adressed comments and reviewed further the schema

petra-dv · petra-dv · commit e8f7aba603fa · 2025-12-07T18:36:51.000Z
diff --git a/schema/2.0/model/cyclonedx-blueprint-2.0.schema.json b/schema/2.0/model/cyclonedx-blueprint-2.0.schema.json
@@ -81,13 +81,63 @@
       },
       "description": "Data, control, or process flows between assets"
     },
+    "actors": {
+      "type": "array",
+      "items": {
+        "$ref": "#/$defs/actor"
+      },
+      "description": "Human or system actors involved in the model, distinct from assets"
+    },
     "assumptions": {
       "type": "array",
       "items": {
         "$ref": "#/$defs/assumption"
       },
       "description": "Assumptions made during the modeling process"
     },
+    "actor": {
+      "type": "object",
+      "required": ["bom-ref", "name", "type"],
+      "additionalProperties": false,
+      "properties": {
+        "bom-ref": {
+          "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType",
+          "description": "Unique identifier for the actor"
+        },
+        "name": {
+          "type": "string",
+          "description": "Name or title of the actor"
+        },
+        "description": {
+          "type": "string",
+          "description": "Narrative describing the actor's role and context"
+        },
+        "type": {
+          "type": "string",
+          "enum": ["user", "engineer", "administrator", "operator", "system", "external"],
+          "description": "Classification of the actor",
+          "meta:enum": {
+            "user": "End user of a client application or service",
+            "engineer": "Developer or platform/DevOps engineer",
+            "administrator": "Administrative or privileged operator",
+            "operator": "Operational staff running the system",
+            "system": "Automated system actor or service account",
+            "external": "Third-party or external entity"
+          }
+        },
+        "permissions": {
+          "type": "string",
+          "description": "Key permissions, capabilities, or duties the actor holds"
+        },
+        "trustZone": {
+          "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType",
+          "description": "Reference to the trust zone where the actor resides"
+        },
+        "properties": {
+          "$ref": "cyclonedx-common-2.0.schema.json#/$defs/properties"
+        }
+      }
+    },
     "visualizations": {
       "type": "array",
       "items": {
@@ -335,8 +385,6 @@
             "compliance",
             "risk",
             "stakeholder",
-            "use-case",
-            "abuse-case",
             "design-review",
             "custom"
           ],
@@ -357,8 +405,6 @@
             "compliance": "Regulatory compliance perspective",
             "risk": "Risk management perspective",
             "stakeholder": "General stakeholder perspective",
-            "use-case": "A high level persepctive that captures the data-flows of the use case, rather than deep granularity of systems",
-            "abuse-case": "A high level persepctive that captures the data-flows of a certain abuse case, rather than deep granularity of systems",
             "custom": "Custom or other perspective"
           }
         },
diff --git a/schema/2.0/model/cyclonedx-risk-2.0.schema.json b/schema/2.0/model/cyclonedx-risk-2.0.schema.json
@@ -159,7 +159,7 @@
           "type": "string",
           "enum": ["threat", "vulnerability", "weakness", "risk", "incident", "opportunity", "hazard"],
           "meta:enum": {
-            "threat": "Security threat scenario",
+            "threat": "Threat scenario",
             "vulnerability": "Exploitable vulnerability",
             "weakness": "System or design weakness",
             "risk": "General risk scenario",
diff --git a/schema/2.0/model/cyclonedx-threat-2.0.schema.json b/schema/2.0/model/cyclonedx-threat-2.0.schema.json
@@ -26,6 +26,13 @@
             "attackPattern": {
               "$ref": "#/$defs/attackPatternReference"
             },
+            "abuseCases": {
+              "type": "array",
+              "items": {
+                "$ref": "#/$defs/abuseCase"
+              },
+              "description": "Abuse or misuse cases that illustrate how this threat can be exercised"
+            },
             "weakness": {
               "$ref": "#/$defs/weaknessReference"
             },
@@ -174,11 +181,6 @@
           },
           "description": "Primary motivations"
         },
-        "capability": {
-          "type": "string",
-          "enum": ["minimal", "limited", "moderate", "significant", "advanced"],
-          "description": "Overall capability level"
-        },
         "intent": {
           "type": "string",
           "enum": ["accidental", "opportunistic", "targeted", "persistent"],
@@ -219,7 +221,10 @@
         },
         "complexity": {
           "type": "string",
-          "enum": ["low", "high"],
+          "enum": [
+            "low",
+            "high"
+          ],
           "description": "Attack complexity"
         },
         "privileges": {
@@ -239,6 +244,42 @@
         }
       }
     },
+    "abuseCase": {
+      "type": "object",
+      "required": ["bom-ref", "name"],
+      "additionalProperties": false,
+      "properties": {
+        "bom-ref": {
+          "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType"
+        },
+        "name": {
+          "type": "string",
+          "description": "Name of the abuse case"
+        },
+        "description": {
+          "type": "string",
+          "description": "Narrative describing how the system can be misused or abused"
+        },
+        "abuser": {
+          "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType",
+          "description": "Reference (bom-ref) to a threat actor involved in the abuse case"
+        },
+        "targets": {
+          "type": "array",
+          "items": {
+            "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType"
+          },
+          "description": "References (bom-refs) to assets or flows targeted in this abuse case"
+        },
+        "steps": {
+          "type": "array",
+          "items": {
+            "type": "string"
+          },
+          "description": "Ordered steps the abuser follows"
+        }
+      }
+    },
     "attackPattern": {
       "type": "object",
       "required": ["bom-ref", "name"],
@@ -259,14 +300,6 @@
           "type": "string",
           "description": "Description of the attack pattern"
         },
-        "severity": {
-          "$ref": "cyclonedx-risk-2.0.schema.json#/$defs/severity"
-        },
-        "likelihood": {
-          "type": "string",
-          "enum": ["low", "medium", "high"],
-          "description": "Likelihood of this pattern being used"
-        },
         "prerequisites": {
           "type": "array",
           "items": {
@@ -768,4 +801,4 @@
       }
     }
   }
-}
+}
