Merge branch 'master' into 2.0-dev

Signed-off-by: Jan Kowalleck <jan.kowalleck@owasp.org>

Author: jkowalleck

.github/workflows/build_docs.yml

@@ -21,7 +21,7 @@ jobs:
     steps:
     - name: Checkout
       # see https://github.com/actions/checkout
-      uses: actions/checkout@v5
+      uses: actions/checkout@v6
     - name: Set up JDK
       # see https://github.com/actions/setup-java
       uses: actions/setup-java@v5
@@ -33,7 +33,7 @@ jobs:
       run: ./gen.sh
     - name: Archive Schema documentation
       # https://github.com/actions/upload-artifact
-      uses: actions/upload-artifact@v5
+      uses: actions/upload-artifact@v6
       with:
         name: XML-Schema-documentation
         path: docgen/xml/docs
@@ -46,7 +46,7 @@ jobs:
     steps:
     - name: Checkout
       # see https://github.com/actions/checkout
-      uses: actions/checkout@v5
+      uses: actions/checkout@v6
     - name: Setup Python Environment
       # see https://github.com/actions/setup-python
       uses: actions/setup-python@v6
@@ -57,7 +57,7 @@ jobs:
       run: ./gen.sh
     - name: Archive Schema documentation
       # https://github.com/actions/upload-artifact
-      uses: actions/upload-artifact@v5
+      uses: actions/upload-artifact@v6
       with:
         name: JSON-Schema-documentation
         path: docgen/json/docs
@@ -70,12 +70,12 @@ jobs:
     steps:
     - name: Checkout
       # see https://github.com/actions/checkout
-      uses: actions/checkout@v5
+      uses: actions/checkout@v6
     - name: Generate Schema documentation
       run: ./gen.sh
     - name: Archive Schema documentation
       # https://github.com/actions/upload-artifact
-      uses: actions/upload-artifact@v5
+      uses: actions/upload-artifact@v6
       with:
         name: PROTO-Schema-documentation
         path: docgen/proto/docs

.github/workflows/bundle_2.0_schemas.yml

@@ -19,12 +19,12 @@ jobs:
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
         with:
           token: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Setup Node.js
-        uses: actions/setup-node@v4
+        uses: actions/setup-node@v6
         with:
           node-version: '20'
 
@@ -56,4 +56,4 @@ jobs:
             git config --local user.name "github-actions[bot]"
             git commit -m "chore: update bundled schemas [skip ci]"
             git push
-          fi
+          fi

.github/workflows/generate_algorithm_families.yml

@@ -0,0 +1,63 @@
+name: Generate Algorithm Families Enum
+
+on:
+  push:
+    paths:
+      - 'schema/cryptography-defs.json'
+      - 'tools/src/main/python/algorithmFamilyGeneration.py'
+  workflow_dispatch:
+
+jobs:
+  generate-families:
+    runs-on: ubuntu-latest
+
+    permissions:
+      contents: write
+      pull-requests: write
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v6
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
+          persist-credentials: false
+
+      - name: Set up Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: '3.x'
+
+      - name: Run algorithm family generator
+        working-directory: tools/src/main/python
+        run: python3 algorithmFamilyGeneration.py
+
+      - name: Create Pull Request
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          BRANCH_NAME="update-algorithm-families"
+          
+          # Configure Git
+          git config --local user.email "github-actions[bot]@users.noreply.github.com"
+          git config --local user.name "github-actions[bot]"
+          
+          # Check for changes
+          if git diff --quiet schema/cryptography-defs.schema.json; then
+            echo "No changes to algorithm families"
+            exit 0
+          fi
+          
+          # Create branch and commit
+          git checkout -b "$BRANCH_NAME"
+          git add schema/cryptography-defs.schema.json
+          git commit -m "chore: update algorithm families [skip ci]"
+          
+          # Push to the branch (use GH_TOKEN for authentication)
+          git push -u "https://x-access-token:${GH_TOKEN}@github.com/${{ github.repository }}.git" "$BRANCH_NAME" --force
+          
+          # Create Pull Request using GitHub CLI (gh)
+          gh pr create \
+            --title "chore: update algorithm families" \
+            --body "This PR updates \`schema/cryptography-defs.schema.json\` with the latest algorithm families generated from \`schema/cryptography-defs.json\`." \
+            --base "master" \
+            --head "$BRANCH_NAME" || echo "Pull request already exists"

.github/workflows/test_java.yml

@@ -18,12 +18,12 @@ defaults:
 permissions: {}
 
 jobs:
-  test:
+  test_java:
     runs-on: ubuntu-latest
     steps:
     - name: Checkout
       # see https://github.com/actions/checkout
-      uses: actions/checkout@v5
+      uses: actions/checkout@v6
     - name: Set up JDK
       # see https://github.com/actions/setup-java
       uses: actions/setup-java@v5

.github/workflows/test_js.yml

@@ -20,13 +20,13 @@ defaults:
 permissions: {}
 
 jobs:
-  test:
+  test_js:
     timeout-minutes: 30
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
         # see https://github.com/actions/checkout
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
       - name: Setup Node.js
         # see https://github.com/actions/setup-node
         uses: actions/setup-node@v6

.github/workflows/test_php.yml

@@ -20,13 +20,13 @@ defaults:
 permissions: {}
 
 jobs:
-  test:
+  test_php:
     timeout-minutes: 30
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
         # see https://github.com/actions/checkout
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
       - name: Setup PHP
         # see https://github.com/shivammathur/setup-php
         uses: shivammathur/setup-php@v2

.github/workflows/test_proto.yml

@@ -20,12 +20,12 @@ defaults:
 permissions: {}
 
 jobs:
-  test:
+  test_proto:
     timeout-minutes: 30
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
         # see https://github.com/actions/checkout
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
       - name: Run test
         run: ./test.sh

.github/workflows/update_spdx_licenses.yml

@@ -0,0 +1,122 @@
+name: Update SPDX licenses
+
+on:
+  schedule:
+    - cron: "0 0 * * *"
+  workflow_dispatch:
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+# https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/controlling-permissions-for-github_token
+permissions: { }
+
+jobs:
+  update:
+    name: Update Schemas
+    runs-on: ubuntu-latest
+    outputs:
+      changed: ${{ steps.diff.outputs.changed }}
+      version: ${{ steps.version.outputs.version }}
+    timeout-minutes: 10
+    steps:
+      - name: Checkout
+        # see https://github.com/actions/checkout
+        uses: actions/checkout@v5
+        with:
+          ref: ${{ github.ref_name }}
+      - name: Set up JDK
+        # see https://github.com/actions/setup-java
+        uses: actions/setup-java@v5
+        with:
+          java-version: '21'
+          distribution: 'zulu'
+          java-package: jdk
+      - name: Update SPDX
+        run: tools/updateSpdx.sh
+      - name: detect version
+        id: version
+        run: |
+          value=$( jq -r '.["$comment"]' schema/spdx.schema.json )
+          echo "version=$value" >> $GITHUB_OUTPUT
+      - name: Detect changes
+        id: diff
+        run: |
+          if git diff --quiet -- 'schema/spdx.*'
+          then
+            echo "$GITHUB_REF_NAME is up-to-date"
+            echo "changed=false" >> $GITHUB_OUTPUT
+          else
+            echo "$GITHUB_REF_NAME is not up-to-date"
+            echo "changed=true" >> $GITHUB_OUTPUT
+          fi
+      - name: Artifact changes
+        if: ${{ steps.diff.outputs.changed == 'true' }}
+        # https://github.com/actions/upload-artifact
+        uses: actions/upload-artifact@v4
+        with:
+          retention-days: 1
+          name: schema-spdx
+          path: schema/spdx.*
+          if-no-files-found: error
+  pullrequest:
+    name: Pull-request Changes
+    runs-on: ubuntu-latest
+    needs: [ 'update' ]
+    if: ${{ needs.update.outputs.changed == 'true' }}
+    permissions:
+      contents: write # push commits
+      pull-requests: write # create pullrequests
+    env:
+      SB_VERSION: ${{ needs.update.outputs.version }}
+      SB_BRANCH: ${{ github.ref_name }}_update-spdx/${{ needs.update.outputs.version }}
+    steps:
+      - name: Checkout
+        # see https://github.com/actions/checkout
+        uses: actions/checkout@v5
+        with:
+          ref: ${{ github.ref_name }}
+      - name: Switch branch
+        id: branch
+        run: |
+          set -eux
+          git remote set-branches origin "$SB_BRANCH"
+          if git ls-remote --exit-code --heads origin "$SB_BRANCH"
+          then
+            echo "existed=true" >> $GITHUB_OUTPUT
+            git fetch --depth=1 origin "$SB_BRANCH"
+            git checkout -b "$SB_BRANCH" "origin/$SB_BRANCH"
+          else
+            echo "existed=false" >> $GITHUB_OUTPUT
+            git checkout -b "$SB_BRANCH"
+          fi
+      - name: Fetch changes
+        # https://github.com/actions/download-artifact
+        uses: actions/download-artifact@v5
+        with:
+          name: schema-spdx
+          path: schema
+      - name: Commit and push
+        run: |
+          set -eux
+          if git diff --quiet -- 'schema/spdx.*'
+          then
+            echo "branch up-to-date"
+            exit 0
+          fi
+          git config user.name 'spdx-license-bumper[bot]'
+          git config user.email 'spdx-license-bumper@bot.local'
+          git add -A schema
+          git commit -s -m "feat: bump SPDX licenses $SB_VERSION"
+          git push origin "$SB_BRANCH"
+      - name: Pull request
+        if: ${{ steps.branch.outputs.existed == 'false' }}
+        run: >
+          gh pr create
+          --title "feat: bump SPDX Licenses $SB_VERSION"
+          --body "$SB_VERSION" 
+          --base "$GITHUB_REF_NAME"
+          --head "$SB_BRANCH"
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}

schema/bom-1.6.proto

@@ -4,7 +4,7 @@ import "google/protobuf/timestamp.proto";
 
 // Specifies attributes of the text
 message AttachedText {
-  // Specifies the format and nature of the data being attached, helping systems correctly interpret and process the content. Common content type examples include `application/json` for JSON data and `text/plain` for plan text documents. [RFC 2045 section 5.1](https://www.ietf.org/rfc/rfc2045.html#section-5.1) outlines the structure and use of content types. For a comprehensive list of registered content types, refer to the [IANA media types registry](https://www.iana.org/assignments/media-types/media-types.xhtml).
+  // Specifies the format and nature of the data being attached, helping systems correctly interpret and process the content. Common content type examples include `application/json` for JSON data and `text/plain` for plain text documents. [RFC 2045 section 5.1](https://www.ietf.org/rfc/rfc2045.html#section-5.1) outlines the structure and use of content types. For a comprehensive list of registered content types, refer to the [IANA media types registry](https://www.iana.org/assignments/media-types/media-types.xhtml).
   optional string content_type = 1;
   // Specifies the optional encoding the text is represented in
   optional string encoding = 2;
@@ -888,7 +888,7 @@ message Vulnerability {
   optional Source source = 3;
   // Zero or more pointers to vulnerabilities that are the equivalent of the vulnerability specified. Oftentimes, the same vulnerability may exist in multiple sources of vulnerability intelligence but have different identifiers. References provide a way to correlate vulnerabilities across multiple sources of vulnerability intelligence.
   repeated VulnerabilityReference references = 4;
-  // List of vulnerability ratings
+  // List of vulnerability ratings. Consumers SHOULD consider ratings in prioritization decisions; source ratings may differ and aid prioritization.
   repeated VulnerabilityRating ratings = 5;
   // List of Common Weaknesses Enumerations (CWEs) codes that describe this vulnerability. For example, 399 (of https://cwe.mitre.org/data/definitions/399.html)
   repeated int32 cwes = 6;

schema/bom-1.6.schema.json

@@ -2681,7 +2681,7 @@
         "ratings": {
           "type": "array",
           "title": "Ratings",
-          "description": "List of vulnerability ratings",
+          "description": "List of vulnerability ratings. Consumers SHOULD consider ratings in prioritization decisions; source ratings may differ and aid prioritization.",
           "items": {
             "$ref": "#/definitions/rating"
           }