Deprecated tool in favor of components and services used as tools. Added both current 1.5 and deprecated examples of each.

Signed-off-by: Steve Springett <[email protected]>

Author: stevespringett

schema/bom-1.5.proto

@@ -353,7 +353,7 @@ message Metadata {
   // The date and time (timestamp) when the document was created.
   optional google.protobuf.Timestamp timestamp = 1;
   // The tool(s) used in the creation of the BOM.
-  repeated Tool tools = 2;
+  optional Tool tools = 2;
   // The person(s) who created the BOM. Authors are common in BOMs created through manual processes. BOMs created through automated means may not have authors.
   repeated OrganizationalContact authors = 3;
   // The component that the BOM describes.
@@ -482,15 +482,20 @@ message Swid {
 
 // Specifies a tool (manual or automated).
 message Tool {
-  // The vendor of the tool used to create the BOM.
-  optional string vendor = 1;
-  // The name of the tool used to create the BOM.
-  optional string name = 2;
-  // The version of the tool used to create the BOM.
-  optional string version = 3;
-  repeated Hash hashes = 4;
-  // Provides the ability to document external references related to the tool.
-  repeated ExternalReference external_references = 5;
+  // DEPRECATED - DO NOT USE - The vendor of the tool used to create the BOM.
+  optional string vendor = 1 [deprecated = true];
+  // DEPRECATED - DO NOT USE - The name of the tool used to create the BOM.
+  optional string name = 2 [deprecated = true];
+  // DEPRECATED - DO NOT USE - The version of the tool used to create the BOM.
+  optional string version = 3 [deprecated = true];
+  // DEPRECATED - DO NOT USE
+  repeated Hash hashes = 4 [deprecated = true];
+  // DEPRECATED - DO NOT USE - Provides the ability to document external references related to the tool.
+  repeated ExternalReference external_references = 5 [deprecated = true];
+  // A list of software and hardware components used as tools
+  repeated Component components = 6;
+  // A list of services used as tools. This may include microservices, function-as-a-service, and other types of network or intra-process services.
+  repeated Service services = 7;
 }
 
 // Specifies a property
@@ -595,7 +600,7 @@ message Vulnerability {
   // Individuals or organizations credited with the discovery of the vulnerability.
   optional VulnerabilityCredits credits = 14;
   // The tool(s) used to identify, confirm, or score the vulnerability.
-  repeated Tool tools = 15;
+  optional Tool tools = 15;
   // An assessment of the impact and exploitability of the vulnerability.
   optional VulnerabilityAnalysis analysis = 16;
   // affects

schema/bom-1.5.schema.json

@@ -137,11 +137,39 @@
           "description": "The date and time (timestamp) when the BOM was created."
         },
         "tools": {
-          "type": "array",
-          "title": "Creation Tools",
-          "description": "The tool(s) used in the creation of the BOM.",
-          "additionalItems": false,
-          "items": {"$ref": "#/definitions/tool"}
+          "oneOf": [
+            {
+              "type": "object",
+              "title": "Creation Tools",
+              "description": "The tool(s) used in the creation of the BOM.",
+              "additionalProperties": false,
+              "properties": {
+                "components": {
+                  "type": "array",
+                  "additionalItems": false,
+                  "items": {"$ref": "#/definitions/component"},
+                  "uniqueItems": true,
+                  "title": "Components",
+                  "description": "A list of software and hardware components used as tools"
+                },
+                "services": {
+                  "type": "array",
+                  "additionalItems": false,
+                  "items": {"$ref": "#/definitions/service"},
+                  "uniqueItems": true,
+                  "title": "Services",
+                  "description": "A list of services used as tools. This may include microservices, function-as-a-service, and other types of network or intra-process services."
+                }
+              }
+            },
+            {
+              "type": "array",
+              "title": "Creation Tools (legacy)",
+              "description": "[Deprecated] The tool(s) used in the creation of the BOM.",
+              "additionalItems": false,
+              "items": {"$ref": "#/definitions/tool"}
+            }
+          ]
         },
         "authors" :{
           "type": "array",
@@ -183,7 +211,7 @@
     "tool": {
       "type": "object",
       "title": "Tool",
-      "description": "Information about the automated or manual tool used",
+      "description": "[Deprecated] - DO NOT USE. This will be removed in a future version. This will be removed in a future version. Use component or service instead. Information about the automated or manual tool used",
       "additionalProperties": false,
       "properties": {
         "vendor": {
@@ -1739,7 +1767,31 @@
           "title": "Creation Tools",
           "description": "The tool(s) used to identify, confirm, or score the vulnerability.",
           "additionalItems": false,
-          "items": {"$ref": "#/definitions/tool"}
+          "items": {
+            "properties": {
+              "component": {
+                "$ref": "#/definitions/component"
+              },
+              "service": {
+                "$ref": "#/definitions/service"
+              },
+              "tool": {
+                "description": "[Deprecated - Use `component` and `service` instead]",
+                "$ref": "#/definitions/tool"
+              }
+            },
+            "oneOf":[
+              {
+                "required": ["component"]
+              },
+              {
+                "required": ["service"]
+              },
+              {
+                "required": ["tool"]
+              }
+            ]
+          }
         },
         "analysis": {
           "type": "object",

schema/bom-1.5.xsd

@@ -54,9 +54,27 @@ limitations under the License.
                     <xs:documentation>The tool(s) used in the creation of the BOM.</xs:documentation>
                 </xs:annotation>
                 <xs:complexType>
-                    <xs:sequence minOccurs="0" maxOccurs="unbounded">
-                        <xs:element name="tool" minOccurs="0" type="bom:toolType"/>
-                    </xs:sequence>
+                    <xs:choice>
+                        <xs:sequence minOccurs="0" maxOccurs="unbounded">
+                            <xs:element name="tool" minOccurs="0" type="bom:toolType">
+                                <xs:annotation>
+                                    <xs:documentation>DEPRECATED. Use tools\components or tools\services instead.</xs:documentation>
+                                </xs:annotation>
+                            </xs:element>
+                        </xs:sequence>
+                        <xs:sequence minOccurs="0" maxOccurs="1">
+                            <xs:element name="components" type="bom:componentsType" minOccurs="0" maxOccurs="1">
+                                <xs:annotation>
+                                    <xs:documentation>A list of software and hardware components used as tools.</xs:documentation>
+                                </xs:annotation>
+                            </xs:element>
+                            <xs:element name="services" type="bom:servicesType" minOccurs="0" maxOccurs="1">
+                                <xs:annotation>
+                                    <xs:documentation>A list of services used as tools.</xs:documentation>
+                                </xs:annotation>
+                            </xs:element>
+                        </xs:sequence>
+                    </xs:choice>
                 </xs:complexType>
             </xs:element>
             <xs:element name="authors" minOccurs="0" maxOccurs="1">

tools/src/test/resources/1.5/valid-metadata-tool-1.5.json

@@ -4,23 +4,44 @@
   "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79",
   "version": 1,
   "metadata": {
-    "tools": [
-      {
-        "vendor": "Awesome Vendor",
-        "name": "Awesome Tool",
-        "version": "9.1.2",
-        "hashes": [
-          {
-            "alg": "SHA-1",
-            "content": "25ed8e31b995bb927966616df2a42b979a2717f0"
+    "tools": {
+      "components": [
+        {
+          "type": "application",
+          "group": "Awesome Vendor",
+          "name": "Awesome Tool",
+          "version": "9.1.2",
+          "hashes": [
+            {
+              "alg": "SHA-1",
+              "content": "25ed8e31b995bb927966616df2a42b979a2717f0"
+            },
+            {
+              "alg": "SHA-256",
+              "content": "a74f733635a19aefb1f73e5947cef59cd7440c6952ef0f03d09d974274cbd6df"
+            }
+          ]
+        }
+      ],
+      "services": [
+        {
+          "provider": {
+            "name": "Acme Org",
+            "url": [
+              "https://example.com"
+            ]
           },
-          {
-            "alg": "SHA-256",
-            "content": "a74f733635a19aefb1f73e5947cef59cd7440c6952ef0f03d09d974274cbd6df"
-          }
-        ]
-      }
-    ]
+          "group": "com.example",
+          "name": "Acme Signing Server",
+          "description": "Signs artifacts",
+          "endpoints": [
+            "https://example.com/sign",
+            "https://example.com/verify",
+            "https://example.com/tsa"
+          ]
+        }
+      ]
+    }
   },
   "components": []
 }

tools/src/test/resources/1.5/valid-metadata-tool-1.5.textproto

@@ -3,16 +3,35 @@ version: 1
 serial_number: "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79"
 metadata {
   tools {
-    vendor: "Awesome Vendor"
-    name: "Awesome Tool"
-    version: "9.1.2"
-    hashes {
-      alg: HASH_ALG_SHA_1
-      value: "25ed8e31b995bb927966616df2a42b979a2717f0"
+    components {
+      type: CLASSIFICATION_APPLICATION
+      group: "Awesome Vendor"
+      name: "Awesome Tool"
+      version: "9.1.2"
+      hashes {
+        alg: HASH_ALG_SHA_1
+        value: "25ed8e31b995bb927966616df2a42b979a2717f0"
+      }
+      hashes {
+        alg: HASH_ALG_SHA_256
+        value: "a74f733635a19aefb1f73e5947cef59cd7440c6952ef0f03d09d974274cbd6df"
+      }
     }
-    hashes {
-      alg: HASH_ALG_SHA_256
-      value: "a74f733635a19aefb1f73e5947cef59cd7440c6952ef0f03d09d974274cbd6df"
+    services {
+      provider: {
+        name: "Acme Org",
+        url: [
+          "https://example.com"
+        ]
+      },
+      group: "com.example",
+      name: "Acme Signing Server",
+      description: "Signs artifacts",
+      endpoints: [
+        "https://example.com/sign",
+        "https://example.com/verify",
+        "https://example.com/tsa"
+      ]
     }
   }
 }

tools/src/test/resources/1.5/valid-metadata-tool-1.5.xml

@@ -2,15 +2,17 @@
 <bom serialNumber="urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79" version="1" xmlns="http://cyclonedx.org/schema/bom/1.5">
     <metadata>
         <tools>
-            <tool>
-                <vendor>Awesome Vendor</vendor>
-                <name>Awesome Tool</name>
-                <version>9.1.2</version>
-                <hashes>
-                    <hash alg="SHA-1">25ed8e31b995bb927966616df2a42b979a2717f0</hash>
-                    <hash alg="SHA-256">a74f733635a19aefb1f73e5947cef59cd7440c6952ef0f03d09d974274cbd6df</hash>
-                </hashes>
-            </tool>
+            <components>
+                <component type="application">
+                    <group>Awesome Vendor</group>
+                    <name>Awesome Tool</name>
+                    <version>9.1.2</version>
+                    <hashes>
+                        <hash alg="SHA-1">25ed8e31b995bb927966616df2a42b979a2717f0</hash>
+                        <hash alg="SHA-256">a74f733635a19aefb1f73e5947cef59cd7440c6952ef0f03d09d974274cbd6df</hash>
+                    </hashes>
+                </component>
+            </components>
         </tools>
     </metadata>
     <components />

tools/src/test/resources/1.5/valid-metadata-tool-deprecated-1.5.json

@@ -0,0 +1,26 @@
+{
+  "bomFormat": "CycloneDX",
+  "specVersion": "1.5",
+  "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79",
+  "version": 1,
+  "metadata": {
+    "tools": [
+      {
+        "vendor": "Awesome Vendor",
+        "name": "Awesome Tool",
+        "version": "9.1.2",
+        "hashes": [
+          {
+            "alg": "SHA-1",
+            "content": "25ed8e31b995bb927966616df2a42b979a2717f0"
+          },
+          {
+            "alg": "SHA-256",
+            "content": "a74f733635a19aefb1f73e5947cef59cd7440c6952ef0f03d09d974274cbd6df"
+          }
+        ]
+      }
+    ]
+  },
+  "components": []
+}

tools/src/test/resources/1.5/valid-metadata-tool-deprecated-1.5.textproto

@@ -0,0 +1,18 @@
+spec_version: "1.5"
+version: 1
+serial_number: "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79"
+metadata {
+  tools {
+    vendor: "Awesome Vendor"
+    name: "Awesome Tool"
+    version: "9.1.2"
+    hashes {
+      alg: HASH_ALG_SHA_1
+      value: "25ed8e31b995bb927966616df2a42b979a2717f0"
+    }
+    hashes {
+      alg: HASH_ALG_SHA_256
+      value: "a74f733635a19aefb1f73e5947cef59cd7440c6952ef0f03d09d974274cbd6df"
+    }
+  }
+}

tools/src/test/resources/1.5/valid-metadata-tool-deprecated-1.5.xml

@@ -0,0 +1,17 @@
+<?xml version="1.0"?>
+<bom serialNumber="urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79" version="1" xmlns="http://cyclonedx.org/schema/bom/1.5">
+    <metadata>
+        <tools>
+            <tool>
+                <vendor>Awesome Vendor</vendor>
+                <name>Awesome Tool</name>
+                <version>9.1.2</version>
+                <hashes>
+                    <hash alg="SHA-1">25ed8e31b995bb927966616df2a42b979a2717f0</hash>
+                    <hash alg="SHA-256">a74f733635a19aefb1f73e5947cef59cd7440c6952ef0f03d09d974274cbd6df</hash>
+                </hashes>
+            </tool>
+        </tools>
+    </metadata>
+    <components />
+</bom>