Merge pull request #213 from CycloneDX/v1.5-dev-lifecycle

stevespringett · web-flow · commit 9847c91fe8e1 · 2023-05-27T13:53:17.000-05:00
Added lifecycle support
diff --git a/schema/bom-1.5.proto b/schema/bom-1.5.proto
@@ -416,6 +416,36 @@ message Metadata {
   optional LicenseChoice licenses = 7;
   // Specifies optional, custom, properties
   repeated Property properties = 8;
+  // The product lifecycle(s) that this BOM represents.
+  repeated Lifecycles lifecycles = 9;
+}
+
+message Lifecycles {
+   oneof choice {
+     // A pre-defined phase in the product lifecycle.
+     LifecyclePhase phase = 1;
+     // The name of the lifecycle phase
+     string name = 2;
+   }
+   // The description of the lifecycle phase
+  optional string description = 2;
+}
+
+enum LifecyclePhase {
+  // BOM produced early in the development lifecycle containing inventory of components and services that are proposed or planned to be used. The inventory may need to be procured, retrieved, or resourced prior to use.
+  LIFECYCLE_PHASE_DESIGN = 0;
+  // BOM consisting of information obtained prior to a build process and may contain source files and development artifacts and manifests. The inventory may need to be resolved and retrieved prior to use.
+  LIFECYCLE_PHASE_PRE_BUILD = 1;
+  // BOM consisting of information obtained during a build process where component inventory is available for use. The precise versions of resolved components are usually available at this time as well as the provenance of where the components were retrieved from.
+  LIFECYCLE_PHASE_BUILD = 2;
+  // BOM consisting of information obtained after a build process has completed and the resulting components(s) are available for further analysis. Built components may exist as the result of a CI/CD process, may have been installed or deployed to a system or device, and may need to be retrieved or extracted from the system or device.
+  LIFECYCLE_PHASE_POST_BUILD = 3;
+  // BOM produced that represents inventory that is running and operational. This may include staging or production environments and will generally encompass multiple SBOMs describing the applications and operating system, along with HBOMs describing the hardware that makes up the system. Operations Bill of Materials (OBOM) can provide full-stack inventory of runtime environments, configurations, and additional dependencies.
+  LIFECYCLE_PHASE_OPERATIONS = 4;
+  // BOM consisting of information observed through network discovery providing point-in-time enumeration of embedded, on-premise, and cloud-native services such as server applications, connected devices, microservices, and serverless functions.
+  LIFECYCLE_PHASE_DISCOVERY = 5;
+  // BOM containing inventory that will be, or has been retired from operations.
+  LIFECYCLE_PHASE_DECOMMISSION = 6;
 }
 
 message OrganizationalContact {
diff --git a/schema/bom-1.5.schema.json b/schema/bom-1.5.schema.json
@@ -136,6 +136,56 @@
           "title": "Timestamp",
           "description": "The date and time (timestamp) when the BOM was created."
         },
+        "lifecycles": {
+          "type": "array",
+          "title": "Lifecycles",
+          "description": "",
+          "additionalItems": false,
+          "items": {
+            "type": "object",
+            "title": "Lifecycle",
+            "description": "The product lifecycle(s) that this BOM represents.",
+            "additionalProperties": false,
+            "oneOf": [
+              {
+                "required": ["phase"],
+                "additionalProperties": false,
+                "properties": {
+                  "phase": {
+                    "type": "string",
+                    "title": "Phase",
+                    "description": "A pre-defined phase in the product lifecycle.\n\n* __design__ = BOM produced early in the development lifecycle containing inventory of components and services that are proposed or planned to be used. The inventory may need to be procured, retrieved, or resourced prior to use.\n* __pre-build__ = BOM consisting of information obtained prior to a build process and may contain source files and development artifacts and manifests. The inventory may need to be resolved and retrieved prior to use.\n* __build__ = BOM consisting of information obtained during a build process where component inventory is available for use. The precise versions of resolved components are usually available at this time as well as the provenance of where the components were retrieved from.\n* __post-build__ = BOM consisting of information obtained after a build process has completed and the resulting components(s) are available for further analysis. Built components may exist as the result of a CI/CD process, may have been installed or deployed to a system or device, and may need to be retrieved or extracted from the system or device.\n* __operations__ = BOM produced that represents inventory that is running and operational. This may include staging or production environments and will generally encompass multiple SBOMs describing the applications and operating system, along with HBOMs describing the hardware that makes up the system. Operations Bill of Materials (OBOM) can provide full-stack inventory of runtime environments, configurations, and additional dependencies.\n* __discovery__ = BOM consisting of information observed through network discovery providing point-in-time enumeration of embedded, on-premise, and cloud-native services such as server applications, connected devices, microservices, and serverless functions.\n* __decommission__ = BOM containing inventory that will be, or has been retired from operations.",
+                    "enum": [
+                      "design",
+                      "pre-build",
+                      "build",
+                      "post-build",
+                      "operations",
+                      "discovery",
+                      "decommission"
+                    ]
+                  }
+                }
+              },
+              {
+                "required": ["name"],
+                "additionalProperties": false,
+                "properties": {
+                  "name": {
+                    "type": "string",
+                    "title": "Name",
+                    "description": "The name of the lifecycle phase"
+                  },
+                  "description": {
+                    "type": "string",
+                    "title": "Description",
+                    "description": "The description of the lifecycle phase"
+                  }
+                }
+              }
+            ]
+          }
+      },
         "tools": {
           "oneOf": [
             {
diff --git a/schema/bom-1.5.xsd b/schema/bom-1.5.xsd
@@ -49,6 +49,48 @@ limitations under the License.
                     <xs:documentation>The date and time (timestamp) when the BOM was created.</xs:documentation>
                 </xs:annotation>
             </xs:element>
+            <xs:element name="lifecycles" minOccurs="0" maxOccurs="1">
+                <xs:annotation>
+                    <xs:documentation>
+                        The product lifecycle(s) that this BOM represents.
+                    </xs:documentation>
+                </xs:annotation>
+                <xs:complexType>
+                    <xs:sequence>
+                        <xs:element name="lifecycle" minOccurs="0" maxOccurs="unbounded">
+                            <xs:complexType>
+                                <xs:choice>
+                                    <xs:sequence>
+                                        <xs:element name="phase" type="bom:lifecyclePhaseType" minOccurs="1" maxOccurs="1">
+                                            <xs:annotation>
+                                                <xs:documentation>
+                                                    A pre-defined phase in the product lifecycle.
+                                                </xs:documentation>
+                                            </xs:annotation>
+                                        </xs:element>
+                                    </xs:sequence>
+                                    <xs:sequence>
+                                        <xs:element name="name" type="xs:normalizedString" minOccurs="1" maxOccurs="1">
+                                            <xs:annotation>
+                                                <xs:documentation>
+                                                    The name of the lifecycle phase
+                                                </xs:documentation>
+                                            </xs:annotation>
+                                        </xs:element>
+                                        <xs:element name="description" type="xs:string" minOccurs="0" maxOccurs="1">
+                                            <xs:annotation>
+                                                <xs:documentation>
+                                                    The description of the lifecycle phase
+                                                </xs:documentation>
+                                            </xs:annotation>
+                                        </xs:element>
+                                    </xs:sequence>
+                                </xs:choice>
+                            </xs:complexType>
+                        </xs:element>
+                    </xs:sequence>
+                </xs:complexType>
+            </xs:element>
             <xs:element name="tools" minOccurs="0" maxOccurs="1">
                 <xs:annotation>
                     <xs:documentation>The tool(s) used in the creation of the BOM.</xs:documentation>
@@ -131,6 +173,75 @@ limitations under the License.
         </xs:anyAttribute>
     </xs:complexType>
 
+    <xs:simpleType name="lifecyclePhaseType">
+        <xs:restriction base="xs:string">
+            <xs:enumeration value="design">
+                <xs:annotation>
+                    <xs:documentation>
+                        BOM produced early in the development lifecycle containing inventory of components and services
+                        that are proposed or planned to be used. The inventory may need to be procured, retrieved,
+                        or resourced prior to use.
+                    </xs:documentation>
+                </xs:annotation>
+            </xs:enumeration>
+            <xs:enumeration value="pre-build">
+                <xs:annotation>
+                    <xs:documentation>
+                        BOM consisting of information obtained prior to a build process and may contain source files
+                        and development artifacts and manifests. The inventory may need to be resolved and retrieved
+                        prior to use.
+                    </xs:documentation>
+                </xs:annotation>
+            </xs:enumeration>
+            <xs:enumeration value="build">
+                <xs:annotation>
+                    <xs:documentation>
+                        BOM consisting of information obtained during a build process where component inventory is
+                        available for use. The precise versions of resolved components are usually available at this
+                        time as well as the provenance of where the components were retrieved from.
+                    </xs:documentation>
+                </xs:annotation>
+            </xs:enumeration>
+            <xs:enumeration value="post-build">
+                <xs:annotation>
+                    <xs:documentation>
+                        BOM consisting of information obtained after a build process has completed and the resulting
+                        components(s) are available for further analysis. Built components may exist as the result of a
+                        CI/CD process, may have been installed or deployed to a system or device, and may need to be
+                        retrieved or extracted from the system or device.
+                    </xs:documentation>
+                </xs:annotation>
+            </xs:enumeration>
+            <xs:enumeration value="operations">
+                <xs:annotation>
+                    <xs:documentation>
+                        BOM produced that represents inventory that is running and operational. This may include staging
+                        or production environments and will generally encompass multiple SBOMs describing the applications
+                        and operating system, along with HBOMs describing the hardware that makes up the system. Operations
+                        Bill of Materials (OBOM) can provide full-stack inventory of runtime environments, configurations,
+                        and additional dependencies.
+                    </xs:documentation>
+                </xs:annotation>
+            </xs:enumeration>
+            <xs:enumeration value="discovery">
+                <xs:annotation>
+                    <xs:documentation>
+                        BOM consisting of information observed through network discovery providing point-in-time
+                        enumeration of embedded, on-premise, and cloud-native services such as server applications,
+                        connected devices, microservices, and serverless functions.
+                    </xs:documentation>
+                </xs:annotation>
+            </xs:enumeration>
+            <xs:enumeration value="decommission">
+                <xs:annotation>
+                    <xs:documentation>
+                        BOM containing inventory that will be, or has been retired from operations.
+                    </xs:documentation>
+                </xs:annotation>
+            </xs:enumeration>
+        </xs:restriction>
+    </xs:simpleType>
+
     <xs:complexType name="organizationalEntity">
         <xs:sequence minOccurs="0" maxOccurs="1">
             <xs:element name="name" type="xs:normalizedString" minOccurs="0" maxOccurs="1">
@@ -1867,41 +1978,13 @@ limitations under the License.
 
     <xs:simpleType name="identityFieldType">
         <xs:restriction base="xs:string">
-            <xs:enumeration value="group">
-                <xs:annotation>
-                    <xs:documentation>blah</xs:documentation>
-                </xs:annotation>
-            </xs:enumeration>
-            <xs:enumeration value="name">
-                <xs:annotation>
-                    <xs:documentation>blah</xs:documentation>
-                </xs:annotation>
-            </xs:enumeration>
-            <xs:enumeration value="version">
-                <xs:annotation>
-                    <xs:documentation>blah</xs:documentation>
-                </xs:annotation>
-            </xs:enumeration>
-            <xs:enumeration value="purl">
-                <xs:annotation>
-                    <xs:documentation>blah</xs:documentation>
-                </xs:annotation>
-            </xs:enumeration>
-            <xs:enumeration value="cpe">
-                <xs:annotation>
-                    <xs:documentation>blah</xs:documentation>
-                </xs:annotation>
-            </xs:enumeration>
-            <xs:enumeration value="swid">
-                <xs:annotation>
-                    <xs:documentation>blah</xs:documentation>
-                </xs:annotation>
-            </xs:enumeration>
-            <xs:enumeration value="hash">
-                <xs:annotation>
-                    <xs:documentation>blah</xs:documentation>
-                </xs:annotation>
-            </xs:enumeration>
+            <xs:enumeration value="group"/>
+            <xs:enumeration value="name"/>
+            <xs:enumeration value="version"/>
+            <xs:enumeration value="purl"/>
+            <xs:enumeration value="cpe"/>
+            <xs:enumeration value="swid"/>
+            <xs:enumeration value="hash"/>
         </xs:restriction>
     </xs:simpleType>
 
diff --git a/tools/src/test/resources/1.5/valid-metadata-lifecycle-1.5.json b/tools/src/test/resources/1.5/valid-metadata-lifecycle-1.5.json
@@ -0,0 +1,21 @@
+{
+  "bomFormat": "CycloneDX",
+  "specVersion": "1.5",
+  "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79",
+  "version": 1,
+  "metadata": {
+    "lifecycles": [
+      {
+        "phase": "build"
+      },
+      {
+        "phase": "post-build"
+      },
+      {
+        "name": "platform-integration-testing",
+        "description": "Integration testing specific to the runtime platform"
+      }
+    ]
+  },
+  "components": []
+}
diff --git a/tools/src/test/resources/1.5/valid-metadata-lifecycle-1.5.textproto b/tools/src/test/resources/1.5/valid-metadata-lifecycle-1.5.textproto
@@ -0,0 +1,17 @@
+spec_version: "1.5"
+version: 1
+serial_number: "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79"
+metadata {
+  lifecycles [
+    {
+      phase: LIFECYCLE_PHASE_BUILD
+    },
+    {
+      phase: LIFECYCLE_PHASE_POST_BUILD
+    },
+    {
+      name: "platform-integration-testing"
+      description: "Integration testing specific to the runtime platform"
+    }
+  ]
+}
diff --git a/tools/src/test/resources/1.5/valid-metadata-lifecycle-1.5.xml b/tools/src/test/resources/1.5/valid-metadata-lifecycle-1.5.xml
@@ -0,0 +1,18 @@
+<?xml version="1.0"?>
+<bom serialNumber="urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79" version="1" xmlns="http://cyclonedx.org/schema/bom/1.5">
+    <metadata>
+        <lifecycles>
+            <lifecycle>
+                <phase>build</phase>
+            </lifecycle>
+            <lifecycle>
+                <phase>post-build</phase>
+            </lifecycle>
+            <lifecycle>
+                <name>platform-integration-testing</name>
+                <description>Integration testing specific to the runtime platform</description>
+            </lifecycle>
+        </lifecycles>
+    </metadata>
+    <components />
+</bom>
