XMSS", + "standard": [ + { + "name": "SP800-208", + "url": "https://doi.org/10.6028/NIST.SP.800-208" + }, + { + "name": "RFC8391", + "url": "https://doi.org/10.17487/RFC8391" + } + ], + "variant": [ + { + "pattern": "XMSS-(SHA2|SHAKE)[_{h}][_{nbits}]", + "primitive": "signature" + }, + { + "pattern": "XMSSMT-(SHA2|SHAKE)[_{h}/{d}][_{nbits}]", + "primitive": "signature" + }, + { + "pattern": "WOTSP-(SHA2|SHAKE)[_{nbits}]", + "primitive": "signature" + } + ] + }, + { + "family": "LMS", + "standard": [ + { + "name": "SP800-208", + "url": "https://doi.org/10.6028/NIST.SP.800-208" + }, + { + "name": "RFC8554", + "url": "https://doi.org/10.17487/RFC8554" + } + ], + "variant": [ + { + "pattern": "LMS[_{hashFunction}][_M{bytesPerNode}][_H{treeHeight}]", + "primitive": "signature" + }, + { + "pattern": "LMOTS[_{hashfun}][_N{bytespernode}][_H{treeheight}]", + "primitive": "signature" + } + ] + }, + { + "family": "ML-KEM", + "standard": [ + { + "name": "FIPS 203", + "url": "https://doi.org/10.6028/NIST.FIPS.203" + } + ], + "variant": [ + { + "pattern": "ML-KEM-(512|768|1024)", + "primitive": "kem" + } + ] + }, + { + "family": "IKE-PRF", + "standard": [ + { + "name": "RFC2409", + "url": "https://doi.org/10.17487/RFC2409" + }, + { + "name": "RFC5996", + "url": 
"https://doi.org/10.17487/RFC5996" + } + ], + "variant": [ + { + "pattern": "IKE_PRF_DERIVE", + "primitive": "key-agree" + }, + { + "pattern": "IKE1_(PRF|Extended)_DERIVE", + "primitive": "key-agree" + }, + { + "pattern": "IKE2_PRF_PLUS_DERIVE", + "primitive": "key-agree" + } + ] + }, + { + "family": "GOST", + "variant": [ + { + "standard": [ + { + "name": "RFC4357", + "url": "https://doi.org/10.17487/RFC4357" + } + ], + "pattern": "GOSTR3410", + "primitive": "signature" + }, + { + "standard": [ + { + "name": "RFC4357", + "url": "https://doi.org/10.17487/RFC4357" + } + ], + "pattern": "GOSTR3411", + "primitive": "hash" + }, + { + "standard": [ + { + "name": "RFC4357", + "url": "https://doi.org/10.17487/RFC4357" + } + ], + "pattern": "GOSTR3411_HMAC", + "primitive": "mac" + }, + { + "standard": [ + { + "name": "RFC4357", + "url": "https://doi.org/10.17487/RFC4357" + } + ], + "pattern": "GOST38147[-{mode}][-{padding}]", + "primitive": "block-cipher" + }, + { + "standard": [ + { + "name": "RFC4357", + "url": "https://doi.org/10.17487/RFC4357" + } + ], + "pattern": "GOST38147_MAC", + "primitive": "mac" + } + ] + }, + { + "family": "SEED", + "standard": [ + { + "name": "RFC4269", + "url": "https://doi.org/10.17487/RFC4269" + }, + { + "name": "RFC5669", + "url": "https://doi.org/10.17487/RFC5669" + } + ], + "variant": [ + { + "pattern": "SEED-128[-{mode}][-{padding}]", + "primitive": "block-cipher" + }, + { + "pattern": "SEED-128[-{mode}][-{padding}]-HMAC[-{hashFunction}][-{tagLength}]", + "primitive": "ae" + }, + { + "pattern": "SEED-128-(CCM|GCM)", + "primitive": "ae" + } + ] + }, + { + "family": "ARIA", + "standard": [ + { + "name": "RFC5794", + "url": "https://doi.org/10.17487/RFC5794" + } + ], + "variant": [ + { + "pattern": "ARIA-(128|192|256)[-{mode}][-{padding}]", + "primitive": "block-cipher" + }, + { + "pattern": "ARIA-(128|192|256)[-{authmode}][-{padding}]", + "primitive": "ae" + } + ] + }, + { + "family": "CAMELLIA", + "standard": [ + { + "name": "RFC3713", + 
"url": "https://doi.org/10.17487/RFC3713" + } + ], + "variant": [ + { + "pattern": "CAMELLIA-(128|192|256)[-{mode}][-{padding}]", + "primitive": "block-cipher" + }, + { + "pattern": "CAMELLIA-(128|192|256)[-{authmode}][-{padding}]", + "primitive": "ae" + } + ] + }, + { + "family": "Twofish", + "standard": [ + { + "name": "Twofish: A 128-Bit Block Cipher", + "url": "https://www.schneier.com/academic/twofish/" + } + ], + "variant": [ + { + "pattern": "Twofish-(128|192|256)[-{mode}][-{padding}]", + "primitive": "block-cipher" + } + ] + }, + { + "family": "Blowfish", + "standard": [ + { + "name": "Description of a new variable-length key, 64-bit block cipher (Blowfish)", + "url": "https://doi.org/10.1007/3-540-58108-1_24" + } + ], + "variant": [ + { + "pattern": "Blowfish[-{keyLength}][-{mode}][-{padding}]", + "primitive": "block-cipher" + } + ] + }, + { + "family": "Skipjack", + "standard": [ + { + "name": "Escrowed Encryption Standard (EES)", + "url": "https://doi.org/10.6028/NIST.FIPS.185" + } + ], + "variant": [ + { + "pattern": "Skipjack[-{mode}][-{padding}]", + "primitive": "block-cipher" + } + ] + }, + { + "family": "SP800-108", + "standard": [ + { + "name": "SP800-108", + "url": "https://doi.org/10.6028/NIST.SP.800-108r1-upd1" + } + ], + "variant": [ + { + "pattern": "SP800_108_(CounterKDF|FeedbackKDF|DoublePipelineKDF)[-{prfFunction}][-{dkmLength}]", + "primitive": "key-derive" + } + ] + }, + { + "family": "BLAKE2", + "standard": [ + { + "name": "RFC7693", + "url": "https://doi.org/10.17487/RFC7693" + } + ], + "variant": [ + { + "pattern": "BLAKE2b-(160|256|384|512)", + "primitive": "hash" + }, + { + "pattern": "BLAKE2b-(160|256|384|512)-HMAC", + "primitive": "mac" + }, + { + "pattern": "BLAKE2s-(160|256)", + "primitive": "hash" + }, + { + "pattern": "BLAKE2b-(160|256|384|512)-HMAC", + "primitive": "mac" + } + ] + }, + { + "family": "BLAKE3", + "standard": [ + { + "name": "BLAKE3 Spec", + "url": 
"https://github.com/BLAKE3-team/BLAKE3-specs/blob/master/blake3.pdf" + } + ], + "variant": [ + { + "pattern": "BLAKE3[-{outputLength}]", + "primitive": "hash" + } + ] + }, + { + "family": "X3DH", + "standard": [ + { + "name": "The X3DH Key Agreement Protocol", + "url": "https://signal.org/docs/specifications/x3dh/" + } + ], + "variant": [ + { + "pattern": "X3DH[-{hashFunction}]", + "primitive": "key-agree" + } + ] + }, + { + "family": "BLS", + "standard": [ + { + "name": "Short Signatures from the Weil Pairing", + "url": "https://dx.doi.org/10.1007/3-540-45682-1_30" + } + ], + "variant": [ + { + "pattern": "BLS(13-381|13-377|BN254)", + "primitive": "signature" + }, + { + "pattern": "BLS[-{ellipticCurve}]", + "primitive": "signature" + } + ] + }, + { + "family": "MILENAGE", + "standard": [ + { + "name": "3GPP TS 35.206", + "url": "https://www.3gpp.org/ftp/Specs/archive/35_series/35.206/35206-i00.zip" + } + ], + "variant": [ + { + "pattern": "MILENAGE[-MAC]", + "primitive": "mac" + }, + { + "pattern": "MILENAGE[-KDF]", + "primitive": "kdf" + } + ] + }, + { + "family": "TUAK", + "standard": [ + { + "name": "SHA-3 based authentication algorithm (3GPP TS 35.231)", + "url": "https://www.3gpp.org/ftp/Specs/archive/35_series/35.231/35231-i00.zip" + } + ], + "variant": [ + { + "pattern": "TUAC[-MAC]", + "primitive": "mac" + }, + { + "pattern": "TUAC[-KDF]", + "primitive": "kdf" + } + ] + }, + { + "family": "ZUC", + "standard": [ + { + "name": "3GPP TS 35.221", + "url": "https://www.3gpp.org/ftp/Specs/archive/35_series/35.221/35221-i00.zip" + } + ], + "variant": [ + { + "pattern": "128-EEA3", + "primitive": "stream-cipher" + }, + { + "pattern": "128-EIA3", + "primitive": "mac" + } + ] + }, + { + "family": "SNOW3G", + "standard": [ + { + "name": "3GPP TS 35.216", + "url": "https://www.3gpp.org/ftp/Specs/archive/35_series/35.216/35216-i00.zip" + } + ], + "variant": [ + { + "pattern": "128-EEA1", + "primitive": "stream-cipher" + }, + { + "pattern": "128-EIA1", + "primitive": 
"mac" + } + ] + }, + { + "family": "3GPP-XOR", + "standard": [ + { + "name": "Legacy XOR-based AV generation algorithm (3GPP TS 35.201)", + "url": "https://www.3gpp.org/ftp/Specs/archive/35_series/35.201/35201-i00.zip" + } + ], + "variant": [ + { + "pattern": "3GPP-XOR[-MAC]", + "primitive": "mac" + }, + { + "pattern": "3GPP-XOR[-KDF]", + "primitive": "kdf" + } + ] + }, + { + "family": "MD2", + "standard": [ + { + "name": "RFC1319", + "url": "https://doi.org/10.17487/RFC1319" + } + ], + "variant": [ + { + "pattern": "MD2", + "primitive": "hash" + } + ] + }, + { + "family": "MD4", + "standard": [ + { + "name": "RFC1320", + "url": "https://doi.org/10.17487/RFC1320" + } + ], + "variant": [ + { + "pattern": "MD4", + "primitive": "hash" + } + ] + }, + { + "family": "MD5", + "standard": [ + { + "name": "RFC1321", + "url": "https://doi.org/10.17487/RFC1321" + } + ], + "variant": [ + { + "pattern": "MD5", + "primitive": "hash" + } + ] + }, + { + "family": "RIPEMD", + "standard": [ + { + "name": "ISO10118-3", + "url": "https://www.iso.org/standard/67116.html" + } + ], + "variant": [ + { + "pattern": "RIPEMD-(128|160|256|320)", + "primitive": "hash" + } + ] + }, + { + "family": "Whirlpool", + "standard": [ + { + "name": "ISO10118-3", + "url": "https://www.iso.org/standard/67116.html" + }, + { + "name": "NESSIE", + "url": "https://www.cosic.esat.kuleuven.be/nessie/" + } + ], + "variant": [ + { + "pattern": "Whirlpool", + "primitive": "hash" + } + ] + }, + { + "family": "Serpent", + "standard": [ + { + "name": "AES Finalist", + "url": "https://www.cl.cam.ac.uk/~rja14/serpent.html" + } + ], + "variant": [ + { + "pattern": "Serpent-(128|192|256)[-{mode}][-{padding}]", + "primitive": "block-cipher" + } + ] + }, + { + "family": "CAST5", + "standard": [ + { + "name": "RFC2144", + "url": "https://doi.org/10.17487/RFC2144" + } + ], + "variant": [ + { + "pattern": "CAST5[-{keyLength}][-{mode}]", + "primitive": "block-cipher" + } + ] + }, + { + "family": "CAST6", + "standard": [ + { + 
"name": "RFC2612", + "url": "https://doi.org/10.17487/RFC2612" + } + ], + "variant": [ + { + "pattern": "CAST6[-{keyLength}][-{mode}]", + "primitive": "block-cipher" + } + ] + }, + { + "family": "RC5", + "standard": [ + { + "name": "RFC2040", + "url": "https://doi.org/10.17487/RFC2040" + } + ], + "variant": [ + { + "pattern": "RC5[-{keyLength}][-{mode}]", + "primitive": "block-cipher" + } + ] + }, + { + "family": "RC6", + "standard": [ + { + "name": "The RC6 Block Cipher", + "url": "https://web.archive.org/web/20181223080309/http://people.csail.mit.edu/rivest/rc6.pdf" + } + ], + "variant": [ + { + "pattern": "RC6[-{keyLength}][-{mode}]", + "primitive": "block-cipher" + } + ] + }, + { + "family": "HC", + "standard": [ + { + "name": "eSTREAM", + "url": "https://www.ecrypt.eu.org/stream/" + } + ], + "variant": [ + { + "pattern": "HC-128", + "primitive": "stream-cipher" + }, + { + "pattern": "HC-256", + "primitive": "stream-cipher" + } + ] + }, + { + "family": "RABBIT", + "standard": [ + { + "name": "RFC4503", + "url": "https://doi.org/10.17487/RFC4503" + }, + { + "name": "eSTREAM", + "url": "https://www.ecrypt.eu.org/stream/" + } + ], + "variant": [ + { + "pattern": "RABBIT", + "primitive": "stream-cipher" + } + ] + }, + { + "family": "Ascon", + "standard": [ + { + "name": "NIST SP 800-232", + "url": "https://doi.org/10.6028/NIST.SP.800-232" + } + ], + "variant": [ + { + "pattern": "Ascon-AEAD128", + "primitive": "ae" + }, + { + "pattern": "Ascon-Hash256", + "primitive": "hash" + }, + { + "pattern": "Ascon-XOF128", + "primitive": "xof" + }, + { + "pattern": "Ascon-CXOF128", + "primitive": "xof" + } + ] + }, + { + "family": "SipHash", + "standard": [ + { + "name": "SipHash Spec", + "url": "https://131002.net/siphash/" + } + ], + "variant": [ + { + "pattern": "SipHash[-{compressionRounds}-{finalizationRounds}]", + "primitive": "hash" + } + ] + }, + { + "family": "PBKDF1", + "standard": [ + { + "name": "RFC8018", + "url": "https://doi.org/10.17487/RFC8018" + } + ], + 
"variant": [ + { + "pattern": "PBKDF1[-{hashFunction}][-{iterations}][-{dkLen}]", + "primitive": "kdf" + } + ] + }, + { + "family": "PBKDF2", + "standard": [ + { + "name": "RFC8018", + "url": "https://doi.org/10.17487/RFC8018" + }, + { + "name": "SP800-132", + "url": "https://doi.org/10.6028/NIST.SP.800-132" + } + ], + "variant": [ + { + "pattern": "PBKDF2[-{hashFunction}][-{iterations}][-{dkLen}]", + "primitive": "kdf" + } + ] + }, + { + "family": "PBES1", + "standard": [ + { + "name": "RFC8018", + "url": "https://doi.org/10.17487/RFC8018" + } + ], + "variant": [ + { + "pattern": "PBES1[-{encryptionAlgorithm}][-{kdf}][-{dkLen}][-{iterations}]", + "primitive": "other" + } + ] + }, + { + "family": "PBES2", + "standard": [ + { + "name": "RFC8018", + "url": "https://doi.org/10.17487/RFC8018" + } + ], + "variant": [ + { + "pattern": "PBES2[-{encryptionAlgorithm}][-{kdf}][-{dkLen}][-{iterations}]", + "primitive": "other" + } + ] + }, + { + "family": "PBMAC1", + "standard": [ + { + "name": "RFC8018", + "url": "https://doi.org/10.17487/RFC8018" + } + ], + "variant": [ + { + "pattern": "PBMAC1[-{macAlgorithm}][-{hashFunction}][-{iterations}][-{dkLen}]", + "primitive": "mac" + } + ] + }, + { + "family": "bcrypt", + "standard": [ + { + "name": "A Future-Adaptable Password Scheme", + "url": "https://www.usenix.org/legacy/events/usenix99/provos/provos.pdf" + } + ], + "variant": [ + { + "pattern": "bcrypt[-{cost)]", + "primitive": "hash" + } + ] + }, + { + "family": "A5/1", + "variant": [ + { + "pattern": "A5/1", + "primitive": "stream-cipher" + } + ] + }, + { + "family": "A5/2", + "standard": [ + { + "name": "ETSI ETR 278", + "url": "https://www.etsi.org/deliver/etsi_etr/200_299/278/01_60/etr_278e01p.pdf" + } + ], + "variant": [ + { + "pattern": "A5/2", + "primitive": "stream-cipher" + } + ] + }, + { + "family": "CMEA", + "standard": [ + { + "name": "TIA TR45.0.A", + "url": "" + } + ], + "variant": [ + { + "pattern": "CMEA", + "primitive": "block-cipher" + } + ] + }, + { + 
"family": "Fortuna", + "standard": [ + { + "name": "Fortuna - A secure pseudorandom number generator", + "url": "https://www.schneier.com/academic/fortuna" + } + ], + "variant": [ + { + "pattern": "Fortuna[-{blockCipher}][-{hashFunction}]", + "primitive": "drbg" + } + ] + }, + { + "family": "Yarrow", + "standard": [ + { + "name": "Yarrow - A secure pseudorandom number generator", + "url": "https://www.schneier.com/academic/yarrow" + } + ], + "variant": [ + { + "pattern": "Yarrow[-{blockCipher}][-{hashFunction}]", + "primitive": "drbg" + } + ] + } + ], + "ellipticCurves": [ + { + "name": "anssi", + "description": "Agence nationale de la s\u00e9curit\u00e9 des syst\u00e8mes d'information: Publication d'un param\u00e9trage de courbe elliptique visant des applications de passeport \u00e9lectronique et de l'administration \u00e9lectronique fran\u00e7aise. 21 November 2011", + "curves": [ + { + "name": "FRP256v1", + "description": null, + "oid": "1.2.250.1.223.101.256.1", + "form": "Weierstrass" + } + ] + }, + { + "name": "bls", + "description": "BLS curves. A family of pairing friendly curves, with embedding degree = 12 or 24.", + "curves": [ + { + "name": "BLS12-377", + "description": "Curve from Zexe paper: https://eprint.iacr.org/2018/962, params taken from: https://eips.ethereum.org/EIPS/eip-2539 where they are explicitly listed.", + "oid": null, + "form": "Weierstrass" + }, + { + "name": "BLS12-381", + "description": "Curve from https://electriccoin.co/blog/new-snark-curve/. As used in ZCash.", + "oid": null, + "form": "Weierstrass" + }, + { + "name": "BLS12-446", + "description": "Curve from https://github.com/relic-toolkit/relic.", + "oid": null, + "form": "Weierstrass" + }, + { + "name": "BLS12-455", + "description": "Curve from https://github.com/relic-toolkit/relic.", + "oid": null, + "form": "Weierstrass" + }, + { + "name": "BLS12-638", + "description": "Curve from https://github.com/relic-toolkit/relic. 
Also in https://eprint.iacr.org/2012/232.pdf.", + "oid": null, + "form": "Weierstrass" + }, + { + "name": "BLS24-477", + "description": "Curve from https://github.com/relic-toolkit/relic. Also in https://eprint.iacr.org/2012/232.pdf.", + "oid": null, + "form": "Weierstrass" + }, + { + "name": "Bandersnatch", + "description": "Curve from https://ethresear.ch/t/introducing-bandersnatch-a-fast-elliptic-curve-built-over-the-bls12-381-scalar-field/9957", + "oid": null, + "form": "TwistedEdwards" + } + ] + }, + { + "name": "bn", + "description": "BN (Barreto, Naehrig curves) from: A Family of Implementation-Friendly BN Elliptic Curves - .", + "curves": [ + { + "name": "bn158", + "description": null, + "oid": null, + "form": "Weierstrass" + }, + { + "name": "bn190", + "description": null, + "oid": null, + "form": "Weierstrass" + }, + { + "name": "bn222", + "description": null, + "oid": null, + "form": "Weierstrass" + }, + { + "name": "bn254", + "description": null, + "oid": null, + "form": "Weierstrass", + "aliases": [ + { + "category": "other", + "name": "Fp254BNb" + } + ] + }, + { + "name": "bn286", + "description": null, + "oid": null, + "form": "Weierstrass" + }, + { + "name": "bn318", + "description": null, + "oid": null, + "form": "Weierstrass" + }, + { + "name": "bn350", + "description": null, + "oid": null, + "form": "Weierstrass" + }, + { + "name": "bn382", + "description": null, + "oid": null, + "form": "Weierstrass" + }, + { + "name": "bn414", + "description": null, + "oid": null, + "form": "Weierstrass" + }, + { + "name": "bn446", + "description": null, + "oid": null, + "form": "Weierstrass" + }, + { + "name": "bn478", + "description": null, + "oid": null, + "form": "Weierstrass" + }, + { + "name": "bn510", + "description": null, + "oid": null, + "form": "Weierstrass" + }, + { + "name": "bn542", + "description": null, + "oid": null, + "form": "Weierstrass" + }, + { + "name": "bn574", + "description": null, + "oid": null, + "form": "Weierstrass" + }, + { + 
"name": "bn606", + "description": null, + "oid": null, + "form": "Weierstrass" + }, + { + "name": "bn638", + "description": null, + "oid": null, + "form": "Weierstrass" + } + ] + }, + { + "name": "brainpool", + "description": "ECC Brainpool Standard Curves and Curve Generation v. 1.0 19.10.2005", + "curves": [ + { + "name": "brainpoolP160r1", + "description": null, + "oid": "1.3.36.3.3.2.8.1.1.1", + "form": "Weierstrass" + }, + { + "name": "brainpoolP160t1", + "description": null, + "oid": "1.3.36.3.3.2.8.1.1.2", + "form": "Weierstrass" + }, + { + "name": "brainpoolP192r1", + "description": null, + "oid": "1.3.36.3.3.2.8.1.1.3", + "form": "Weierstrass" + }, + { + "name": "brainpoolP192t1", + "description": null, + "oid": "1.3.36.3.3.2.8.1.1.4", + "form": "Weierstrass" + }, + { + "name": "brainpoolP224r1", + "description": null, + "oid": "1.3.36.3.3.2.8.1.1.5", + "form": "Weierstrass" + }, + { + "name": "brainpoolP224t1", + "description": null, + "oid": "1.3.36.3.3.2.8.1.1.6", + "form": "Weierstrass" + }, + { + "name": "brainpoolP256r1", + "description": null, + "oid": "1.3.36.3.3.2.8.1.1.7", + "form": "Weierstrass" + }, + { + "name": "brainpoolP256t1", + "description": null, + "oid": "1.3.36.3.3.2.8.1.1.8", + "form": "Weierstrass" + }, + { + "name": "brainpoolP320r1", + "description": null, + "oid": "1.3.36.3.3.2.8.1.1.9", + "form": "Weierstrass" + }, + { + "name": "brainpoolP320t1", + "description": null, + "oid": "1.3.36.3.3.2.8.1.1.10", + "form": "Weierstrass" + }, + { + "name": "brainpoolP384r1", + "description": null, + "oid": "1.3.36.3.3.2.8.1.1.11", + "form": "Weierstrass" + }, + { + "name": "brainpoolP384t1", + "description": null, + "oid": "1.3.36.3.3.2.8.1.1.12", + "form": "Weierstrass" + }, + { + "name": "brainpoolP512r1", + "description": null, + "oid": "1.3.36.3.3.2.8.1.1.13", + "form": "Weierstrass" + }, + { + "name": "brainpoolP512t1", + "description": null, + "oid": "1.3.36.3.3.2.8.1.1.14", + "form": "Weierstrass" + } + ] + }, + { + "name": "gost", 
+ "description": "GOST R 34.10-2001: RFC5832, GOST R 34.10-2012: RFC7836", + "curves": [ + { + "name": "gost256", + "description": "RFC5832", + "oid": null, + "form": "Weierstrass" + }, + { + "name": "gost512", + "description": "RFC5832", + "oid": null, + "form": "Weierstrass" + }, + { + "name": "id-GostR3410-2001-CryptoPro-A-ParamSet", + "description": "RFC4357", + "oid": null, + "form": "Weierstrass" + }, + { + "name": "id-GostR3410-2001-CryptoPro-B-ParamSet", + "description": "RFC4357", + "oid": null, + "form": "Weierstrass" + }, + { + "name": "id-GostR3410-2001-CryptoPro-C-ParamSet", + "description": "RFC4357", + "oid": null, + "form": "Weierstrass" + }, + { + "name": "id-tc26-gost-3410-12-512-paramSetA", + "description": "RFC7836", + "oid": null, + "form": "Weierstrass" + }, + { + "name": "id-tc26-gost-3410-12-512-paramSetB", + "description": "RFC7836", + "oid": null, + "form": "Weierstrass" + }, + { + "name": "id-tc26-gost-3410-2012-256-paramSetA", + "description": "RFC5832", + "oid": null, + "form": "TwistedEdwards" + }, + { + "name": "id-tc26-gost-3410-2012-512-paramSetC", + "description": "RFC5832", + "oid": null, + "form": "TwistedEdwards" + } + ] + }, + { + "name": "mnt", + "description": "MNT (Miyaji, Nakabayashi, and Takano curves) example curves from: New explicit conditions of elliptic curve traces for FR-reduction - https://dspace.jaist.ac.jp/dspace/bitstream/10119/4432/1/73-48.pdf.", + "curves": [ + { + "name": "mnt1", + "description": null, + "oid": null, + "form": "Weierstrass" + }, + { + "name": "mnt2/1", + "description": null, + "oid": null, + "form": "Weierstrass" + }, + { + "name": "mnt2/2", + "description": null, + "oid": null, + "form": "Weierstrass" + }, + { + "name": "mnt3/1", + "description": null, + "oid": null, + "form": "Weierstrass" + }, + { + "name": "mnt3/2", + "description": null, + "oid": null, + "form": "Weierstrass" + }, + { + "name": "mnt3/3", + "description": null, + "oid": null, + "form": "Weierstrass" + }, + { + "name": 
"mnt4", + "description": null, + "oid": null, + "form": "Weierstrass" + }, + { + "name": "mnt5/1", + "description": null, + "oid": null, + "form": "Weierstrass" + }, + { + "name": "mnt5/2", + "description": null, + "oid": null, + "form": "Weierstrass" + }, + { + "name": "mnt5/3", + "description": null, + "oid": null, + "form": "Weierstrass" + } + ] + }, + { + "name": "nist", + "description": "RECOMMENDED ELLIPTIC CURVES FOR FEDERAL GOVERNMENT USE July 1999", + "curves": [ + { + "name": "B-163", + "description": null, + "oid": "1.3.132.0.15", + "form": "Weierstrass", + "aliases": [ + { + "category": "secg", + "name": "sect163r2" + }, + { + "category": "x963", + "name": "ansit163r2" + } + ] + }, + { + "name": "B-233", + "description": null, + "oid": "1.3.132.0.27", + "form": "Weierstrass", + "aliases": [ + { + "category": "secg", + "name": "sect233r1" + }, + { + "category": "wtls", + "name": "wap-wsg-idm-ecid-wtls11" + }, + { + "category": "x963", + "name": "ansit233r1" + } + ] + }, + { + "name": "B-283", + "description": null, + "oid": "1.3.132.0.17", + "form": "Weierstrass", + "aliases": [ + { + "category": "secg", + "name": "sect283r1" + }, + { + "category": "x963", + "name": "ansit283r1" + } + ] + }, + { + "name": "B-409", + "description": null, + "oid": "1.3.132.0.37", + "form": "Weierstrass", + "aliases": [ + { + "category": "secg", + "name": "sect409r1" + }, + { + "category": "x963", + "name": "ansit409r1" + } + ] + }, + { + "name": "B-571", + "description": null, + "oid": "1.3.132.0.39", + "form": "Weierstrass", + "aliases": [ + { + "category": "secg", + "name": "sect571r1" + }, + { + "category": "x963", + "name": "ansit571r1" + } + ] + }, + { + "name": "K-163", + "description": "Koblitz curve.", + "oid": "1.3.132.0.1", + "form": "Weierstrass", + "aliases": [ + { + "category": "secg", + "name": "sect163k1" + }, + { + "category": "x963", + "name": "ansit163k1" + }, + { + "category": "wtls", + "name": "wap-wsg-idm-ecid-wtls3" + } + ] + }, + { + "name": "K-233", 
+ "description": "Koblitz curve.", + "oid": "1.3.132.0.26", + "form": "Weierstrass", + "aliases": [ + { + "category": "secg", + "name": "sect233k1" + }, + { + "category": "wtls", + "name": "wap-wsg-idm-ecid-wtls10" + }, + { + "category": "x963", + "name": "ansit233k1" + } + ] + }, + { + "name": "K-283", + "description": "Koblitz curve.", + "oid": "1.3.132.0.16", + "form": "Weierstrass", + "aliases": [ + { + "category": "secg", + "name": "sect283k1" + }, + { + "category": "x963", + "name": "ansit283k1" + } + ] + }, + { + "name": "K-409", + "description": "Koblitz curve.", + "oid": "1.3.132.0.36", + "form": "Weierstrass", + "aliases": [ + { + "category": "secg", + "name": "sect409k1" + }, + { + "category": "x963", + "name": "ansit409k1" + } + ] + }, + { + "name": "K-571", + "description": "Koblitz curve.", + "oid": "1.3.132.0.38", + "form": "Weierstrass", + "aliases": [ + { + "category": "secg", + "name": "sect571k1" + }, + { + "category": "x963", + "name": "ansit571k1" + } + ] + }, + { + "name": "P-192", + "description": null, + "oid": "1.2.840.10045.3.1.1", + "form": "Weierstrass", + "aliases": [ + { + "category": "secg", + "name": "secp192r1" + }, + { + "category": "x962", + "name": "prime192v1" + } + ] + }, + { + "name": "P-224", + "description": null, + "oid": "1.3.132.0.33", + "form": "Weierstrass", + "aliases": [ + { + "category": "secg", + "name": "secp224r1" + }, + { + "category": "wtls", + "name": "wap-wsg-idm-ecid-wtls12" + }, + { + "category": "x963", + "name": "ansip224r1" + } + ] + }, + { + "name": "P-256", + "description": null, + "oid": "1.2.840.10045.3.1.7", + "form": "Weierstrass", + "aliases": [ + { + "category": "secg", + "name": "secp256r1" + }, + { + "category": "x962", + "name": "prime256v1" + } + ] + }, + { + "name": "P-384", + "description": null, + "oid": "1.3.132.0.34", + "form": "Weierstrass", + "aliases": [ + { + "category": "secg", + "name": "secp384r1" + }, + { + "category": "x963", + "name": "ansip384r1" + } + ] + }, + { + "name": 
"P-521", + "description": null, + "oid": "1.3.132.0.35", + "form": "Weierstrass", + "aliases": [ + { + "category": "secg", + "name": "secp521r1" + }, + { + "category": "x963", + "name": "ansip521r1" + } + ] + } + ] + }, + { + "name": "nums", + "description": "Microsoft Nothing Up My Sleeve (NUMS) curves from: and ", + "curves": [ + { + "name": "ed-254-mont", + "description": "Curve from https://eprint.iacr.org/2014/130.pdf. No generator present.", + "oid": null, + "form": "TwistedEdwards" + }, + { + "name": "ed-255-mers", + "description": "Curve from https://eprint.iacr.org/2014/130.pdf. No generator present.", + "oid": null, + "form": "TwistedEdwards" + }, + { + "name": "ed-256-mont", + "description": "Curve from https://eprint.iacr.org/2014/130.pdf. No generator present.", + "oid": null, + "form": "TwistedEdwards" + }, + { + "name": "ed-382-mont", + "description": "Curve from https://eprint.iacr.org/2014/130.pdf. No generator present.", + "oid": null, + "form": "TwistedEdwards" + }, + { + "name": "ed-383-mers", + "description": "Curve from https://eprint.iacr.org/2014/130.pdf. No generator present.", + "oid": null, + "form": "TwistedEdwards" + }, + { + "name": "ed-384-mont", + "description": "Curve from https://eprint.iacr.org/2014/130.pdf. No generator present.", + "oid": null, + "form": "TwistedEdwards" + }, + { + "name": "ed-510-mont", + "description": "Curve from https://eprint.iacr.org/2014/130.pdf. No generator present.", + "oid": null, + "form": "TwistedEdwards" + }, + { + "name": "ed-511-mers", + "description": "Curve from https://eprint.iacr.org/2014/130.pdf. No generator present.", + "oid": null, + "form": "TwistedEdwards" + }, + { + "name": "ed-512-mont", + "description": "Curve from https://eprint.iacr.org/2014/130.pdf. 
No generator present.", + "oid": null, + "form": "TwistedEdwards" + }, + { + "name": "numsp256d1", + "description": null, + "oid": null, + "form": "Weierstrass" + }, + { + "name": "numsp256t1", + "description": null, + "oid": null, + "form": "TwistedEdwards" + }, + { + "name": "numsp384d1", + "description": null, + "oid": null, + "form": "Weierstrass" + }, + { + "name": "numsp384t1", + "description": null, + "oid": null, + "form": "TwistedEdwards" + }, + { + "name": "numsp512d1", + "description": null, + "oid": null, + "form": "Weierstrass" + }, + { + "name": "numsp512t1", + "description": null, + "oid": null, + "form": "TwistedEdwards" + }, + { + "name": "w-254-mont", + "description": "Curve from https://eprint.iacr.org/2014/130.pdf. No generator present.", + "oid": null, + "form": "Weierstrass" + }, + { + "name": "w-255-mers", + "description": "Curve from https://eprint.iacr.org/2014/130.pdf. No generator present.", + "oid": null, + "form": "Weierstrass" + }, + { + "name": "w-256-mont", + "description": "Curve from https://eprint.iacr.org/2014/130.pdf. No generator present.", + "oid": null, + "form": "Weierstrass" + }, + { + "name": "w-382-mont", + "description": "Curve from https://eprint.iacr.org/2014/130.pdf. No generator present.", + "oid": null, + "form": "Weierstrass" + }, + { + "name": "w-383-mers", + "description": "Curve from https://eprint.iacr.org/2014/130.pdf. No generator present.", + "oid": null, + "form": "Weierstrass" + }, + { + "name": "w-384-mont", + "description": "Curve from https://eprint.iacr.org/2014/130.pdf. No generator present.", + "oid": null, + "form": "Weierstrass" + }, + { + "name": "w-510-mont", + "description": "Curve from https://eprint.iacr.org/2014/130.pdf. No generator present.", + "oid": null, + "form": "Weierstrass" + }, + { + "name": "w-511-mers", + "description": "Curve from https://eprint.iacr.org/2014/130.pdf. 
No generator present.", + "oid": null, + "form": "Weierstrass" + }, + { + "name": "w-512-mont", + "description": "Curve from https://eprint.iacr.org/2014/130.pdf. No generator present.", + "oid": null, + "form": "Weierstrass" + } + ] + }, + { + "name": "oakley", + "description": "Oakley groups from and ", + "curves": [ + { + "name": "192-bit Random ECP Group", + "description": "Defined in IETF in RFC5114", + "oid": null, + "form": "Weierstrass" + }, + { + "name": "224-bit Random ECP Group", + "description": "Defined in IETF in RFC5114", + "oid": null, + "form": "Weierstrass" + }, + { + "name": "256-bit Random ECP Group", + "description": "Defined in IETF in RFC5114", + "oid": null, + "form": "Weierstrass" + }, + { + "name": "384-bit Random ECP Group", + "description": "Defined in IETF in RFC5114", + "oid": null, + "form": "Weierstrass" + }, + { + "name": "521-bit Random ECP Group", + "description": "Defined in IETF in RFC5114", + "oid": null, + "form": "Weierstrass" + }, + { + "name": "Oakley Group 3", + "description": "Defined in IETF in RFC2409, no generator present.", + "oid": null, + "form": "Weierstrass" + }, + { + "name": "Oakley Group 4", + "description": "Defined in IETF in RFC2409, no generator present.", + "oid": null, + "form": "Weierstrass" + } + ] + }, + { + "name": "oscaa", + "description": "http://gmssl.org/english.html", + "curves": [ + { + "name": "SM2", + "description": null, + "oid": "1.2.156.10197.1.301", + "form": "Weierstrass" + } + ] + }, + { + "name": "other", + "description": "An assortment of some other curves.", + "curves": [ + { + "name": "BADA55-R-256", + "description": "BADA55 curve from the https://bada55.cr.yp.to/bada55-20150927.pdf", + "oid": null, + "form": "Weierstrass" + }, + { + "name": "BADA55-VPR-224", + "description": "BADA55 curve from the https://bada55.cr.yp.to/bada55-20150927.pdf", + "oid": null, + "form": "Weierstrass" + }, + { + "name": "BADA55-VPR2-224", + "description": "BADA55 curve from the 
https://bada55.cr.yp.to/bada55-20150927.pdf", + "oid": null, + "form": "Weierstrass" + }, + { + "name": "BADA55-VR-224", + "description": "BADA55 curve from the https://bada55.cr.yp.to/bada55-20150927.pdf", + "oid": null, + "form": "Weierstrass" + }, + { + "name": "BADA55-VR-256", + "description": "BADA55 curve from the https://bada55.cr.yp.to/bada55-20150927.pdf", + "oid": null, + "form": "Weierstrass" + }, + { + "name": "BADA55-VR-384", + "description": "BADA55 curve from the https://bada55.cr.yp.to/bada55-20150927.pdf", + "oid": null, + "form": "Weierstrass" + }, + { + "name": "Curve1174", + "description": "Curve from https://eprint.iacr.org/2013/325.pdf", + "oid": null, + "form": "Weierstrass" + }, + { + "name": "Curve22103", + "description": "Curve from https://github.com/relic-toolkit/relic", + "oid": null, + "form": "Weierstrass" + }, + { + "name": "Curve25519", + "description": "Curve from https://cr.yp.to/ecdh.html", + "oid": null, + "form": "Montgomery" + }, + { + "name": "Curve383187", + "description": null, + "oid": null, + "form": "Montgomery" + }, + { + "name": "Curve41417", + "description": "Curve from https://cr.yp.to/talks/2013.09.16/slides-djb-20130916-a4.pdf", + "oid": null, + "form": "TwistedEdwards" + }, + { + "name": "Curve4417", + "description": "Curve from https://github.com/relic-toolkit/relic", + "oid": null, + "form": "Weierstrass" + }, + { + "name": "Curve448", + "description": "Curve from https://datatracker.ietf.org/doc/html/rfc7748", + "oid": null, + "form": "Montgomery" + }, + { + "name": "Curve67254", + "description": "Curve from https://github.com/relic-toolkit/relic", + "oid": null, + "form": "Weierstrass" + }, + { + "name": "E-222", + "description": "Curve from https://eprint.iacr.org/2013/647.pdf", + "oid": null, + "form": "Edwards" + }, + { + "name": "E-382", + "description": "Curve from https://eprint.iacr.org/2013/647.pdf", + "oid": null, + "form": "Edwards" + }, + { + "name": "E-521", + "description": "Curve from 
https://eprint.iacr.org/2013/647.pdf", + "oid": null, + "form": "Edwards" + }, + { + "name": "Ed25519", + "description": "Curve from https://ed25519.cr.yp.to", + "oid": null, + "form": "TwistedEdwards" + }, + { + "name": "Ed448", + "description": "Curve from https://datatracker.ietf.org/doc/html/draft-ietf-lwig-curve-representations-23", + "oid": null, + "form": "TwistedEdwards" + }, + { + "name": "Ed448-Goldilocks", + "description": "Curve from https://eprint.iacr.org/2015/625.pdf", + "oid": null, + "form": "TwistedEdwards" + }, + { + "name": "FourQ", + "description": "Curve used in https://eprint.iacr.org/2015/565.pdf", + "oid": null, + "form": "TwistedEdwards" + }, + { + "name": "Fp224BN", + "description": "Curve described in https://www.iso.org/standard/80241.html", + "oid": null, + "form": "Weierstrass" + }, + { + "name": "Fp254BNa", + "description": "Curve used in: https://eprint.iacr.org/2010/354.pdf", + "oid": null, + "form": "Weierstrass" + }, + { + "name": "Fp254BNb", + "description": "Curve used in https://www.iacr.org/archive/eurocrypt2011/66320047/66320047.pdf", + "oid": null, + "form": "Weierstrass", + "aliases": [ + { + "category": "bn", + "name": "bn254" + } + ] + }, + { + "name": "Fp254n2BNa", + "description": "Curve used in: https://eprint.iacr.org/2010/354.pdf", + "oid": null, + "form": "Weierstrass" + }, + { + "name": "Fp256BN", + "description": "Curve described in https://www.iso.org/standard/80241.html", + "oid": null, + "form": "Weierstrass" + }, + { + "name": "Fp384BN", + "description": "Curve described in https://www.iso.org/standard/80241.html", + "oid": null, + "form": "Weierstrass" + }, + { + "name": "Fp512BN", + "description": "Curve described in https://www.iso.org/standard/80241.html", + "oid": null, + "form": "Weierstrass" + }, + { + "name": "JubJub", + "description": "JubJub curve from .", + "oid": null, + "form": "TwistedEdwards" + }, + { + "name": "M-221", + "description": "Curve from https://eprint.iacr.org/2013/647.pdf", + 
"oid": null, + "form": "Montgomery" + }, + { + "name": "M-383", + "description": "Curve from https://eprint.iacr.org/2013/647.pdf", + "oid": null, + "form": "Montgomery" + }, + { + "name": "M-511", + "description": "Curve from https://eprint.iacr.org/2013/647.pdf", + "oid": null, + "form": "Montgomery" + }, + { + "name": "MDC201601", + "description": "The Million Dollar Curve", + "oid": null, + "form": "Edwards" + }, + { + "name": "Pallas", + "description": "Pallas curve from the [Pasta curves](https://electriccoin.co/blog/the-pasta-curves-for-halo-2-and-beyond/).", + "oid": null, + "form": "Weierstrass" + }, + { + "name": "Tom-256", + "description": "Tom-256 curve from https://eprint.iacr.org/2021/1183.pdf", + "oid": null, + "form": "Weierstrass" + }, + { + "name": "Tom-384", + "description": "Tom-384 curve from https://eprint.iacr.org/2021/1183.pdf", + "oid": null, + "form": "Weierstrass" + }, + { + "name": "Tom-521", + "description": "Tom-521 curve from https://eprint.iacr.org/2021/1183.pdf", + "oid": null, + "form": "Weierstrass" + }, + { + "name": "Tweedledee", + "description": "Tweedledee pairing friendly curve from .", + "oid": null, + "form": "Weierstrass" + }, + { + "name": "Tweedledum", + "description": "Tweedledum pairing friendly curve from .", + "oid": null, + "form": "Weierstrass" + }, + { + "name": "Vesta", + "description": "Vesta curve from the [Pasta curves](https://electriccoin.co/blog/the-pasta-curves-for-halo-2-and-beyond/).", + "oid": null, + "form": "Weierstrass" + }, + { + "name": "ssc-160", + "description": "A prime order curve from MIRACL: https://github.com/miracl/MIRACL/blob/master/docs/miracl-explained/miracl-standard-curves.md. Has no generator specified.", + "oid": null, + "form": "Weierstrass" + }, + { + "name": "ssc-192", + "description": "A prime order curve from MIRACL: https://github.com/miracl/MIRACL/blob/master/docs/miracl-explained/miracl-standard-curves.md. 
Has no generator specified.", + "oid": null, + "form": "Weierstrass" + }, + { + "name": "ssc-224", + "description": "A prime order curve from MIRACL: https://github.com/miracl/MIRACL/blob/master/docs/miracl-explained/miracl-standard-curves.md. Has no generator specified.", + "oid": null, + "form": "Weierstrass" + }, + { + "name": "ssc-256", + "description": "A prime order curve from MIRACL: https://github.com/miracl/MIRACL/blob/master/docs/miracl-explained/miracl-standard-curves.md. Has no generator specified.", + "oid": null, + "form": "Weierstrass" + }, + { + "name": "ssc-288", + "description": "A prime order curve from MIRACL: https://github.com/miracl/MIRACL/blob/master/docs/miracl-explained/miracl-standard-curves.md. Has no generator specified.", + "oid": null, + "form": "Weierstrass" + }, + { + "name": "ssc-320", + "description": "A prime order curve from MIRACL: https://github.com/miracl/MIRACL/blob/master/docs/miracl-explained/miracl-standard-curves.md. Has no generator specified.", + "oid": null, + "form": "Weierstrass" + }, + { + "name": "ssc-384", + "description": "A prime order curve from MIRACL: https://github.com/miracl/MIRACL/blob/master/docs/miracl-explained/miracl-standard-curves.md. Has no generator specified.", + "oid": null, + "form": "Weierstrass" + }, + { + "name": "ssc-512", + "description": "A prime order curve from MIRACL: https://github.com/miracl/MIRACL/blob/master/docs/miracl-explained/miracl-standard-curves.md. Has no generator specified.", + "oid": null, + "form": "Weierstrass" + } + ] + }, + { + "name": "secg", + "description": "SEC 2: Recommended Elliptic Curve Domain Parameters version 2.0 January 27, 2010", + "curves": [ + { + "name": "secp112r1", + "description": "A randomly generated curve. 
[SEC2v1](https://www.secg.org/SEC2-Ver-1.0.pdf) states 'E was chosen verifiably at random as specified in ANSI X9.62 [1] from the seed'.", + "oid": "1.3.132.0.6", + "form": "Weierstrass", + "aliases": [ + { + "category": "wtls", + "name": "wap-wsg-idm-ecid-wtls6" + } + ] + }, + { + "name": "secp112r2", + "description": "A randomly generated curve. [SEC2v1](https://www.secg.org/SEC2-Ver-1.0.pdf) states 'E was chosen verifiably at random as specified in ANSI X9.62 [1] from the seed'.", + "oid": "1.3.132.0.7", + "form": "Weierstrass" + }, + { + "name": "secp128r1", + "description": "A randomly generated curve. [SEC2v1](https://www.secg.org/SEC2-Ver-1.0.pdf) states 'E was chosen verifiably at random as specified in ANSI X9.62 [1] from the seed'.", + "oid": "1.3.132.0.28", + "form": "Weierstrass" + }, + { + "name": "secp128r2", + "description": "A randomly generated curve. [SEC2v1](https://www.secg.org/SEC2-Ver-1.0.pdf) states 'E was chosen verifiably at random as specified in ANSI X9.62 [1] from the seed'.", + "oid": "1.3.132.0.29", + "form": "Weierstrass" + }, + { + "name": "secp160k1", + "description": "A Koblitz curve.", + "oid": "1.3.132.0.9", + "form": "Weierstrass", + "aliases": [ + { + "category": "x963", + "name": "ansip160k1" + } + ] + }, + { + "name": "secp160r1", + "description": "A randomly generated curve. [SEC2v1](https://www.secg.org/SEC2-Ver-1.0.pdf) states 'E was chosen verifiably at random as specified in ANSI X9.62 [1] from the seed'.", + "oid": "1.3.132.0.8", + "form": "Weierstrass", + "aliases": [ + { + "category": "wtls", + "name": "wap-wsg-idm-ecid-wtls7" + }, + { + "category": "x963", + "name": "ansip160r1" + } + ] + }, + { + "name": "secp160r2", + "description": "A randomly generated curve. 
[SEC2v1](https://www.secg.org/SEC2-Ver-1.0.pdf) states 'E was chosen verifiably at random as specified in ANSI X9.62 [1] from the seed'.", + "oid": "1.3.132.0.30", + "form": "Weierstrass", + "aliases": [ + { + "category": "x963", + "name": "ansip160r2" + } + ] + }, + { + "name": "secp192k1", + "description": "A Koblitz curve.", + "oid": "1.3.132.0.31", + "form": "Weierstrass", + "aliases": [ + { + "category": "x963", + "name": "ansip192k1" + } + ] + }, + { + "name": "secp192r1", + "description": "A randomly generated curve. [SEC2v1](https://www.secg.org/SEC2-Ver-1.0.pdf) states 'E was chosen verifiably at random as specified in ANSI X9.62 [1] from the seed'.", + "oid": "1.2.840.10045.3.1.1", + "form": "Weierstrass", + "aliases": [ + { + "category": "nist", + "name": "P-192" + }, + { + "category": "x962", + "name": "prime192v1" + } + ] + }, + { + "name": "secp224k1", + "description": "A Koblitz curve.", + "oid": "1.3.132.0.32", + "form": "Weierstrass", + "aliases": [ + { + "category": "x963", + "name": "ansip224k1" + } + ] + }, + { + "name": "secp224r1", + "description": "A randomly generated curve. [SEC2v1](https://www.secg.org/SEC2-Ver-1.0.pdf) states 'E was chosen verifiably at random as specified in ANSI X9.62 [1] from the seed'.", + "oid": "1.3.132.0.33", + "form": "Weierstrass", + "aliases": [ + { + "category": "nist", + "name": "P-224" + }, + { + "category": "wtls", + "name": "wap-wsg-idm-ecid-wtls12" + }, + { + "category": "x963", + "name": "ansip224r1" + } + ] + }, + { + "name": "secp256k1", + "description": "A Koblitz curve.", + "oid": "1.3.132.0.10", + "form": "Weierstrass", + "aliases": [ + { + "category": "x963", + "name": "ansip256k1" + } + ] + }, + { + "name": "secp256r1", + "description": "A randomly generated curve. 
[SEC2v1](https://www.secg.org/SEC2-Ver-1.0.pdf) states 'E was chosen verifiably at random as specified in ANSI X9.62 [1] from the seed'.", + "oid": "1.2.840.10045.3.1.7", + "form": "Weierstrass", + "aliases": [ + { + "category": "nist", + "name": "P-256" + }, + { + "category": "x962", + "name": "prime256v1" + } + ] + }, + { + "name": "secp384r1", + "description": null, + "oid": "1.3.132.0.34", + "form": "Weierstrass", + "aliases": [ + { + "category": "nist", + "name": "P-384" + }, + { + "category": "x963", + "name": "ansip384r1" + } + ] + }, + { + "name": "secp521r1", + "description": null, + "oid": "1.3.132.0.35", + "form": "Weierstrass", + "aliases": [ + { + "category": "nist", + "name": "P-521" + }, + { + "category": "x963", + "name": "ansip521r1" + } + ] + }, + { + "name": "sect113r1", + "description": null, + "oid": "1.3.132.0.4", + "form": "Weierstrass", + "aliases": [ + { + "category": "wtls", + "name": "wap-wsg-idm-ecid-wtls4" + } + ] + }, + { + "name": "sect113r2", + "description": null, + "oid": "1.3.132.0.5", + "form": "Weierstrass" + }, + { + "name": "sect131r1", + "description": null, + "oid": "1.3.132.0.22", + "form": "Weierstrass" + }, + { + "name": "sect131r2", + "description": null, + "oid": "1.3.132.0.23", + "form": "Weierstrass" + }, + { + "name": "sect163k1", + "description": null, + "oid": "1.3.132.0.1", + "form": "Weierstrass", + "aliases": [ + { + "category": "nist", + "name": "K-163" + }, + { + "category": "x963", + "name": "ansit163k1" + }, + { + "category": "wtls", + "name": "wap-wsg-idm-ecid-wtls3" + } + ] + }, + { + "name": "sect163r1", + "description": "A randomly generated curve, using the SECG/X9.62 method. 'However for historical reasons the method used to generate E from S differs slightly from the method described in ANSI X9.62 [X9.62]. 
Specifically the coefficient b produced from S is the reverse of the coefficient that would have been produced by the method described in ANSI X9.62.'", + "oid": "1.3.132.0.2", + "form": "Weierstrass", + "aliases": [ + { + "category": "x963", + "name": "ansit163r1" + } + ] + }, + { + "name": "sect163r2", + "description": "A randomly generated curve. 'E was selected from S as specified in ANSI X9.62 [X9.62] in normal basis representation and converted into polynomial basis representation.'", + "oid": "1.3.132.0.15", + "form": "Weierstrass", + "aliases": [ + { + "category": "nist", + "name": "B-163" + }, + { + "category": "x963", + "name": "ansit163r2" + } + ] + }, + { + "name": "sect193r1", + "description": null, + "oid": "1.3.132.0.24", + "form": "Weierstrass", + "aliases": [ + { + "category": "x963", + "name": "ansit193r1" + } + ] + }, + { + "name": "sect193r2", + "description": null, + "oid": "1.3.132.0.25", + "form": "Weierstrass", + "aliases": [ + { + "category": "x963", + "name": "ansit193r2" + } + ] + }, + { + "name": "sect233k1", + "description": null, + "oid": "1.3.132.0.26", + "form": "Weierstrass", + "aliases": [ + { + "category": "nist", + "name": "K-233" + }, + { + "category": "wtls", + "name": "wap-wsg-idm-ecid-wtls10" + }, + { + "category": "x963", + "name": "ansit233k1" + } + ] + }, + { + "name": "sect233r1", + "description": null, + "oid": "1.3.132.0.27", + "form": "Weierstrass", + "aliases": [ + { + "category": "nist", + "name": "B-233" + }, + { + "category": "wtls", + "name": "wap-wsg-idm-ecid-wtls11" + }, + { + "category": "x963", + "name": "ansit233r1" + } + ] + }, + { + "name": "sect239k1", + "description": null, + "oid": "1.3.132.0.3", + "form": "Weierstrass", + "aliases": [ + { + "category": "x963", + "name": "ansit239k1" + } + ] + }, + { + "name": "sect283k1", + "description": null, + "oid": "1.3.132.0.16", + "form": "Weierstrass", + "aliases": [ + { + "category": "nist", + "name": "K-283" + }, + { + "category": "x963", + "name": 
"ansit283k1" + } + ] + }, + { + "name": "sect283r1", + "description": null, + "oid": "1.3.132.0.17", + "form": "Weierstrass", + "aliases": [ + { + "category": "nist", + "name": "B-283" + }, + { + "category": "x963", + "name": "ansit283r1" + } + ] + }, + { + "name": "sect409k1", + "description": null, + "oid": "1.3.132.0.36", + "form": "Weierstrass", + "aliases": [ + { + "category": "nist", + "name": "K-409" + }, + { + "category": "x963", + "name": "ansit409k1" + } + ] + }, + { + "name": "sect409r1", + "description": null, + "oid": "1.3.132.0.37", + "form": "Weierstrass", + "aliases": [ + { + "category": "nist", + "name": "B-409" + }, + { + "category": "x963", + "name": "ansit409r1" + } + ] + }, + { + "name": "sect571k1", + "description": null, + "oid": "1.3.132.0.38", + "form": "Weierstrass", + "aliases": [ + { + "category": "nist", + "name": "K-571" + }, + { + "category": "x963", + "name": "ansit571k1" + } + ] + }, + { + "name": "sect571r1", + "description": null, + "oid": "1.3.132.0.39", + "form": "Weierstrass", + "aliases": [ + { + "category": "nist", + "name": "B-571" + }, + { + "category": "x963", + "name": "ansit571r1" + } + ] + } + ] + }, + { + "name": "wtls", + "description": "Wireless Application Protocol - Wireless Transport Layer Security (WAP-WTLS) curves: ", + "curves": [ + { + "name": "wap-wsg-idm-ecid-wtls1", + "description": null, + "oid": "2.23.43.1.4.1", + "form": "Weierstrass" + }, + { + "name": "wap-wsg-idm-ecid-wtls10", + "description": null, + "oid": "2.23.43.1.4.10", + "form": "Weierstrass", + "aliases": [ + { + "category": "secg", + "name": "sect233k1" + }, + { + "category": "nist", + "name": "K-233" + }, + { + "category": "x963", + "name": "ansit233k1" + } + ] + }, + { + "name": "wap-wsg-idm-ecid-wtls11", + "description": null, + "oid": "2.23.43.1.4.11", + "form": "Weierstrass", + "aliases": [ + { + "category": "secg", + "name": "sect233r1" + }, + { + "category": "nist", + "name": "B-233" + }, + { + "category": "x963", + "name": 
"ansit233r1" + } + ] + }, + { + "name": "wap-wsg-idm-ecid-wtls12", + "description": null, + "oid": "2.23.43.1.4.12", + "form": "Weierstrass", + "aliases": [ + { + "category": "secg", + "name": "secp224r1" + }, + { + "category": "nist", + "name": "P-224" + }, + { + "category": "x963", + "name": "ansip224r1" + } + ] + }, + { + "name": "wap-wsg-idm-ecid-wtls3", + "description": null, + "oid": "2.23.43.1.4.3", + "form": "Weierstrass", + "aliases": [ + { + "category": "nist", + "name": "K-163" + }, + { + "category": "secg", + "name": "sect163k1" + }, + { + "category": "x963", + "name": "ansit163k1" + } + ] + }, + { + "name": "wap-wsg-idm-ecid-wtls4", + "description": null, + "oid": "2.23.43.1.4.4", + "form": "Weierstrass", + "aliases": [ + { + "category": "secg", + "name": "sect113r1" + } + ] + }, + { + "name": "wap-wsg-idm-ecid-wtls5", + "description": null, + "oid": "2.23.43.1.4.5", + "form": "Weierstrass", + "aliases": [ + { + "category": "x962", + "name": "c2pnb163v1" + } + ] + }, + { + "name": "wap-wsg-idm-ecid-wtls6", + "description": null, + "oid": "2.23.43.1.4.6", + "form": "Weierstrass", + "aliases": [ + { + "category": "secg", + "name": "secp112r1" + } + ] + }, + { + "name": "wap-wsg-idm-ecid-wtls7", + "description": null, + "oid": "2.23.43.1.4.7", + "form": "Weierstrass", + "aliases": [ + { + "category": "secg", + "name": "secp160r1" + }, + { + "category": "x963", + "name": "ansip160r1" + } + ] + }, + { + "name": "wap-wsg-idm-ecid-wtls8", + "description": null, + "oid": "2.23.43.1.4.8", + "form": "Weierstrass" + }, + { + "name": "wap-wsg-idm-ecid-wtls9", + "description": null, + "oid": "2.23.43.1.4.9", + "form": "Weierstrass" + } + ] + }, + { + "name": "x962", + "description": "ANSI x9.62 example curves.", + "curves": [ + { + "name": "c2onb191v4", + "description": "A binary-field curve in optimal normal basis", + "oid": "1.2.840.10045.3.0.8", + "form": "Weierstrass" + }, + { + "name": "c2onb191v5", + "description": "A binary-field curve in optimal normal 
basis", + "oid": "1.2.840.10045.3.0.9", + "form": "Weierstrass" + }, + { + "name": "c2onb239v4", + "description": "A binary-field curve in optimal normal basis", + "oid": "1.2.840.10045.3.0.14", + "form": "Weierstrass" + }, + { + "name": "c2onb239v5", + "description": "A binary-field curve in optimal normal basis", + "oid": "1.2.840.10045.3.0.15", + "form": "Weierstrass" + }, + { + "name": "c2pnb163v1", + "description": null, + "oid": "1.2.840.10045.3.0.1", + "form": "Weierstrass", + "aliases": [ + { + "category": "wtls", + "name": "wap-wsg-idm-ecid-wtls5" + } + ] + }, + { + "name": "c2pnb163v2", + "description": null, + "oid": "1.2.840.10045.3.0.2", + "form": "Weierstrass" + }, + { + "name": "c2pnb163v3", + "description": null, + "oid": "1.2.840.10045.3.0.3", + "form": "Weierstrass" + }, + { + "name": "c2pnb176w1", + "description": null, + "oid": "1.2.840.10045.3.0.4", + "form": "Weierstrass" + }, + { + "name": "c2pnb208w1", + "description": null, + "oid": "1.2.840.10045.3.0.10", + "form": "Weierstrass" + }, + { + "name": "c2pnb272w1", + "description": null, + "oid": "1.2.840.10045.3.0.16", + "form": "Weierstrass" + }, + { + "name": "c2pnb304w1", + "description": null, + "oid": "1.2.840.10045.3.0.17", + "form": "Weierstrass" + }, + { + "name": "c2pnb368w1", + "description": null, + "oid": "1.2.840.10045.3.0.19", + "form": "Weierstrass" + }, + { + "name": "c2tnb191v1", + "description": null, + "oid": "1.2.840.10045.3.0.5", + "form": "Weierstrass" + }, + { + "name": "c2tnb191v2", + "description": null, + "oid": "1.2.840.10045.3.0.6", + "form": "Weierstrass" + }, + { + "name": "c2tnb191v3", + "description": null, + "oid": "1.2.840.10045.3.0.7", + "form": "Weierstrass" + }, + { + "name": "c2tnb239v1", + "description": null, + "oid": "1.2.840.10045.3.0.11", + "form": "Weierstrass" + }, + { + "name": "c2tnb239v2", + "description": null, + "oid": "1.2.840.10045.3.0.12", + "form": "Weierstrass" + }, + { + "name": "c2tnb239v3", + "description": null, + "oid": 
"1.2.840.10045.3.0.13", + "form": "Weierstrass" + }, + { + "name": "c2tnb359v1", + "description": null, + "oid": "1.2.840.10045.3.0.18", + "form": "Weierstrass" + }, + { + "name": "c2tnb431r1", + "description": null, + "oid": "1.2.840.10045.3.0.20", + "form": "Weierstrass" + }, + { + "name": "prime192v1", + "description": null, + "oid": "1.2.840.10045.3.1.1", + "form": "Weierstrass", + "aliases": [ + { + "category": "secg", + "name": "secp192r1" + }, + { + "category": "nist", + "name": "P-192" + } + ] + }, + { + "name": "prime192v2", + "description": null, + "oid": "1.2.840.10045.3.1.2", + "form": "Weierstrass" + }, + { + "name": "prime192v3", + "description": null, + "oid": "1.2.840.10045.3.1.3", + "form": "Weierstrass" + }, + { + "name": "prime239v1", + "description": null, + "oid": "1.2.840.10045.3.1.4", + "form": "Weierstrass" + }, + { + "name": "prime239v2", + "description": null, + "oid": "1.2.840.10045.3.1.5", + "form": "Weierstrass" + }, + { + "name": "prime239v3", + "description": null, + "oid": "1.2.840.10045.3.1.6", + "form": "Weierstrass" + }, + { + "name": "prime256v1", + "description": null, + "oid": "1.2.840.10045.3.1.7", + "form": "Weierstrass", + "aliases": [ + { + "category": "secg", + "name": "secp256r1" + }, + { + "category": "nist", + "name": "P-256" + } + ] + } + ] + }, + { + "name": "x963", + "description": "ANSI x9.63 example curves.", + "curves": [ + { + "name": "ansip160k1", + "description": null, + "oid": "1.3.132.0.9", + "form": "Weierstrass", + "aliases": [ + { + "category": "secg", + "name": "secp160k1" + } + ] + }, + { + "name": "ansip160r1", + "description": null, + "oid": "1.3.132.0.8", + "form": "Weierstrass", + "aliases": [ + { + "category": "secg", + "name": "secp160r1" + }, + { + "category": "wtls", + "name": "wap-wsg-idm-ecid-wtls7" + } + ] + }, + { + "name": "ansip160r2", + "description": null, + "oid": "1.3.132.0.30", + "form": "Weierstrass", + "aliases": [ + { + "category": "secg", + "name": "secp160r2" + } + ] + }, + { + 
"name": "ansip192k1", + "description": null, + "oid": "1.3.132.0.31", + "form": "Weierstrass", + "aliases": [ + { + "category": "secg", + "name": "secp192k1" + } + ] + }, + { + "name": "ansip224k1", + "description": null, + "oid": "1.3.132.0.32", + "form": "Weierstrass", + "aliases": [ + { + "category": "secg", + "name": "secp224k1" + } + ] + }, + { + "name": "ansip224r1", + "description": null, + "oid": "1.3.132.0.33", + "form": "Weierstrass", + "aliases": [ + { + "category": "wtls", + "name": "wap-wsg-idm-ecid-wtls12" + }, + { + "category": "nist", + "name": "P-224" + }, + { + "category": "secg", + "name": "secp224r1" + } + ] + }, + { + "name": "ansip256k1", + "description": null, + "oid": "1.3.132.0.10", + "form": "Weierstrass", + "aliases": [ + { + "category": "secg", + "name": "secp256k1" + } + ] + }, + { + "name": "ansip384r1", + "description": null, + "oid": "1.3.132.0.34", + "form": "Weierstrass", + "aliases": [ + { + "category": "secg", + "name": "secp384r1" + }, + { + "category": "nist", + "name": "P-384" + } + ] + }, + { + "name": "ansip521r1", + "description": null, + "oid": "1.3.132.0.35", + "form": "Weierstrass", + "aliases": [ + { + "category": "secg", + "name": "secp521r1" + }, + { + "category": "nist", + "name": "P-521" + } + ] + }, + { + "name": "ansit163k1", + "description": null, + "oid": "1.3.132.0.1", + "form": "Weierstrass", + "aliases": [ + { + "category": "secg", + "name": "sect163k1" + }, + { + "category": "nist", + "name": "k-163" + }, + { + "category": "wtls", + "name": "wap-wsg-idm-ecid-wtls3" + } + ] + }, + { + "name": "ansit163r1", + "description": null, + "oid": "1.3.132.0.2", + "form": "Weierstrass", + "aliases": [ + { + "category": "secg", + "name": "sect163r1" + } + ] + }, + { + "name": "ansit163r2", + "description": null, + "oid": "1.3.132.0.15", + "form": "Weierstrass", + "aliases": [ + { + "category": "secg", + "name": "sect163r2" + }, + { + "category": "nist", + "name": "B-163" + } + ] + }, + { + "name": "ansit193r1", + 
"description": null, + "oid": "1.3.132.0.24", + "form": "Weierstrass", + "aliases": [ + { + "category": "secg", + "name": "sect193r1" + } + ] + }, + { + "name": "ansit193r2", + "description": null, + "oid": "1.3.132.0.25", + "form": "Weierstrass", + "aliases": [ + { + "category": "secg", + "name": "sect193r2" + } + ] + }, + { + "name": "ansit233k1", + "description": null, + "oid": "1.3.132.0.26", + "form": "Weierstrass", + "aliases": [ + { + "category": "secg", + "name": "sect233k1" + }, + { + "category": "nist", + "name": "K-233" + }, + { + "category": "wtls", + "name": "wap-wsg-idm-ecid-wtls10" + } + ] + }, + { + "name": "ansit233r1", + "description": null, + "oid": "1.3.132.0.27", + "form": "Weierstrass", + "aliases": [ + { + "category": "wtls", + "name": "wap-wsg-idm-ecid-wtls11" + }, + { + "category": "nist", + "name": "B-233" + }, + { + "category": "secg", + "name": "sect233r1" + } + ] + }, + { + "name": "ansit239k1", + "description": null, + "oid": "1.3.132.0.3", + "form": "Weierstrass", + "aliases": [ + { + "category": "secg", + "name": "sect239k1" + } + ] + }, + { + "name": "ansit283k1", + "description": null, + "oid": "1.3.132.0.16", + "form": "Weierstrass", + "aliases": [ + { + "category": "nist", + "name": "K-283" + }, + { + "category": "secg", + "name": "sect283k1" + } + ] + }, + { + "name": "ansit283r1", + "description": null, + "oid": "1.3.132.0.17", + "form": "Weierstrass", + "aliases": [ + { + "category": "nist", + "name": "B-283" + }, + { + "category": "secg", + "name": "sect283r1" + } + ] + }, + { + "name": "ansit409k1", + "description": null, + "oid": "1.3.132.0.36", + "form": "Weierstrass", + "aliases": [ + { + "category": "nist", + "name": "K-409" + }, + { + "category": "secg", + "name": "sect409k1" + } + ] + }, + { + "name": "ansit409r1", + "description": null, + "oid": "1.3.132.0.37", + "form": "Weierstrass", + "aliases": [ + { + "category": "nist", + "name": "B-409" + }, + { + "category": "secg", + "name": "sect409r1" + } + ] + }, + { + 
"name": "ansit571k1", + "description": null, + "oid": "1.3.132.0.38", + "form": "Weierstrass", + "aliases": [ + { + "category": "nist", + "name": "K-571" + }, + { + "category": "secg", + "name": "sect571k1" + } + ] + }, + { + "name": "ansit571r1", + "description": null, + "oid": "1.3.132.0.39", + "form": "Weierstrass", + "aliases": [ + { + "category": "nist", + "name": "B-571" + }, + { + "category": "secg", + "name": "sect571r1" + } + ] + } + ] + } + ] +} diff --git a/schema/cryptography-defs.schema.json b/schema/cryptography-defs.schema.json new file mode 100644 index 0000000..1f06fdf --- /dev/null +++ b/schema/cryptography-defs.schema.json 
@@ -0,0 +1,576 @@ +{ + "$schema": "http://json-schema.org/draft-07/schema#", + "$id": "http://cyclonedx.org/schema/cryptography-defs.schema.json", + "$comment": "2025-09-07T11:12:52Z", + "title": "Cryptographic Algorithm Family Definitions", + "description": "Enumerates cryptographic algorithm families and their specific metadata.", + "type": "object", + "additionalProperties": false, + "properties": { + "$schema": { + "type": "string" + }, + "lastUpdated": { + "type": "string", + "format": "date-time", + "title": "Last Updated", + "description": "The date and time (timestamp) when the data was last updated." + }, + "algorithms": { + "type": "array", + "title": "Algorithm Families", + "description": "An array of cryptographic algorithm family definitions.", + "items": { + "type": "object", + "title": "Algorithm Family", + "description": "Defines a cryptographic algorithm family and its metadata.", + "additionalProperties": false, + "properties": { + "family": { + "type": "string", + "title": "Algorithm Family", + "description": "The name of the cryptographic algorithm family." + }, + "standard": { + "type": "array", + "title": "Standards", + "description": "List of standards defining or relating to the algorithm family.", + "items": { + "type": "object", + "title": "Standard Reference", + "description": "Reference to a standard, including its name and URL.", + "additionalProperties": false, + "properties": { + "name": { + "type": "string", + "title": "Standard Name", + "description": "The name or identifier of the standard." + }, + "url": { + "type": "string", + "format": "iri-reference", + "title": "Standard URL", + "description": "A URL pointing to the standard's official documentation." 
+ } + }, + "required": [ + "name", + "url" + ] + } + }, + "variant": { + "type": "array", + "title": "Variants", + "description": "Defines algorithm variants by a naming pattern and the corresponding cryptographic primitive.", + "items": { + "type": "object", + "title": "Standard Reference", + "description": "Reference to a standard, including its name and URL.", + "additionalProperties": false, + "properties": { + "pattern": { + "type": "string", + "title": "Standard Name", + "description": "Defines the pattern used to construct the complete algorithm name. Placeholders are defined by {} for algorithm-specific properties." + }, + "primitive": { + "type": "string", + "title": "Primitive", + "description": "Type of cryptographic primitive (e.g., signature, encryption, hash)." + }, + "standard": { + "type": "array", + "title": "Standards", + "description": "List of standards defining or relating to the algorithm variant.", + "items": { + "type": "object", + "title": "Standard Reference", + "description": "Reference to a standard, including its name and URL.", + "additionalProperties": false, + "properties": { + "name": { + "type": "string", + "title": "Standard Name", + "description": "The name or identifier of the standard." + }, + "url": { + "type": "string", + "format": "iri-reference", + "title": "Standard URL", + "description": "A URL pointing to the standard's official documentation." 
+ } + }, + "required": [ + "name", + "url" + ] + } + } + }, + "required": [ + "pattern", + "primitive" + ] + } + } + }, + "required": [ + "family", + "variant" + ] + } + }, + "ellipticCurves": { + "type": "array", + "title": "Elliptic Curves", + "description": "An array of elliptic curve family definitions.", + "items": { + "type": "object", + "title": "Elliptic Curve Family", + "description": "Defines an elliptic curve family and its metadata.", + "additionalProperties": false, + "properties": { + "name": { + "type": "string", + "title": "Curve Family Name", + "description": "The name of the elliptic curve family." + }, + "description": { + "type": [ + "string", + "null" + ], + "title": "Description", + "description": "A description of the elliptic curve family." + }, + "curves": { + "type": "array", + "title": "Curves", + "description": "List of curves in this family.", + "items": { + "type": "object", + "title": "Curve", + "description": "Defines a specific elliptic curve and its metadata.", + "additionalProperties": false, + "properties": { + "name": { + "type": "string", + "title": "Curve Name", + "description": "The name of the elliptic curve." + }, + "description": { + "type": [ + "string", + "null" + ], + "title": "Description", + "description": "A description of the elliptic curve." + }, + "oid": { + "type": [ + "string", + "null" + ], + "title": "OID", + "description": "The Object Identifier (OID) of the elliptic curve." 
+ }, + "form": { + "type": "string", + "title": "Form", + "description": "The form of the elliptic curve.", + "enum": [ + "Weierstrass", + "Edwards", + "TwistedEdwards", + "Montgomery" + ] + }, + "aliases": { + "type": "array", + "title": "Aliases", + "description": "List of aliases for this curve.", + "items": { + "type": "object", + "title": "Alias", + "description": "An alias for the curve.", + "additionalProperties": false, + "properties": { + "category": { + "type": "string", + "title": "Category", + "description": "The category of the alias." + }, + "name": { + "type": "string", + "title": "Name", + "description": "The name of the alias." + } + }, + "required": [ + "category", + "name" + ] + } + } + }, + "required": [ + "name", + "description", + "oid", + "form" + ] + } + } + }, + "required": [ + "name", + "description", + "curves" + ] + } + } + }, + "required": [ + "lastUpdated", + "algorithms", + "ellipticCurves" + ], + "definitions": { + "algorithmFamiliesEnum": { + "type": "string", + "title": "Algorithm Families", + "description": "An enum for the algorithm families.", + "enum": [ + "3DES", + "3GPP-XOR", + "A5/1", + "A5/2", + "AES", + "ARIA", + "Ascon", + "BLAKE2", + "BLAKE3", + "BLS", + "Blowfish", + "CAMELLIA", + "CAST5", + "CAST6", + "CMAC", + "CMEA", + "ChaCha", + "ChaCha20", + "DES", + "DSA", + "ECDH", + "ECDSA", + "ECIES", + "EdDSA", + "ElGamal", + "FFDH", + "Fortuna", + "GOST", + "HC", + "HKDF", + "HMAC", + "IDEA", + "IKE-PRF", + "KMAC", + "LMS", + "MD2", + "MD4", + "MD5", + "MILENAGE", + "ML-DSA", + "ML-KEM", + "MQV", + "PBES1", + "PBES2", + "PBKDF1", + "PBKDF2", + "PBMAC1", + "Poly1305", + "RABBIT", + "RC2", + "RC4", + "RC5", + "RC6", + "RIPEMD", + "RSAES-OAEP", + "RSAES-PKCS1", + "RSASSA-PKCS1", + "RSASSA-PSS", + "SEED", + "SHA-1", + "SHA-2", + "SHA-3", + "SLH-DSA", + "SNOW3G", + "SP800-108", + "Salsa20", + "Serpent", + "SipHash", + "Skipjack", + "TUAK", + "Twofish", + "Whirlpool", + "X3DH", + "XMSS", + "Yarrow", + "ZUC", + "bcrypt" + ] + }, + 
"ellipticCurvesEnum": { + "type": "string", + "enum": [ + "anssi/FRP256v1", + "bls/BLS12-377", + "bls/BLS12-381", + "bls/BLS12-446", + "bls/BLS12-455", + "bls/BLS12-638", + "bls/BLS24-477", + "bls/Bandersnatch", + "bn/bn158", + "bn/bn190", + "bn/bn222", + "bn/bn254", + "bn/bn286", + "bn/bn318", + "bn/bn350", + "bn/bn382", + "bn/bn414", + "bn/bn446", + "bn/bn478", + "bn/bn510", + "bn/bn542", + "bn/bn574", + "bn/bn606", + "bn/bn638", + "brainpool/brainpoolP160r1", + "brainpool/brainpoolP160t1", + "brainpool/brainpoolP192r1", + "brainpool/brainpoolP192t1", + "brainpool/brainpoolP224r1", + "brainpool/brainpoolP224t1", + "brainpool/brainpoolP256r1", + "brainpool/brainpoolP256t1", + "brainpool/brainpoolP320r1", + "brainpool/brainpoolP320t1", + "brainpool/brainpoolP384r1", + "brainpool/brainpoolP384t1", + "brainpool/brainpoolP512r1", + "brainpool/brainpoolP512t1", + "gost/gost256", + "gost/gost512", + "gost/id-GostR3410-2001-CryptoPro-A-ParamSet", + "gost/id-GostR3410-2001-CryptoPro-B-ParamSet", + "gost/id-GostR3410-2001-CryptoPro-C-ParamSet", + "gost/id-tc26-gost-3410-12-512-paramSetA", + "gost/id-tc26-gost-3410-12-512-paramSetB", + "gost/id-tc26-gost-3410-2012-256-paramSetA", + "gost/id-tc26-gost-3410-2012-512-paramSetC", + "mnt/mnt1", + "mnt/mnt2/1", + "mnt/mnt2/2", + "mnt/mnt3/1", + "mnt/mnt3/2", + "mnt/mnt3/3", + "mnt/mnt4", + "mnt/mnt5/1", + "mnt/mnt5/2", + "mnt/mnt5/3", + "nist/B-163", + "nist/B-233", + "nist/B-283", + "nist/B-409", + "nist/B-571", + "nist/K-163", + "nist/K-233", + "nist/K-283", + "nist/K-409", + "nist/K-571", + "nist/P-192", + "nist/P-224", + "nist/P-256", + "nist/P-384", + "nist/P-521", + "nums/ed-254-mont", + "nums/ed-255-mers", + "nums/ed-256-mont", + "nums/ed-382-mont", + "nums/ed-383-mers", + "nums/ed-384-mont", + "nums/ed-510-mont", + "nums/ed-511-mers", + "nums/ed-512-mont", + "nums/numsp256d1", + "nums/numsp256t1", + "nums/numsp384d1", + "nums/numsp384t1", + "nums/numsp512d1", + "nums/numsp512t1", + "nums/w-254-mont", + "nums/w-255-mers", 
+ "nums/w-256-mont", + "nums/w-382-mont", + "nums/w-383-mers", + "nums/w-384-mont", + "nums/w-510-mont", + "nums/w-511-mers", + "nums/w-512-mont", + "oakley/192-bit Random ECP Group", + "oakley/224-bit Random ECP Group", + "oakley/256-bit Random ECP Group", + "oakley/384-bit Random ECP Group", + "oakley/521-bit Random ECP Group", + "oakley/Oakley Group 3", + "oakley/Oakley Group 4", + "oscaa/SM2", + "other/BADA55-R-256", + "other/BADA55-VPR-224", + "other/BADA55-VPR2-224", + "other/BADA55-VR-224", + "other/BADA55-VR-256", + "other/BADA55-VR-384", + "other/Curve1174", + "other/Curve22103", + "other/Curve25519", + "other/Curve383187", + "other/Curve41417", + "other/Curve4417", + "other/Curve448", + "other/Curve67254", + "other/E-222", + "other/E-382", + "other/E-521", + "other/Ed25519", + "other/Ed448", + "other/Ed448-Goldilocks", + "other/FourQ", + "other/Fp224BN", + "other/Fp254BNa", + "other/Fp254BNb", + "other/Fp254n2BNa", + "other/Fp256BN", + "other/Fp384BN", + "other/Fp512BN", + "other/JubJub", + "other/M-221", + "other/M-383", + "other/M-511", + "other/MDC201601", + "other/Pallas", + "other/Tom-256", + "other/Tom-384", + "other/Tom-521", + "other/Tweedledee", + "other/Tweedledum", + "other/Vesta", + "other/ssc-160", + "other/ssc-192", + "other/ssc-224", + "other/ssc-256", + "other/ssc-288", + "other/ssc-320", + "other/ssc-384", + "other/ssc-512", + "secg/secp112r1", + "secg/secp112r2", + "secg/secp128r1", + "secg/secp128r2", + "secg/secp160k1", + "secg/secp160r1", + "secg/secp160r2", + "secg/secp192k1", + "secg/secp192r1", + "secg/secp224k1", + "secg/secp224r1", + "secg/secp256k1", + "secg/secp256r1", + "secg/secp384r1", + "secg/secp521r1", + "secg/sect113r1", + "secg/sect113r2", + "secg/sect131r1", + "secg/sect131r2", + "secg/sect163k1", + "secg/sect163r1", + "secg/sect163r2", + "secg/sect193r1", + "secg/sect193r2", + "secg/sect233k1", + "secg/sect233r1", + "secg/sect239k1", + "secg/sect283k1", + "secg/sect283r1", + "secg/sect409k1", + "secg/sect409r1", + 
"secg/sect571k1", + "secg/sect571r1", + "wtls/wap-wsg-idm-ecid-wtls1", + "wtls/wap-wsg-idm-ecid-wtls10", + "wtls/wap-wsg-idm-ecid-wtls11", + "wtls/wap-wsg-idm-ecid-wtls12", + "wtls/wap-wsg-idm-ecid-wtls3", + "wtls/wap-wsg-idm-ecid-wtls4", + "wtls/wap-wsg-idm-ecid-wtls5", + "wtls/wap-wsg-idm-ecid-wtls6", + "wtls/wap-wsg-idm-ecid-wtls7", + "wtls/wap-wsg-idm-ecid-wtls8", + "wtls/wap-wsg-idm-ecid-wtls9", + "x962/c2onb191v4", + "x962/c2onb191v5", + "x962/c2onb239v4", + "x962/c2onb239v5", + "x962/c2pnb163v1", + "x962/c2pnb163v2", + "x962/c2pnb163v3", + "x962/c2pnb176w1", + "x962/c2pnb208w1", + "x962/c2pnb272w1", + "x962/c2pnb304w1", + "x962/c2pnb368w1", + "x962/c2tnb191v1", + "x962/c2tnb191v2", + "x962/c2tnb191v3", + "x962/c2tnb239v1", + "x962/c2tnb239v2", + "x962/c2tnb239v3", + "x962/c2tnb359v1", + "x962/c2tnb431r1", + "x962/prime192v1", + "x962/prime192v2", + "x962/prime192v3", + "x962/prime239v1", + "x962/prime239v2", + "x962/prime239v3", + "x962/prime256v1", + "x963/ansip160k1", + "x963/ansip160r1", + "x963/ansip160r2", + "x963/ansip192k1", + "x963/ansip224k1", + "x963/ansip224r1", + "x963/ansip256k1", + "x963/ansip384r1", + "x963/ansip521r1", + "x963/ansit163k1", + "x963/ansit163r1", + "x963/ansit163r2", + "x963/ansit193r1", + "x963/ansit193r2", + "x963/ansit233k1", + "x963/ansit233r1", + "x963/ansit239k1", + "x963/ansit283k1", + "x963/ansit283r1", + "x963/ansit409k1", + "x963/ansit409r1", + "x963/ansit571k1", + "x963/ansit571r1" + ] + } + } +} \ No newline at end of file diff --git a/schema/ext/bom-descriptor-0.9.xsd b/schema/ext/bom-descriptor-0.9.xsd new file mode 100644 index 0000000..605df12 --- /dev/null +++ b/schema/ext/bom-descriptor-0.9.xsd 
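Review bot: The `variant` array's item schema (in the part of this hunk that starts `"variant": {`) still carries the copy-pasted `"title": "Standard Reference"` / `"description": "Reference to a standard, including its name and URL."`, and its `pattern` property is titled `"Standard Name"`, although these nodes describe an algorithm variant and its naming pattern rather than a standard; titles and descriptions from this file are what schema-driven documentation and editors show to users. I would change them to `"title": "Variant", "description": "Defines an algorithm variant by its naming pattern, primitive and related standards."` and `"title": "Pattern"` respectively. The `$id` points at cyclonedx.org, so this appears to be a copy of the upstream CycloneDX definitions file; if so the wording fix belongs upstream, with this copy refreshed from it rather than edited locally.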
@@ -0,0 +1,175 @@ + + + + + + + CycloneDX BOM Descriptor Extension + https://cyclonedx.org/ext/bom-descriptor + Apache License, Version 2.0 + + Steve Springett + + + + + + + + + Specifies the name of the software the BOM describes. + + + + + Specifies the version of the software the BOM describes. + + + + + Specifies the edition of the software the BOM describes. + + + + + + + + + + + + + + + + A valid SPDX license expression. + Refer to https://spdx.org/specifications for syntax requirements + + + + + + + + An optional copyright notice informing users of the underlying claims to + copyright ownership in a published work. + + + + + + Specifies a well-formed CPE name. See https://nvd.nist.gov/products/cpe + + + + + + + Specifies the package-url (PURL). The purl, if specified, must be valid and conform + to the specification defined at: https://github.com/package-url/purl-spec + + + + + + The organization that manufactured the software for which the BOM describes. + + + + + The organization that supplied the software for which the BOM describes. The + supplier may often be the manufacture, but may also be a distributor or repackager. + + + + + + User-defined attributes may be used on this element as long as they + do not have the same name as an existing attribute used by the schema. + + + + + + + + + The name of the organization + + + + + The URL of the organization. Multiple URLs are allowed. + + + + + A contact person at the organization. Multiple contacts are allowed. + + + + + + User-defined attributes may be used on this element as long as they + do not have the same name as an existing attribute used by the schema. + + + + + + + + + The name of the person + + + + + The email address of the person. Multiple email addresses are allowed. + + + + + The phone number of the person. Multiple phone numbers are allowed. 
+ + + + + + User-defined attributes may be used on this element as long as they + do not have the same name as an existing attribute used by the schema. + + + + + + + Provides additional information about a BOM. + + + + diff --git a/schema/ext/bom-descriptor-1.0.xsd b/schema/ext/bom-descriptor-1.0.xsd new file mode 100644 index 0000000..013f550 --- /dev/null +++ b/schema/ext/bom-descriptor-1.0.xsd 
@@ -0,0 +1,183 @@ + + + + + + + CycloneDX BOM Descriptor Extension + https://cyclonedx.org/ext/bom-descriptor + Apache License, Version 2.0 + + Steve Springett + + + + + + + + + + + The date and time (timestamp) when the document was created. + + + + + The tool used to create the BOM. + + + + + The person(s) who created the BOM. Authors are common in BOMs created through + manual processes. BOMs created through automated means may not have authors. + + + + + + + + + + The component that the BOM describes. + + + + + The organization that manufactured the component that the BOM describes. + + + + + The organization that supplied the component that the BOM describes. The + supplier may often be the manufacture, but may also be a distributor or repackager. + + + + + + User-defined attributes may be used on this element as long as they + do not have the same name as an existing attribute used by the schema. + + + + + + + + + The name of the organization + + + + + The URL of the organization. Multiple URLs are allowed. + + + + + A contact person at the organization. Multiple contacts are allowed. + + + + + + User-defined attributes may be used on this element as long as they + do not have the same name as an existing attribute used by the schema. + + + + + + + Specifies a tool (manual or automated). + + + + + The vendor of the tool used to create the BOM. + + + + + The name of the tool used to create the BOM. + + + + + The version of the tool used to create the BOM. + + + + + + + + + + + + + User-defined attributes may be used on this element as long as they + do not have the same name as an existing attribute used by the schema. + + + + + + + + + The name of the person + + + + + The email address of the person. Multiple email addresses are allowed. + + + + + The phone number of the person. Multiple phone numbers are allowed. 
+ + + + + + User-defined attributes may be used on this element as long as they + do not have the same name as an existing attribute used by the schema. + + + + + + + Provides additional information about a BOM. + + + + diff --git a/schema/ext/dependency-graph-1.0.xsd b/schema/ext/dependency-graph-1.0.xsd new file mode 100644 index 0000000..ddcb536 --- /dev/null +++ b/schema/ext/dependency-graph-1.0.xsd @@ -0,0 +1,70 @@ + + + + + + + CycloneDX Dependency Graph Extension + https://cyclonedx.org/ext/dependency-graph + Apache License, Version 2.0 + + Steve Springett + + + + + + + + + + + References a component by the components bom-ref attribute + + + + + User-defined attributes may be used on this element as long as they + do not have the same name as an existing attribute used by the schema. + + + + + + + + + + Components that do not have their own dependencies MUST be declared as empty + elements within the graph. Components that are not represented in the dependency graph MAY + have unknown dependencies. It is RECOMMENDED that implementations assume this to be opaque + and not an indicator of a component being dependency-free. + + + + + + + diff --git a/schema/ext/vulnerability-1.0-SNAPSHOT.schema.json b/schema/ext/vulnerability-1.0-SNAPSHOT.schema.json new file mode 100644 index 0000000..378bd49 --- /dev/null +++ b/schema/ext/vulnerability-1.0-SNAPSHOT.schema.json 
@@ -0,0 +1,182 @@ +{ + "$schema": "http://json-schema.org/draft-07/schema#", + "$id": "http://cyclonedx.org/schema/ext/vulnerability-1.0-SNAPSHOT.schema.json", + "type": "object", + "title": "CycloneDX Vulnerability Extension", + "$comment" : "CycloneDX Vulnerability Extension for JSON Schema is published under the terms of the Apache License 2.0.", + "properties": { + "vulnerabilities": { + "$id": "#/properties/vulnerabilities", + "type": "array", + "items": {"$ref": "#/definitions/vulnerability"}, + "title": "Vulnerabilities", + "description": "Defines a list of vulnerabilities." + } + }, + "definitions": { + "cwe": { + "type": "integer", + "minimum": 1, + "title": "CWE", + "description": "Integer representation of a Common Weaknesses Enumerations (CWE). For example 399 (of https://cwe.mitre.org/data/definitions/399.html)" + }, + "severity": { + "type": "string", + "title": "Severity", + "description": "Textual representation of the severity of the vulnerability adopted by the risk analysis method. If an other risk analysis method is used other than whats defined in scoreSourceType, the user is expected to translate appropriately to match with an element value below.", + "enum": [ + "None", + "Low", + "Medium", + "High", + "Critical", + "Unknown" + ] + }, + "scoreValue": { + "type": "number", + "title": "Score", + "description": "Numerical representation of the vulnerability score. 
Must be a number between 0 - 10 (maps to lowest severity - highest severity)", + "multipleOf": 0.1, + "examples": [7.9, 10.0] + }, + "scoreSource": { + "type": "string", + "title": "Source", + "description": "Specifies the risk scoring methodology/standard used.", + "enum": [ + "CVSSv2", + "CVSSv3", + "OWASP Risk", + "Open FAIR", + "Other" + ] + }, + "score": { + "type": "object", + "title": "Score", + "description": "Defines the numerical risk score of a vulnerability", + "properties": { + "base": { + "type": "number", + "title": "Base Score", + "description": "The base score of the security vulnerability (Refer CVSS standard for example)", + "multipleOf": 0.1, + "examples": [2.9, 7.2] + }, + "impact": { + "type": "number", + "title": "Impact Score", + "description": "The impact subscore of the security vulnerability (Refer CVSS standard for example)", + "multipleOf": 0.1, + "examples": [2.9, 7.2] + }, + "exploitability": { + "type": "number", + "title": "Exploitability Score", + "description": "The exploitability subscore of the security vulnerability (Refer CVSS standard for example)", + "multipleOf": 0.1, + "examples": [2.9, 7.2] + } + } + }, + "rating": { + "type": "object", + "title": "Rating", + "description": "Defines the risk rating of a vulnerability.", + "properties": { + "score": { + "$ref": "#/definitions/score" + }, + "severity": { + "$ref": "#/definitions/severity" + }, + "method": { + "$ref": "#/definitions/scoreSource" + }, + "vector": { + "type": "string", + "title": "Vector", + "description": "Textual representation of the metric values used to score the vulnerability see attack vector in https://www.first.org/cvss/v3.1/specification-document" + } + } + }, + "source": { + "type": "object", + "title": "Source", + "description": "The source of the vulnerability where it is documented. 
Usually the name of the organization publishing vulnerability information", + "properties": { + "url": { + "type": "string", + "title": "URL", + "description": "The url of the vulnerability documentation as provided by the source.", + "examples": [ + "https://nvd.nist.gov/vuln/detail/CVE-2019-15842" + ] + }, + "name": { + "type": "string", + "title": "Name", + "description": "The name of the source.", + "examples": [ + "NVD", "National Vulnerability Database", "OSS Index", "VulnDB", "NPM Advisories" + ] + } + } + }, + "vulnerability": { + "type": "object", + "title": "Vulnerability", + "description": "Defines the structure of a vulnerability.", + "properties": { + "ref": { + "type": "string", + "format": "string", + "title": "Reference", + "description": "References a component by the components bom-ref attribute" + }, + "id": { + "type": "string", + "title": "ID", + "description": "The id of the vulnerability as defined by the risk scoring methodology. For example CVE-2019-15842 (of https://nvd.nist.gov/vuln/detail/CVE-2019-15842)" + }, + "source": { + "$ref": "#/definitions/source" + }, + "ratings": { + "type": "array", + "title": "Ratings", + "description": "List of the vulnerability ratings as defined by various risk rating methodologies.", + "items": {"$ref": "#/definitions/rating"} + }, + "cwes": { + "type": "array", + "title": "CWEs", + "description": "List of Common Weaknesses Enumerations (CWEs) codes that describes this vulnerability. 
For example 399 (of https://cwe.mitre.org/data/definitions/399.html)", + "items": {"$ref": "#/definitions/cwe"} + }, + "description": { + "type": "string", + "title": "Description", + "description": "Description of the vulnerability as provided by the source organization" + }, + "recommendations": { + "type": "array", + "title": "Recommendations", + "description": "List of recommendations of how the particular vulnerability can be avoided/mitigated.", + "items": { + "type": "string" + } + }, + "advisories": { + "type": "array", + "title": "Advisories", + "description": "Published advisories of the vulnerability if provided.", + "items": { + "type": "string" + } + } + } + } + } +} diff --git a/schema/ext/vulnerability-1.0.xsd b/schema/ext/vulnerability-1.0.xsd new file mode 100644 index 0000000..2d68474 --- /dev/null +++ b/schema/ext/vulnerability-1.0.xsd 
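Review bot: The score definitions in this hunk (`scoreValue` and the `base`, `impact` and `exploitability` properties of `score`) document "Must be a number between 0 - 10" but carry only `"multipleOf": 0.1`, so a document with a negative or greater-than-10 rating validates and any consumer that trusts the schema for range checking is misled; each of them should get `"minimum": 0, "maximum": 10`. Note also that `scoreValue` is defined but never referenced - `score` repeats the same shape inline three times - so the three inline properties could simply `$ref` it once the bounds are on it. The `ref` property declares `"format": "string"`, which is not a defined draft-07 format; validators ignore unknown formats by default, but strict ones reject them, so the key should be dropped. The `$id` indicates this is a copy of an upstream CycloneDX extension schema, so the corrections presumably belong upstream with this copy refreshed from there.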
@@ -0,0 +1,291 @@ + + + + + + + CycloneDX Vulnerability Extension + https://cyclonedx.org/ext/vulnerability + Apache License, Version 2.0 + + + + + + + Textual representation of the severity of the vulnerability adopted by the risk analysis method. + If an other risk analysis method is used other than whats defined in scoreSourceType, + the user is expected to translate appropriately to match with an element value below. + + + + + + + + + + + + + + + + Numerical representation of the vulnerability score. + Must be a number between 0 - 10 (maps to lowest severity - highest severity) + + + + + + + + + + + + + Specifies the risk scoring methodology/standard used. + + + + + + + The rating is based on CVSS v2 standard + https://www.first.org/cvss/v2/guide + + + + + + + The rating is based on CVSS v3 standard + https://www.first.org/cvss/v3.1/specification-document + + + + + + + The rating is based on OWASP Risk Rating + https://www.owasp.org/index.php/OWASP_Risk_Rating_Methodology + + + + + + + The rating is based on Open FAIR specification + http://www.opengroup.org/subjectareas/security/risk + + + + + + + Use this if the risk scoring methodology is not based on any of the options above + + + + + + + + + + Defines the numerical risk score of a vulnerability + + + + + + + + + + The base score of the security vulnerability (Refer CVSS standard for example) + + + + + + + The impact subscore of the security vulnerability (Refer CVSS standard for example) + + + + + + + The exploitability subscore of the security vulnerability (Refer CVSS standard for + example) + + + + + + + + + + + + Textual representation of the metric values used to score the vulnerability + see attack vector in https://www.first.org/cvss/v3.1/specification-document + + + + + + + + + + Defines the structure of a vulnerability. 
+ + + + + + + The id of the vulnerability as defined by the risk scoring methodology + For example CVE-2019-15842 (of https://nvd.nist.gov/vuln/detail/CVE-2019-15842) + + + + + + + + The source of the vulnerability where it is documented. + Usually the name of the organization publishing vulnerability information + + + + + + + The url of the vulnerability documentation as provided by the source + For example https://nvd.nist.gov/vuln/detail/CVE-2019-15842 + + + + + + + + The name of the source. For example "National Vulnerability Database" + + + + + + + + + List of the vulnerability ratings as defined by various risk rating methodologies. + + + + + + + + + + + + + List of Common Weaknesses Enumerations (CWEs) codes that describes this vulnerability. + For example 399 (of https://cwe.mitre.org/data/definitions/399.html) + + + + + + + + + + + Description of the vulnerability as provided by the source organization + + + + + + + + The remediation options for the vulnerability if available + + + + + + + A recommendation of how the particular vulnerability can be avoided/mitigated. + + + + + + + + + + + Published advisories of the vulnerability if provided + + + + + + + + + + + References a component by the components bom-ref attribute + + + + + + + + Defines a list of vulnerabilities. + Vulnerabilities are intended to be used inside the BOM component element. + Extending a component ability to declare associated vulnerability information. + Each component element optionally can add a vulnerabilities element. + + + + + + + + + diff --git a/schema/jsf-0.82.schema.json b/schema/jsf-0.82.schema.json new file mode 100644 index 0000000..f46bfb1 --- /dev/null +++ b/schema/jsf-0.82.schema.json 
@@ -0,0 +1,240 @@ +{ + "$schema": "http://json-schema.org/draft-07/schema#", + "$id": "http://cyclonedx.org/schema/jsf-0.82.schema.json", + "type": "object", + "title": "JSON Signature Format (JSF) standard", + "$comment" : "JSON Signature Format schema is published under the terms of the Apache License 2.0. JSF was developed by Anders Rundgren (anders.rundgren.net@gmail.com) as a part of the OpenKeyStore project. This schema supports the entirely of the JSF standard excluding 'extensions'.", + "definitions": { + "signature": { + "type": "object", + "title": "Signature", + "oneOf": [ + { + "additionalProperties": false, + "properties": { + "signers": { + "type": "array", + "title": "Signature", + "description": "Unique top level property for Multiple Signatures. (multisignature)", + "items": {"$ref": "#/definitions/signer"} + } + } + }, + { + "additionalProperties": false, + "properties": { + "chain": { + "type": "array", + "title": "Signature", + "description": "Unique top level property for Signature Chains. (signaturechain)", + "items": {"$ref": "#/definitions/signer"} + } + } + }, + { + "title": "Signature", + "description": "Unique top level property for simple signatures. (signaturecore)", + "$ref": "#/definitions/signer" + } + ] + }, + "signer": { + "type": "object", + "title": "Signature", + "required": [ + "algorithm", + "value" + ], + "additionalProperties": false, + "properties": { + "algorithm": { + "oneOf": [ + { + "type": "string", + "title": "Algorithm", + "description": "Signature algorithm. The currently recognized JWA [RFC7518] and RFC8037 [RFC8037] asymmetric key algorithms. Note: Unlike RFC8037 [RFC8037] JSF requires explicit Ed* algorithm names instead of \"EdDSA\".", + "enum": [ + "RS256", + "RS384", + "RS512", + "PS256", + "PS384", + "PS512", + "ES256", + "ES384", + "ES512", + "Ed25519", + "Ed448", + "HS256", + "HS384", + "HS512" + ] + }, + { + "type": "string", + "title": "Algorithm", + "description": "Signature algorithm. 
Note: If proprietary signature algorithms are added, they must be expressed as URIs.", + "format": "uri" + } + ] + }, + "keyId": { + "type": "string", + "title": "Key ID", + "description": "Optional. Application specific string identifying the signature key." + }, + "publicKey": { + "title": "Public key", + "description": "Optional. Public key object.", + "$ref": "#/definitions/publicKey" + }, + "certificatePath": { + "type": "array", + "title": "Certificate path", + "description": "Optional. Sorted array of X.509 [RFC5280] certificates, where the first element must contain the signature certificate. The certificate path must be contiguous but is not required to be complete.", + "items": { + "type": "string" + } + }, + "excludes": { + "type": "array", + "title": "Excludes", + "description": "Optional. Array holding the names of one or more application level properties that must be excluded from the signature process. Note that the \"excludes\" property itself, must also be excluded from the signature process. Since both the \"excludes\" property and the associated data it points to are unsigned, a conforming JSF implementation must provide options for specifying which properties to accept.", + "items": { + "type": "string" + } + }, + "value": { + "type": "string", + "title": "Signature", + "description": "The signature data. Note that the binary representation must follow the JWA [RFC7518] specifications." + } + } + }, + "keyType": { + "type": "string", + "title": "Key type", + "description": "Key type indicator.", + "enum": [ + "EC", + "OKP", + "RSA" + ] + }, + "publicKey": { + "title": "Public key", + "description": "Optional. 
Public key object.", + "type": "object", + "required": [ + "kty" + ], + "additionalProperties": true, + "properties": { + "kty": { + "$ref": "#/definitions/keyType" + } + }, + "allOf": [ + { + "if": { + "properties": { "kty": { "const": "EC" } } + }, + "then": { + "required": [ + "kty", + "crv", + "x", + "y" + ], + "additionalProperties": false, + "properties": { + "kty": { + "$ref": "#/definitions/keyType" + }, + "crv": { + "type": "string", + "title": "Curve name", + "description": "EC curve name.", + "enum": [ + "P-256", + "P-384", + "P-521" + ] + }, + "x": { + "type": "string", + "title": "Coordinate", + "description": "EC curve point X. The length of this field must be the full size of a coordinate for the curve specified in the \"crv\" parameter. For example, if the value of \"crv\" is \"P-521\", the decoded argument must be 66 bytes." + }, + "y": { + "type": "string", + "title": "Coordinate", + "description": "EC curve point Y. The length of this field must be the full size of a coordinate for the curve specified in the \"crv\" parameter. For example, if the value of \"crv\" is \"P-256\", the decoded argument must be 32 bytes." + } + } + } + }, + { + "if": { + "properties": { "kty": { "const": "OKP" } } + }, + "then": { + "required": [ + "kty", + "crv", + "x" + ], + "additionalProperties": false, + "properties": { + "kty": { + "$ref": "#/definitions/keyType" + }, + "crv": { + "type": "string", + "title": "Curve name", + "description": "EdDSA curve name.", + "enum": [ + "Ed25519", + "Ed448" + ] + }, + "x": { + "type": "string", + "title": "Coordinate", + "description": "EdDSA curve point X. The length of this field must be the full size of a coordinate for the curve specified in the \"crv\" parameter. For example, if the value of \"crv\" is \"Ed25519\", the decoded argument must be 32 bytes." 
+ } + } + } + }, + { + "if": { + "properties": { "kty": { "const": "RSA" } } + }, + "then": { + "required": [ + "kty", + "n", + "e" + ], + "additionalProperties": false, + "properties": { + "kty": { + "$ref": "#/definitions/keyType" + }, + "n": { + "type": "string", + "title": "Modulus", + "description": "RSA modulus." + }, + "e": { + "type": "string", + "title": "Exponent", + "description": "RSA exponent." + } + } + } + } + ] + } + } +} diff --git a/schema/spdx.schema.json b/schema/spdx.schema.json new file mode 100644 index 0000000..1e49a6d --- /dev/null +++ b/schema/spdx.schema.json 
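Review bot: The `algorithm` property in this hunk uses `oneOf` over an enum branch and a free-form `"type": "string", "format": "uri"` branch; in draft-07 `format` is an annotation unless the validator is configured to assert it, so with a default validator a recognised name such as `RS256` satisfies both branches and `oneOf` rejects every listed algorithm, while a validator that asserts `uri` accepts it - behaviour depends on the consuming library. The safer encoding is `anyOf` in place of `oneOf`, or a `pattern` on the URI branch that requires a scheme (for example `"pattern": "^[A-Za-z][A-Za-z0-9+.-]*:"`) so the two branches cannot both match. The `$comment` also reads "supports the entirely of the JSF standard" where "entirety" is meant. As the `$id` names cyclonedx.org this looks like a copy of the upstream JSF schema, so the fix presumably belongs upstream.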
@@ -0,0 +1,786 @@ +{ + "$schema": "http://json-schema.org/draft-07/schema#", + "$id": "http://cyclonedx.org/schema/spdx.schema.json", + "$comment": "v1.0-3.27.0", + "type": "string", + "enum": [ + "0BSD", + "3D-Slicer-1.0", + "AAL", + "Abstyles", + "AdaCore-doc", + "Adobe-2006", + "Adobe-Display-PostScript", + "Adobe-Glyph", + "Adobe-Utopia", + "ADSL", + "AFL-1.1", + "AFL-1.2", + "AFL-2.0", + "AFL-2.1", + "AFL-3.0", + "Afmparse", + "AGPL-1.0", + "AGPL-1.0-only", + "AGPL-1.0-or-later", + "AGPL-3.0", + "AGPL-3.0-only", + "AGPL-3.0-or-later", + "Aladdin", + "AMD-newlib", + "AMDPLPA", + "AML", + "AML-glslang", + "AMPAS", + "ANTLR-PD", + "ANTLR-PD-fallback", + "any-OSI", + "any-OSI-perl-modules", + "Apache-1.0", + "Apache-1.1", + "Apache-2.0", + "APAFML", + "APL-1.0", + "App-s2p", + "APSL-1.0", + "APSL-1.1", + "APSL-1.2", + "APSL-2.0", + "Arphic-1999", + "Artistic-1.0", + "Artistic-1.0-cl8", + "Artistic-1.0-Perl", + "Artistic-2.0", + "Artistic-dist", + "Aspell-RU", + "ASWF-Digital-Assets-1.0", + "ASWF-Digital-Assets-1.1", + "Baekmuk", + "Bahyph", + "Barr", + "bcrypt-Solar-Designer", + "Beerware", + "Bitstream-Charter", + "Bitstream-Vera", + "BitTorrent-1.0", + "BitTorrent-1.1", + "blessing", + "BlueOak-1.0.0", + "Boehm-GC", + "Boehm-GC-without-fee", + "Borceux", + "Brian-Gladman-2-Clause", + "Brian-Gladman-3-Clause", + "BSD-1-Clause", + "BSD-2-Clause", + "BSD-2-Clause-Darwin", + "BSD-2-Clause-first-lines", + "BSD-2-Clause-FreeBSD", + "BSD-2-Clause-NetBSD", + "BSD-2-Clause-Patent", + "BSD-2-Clause-pkgconf-disclaimer", + "BSD-2-Clause-Views", + "BSD-3-Clause", + "BSD-3-Clause-acpica", + "BSD-3-Clause-Attribution", + "BSD-3-Clause-Clear", + "BSD-3-Clause-flex", + "BSD-3-Clause-HP", + "BSD-3-Clause-LBNL", + "BSD-3-Clause-Modification", + "BSD-3-Clause-No-Military-License", + "BSD-3-Clause-No-Nuclear-License", + "BSD-3-Clause-No-Nuclear-License-2014", + "BSD-3-Clause-No-Nuclear-Warranty", + "BSD-3-Clause-Open-MPI", + "BSD-3-Clause-Sun", + "BSD-4-Clause", + 
"BSD-4-Clause-Shortened", + "BSD-4-Clause-UC", + "BSD-4.3RENO", + "BSD-4.3TAHOE", + "BSD-Advertising-Acknowledgement", + "BSD-Attribution-HPND-disclaimer", + "BSD-Inferno-Nettverk", + "BSD-Protection", + "BSD-Source-beginning-file", + "BSD-Source-Code", + "BSD-Systemics", + "BSD-Systemics-W3Works", + "BSL-1.0", + "BUSL-1.1", + "bzip2-1.0.5", + "bzip2-1.0.6", + "C-UDA-1.0", + "CAL-1.0", + "CAL-1.0-Combined-Work-Exception", + "Caldera", + "Caldera-no-preamble", + "Catharon", + "CATOSL-1.1", + "CC-BY-1.0", + "CC-BY-2.0", + "CC-BY-2.5", + "CC-BY-2.5-AU", + "CC-BY-3.0", + "CC-BY-3.0-AT", + "CC-BY-3.0-AU", + "CC-BY-3.0-DE", + "CC-BY-3.0-IGO", + "CC-BY-3.0-NL", + "CC-BY-3.0-US", + "CC-BY-4.0", + "CC-BY-NC-1.0", + "CC-BY-NC-2.0", + "CC-BY-NC-2.5", + "CC-BY-NC-3.0", + "CC-BY-NC-3.0-DE", + "CC-BY-NC-4.0", + "CC-BY-NC-ND-1.0", + "CC-BY-NC-ND-2.0", + "CC-BY-NC-ND-2.5", + "CC-BY-NC-ND-3.0", + "CC-BY-NC-ND-3.0-DE", + "CC-BY-NC-ND-3.0-IGO", + "CC-BY-NC-ND-4.0", + "CC-BY-NC-SA-1.0", + "CC-BY-NC-SA-2.0", + "CC-BY-NC-SA-2.0-DE", + "CC-BY-NC-SA-2.0-FR", + "CC-BY-NC-SA-2.0-UK", + "CC-BY-NC-SA-2.5", + "CC-BY-NC-SA-3.0", + "CC-BY-NC-SA-3.0-DE", + "CC-BY-NC-SA-3.0-IGO", + "CC-BY-NC-SA-4.0", + "CC-BY-ND-1.0", + "CC-BY-ND-2.0", + "CC-BY-ND-2.5", + "CC-BY-ND-3.0", + "CC-BY-ND-3.0-DE", + "CC-BY-ND-4.0", + "CC-BY-SA-1.0", + "CC-BY-SA-2.0", + "CC-BY-SA-2.0-UK", + "CC-BY-SA-2.1-JP", + "CC-BY-SA-2.5", + "CC-BY-SA-3.0", + "CC-BY-SA-3.0-AT", + "CC-BY-SA-3.0-DE", + "CC-BY-SA-3.0-IGO", + "CC-BY-SA-4.0", + "CC-PDDC", + "CC-PDM-1.0", + "CC-SA-1.0", + "CC0-1.0", + "CDDL-1.0", + "CDDL-1.1", + "CDL-1.0", + "CDLA-Permissive-1.0", + "CDLA-Permissive-2.0", + "CDLA-Sharing-1.0", + "CECILL-1.0", + "CECILL-1.1", + "CECILL-2.0", + "CECILL-2.1", + "CECILL-B", + "CECILL-C", + "CERN-OHL-1.1", + "CERN-OHL-1.2", + "CERN-OHL-P-2.0", + "CERN-OHL-S-2.0", + "CERN-OHL-W-2.0", + "CFITSIO", + "check-cvs", + "checkmk", + "ClArtistic", + "Clips", + "CMU-Mach", + "CMU-Mach-nodoc", + "CNRI-Jython", + "CNRI-Python", + 
"CNRI-Python-GPL-Compatible", + "COIL-1.0", + "Community-Spec-1.0", + "Condor-1.1", + "copyleft-next-0.3.0", + "copyleft-next-0.3.1", + "Cornell-Lossless-JPEG", + "CPAL-1.0", + "CPL-1.0", + "CPOL-1.02", + "Cronyx", + "Crossword", + "CryptoSwift", + "CrystalStacker", + "CUA-OPL-1.0", + "Cube", + "curl", + "cve-tou", + "D-FSL-1.0", + "DEC-3-Clause", + "diffmark", + "DL-DE-BY-2.0", + "DL-DE-ZERO-2.0", + "DOC", + "DocBook-DTD", + "DocBook-Schema", + "DocBook-Stylesheet", + "DocBook-XML", + "Dotseqn", + "DRL-1.0", + "DRL-1.1", + "DSDP", + "dtoa", + "dvipdfm", + "ECL-1.0", + "ECL-2.0", + "eCos-2.0", + "EFL-1.0", + "EFL-2.0", + "eGenix", + "Elastic-2.0", + "Entessa", + "EPICS", + "EPL-1.0", + "EPL-2.0", + "ErlPL-1.1", + "etalab-2.0", + "EUDatagrid", + "EUPL-1.0", + "EUPL-1.1", + "EUPL-1.2", + "Eurosym", + "Fair", + "FBM", + "FDK-AAC", + "Ferguson-Twofish", + "Frameworx-1.0", + "FreeBSD-DOC", + "FreeImage", + "FSFAP", + "FSFAP-no-warranty-disclaimer", + "FSFUL", + "FSFULLR", + "FSFULLRSD", + "FSFULLRWD", + "FSL-1.1-ALv2", + "FSL-1.1-MIT", + "FTL", + "Furuseth", + "fwlw", + "Game-Programming-Gems", + "GCR-docs", + "GD", + "generic-xts", + "GFDL-1.1", + "GFDL-1.1-invariants-only", + "GFDL-1.1-invariants-or-later", + "GFDL-1.1-no-invariants-only", + "GFDL-1.1-no-invariants-or-later", + "GFDL-1.1-only", + "GFDL-1.1-or-later", + "GFDL-1.2", + "GFDL-1.2-invariants-only", + "GFDL-1.2-invariants-or-later", + "GFDL-1.2-no-invariants-only", + "GFDL-1.2-no-invariants-or-later", + "GFDL-1.2-only", + "GFDL-1.2-or-later", + "GFDL-1.3", + "GFDL-1.3-invariants-only", + "GFDL-1.3-invariants-or-later", + "GFDL-1.3-no-invariants-only", + "GFDL-1.3-no-invariants-or-later", + "GFDL-1.3-only", + "GFDL-1.3-or-later", + "Giftware", + "GL2PS", + "Glide", + "Glulxe", + "GLWTPL", + "gnuplot", + "GPL-1.0", + "GPL-1.0+", + "GPL-1.0-only", + "GPL-1.0-or-later", + "GPL-2.0", + "GPL-2.0+", + "GPL-2.0-only", + "GPL-2.0-or-later", + "GPL-2.0-with-autoconf-exception", + "GPL-2.0-with-bison-exception", + 
"GPL-2.0-with-classpath-exception", + "GPL-2.0-with-font-exception", + "GPL-2.0-with-GCC-exception", + "GPL-3.0", + "GPL-3.0+", + "GPL-3.0-only", + "GPL-3.0-or-later", + "GPL-3.0-with-autoconf-exception", + "GPL-3.0-with-GCC-exception", + "Graphics-Gems", + "gSOAP-1.3b", + "gtkbook", + "Gutmann", + "HaskellReport", + "HDF5", + "hdparm", + "HIDAPI", + "Hippocratic-2.1", + "HP-1986", + "HP-1989", + "HPND", + "HPND-DEC", + "HPND-doc", + "HPND-doc-sell", + "HPND-export-US", + "HPND-export-US-acknowledgement", + "HPND-export-US-modify", + "HPND-export2-US", + "HPND-Fenneberg-Livingston", + "HPND-INRIA-IMAG", + "HPND-Intel", + "HPND-Kevlin-Henney", + "HPND-Markus-Kuhn", + "HPND-merchantability-variant", + "HPND-MIT-disclaimer", + "HPND-Netrek", + "HPND-Pbmplus", + "HPND-sell-MIT-disclaimer-xserver", + "HPND-sell-regexpr", + "HPND-sell-variant", + "HPND-sell-variant-MIT-disclaimer", + "HPND-sell-variant-MIT-disclaimer-rev", + "HPND-UC", + "HPND-UC-export-US", + "HTMLTIDY", + "IBM-pibs", + "ICU", + "IEC-Code-Components-EULA", + "IJG", + "IJG-short", + "ImageMagick", + "iMatix", + "Imlib2", + "Info-ZIP", + "Inner-Net-2.0", + "InnoSetup", + "Intel", + "Intel-ACPI", + "Interbase-1.0", + "IPA", + "IPL-1.0", + "ISC", + "ISC-Veillard", + "Jam", + "JasPer-2.0", + "jove", + "JPL-image", + "JPNIC", + "JSON", + "Kastrup", + "Kazlib", + "Knuth-CTAN", + "LAL-1.2", + "LAL-1.3", + "Latex2e", + "Latex2e-translated-notice", + "Leptonica", + "LGPL-2.0", + "LGPL-2.0+", + "LGPL-2.0-only", + "LGPL-2.0-or-later", + "LGPL-2.1", + "LGPL-2.1+", + "LGPL-2.1-only", + "LGPL-2.1-or-later", + "LGPL-3.0", + "LGPL-3.0+", + "LGPL-3.0-only", + "LGPL-3.0-or-later", + "LGPLLR", + "Libpng", + "libpng-1.6.35", + "libpng-2.0", + "libselinux-1.0", + "libtiff", + "libutil-David-Nugent", + "LiLiQ-P-1.1", + "LiLiQ-R-1.1", + "LiLiQ-Rplus-1.1", + "Linux-man-pages-1-para", + "Linux-man-pages-copyleft", + "Linux-man-pages-copyleft-2-para", + "Linux-man-pages-copyleft-var", + "Linux-OpenIB", + "LOOP", + "LPD-document", 
+ "LPL-1.0", + "LPL-1.02", + "LPPL-1.0", + "LPPL-1.1", + "LPPL-1.2", + "LPPL-1.3a", + "LPPL-1.3c", + "lsof", + "Lucida-Bitmap-Fonts", + "LZMA-SDK-9.11-to-9.20", + "LZMA-SDK-9.22", + "Mackerras-3-Clause", + "Mackerras-3-Clause-acknowledgment", + "magaz", + "mailprio", + "MakeIndex", + "man2html", + "Martin-Birgmeier", + "McPhee-slideshow", + "metamail", + "Minpack", + "MIPS", + "MirOS", + "MIT", + "MIT-0", + "MIT-advertising", + "MIT-Click", + "MIT-CMU", + "MIT-enna", + "MIT-feh", + "MIT-Festival", + "MIT-Khronos-old", + "MIT-Modern-Variant", + "MIT-open-group", + "MIT-testregex", + "MIT-Wu", + "MITNFA", + "MMIXware", + "Motosoto", + "MPEG-SSG", + "mpi-permissive", + "mpich2", + "MPL-1.0", + "MPL-1.1", + "MPL-2.0", + "MPL-2.0-no-copyleft-exception", + "mplus", + "MS-LPL", + "MS-PL", + "MS-RL", + "MTLL", + "MulanPSL-1.0", + "MulanPSL-2.0", + "Multics", + "Mup", + "NAIST-2003", + "NASA-1.3", + "Naumen", + "NBPL-1.0", + "NCBI-PD", + "NCGL-UK-2.0", + "NCL", + "NCSA", + "Net-SNMP", + "NetCDF", + "Newsletr", + "NGPL", + "ngrep", + "NICTA-1.0", + "NIST-PD", + "NIST-PD-fallback", + "NIST-Software", + "NLOD-1.0", + "NLOD-2.0", + "NLPL", + "Nokia", + "NOSL", + "Noweb", + "NPL-1.0", + "NPL-1.1", + "NPOSL-3.0", + "NRL", + "NTIA-PD", + "NTP", + "NTP-0", + "Nunit", + "O-UDA-1.0", + "OAR", + "OCCT-PL", + "OCLC-2.0", + "ODbL-1.0", + "ODC-By-1.0", + "OFFIS", + "OFL-1.0", + "OFL-1.0-no-RFN", + "OFL-1.0-RFN", + "OFL-1.1", + "OFL-1.1-no-RFN", + "OFL-1.1-RFN", + "OGC-1.0", + "OGDL-Taiwan-1.0", + "OGL-Canada-2.0", + "OGL-UK-1.0", + "OGL-UK-2.0", + "OGL-UK-3.0", + "OGTSL", + "OLDAP-1.1", + "OLDAP-1.2", + "OLDAP-1.3", + "OLDAP-1.4", + "OLDAP-2.0", + "OLDAP-2.0.1", + "OLDAP-2.1", + "OLDAP-2.2", + "OLDAP-2.2.1", + "OLDAP-2.2.2", + "OLDAP-2.3", + "OLDAP-2.4", + "OLDAP-2.5", + "OLDAP-2.6", + "OLDAP-2.7", + "OLDAP-2.8", + "OLFL-1.3", + "OML", + "OpenPBS-2.3", + "OpenSSL", + "OpenSSL-standalone", + "OpenVision", + "OPL-1.0", + "OPL-UK-3.0", + "OPUBL-1.0", + "OSET-PL-2.1", + "OSL-1.0", + 
"OSL-1.1", + "OSL-2.0", + "OSL-2.1", + "OSL-3.0", + "PADL", + "Parity-6.0.0", + "Parity-7.0.0", + "PDDL-1.0", + "PHP-3.0", + "PHP-3.01", + "Pixar", + "pkgconf", + "Plexus", + "pnmstitch", + "PolyForm-Noncommercial-1.0.0", + "PolyForm-Small-Business-1.0.0", + "PostgreSQL", + "PPL", + "PSF-2.0", + "psfrag", + "psutils", + "Python-2.0", + "Python-2.0.1", + "python-ldap", + "Qhull", + "QPL-1.0", + "QPL-1.0-INRIA-2004", + "radvd", + "Rdisc", + "RHeCos-1.1", + "RPL-1.1", + "RPL-1.5", + "RPSL-1.0", + "RSA-MD", + "RSCPL", + "Ruby", + "Ruby-pty", + "SAX-PD", + "SAX-PD-2.0", + "Saxpath", + "SCEA", + "SchemeReport", + "Sendmail", + "Sendmail-8.23", + "Sendmail-Open-Source-1.1", + "SGI-B-1.0", + "SGI-B-1.1", + "SGI-B-2.0", + "SGI-OpenGL", + "SGP4", + "SHL-0.5", + "SHL-0.51", + "SimPL-2.0", + "SISSL", + "SISSL-1.2", + "SL", + "Sleepycat", + "SMAIL-GPL", + "SMLNJ", + "SMPPL", + "SNIA", + "snprintf", + "SOFA", + "softSurfer", + "Soundex", + "Spencer-86", + "Spencer-94", + "Spencer-99", + "SPL-1.0", + "ssh-keyscan", + "SSH-OpenSSH", + "SSH-short", + "SSLeay-standalone", + "SSPL-1.0", + "StandardML-NJ", + "SugarCRM-1.1.3", + "SUL-1.0", + "Sun-PPP", + "Sun-PPP-2000", + "SunPro", + "SWL", + "swrule", + "Symlinks", + "TAPR-OHL-1.0", + "TCL", + "TCP-wrappers", + "TermReadKey", + "TGPPL-1.0", + "ThirdEye", + "threeparttable", + "TMate", + "TORQUE-1.1", + "TOSL", + "TPDL", + "TPL-1.0", + "TrustedQSL", + "TTWL", + "TTYP0", + "TU-Berlin-1.0", + "TU-Berlin-2.0", + "Ubuntu-font-1.0", + "UCAR", + "UCL-1.0", + "ulem", + "UMich-Merit", + "Unicode-3.0", + "Unicode-DFS-2015", + "Unicode-DFS-2016", + "Unicode-TOU", + "UnixCrypt", + "Unlicense", + "Unlicense-libtelnet", + "Unlicense-libwhirlpool", + "UPL-1.0", + "URT-RLE", + "Vim", + "VOSTROM", + "VSL-1.0", + "W3C", + "W3C-19980720", + "W3C-20150513", + "w3m", + "Watcom-1.0", + "Widget-Workshop", + "Wsuipa", + "WTFPL", + "wwl", + "wxWindows", + "X11", + "X11-distribute-modifications-variant", + "X11-swapped", + "Xdebug-1.03", + "Xerox", + "Xfig", + 
"XFree86-1.1", + "xinetd", + "xkeyboard-config-Zinoviev", + "xlock", + "Xnet", + "xpp", + "XSkat", + "xzoom", + "YPL-1.0", + "YPL-1.1", + "Zed", + "Zeeff", + "Zend-2.0", + "Zimbra-1.3", + "Zimbra-1.4", + "Zlib", + "zlib-acknowledgement", + "ZPL-1.1", + "ZPL-2.0", + "ZPL-2.1", + "389-exception", + "Asterisk-exception", + "Asterisk-linking-protocols-exception", + "Autoconf-exception-2.0", + "Autoconf-exception-3.0", + "Autoconf-exception-generic", + "Autoconf-exception-generic-3.0", + "Autoconf-exception-macro", + "Bison-exception-1.24", + "Bison-exception-2.2", + "Bootloader-exception", + "CGAL-linking-exception", + "Classpath-exception-2.0", + "CLISP-exception-2.0", + "cryptsetup-OpenSSL-exception", + "Digia-Qt-LGPL-exception-1.1", + "DigiRule-FOSS-exception", + "eCos-exception-2.0", + "erlang-otp-linking-exception", + "Fawkes-Runtime-exception", + "FLTK-exception", + "fmt-exception", + "Font-exception-2.0", + "freertos-exception-2.0", + "GCC-exception-2.0", + "GCC-exception-2.0-note", + "GCC-exception-3.1", + "Gmsh-exception", + "GNAT-exception", + "GNOME-examples-exception", + "GNU-compiler-exception", + "gnu-javamail-exception", + "GPL-3.0-389-ds-base-exception", + "GPL-3.0-interface-exception", + "GPL-3.0-linking-exception", + "GPL-3.0-linking-source-exception", + "GPL-CC-1.0", + "GStreamer-exception-2005", + "GStreamer-exception-2008", + "harbour-exception", + "i2p-gpl-java-exception", + "Independent-modules-exception", + "KiCad-libraries-exception", + "LGPL-3.0-linking-exception", + "libpri-OpenH323-exception", + "Libtool-exception", + "Linux-syscall-note", + "LLGPL", + "LLVM-exception", + "LZMA-exception", + "mif-exception", + "mxml-exception", + "Nokia-Qt-exception-1.1", + "OCaml-LGPL-linking-exception", + "OCCT-exception-1.0", + "OpenJDK-assembly-exception-1.0", + "openvpn-openssl-exception", + "PCRE2-exception", + "polyparse-exception", + "PS-or-PDF-font-exception-20170817", + "QPL-1.0-INRIA-2004-exception", + "Qt-GPL-exception-1.0", + 
"Qt-LGPL-exception-1.1", + "Qwt-exception-1.0", + "romic-exception", + "RRDtool-FLOSS-exception-2.0", + "SANE-exception", + "SHL-2.0", + "SHL-2.1", + "stunnel-exception", + "SWI-exception", + "Swift-exception", + "Texinfo-exception", + "u-boot-exception-2.0", + "UBDL-exception", + "Universal-FOSS-exception-1.0", + "vsftpd-openssl-exception", + "WxWindows-exception-3.1", + "x11vnc-openssl-exception" + ] +} diff --git a/schema/spdx.xsd b/schema/spdx.xsd new file mode 100644 index 0000000..41a27b0 --- /dev/null +++ b/schema/spdx.xsd 
@@ -0,0 +1,3904 @@ + + + + + + + + + BSD Zero Clause License + + + + + 3D Slicer License v1.0 + + + + + Attribution Assurance License + + + + + Abstyles License + + + + + AdaCore Doc License + + + + + Adobe Systems Incorporated Source Code License Agreement + + + + + Adobe Display PostScript License + + + + + Adobe Glyph List License + + + + + Adobe Utopia Font License + + + + + Amazon Digital Services License + + + + + Academic Free License v1.1 + + + + + Academic Free License v1.2 + + + + + Academic Free License v2.0 + + + + + Academic Free License v2.1 + + + + + Academic Free License v3.0 + + + + + Afmparse License + + + + + Affero General Public License v1.0 + + + + + Affero General Public License v1.0 only + + + + + Affero General Public License v1.0 or later + + + + + GNU Affero General Public License v3.0 + + + + + GNU Affero General Public License v3.0 only + + + + + GNU Affero General Public License v3.0 or later + + + + + Aladdin Free Public License + + + + + AMD newlib License + + + + + AMD's plpa_map.c License + + + + + Apple MIT License + + + + + AML glslang variant License + + + + + Academy of Motion Picture Arts and Sciences BSD + + + + + ANTLR Software Rights Notice + + + + + ANTLR Software Rights Notice with license fallback + + + + + Any OSI License + + + + + Any OSI License - Perl Modules + + + + + Apache License 1.0 + + + + + Apache License 1.1 + + + + + Apache License 2.0 + + + + + Adobe Postscript AFM License + + + + + Adaptive Public License 1.0 + + + + + App::s2p License + + + + + Apple Public Source License 1.0 + + + + + Apple Public Source License 1.1 + + + + + Apple Public Source License 1.2 + + + + + Apple Public Source License 2.0 + + + + + Arphic Public License + + + + + Artistic License 1.0 + + + + + Artistic License 1.0 w/clause 8 + + + + + Artistic License 1.0 (Perl) + + + + + Artistic License 2.0 + + + + + Artistic License 1.0 (dist) + + + + + Aspell Russian License + + + + + ASWF Digital Assets License version 1.0 + + + + + ASWF 
Digital Assets License 1.1 + + + + + Baekmuk License + + + + + Bahyph License + + + + + Barr License + + + + + bcrypt Solar Designer License + + + + + Beerware License + + + + + Bitstream Charter Font License + + + + + Bitstream Vera Font License + + + + + BitTorrent Open Source License v1.0 + + + + + BitTorrent Open Source License v1.1 + + + + + SQLite Blessing + + + + + Blue Oak Model License 1.0.0 + + + + + Boehm-Demers-Weiser GC License + + + + + Boehm-Demers-Weiser GC License (without fee) + + + + + Borceux license + + + + + Brian Gladman 2-Clause License + + + + + Brian Gladman 3-Clause License + + + + + BSD 1-Clause License + + + + + BSD 2-Clause "Simplified" License + + + + + BSD 2-Clause - Ian Darwin variant + + + + + BSD 2-Clause - first lines requirement + + + + + BSD 2-Clause FreeBSD License + + + + + BSD 2-Clause NetBSD License + + + + + BSD-2-Clause Plus Patent License + + + + + BSD 2-Clause pkgconf disclaimer variant + + + + + BSD 2-Clause with views sentence + + + + + BSD 3-Clause "New" or "Revised" License + + + + + BSD 3-Clause acpica variant + + + + + BSD with attribution + + + + + BSD 3-Clause Clear License + + + + + BSD 3-Clause Flex variant + + + + + Hewlett-Packard BSD variant license + + + + + Lawrence Berkeley National Labs BSD variant license + + + + + BSD 3-Clause Modification + + + + + BSD 3-Clause No Military License + + + + + BSD 3-Clause No Nuclear License + + + + + BSD 3-Clause No Nuclear License 2014 + + + + + BSD 3-Clause No Nuclear Warranty + + + + + BSD 3-Clause Open MPI variant + + + + + BSD 3-Clause Sun Microsystems + + + + + BSD 4-Clause "Original" or "Old" License + + + + + BSD 4 Clause Shortened + + + + + BSD-4-Clause (University of California-Specific) + + + + + BSD 4.3 RENO License + + + + + BSD 4.3 TAHOE License + + + + + BSD Advertising Acknowledgement License + + + + + BSD with Attribution and HPND disclaimer + + + + + BSD-Inferno-Nettverk + + + + + BSD Protection License + + + + + BSD Source Code Attribution - 
beginning of file variant + + + + + BSD Source Code Attribution + + + + + Systemics BSD variant license + + + + + Systemics W3Works BSD variant license + + + + + Boost Software License 1.0 + + + + + Business Source License 1.1 + + + + + bzip2 and libbzip2 License v1.0.5 + + + + + bzip2 and libbzip2 License v1.0.6 + + + + + Computational Use of Data Agreement v1.0 + + + + + Cryptographic Autonomy License 1.0 + + + + + Cryptographic Autonomy License 1.0 (Combined Work Exception) + + + + + Caldera License + + + + + Caldera License (without preamble) + + + + + Catharon License + + + + + Computer Associates Trusted Open Source License 1.1 + + + + + Creative Commons Attribution 1.0 Generic + + + + + Creative Commons Attribution 2.0 Generic + + + + + Creative Commons Attribution 2.5 Generic + + + + + Creative Commons Attribution 2.5 Australia + + + + + Creative Commons Attribution 3.0 Unported + + + + + Creative Commons Attribution 3.0 Austria + + + + + Creative Commons Attribution 3.0 Australia + + + + + Creative Commons Attribution 3.0 Germany + + + + + Creative Commons Attribution 3.0 IGO + + + + + Creative Commons Attribution 3.0 Netherlands + + + + + Creative Commons Attribution 3.0 United States + + + + + Creative Commons Attribution 4.0 International + + + + + Creative Commons Attribution Non Commercial 1.0 Generic + + + + + Creative Commons Attribution Non Commercial 2.0 Generic + + + + + Creative Commons Attribution Non Commercial 2.5 Generic + + + + + Creative Commons Attribution Non Commercial 3.0 Unported + + + + + Creative Commons Attribution Non Commercial 3.0 Germany + + + + + Creative Commons Attribution Non Commercial 4.0 International + + + + + Creative Commons Attribution Non Commercial No Derivatives 1.0 Generic + + + + + Creative Commons Attribution Non Commercial No Derivatives 2.0 Generic + + + + + Creative Commons Attribution Non Commercial No Derivatives 2.5 Generic + + + + + Creative Commons Attribution Non Commercial No Derivatives 3.0 Unported 
+ + + + + Creative Commons Attribution Non Commercial No Derivatives 3.0 Germany + + + + + Creative Commons Attribution Non Commercial No Derivatives 3.0 IGO + + + + + Creative Commons Attribution Non Commercial No Derivatives 4.0 International + + + + + Creative Commons Attribution Non Commercial Share Alike 1.0 Generic + + + + + Creative Commons Attribution Non Commercial Share Alike 2.0 Generic + + + + + Creative Commons Attribution Non Commercial Share Alike 2.0 Germany + + + + + Creative Commons Attribution-NonCommercial-ShareAlike 2.0 France + + + + + Creative Commons Attribution Non Commercial Share Alike 2.0 England and Wales + + + + + Creative Commons Attribution Non Commercial Share Alike 2.5 Generic + + + + + Creative Commons Attribution Non Commercial Share Alike 3.0 Unported + + + + + Creative Commons Attribution Non Commercial Share Alike 3.0 Germany + + + + + Creative Commons Attribution Non Commercial Share Alike 3.0 IGO + + + + + Creative Commons Attribution Non Commercial Share Alike 4.0 International + + + + + Creative Commons Attribution No Derivatives 1.0 Generic + + + + + Creative Commons Attribution No Derivatives 2.0 Generic + + + + + Creative Commons Attribution No Derivatives 2.5 Generic + + + + + Creative Commons Attribution No Derivatives 3.0 Unported + + + + + Creative Commons Attribution No Derivatives 3.0 Germany + + + + + Creative Commons Attribution No Derivatives 4.0 International + + + + + Creative Commons Attribution Share Alike 1.0 Generic + + + + + Creative Commons Attribution Share Alike 2.0 Generic + + + + + Creative Commons Attribution Share Alike 2.0 England and Wales + + + + + Creative Commons Attribution Share Alike 2.1 Japan + + + + + Creative Commons Attribution Share Alike 2.5 Generic + + + + + Creative Commons Attribution Share Alike 3.0 Unported + + + + + Creative Commons Attribution Share Alike 3.0 Austria + + + + + Creative Commons Attribution Share Alike 3.0 Germany + + + + + Creative Commons 
Attribution-ShareAlike 3.0 IGO + + + + + Creative Commons Attribution Share Alike 4.0 International + + + + + Creative Commons Public Domain Dedication and Certification + + + + + Creative Commons Public Domain Mark 1.0 Universal + + + + + Creative Commons Share Alike 1.0 Generic + + + + + Creative Commons Zero v1.0 Universal + + + + + Common Development and Distribution License 1.0 + + + + + Common Development and Distribution License 1.1 + + + + + Common Documentation License 1.0 + + + + + Community Data License Agreement Permissive 1.0 + + + + + Community Data License Agreement Permissive 2.0 + + + + + Community Data License Agreement Sharing 1.0 + + + + + CeCILL Free Software License Agreement v1.0 + + + + + CeCILL Free Software License Agreement v1.1 + + + + + CeCILL Free Software License Agreement v2.0 + + + + + CeCILL Free Software License Agreement v2.1 + + + + + CeCILL-B Free Software License Agreement + + + + + CeCILL-C Free Software License Agreement + + + + + CERN Open Hardware Licence v1.1 + + + + + CERN Open Hardware Licence v1.2 + + + + + CERN Open Hardware Licence Version 2 - Permissive + + + + + CERN Open Hardware Licence Version 2 - Strongly Reciprocal + + + + + CERN Open Hardware Licence Version 2 - Weakly Reciprocal + + + + + CFITSIO License + + + + + check-cvs License + + + + + Checkmk License + + + + + Clarified Artistic License + + + + + Clips License + + + + + CMU Mach License + + + + + CMU Mach - no notices-in-documentation variant + + + + + CNRI Jython License + + + + + CNRI Python License + + + + + CNRI Python Open Source GPL Compatible License Agreement + + + + + Copyfree Open Innovation License + + + + + Community Specification License 1.0 + + + + + Condor Public License v1.1 + + + + + copyleft-next 0.3.0 + + + + + copyleft-next 0.3.1 + + + + + Cornell Lossless JPEG License + + + + + Common Public Attribution License 1.0 + + + + + Common Public License 1.0 + + + + + Code Project Open License 1.02 + + + + + Cronyx License + + + + + 
Crossword License + + + + + CryptoSwift License + + + + + CrystalStacker License + + + + + CUA Office Public License v1.0 + + + + + Cube License + + + + + curl License + + + + + Common Vulnerability Enumeration ToU License + + + + + Deutsche Freie Software Lizenz + + + + + DEC 3-Clause License + + + + + diffmark license + + + + + Data licence Germany – attribution – version 2.0 + + + + + Data licence Germany – zero – version 2.0 + + + + + DOC License + + + + + DocBook DTD License + + + + + DocBook Schema License + + + + + DocBook Stylesheet License + + + + + DocBook XML License + + + + + Dotseqn License + + + + + Detection Rule License 1.0 + + + + + Detection Rule License 1.1 + + + + + DSDP License + + + + + David M. Gay dtoa License + + + + + dvipdfm License + + + + + Educational Community License v1.0 + + + + + Educational Community License v2.0 + + + + + eCos license version 2.0 + + + + + Eiffel Forum License v1.0 + + + + + Eiffel Forum License v2.0 + + + + + eGenix.com Public License 1.1.0 + + + + + Elastic License 2.0 + + + + + Entessa Public License v1.0 + + + + + EPICS Open License + + + + + Eclipse Public License 1.0 + + + + + Eclipse Public License 2.0 + + + + + Erlang Public License v1.1 + + + + + Etalab Open License 2.0 + + + + + EU DataGrid Software License + + + + + European Union Public License 1.0 + + + + + European Union Public License 1.1 + + + + + European Union Public License 1.2 + + + + + Eurosym License + + + + + Fair License + + + + + Fuzzy Bitmap License + + + + + Fraunhofer FDK AAC Codec Library + + + + + Ferguson Twofish License + + + + + Frameworx Open License 1.0 + + + + + FreeBSD Documentation License + + + + + FreeImage Public License v1.0 + + + + + FSF All Permissive License + + + + + FSF All Permissive License (without Warranty) + + + + + FSF Unlimited License + + + + + FSF Unlimited License (with License Retention) + + + + + FSF Unlimited License (with License Retention and Short Disclaimer) + + + + + FSF Unlimited License (With 
License Retention and Warranty Disclaimer) + + + + + Functional Source License, Version 1.1, ALv2 Future License + + + + + Functional Source License, Version 1.1, MIT Future License + + + + + Freetype Project License + + + + + Furuseth License + + + + + fwlw License + + + + + Game Programming Gems License + + + + + Gnome GCR Documentation License + + + + + GD License + + + + + Generic XTS License + + + + + GNU Free Documentation License v1.1 + + + + + GNU Free Documentation License v1.1 only - invariants + + + + + GNU Free Documentation License v1.1 or later - invariants + + + + + GNU Free Documentation License v1.1 only - no invariants + + + + + GNU Free Documentation License v1.1 or later - no invariants + + + + + GNU Free Documentation License v1.1 only + + + + + GNU Free Documentation License v1.1 or later + + + + + GNU Free Documentation License v1.2 + + + + + GNU Free Documentation License v1.2 only - invariants + + + + + GNU Free Documentation License v1.2 or later - invariants + + + + + GNU Free Documentation License v1.2 only - no invariants + + + + + GNU Free Documentation License v1.2 or later - no invariants + + + + + GNU Free Documentation License v1.2 only + + + + + GNU Free Documentation License v1.2 or later + + + + + GNU Free Documentation License v1.3 + + + + + GNU Free Documentation License v1.3 only - invariants + + + + + GNU Free Documentation License v1.3 or later - invariants + + + + + GNU Free Documentation License v1.3 only - no invariants + + + + + GNU Free Documentation License v1.3 or later - no invariants + + + + + GNU Free Documentation License v1.3 only + + + + + GNU Free Documentation License v1.3 or later + + + + + Giftware License + + + + + GL2PS License + + + + + 3dfx Glide License + + + + + Glulxe License + + + + + Good Luck With That Public License + + + + + gnuplot License + + + + + GNU General Public License v1.0 only + + + + + GNU General Public License v1.0 or later + + + + + GNU General Public License v1.0 only + + + + + 
GNU General Public License v1.0 or later + + + + + GNU General Public License v2.0 only + + + + + GNU General Public License v2.0 or later + + + + + GNU General Public License v2.0 only + + + + + GNU General Public License v2.0 or later + + + + + GNU General Public License v2.0 w/Autoconf exception + + + + + GNU General Public License v2.0 w/Bison exception + + + + + GNU General Public License v2.0 w/Classpath exception + + + + + GNU General Public License v2.0 w/Font exception + + + + + GNU General Public License v2.0 w/GCC Runtime Library exception + + + + + GNU General Public License v3.0 only + + + + + GNU General Public License v3.0 or later + + + + + GNU General Public License v3.0 only + + + + + GNU General Public License v3.0 or later + + + + + GNU General Public License v3.0 w/Autoconf exception + + + + + GNU General Public License v3.0 w/GCC Runtime Library exception + + + + + Graphics Gems License + + + + + gSOAP Public License v1.3b + + + + + gtkbook License + + + + + Gutmann License + + + + + Haskell Language Report License + + + + + HDF5 License + + + + + hdparm License + + + + + HIDAPI License + + + + + Hippocratic License 2.1 + + + + + Hewlett-Packard 1986 License + + + + + Hewlett-Packard 1989 License + + + + + Historical Permission Notice and Disclaimer + + + + + Historical Permission Notice and Disclaimer - DEC variant + + + + + Historical Permission Notice and Disclaimer - documentation variant + + + + + Historical Permission Notice and Disclaimer - documentation sell variant + + + + + HPND with US Government export control warning + + + + + HPND with US Government export control warning and acknowledgment + + + + + HPND with US Government export control warning and modification rqmt + + + + + HPND with US Government export control and 2 disclaimers + + + + + Historical Permission Notice and Disclaimer - Fenneberg-Livingston variant + + + + + Historical Permission Notice and Disclaimer - INRIA-IMAG variant + + + + + Historical Permission Notice 
and Disclaimer - Intel variant + + + + + Historical Permission Notice and Disclaimer - Kevlin Henney variant + + + + + Historical Permission Notice and Disclaimer - Markus Kuhn variant + + + + + Historical Permission Notice and Disclaimer - merchantability variant + + + + + Historical Permission Notice and Disclaimer with MIT disclaimer + + + + + Historical Permission Notice and Disclaimer - Netrek variant + + + + + Historical Permission Notice and Disclaimer - Pbmplus variant + + + + + Historical Permission Notice and Disclaimer - sell xserver variant with MIT disclaimer + + + + + Historical Permission Notice and Disclaimer - sell regexpr variant + + + + + Historical Permission Notice and Disclaimer - sell variant + + + + + HPND sell variant with MIT disclaimer + + + + + HPND sell variant with MIT disclaimer - reverse + + + + + Historical Permission Notice and Disclaimer - University of California variant + + + + + Historical Permission Notice and Disclaimer - University of California, US export warning + + + + + HTML Tidy License + + + + + IBM PowerPC Initialization and Boot Software + + + + + ICU License + + + + + IEC Code Components End-user licence agreement + + + + + Independent JPEG Group License + + + + + Independent JPEG Group License - short + + + + + ImageMagick License + + + + + iMatix Standard Function Library Agreement + + + + + Imlib2 License + + + + + Info-ZIP License + + + + + Inner Net License v2.0 + + + + + Inno Setup License + + + + + Intel Open Source License + + + + + Intel ACPI Software License Agreement + + + + + Interbase Public License v1.0 + + + + + IPA Font License + + + + + IBM Public License v1.0 + + + + + ISC License + + + + + ISC Veillard variant + + + + + Jam License + + + + + JasPer License + + + + + Jove License + + + + + JPL Image Use Policy + + + + + Japan Network Information Center License + + + + + JSON License + + + + + Kastrup License + + + + + Kazlib License + + + + + Knuth CTAN License + + + + + Licence Art Libre 1.2 + + + 
+ + Licence Art Libre 1.3 + + + + + Latex2e License + + + + + Latex2e with translated notice permission + + + + + Leptonica License + + + + + GNU Library General Public License v2 only + + + + + GNU Library General Public License v2 or later + + + + + GNU Library General Public License v2 only + + + + + GNU Library General Public License v2 or later + + + + + GNU Lesser General Public License v2.1 only + + + + + GNU Lesser General Public License v2.1 or later + + + + + GNU Lesser General Public License v2.1 only + + + + + GNU Lesser General Public License v2.1 or later + + + + + GNU Lesser General Public License v3.0 only + + + + + GNU Lesser General Public License v3.0 or later + + + + + GNU Lesser General Public License v3.0 only + + + + + GNU Lesser General Public License v3.0 or later + + + + + Lesser General Public License For Linguistic Resources + + + + + libpng License + + + + + PNG Reference Library License v1 (for libpng 0.5 through 1.6.35) + + + + + PNG Reference Library version 2 + + + + + libselinux public domain notice + + + + + libtiff License + + + + + libutil David Nugent License + + + + + Licence Libre du Québec – Permissive version 1.1 + + + + + Licence Libre du Québec – Réciprocité version 1.1 + + + + + Licence Libre du Québec – Réciprocité forte version 1.1 + + + + + Linux man-pages - 1 paragraph + + + + + Linux man-pages Copyleft + + + + + Linux man-pages Copyleft - 2 paragraphs + + + + + Linux man-pages Copyleft Variant + + + + + Linux Kernel Variant of OpenIB.org license + + + + + Common Lisp LOOP License + + + + + LPD Documentation License + + + + + Lucent Public License Version 1.0 + + + + + Lucent Public License v1.02 + + + + + LaTeX Project Public License v1.0 + + + + + LaTeX Project Public License v1.1 + + + + + LaTeX Project Public License v1.2 + + + + + LaTeX Project Public License v1.3a + + + + + LaTeX Project Public License v1.3c + + + + + lsof License + + + + + Lucida Bitmap Fonts License + + + + + LZMA SDK License (versions 9.11 
to 9.20) + + + + + LZMA SDK License (versions 9.22 and beyond) + + + + + Mackerras 3-Clause License + + + + + Mackerras 3-Clause - acknowledgment variant + + + + + magaz License + + + + + mailprio License + + + + + MakeIndex License + + + + + man2html License + + + + + Martin Birgmeier License + + + + + McPhee Slideshow License + + + + + metamail License + + + + + Minpack License + + + + + MIPS License + + + + + The MirOS Licence + + + + + MIT License + + + + + MIT No Attribution + + + + + Enlightenment License (e16) + + + + + MIT Click License + + + + + CMU License + + + + + enna License + + + + + feh License + + + + + MIT Festival Variant + + + + + MIT Khronos - old variant + + + + + MIT License Modern Variant + + + + + MIT Open Group variant + + + + + MIT testregex Variant + + + + + MIT Tom Wu Variant + + + + + MIT +no-false-attribs license + + + + + MMIXware License + + + + + Motosoto License + + + + + MPEG Software Simulation + + + + + mpi Permissive License + + + + + mpich2 License + + + + + Mozilla Public License 1.0 + + + + + Mozilla Public License 1.1 + + + + + Mozilla Public License 2.0 + + + + + Mozilla Public License 2.0 (no copyleft exception) + + + + + mplus Font License + + + + + Microsoft Limited Public License + + + + + Microsoft Public License + + + + + Microsoft Reciprocal License + + + + + Matrix Template Library License + + + + + Mulan Permissive Software License, Version 1 + + + + + Mulan Permissive Software License, Version 2 + + + + + Multics License + + + + + Mup License + + + + + Nara Institute of Science and Technology License (2003) + + + + + NASA Open Source Agreement 1.3 + + + + + Naumen Public License + + + + + Net Boolean Public License v1 + + + + + NCBI Public Domain Notice + + + + + Non-Commercial Government Licence + + + + + NCL Source Code License + + + + + University of Illinois/NCSA Open Source License + + + + + Net-SNMP License + + + + + NetCDF license + + + + + Newsletr License + + + + + Nethack General Public License + + + + 
+ ngrep License + + + + + NICTA Public Software License, Version 1.0 + + + + + NIST Public Domain Notice + + + + + NIST Public Domain Notice with license fallback + + + + + NIST Software License + + + + + Norwegian Licence for Open Government Data (NLOD) 1.0 + + + + + Norwegian Licence for Open Government Data (NLOD) 2.0 + + + + + No Limit Public License + + + + + Nokia Open Source License + + + + + Netizen Open Source License + + + + + Noweb License + + + + + Netscape Public License v1.0 + + + + + Netscape Public License v1.1 + + + + + Non-Profit Open Software License 3.0 + + + + + NRL License + + + + + NTIA Public Domain Notice + + + + + NTP License + + + + + NTP No Attribution + + + + + Nunit License + + + + + Open Use of Data Agreement v1.0 + + + + + OAR License + + + + + Open CASCADE Technology Public License + + + + + OCLC Research Public License 2.0 + + + + + Open Data Commons Open Database License v1.0 + + + + + Open Data Commons Attribution License v1.0 + + + + + OFFIS License + + + + + SIL Open Font License 1.0 + + + + + SIL Open Font License 1.0 with no Reserved Font Name + + + + + SIL Open Font License 1.0 with Reserved Font Name + + + + + SIL Open Font License 1.1 + + + + + SIL Open Font License 1.1 with no Reserved Font Name + + + + + SIL Open Font License 1.1 with Reserved Font Name + + + + + OGC Software License, Version 1.0 + + + + + Taiwan Open Government Data License, version 1.0 + + + + + Open Government Licence - Canada + + + + + Open Government Licence v1.0 + + + + + Open Government Licence v2.0 + + + + + Open Government Licence v3.0 + + + + + Open Group Test Suite License + + + + + Open LDAP Public License v1.1 + + + + + Open LDAP Public License v1.2 + + + + + Open LDAP Public License v1.3 + + + + + Open LDAP Public License v1.4 + + + + + Open LDAP Public License v2.0 (or possibly 2.0A and 2.0B) + + + + + Open LDAP Public License v2.0.1 + + + + + Open LDAP Public License v2.1 + + + + + Open LDAP Public License v2.2 + + + + + Open LDAP Public 
License v2.2.1 + + + + + Open LDAP Public License 2.2.2 + + + + + Open LDAP Public License v2.3 + + + + + Open LDAP Public License v2.4 + + + + + Open LDAP Public License v2.5 + + + + + Open LDAP Public License v2.6 + + + + + Open LDAP Public License v2.7 + + + + + Open LDAP Public License v2.8 + + + + + Open Logistics Foundation License Version 1.3 + + + + + Open Market License + + + + + OpenPBS v2.3 Software License + + + + + OpenSSL License + + + + + OpenSSL License - standalone + + + + + OpenVision License + + + + + Open Public License v1.0 + + + + + United Kingdom Open Parliament Licence v3.0 + + + + + Open Publication License v1.0 + + + + + OSET Public License version 2.1 + + + + + Open Software License 1.0 + + + + + Open Software License 1.1 + + + + + Open Software License 2.0 + + + + + Open Software License 2.1 + + + + + Open Software License 3.0 + + + + + PADL License + + + + + The Parity Public License 6.0.0 + + + + + The Parity Public License 7.0.0 + + + + + Open Data Commons Public Domain Dedication & License 1.0 + + + + + PHP License v3.0 + + + + + PHP License v3.01 + + + + + Pixar License + + + + + pkgconf License + + + + + Plexus Classworlds License + + + + + pnmstitch License + + + + + PolyForm Noncommercial License 1.0.0 + + + + + PolyForm Small Business License 1.0.0 + + + + + PostgreSQL License + + + + + Peer Production License + + + + + Python Software Foundation License 2.0 + + + + + psfrag License + + + + + psutils License + + + + + Python License 2.0 + + + + + Python License 2.0.1 + + + + + Python ldap License + + + + + Qhull License + + + + + Q Public License 1.0 + + + + + Q Public License 1.0 - INRIA 2004 variant + + + + + radvd License + + + + + Rdisc License + + + + + Red Hat eCos Public License v1.1 + + + + + Reciprocal Public License 1.1 + + + + + Reciprocal Public License 1.5 + + + + + RealNetworks Public Source License v1.0 + + + + + RSA Message-Digest License + + + + + Ricoh Source Code Public License + + + + + Ruby License + + + + + 
Ruby pty extension license + + + + + Sax Public Domain Notice + + + + + Sax Public Domain Notice 2.0 + + + + + Saxpath License + + + + + SCEA Shared Source License + + + + + Scheme Language Report License + + + + + Sendmail License + + + + + Sendmail License 8.23 + + + + + Sendmail Open Source License v1.1 + + + + + SGI Free Software License B v1.0 + + + + + SGI Free Software License B v1.1 + + + + + SGI Free Software License B v2.0 + + + + + SGI OpenGL License + + + + + SGP4 Permission Notice + + + + + Solderpad Hardware License v0.5 + + + + + Solderpad Hardware License, Version 0.51 + + + + + Simple Public License 2.0 + + + + + Sun Industry Standards Source License v1.1 + + + + + Sun Industry Standards Source License v1.2 + + + + + SL License + + + + + Sleepycat License + + + + + SMAIL General Public License + + + + + Standard ML of New Jersey License + + + + + Secure Messaging Protocol Public License + + + + + SNIA Public License 1.1 + + + + + snprintf License + + + + + SOFA Software License + + + + + softSurfer License + + + + + Soundex License + + + + + Spencer License 86 + + + + + Spencer License 94 + + + + + Spencer License 99 + + + + + Sun Public License v1.0 + + + + + ssh-keyscan License + + + + + SSH OpenSSH license + + + + + SSH short notice + + + + + SSLeay License - standalone + + + + + Server Side Public License, v 1 + + + + + Standard ML of New Jersey License + + + + + SugarCRM Public License v1.1.3 + + + + + Sustainable Use License v1.0 + + + + + Sun PPP License + + + + + Sun PPP License (2000) + + + + + SunPro License + + + + + Scheme Widget Library (SWL) Software License Agreement + + + + + swrule License + + + + + Symlinks License + + + + + TAPR Open Hardware License v1.0 + + + + + TCL/TK License + + + + + TCP Wrappers License + + + + + TermReadKey License + + + + + Transitive Grace Period Public Licence 1.0 + + + + + ThirdEye License + + + + + threeparttable License + + + + + TMate Open Source License + + + + + TORQUE v2.5+ Software License v1.1 
+ + + + + Trusster Open Source License + + + + + Time::ParseDate License + + + + + THOR Public License 1.0 + + + + + TrustedQSL License + + + + + Text-Tabs+Wrap License + + + + + TTYP0 License + + + + + Technische Universitaet Berlin License 1.0 + + + + + Technische Universitaet Berlin License 2.0 + + + + + Ubuntu Font Licence v1.0 + + + + + UCAR License + + + + + Upstream Compatibility License v1.0 + + + + + ulem License + + + + + Michigan/Merit Networks License + + + + + Unicode License v3 + + + + + Unicode License Agreement - Data Files and Software (2015) + + + + + Unicode License Agreement - Data Files and Software (2016) + + + + + Unicode Terms of Use + + + + + UnixCrypt License + + + + + The Unlicense + + + + + Unlicense - libtelnet variant + + + + + Unlicense - libwhirlpool variant + + + + + Universal Permissive License v1.0 + + + + + Utah Raster Toolkit Run Length Encoded License + + + + + Vim License + + + + + VOSTROM Public License for Open Source + + + + + Vovida Software License v1.0 + + + + + W3C Software Notice and License (2002-12-31) + + + + + W3C Software Notice and License (1998-07-20) + + + + + W3C Software Notice and Document License (2015-05-13) + + + + + w3m License + + + + + Sybase Open Watcom Public License 1.0 + + + + + Widget Workshop License + + + + + Wsuipa License + + + + + Do What The F*ck You Want To Public License + + + + + WWL License + + + + + wxWindows Library License + + + + + X11 License + + + + + X11 License Distribution Modification Variant + + + + + X11 swapped final paragraphs + + + + + Xdebug License v 1.03 + + + + + Xerox License + + + + + Xfig License + + + + + XFree86 License 1.1 + + + + + xinetd License + + + + + xkeyboard-config Zinoviev License + + + + + xlock License + + + + + X.Net License + + + + + XPP License + + + + + XSkat License + + + + + xzoom License + + + + + Yahoo! Public License v1.0 + + + + + Yahoo! 
Public License v1.1 + + + + + Zed License + + + + + Zeeff License + + + + + Zend License v2.0 + + + + + Zimbra Public License v1.3 + + + + + Zimbra Public License v1.4 + + + + + zlib License + + + + + zlib/libpng License with Acknowledgement + + + + + Zope Public License 1.1 + + + + + Zope Public License 2.0 + + + + + Zope Public License 2.1 + + + + + + 389 Directory Server Exception + + + + + Asterisk exception + + + + + Asterisk linking protocols exception + + + + + Autoconf exception 2.0 + + + + + Autoconf exception 3.0 + + + + + Autoconf generic exception + + + + + Autoconf generic exception for GPL-3.0 + + + + + Autoconf macro exception + + + + + Bison exception 1.24 + + + + + Bison exception 2.2 + + + + + Bootloader Distribution Exception + + + + + CGAL Linking Exception + + + + + Classpath exception 2.0 + + + + + CLISP exception 2.0 + + + + + cryptsetup OpenSSL exception + + + + + Digia Qt LGPL Exception version 1.1 + + + + + DigiRule FOSS License Exception + + + + + eCos exception 2.0 + + + + + Erlang/OTP Linking Exception + + + + + Fawkes Runtime Exception + + + + + FLTK exception + + + + + fmt exception + + + + + Font exception 2.0 + + + + + FreeRTOS Exception 2.0 + + + + + GCC Runtime Library exception 2.0 + + + + + GCC Runtime Library exception 2.0 - note variant + + + + + GCC Runtime Library exception 3.1 + + + + + Gmsh exception + + + + + GNAT exception + + + + + GNOME examples exception + + + + + GNU Compiler Exception + + + + + GNU JavaMail exception + + + + + GPL-3.0 389 DS Base Exception + + + + + GPL-3.0 Interface Exception + + + + + GPL-3.0 Linking Exception + + + + + GPL-3.0 Linking Exception (with Corresponding Source) + + + + + GPL Cooperation Commitment 1.0 + + + + + GStreamer Exception (2005) + + + + + GStreamer Exception (2008) + + + + + harbour exception + + + + + i2p GPL+Java Exception + + + + + Independent Module Linking exception + + + + + KiCad Libraries Exception + + + + + LGPL-3.0 Linking Exception + + + + + libpri OpenH323 
exception + + + + + Libtool Exception + + + + + Linux Syscall Note + + + + + LLGPL Preamble + + + + + LLVM Exception + + + + + LZMA exception + + + + + Macros and Inline Functions Exception + + + + + mxml Exception + + + + + Nokia Qt LGPL exception 1.1 + + + + + OCaml LGPL Linking Exception + + + + + Open CASCADE Exception 1.0 + + + + + OpenJDK Assembly exception 1.0 + + + + + OpenVPN OpenSSL Exception + + + + + PCRE2 exception + + + + + Polyparse Exception + + + + + PS/PDF font exception (2017-08-17) + + + + + INRIA QPL 1.0 2004 variant exception + + + + + Qt GPL exception 1.0 + + + + + Qt LGPL exception 1.1 + + + + + Qwt exception 1.0 + + + + + Romic Exception + + + + + RRDtool FLOSS exception 2.0 + + + + + SANE Exception + + + + + Solderpad Hardware License v2.0 + + + + + Solderpad Hardware License v2.1 + + + + + stunnel Exception + + + + + SWI exception + + + + + Swift Exception + + + + + Texinfo exception + + + + + U-Boot exception 2.0 + + + + + Unmodified Binary Distribution exception + + + + + Universal FOSS Exception, Version 1.0 + + + + + vsftpd OpenSSL exception + + + + + WxWindows Library Exception 3.1 + + + + + x11vnc OpenSSL Exception + + + + + + \ No newline at end of file diff --git a/schema/xmlcatalog.xml b/schema/xmlcatalog.xml new file mode 100644 index 0000000..e250aa7 --- /dev/null +++ b/schema/xmlcatalog.xml @@ -0,0 +1,42 @@ + + + + + + + + + + + + + + + + + + + + + + + diff --git a/sig/cyclonedx/ruby.rbs b/sig/cyclonedx/ruby.rbs new file mode 100644 index 0000000..87df4e5 --- /dev/null +++ b/sig/cyclonedx/ruby.rbs @@ -0,0 +1,6 @@ +module Cyclonedx + module Ruby + VERSION: String + # See the writing guide of rbs: https://github.com/ruby/rbs#guides + end +end diff --git a/spec/bom_helpers_spec.rb b/spec/bom_helpers_spec.rb deleted file mode 100644 index 75adec2..0000000 --- a/spec/bom_helpers_spec.rb +++ /dev/null 
@@ -1,10 +0,0 @@
-require 'spec_helper'
-require 'bom_helpers'
-
-RSpec.describe 'helper methods' do
- context '#purl' do
- it 'builds a purl' do
- expect(purl('activesupport', '7.0.1')).to eq("pkg:gem/activesupport@7.0.1")
- end
- end
-end
diff --git a/spec/bom_component_spec.rb b/spec/cyclonedx/bom_component_spec.rb
similarity index 88%
rename from spec/bom_component_spec.rb
rename to spec/cyclonedx/bom_component_spec.rb
index e02f4d5..127572d 100644
--- a/spec/bom_component_spec.rb
+++ b/spec/cyclonedx/bom_component_spec.rb
@@ -1,7 +1,6 @@
-require 'spec_helper'
-require 'bom_component'
+# frozen_string_literal: true
 
-RSpec.shared_examples "a valid hash_val result for gem" do
+RSpec.shared_examples 'a valid hash_val result for gem' do
 it { expect(result.count).to eq(1) }
 it { expect(result[0][:type]).to eq('library') }
 it { expect(result[0][:name]).to eq(gem.name) }
@@ -13,7 +12,7 @@
 it { expect(result[0][:hashes][0][:content]).to eq(gem.hash) }
 end
 
-RSpec.describe BomComponent do
+RSpec.describe Cyclonedx::BomComponent do
 context '#hash_val' do
 let(:base_gem) do
 OpenStruct.new(
@@ -25,11 +24,11 @@
 )
 end
 
- let(:gem) do
+ let(:gem) do
 base_gem
 end
 
- subject(:result) { BomComponent.new(gem).hash_val }
+ subject(:result) { Cyclonedx::BomComponent.new(gem).hash_val }

 context 'with a gem without a license' do
 include_examples 'a valid hash_val result for gem'
diff --git a/spec/cyclonedx/bom_helpers_spec.rb b/spec/cyclonedx/bom_helpers_spec.rb
new file mode 100644
index 0000000..6a58128
--- /dev/null
+++ b/spec/cyclonedx/bom_helpers_spec.rb
@@ -0,0 +1,16 @@
+# frozen_string_literal: true
+
+RSpec.describe Cyclonedx::BomHelpers do
+ context '#purl' do
+ context 'when legacy method is called' do
+ it 'builds a purl' do
+ skip('Deprecated in favor of Cyclonedx::BomHelpers.purl') unless defined?(purl)
+ expect(purl('activesupport', '7.0.1')).to eq('pkg:gem/activesupport@7.0.1')
+ end
+ end
+
+ it 'builds a purl' do
+ expect(described_class.purl('activesupport', '7.0.1')).to eq('pkg:gem/activesupport@7.0.1')
+ end
+ end
+end
diff --git a/spec/cyclonedx/component_enrichment_spec.rb b/spec/cyclonedx/component_enrichment_spec.rb
new file mode 100644
index 0000000..b876f27
--- /dev/null
+++ b/spec/cyclonedx/component_enrichment_spec.rb
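Review bot: Both examples under `context '#purl'` carry the same description `'builds a purl'`, so the documentation formatter and any failure output cannot tell the legacy top-level helper from `described_class.purl`; rename the nested one, e.g. `it 'builds a purl via the legacy top-level helper' do`. The `skip(...) unless defined?(purl)` guard also means the legacy path stops being exercised silently the moment nothing loads it, with only a pending count as the signal, so a one-line comment above the guard stating that the skip is expected once the legacy require is gone would make that intent explicit.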
@@ -0,0 +1,49 @@
+# frozen_string_literal: true
+
+require 'json'
+require 'nokogiri'
+require_relative '../../lib/cyclonedx/bom_helpers'
+
+RSpec.describe 'component enrichment' do
+ let(:spec_version) { '1.7' }
+ let(:gem_obj) do
+ # Use OpenStruct-like object by simple Struct for deterministic methods
+ Struct.new(:name, :version, :description, :hash, :purl, :author, :license_id, :license_name)
+ .new('sample', '1.0.0', 'desc', 'abc123', 'pkg:gem/sample@1.0.0', 'Alice, Bob', nil, nil)
+ end
+
+ it 'adds bom-ref and publisher for JSON when include_enrichment is true' do
+ json = Cyclonedx::BomHelpers.build_json_bom([gem_obj], spec_version, include_enrichment: true)
+ data = JSON.parse(json)
+ comp = data['components'].first
+ expect(comp['bom-ref']).to eq('pkg:gem/sample@1.0.0')
+ expect(comp['publisher']).to eq('Alice')
+ end
+
+ it 'does not add enrichment fields when flag is false' do
+ json = Cyclonedx::BomHelpers.build_json_bom([gem_obj], spec_version, include_enrichment: false)
+ data = JSON.parse(json)
+ comp = data['components'].first
+ expect(comp).not_to have_key('bom-ref')
+ expect(comp).not_to have_key('publisher')
+ end
+
+ it 'adds bom-ref attribute and publisher element for XML when include_enrichment is true' do
+ xml = Cyclonedx::BomHelpers.build_bom_xml([gem_obj], spec_version, include_enrichment: true)
+ doc = Nokogiri::XML(xml)
+ ns = { 'c' => Cyclonedx::BomHelpers.cyclonedx_xml_namespace(spec_version) }
+ comp = doc.at_xpath('/c:bom/c:components/c:component', ns)
+ expect(comp['bom-ref']).to eq('pkg:gem/sample@1.0.0')
+ expect(doc.at_xpath('/c:bom/c:components/c:component/c:publisher', ns)&.text).to eq('Alice')
+ end
+
+ it 'omits enrichment fields in XML when flag is false' do
+ xml = Cyclonedx::BomHelpers.build_bom_xml([gem_obj], spec_version, include_enrichment: false)
+ doc = Nokogiri::XML(xml)
+ ns = { 'c' => Cyclonedx::BomHelpers.cyclonedx_xml_namespace(spec_version) }
+ comp = doc.at_xpath('/c:bom/c:components/c:component', ns)
+ expect(comp['bom-ref']).to be_nil
+ expect(doc.at_xpath('/c:bom/c:components/c:component/c:publisher', ns)).to be_nil
+ end
+end
+
diff --git a/spec/cyclonedx/metadata_tools_spec.rb b/spec/cyclonedx/metadata_tools_spec.rb
new file mode 100644
index 0000000..4497f49
--- /dev/null
+++ b/spec/cyclonedx/metadata_tools_spec.rb
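Review bot: The JSON and XML examples pin `bom-ref` to the component's purl but never cover two components sharing a purl, and CycloneDX requires `bom-ref` to be unique within a BOM; if the helper derives the ref straight from the purl, duplicate purls in the input would produce duplicate refs that consumers reject. An example passing two gem objects built with the same purl and asserting the collected `bom-ref` values are distinct would pin that, or a comment should state that callers are expected to deduplicate first. Separately, the Struct declares a member named `hash`, which replaces `Object#hash` on `gem_obj` with a String; that is harmless for these assertions, but anything inside the helpers that uses the gem objects as Hash keys or in `uniq` would raise, so a short comment on the `Struct.new` line noting the shadowing would spare the next reader a surprise.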
@@ -0,0 +1,41 @@
+# frozen_string_literal: true
+
+require 'json'
+require 'nokogiri'
+require_relative '../../lib/cyclonedx/bom_helpers'
+require_relative '../../lib/cyclonedx/ruby/version'
+
+RSpec.describe 'metadata.tools emission' do
+ let(:spec_version) { '1.7' }
+
+ it 'adds metadata.tools in JSON when include_metadata is true and spec >= 1.2' do
+ json = Cyclonedx::BomHelpers.build_json_bom([], spec_version, include_metadata: true)
+ data = JSON.parse(json)
+ expect(data['metadata']).to be_a(Hash)
+ expect(data['metadata']['tools']).to be_a(Array)
+ expect(data['metadata']['tools'].first['vendor']).to eq('CycloneDX')
+ expect(data['metadata']['tools'].first['name']).to eq('cyclonedx-ruby')
+ end
+
+ it 'does not add metadata when include_metadata is false' do
+ json = Cyclonedx::BomHelpers.build_json_bom([], spec_version, include_metadata: false)
+ data = JSON.parse(json)
+ expect(data).not_to have_key('metadata')
+ end
+
+ it 'adds metadata.tools in XML when include_metadata is true and spec >= 1.2' do
+ xml = Cyclonedx::BomHelpers.build_bom_xml([], spec_version, include_metadata: true)
+ doc = Nokogiri::XML(xml)
+ ns = { 'c' => Cyclonedx::BomHelpers.cyclonedx_xml_namespace(spec_version) }
+ expect(doc.at_xpath('/c:bom/c:metadata/c:tools/c:tool/c:vendor', ns)&.text).to eq('CycloneDX')
+ expect(doc.at_xpath('/c:bom/c:metadata/c:tools/c:tool/c:name', ns)&.text).to eq('cyclonedx-ruby')
+ end
+
+ it 'omits metadata in XML when flag is false' do
+ xml = Cyclonedx::BomHelpers.build_bom_xml([], spec_version, include_metadata: false)
+ doc = Nokogiri::XML(xml)
+ ns = { 'c' => Cyclonedx::BomHelpers.cyclonedx_xml_namespace(spec_version) }
+ expect(doc.at_xpath('/c:bom/c:metadata', ns)).to be_nil
+ end
+end
+
diff --git a/spec/cyclonedx/ruby_spec.rb b/spec/cyclonedx/ruby_spec.rb
new file mode 100644
index 0000000..b945b9e
--- /dev/null
+++ b/spec/cyclonedx/ruby_spec.rb
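Review bot: `require_relative '../../lib/cyclonedx/ruby/version'` is loaded but `Cyclonedx::Ruby::VERSION` is never asserted, so a tool entry with a stale or missing `version` passes; add `expect(data['metadata']['tools'].first['version']).to eq(Cyclonedx::Ruby::VERSION)` to the first example and the XML counterpart via `c:tool/c:version` to the third. The example titles say "spec >= 1.2" yet every example uses `spec_version` `'1.7'`, so the lower bound of the gate is untested; an example with `spec_version` `'1.1'` and `include_metadata: true` asserting no `metadata` key would pin it. Note also that from CycloneDX 1.5 onward the array form of `metadata.tools` with `vendor` is deprecated in favour of the `tools.components` object, so these assertions lock in the legacy shape for a 1.7 document — fine if intentional, but worth a comment on the `be_a(Array)` line.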
@@ -0,0 +1,7 @@
+# frozen_string_literal: true
+
+RSpec.describe Cyclonedx::Ruby do
+ it 'has a version number' do
+ expect(Cyclonedx::Ruby::VERSION).not_to be nil
+ end
+end
diff --git a/spec/spec_helper.rb b/spec/spec_helper.rb
index 24b4245..a41b751 100644
--- a/spec/spec_helper.rb
+++ b/spec/spec_helper.rb
@@ -1,8 +1,19 @@
-# Copied from https://github.com/cucumber/aruba/blob/3b1a6cea6e3ba55370c3396eef0a955aeb40f287/spec/spec_helper.rb
-# Licensed under MIT - https://github.com/cucumber/aruba/blob/3b1a6cea6e3ba55370c3396eef0a955aeb40f287/LICENSE
+# frozen_string_literal: true
 
-$LOAD_PATH << File.expand_path('../lib', __dir__)
+RSpec.configure do |config|
+ # Enable flags like --only-failures and --next-failure
+ config.example_status_persistence_file_path = '.rspec_status'
+ # Disable RSpec exposing methods globally on `Module` and `main`
+ config.disable_monkey_patching!
+
+ config.expect_with :rspec do |c|
+ c.syntax = :expect
+ end
+end
+
+# Copied from https://github.com/cucumber/aruba/blob/3b1a6cea6e3ba55370c3396eef0a955aeb40f287/spec/spec_helper.rb
+# Licensed under MIT - https://github.com/cucumber/aruba/blob/3b1a6cea6e3ba55370c3396eef0a955aeb40f287/LICENSE

 unless RUBY_PLATFORM.include?('java')
 require 'simplecov'
 SimpleCov.command_name 'RSpec'
@@ -10,7 +21,10 @@
 # Run simplecov by default
 SimpleCov.start unless ENV.key? 'ARUBA_NO_COVERAGE'
 end
+# End copied from Aruba
 
-# Loading support files
-Dir.glob(File.expand_path('support/*.rb', __dir__)).sort.each { |f| require_relative f }
-Dir.glob(File.expand_path('support/**/*.rb', __dir__)).sort.each { |f| require_relative f }
+mimic_next_major = ENV.fetch('MIMIC_NEXT_MAJOR_VERSION', 'false')
+# Require via legacy path until v2.0.0, and unless testing functionality in preparation for next major release
+require 'bom_builder' if mimic_next_major.casecmp?('false')
+# Modern path is already covered by the legacy path, but doesn't hurt to include it twice
+require 'cyclonedx/ruby'
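Review bot: `require 'bom_builder' if mimic_next_major.casecmp?('false')` in the second spec_helper hunk treats every value other than the literal `false` as opting into next-major behaviour, so an empty `MIMIC_NEXT_MAJOR_VERSION=` or a typo silently drops the legacy require, and because the new bom_helpers spec skips its legacy example when `purl` is undefined, the legacy path then goes untested without any failure. Parse the flag positively instead, e.g. `mimic_next_major = %w[true 1 yes].include?(ENV.fetch('MIMIC_NEXT_MAJOR_VERSION', 'false').downcase)` followed by `require 'bom_builder' unless mimic_next_major`, so that only an explicit opt-in changes which code is loaded. The comment "doesn't hurt to include it twice" would read better as a statement of why the modern path is required unconditionally, since `require` is idempotent and the point is that the namespaced API must exist in both modes.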