Merge branch 'v1.5-dev' into v1.5-dev-adversary-risk-extref

Author: stevespringett

schema/bom-1.5.proto

@@ -44,8 +44,18 @@
       ]
     }
   ],
+  "vulnerabilities": [
+    {
+      "bom-ref": "vulnerability-1",
+      "id": "ACME-12345",
+      "source": {
+        "name": "Acme Inc"
+      }
+    }
+  ],
   "compositions": [
     {
+      "bom-ref": "composition-1",
       "aggregate": "complete",
       "assemblies": [
         "pkg:maven/partner/[email protected]"
@@ -59,6 +69,12 @@
       "assemblies": [
         "pkg:maven/acme/[email protected]"
       ]
+    },
+    {
+      "aggregate": "incomplete_first_party_only",
+      "vulnerabilities": [
+        "vulnerability-1"
+      ]
     }
   ]
 }

schema/bom-1.5.schema.json

@@ -39,6 +39,7 @@ dependencies {
   }
 }
 compositions {
+  bom_ref: "composition-1"
   aggregate: AGGREGATE_COMPLETE
   assemblies: "pkg:maven/partner/[email protected]"
   dependencies: "acme-application-1.0"
@@ -47,3 +48,14 @@ compositions {
   aggregate: AGGREGATE_UNKNOWN
   assemblies: "pkg:maven/acme/[email protected]"
 }
+compositions {
+  aggregate: AGGREGATE_INCOMPLETE_FIRST_PARTY_ONLY,
+  vulnerabilities: "vulnerability-1"
+}
+vulnerabilities {
+  bom_ref: "vulnerability-1"
+  id: "ACME-12345"
+  source: {
+    name: "Acme Inc"
+  }
+}

schema/bom-1.5.xsd

@@ -32,7 +32,7 @@
         </dependency>
     </dependencies>
     <compositions>
-        <composition>
+        <composition bom-ref="composition-1">
             <aggregate>complete</aggregate>
             <assemblies>
                 <assembly ref="pkg:maven/partner/[email protected]"/>
@@ -47,5 +47,19 @@
                 <assembly ref="pkg:maven/acme/[email protected]"/>
             </assemblies>
         </composition>
+        <composition>
+            <aggregate>incomplete_first_party_only</aggregate>
+            <assemblies>
+                <assembly ref="vulnerability-1"/>
+            </assemblies>
+        </composition>
     </compositions>
+    <vulnerabilities>
+        <vulnerability bom-ref="vulnerability-1">
+            <id>ACME-12345</id>
+            <source>
+                <name>Acme Inc</name>
+            </source>
+        </vulnerability>
+    </vulnerabilities>
 </bom>

tools/src/test/resources/1.5/valid-compositions-1.5.json

@@ -0,0 +1,63 @@
+spec_version: "1.5"
+version: 1
+serial_number: "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79"
+components {
+  type: CLASSIFICATION_MACHINE_LEARNING_MODEL
+  bom_ref: "component-a"
+  group: "CompVis"
+  name: "stable-diffusion"
+  version: "1.4"
+  modelCard: {
+    modelParameters: {
+      approach: {
+        type: MODEL_PARAMETER_APPROACH_TYPE_SUPERVISED
+      }
+      task: "task goes here"
+      architectureFamily: "the architecture family goes here"
+      modelArchitecture: "The architecture of the model."
+      datasets: {
+        dataset: {
+          type: COMPONENT_DATA_TYPE_DATASET
+          name: "Training Data"
+          contents: {
+            url: "https://example.com/path/to/dataset"
+          }
+          classification: "public"
+        }
+      }
+      inputs: {
+        format: "string"
+      }
+      outputs: {
+        format: "string"
+      }
+    }
+    quantitativeAnalysis: {
+      performanceMetrics: {
+        type: "The type of performance metric"
+        value: "The value of the performance metric"
+        slice: "The name of the slice this metric was computed on. By default, assume this metric is not sliced"
+        confidenceInterval: {
+          lowerBound: "The lower bound of the confidence interval"
+          upperBound: "The upper bound of the confidence interval"
+        }
+      }
+    }
+    considerations: {
+      users: "Who are the intended users of the model?"
+      useCases: "Who are the intended users of the model?"
+      technicalLimitations: "What are the known technical limitations of the model? E.g. What kind(s) of data should the model be expected not to perform well on? What are the factors that might degrade model performance?"
+      performanceTradeoffs: "What are the known tradeoffs in accuracy/performance of the model?"
+      ethicalConsiderations: {
+        name: "The name of the risk"
+        mitigationStrategy: "Strategy used to address this risk"
+      }
+      fairnessAssessments: {
+        groupAtRisk: "The groups or individuals at risk of being systematically disadvantaged by the model"
+        benefits: "Expected benefits to the identified groups"
+        harms: "Expected harms to the identified groups"
+        mitigationStrategy: "With respect to the benefits and harms outlined, please describe any mitigation strategy implemented."
+      }
+    }
+  }
+}

tools/src/test/resources/1.5/valid-compositions-1.5.textproto

@@ -0,0 +1,21 @@
+{
+  "bomFormat": "CycloneDX",
+  "specVersion": "1.5",
+  "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79",
+  "version": 1,
+  "metadata": {
+    "lifecycles": [
+      {
+        "phase": "build"
+      },
+      {
+        "phase": "post-build"
+      },
+      {
+        "name": "platform-integration-testing",
+        "description": "Integration testing specific to the runtime platform"
+      }
+    ]
+  },
+  "components": []
+}