Updated json and xml schemas to account for tool usage in vulnerability objects. Updated vulnerability examples with new structure.

stevespringett · stevespringett · commit 6de0ebef538f · 2023-03-24T17:11:35.000-05:00
Signed-off-by: Steve Springett &lt;steve@springett.us&gt;
diff --git a/schema/bom-1.5.schema.json b/schema/bom-1.5.schema.json
@@ -1763,35 +1763,39 @@
           }
         },
         "tools": {
-          "type": "array",
-          "title": "Creation Tools",
-          "description": "The tool(s) used to identify, confirm, or score the vulnerability.",
-          "additionalItems": false,
-          "items": {
-            "properties": {
-              "component": {
-                "$ref": "#/definitions/component"
-              },
-              "service": {
-                "$ref": "#/definitions/service"
-              },
-              "tool": {
-                "description": "[Deprecated - Use `component` and `service` instead]",
-                "$ref": "#/definitions/tool"
+          "oneOf": [
+            {
+              "type": "object",
+              "title": "Tools",
+              "description": "The tool(s) used to identify, confirm, or score the vulnerability.",
+              "additionalProperties": false,
+              "properties": {
+                "components": {
+                  "type": "array",
+                  "additionalItems": false,
+                  "items": {"$ref": "#/definitions/component"},
+                  "uniqueItems": true,
+                  "title": "Components",
+                  "description": "A list of software and hardware components used as tools"
+                },
+                "services": {
+                  "type": "array",
+                  "additionalItems": false,
+                  "items": {"$ref": "#/definitions/service"},
+                  "uniqueItems": true,
+                  "title": "Services",
+                  "description": "A list of services used as tools. This may include microservices, function-as-a-service, and other types of network or intra-process services."
+                }
               }
             },
-            "oneOf":[
-              {
-                "required": ["component"]
-              },
-              {
-                "required": ["service"]
-              },
-              {
-                "required": ["tool"]
-              }
-            ]
-          }
+            {
+              "type": "array",
+              "title": "Tools (legacy)",
+              "description": "[Deprecated] The tool(s) used to identify, confirm, or score the vulnerability.",
+              "additionalItems": false,
+              "items": {"$ref": "#/definitions/tool"}
+            }
+          ]
         },
         "analysis": {
           "type": "object",
diff --git a/schema/bom-1.5.xsd b/schema/bom-1.5.xsd
@@ -2187,9 +2187,27 @@ limitations under the License.
                     <xs:documentation>The tool(s) used to identify, confirm, or score the vulnerability.</xs:documentation>
                 </xs:annotation>
                 <xs:complexType>
-                    <xs:sequence minOccurs="0" maxOccurs="unbounded">
-                        <xs:element name="tool" minOccurs="0" type="bom:toolType"/>
-                    </xs:sequence>
+                    <xs:choice>
+                        <xs:sequence minOccurs="0" maxOccurs="unbounded">
+                            <xs:element name="tool" minOccurs="0" type="bom:toolType">
+                                <xs:annotation>
+                                    <xs:documentation>DEPRECATED. Use tools\components or tools\services instead.</xs:documentation>
+                                </xs:annotation>
+                            </xs:element>
+                        </xs:sequence>
+                        <xs:sequence minOccurs="0" maxOccurs="1">
+                            <xs:element name="components" type="bom:componentsType" minOccurs="0" maxOccurs="1">
+                                <xs:annotation>
+                                    <xs:documentation>A list of software and hardware components used as tools.</xs:documentation>
+                                </xs:annotation>
+                            </xs:element>
+                            <xs:element name="services" type="bom:servicesType" minOccurs="0" maxOccurs="1">
+                                <xs:annotation>
+                                    <xs:documentation>A list of services used as tools.</xs:documentation>
+                                </xs:annotation>
+                            </xs:element>
+                        </xs:sequence>
+                    </xs:choice>
                 </xs:complexType>
             </xs:element>
             <xs:element name="analysis" minOccurs="0" maxOccurs="1">
diff --git a/tools/src/test/resources/1.5/valid-vulnerability-1.5.json b/tools/src/test/resources/1.5/valid-vulnerability-1.5.json
@@ -80,19 +80,22 @@
           }
         ]
       },
-      "tools": [
-        {
-          "vendor": "Snyk",
-          "name": "Snyk CLI (Linux)",
-          "version": "1.729.0",
-          "hashes": [
-            {
-              "alg": "SHA-256",
-              "content": "2eaf8c62831a1658c95d41fdc683cd177c147733c64a93e59cb2362829e45b7d"
-            }
-          ]
-        }
-      ],
+      "tools": {
+        "components": [
+          {
+            "type": "application",
+            "group": "Snyk",
+            "name": "Snyk CLI (Linux)",
+            "version": "1.729.0",
+            "hashes": [
+              {
+                "alg": "SHA-256",
+                "content": "2eaf8c62831a1658c95d41fdc683cd177c147733c64a93e59cb2362829e45b7d"
+              }
+            ]
+          }
+        ]
+      },
       "analysis": {
         "state": "not_affected",
         "justification": "code_not_reachable",
diff --git a/tools/src/test/resources/1.5/valid-vulnerability-1.5.textproto b/tools/src/test/resources/1.5/valid-vulnerability-1.5.textproto
@@ -74,13 +74,20 @@ vulnerabilities {
     }
   }
   tools: {
-    vendor: "Snyk"
-    name: "Snyk CLI (Linux)"
-    version: "1.729.0"
-    hashes: {
-      alg: HASH_ALG_SHA_256
-      value: "2eaf8c62831a1658c95d41fdc683cd177c147733c64a93e59cb2362829e45b7d"
-    }
+    components: [
+      {
+        type: CLASSIFICATION_APPLICATION,
+        group: "Snyk",
+        name: "Snyk CLI (Linux)",
+        version: "1.729.0",
+        hashes: [
+          {
+            alg: HASH_ALG_SHA_256
+            value: "2eaf8c62831a1658c95d41fdc683cd177c147733c64a93e59cb2362829e45b7d"
+          }
+        ]
+      }
+    ]
   }
   analysis: {
     state: IMPACT_ANALYSIS_STATE_NOT_AFFECTED
diff --git a/tools/src/test/resources/1.5/valid-vulnerability-1.5.xml b/tools/src/test/resources/1.5/valid-vulnerability-1.5.xml
@@ -80,14 +80,16 @@
                 </individuals>
             </credits>
             <tools>
-                <tool>
-                    <vendor>Snyk</vendor>
-                    <name>Snyk CLI (Linux)</name>
-                    <version>1.729.0</version>
-                    <hashes>
-                        <hash alg="SHA-256">2eaf8c62831a1658c95d41fdc683cd177c147733c64a93e59cb2362829e45b7d</hash>
-                    </hashes>
-                </tool>
+                <components>
+                    <component type="application">
+                        <group>Snyk</group>
+                        <name>Snyk CLI (Linux)</name>
+                        <version>1.729.0</version>
+                        <hashes>
+                            <hash alg="SHA-256">2eaf8c62831a1658c95d41fdc683cd177c147733c64a93e59cb2362829e45b7d</hash>
+                        </hashes>
+                    </component>
+                </components>
             </tools>
             <analysis>
                 <state>not_affected</state>
