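--- a/cyclonedx-metadata-2.0.schema.json
+++ b/cyclonedx-metadata-2.0.schema.json
@@ -1,9 +1,104 @@
 {
 "$schema": "https://json-schema.org/draft/2020-12/schema",
-"$id": "http://localhost:8080/schema/2.0/cyclonedx-metadata-2.0.schema.json",
+"$id": "https://cyclonedx.org/schema/2.0/model/cyclonedx-metadata-2.0.schema.json",
 "type": "null",
-"title": "CycloneDX Transparency Expression Language: Metadata",
-"$comment" : "CycloneDX JSON schema is published under the terms of the Apache License 2.0.",
+"title": "CycloneDX Metadata Model",
+"$comment" : "OWASP CycloneDX is an Ecma International standard (ECMA-424) developed in collaboration between the OWASP Foundation and Ecma Technical Committee 54 (TC54). The standard is published under a royalty-free patent policy. This JSON schema is the reference implementation and is licensed under the Apache License 2.0.",
 "$defs": {
+"metadata": {
+"type": "object",
+"title": "BOM Metadata",
+"description": "Provides additional information about a BOM.",
+"additionalProperties": false,
+"properties": {
+"timestamp": {
+"type": "string",
+"format": "date-time",
+"title": "Timestamp",
+"description": "The date and time (timestamp) when the BOM was created."
+},
+"lifecycles": {
+"$ref": "cyclonedx-common-2.0.schema.json#/$defs/lifecycles"
+},
+"tools": {
+"type": "object",
+"title": "Tools",
+"description": "The tool(s) used in the creation, enrichment, and validation of the BOM.",
+"additionalProperties": false,
+"properties": {
+"components": {
+"$ref": "cyclonedx-component-2.0.schema.json#/$defs/components",
+"description": "A list of software and hardware components used as tools."
+},
+"services": {
+"$ref": "cyclonedx-service-2.0.schema.json#/$defs/services",
+"description": "A list of services used as tools. This may include microservices, function-as-a-service, and other types of network or intra-process services."
+}
+}
+},
+"manufacturer": {
+"title": "BOM Manufacturer",
+"description": "The organization that created the BOM.\nManufacturer is common in BOMs created through automated processes. BOMs created through manual means may have `@.authors` instead.",
+"$ref": "cyclonedx-common-2.0.schema.json#/$defs/organizationalEntity"
+},
+"authors": {
+"type": "array",
+"title": "BOM Authors",
+"description": "The person(s) who created the BOM.\nAuthors are common in BOMs created through manual processes. BOMs created through automated means may have `@.manufacturer` instead.",
+"items": {"$ref": "cyclonedx-common-2.0.schema.json#/$defs/organizationalContact"}
+},
+"component": {
+"description": "The component that the BOM describes.",
+"$ref": "cyclonedx-component-2.0.schema.json#/$defs/component"
+},
+"supplier": {
+"title": "Supplier",
+"description": " The organization that supplied the component that the BOM describes. The supplier may often be the manufacturer, but may also be a distributor or repackager.",
+"$ref": "cyclonedx-common-2.0.schema.json#/$defs/organizationalEntity"
+},
+"licenses": {
+"title": "BOM License(s)",
+"description": "The license information for the BOM document.\nThis may be different from the license(s) of the component(s) that the BOM describes.",
+"$ref": "cyclonedx-license-2.0.schema.json#/$defs/licenseChoice"
+},
+"distributionConstraints": {
+"$ref": "#/$defs/distributionConstraints"
+}
+},
+"allOf": [
+{ "$ref": "cyclonedx-common-2.0.schema.json#/$defs/baseObject" }
+]
+},
+"distributionConstraints": {
+"title": "Distribution Constraints",
+"description": "Conditions and constraints governing the sharing and distribution of the data or components described by this BOM.",
+"type": "object",
+"properties": {
+"tlp": {
+"$ref": "#/$defs/tlpClassification",
+"description": "The Traffic Light Protocol (TLP) classification that controls the sharing and distribution of the data that the BOM describes."
+}
+}
+},
+"tlpClassification": {
+"title": "Traffic Light Protocol (TLP) Classification",
+"description": "Traffic Light Protocol (TLP) is a classification system for identifying the potential risk associated with artefact, including whether it is subject to certain types of legal, financial, or technical threats. Refer to [https://www.first.org/tlp/](https://www.first.org/tlp/) for further information.\nThe default classification is \"CLEAR\"",
+"type" : "string",
+"default": "CLEAR",
+"enum": [
+"CLEAR",
+"GREEN",
+"AMBER",
+"AMBER_AND_STRICT",
+"RED"
+],
+"meta:enum": {
+"CLEAR": "The information is not subject to any restrictions as regards the sharing.",
+"GREEN": "The information is subject to limited disclosure, and recipients can share it within their community but not via publicly accessible channels.",
+"AMBER": "The information is subject to limited disclosure, and recipients can only share it on a need-to-know basis within their organization and with clients.",
+"AMBER_AND_STRICT": "The information is subject to limited disclosure, and recipients can only share it on a need-to-know basis within their organization.",
+"RED": "The information is subject to restricted distribution to individual recipients only and must not be shared."
+}
+}
 }
 }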
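Review bot: `distributionConstraints` (new lines 72–82) is the only object in this hunk that is not closed, so a misspelled key such as `"TLP"` or `"tpl"` validates silently and the constraint is simply absent — which, given `"default": "CLEAR"` on `tlpClassification` (and `default` being an annotation that only a consumer applying it will honour), means a BOM the author meant to restrict is read as unrestricted; add `"additionalProperties": false,` beside its `"type": "object"` to match `metadata` and `tools`. Separately, `metadata` pairs `"additionalProperties": false` with `"allOf": [{ "$ref": "...baseObject" }]`: `additionalProperties` only considers the sibling `properties`, so if `baseObject` (not visible here) contributes properties of its own they will be rejected by this schema; under draft 2020-12 `"unevaluatedProperties": false` is the keyword that also counts properties evaluated through `allOf`/`$ref`. Minor: the `supplier` description on new line 56 begins with a stray leading space.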