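--- a/cyclonedx-common-2.0.schema.json
+++ b/cyclonedx-common-2.0.schema.json
@@ -1,9 +1,9 @@
 {
 "$schema": "https://json-schema.org/draft/2020-12/schema",
-"$id": "http://localhost:8080/schema/2.0/cyclonedx-common-2.0.schema.json",
+"$id": "https://cyclonedx.org/schema/2.0/model/cyclonedx-common-2.0.schema.json",
 "type": "null",
-"title": "CycloneDX Transparency Expression Language: Common",
-"$comment" : "CycloneDX JSON schema is published under the terms of the Apache License 2.0.",
+"title": "CycloneDX Common Model",
+"$comment" : "OWASP CycloneDX is an Ecma International standard (ECMA-424) developed in collaboration between the OWASP Foundation and Ecma Technical Committee 54 (TC54). The standard is published under a royalty-free patent policy. This JSON schema is the reference implementation and is licensed under the Apache License 2.0.",
 "$defs": {
 "refType": {
 "description": "Identifier for referable and therefore interlinkable elements.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links.",
@@ -391,6 +391,9 @@
 "examples": ["800-555-1212"]
 }
 }
+},
+"organizationalEntityOrContact": {
+
 },
 "properties": {
 "type": "array",
@@ -423,13 +426,14 @@
 },
 "extensibleProperties": {
 "type": "object",
-"description": "CycloneDX supports a structured and namespace-aware mechanism for extensibility through the use of extensible properties. This mechanism enables organisations, ecosystems, and tool vendors to safely introduce custom properties without conflicting with the core schema or other extensions.\n\nExtensible properties are defined as a JSON object whose keys must conform to a strict pattern that resembles a reverse domain name structure, prefixed with ext:. This pattern provides a namespacing convention that aligns with well-established practices in other structured formats (e.g., XML namespaces).",
-"examples": [
-"ext:<domain>:<name>",
-"ext:acme.org:myExtension"
-],
+"title": "Extensible Properties",
 "patternProperties": {
 "^ext:[a-zA-Z0-9.-]+\\.[a-zA-Z]{2,}:.+$": {
+"description": "CycloneDX supports a structured and namespace-aware mechanism for extensibility through the use of extensible properties. This mechanism enables organizations, ecosystems, and tool vendors to safely introduce custom properties without conflicting with the core schema or other extensions.\n\nExtensible properties are defined as a JSON object whose keys must conform to a strict pattern that resembles a reverse domain name structure, prefixed with ext:. This pattern provides a namespacing convention that aligns with well-established practices in other structured formats (e.g., XML namespaces).",
+"examples": [
+"ext:<domain>:<name>",
+"ext:example.org:myExtension"
+],
 "if": {
 "type": ["object", "array"]
 },
@@ -451,19 +455,105 @@
 },
 "additionalProperties": false
 },
+"baseObject": {
+"description": "Base object for all CycloneDX entities. Automatically includes support for extensible properties.",
+"allOf": [
+{ "$ref": "cyclonedx-common-2.0.schema.json#/$defs/extensibleProperties" }
+],
+"properties": {
+"properties": {
+"$ref": "cyclonedx-common-2.0.schema.json#/$defs/properties"
+},
+"externalReferences": {
+"$ref": "cyclonedx-common-2.0.schema.json#/$defs/externalReferences"
+}
+}
+},
 "timestamp": {
 "type": "string",
 "format": "date-time",
 "title": "Timestamp",
 "pattern": "^\\d{4}-\\d{2}-\\d{2}T\\d{2}:\\d{2}:\\d{2}(\\.\\d+)?Z$",
 "description": "An RFC 3339-compliant UTC timestamp using Zulu time (i.e., ending with 'Z'). The format must be 'YYYY-MM-DDTHH:MM:SSZ' or include optional fractional seconds, e.g., 'YYYY-MM-DDTHH:MM:SS.sssZ'. Offsets such as '+00:00' are not allowed."
 },
-
-
-
-
-
-
+"lifecycle": {
+"type": "object",
+"title": "Lifecycle",
+"description": "The product lifecycle(s) that this BOM represents.",
+"oneOf": [
+{
+"$ref": "#/$defs/preDefinedLifecyclePhase"
+},
+{
+"title": "Custom Lifecycle Phase",
+"required": ["name"],
+"additionalProperties": false,
+"properties": {
+"name": {
+"type": "string",
+"title": "Name",
+"description": "The name of the lifecycle phase"
+},
+"description": {
+"type": "string",
+"title": "Description",
+"description": "The description of the lifecycle phase"
+}
+}
+}
+]
+},
+"lifecycles": {
+"type": "array",
+"title": "Lifecycles",
+"description": "Lifecycles communicate the stage(s) in which data in the BOM was captured. Different types of data may be available at various phases of a lifecycle, such as the Software Development Lifecycle (SDLC), IT Asset Management (ITAM), and Software Asset Management (SAM). Thus, a BOM may include data specific to or only obtainable in a given lifecycle.",
+"items": { "$ref": "#/$defs/lifecycle"}
+},
+"preDefinedLifecyclePhase": {
+"title": "Pre-Defined Phase",
+"required": ["phase"],
+"additionalProperties": false,
+"properties": {
+"phase": {
+"type": "string",
+"title": "Phase",
+"description": "A pre-defined phase in the product lifecycle.",
+"enum": [
+"design",
+"pre-build",
+"build",
+"post-build",
+"operations",
+"discovery",
+"decommission"
+],
+"meta:enum": {
+"design": "BOM produced early in the development lifecycle containing an inventory of components and services that are proposed or planned to be used. The inventory may need to be procured, retrieved, or resourced prior to use.",
+"pre-build": "BOM consisting of information obtained prior to a build process and may contain source files and development artifacts and manifests. The inventory may need to be resolved and retrieved prior to use.",
+"build": "BOM consisting of information obtained during a build process where component inventory is available for use. The precise versions of resolved components are usually available at this time as well as the provenance of where the components were retrieved from.",
+"post-build": "BOM consisting of information obtained after a build process has completed and the resulting components(s) are available for further analysis. Built components may exist as the result of a CI/CD process, may have been installed or deployed to a system or device, and may need to be retrieved or extracted from the system or device.",
+"operations": "BOM produced that represents inventory that is running and operational. This may include staging or production environments and will generally encompass multiple SBOMs describing the applications and operating system, along with HBOMs describing the hardware that makes up the system. Operations Bill of Materials (OBOM) can provide full-stack inventory of runtime environments, configurations, and additional dependencies.",
+"discovery": "BOM consisting of information observed through network discovery providing point-in-time enumeration of embedded, on-premise, and cloud-native services such as server applications, connected devices, microservices, and serverless functions.",
+"decommission": "BOM containing inventory that will be, or has been retired from operations."
+}
+}
+}
+},
+"tags": {
+"type": "array",
+"items": {
+"type": "string"
+},
+"title": "Tags",
+"description": "Textual strings that aid in discovery, search, and retrieval of the associated object. Tags often serve as a way to group or categorize similar or related objects by various attributes.",
+"examples": [
+"json-parser",
+"object-persistence",
+"text-to-image",
+"translation",
+"object-detection"
+]
+},
 "commit": {
 "type": "object",
 "title": "Commit",
@@ -655,6 +745,17 @@
 "description": "The email address of the individual who performed the action"
 }
 }
+},
+"locale": {
+"type": "string",
+"pattern": "^([a-z]{2})(-[A-Z]{2})?$",
+"title": "Locale",
+"description": "Defines a syntax for representing two character language code (ISO-639) followed by an optional two character country code. The language code must be lower case. If the country code is specified, the country code must be upper case. The language code and country code must be separated by a minus sign. Examples: en, en-US, fr, fr-CA"
+},
+"signature": {
+"$ref": "../jsf-0.82.schema.json#/definitions/signature",
+"title": "Signature",
+"description": "Enveloped signature in [JSON Signature Format (JSF)](https://cyberphone.github.io/doc/security/jsf.html)."
 }
 }
 }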
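Review bot: `baseObject` (new lines 458–471) composes `extensibleProperties` through `allOf` and then declares its own `properties`, but if the `"additionalProperties": false` at new line 456 belongs to `extensibleProperties`, as the surrounding context suggests, that closed subschema will reject the sibling keys `properties` and `externalReferences`, because `additionalProperties` only sees the `properties`/`patternProperties` of its own schema object, never those of an `allOf` parent. The shared building block should leave the object open, and each concrete entity that extends `baseObject` should close it with `"unevaluatedProperties": false`, which draft 2020-12 evaluates across `$ref` and `allOf`; note also that `baseObject` references itself by file name while every other definition here uses `#/$defs/...`. Related: `organizationalEntityOrContact` (new lines 394–397) is an empty schema and therefore validates any JSON value, silently disabling validation for every `$ref` to it until a body is added; if it is a placeholder, `"type": "object"` plus `"$comment": "TODO: definition pending"` would make that explicit rather than permissive. `preDefinedLifecyclePhase` (new line 512) and the custom branch of `lifecycle` (new line 488) likewise omit `"type": "object"`, so a scalar referenced through them on their own passes both `required` and `additionalProperties` unchecked.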