CycloneDX
diff --git a/‎schema/bom-1.5.proto‎
Lines changed: 16 additions & 6 deletions b/‎schema/bom-1.5.proto‎
Lines changed: 16 additions & 6 deletions
diff --git a/‎schema/bom-1.5.schema.json‎
Lines changed: 47 additions & 6 deletions b/‎schema/bom-1.5.schema.json‎
Lines changed: 47 additions & 6 deletions
diff --git a/‎schema/bom-1.5.xsd‎
Lines changed: 64 additions & 3 deletions b/‎schema/bom-1.5.xsd‎
Lines changed: 64 additions & 3 deletions
@@ -123,16 +123,24 @@ message Component {
   optional ReleaseNotes releaseNotes = 24;
 }
 
-// Specifies the data classification.
-message DataClassification {
+// Specifies the data flow.
+message DataFlow {
   // Specifies the flow direction of the data.
-  DataFlow flow = 1;
-  // SimpleContent value of element
+  DataFlowDirection flow = 1;
+  // Data classification tags data according to its type, sensitivity, and value if altered, stolen, or destroyed.
   string value = 2;
+  // Name for the defined data
+  optional string name = 3;
+  // Short description of the data content and usage
+  optional string description = 4;
+  // The URI, URL, or BOM-Link of the components or services the data came in from
+  repeated string source = 5;
+  // The URI, URL, or BOM-Link of the components or services the data is sent to
+  repeated string destination = 6;
 }
 
 // Specifies the flow direction of the data. Valid values are: inbound, outbound, bi-directional, and unknown. Direction is relative to the service. Inbound flow states that data enters the service. Outbound flow states that data leaves the service. Bi-directional states that data flows both ways, and unknown states that the direction is not known.
-enum DataFlow {
+enum DataFlowDirection {
   DATA_FLOW_NULL = 0;
   DATA_FLOW_INBOUND = 1;
   DATA_FLOW_OUTBOUND = 2;
@@ -481,7 +489,7 @@ message Service {
   optional bool authenticated = 8;
   // A boolean value indicating if use of the service crosses a trust zone or boundary. A value of true indicates that by using the service, a trust boundary is crossed. A value of false indicates that by using the service, a trust boundary is not crossed.
   optional bool x_trust_boundary = 9;
-  repeated DataClassification data = 10;
+  repeated DataFlow data = 10;
   repeated LicenseChoice licenses = 11;
   // Provides the ability to document external references related to the service.
   repeated ExternalReference external_references = 12;
@@ -491,6 +499,8 @@ message Service {
   repeated Property properties = 14;
   // Specifies optional release notes.
   optional ReleaseNotes releaseNotes = 15;
+  // The name of the trust zone the service resides in.
+  optional string trustZone = 16;
 }
 
 message Swid {
 
@@ -1160,12 +1160,17 @@
           "title": "Crosses Trust Boundary",
           "description": "A boolean value indicating if use of the service crosses a trust zone or boundary. A value of true indicates that by using the service, a trust boundary is crossed. A value of false indicates that by using the service, a trust boundary is not crossed."
         },
+        "trustZone": {
+          "type": "string",
+          "title": "Trust Zone",
+          "description": "The name of the trust zone the service resides in."
+        },
         "data": {
           "type": "array",
           "additionalItems": false,
-          "items": {"$ref": "#/definitions/dataClassification"},
-          "title": "Data Classification",
-          "description": "Specifies the data classification."
+          "items": {"$ref": "#/definitions/dataFlow"},
+          "title": "Data",
+          "description": "Specifies the data flow, classification, and other relevant information."
         },
         "licenses": {
           "type": "array",
@@ -1207,7 +1212,7 @@
         }
       }
     },
-    "dataClassification": {
+    "dataFlow": {
       "type": "object",
       "title": "Hash Objects",
       "required": [
@@ -1217,18 +1222,54 @@
       "additionalProperties": false,
       "properties": {
         "flow": {
-          "$ref": "#/definitions/dataFlow",
+          "$ref": "#/definitions/dataFlowDirection",
           "title": "Directional Flow",
           "description": "Specifies the flow direction of the data. Direction is relative to the service. Inbound flow states that data enters the service. Outbound flow states that data leaves the service. Bi-directional states that data flows both ways, and unknown states that the direction is not known."
         },
         "classification": {
           "type": "string",
           "title": "Classification",
           "description": "Data classification tags data according to its type, sensitivity, and value if altered, stolen, or destroyed."
+        },
+        "name": {
+          "type": "string",
+          "title": "Name",
+          "description": "Name for the defined data",
+          "examples": [
+            "Credit card reporting"
+          ]
+        },
+        "description": {
+          "type": "string",
+          "title": "Description",
+          "description": "Short description of the data content and usage",
+          "examples": [
+            "Credit card information being exchanged in between the web app and the database"
+          ]
+        },
+        "source": {
+          "type": "array",
+          "additionalItems": false,
+          "items": {
+            "type": "string",
+            "format": "iri-reference"
+          },
+          "title": "Source",
+          "description": "The URI, URL, or BOM-Link of the components or services the data came in from"
+        },
+        "destination": {
+          "type": "array",
+          "additionalItems": false,
+          "items": {
+            "type": "string",
+            "format": "iri-reference"
+          },
+          "title": "Destination",
+          "description": "The URI, URL, or BOM-Link of the components or services the data is sent to"
         }
       }
     },
-    "dataFlow": {
+    "dataFlowDirection": {
       "type": "string",
       "enum": [
         "inbound",
 
@@ -1620,15 +1620,76 @@ limitations under the License.
                         A value of false indicates that by using the service, a trust boundary is not crossed.</xs:documentation>
                 </xs:annotation>
             </xs:element>
+            <xs:element name="trustZone" type="xs:string" minOccurs="0" maxOccurs="1">
+                <xs:annotation>
+                    <xs:documentation>The name of the trust zone the service resides in.</xs:documentation>
+                </xs:annotation>
+            </xs:element>
             <xs:element name="data" minOccurs="0" maxOccurs="1">
                 <xs:complexType>
-                    <xs:sequence minOccurs="0" maxOccurs="unbounded">
-                        <xs:element name="classification" type="bom:dataClassificationType">
+                    <xs:choice>
+                        <xs:sequence minOccurs="0" maxOccurs="unbounded">
+                            <xs:element name="classification" type="bom:dataClassificationType">
+                                <xs:annotation>
+                                    <xs:documentation>DEPRECATED: Specifies the data classification. THIS FIELD IS DEPRECATED AS OF v1.5. Use dataflow\classification instead</xs:documentation>
+                                </xs:annotation>
+                            </xs:element>
+                        </xs:sequence>
+                        <xs:element name="dataflow" minOccurs="0" maxOccurs="unbounded">
                             <xs:annotation>
                                 <xs:documentation>Specifies the data classification.</xs:documentation>
                             </xs:annotation>
+                            <xs:complexType>
+                                <xs:sequence>
+                                    <xs:element name="classification" type="bom:dataClassificationType" minOccurs="0" maxOccurs="1">
+                                        <xs:annotation>
+                                            <xs:documentation>Specifies the data classification.</xs:documentation>
+                                        </xs:annotation>
+                                    </xs:element>
+                                    <xs:element name="source" minOccurs="0" maxOccurs="1">
+                                        <xs:annotation>
+                                            <xs:documentation>The URI, URL, or BOM-Link of the components or services the data came in from.</xs:documentation>
+                                        </xs:annotation>
+                                        <xs:complexType>
+                                            <xs:sequence minOccurs="0" maxOccurs="unbounded">
+                                                <xs:element name="url" type="xs:anyURI"/>
+                                            </xs:sequence>
+                                        </xs:complexType>
+                                    </xs:element>
+                                    <xs:element name="destination" minOccurs="0" maxOccurs="1">
+                                        <xs:annotation>
+                                            <xs:documentation>The URI, URL, or BOM-Link of the components or services the data is sent to.</xs:documentation>
+                                        </xs:annotation>
+                                        <xs:complexType>
+                                            <xs:sequence minOccurs="0" maxOccurs="unbounded">
+                                                <xs:element name="url" type="xs:anyURI"/>
+                                            </xs:sequence>
+                                        </xs:complexType>
+                                    </xs:element>
+                                </xs:sequence>
+                                <xs:attribute name="name" type="xs:string" use="optional">
+                                    <xs:annotation>
+                                        <xs:documentation>
+                                            Name for the defined data.
+                                        </xs:documentation>
+                                    </xs:annotation>
+                                </xs:attribute>
+                                <xs:attribute name="description" type="xs:string" use="optional">
+                                    <xs:annotation>
+                                        <xs:documentation>
+                                            Short description of the data content and usage.
+                                        </xs:documentation>
+                                    </xs:annotation>
+                                </xs:attribute>
+                                <xs:anyAttribute namespace="##any" processContents="lax">
+                                    <xs:annotation>
+                                        <xs:documentation>User-defined attributes may be used on this element as long as they
+                                            do not have the same name as an existing attribute used by the schema.</xs:documentation>
+                                    </xs:annotation>
+                                </xs:anyAttribute>
+                            </xs:complexType>
                         </xs:element>
-                    </xs:sequence>
+                    </xs:choice>
                 </xs:complexType>
             </xs:element>
             <xs:element name="licenses" type="bom:licenseChoiceType" minOccurs="0" maxOccurs="1"/>