|
63 | 63 | }, |
64 | 64 | "vulnerabilities": { |
65 | 65 | "$ref": "#/$defs/cyclonedx-vulnerability-2.0/$defs/vulnerabilities" |
| 66 | + }, |
| 67 | + "annotations": { |
| 68 | + "$ref": "#/$defs/cyclonedx-annotation-2.0/$defs/annotations" |
66 | 69 | } |
67 | 70 | }, |
68 | 71 | "$defs": { |
|
641 | 644 | }, |
642 | 645 | "cyclonedx-annotation-2.0": { |
643 | 646 | "type": "null", |
644 | | - "title": "CycloneDX Transparency Expression Language: Annotation", |
645 | | - "$defs": {} |
| 647 | + "title": "CycloneDX Annotation Model", |
| 648 | + "$defs": { |
| 649 | + "annotations": { |
| 650 | + "type": "array", |
| 651 | + "items": { |
| 652 | + "$ref": "#/$defs/cyclonedx-annotation-2.0/$defs/annotation" |
| 653 | + }, |
| 654 | + "uniqueItems": true, |
| 655 | + "title": "Annotations", |
| 656 | + "description": "Comments made by people, organizations, or tools about any object with a bom-ref, such as components, services, vulnerabilities, or the BOM itself. Unlike inventory information, annotations may contain opinions or commentary from various stakeholders. Annotations may be inline (with inventory) or externalized via BOM-Link and may optionally be signed." |
| 657 | + }, |
| 658 | + "annotation": { |
| 659 | + "type": "object", |
| 660 | + "title": "Annotations", |
| 661 | + "description": "A comment, note, explanation, or similar textual content which provides additional context to the object(s) being annotated.", |
| 662 | + "required": [ |
| 663 | + "subjects", |
| 664 | + "annotator", |
| 665 | + "timestamp", |
| 666 | + "text" |
| 667 | + ], |
| 668 | + "additionalProperties": false, |
| 669 | + "properties": { |
| 670 | + "bom-ref": { |
| 671 | + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType", |
| 672 | + "title": "BOM Reference", |
| 673 | + "description": "An identifier which can be used to reference the annotation elsewhere in the BOM. Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links." |
| 674 | + }, |
| 675 | + "subjects": { |
| 676 | + "type": "array", |
| 677 | + "uniqueItems": true, |
| 678 | + "items": { |
| 679 | + "anyOf": [ |
| 680 | + { |
| 681 | + "title": "Ref", |
| 682 | + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType" |
| 683 | + }, |
| 684 | + { |
| 685 | + "title": "BOM-Link Element", |
| 686 | + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/bomLinkElementType" |
| 687 | + } |
| 688 | + ] |
| 689 | + }, |
| 690 | + "title": "Subjects", |
| 691 | + "description": "The object in the BOM identified by its bom-ref. This is often a component or service, but may be any object type supporting bom-refs." |
| 692 | + }, |
| 693 | + "annotator": { |
| 694 | + "type": "object", |
| 695 | + "title": "Annotator", |
| 696 | + "description": "The organization, person, component, or service which created the textual content of the annotation.", |
| 697 | + "oneOf": [ |
| 698 | + { |
| 699 | + "required": [ |
| 700 | + "organization" |
| 701 | + ] |
| 702 | + }, |
| 703 | + { |
| 704 | + "required": [ |
| 705 | + "individual" |
| 706 | + ] |
| 707 | + }, |
| 708 | + { |
| 709 | + "required": [ |
| 710 | + "component" |
| 711 | + ] |
| 712 | + }, |
| 713 | + { |
| 714 | + "required": [ |
| 715 | + "service" |
| 716 | + ] |
| 717 | + } |
| 718 | + ], |
| 719 | + "additionalProperties": false, |
| 720 | + "properties": { |
| 721 | + "organization": { |
| 722 | + "description": "The organization that created the annotation", |
| 723 | + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity" |
| 724 | + }, |
| 725 | + "individual": { |
| 726 | + "description": "The person that created the annotation", |
| 727 | + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/organizationalContact" |
| 728 | + }, |
| 729 | + "component": { |
| 730 | + "description": "The tool or component that created the annotation", |
| 731 | + "$ref": "#/$defs/cyclonedx-component-2.0/$defs/component" |
| 732 | + }, |
| 733 | + "service": { |
| 734 | + "description": "The service that created the annotation", |
| 735 | + "$ref": "#/$defs/cyclonedx-service-2.0/$defs/service" |
| 736 | + } |
| 737 | + } |
| 738 | + }, |
| 739 | + "timestamp": { |
| 740 | + "type": "string", |
| 741 | + "format": "date-time", |
| 742 | + "title": "Timestamp", |
| 743 | + "description": "The date and time (timestamp) when the annotation was created." |
| 744 | + }, |
| 745 | + "text": { |
| 746 | + "type": "string", |
| 747 | + "title": "Text", |
| 748 | + "description": "The textual content of the annotation." |
| 749 | + }, |
| 750 | + "signature": { |
| 751 | + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/signature", |
| 752 | + "title": "Signature", |
| 753 | + "description": "Enveloped signature in [JSON Signature Format (JSF)](https://cyberphone.github.io/doc/security/jsf.html)." |
| 754 | + } |
| 755 | + } |
| 756 | + } |
| 757 | + } |
646 | 758 | }, |
647 | 759 | "cyclonedx-common-2.0": { |
648 | 760 | "type": "null", |
|
4829 | 4941 | }, |
4830 | 4942 | "vulnerabilities": { |
4831 | 4943 | "$ref": "#/$defs/cyclonedx-vulnerability-2.0/$defs/vulnerabilities" |
| 4944 | + }, |
| 4945 | + "annotations": { |
| 4946 | + "$ref": "#/$defs/cyclonedx-annotation-2.0/$defs/annotations" |
4832 | 4947 | } |
4833 | 4948 | } |
4834 | 4949 | } |
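Review bot: `subjects` (new lines 675–692) is listed in `required` but has no `minItems`, so `"subjects": []` validates and produces an annotation attached to nothing; adding `"minItems": 1` there (and `"minLength": 1` on `text` at 745–749) would close that gap. The singular `annotation` definition at 658 is titled `"Annotations"`, duplicating the array's title at 655, and should read `"title": "Annotation"`; likewise its `subjects` description at 691 says "The object in the BOM" for an array, so `"The objects in the BOM, each identified by its bom-ref. ..."` reads better. `"format": "date-time"` on `timestamp` is annotation-only in JSON Schema unless the validator opts into format assertion, so consumers should not assume the schema itself rejects malformed timestamps. Because `signature` is enveloped inside the annotation it signs, the schema cannot tie the signing key to the declared `annotator`; a verifier presumably has to check that correspondence itself, which is worth stating in the `signature` description.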
|