Merge branch 'v1.5-dev' into licenses-streamlined

Author: stevespringett

.github/workflows/js.yml

@@ -0,0 +1,32 @@
+# docs: https://docs.github.com/en/actions/reference/workflow-syntax-for-github-actions
+
+name: JS CI
+
+on: [push, pull_request, workflow_dispatch]
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+
+defaults:
+  run:
+    working-directory: tools/src/test/js
+
+jobs:
+  test:
+    timeout-minutes: 30
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        # see https://github.com/actions/checkout
+        uses: actions/checkout@v3
+      - name: Setup Node.js
+        # see https://github.com/actions/setup-node
+        uses: actions/setup-node@v3
+        with:
+          node-version: '20.x'
+      - name: Install Depenencies
+        run: npm install
+      - name: Run test 
+        run: npm test

schema/bom-1.5.proto

@@ -29,7 +29,7 @@ message Bom {
   repeated ExternalReference external_references = 7;
   // Provides the ability to document dependency relationships.
   repeated Dependency dependencies = 8;
-  // Provides the ability to document aggregate completeness
+  // Compositions describe constituent parts (including components, services, and dependency relationships) and their completeness. The completeness of vulnerabilities expressed in a BOM may also be described.
   repeated Composition compositions = 9;
   // Vulnerabilities identified in components or services.
   repeated Vulnerability vulnerabilities = 10;
@@ -219,32 +219,36 @@ enum ExternalReferenceType {
   EXTERNAL_REFERENCE_TYPE_ATTESTATION = 16;
   // An enumeration of identified weaknesses, threats, and countermeasures, dataflow diagram (DFD), attack tree, and other supporting documentation in human-readable or machine-readable format
   EXTERNAL_REFERENCE_TYPE_THREAT_MODEL = 17;
+  // The defined assumptions, goals, and capabilities of an adversary.
+  EXTERNAL_REFERENCE_TYPE_ADVERSARY_MODEL = 18;
+  // Identifies and analyzes the potential of future events that may negatively impact individuals, assets, and/or the environment. Risk assessments may also include judgments on the tolerability of each risk.
+  EXTERNAL_REFERENCE_TYPE_RISK_ASSESSMENT = 19;
   // The location where a component was published to. This is often the same as "distribution" but may also include specialized publishing processes that act as an intermediary
-  EXTERNAL_REFERENCE_TYPE_DISTRIBUTION_INTAKE = 18;
+  EXTERNAL_REFERENCE_TYPE_DISTRIBUTION_INTAKE = 20;
   // A Vulnerability Disclosure Report (VDR) which asserts the known and previously unknown vulnerabilities that affect a component, service, or product including the analysis and findings describing the impact (or lack of impact) that the reported vulnerability has on a component, service, or product
-  EXTERNAL_REFERENCE_TYPE_VULNERABILITY_ASSERTION = 19;
+  EXTERNAL_REFERENCE_TYPE_VULNERABILITY_ASSERTION = 21;
   // A Vulnerability Exploitability eXchange (VEX) which asserts the known vulnerabilities that do not affect a product, product family, or organization, and optionally the ones that do. The VEX should include the analysis and findings describing the impact (or lack of impact) that the reported vulnerability has on the product, product family, or organization
-  EXTERNAL_REFERENCE_TYPE_EXPLOITABILITY_STATEMENT = 20;
+  EXTERNAL_REFERENCE_TYPE_EXPLOITABILITY_STATEMENT = 22;
   // Results from an authorized simulated cyberattack on a component or service, otherwise known as a penetration test
-  EXTERNAL_REFERENCE_TYPE_PENTEST_REPORT = 21;
+  EXTERNAL_REFERENCE_TYPE_PENTEST_REPORT = 23;
   // SARIF or proprietary machine or human-readable report for which static analysis has identified code quality, security, and other potential issues with the source code
-  EXTERNAL_REFERENCE_TYPE_STATIC_ANALYSIS_REPORT = 22;
+  EXTERNAL_REFERENCE_TYPE_STATIC_ANALYSIS_REPORT = 24;
   // Dynamic analysis report that has identified issues such as vulnerabilities and misconfigurations
-  EXTERNAL_REFERENCE_TYPE_DYNAMIC_ANALYSIS_REPORT = 23;
+  EXTERNAL_REFERENCE_TYPE_DYNAMIC_ANALYSIS_REPORT = 25;
   // Report generated by analyzing the call stack of a running application
-  EXTERNAL_REFERENCE_TYPE_RUNTIME_ANALYSIS_REPORT = 24;
+  EXTERNAL_REFERENCE_TYPE_RUNTIME_ANALYSIS_REPORT = 26;
   // Report generated by Software Composition Analysis (SCA), container analysis, or other forms of component analysis
-  EXTERNAL_REFERENCE_TYPE_COMPONENT_ANALYSIS_REPORT = 25;
+  EXTERNAL_REFERENCE_TYPE_COMPONENT_ANALYSIS_REPORT = 27;
   // Report containing a formal assessment of an organization, business unit, or team against a maturity model
-  EXTERNAL_REFERENCE_TYPE_MATURITY_REPORT = 26;
+  EXTERNAL_REFERENCE_TYPE_MATURITY_REPORT = 28;
   // Industry, regulatory, or other certification from an accredited (if applicable) certification body
-  EXTERNAL_REFERENCE_TYPE_CERTIFICATION_REPORT = 27;
+  EXTERNAL_REFERENCE_TYPE_CERTIFICATION_REPORT = 29;
   // Report or system in which quality metrics can be obtained
-  EXTERNAL_REFERENCE_TYPE_QUALITY_METRICS = 28;
+  EXTERNAL_REFERENCE_TYPE_QUALITY_METRICS = 30;
   // Code or configuration that defines and provisions virtualized infrastructure, commonly referred to as Infrastructure as Code (IaC)
-  EXTERNAL_REFERENCE_TYPE_CODIFIED_INFRASTRUCTURE = 29;
+  EXTERNAL_REFERENCE_TYPE_CODIFIED_INFRASTRUCTURE = 31;
   // A model card describes the intended uses of a machine learning model, potential limitations, biases, ethical considerations, training parameters, datasets used to train the model, performance metrics, and other relevant data useful for ML transparency.
-  EXTERNAL_REFERENCE_TYPE_MODEL_CARD = 30;
+  EXTERNAL_REFERENCE_TYPE_MODEL_CARD = 32;
 }
 
 enum HashAlg {
@@ -416,6 +420,36 @@ message Metadata {
   optional LicenseChoice licenses = 7;
   // Specifies optional, custom, properties
   repeated Property properties = 8;
+  // The product lifecycle(s) that this BOM represents.
+  repeated Lifecycles lifecycles = 9;
+}
+
+message Lifecycles {
+   oneof choice {
+     // A pre-defined phase in the product lifecycle.
+     LifecyclePhase phase = 1;
+     // The name of the lifecycle phase
+     string name = 2;
+   }
+   // The description of the lifecycle phase
+  optional string description = 2;
+}
+
+enum LifecyclePhase {
+  // BOM produced early in the development lifecycle containing inventory of components and services that are proposed or planned to be used. The inventory may need to be procured, retrieved, or resourced prior to use.
+  LIFECYCLE_PHASE_DESIGN = 0;
+  // BOM consisting of information obtained prior to a build process and may contain source files and development artifacts and manifests. The inventory may need to be resolved and retrieved prior to use.
+  LIFECYCLE_PHASE_PRE_BUILD = 1;
+  // BOM consisting of information obtained during a build process where component inventory is available for use. The precise versions of resolved components are usually available at this time as well as the provenance of where the components were retrieved from.
+  LIFECYCLE_PHASE_BUILD = 2;
+  // BOM consisting of information obtained after a build process has completed and the resulting components(s) are available for further analysis. Built components may exist as the result of a CI/CD process, may have been installed or deployed to a system or device, and may need to be retrieved or extracted from the system or device.
+  LIFECYCLE_PHASE_POST_BUILD = 3;
+  // BOM produced that represents inventory that is running and operational. This may include staging or production environments and will generally encompass multiple SBOMs describing the applications and operating system, along with HBOMs describing the hardware that makes up the system. Operations Bill of Materials (OBOM) can provide full-stack inventory of runtime environments, configurations, and additional dependencies.
+  LIFECYCLE_PHASE_OPERATIONS = 4;
+  // BOM consisting of information observed through network discovery providing point-in-time enumeration of embedded, on-premise, and cloud-native services such as server applications, connected devices, microservices, and serverless functions.
+  LIFECYCLE_PHASE_DISCOVERY = 5;
+  // BOM containing inventory that will be, or has been retired from operations.
+  LIFECYCLE_PHASE_DECOMMISSION = 6;
 }
 
 message OrganizationalContact {
@@ -557,18 +591,26 @@ message Property {
 }
 
 enum Aggregate {
-  // Default, no statement about the aggregate completeness is being made
+  // The relationship completeness is not specified.
   AGGREGATE_NOT_SPECIFIED = 0;
-  // The aggregate composition is complete
+  // The relationship is complete. No further relationships including constituent components, services, or dependencies are known to exist.
   AGGREGATE_COMPLETE = 1;
-  // The aggregate composition is incomplete
+  // The relationship is incomplete. Additional relationships exist and may include constituent components, services, or dependencies.
   AGGREGATE_INCOMPLETE = 2;
-  // The aggregate composition is incomplete for first party components, complete for third party components
+  // The relationship is incomplete. Only relationships for first-party components, services, or their dependencies are represented.
   AGGREGATE_INCOMPLETE_FIRST_PARTY_ONLY = 3;
-  // The aggregate composition is incomplete for third party components, complete for first party components
+  // The relationship is incomplete. Only relationships for third-party components, services, or their dependencies are represented.
   AGGREGATE_INCOMPLETE_THIRD_PARTY_ONLY = 4;
-  // The aggregate composition completeness is unknown
+  // The relationship may be complete or incomplete. This usually signifies a 'best-effort' to obtain constituent components, services, or dependencies but the completeness is inconclusive.
   AGGREGATE_UNKNOWN = 5;
+  // The relationship is incomplete. Only relationships for first-party components, services, or their dependencies are represented, limited specifically to those that are proprietary.
+  AGGREGATE_INCOMPLETE_FIRST_PARTY_PROPRIETARY_ONLY = 6;
+  // The relationship is incomplete. Only relationships for first-party components, services, or their dependencies are represented, limited specifically to those that are opensource.
+  AGGREGATE_INCOMPLETE_FIRST_PARTY_OPENSOURCE_ONLY = 7;
+  // The relationship is incomplete. Only relationships for third-party components, services, or their dependencies are represented, limited specifically to those that are proprietary.
+  AGGREGATE_INCOMPLETE_THIRD_PARTY_PROPRIETARY_ONLY = 8;
+  // The relationship is incomplete. Only relationships for third-party components, services, or their dependencies are represented, limited specifically to those that are opensource.
+  AGGREGATE_INCOMPLETE_THIRD_PARTY_OPENSOURCE_ONLY = 9;
 }
 
 message Composition {
@@ -578,6 +620,10 @@ message Composition {
   repeated string assemblies = 2;
   // The dependencies the aggregate completeness applies to
   repeated string dependencies = 3;
+  // The bom-ref identifiers of the vulnerabilities being described.
+  repeated string vulnerabilities = 4;
+  // An optional identifier which can be used to reference the composition elsewhere in the BOM. Every bom-ref MUST be unique within the BOM.
+  optional string bom_ref = 5;
 }
 
 message EvidenceCopyright {