diff --git a/schema/bom-1.6.proto b/schema/bom-1.6.proto
index 573b443..b2d318a 100644
--- a/schema/bom-1.6.proto
+++ b/schema/bom-1.6.proto
@@ -1,10 +1,10 @@
 syntax = "proto3";
-package cyclonedx.v1_6;
+package cyclonedx.v1_6; // version 1.6.1
 import "google/protobuf/timestamp.proto";
 // Specifies attributes of the text
 message AttachedText {
- // Specifies the content type of the text. Defaults to 'text/plain' if not specified.
+ // Specifies the format and nature of the data being attached, helping systems correctly interpret and process the content. Common content type examples include `application/json` for JSON data and `text/plain` for plan text documents. [RFC 2045 section 5.1](https://www.ietf.org/rfc/rfc2045.html#section-5.1) outlines the structure and use of content types. For a comprehensive list of registered content types, refer to the [IANA media types registry](https://www.iana.org/assignments/media-types/media-types.xhtml).
 optional string content_type = 1;
 // Specifies the optional encoding the text is represented in
 optional string encoding = 2;
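Review bot: The rewritten comment on `content_type` (field 1 of `AttachedText`) drops the only statement of the field's default, "Defaults to 'text/plain' if not specified", while the field stays `optional`, so a reader of the 1.6.1 schema can no longer tell what an absent `content_type` means. If that default still holds, keep the sentence at the end of the new comment: `Defaults to 'text/plain' if not specified.`. The same line reads "for plan text documents", which should be "for plain text documents". The `message AttachedText` definition continues past the end of this hunk.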
@@ -106,13 +106,15 @@ message Component {
 optional string group = 7;
 // The name of the component. This will often be a shortened, single name of the component. Examples: commons-lang3 and jquery
 string name = 8;
- // The component version. The version should ideally comply with semantic versioning but is not enforced. Version was made optional in v1.4 of the spec. For backward compatibility, it is RECOMMENDED to use an empty string to represent components without version information.
+ // The component version. The version should ideally comply with semantic versioning but is not enforced. Version was made optional in v1.4 of the spec. For backward compatibility, it is recommended to use an empty string to represent components without version information.
 string version = 9;
 // Specifies a description for the component
 optional string description = 10;
 // Specifies the scope of the component. If a scope is not specified, SCOPE_REQUIRED scope should be assumed by the consumer of the BOM
 optional Scope scope = 11;
+ // The hashes of the component.
 repeated Hash hashes = 12;
+ // EITHER (list of SPDX licenses and/or named licenses) OR (tuple of one SPDX License Expression)
 repeated LicenseChoice licenses = 13;
 // An optional copyright notice informing users of the underlying claims to copyright ownership in a published work.
 optional string copyright = 14;
@@ -132,14 +134,14 @@ message Component {
 repeated Component components = 21;
 // Specifies optional, custom, properties
 repeated Property properties = 22;
- // Specifies optional license and copyright evidence
- repeated Evidence evidence = 23;
+ // Specifies optional license and copyright evidence.
+ optional Evidence evidence = 23;
 // Specifies optional release notes.
 optional ReleaseNotes releaseNotes = 24;
 // A model card describes the intended uses of a machine learning model, potential limitations, biases, ethical considerations, training parameters, datasets used to train the model, performance metrics, and other relevant data useful for ML transparency.
 optional ModelCard modelCard = 25;
- // This object SHOULD be specified for any component of type `data` and MUST NOT be specified for other component types.
- optional ComponentData data = 26;
+ // This object SHOULD be specified for any component of type `data` and must not be specified for other component types.
+ repeated ComponentData data = 26;
 // Cryptographic assets have properties that uniquely define them and that make them actionable for further reasoning. As an example, it makes a difference if one knows the algorithm family (e.g. AES) or the specific variant or instantiation (e.g. AES-128-GCM). This is because the security level and the algorithm primitive (authenticated encryption) is only defined by the definition of the algorithm variant. The presence of a weak cryptographic algorithm like SHA1 vs. HMAC-SHA1 also makes a difference.
 optional CryptoProperties cryptoProperties = 27;
 // The organization that created the component. Manufacturer is common in components created through automated processes. Components created through manual means may have `.authors` instead.
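Review bot: The cardinality changes on fields 23 and 26 (`repeated Evidence evidence` → `optional Evidence evidence`, `optional ComponentData data` → `repeated ComponentData data`) keep their field numbers, which is wire-compatible, but they are source-breaking for every generated binding of the already-published `cyclonedx.v1_6` package, and nothing in the hunk records the transition. A producer built from the previous 1.6 schema can still emit several `Evidence` records under tag 23; a reader of this schema merges them into one message (repeated sub-fields are concatenated, singular ones last-wins), so license and copyright evidence from distinct entries coalesces silently. Suggest stating this on the fields, e.g. `// Changed from repeated to optional in 1.6.1; older producers may emit several entries, which parsers merge into a single Evidence.` on `evidence`, and `// Changed from optional to repeated in 1.6.1; a single entry from older producers reads as a one-element list.` on `data`. The enclosing `message Component` starts and ends outside this hunk.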
@@ -148,9 +150,9 @@ message Component {
 repeated OrganizationalContact authors = 29;
 // Textual strings that aid in discovery, search, and retrieval of the associated object. Tags often serve as a way to group or categorize similar or related objects by various attributes. Examples include "json-parser", "object-persistence", "text-to-image", "translation", and "object-detection".
 repeated string tags = 30;
- // Specifies the OmniBOR Artifact ID. The OmniBOR, if specified, MUST be valid and conform to the specification defined at: https://www.iana.org/assignments/uri-schemes/prov/gitoid
+ // Specifies the OmniBOR Artifact ID. The OmniBOR, if specified, must be valid and conform to the specification defined at: https://www.iana.org/assignments/uri-schemes/prov/gitoid
 repeated string omniborId = 31;
- // Specifies the Software Heritage persistent identifier (SWHID). The SWHID, if specified, MUST be valid and conform to the specification defined at: https://docs.softwareheritage.org/devel/swh-model/persistent-identifiers.html
+ // Specifies the Software Heritage persistent identifier (SWHID). The SWHID, if specified, must be valid and conform to the specification defined at: https://docs.softwareheritage.org/devel/swh-model/persistent-identifiers.html
 repeated string swhid = 32;
 }
@@ -175,14 +177,20 @@ message DataFlow {
 // Specifies the flow direction of the data. Valid values are: inbound, outbound, bi-directional, and unknown. Direction is relative to the service. Inbound flow states that data enters the service. Outbound flow states that data leaves the service. Bi-directional states that data flows both ways, and unknown states that the direction is not known.
 // buf:lint:ignore ENUM_VALUE_PREFIX -- Enum value names should be prefixed with "DATA_FLOW_DIRECTION_"
 enum DataFlowDirection {
+ // Default
 // buf:lint:ignore ENUM_ZERO_VALUE_SUFFIX -- `null` is our fallback, doubling `unspecified`
 DATA_FLOW_NULL = 0;
+ // Data that enters a service.
 DATA_FLOW_INBOUND = 1;
+ // Data that exits a service.
 DATA_FLOW_OUTBOUND = 2;
+ // Data flows in and out of the service.
 DATA_FLOW_BI_DIRECTIONAL = 3;
+ // The directional flow of data is not known.
 DATA_FLOW_UNKNOWN = 4;
 }
+// Defines the direct dependencies of a component, service, or the components provided/implemented by a given component. Components or services that do not have their own dependencies must be declared as empty elements within the graph. Components or services that are not represented in the dependency graph may have unknown dependencies. It is recommended that implementations assume this to be opaque and not an indicator of an object being dependency-free. It is recommended to leverage compositions to indicate unknown dependency graphs.
 message Dependency {
 // References a component or service by its bom-ref attribute
 string ref = 1;
@@ -192,6 +200,7 @@ message Dependency {
 repeated string provides = 3;
 }
+// The patch file (or diff) that shows changes. Refer to https://en.wikipedia.org/wiki/Diff
 message Diff {
 // Specifies the optional text of the diff
 optional AttachedText text = 1;
@@ -199,6 +208,7 @@ message Diff {
 optional string url = 2;
 }
+// External references provide a way to document systems, sites, and information that may be relevant but are not included with the BOM. They may also establish specific relationships within or external to the BOM.
 message ExternalReference {
 // Specifies the type of external reference. There are built-in types to describe common references. If a type does not exist for the reference being referred to, use the "other" type.
 ExternalReferenceType type = 1;
@@ -278,7 +288,7 @@ enum ExternalReferenceType {
 EXTERNAL_REFERENCE_TYPE_CODIFIED_INFRASTRUCTURE = 31;
 // A model card describes the intended uses of a machine learning model, potential limitations, biases, ethical considerations, training parameters, datasets used to train the model, performance metrics, and other relevant data useful for ML transparency.
 EXTERNAL_REFERENCE_TYPE_MODEL_CARD = 32;
- // Plans of Action and Milestones (POAM) complement an "attestation" external reference. POAM is defined by NIST as a "document that identifies tasks needing to be accomplished. It details resources required to accomplish the elements of the plan, any milestones in meeting the tasks and scheduled completion dates for the milestones".
+ // Plans of Action and Milestones (POA&M) complement an "attestation" external reference. POA&M is defined by NIST as a "document that identifies tasks needing to be accomplished. It details resources required to accomplish the elements of the plan, any milestones in meeting the tasks and scheduled completion dates for the milestones".
 EXTERNAL_REFERENCE_TYPE_POAM = 33;
 // A record of events that occurred in a computer system or application, such as problems, errors, or information on current operations.
 EXTERNAL_REFERENCE_TYPE_LOG = 34;
@@ -296,6 +306,8 @@ enum ExternalReferenceType {
 EXTERNAL_REFERENCE_TYPE_DIGITAL_SIGNATURE = 40;
 // Document that complies with RFC-9116 (A File Format to Aid in Security Vulnerability Disclosure)
 EXTERNAL_REFERENCE_TYPE_RFC_9116 = 41;
+ // Reference to release notes
+ EXTERNAL_REFERENCE_TYPE_RELEASE_NOTES = 42;
 }
 enum HashAlg {
@@ -333,6 +345,7 @@ message IdentifiableAction {
 }
 enum IssueClassification {
+ // Default
 // buf:lint:ignore ENUM_ZERO_VALUE_SUFFIX -- `null` is our fallback, doubling `unspecified`
 ISSUE_CLASSIFICATION_NULL = 0;
 // A fault, flaw, or bug in software
@@ -343,6 +356,7 @@ enum IssueClassification {
 ISSUE_CLASSIFICATION_SECURITY = 3;
 }
+// An individual issue that has been resolved.
 message Issue {
 // Specifies the type of issue
 IssueClassification type = 1;
@@ -352,7 +366,9 @@ message Issue {
 optional string name = 3;
 // A description of the issue
 optional string description = 4;
+ // The source of the issue where it is documented
 optional Source source = 5;
+ // A collection of URL's for reference. Multiple URLs are allowed. Example: "https://example.com"
 repeated string references = 6;
 }
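Review bot: The new comment on `Issue.references` (field 6) writes "A collection of URL's" with a possessive apostrophe for a plural, while the very next sentence writes "Multiple URLs"; change the line to `// A collection of URLs for reference. Multiple URLs are allowed. Example: "https://example.com"`. The `// Default` comment added above `ISSUE_CLASSIFICATION_NULL` duplicates the `buf:lint:ignore` line directly beneath it, which already explains that `null` stands in for `unspecified`; if a plain-language comment is wanted, saying what the value means (`// No classification given; treat as unspecified.`) is more useful than "Default".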
@@ -366,19 +382,23 @@ message Source {
 message LicenseChoice {
 oneof choice {
+ // A license
 License license = 1;
 // A valid SPDX license expression. Refer to https://spdx.org/specifications for syntax requirements
 string expression = 2;
 }
 // This field must only be used when "expression" is chosen as the License object has its own acknowledgement.
 optional LicenseAcknowledgementEnumeration acknowledgement = 3;
+ // This field must only be used when "expression" is chosen as the License object has its own bom_ref.
+ optional string bom_ref = 4;
 }
+// Specifies the details and attributes related to a software license. It can either include a valid SPDX license identifier or a named license, along with additional properties such as license acknowledgment, comprehensive commercial licensing information, and the full text of the license.
 message License {
 oneof license {
- // A valid SPDX license ID
+ // A valid SPDX license identifier. If specified, this value must be one of the enumeration of valid SPDX license identifiers defined in the spdx.schema.json (or spdx.xml) subschema which is synchronized with the official SPDX license list.
 string id = 1;
- // If SPDX does not define the license used, this field may be used to provide the license name
+ // The name of the license. This may include the name of a commercial or proprietary license or an open source license that may not be defined by SPDX.
 string name = 2;
 }
 // Specifies the optional full text of the attachment
@@ -424,9 +444,12 @@ message Licensing {
 optional google.protobuf.Timestamp expiration = 8;
 }
+// EITHER an organization OR an individual
 message OrganizationalEntityOrContact {
 oneof choice {
+ // Organization
 OrganizationalEntity organization = 1;
+ // Individual
 OrganizationalContact individual = 2;
 }
 }
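Review bot: The new `LicenseChoice.bom_ref` (field 4) is a referenceable identifier, but unlike every other `bom_ref` in this file its comment does not state the uniqueness rule, and the restriction to the `expression` branch of the oneof exists only in prose, since proto cannot express it. Consumers that resolve references need the rule spelled out; suggest `// An optional identifier which can be used to reference the license expression elsewhere in the BOM. Every bom-ref must be unique within the BOM. Must only be used when "expression" is chosen, as the License object has its own bom_ref.`. The rewritten `License.id` comment points readers at "the spdx.schema.json (or spdx.xml) subschema", which are JSON/XML schema artifacts that do not exist for this proto; a reader of this file would be better served by a direct reference to the official SPDX license list the comment already mentions.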
@@ -483,6 +506,7 @@ message Metadata {
 // The organization that supplied the component that the BOM describes. The supplier may often be the manufacture, but may also be a distributor or repackager.
 optional OrganizationalEntity supplier = 6;
 // The license information for the BOM document. This may be different from the license(s) of the component(s) that the BOM describes.
+ // EITHER (list of SPDX licenses and/or named licenses) OR (tuple of one SPDX License Expression)
 repeated LicenseChoice licenses = 7;
 // Specifies optional, custom, properties
 repeated Property properties = 8;
@@ -546,6 +570,7 @@ message OrganizationalEntity {
 }
 enum PatchClassification {
+ // Default
 // buf:lint:ignore ENUM_ZERO_VALUE_SUFFIX -- `null` is our fallback, doubling `unspecified`
 PATCH_CLASSIFICATION_NULL = 0;
 // A patch which is not developed by the creators or maintainers of the software being patched. Refer to https://en.wikipedia.org/wiki/Unofficial_patch
@@ -558,11 +583,13 @@ enum PatchClassification {
 PATCH_CLASSIFICATION_CHERRY_PICK = 4;
 }
+// Specifies an individual patch
 message Patch {
 // Specifies the purpose for the patch, including the resolution of defects, security issues, or new behavior or functionality
 PatchClassification type = 1;
 // The patch file (or diff) that show changes. Refer to https://en.wikipedia.org/wiki/Diff
 optional Diff diff = 2;
+ // A collection of issues the patch resolves
 repeated Issue resolves = 3;
 }
@@ -606,12 +633,15 @@ message Service {
 optional string version = 5;
 // Specifies a description for the service.
 optional string description = 6;
+ // The endpoint URIs of the service. Multiple endpoints are allowed. Example: "https://example.com/api/v1/ticker"
 repeated string endpoints = 7;
 // A boolean value indicating if the service requires authentication. A value of true indicates the service requires authentication prior to use. A value of false indicates the service does not require authentication.
 optional bool authenticated = 8;
 // A boolean value indicating if the use of the service crosses a trust zone or boundary. A value of true indicates that by using the service, a trust boundary is crossed. A value of false indicates that by using the service, a trust boundary is not crossed.
 optional bool x_trust_boundary = 9;
+ // Specifies information about the data including the directional flow of data and the data classification.
 repeated DataFlow data = 10;
+ // EITHER (list of SPDX licenses and/or named licenses) OR (tuple of one SPDX License Expression)
 repeated LicenseChoice licenses = 11;
 // Provides the ability to document external references related to the service.
 repeated ExternalReference external_references = 12;
@@ -627,6 +657,7 @@ message Service {
 repeated string tags = 17;
 }
+// Specifies metadata and content for ISO-IEC 19770-2 Software Identification (SWID) Tags.
 message Swid {
 // Maps to the tagId of a SoftwareIdentity.
 string tag_id = 1;
@@ -664,7 +695,9 @@ message Tool {
 // Specifies a property
 message Property {
+ // Name (or key)
 string name = 1;
+ // Value
 optional string value = 2;
 }
@@ -701,7 +734,7 @@ message Composition {
 repeated string dependencies = 3;
 // The bom-ref identifiers of the vulnerabilities being described.
 repeated string vulnerabilities = 4;
- // An optional identifier which can be used to reference the composition elsewhere in the BOM. Every bom-ref MUST be unique within the BOM.
+ // An optional identifier which can be used to reference the composition elsewhere in the BOM. Every bom-ref must be unique within the BOM.
 optional string bom_ref = 5;
 }
@@ -710,16 +743,22 @@ message EvidenceCopyright {
 string text = 1;
 }
+// Provides the ability to document evidence collected through various forms of extraction or analysis.
 message Evidence {
+ // EITHER (list of SPDX licenses and/or named licenses) OR (tuple of one SPDX License Expression)
 repeated LicenseChoice licenses = 1;
+ // Copyright evidence captures intellectual property assertions, providing evidence of possible ownership and legal protection.
 repeated EvidenceCopyright copyright = 2;
+ // Evidence that substantiates the identity of a component. The identity may be an object or an array of identity objects. Support for specifying identity as a single object was introduced in CycloneDX v1.5. Arrays were introduced in v1.6. It is recommended that all implementations use arrays, even if only one identity object is specified.
 repeated EvidenceIdentity identity = 3;
+ // Evidence of individual instances of a component spread across multiple locations.
 repeated EvidenceOccurrences occurrences = 4;
+ // Evidence of the components use through the callstack.
 optional Callstack callstack = 5;
 }
-// Evidence of the components use through the callstack.
 message Callstack {
+ // Within a call stack, a frame is a discrete unit that encapsulates an execution context, including local variables, parameters, and the return address. As function calls are made, frames are pushed onto the stack, forming an array-like structure that orchestrates the flow of program execution and manages the sequence of function invocations.
 repeated Frames frames = 1;
 message Frames {
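Review bot: The new comment on `Evidence.identity` (field 3) is copied from the JSON schema and describes a representation this proto does not have: "The identity may be an object or an array of identity objects … It is recommended that all implementations use arrays" has no meaning for a field that is simply `repeated EvidenceIdentity identity`. Trim it to what applies here, e.g. `// Evidence that substantiates the identity of a component. Multiple identities are supported as of CycloneDX v1.6.`, and confirm against the 1.5 proto whether the field was singular there before stating any history. The hunk also moves the `// Evidence of the components use through the callstack.` line from the `Callstack` message to the `callstack` field, which leaves `message Callstack` with no leading comment of its own; keeping a one-line message comment alongside the field comment would preserve generated documentation for the type. `message Callstack` and its nested `Frames` continue past this hunk.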
@@ -763,7 +802,7 @@ message EvidenceMethods {
 }
 message EvidenceOccurrences {
- // An optional identifier which can be used to reference the occurrence elsewhere in the BOM. Every bom-ref MUST be unique within the BOM.
+ // An optional identifier which can be used to reference the occurrence elsewhere in the BOM. Every bom-ref must be unique within the BOM.
 optional string bom_ref = 1;
 // The location or path to where the component was found.
 string location = 2;
@@ -806,6 +845,7 @@ enum EvidenceTechnique {
 EVIDENCE_TECHNIQUE_OTHER = 9;
 }
+// A note containing the locale and content.
 message Note {
 // The ISO-639 (or higher) language code and optional ISO-3166 (or higher) country code. Examples include: "en", "en-US", "fr" and "fr-CA".
 optional string locale = 1;
@@ -814,7 +854,7 @@ message Note {
 }
 message ReleaseNotes {
- // The software versioning type. It is RECOMMENDED that the release type use one of 'major', 'minor', 'patch', 'pre-release', or 'internal'. Representing all possible software release types is not practical, so standardizing on the recommended values, whenever possible, is strongly encouraged.
+ // The software versioning type. It is recommended that the release type use one of 'major', 'minor', 'patch', 'pre-release', or 'internal'. Representing all possible software release types is not practical, so standardizing on the recommended values, whenever possible, is strongly encouraged.
 string type = 1;
 // The title of the release.
 optional string title = 2;
@@ -838,6 +878,7 @@ message ReleaseNotes {
 repeated Property properties = 11;
 }
+// Defines a weakness in a component or service that could be exploited or triggered by a threat source.
 message Vulnerability {
 // An optional identifier which can be used to reference the vulnerability elsewhere in the BOM. Uniqueness is enforced within all elements and children of the root-level bom element.
 optional string bom_ref = 1;
@@ -914,14 +955,22 @@ message VulnerabilityRating {
 optional string justification = 6;
 }
+// Textual representation of the severity of the vulnerability adopted by the analysis method. If the analysis method uses values other than what is provided, the user is expected to translate appropriately.
 enum Severity {
+ // The severity is not known
 // buf:lint:ignore ENUM_ZERO_VALUE_SUFFIX -- `unknown` is our fallback, doubling `unspecified`
 SEVERITY_UNKNOWN = 0;
+ // Critical severity
 SEVERITY_CRITICAL = 1;
+ // High severity
 SEVERITY_HIGH = 2;
+ // Medium severity
 SEVERITY_MEDIUM = 3;
+ // Low severity
 SEVERITY_LOW = 4;
+ // Informational warning.
 SEVERITY_INFO = 5;
+ // None
 SEVERITY_NONE = 6;
 }
@@ -945,6 +994,7 @@ enum ScoreMethod {
 SCORE_METHOD_SSVC = 7;
 }
+// Title and location where advisory information can be obtained. An advisory is a notification of a threat to a component, service, or system.
 message Advisory {
 // An optional name of the advisory.
 optional string title = 1;
@@ -1020,10 +1070,15 @@ enum VulnerabilityResponse {
 // unspecified value
 // buf:lint:ignore ENUM_ZERO_VALUE_SUFFIX -- `null` is our fallback, doubling `unspecified`
 VULNERABILITY_RESPONSE_NULL = 0;
+ // Can not fix
 VULNERABILITY_RESPONSE_CAN_NOT_FIX = 1;
+ // Will not fix
 VULNERABILITY_RESPONSE_WILL_NOT_FIX = 2;
+ // Update to a different revision or release
 VULNERABILITY_RESPONSE_UPDATE = 3;
+ // Revert to a previous revision or release
 VULNERABILITY_RESPONSE_ROLLBACK = 4;
+ // There is a workaround available
 VULNERABILITY_RESPONSE_WORKAROUND_AVAILABLE = 5;
 }
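Review bot: The `Severity` enum now distinguishes `SEVERITY_UNKNOWN = 0` ("The severity is not known") from `SEVERITY_NONE = 6`, whose comment is the single word "None" and does not say how it differs from unknown; since the message-level comment tells users to "translate appropriately" from other scales, the distinction matters for anyone mapping a score to this enum. Suggest `// The vulnerability has been assessed and found to have no severity (for example, a CVSS score of 0.0).` — the CVSS mapping is an assumption to confirm against the spec text before committing to it. The same pattern applies to `// Default` on the zero values in other hunks of this diff, which restates the enum's implicit default rather than the value's meaning.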
@@ -1050,7 +1105,9 @@ enum VulnerabilityAffectedStatus {
 // It is unknown (or unspecified) whether the given version is affected.
 // buf:lint:ignore ENUM_ZERO_VALUE_SUFFIX -- `unknown` is our fallback, doubling `unspecified`
 VULNERABILITY_AFFECTED_STATUS_UNKNOWN = 0;
+ // The version is affected by the vulnerability.
 VULNERABILITY_AFFECTED_STATUS_AFFECTED = 1;
+ // The version is not affected by the vulnerability.
 VULNERABILITY_AFFECTED_STATUS_NOT_AFFECTED = 2;
 }
@@ -1068,7 +1125,7 @@ message AnnotatorChoice {
 }
 message Annotation {
- // An optional identifier which can be used to reference the annotation elsewhere in the BOM. Every bom-ref MUST be unique within the BOM.
+ // An optional identifier which can be used to reference the annotation elsewhere in the BOM. Every bom-ref must be unique within the BOM.
 optional string bom_ref = 1;
 // The object in the BOM identified by its bom-ref. This is often a component or service but may be any object type supporting bom-refs.
 repeated string subjects = 2;
@@ -1080,8 +1137,14 @@ message Annotation {
 string text = 5;
 }
+/**
+ * A model card describes the intended uses of a machine learning model and potential limitations, including biases and ethical considerations. Model cards typically contain the training parameters, which datasets were used to train the model, performance metrics, and other relevant data useful for ML transparency. This object SHOULD be specified for any component of type `machine-learning-model` and must not be specified for other component types.
+ *
+ * Comment:
+ * Model card support in CycloneDX is derived from TensorFlow Model Card Toolkit released under the Apache 2.0 license and available from https://github.com/tensorflow/model-card-toolkit/blob/main/model_card_toolkit/schema/v0.0.2/model_card.schema.json. In addition, CycloneDX model card support includes portions of VerifyML, also released under the Apache 2.0 license and available from https://github.com/cylynx/verifyml/blob/main/verifyml/model_card_toolkit/schema/v0.0.4/model_card.schema.json.
+ */
 message ModelCard {
- // An optional identifier which can be used to reference the model card elsewhere in the BOM. Every bom-ref MUST be unique within the BOM.
+ // An optional identifier which can be used to reference the model card elsewhere in the BOM. Every bom-ref must be unique within the BOM.
 optional string bom_ref = 1;
 // Hyper-parameters for construction of the model.
 optional ModelParameters modelParameters = 2;
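Review bot: The leading comment added to `message ModelCard` is the only `/** … */` block comment in this diff, with a `Comment:` sub-heading inside it, while every other message and field in the file, including the ones this same commit adds, uses `//` leading comments; protoc attaches both forms, but doc generators and `buf format` handle them differently and the file loses its uniform style. Suggest rewriting it as consecutive `//` lines, keeping the description and the attribution paragraph as two comment blocks with a blank `//` line between them. The related `+ //Default` line in the `EnergyMeasureUnitType` hunk later in the diff lacks the space after `//` that all other comments have and should be `// Default`.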
@@ -1107,15 +1170,19 @@ message ModelCard {
 repeated MachineLearningInputOutputParameters outputs = 7;
 message Approach {
+ // Learning types describing the learning problem or hybrid learning problem.
 optional ModelParameterApproachType type = 1;
 }
+
 message Datasets {
 oneof choice {
+ // Inline Data Information
 ComponentData dataset = 1;
 // References a data component by the components bom-ref attribute
 string ref = 2;
 }
 }
+
 message MachineLearningInputOutputParameters {
 // The data format for input/output to the model. Example formats include string, image, time-series
 optional string format = 1;
@@ -1124,6 +1191,7 @@ message ModelCard {
 message QuantitativeAnalysis {
 // The model performance metrics being reported. Examples may include accuracy, F1 score, precision, top-3 error rates, MSC, etc.
 repeated PerformanceMetrics performanceMetrics = 1;
+ // A collection of graphics that represent various measurements.
 optional GraphicsCollection graphics = 2;
 message PerformanceMetrics {
@@ -1186,6 +1254,7 @@ message ModelCard {
 message EnergyConsumption {
 // An activity that is part of a machine learning model development or operational lifecycle.
 enum ActivityType {
+ // Default
 ACTIVITY_TYPE_UNSPECIFIED = 0;
 // a lifecycle activity type whose description does not match currently defined values (the default type).
 ACTIVITY_TYPE_OTHER = 1;
@@ -1227,6 +1296,7 @@ message ModelCard {
 // Describes the physical provider of energy used for model development or operations.
 message EnergyProviderType {
 enum EnergySourceType {
+ // Default
 ENERGY_SOURCE_TYPE_UNSPECIFIED = 0;
 // energy source: unknown. The energy source is unknown.
 ENERGY_SOURCE_TYPE_UNKNOWN = 1;
@@ -1269,6 +1339,7 @@ message EnergyProviderType {
 // A measure of energy.
 message EnergyMeasureType {
 enum EnergyMeasureUnitType {
+ //Default
 ENERGY_MEASURE_UNIT_TYPE_UNSPECIFIED = 0;
 // kilowatt-hour (kWh) is the energy delivered by one kilowatt (kW) of power for one hour (h) (the default unit).
 ENERGY_MEASURE_UNIT_TYPE_KILOWATT_HOURS = 1;
@@ -1284,6 +1355,7 @@ message EnergyMeasureType {
 // A measure of carbon dioxide (CO2).
 message CO2MeasureType {
 enum CO2MeasureUnitType {
+ // Default
 CO2_MEASURE_UNIT_TYPE_UNSPECIFIED = 0;
 // Tonnes (t) of carbon dioxide (CO2) equivalent (eq) (the default unit).
 CO2_MEASURE_UNIT_TYPE_TONNES_CO2_EQUIVALENT = 1;
@@ -1298,7 +1370,7 @@ message CO2MeasureType {
 // An address used to identify a contactable location.
 message PostalAddressType {
- // An optional identifier which can be used to reference the address elsewhere in the BOM. Every bom-ref MUST be unique within the BOM.
+ // An optional identifier which can be used to reference the address elsewhere in the BOM. Every bom-ref must be unique within the BOM.
 optional string bom_ref = 1;
 // The country name or the two-letter ISO 3166-1 country code.
 optional string country = 2;
@@ -1329,7 +1401,7 @@ enum ModelParameterApproachType {
 }
 message ComponentData {
- // An optional identifier which can be used to reference the dataset elsewhere in the BOM. Every bom-ref MUST be unique within the BOM.
+ // An optional identifier which can be used to reference the dataset elsewhere in the BOM. Every bom-ref must be unique within the BOM.
 optional string bom_ref = 1;
 // The general theme or subject matter of the data being specified.
 ComponentDataType type = 2;
@@ -1358,6 +1430,7 @@ message ComponentData {
 }
 }
+// Data governance captures information regarding data ownership, stewardship, and custodianship, providing insights into the individuals or entities responsible for managing, overseeing, and safeguarding the data throughout its lifecycle.
 message DataGovernance {
 // Data custodians are responsible for the safe custody, transport, and storage of data.
 repeated DataGovernanceResponsibleParty custodians = 1;
@@ -1368,7 +1441,9 @@ message DataGovernance {
 message DataGovernanceResponsibleParty {
 oneof choice {
+ // The organization that is responsible for specific data governance role(s).
 OrganizationalEntity organization = 1;
+ // The individual that is responsible for specific data governance role(s).
 OrganizationalContact contact = 2;
 }
 }
@@ -1388,6 +1463,7 @@ enum ComponentDataType {
 COMPONENT_DATA_TYPE_OTHER = 4;
 }
+// A collection of graphics that represent various measurements.
 message GraphicsCollection {
 // A description of this collection of graphics.
 optional string description = 1;
@@ -1397,7 +1473,7 @@ message GraphicsCollection {
 message Graphic {
 // The name of the graphic.
 optional string name = 1;
- // The graphic (vector or raster). Base64 encoding MUST be specified for binary images.
+ // The graphic (vector or raster). Base64 encoding must be specified for binary images.
 optional AttachedText image = 2;
 }
 }
@@ -1588,7 +1664,7 @@ message Trigger {
 TriggerType type = 7;
 // The event data that caused the associated trigger to activate.
 optional Event event = 8;
- // Conditions
+ // A list of conditions used to determine if a trigger should be activated.
 repeated Condition conditions = 9;
 // The date and time (timestamp) when the trigger was activated.
 optional google.protobuf.Timestamp timeActivated = 10;
@@ -1674,7 +1750,9 @@ message OutputType {
 // Type that permits a choice to reference a resource using an iternal bom-ref identifier or an external reference.
 message ResourceReferenceChoice {
 oneof choice {
+ // References an object by its bom-ref attribute
 string ref = 1;
+ // Reference to an externally accessible resource
 ExternalReference externalReference = 2;
 }
 }
@@ -1729,11 +1807,14 @@ message Parameter {
 message EnvironmentVars {
 oneof choice {
+ // Name-value pair
 Property property = 1;
+ // Value
 string value = 2;
 }
 }
+// The list of declarations which describe the conformance to standards. Each declaration may include attestations, claims, and evidence.
 message Declarations {
 message Assessor {
 // An optional identifier which can be used to reference the component elsewhere in the BOM. Uniqueness is enforced within all elements and children of the root-level bom element.
@@ -1743,8 +1824,13 @@ message Declarations {
 // The entity issuing the assessment.
 optional OrganizationalEntity organization = 3;
 }
+
+ // Attestation
 message Attestation {
+ // Map
 message AttestationMap {
+
+ // Conformance
 message AttestationConformance {
 // The conformance of the claim between and inclusive of 0 and 1, where 1 is 100% conformance.
 optional double score = 1;
@@ -1753,12 +1839,15 @@ message Declarations {
 // The list of `bom-ref` to the evidence provided describing the mitigation strategies.
 repeated string mitigationStrategies = 3;
 }
+
+ // Confidence
 message AttestationConfidence {
 // The confidence of the claim between and inclusive of 0 and 1, where 1 is 100% confidence.
 optional double score = 1;
 // The rationale for the confidence score.
 optional string rationale = 2;
 }
+
 // The `bom-ref` to the requirement being attested to.
 optional string requirement = 1;
 // The list of `bom-ref` to the claims being attested to.
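Review bot: The comments added in the `Declarations` hunks (`// Attestation`, `// Map`, `// Conformance`, `// Confidence`) only restate the identifier they sit above and so add nothing for a reader or a doc generator; the same applies to `// Value` on `EnvironmentVars.value` in this line's second hunk and to `// Name (or key)` / `// Value` on `Property` in an earlier hunk. The field comments already visible in the hunk give enough to write real ones, e.g. on `AttestationMap`: `// Maps one requirement to the claims and counter-claims made against it, together with the assessor's declared conformance and confidence.`, and on `AttestationConformance`: `// The assessor's conformance score for a claim against a requirement, with rationale and mitigation strategies.`. `message Declarations` and its nested `Attestation` start or end outside these hunks.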
@@ -1770,6 +1859,7 @@ message Declarations {
 // The confidence of the claim meeting the requirement.
 optional AttestationConfidence confidence = 5;
 }
+
 // The short description explaining the main points of the attestation.
 optional string summary = 1;
 // The `bom-ref` to the assessor asserting the attestation.
@@ -1777,6 +1867,7 @@ message Declarations {
 // The grouping of requirements to claims and the attestors' declared conformance and confidence thereof.
 repeated AttestationMap map = 3;
 }
+
 message Claim {
 // An optional identifier which can be used to reference the component elsewhere in the BOM. Uniqueness is enforced within all elements and children of the root-level bom element.
 optional string bom_ref = 1;
@@ -1795,6 +1886,7 @@ message Declarations {
 // External references provide a way to document systems, sites, and information that may be relevant but are not included with the BOM. They may also establish specific relationships within or external to the BOM.
 repeated ExternalReference externalReferences = 8;
 }
+
 message Evidence {
 message Data {
 message Contents {
@@ -1803,6 +1895,7 @@ message Declarations {
 // The URL to where the data can be retrieved.
 optional string url = 2;
 }
+
 // The name of the data.
 optional string name = 1;
 // The contents or references to the contents of the data being described.
@@ -1814,6 +1907,7 @@ message Declarations {
 // Data Governance
 optional DataGovernance governance = 5;
 }
+
 // An optional identifier which can be used to reference the component elsewhere in the BOM. Uniqueness is enforced within all elements and children of the root-level bom element.
 optional string bom_ref = 1;
 // The reference to the property name as defined in the CycloneDX Property Taxonomy: https://github.com/CycloneDX/cyclonedx-property-taxonomy/.
@@ -1831,6 +1925,7 @@ message Declarations { // The reviewer of the evidence. optional OrganizationalContact reviewer = 8; } + message Targets { // The list of organizations which claims are made against. repeated OrganizationalEntity organizations = 1; @@ -1839,6 +1934,7 @@ message Declarations { // The list of services which claims are made against. repeated Service services = 3; } + message Affirmation { message Signatory { // The signatory's name. @@ -1850,11 +1946,13 @@ message Declarations { // An External reference provides a way to document systems, sites, and information that may be relevant but are not included with the BOM. They may also establish specific relationships within or external to the BOM. optional ExternalReference externalReference = 4; } - // The brief statement affirmed by an individual regarding all declarations. Notes: This could be an affirmation of acceptance by a third-party auditor or receiving individual of a file. + + // The brief statement affirmed by an individual regarding all declarations. Notes: This could be an affirmation of acceptance by a third-party auditor or receiving individual of a file. Example: "I certify, to the best of my knowledge, that all information is correct." optional string statement = 1; // The list of signatories authorized on behalf of an organization to assert validity of this document. repeated Signatory signatories = 2; } + // The list of assessors evaluating claims and determining conformance to requirements and confidence in that assessment. repeated Assessor assessors = 1; // The list of attestations asserted by an assessor that maps requirements to claims. 
@@ -1865,11 +1963,12 @@ message Declarations { repeated Evidence evidence = 4; // The list of targets which claims are made against. optional Targets targets = 5; - // affirmation + // A concise statement affirmed by an individual regarding all declarations, often used for third-party auditor acceptance or recipient acknowledgment. It includes a list of authorized signatories who assert the validity of the document on behalf of the organization. optional Affirmation affirmation = 6; } message Definition { + // A standard may consist of regulations, industry or organizational-specific standards, maturity models, best practices, or any other requirements which can be evaluated against or attested to. message Standard { message Requirement { // An optional identifier which can be used to reference the component elsewhere in the BOM. Uniqueness is enforced within all elements and children of the root-level bom element. @@ -1891,6 +1990,7 @@ message Definition { // External references provide a way to document systems, sites, and information that may be relevant but are not included with the BOM. They may also establish specific relationships within or external to the BOM. repeated ExternalReference externalReferences = 9; } + message Level { // An optional identifier which can be used to reference the component elsewhere in the BOM. Uniqueness is enforced within all elements and children of the root-level bom element. optional string bom_ref = 1; @@ -1903,6 +2003,7 @@ message Definition { // The list of requirement `bom-ref`s that comprise the level. repeated string requirements = 5; } + // An optional identifier which can be used to reference the component elsewhere in the BOM. Uniqueness is enforced within all elements and children of the root-level bom element. optional string bom_ref = 1; // The name of the standard. This will often be a shortened, single name of the standard. 
@@ -1920,19 +2021,30 @@ message Definition { // External references provide a way to document systems, sites, and information that may be relevant but are not included with the BOM. They may also establish specific relationships within or external to the BOM. repeated ExternalReference externalReferences = 8; } + + // The list of standards which may consist of regulations, industry or organizational-specific standards, maturity models, best practices, or any other requirements which can be evaluated against or attested to. repeated Standard standards = 1; } +// "Cryptographic Properties message CryptoProperties { + // Asset Type enum CryptoAssetType { // ProtoBuff's default value CRYPTO_ASSET_TYPE_UNSPECIFIED = 0; + // Mathematical function commonly used for data encryption, authentication, and digital signatures. CRYPTO_ASSET_TYPE_ALGORITHM = 1; + // An electronic document that is used to provide the identity or validate a public key. CRYPTO_ASSET_TYPE_CERTIFICATE = 2; + // A set of rules and guidelines that govern the behavior and communication with each other. CRYPTO_ASSET_TYPE_PROTOCOL = 3; + // Other cryptographic assets related to algorithms, certificates, and protocols such as keys and tokens. CRYPTO_ASSET_TYPE_RELATED_CRYPTO_MATERIAL = 4; } + + // Algorithm Propertie message AlgorithmProperties { + // Primitive enum CryptoPrimitive { // ProtoBuff's default value -- it differs from "unknown" CRYPTO_PRIMITIVE_UNSPECIFIED = 0; 
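Review bot: The new header comment on CryptoProperties, `// "Cryptographic Properties`, carries a stray opening double quote, and `// Algorithm Propertie` on AlgorithmProperties is missing its last letter; both look like copy errors and will appear verbatim in generated documentation. I would write `// Cryptographic Properties` and `// Algorithm Properties`. The CRYPTO_ASSET_TYPE_PROTOCOL comment, `A set of rules and guidelines that govern the behavior and communication with each other`, has lost its subject; `...that govern how two or more parties communicate with each other` reads correctly.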
@@ -1940,20 +2052,35 @@ message CryptoProperties { CRYPTO_PRIMITIVE_UNKNOWN = 1; // Another primitive type - none of the following CRYPTO_PRIMITIVE_OTHER = 2; + // Deterministic Random Bit Generator (DRBG) is a type of pseudorandom number generator designed to produce a sequence of bits from an initial seed value. DRBGs are commonly used in cryptographic applications where reproducibility of random values is important. CRYPTO_PRIMITIVE_DRBG = 3; + // In cryptography, a Message Authentication Code (MAC) is information used for authenticating and integrity-checking a message. CRYPTO_PRIMITIVE_MAC = 4; + // A block cipher is a symmetric key algorithm that operates on fixed-size blocks of data. It encrypts or decrypts the data in block units, providing confidentiality. Block ciphers are widely used in various cryptographic modes and protocols for secure data transmission. CRYPTO_PRIMITIVE_BLOCK_CIPHER = 5; + // A stream cipher is a symmetric key cipher where plaintext digits are combined with a pseudorandom cipher digit stream (keystream). CRYPTO_PRIMITIVE_STREAM_CIPHER = 6; + // In cryptography, a signature is a digital representation of a message or data that proves its origin, identity, and integrity. Digital signatures are generated using cryptographic algorithms and are widely used for authentication and verification in secure communication. CRYPTO_PRIMITIVE_SIGNATURE = 7; + // A hash function is a mathematical algorithm that takes an input (or 'message') and produces a fixed-size string of characters, which is typically a hash value. Hash functions are commonly used in various cryptographic applications, including data integrity verification and password hashing. CRYPTO_PRIMITIVE_HASH = 8; + // Public Key Encryption (PKE) is a type of encryption that uses a pair of public and private keys for secure communication. The public key is used for encryption, while the private key is used for decryption. PKE is a fundamental component of public-key cryptography. 
CRYPTO_PRIMITIVE_PKE = 9; + // An XOF is an extendable output function that can take arbitrary input and creates a stream of output, up to a limit determined by the size of the internal state of the hash function that underlies the XOF. CRYPTO_PRIMITIVE_XOF = 10; + // A Key Derivation Function (KDF) derives key material from another source of entropy while preserving the entropy of the input. CRYPTO_PRIMITIVE_KDF = 11; + // In cryptography, a key-agreement is a protocol whereby two or more parties agree on a cryptographic key in such a way that both influence the outcome. CRYPTO_PRIMITIVE_KEY_AGREE = 12; + // A Key Encapsulation Mechanism (KEM) algorithm is a mechanism for transporting random keying material to a recipient using the recipient's public key. CRYPTO_PRIMITIVE_KEM = 13; + // Authenticated Encryption (AE) is a cryptographic process that provides both confidentiality and data integrity. It ensures that the encrypted data has not been tampered with and comes from a legitimate source. AE is commonly used in secure communication protocols. CRYPTO_PRIMITIVE_AE = 14; + // A combiner aggregates many candidates for a cryptographic primitive and generates a new candidate for the same primitive. CRYPTO_PRIMITIVE_COMBINER = 15; } + + // Execution Environment enum CryptoExecutionEnvironment { // ProtoBuff's default value -- it differs from "unknown" CRYPTO_EXECUTION_ENVIRONMENT_UNSPECIFIED = 0; 
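Review bot: The new CRYPTO_PRIMITIVE_DRBG comment ends with `DRBGs are commonly used in cryptographic applications where reproducibility of random values is important`, which states the opposite of the property that matters for this inventory: a DRBG feeding keys, IVs or nonces is relied on for unpredictability of its output given a secret, high-entropy seed, and reproducible output (a fixed or reused seed) is exactly the weakness a cryptographic BOM exists to surface. I would replace that sentence with `A DRBG expands a secret seed into output that is computationally indistinguishable from random; its security depends on the entropy of the seed it is instantiated with.` If the JSON schema carries the same sentence for its drbg value, it should change there too.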
@@ -1961,11 +2088,17 @@ message CryptoProperties { CRYPTO_EXECUTION_ENVIRONMENT_UNKNOWN = 1; // Another implementation environment - none of the following CRYPTO_EXECUTION_ENVIRONMENT_OTHER = 2; + // A software implementation running in plain unencrypted RAM. CRYPTO_EXECUTION_ENVIRONMENT_SOFTWARE_PLAIN_RAM = 3; + // A software implementation running in encrypted RAM. CRYPTO_EXECUTION_ENVIRONMENT_SOFTWARE_ENCRYPTED_RAM = 4; + // A software implementation running in a trusted execution environment. CRYPTO_EXECUTION_ENVIRONMENT_SOFTWARE_TEE = 5; + // A hardware implementation. CRYPTO_EXECUTION_ENVIRONMENT_HARDWARE = 6; } + + // Implementation platform enum CryptoImplementationPlatform { // ProtoBuff's default value -- it differs from "unknown" CRYPTO_IMPLEMENTATION_PLATFORM_UNSPECIFIED = 0; @@ -1986,6 +2119,8 @@ message CryptoProperties { CRYPTO_IMPLEMENTATION_PLATFORM_PPC64 = 13; CRYPTO_IMPLEMENTATION_PLATFORM_PPC64LE = 14; } + + // Mode enum CryptoAlgorithmMode { // ProtoBuff's default value -- it differs from "unknown" CRYPTO_ALGORITHM_MODE_UNSPECIFIED = 0; @@ -1993,14 +2128,23 @@ message CryptoProperties { CRYPTO_ALGORITHM_MODE_UNKNOWN = 1; // Another mode of operation - none of the following CRYPTO_ALGORITHM_MODE_OTHER = 2; + // Cipher block chaining CRYPTO_ALGORITHM_MODE_CBC = 3; + // Electronic codebook CRYPTO_ALGORITHM_MODE_ECB = 4; + // Counter with cipher block chaining message authentication code CRYPTO_ALGORITHM_MODE_CCM = 5; + // Galois/counter CRYPTO_ALGORITHM_MODE_GCM = 6; + // Cipher feedback CRYPTO_ALGORITHM_MODE_CFB = 7; + // Output feedback CRYPTO_ALGORITHM_MODE_OFB = 8; + // Counter CRYPTO_ALGORITHM_MODE_CTR = 9; } + + // Padding enum CryptoAlgorithmPadding { // ProtoBuff's default value -- it differs from "unknown" CRYPTO_ALGORITHM_PADDING_UNSPECIFIED = 0; 
@@ -2008,12 +2152,19 @@ message CryptoProperties { CRYPTO_ALGORITHM_PADDING_UNKNOWN = 1; // Another padding scheme - none of the following CRYPTO_ALGORITHM_PADDING_OTHER = 2; + // Public Key Cryptography Standard: Password-Based Cryptography CRYPTO_ALGORITHM_PADDING_PKCS5 = 3; + // Public Key Cryptography Standard: Cryptographic Message Syntax CRYPTO_ALGORITHM_PADDING_PKCS7 = 4; + // Public Key Cryptography Standard: RSA Cryptography v1.5 CRYPTO_ALGORITHM_PADDING_PKCS1V15 = 5; + // Optimal asymmetric encryption padding CRYPTO_ALGORITHM_PADDING_OAEP = 6; + // Raw CRYPTO_ALGORITHM_PADDING_RAW = 7; } + + // Cryptographic functions enum CryptoAlgorithmFunction { // ProtoBuff's default value -- it differs from "unknown" CRYPTO_ALGORITHM_FUNCTION_UNSPECIFIED = 0; @@ -2033,6 +2184,7 @@ message CryptoProperties { CRYPTO_ALGORITHM_FUNCTION_ENCAPSULATE = 12; CRYPTO_ALGORITHM_FUNCTION_DECAPSULATE = 13; } + // Cryptographic building blocks used in higher-level cryptographic systems and protocols. Primitives represent different cryptographic routines: deterministic random bit generators (drbg, e.g. CTR_DRBG from NIST SP800-90A-r1), message authentication codes (mac, e.g. HMAC-SHA-256), blockciphers (e.g. AES), streamciphers (e.g. Salsa20), signatures (e.g. ECDSA), hash functions (e.g. SHA-256), public-key encryption schemes (pke, e.g. RSA), extended output functions (xof, e.g. SHAKE256), key derivation functions (e.g. pbkdf2), key agreement algorithms (e.g. ECDH), key encapsulation mechanisms (e.g. ML-KEM), authenticated encryption (ae, e.g. AES-GCM) and the combination of multiple algorithms (combiner, e.g. SP800-56Cr2). optional CryptoPrimitive primitive = 1; // An identifier for the parameter set of the cryptographic algorithm. Examples: in AES128, '128' identifies the key length in bits, in SHA256, '256' identifies the digest length, '128' in SHAKE128 identifies its maximum security level in bits, and 'SHA2-128s' identifies a parameter set used in SLH-DSA (FIPS205). 
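Review bot: `// Raw` on CRYPTO_ALGORITHM_PADDING_RAW tells the reader nothing beyond the identifier; if the value means that no padding scheme is applied (the usual reading of "raw" RSA or block-cipher input), the comment should say so: `// Raw: no padding is applied; the input must already fill the block or modulus size`. The PKCS5 and PKCS7 comments name the parent standards (Password-Based Cryptography, Cryptographic Message Syntax) rather than the padding scheme the enum value identifies, so `// PKCS#5 block padding, as defined in the Password-Based Cryptography Specification` and the matching PKCS#7 wording would be more useful to a consumer deciding what the asset actually does.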
@@ -2056,6 +2208,8 @@ message CryptoProperties { // The NIST security strength category as defined in https://csrc.nist.gov/projects/post-quantum-cryptography/post-quantum-cryptography-standardization/evaluation-criteria/security-(evaluation-criteria). A value of 0 indicates that none of the categories are met. optional int32 nistQuantumSecurityLevel = 11; } // end of AlgorithmProperties + + // Certificate Properties message CertificateProperties { // The subject name for the certificate optional string subjectName = 1; @@ -2074,7 +2228,11 @@ message CryptoProperties { // The file extension of the certificate. Examples include crt, pem, cer, der, and p12. optional string certificateExtension = 8; } // end of CertificateProperties + + // Related Cryptographic Material Properties message RelatedCryptoMaterialProperties { + + // relatedCryptoMaterialType enum CryptoRelatedType { // ProtoBuff's default value -- it differs from "unknown" CRYPTO_RELATED_TYPE_UNSPECIFIED = 0; @@ -2100,6 +2258,8 @@ message CryptoProperties { CRYPTO_RELATED_TYPE_CREDENTIAL = 18; CRYPTO_RELATED_TYPE_TOKEN = 19; } + + // State enum CryptoRelatedState { // Default CRYPTO_RELATED_STATE_UNSPECIFIED = 0; @@ -2110,12 +2270,15 @@ message CryptoProperties { CRYPTO_RELATED_STATE_COMPROMISED = 5; CRYPTO_RELATED_STATE_DESTROYED = 6; } + + // Secured By message CryptoRelatedSecuredBy { // Specifies the mechanism by which the cryptographic asset is secured. Examples include HSM, TPM, SGX, Software, and None optional string mechanism = 1; // The bom-ref to the algorithm. optional string algorithmRef = 2; } + // The type for the related cryptographic material optional CryptoRelatedType type = 1; // The optional unique identifier for the related cryptographic material. 
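Review bot: `// relatedCryptoMaterialType` above enum CryptoRelatedType is the JSON property name rather than a description, which is out of step with the sentence-style comments added in the same hunk (`// Related Cryptographic Material Properties`). I would write `// The type of related cryptographic material, such as a credential or token` — values `CRYPTO_RELATED_TYPE_CREDENTIAL` and `CRYPTO_RELATED_TYPE_TOKEN` are visible in the following hunk.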
@@ -2141,6 +2304,8 @@ message CryptoProperties { // The mechanism by which the cryptographic asset is secured. optional CryptoRelatedSecuredBy securedBy = 12; } // end of RelatedCryptoMaterialProperties + + // Protocol Properties message ProtocolProperties { enum CryptoProtocolType { // ProtoBuff's default value -- it differs from "unknown" @@ -2149,13 +2314,21 @@ message CryptoProperties { CRYPTO_PROTOCOL_TYPE_UNKNOWN = 1; // Another protocol type - none of the following CRYPTO_PROTOCOL_TYPE_OTHER = 2; + // Transport Layer Security CRYPTO_PROTOCOL_TYPE_TLS = 3; + // Secure Shell CRYPTO_PROTOCOL_TYPE_SSH = 4; + // Internet Protocol Security CRYPTO_PROTOCOL_TYPE_IPSEC = 5; + // Internet Key Exchange CRYPTO_PROTOCOL_TYPE_IKE = 6; + // Secure Socket Tunneling Protocol CRYPTO_PROTOCOL_TYPE_SSTP = 7; + // Wi-Fi Protected Access CRYPTO_PROTOCOL_TYPE_WPA = 8; } + + // Object representing a cipher suite message CryptoProtocolCipherSuite { // A common name for the cipher suite. For example: TLS_DHE_RSA_WITH_AES_128_CCM optional string name = 1; @@ -2164,6 +2337,8 @@ message CryptoProperties { // A list of common identifiers for the cipher suite. For example: 0xC0 and 0x9E repeated string identifiers = 3; } + + // IKEv2 Transform Types message Ikev2TransformTypes { // Transform Type 1: encryption algorithms repeated string encr = 1; @@ -2178,6 +2353,7 @@ message CryptoProperties { // IKEv2 Authentication method repeated string auth = 6; } + // The concrete protocol type. optional CryptoProtocolType type = 1; // The version of the protocol. Examples include 1.0, 1.2, and 1.99. 
@@ -2186,7 +2362,10 @@ message CryptoProperties { repeated CryptoProtocolCipherSuite cipherSuites = 3; // The IKEv2 transform types supported (types 1-4), defined in RFC7296 section 3.3.2, and additional properties. optional Ikev2TransformTypes ikev2TransformTypes = 4; + // The bom-ref(s) to protocol-related cryptographic assets + repeated string cryptoRef = 5; } // end of ProtocolProperties + // Cryptographic assets occur in several forms. Algorithms and protocols are most commonly implemented in specialized cryptographic libraries. They may, however, also be 'hardcoded' in software components. Certificates and related cryptographic material like keys, tokens, secrets or passwords are other cryptographic assets to be modelled. CryptoAssetType assetType = 1; // Additional properties specific to a cryptographic algorithm. diff --git a/schema/bom-1.6.schema.json b/schema/bom-1.6.schema.json index d52d463..45fd8e2 100644 --- a/schema/bom-1.6.schema.json +++ b/schema/bom-1.6.schema.json @@ -16,7 +16,7 @@ "bomFormat": { "type": "string", "title": "BOM Format", - "description": "Specifies the format of the BOM. This helps to identify the file as CycloneDX since BOMs do not have a filename convention, nor does JSON schema support namespaces. This value MUST be \"CycloneDX\".", + "description": "Specifies the format of the BOM. This helps to identify the file as CycloneDX since BOMs do not have a filename convention, nor does JSON schema support namespaces. This value must be \"CycloneDX\".", "enum": [ "CycloneDX" ] 
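Review bot: The comment on the new `cryptoRef` field, `The bom-ref(s) to protocol-related cryptographic assets`, does not say what the references are expected to resolve to or how a consumer should treat one that does not resolve, whereas the sibling `algorithmRef` comment in RelatedCryptoMaterialProperties at least names its target. If the intent is that each entry is the bom-ref of a component in the same BOM whose `assetType` describes the algorithm, certificate or key material the protocol uses, I would state that: `// The list of bom-ref to the cryptographic assets (algorithms, certificates, key material) used by this protocol. Each entry should resolve to a component in this BOM.` Adding `repeated string` at field number 5 after `ikev2TransformTypes = 4` is wire-compatible and the camelCase name matches `cipherSuites`, so no change is needed there.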
@@ -25,12 +25,12 @@
 "type": "string",
 "title": "CycloneDX Specification Version",
 "description": "The version of the CycloneDX specification the BOM conforms to.",
- "examples": ["1.6"]
+ "examples": ["1.6.1"]
 },
 "serialNumber": {
 "type": "string",
 "title": "BOM Serial Number",
- "description": "Every BOM generated SHOULD have a unique serial number, even if the contents of the BOM have not changed over time. If specified, the serial number MUST conform to RFC-4122. Use of serial numbers is RECOMMENDED.",
+ "description": "Every BOM generated SHOULD have a unique serial number, even if the contents of the BOM have not changed over time. If specified, the serial number must conform to [RFC 4122](https://www.ietf.org/rfc/rfc4122.html). Use of serial numbers is recommended.",
 "examples": ["urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79"],
 "pattern": "^urn:uuid:[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$"
 },
@@ -121,7 +121,7 @@
 "bom-ref": {
 "$ref": "#/definitions/refType",
 "title": "BOM Reference",
- "description": "An optional identifier which can be used to reference the object elsewhere in the BOM. Every bom-ref MUST be unique within the BOM."
+ "description": "An optional identifier which can be used to reference the object elsewhere in the BOM. Every bom-ref must be unique within the BOM."
 },
 "thirdParty": {
 "type": "boolean",
@@ -250,7 +250,7 @@
 "bom-ref": {
 "$ref": "#/definitions/refType",
 "title": "BOM Reference",
- "description": "An optional identifier which can be used to reference the object elsewhere in the BOM. Every bom-ref MUST be unique within the BOM."
+ "description": "An optional identifier which can be used to reference the object elsewhere in the BOM. Every bom-ref must be unique within the BOM."
 },
 "target": {
 "$ref": "#/definitions/refLinkType",
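Review bot: The `specVersion` example is changed to `"1.6.1"`, but nothing else visible in this diff moves to a patch-level version, so a producer copying the example would emit a version string that consumers matching on `"1.6"` will not recognise. If patch releases of the schema are not meant to change the value a document carries, keep `"examples": ["1.6"]` and record 1.6.1 only in the schema's own metadata. Separately, the new serialNumber text mixes registers — `SHOULD` stays as an RFC 2119 keyword while `MUST` becomes `must` and `RECOMMENDED` becomes `recommended` in the same description; either lowercase all three or keep them all as keywords. The same mixed `must` / `SHOULD` wording appears in the bom-ref descriptions at L35, L36, L38, L43 and L44, and in the `data` description at L40 (`SHOULD be specified ... must not be specified`).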
@@ -311,7 +311,7 @@
 "bom-ref": {
 "$ref": "#/definitions/refType",
 "title": "BOM Reference",
- "description": "An optional identifier which can be used to reference the object elsewhere in the BOM. Every bom-ref MUST be unique within the BOM."
+ "description": "An optional identifier which can be used to reference the object elsewhere in the BOM. Every bom-ref must be unique within the BOM."
 },
 "propertyName": {
 "type": "string",
@@ -433,6 +433,7 @@
 "affirmation": {
 "type": "object",
 "title": "Affirmation",
+ "description": "A concise statement affirmed by an individual regarding all declarations, often used for third-party auditor acceptance or recipient acknowledgment. It includes a list of authorized signatories who assert the validity of the document on behalf of the organization.",
 "additionalProperties": false,
 "properties": {
 "statement": {
@@ -519,7 +520,7 @@
 "properties": {
 "type": "array",
 "title": "Properties",
- "description": "Provides the ability to document properties in a name-value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. Unlike key-value stores, properties support duplicate names, each potentially having different values. Property names of interest to the general public are encouraged to be registered in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy). Formal registration is OPTIONAL.",
+ "description": "Provides the ability to document properties in a name-value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. Unlike key-value stores, properties support duplicate names, each potentially having different values. Property names of interest to the general public are encouraged to be registered in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy). Formal registration is optional.",
 "items": {
 "$ref": "#/definitions/property"
 }
@@ -709,7 +710,7 @@
 "properties": {
 "type": "array",
 "title": "Properties",
- "description": "Provides the ability to document properties in a name-value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. Unlike key-value stores, properties support duplicate names, each potentially having different values. Property names of interest to the general public are encouraged to be registered in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy). Formal registration is OPTIONAL.",
+ "description": "Provides the ability to document properties in a name-value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. Unlike key-value stores, properties support duplicate names, each potentially having different values. Property names of interest to the general public are encouraged to be registered in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy). Formal registration is optional.",
 "items": {"$ref": "#/definitions/property"}
 }
 }
@@ -752,13 +753,12 @@
 "organizationalEntity": {
 "type": "object",
 "title": "Organizational Entity",
- "description": "",
 "additionalProperties": false,
 "properties": {
 "bom-ref": {
 "$ref": "#/definitions/refType",
 "title": "BOM Reference",
- "description": "An optional identifier which can be used to reference the object elsewhere in the BOM. Every bom-ref MUST be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links."
+ "description": "An optional identifier which can be used to reference the object elsewhere in the BOM. Every bom-ref must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links."
 },
 "name": {
 "type": "string",
@@ -794,13 +794,12 @@
 "organizationalContact": {
 "type": "object",
 "title": "Organizational Contact",
- "description": "",
 "additionalProperties": false,
 "properties": {
 "bom-ref": {
 "$ref": "#/definitions/refType",
 "title": "BOM Reference",
- "description": "An optional identifier which can be used to reference the object elsewhere in the BOM. Every bom-ref MUST be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links."
+ "description": "An optional identifier which can be used to reference the object elsewhere in the BOM. Every bom-ref must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links."
 },
 "name": {
 "type": "string",
@@ -852,7 +851,7 @@
 "meta:enum": {
 "application": "A software application. Refer to [https://en.wikipedia.org/wiki/Application_software](https://en.wikipedia.org/wiki/Application_software) for information about applications.",
 "framework": "A software framework. Refer to [https://en.wikipedia.org/wiki/Software_framework](https://en.wikipedia.org/wiki/Software_framework) for information on how frameworks vary slightly from libraries.",
- "library": "A software library. Refer to [https://en.wikipedia.org/wiki/Library_(computing)](https://en.wikipedia.org/wiki/Library_(computing)) for information about libraries. All third-party and open source reusable components will likely be a library. If the library also has key features of a framework, then it should be classified as a framework. If not, or is unknown, then specifying library is RECOMMENDED.",
+ "library": "A software library. Refer to [https://en.wikipedia.org/wiki/Library_(computing)](https://en.wikipedia.org/wiki/Library_(computing)) for information about libraries. All third-party and open source reusable components will likely be a library. If the library also has key features of a framework, then it should be classified as a framework. If not, or is unknown, then specifying library is recommended.",
 "container": "A packaging and/or runtime format, not specific to any particular technology, which isolates software inside the container from software outside of a container through virtualization technology. Refer to [https://en.wikipedia.org/wiki/OS-level_virtualization](https://en.wikipedia.org/wiki/OS-level_virtualization).",
 "platform": "A runtime environment which interprets or executes software. This may include runtimes such as those that execute bytecode or low-code/no-code application platforms.",
 "operating-system": "A software operating system without regard to deployment model (i.e. 
installed on physical hardware, virtual machine, image, etc) Refer to [https://en.wikipedia.org/wiki/Operating_system](https://en.wikipedia.org/wiki/Operating_system).",
@@ -878,7 +877,7 @@
 "bom-ref": {
 "$ref": "#/definitions/refType",
 "title": "BOM Reference",
- "description": "An optional identifier which can be used to reference the component elsewhere in the BOM. Every bom-ref MUST be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links."
+ "description": "An optional identifier which can be used to reference the component elsewhere in the BOM. Every bom-ref must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links."
 },
 "supplier": {
 "title": "Component Supplier",
@@ -972,13 +971,13 @@
 "purl": {
 "type": "string",
 "title": "Package URL (purl)",
- "description": "Asserts the identity of the component using package-url (purl). The purl, if specified, MUST be valid and conform to the specification defined at: [https://github.com/package-url/purl-spec](https://github.com/package-url/purl-spec). Refer to `@.evidence.identity` to optionally provide evidence that substantiates the assertion of the component's identity.",
+ "description": "Asserts the identity of the component using package-url (purl). The purl, if specified, must be valid and conform to the specification defined at: [https://github.com/package-url/purl-spec](https://github.com/package-url/purl-spec). Refer to `@.evidence.identity` to optionally provide evidence that substantiates the assertion of the component's identity.",
 "examples": ["pkg:maven/com.acme/tomcat-catalina@9.0.14?packaging=jar"]
 },
 "omniborId": {
 "type": "array",
 "title": "OmniBOR Artifact Identifier (gitoid)",
- "description": "Asserts the identity of the component using the OmniBOR Artifact ID. The OmniBOR, if specified, MUST be valid and conform to the specification defined at: [https://www.iana.org/assignments/uri-schemes/prov/gitoid](https://www.iana.org/assignments/uri-schemes/prov/gitoid). Refer to `@.evidence.identity` to optionally provide evidence that substantiates the assertion of the component's identity.",
+ "description": "Asserts the identity of the component using the OmniBOR Artifact ID. The OmniBOR, if specified, must be valid and conform to the specification defined at: [https://www.iana.org/assignments/uri-schemes/prov/gitoid](https://www.iana.org/assignments/uri-schemes/prov/gitoid). Refer to `@.evidence.identity` to optionally provide evidence that substantiates the assertion of the component's identity.",
 "items": { "type": "string" },
 "examples": [
 "gitoid:blob:sha1:a94a8fe5ccb19ba61c4c0873d391e987982fbbd3",
@@ -987,8 +986,8 @@
 },
 "swhid": {
 "type": "array",
- "title": "SoftWare Heritage Identifier",
- "description": "Asserts the identity of the component using the Software Heritage persistent identifier (SWHID). The SWHID, if specified, MUST be valid and conform to the specification defined at: [https://docs.softwareheritage.org/devel/swh-model/persistent-identifiers.html](https://docs.softwareheritage.org/devel/swh-model/persistent-identifiers.html). Refer to `@.evidence.identity` to optionally provide evidence that substantiates the assertion of the component's identity.",
+ "title": "Software Heritage Identifier",
+ "description": "Asserts the identity of the component using the Software Heritage persistent identifier (SWHID). The SWHID, if specified, must be valid and conform to the specification defined at: [https://docs.softwareheritage.org/devel/swh-model/persistent-identifiers.html](https://docs.softwareheritage.org/devel/swh-model/persistent-identifiers.html). Refer to `@.evidence.identity` to optionally provide evidence that substantiates the assertion of the component's identity.",
 "items": { "type": "string" },
 "examples": ["swh:1:cnt:94a9ed024d3859793618152ea559a168bbcbb5e2"]
 },
@@ -1076,7 +1075,7 @@
 "type": "array",
 "items": {"$ref": "#/definitions/componentData"},
 "title": "Data",
- "description": "This object SHOULD be specified for any component of type `data` and MUST NOT be specified for other component types."
+ "description": "This object SHOULD be specified for any component of type `data` and must not be specified for other component types."
 },
 "cryptoProperties": {
 "$ref": "#/definitions/cryptoProperties",
@@ -1085,7 +1084,7 @@
 "properties": {
 "type": "array",
 "title": "Properties",
- "description": "Provides the ability to document properties in a name-value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. Unlike key-value stores, properties support duplicate names, each potentially having different values. Property names of interest to the general public are encouraged to be registered in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy). Formal registration is OPTIONAL.",
+ "description": "Provides the ability to document properties in a name-value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. Unlike key-value stores, properties support duplicate names, each potentially having different values. Property names of interest to the general public are encouraged to be registered in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy). Formal registration is optional.",
 "items": {"$ref": "#/definitions/property"}
 },
 "tags": {
@@ -1162,8 +1161,13 @@
 "contentType": {
 "type": "string",
 "title": "Content-Type",
- "description": "Specifies the content type of the text. Defaults to text/plain if not specified.",
- "default": "text/plain"
+ "description": "Specifies the format and nature of the data being attached, helping systems correctly interpret and process the content. Common content type examples include `application/json` for JSON data and `text/plain` for plan text documents.\n [RFC 2045 section 5.1](https://www.ietf.org/rfc/rfc2045.html#section-5.1) outlines the structure and use of content types. For a comprehensive list of registered content types, refer to the [IANA media types registry](https://www.iana.org/assignments/media-types/media-types.xhtml).",
+ "default": "text/plain",
+ "examples": [
+ "text/plain",
+ "application/json",
+ "image/png"
+ ]
 },
 "encoding": {
 "type": "string",
@@ -1229,6 +1233,7 @@
 "license": {
 "type": "object",
 "title": "License",
+ "description": "Specifies the details and attributes related to a software license. It can either include a valid SPDX license identifier or a named license, along with additional properties such as license acknowledgment, comprehensive commercial licensing information, and the full text of the license.",
 "oneOf": [
 {
 "required": ["id"]
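Review bot: The new contentType description reads `for plan text documents` (`plain`), and it drops the old sentence that stated the default even though `"default": "text/plain"` is kept on the next line, so the only place a reader now learns the default is the schema keyword. I would append `Defaults to \`text/plain\` if not specified.` to the description. Since the value is asserted by the BOM producer, a one-line caveat that consumers should treat it as a hint when choosing how to decode or render the attached text, rather than dispatching on it alone, would also help implementers; whether the same sentence in the .proto comment carries the same typo should be checked at the same time.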
@@ -1242,18 +1247,18 @@ "bom-ref": { "$ref": "#/definitions/refType", "title": "BOM Reference", - "description": "An optional identifier which can be used to reference the license elsewhere in the BOM. Every bom-ref MUST be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links." + "description": "An optional identifier which can be used to reference the license elsewhere in the BOM. Every bom-ref must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links." }, "id": { "$ref": "spdx.schema.json", "title": "License ID (SPDX)", - "description": "A valid SPDX license ID", + "description": "A valid SPDX license identifier. If specified, this value must be one of the enumeration of valid SPDX license identifiers defined in the spdx.schema.json (or spdx.xml) subschema which is synchronized with the official SPDX license list.", "examples": ["Apache-2.0"] }, "name": { "type": "string", "title": "License Name", - "description": "If SPDX does not define the license used, this field may be used to provide the license name", + "description": "The name of the license. This may include the name of a commercial or proprietary license or an open source license that may not be defined by SPDX.", "examples": ["Acme Software License"] }, "acknowledgement": { 
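Review bot: The bom-ref description now mixes registers inside one string: `Every bom-ref must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:'` downcases MUST but keeps the RFC 2119 capital SHOULD, which reads as though uniqueness stopped being normative while the prefix rule still is. If the intent of this pass is to drop RFC 2119 keywords, downcase `SHOULD` in the same string; if they are to stay, `MUST` should be restored so the two sentences agree. The same half-normalized bom-ref text recurs in the license, service, occurrence, composition, vulnerability, annotation, model card, dataset, energy provider, address, formula, workflow, task, workspace and trigger hunks below, and the model card description itself now reads `This object SHOULD be specified ... and must not be specified`, so whichever convention is chosen should be applied to all of them in one sweep.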
@@ -1429,7 +1434,7 @@
 "properties": {
 "type": "array",
 "title": "Properties",
- "description": "Provides the ability to document properties in a name-value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. Unlike key-value stores, properties support duplicate names, each potentially having different values. Property names of interest to the general public are encouraged to be registered in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy). Formal registration is OPTIONAL.",
+ "description": "Provides the ability to document properties in a name-value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. Unlike key-value stores, properties support duplicate names, each potentially having different values. Property names of interest to the general public are encouraged to be registered in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy). Formal registration is optional.",
 "items": {"$ref": "#/definitions/property"}
 }
 }
@@ -1493,7 +1498,7 @@
 "bom-ref": {
 "$ref": "#/definitions/refType",
 "title": "BOM Reference",
- "description": "An optional identifier which can be used to reference the license elsewhere in the BOM. Every bom-ref MUST be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links."
+ "description": "An optional identifier which can be used to reference the license elsewhere in the BOM. Every bom-ref must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links."
 }
 }
 }]
@@ -1810,10 +1815,10 @@
 "certification-report": "Industry, regulatory, or other certification from an accredited (if applicable) certification body.",
 "codified-infrastructure": "Code or configuration that defines and provisions virtualized infrastructure, commonly referred to as Infrastructure as Code (IaC).",
 "quality-metrics": "Report or system in which quality metrics can be obtained.",
- "poam": "Plans of Action and Milestones (POAM) complement an \"attestation\" external reference. POAM is defined by NIST as a \"document that identifies tasks needing to be accomplished. It details resources required to accomplish the elements of the plan, any milestones in meeting the tasks and scheduled completion dates for the milestones\".",
+ "poam": "Plans of Action and Milestones (POA&M) complement an \"attestation\" external reference. POA&M is defined by NIST as a \"document that identifies tasks needing to be accomplished. It details resources required to accomplish the elements of the plan, any milestones in meeting the tasks and scheduled completion dates for the milestones\".",
 "electronic-signature": "An e-signature is commonly a scanned representation of a written signature or a stylized script of the person's name.",
 "digital-signature": "A signature that leverages cryptography, typically public/private key pairs, which provides strong authenticity verification.",
- "rfc-9116": "Document that complies with RFC-9116 (A File Format to Aid in Security Vulnerability Disclosure)",
+ "rfc-9116": "Document that complies with [RFC 9116](https://www.ietf.org/rfc/rfc9116.html) (A File Format to Aid in Security Vulnerability Disclosure)",
 "other": "Use this if no other types accurately describe the purpose of the external reference."
 }
 },
@@ -1828,7 +1833,7 @@ "dependency": { "type": "object", "title": "Dependency", - "description": "Defines the direct dependencies of a component, service, or the components provided/implemented by a given component. Components or services that do not have their own dependencies MUST be declared as empty elements within the graph. Components or services that are not represented in the dependency graph MAY have unknown dependencies. It is RECOMMENDED that implementations assume this to be opaque and not an indicator of an object being dependency-free. It is RECOMMENDED to leverage compositions to indicate unknown dependency graphs.", + "description": "Defines the direct dependencies of a component, service, or the components provided/implemented by a given component. Components or services that do not have their own dependencies must be declared as empty elements within the graph. Components or services that are not represented in the dependency graph may have unknown dependencies. It is recommended that implementations assume this to be opaque and not an indicator of an object being dependency-free. It is recommended to leverage compositions to indicate unknown dependency graphs.", "required": [ "ref" ], @@ -1870,7 +1875,7 @@ "bom-ref": { "$ref": "#/definitions/refType", "title": "BOM Reference", - "description": "An optional identifier which can be used to reference the service elsewhere in the BOM. Every bom-ref MUST be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links." + "description": "An optional identifier which can be used to reference the service elsewhere in the BOM. Every bom-ref must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links." }, "provider": { "title": "Provider", 
@@ -1932,7 +1937,7 @@ }, "licenses": { "$ref": "#/definitions/licenseChoice", - "title": "Component License(s)" + "title": "Service License(s)" }, "externalReferences": { "type": "array", @@ -1955,7 +1960,7 @@ "properties": { "type": "array", "title": "Properties", - "description": "Provides the ability to document properties in a name-value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. Unlike key-value stores, properties support duplicate names, each potentially having different values. Property names of interest to the general public are encouraged to be registered in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy). Formal registration is OPTIONAL.", + "description": "Provides the ability to document properties in a name-value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. Unlike key-value stores, properties support duplicate names, each potentially having different values. Property names of interest to the general public are encouraged to be registered in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy). Formal registration is optional.", "items": {"$ref": "#/definitions/property"} }, "tags": { @@ -2064,6 +2069,7 @@ "copyright": { "type": "object", "title": "Copyright", + "description": "A copyright notice informing users of the underlying claims to copyright ownership in a published work.", "required": [ "text" ], @@ -2071,7 +2077,8 @@ "properties": { "text": { "type": "string", - "title": "Copyright Text" + "title": "Copyright Text", + "description": "The textual content of the copyright." } } }, 
@@ -2083,7 +2090,7 @@ "properties": { "identity": { "title": "Identity Evidence", - "description": "Evidence that substantiates the identity of a component. The identify may be an object or an array of identity objects. Support for specifying identify as a single object was introduced in CycloneDX v1.5. Arrays were introduced in v1.6. It is RECOMMENDED that all implementations use arrays, even if only one identity object is specified.", + "description": "Evidence that substantiates the identity of a component. The identity may be an object or an array of identity objects. Support for specifying identity as a single object was introduced in CycloneDX v1.5. Arrays were introduced in v1.6. It is recommended that all implementations use arrays, even if only one identity object is specified.", "oneOf" : [ { "type": "array", @@ -2110,7 +2117,7 @@ "bom-ref": { "$ref": "#/definitions/refType", "title": "BOM Reference", - "description": "An optional identifier which can be used to reference the occurrence elsewhere in the BOM. Every bom-ref MUST be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links." + "description": "An optional identifier which can be used to reference the occurrence elsewhere in the BOM. Every bom-ref must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links." }, "location": { "type": "string", 
@@ -2225,7 +2232,7 @@ "bom-ref": { "$ref": "#/definitions/refType", "title": "BOM Reference", - "description": "An optional identifier which can be used to reference the composition elsewhere in the BOM. Every bom-ref MUST be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links." + "description": "An optional identifier which can be used to reference the composition elsewhere in the BOM. Every bom-ref must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links." }, "aggregate": { "$ref": "#/definitions/aggregateType", @@ -2306,7 +2313,7 @@ "property": { "type": "object", "title": "Lightweight name-value pair", - "description": "Provides the ability to document properties in a name-value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. Unlike key-value stores, properties support duplicate names, each potentially having different values. Property names of interest to the general public are encouraged to be registered in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy). Formal registration is OPTIONAL.", + "description": "Provides the ability to document properties in a name-value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. Unlike key-value stores, properties support duplicate names, each potentially having different values. Property names of interest to the general public are encouraged to be registered in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy). Formal registration is optional.", "required": [ "name" ], 
@@ -2328,7 +2335,7 @@
 "type": "string",
 "pattern": "^([a-z]{2})(-[A-Z]{2})?$",
 "title": "Locale",
- "description": "Defines a syntax for representing two character language code (ISO-639) followed by an optional two character country code. The language code MUST be lower case. If the country code is specified, the country code MUST be upper case. The language code and country code MUST be separated by a minus sign. Examples: en, en-US, fr, fr-CA"
+ "description": "Defines a syntax for representing two character language code (ISO-639) followed by an optional two character country code. The language code must be lower case. If the country code is specified, the country code must be upper case. The language code and country code must be separated by a minus sign. Examples: en, en-US, fr, fr-CA"
 },
 "releaseType": {
 "type": "string",
@@ -2339,7 +2346,7 @@ "pre-release", "internal" ], - "description": "The software versioning type. It is RECOMMENDED that the release type use one of 'major', 'minor', 'patch', 'pre-release', or 'internal'. Representing all possible software release types is not practical, so standardizing on the recommended values, whenever possible, is strongly encouraged.\n\n* __major__ = A major release may contain significant changes or may introduce breaking changes.\n* __minor__ = A minor release, also known as an update, may contain a smaller number of changes than major releases.\n* __patch__ = Patch releases are typically unplanned and may resolve defects or important security issues.\n* __pre-release__ = A pre-release may include alpha, beta, or release candidates and typically have limited support. They provide the ability to preview a release prior to its general availability.\n* __internal__ = Internal releases are not for public consumption and are intended to be used exclusively by the project or manufacturer that produced it." + "description": "The software versioning type. It is recommended that the release type use one of 'major', 'minor', 'patch', 'pre-release', or 'internal'. Representing all possible software release types is not practical, so standardizing on the recommended values, whenever possible, is strongly encouraged.\n\n* __major__ = A major release may contain significant changes or may introduce breaking changes.\n* __minor__ = A minor release, also known as an update, may contain a smaller number of changes than major releases.\n* __patch__ = Patch releases are typically unplanned and may resolve defects or important security issues.\n* __pre-release__ = A pre-release may include alpha, beta, or release candidates and typically have limited support. 
They provide the ability to preview a release prior to its general availability.\n* __internal__ = Internal releases are not for public consumption and are intended to be used exclusively by the project or manufacturer that produced it." }, "note": { "type": "object", @@ -2430,7 +2437,7 @@ "properties": { "type": "array", "title": "Properties", - "description": "Provides the ability to document properties in a name-value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. Unlike key-value stores, properties support duplicate names, each potentially having different values. Property names of interest to the general public are encouraged to be registered in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy). Formal registration is OPTIONAL.", + "description": "Provides the ability to document properties in a name-value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. Unlike key-value stores, properties support duplicate names, each potentially having different values. Property names of interest to the general public are encouraged to be registered in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy). Formal registration is optional.", "items": {"$ref": "#/definitions/property"} } } 
@@ -2626,7 +2633,7 @@
 "bom-ref": {
 "$ref": "#/definitions/refType",
 "title": "BOM Reference",
- "description": "An optional identifier which can be used to reference the vulnerability elsewhere in the BOM. Every bom-ref MUST be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links."
+ "description": "An optional identifier which can be used to reference the vulnerability elsewhere in the BOM. Every bom-ref must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links."
 },
 "id": {
 "type": "string",
@@ -2941,7 +2948,7 @@
 "properties": {
 "type": "array",
 "title": "Properties",
- "description": "Provides the ability to document properties in a name-value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. Unlike key-value stores, properties support duplicate names, each potentially having different values. Property names of interest to the general public are encouraged to be registered in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy). Formal registration is OPTIONAL.",
+ "description": "Provides the ability to document properties in a name-value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. Unlike key-value stores, properties support duplicate names, each potentially having different values. Property names of interest to the general public are encouraged to be registered in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy). Formal registration is optional.",
 "items": {
 "$ref": "#/definitions/property"
 }
@@ -3008,7 +3015,7 @@
 "bom-ref": {
 "$ref": "#/definitions/refType",
 "title": "BOM Reference",
- "description": "An optional identifier which can be used to reference the annotation elsewhere in the BOM. Every bom-ref MUST be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links."
+ "description": "An optional identifier which can be used to reference the annotation elsewhere in the BOM. Every bom-ref must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links."
 },
 "subjects": {
 "type": "array",
@@ -3096,13 +3103,13 @@ "$comment": "Model card support in CycloneDX is derived from TensorFlow Model Card Toolkit released under the Apache 2.0 license and available from https://github.com/tensorflow/model-card-toolkit/blob/main/model_card_toolkit/schema/v0.0.2/model_card.schema.json. In addition, CycloneDX model card support includes portions of VerifyML, also released under the Apache 2.0 license and available from https://github.com/cylynx/verifyml/blob/main/verifyml/model_card_toolkit/schema/v0.0.4/model_card.schema.json.", "type": "object", "title": "Model Card", - "description": "A model card describes the intended uses of a machine learning model and potential limitations, including biases and ethical considerations. Model cards typically contain the training parameters, which datasets were used to train the model, performance metrics, and other relevant data useful for ML transparency. This object SHOULD be specified for any component of type `machine-learning-model` and MUST NOT be specified for other component types.", + "description": "A model card describes the intended uses of a machine learning model and potential limitations, including biases and ethical considerations. Model cards typically contain the training parameters, which datasets were used to train the model, performance metrics, and other relevant data useful for ML transparency. This object SHOULD be specified for any component of type `machine-learning-model` and must not be specified for other component types.", "additionalProperties": false, "properties": { "bom-ref": { "$ref": "#/definitions/refType", "title": "BOM Reference", - "description": "An optional identifier which can be used to reference the model card elsewhere in the BOM. Every bom-ref MUST be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links." + "description": "An optional identifier which can be used to reference the model card elsewhere in the BOM. 
Every bom-ref must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links." }, "modelParameters": { "type": "object", @@ -3179,6 +3186,7 @@ } ], "title": "Reference", + "type": "string", "description": "References a data component by the components bom-ref attribute" } } @@ -3277,7 +3285,7 @@ "properties": { "type": "array", "title": "Properties", - "description": "Provides the ability to document properties in a name-value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. Unlike key-value stores, properties support duplicate names, each potentially having different values. Property names of interest to the general public are encouraged to be registered in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy). Formal registration is OPTIONAL.", + "description": "Provides the ability to document properties in a name-value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. Unlike key-value stores, properties support duplicate names, each potentially having different values. Property names of interest to the general public are encouraged to be registered in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy). Formal registration is optional.", "items": {"$ref": "#/definitions/property"} } } 
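Review bot: Adding `"type": "string"` to the `Reference` property in the `@@ -3179` hunk is the one change on this page that tightens validation rather than rewording a description, and it is easy to miss among the text-only hunks. The `]` just above it closes an alternatives list whose start is outside the hunk, so it cannot be confirmed here that every alternative already resolves to a string; presumably they are refType and a BOM-Link type, but if any alternative admits a non-string value, documents that validated before will now be rejected. A release-note line and a validation test covering a BOM-Link valued reference would make the intent explicit.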
@@ -3305,7 +3313,7 @@ "bom-ref": { "$ref": "#/definitions/refType", "title": "BOM Reference", - "description": "An optional identifier which can be used to reference the dataset elsewhere in the BOM. Every bom-ref MUST be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links." + "description": "An optional identifier which can be used to reference the dataset elsewhere in the BOM. Every bom-ref must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links." }, "type": { "type": "string", @@ -3413,10 +3421,12 @@ "properties": { "organization": { "title": "Organization", + "description": "The organization that is responsible for specific data governance role(s).", "$ref": "#/definitions/organizationalEntity" }, "contact": { "title": "Individual", + "description": "The individual that is responsible for specific data governance role(s).", "$ref": "#/definitions/organizationalContact" } }, @@ -3460,7 +3470,7 @@ }, "image": { "title": "Graphic Image", - "description": "The graphic (vector or raster). Base64 encoding MUST be specified for binary images.", + "description": "The graphic (vector or raster). Base64 encoding must be specified for binary images.", "$ref": "#/definitions/attachment" } } 
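Review bot: The `description` added to `organization` and `contact` in the `@@ -3413` hunk sits beside `$ref`, and under JSON Schema draft-07 all siblings of `$ref` are to be ignored, so strict validators and some documentation generators will drop this text (the file's `$schema` declaration is not visible here, so confirm which draft is in use). This mirrors how the existing `bom-ref` entries already place `title` and `description` next to `$ref`, so it is consistent with the file, but the wording will only surface in tooling that tolerates `$ref` siblings. The energy provider `organization` hunk further down has the same shape and additionally carries a pre-existing `"type": "object"` beside `$ref`. If the text needs to be reliably visible, the portable form is `"allOf": [{"$ref": "#/definitions/organizationalEntity"}]` with `title`/`description` outside the reference.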
@@ -3572,6 +3582,7 @@ "properties": { "type": "array", "title": "Properties", + "description": "Provides the ability to document properties in a name-value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. Unlike key-value stores, properties support duplicate names, each potentially having different values. Property names of interest to the general public are encouraged to be registered in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy). Formal registration is optional.", "items": { "$ref": "#/definitions/property" } @@ -3640,6 +3651,7 @@ "properties": { "type": "array", "title": "Properties", + "description": "Provides the ability to document properties in a name-value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. Unlike key-value stores, properties support duplicate names, each potentially having different values. Property names of interest to the general public are encouraged to be registered in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy). Formal registration is optional.", "items": { "$ref": "#/definitions/property" } @@ -3711,7 +3723,7 @@ "properties": { "bom-ref": { "title": "BOM Reference", - "description": "An optional identifier which can be used to reference the energy provider elsewhere in the BOM. Every bom-ref MUST be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links.", + "description": "An optional identifier which can be used to reference the energy provider elsewhere in the BOM. Every bom-ref must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links.", "$ref": "#/definitions/refType" }, "description": { 
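Review bot: The full Properties description is now inlined verbatim into this `properties` array and into the matching arrays in the formula, workflow, task, step, workspace, trigger, event and input/output hunks below, so the file ends up with well over a dozen identical 600-character strings that will drift the next time the wording changes (this very commit already had to touch each existing copy to change one word). Since these arrays are plain objects rather than `$ref`s, one shared definition such as `"propertyList": {"type": "array", "title": "Properties", "description": "...", "items": {"$ref": "#/definitions/property"}}` referenced from each site would keep a single copy without running into the draft-07 rule that ignores siblings of `$ref`. That is a structural change and may be out of scope for a wording pass, but it is worth considering before more copies are added.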
@@ -3722,6 +3734,7 @@ "organization": { "type": "object", "title": "Organization", + "description": "The organization that provides energy.", "$ref": "#/definitions/organizationalEntity" }, "energySource": { @@ -3776,7 +3789,7 @@ "properties": { "bom-ref": { "title": "BOM Reference", - "description": "An optional identifier which can be used to reference the address elsewhere in the BOM. Every bom-ref MUST be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links.", + "description": "An optional identifier which can be used to reference the address elsewhere in the BOM. Every bom-ref must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links.", "$ref": "#/definitions/refType" }, "country": { @@ -3824,7 +3837,7 @@ "properties": { "bom-ref": { "title": "BOM Reference", - "description": "An optional identifier which can be used to reference the formula elsewhere in the BOM. Every bom-ref MUST be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links.", + "description": "An optional identifier which can be used to reference the formula elsewhere in the BOM. Every bom-ref must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links.", "$ref": "#/definitions/refType" }, "components": { 
@@ -3858,6 +3871,7 @@ "properties": { "type": "array", "title": "Properties", + "description": "Provides the ability to document properties in a name-value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. Unlike key-value stores, properties support duplicate names, each potentially having different values. Property names of interest to the general public are encouraged to be registered in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy). Formal registration is optional.", "items": { "$ref": "#/definitions/property" } @@ -3878,7 +3892,7 @@ "properties": { "bom-ref": { "title": "BOM Reference", - "description": "An optional identifier which can be used to reference the workflow elsewhere in the BOM. Every bom-ref MUST be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links.", + "description": "An optional identifier which can be used to reference the workflow elsewhere in the BOM. Every bom-ref must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links.", "$ref": "#/definitions/refType" }, "uid": { @@ -4001,6 +4015,7 @@ "properties": { "type": "array", "title": "Properties", + "description": "Provides the ability to document properties in a name-value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. Unlike key-value stores, properties support duplicate names, each potentially having different values. Property names of interest to the general public are encouraged to be registered in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy). Formal registration is optional.", "items": { "$ref": "#/definitions/property" } 
@@ -4021,7 +4036,7 @@ "properties": { "bom-ref": { "title": "BOM Reference", - "description": "An optional identifier which can be used to reference the task elsewhere in the BOM. Every bom-ref MUST be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links.", + "description": "An optional identifier which can be used to reference the task elsewhere in the BOM. Every bom-ref must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links.", "$ref": "#/definitions/refType" }, "uid": { @@ -4125,6 +4140,7 @@ "properties": { "type": "array", "title": "Properties", + "description": "Provides the ability to document properties in a name-value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. Unlike key-value stores, properties support duplicate names, each potentially having different values. Property names of interest to the general public are encouraged to be registered in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy). Formal registration is optional.", "items": { "$ref": "#/definitions/property" } @@ -4157,6 +4173,7 @@ "properties": { "type": "array", "title": "Properties", + "description": "Provides the ability to document properties in a name-value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. Unlike key-value stores, properties support duplicate names, each potentially having different values. Property names of interest to the general public are encouraged to be registered in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy). Formal registration is optional.", "items": { "$ref": "#/definitions/property" } 
@@ -4175,6 +4192,7 @@ "properties": { "type": "array", "title": "Properties", + "description": "Provides the ability to document properties in a name-value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. Unlike key-value stores, properties support duplicate names, each potentially having different values. Property names of interest to the general public are encouraged to be registered in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy). Formal registration is optional.", "items": { "$ref": "#/definitions/property" } @@ -4193,7 +4211,7 @@ "properties": { "bom-ref": { "title": "BOM Reference", - "description": "An optional identifier which can be used to reference the workspace elsewhere in the BOM. Every bom-ref MUST be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links.", + "description": "An optional identifier which can be used to reference the workspace elsewhere in the BOM. Every bom-ref must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links.", "$ref": "#/definitions/refType" }, "uid": { @@ -4266,6 +4284,7 @@ "properties": { "type": "array", "title": "Properties", + "description": "Provides the ability to document properties in a name-value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. Unlike key-value stores, properties support duplicate names, each potentially having different values. Property names of interest to the general public are encouraged to be registered in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy). Formal registration is optional.", "items": { "$ref": "#/definitions/property" } 
@@ -4321,6 +4340,7 @@
  "properties": {
  "type": "array",
  "title": "Properties",
+ "description": "Provides the ability to document properties in a name-value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. Unlike key-value stores, properties support duplicate names, each potentially having different values. Property names of interest to the general public are encouraged to be registered in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy). Formal registration is optional.",
  "items": {
  "$ref": "#/definitions/property"
  }
@@ -4340,7 +4360,7 @@
  "properties": {
  "bom-ref": {
  "title": "BOM Reference",
- "description": "An optional identifier which can be used to reference the trigger elsewhere in the BOM. Every bom-ref MUST be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links.",
+ "description": "An optional identifier which can be used to reference the trigger elsewhere in the BOM. Every bom-ref must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links.",
  "$ref": "#/definitions/refType"
  },
  "uid": {
@@ -4386,6 +4406,7 @@
  "conditions": {
  "type": "array",
  "title": "Conditions",
+ "description": "A list of conditions used to determine if a trigger should be activated.",
  "uniqueItems": true,
  "items": {
  "$ref": "#/definitions/condition"
@@ -4420,6 +4441,7 @@
  "properties": {
  "type": "array",
  "title": "Properties",
+ "description": "Provides the ability to document properties in a name-value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. Unlike key-value stores, properties support duplicate names, each potentially having different values. Property names of interest to the general public are encouraged to be registered in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy). Formal registration is optional.",
  "items": {
  "$ref": "#/definitions/property"
  }
@@ -4466,6 +4488,7 @@
  "properties": {
  "type": "array",
  "title": "Properties",
+ "description": "Provides the ability to document properties in a name-value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. Unlike key-value stores, properties support duplicate names, each potentially having different values. Property names of interest to the general public are encouraged to be registered in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy). Formal registration is optional.",
  "items": {
  "$ref": "#/definitions/property"
  }
@@ -4560,6 +4583,7 @@
  "properties": {
  "type": "array",
  "title": "Properties",
+ "description": "Provides the ability to document properties in a name-value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. Unlike key-value stores, properties support duplicate names, each potentially having different values. Property names of interest to the general public are encouraged to be registered in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy). Formal registration is optional.",
  "items": {
  "$ref": "#/definitions/property"
  }
@@ -4645,6 +4669,7 @@
  "properties": {
  "type": "array",
  "title": "Properties",
+ "description": "Provides the ability to document properties in a name-value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. Unlike key-value stores, properties support duplicate names, each potentially having different values. Property names of interest to the general public are encouraged to be registered in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy). Formal registration is optional.",
  "items": {
  "$ref": "#/definitions/property"
  }
@@ -4710,6 +4735,7 @@
  "properties": {
  "type": "array",
  "title": "Properties",
+ "description": "Provides the ability to document properties in a name-value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. Unlike key-value stores, properties support duplicate names, each potentially having different values. Property names of interest to the general public are encouraged to be registered in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy). Formal registration is optional.",
  "items": {
  "$ref": "#/definitions/property"
  }
@@ -4870,7 +4896,7 @@
  "bom-ref": {
  "$ref": "#/definitions/refType",
  "title": "BOM Reference",
- "description": "An optional identifier which can be used to reference the object elsewhere in the BOM. Every bom-ref MUST be unique within the BOM."
+ "description": "An optional identifier which can be used to reference the object elsewhere in the BOM. Every bom-ref must be unique within the BOM."
  },
  "name": {
  "type": "string",
@@ -4904,7 +4930,7 @@
  "bom-ref": {
  "$ref": "#/definitions/refType",
  "title": "BOM Reference",
- "description": "An optional identifier which can be used to reference the object elsewhere in the BOM. Every bom-ref MUST be unique within the BOM."
+ "description": "An optional identifier which can be used to reference the object elsewhere in the BOM. Every bom-ref must be unique within the BOM."
  },
  "identifier": {
  "type": "string",
@@ -4945,7 +4971,7 @@
  "properties": {
  "type": "array",
  "title": "Properties",
- "description": "Provides the ability to document properties in a name-value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. Unlike key-value stores, properties support duplicate names, each potentially having different values. Property names of interest to the general public are encouraged to be registered in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy). Formal registration is OPTIONAL.",
+ "description": "Provides the ability to document properties in a name-value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. Unlike key-value stores, properties support duplicate names, each potentially having different values. Property names of interest to the general public are encouraged to be registered in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy). Formal registration is optional.",
  "items": {
  "$ref": "#/definitions/property"
  }
@@ -4971,7 +4997,7 @@
  "bom-ref": {
  "$ref": "#/definitions/refType",
  "title": "BOM Reference",
- "description": "An optional identifier which can be used to reference the object elsewhere in the BOM. Every bom-ref MUST be unique within the BOM."
+ "description": "An optional identifier which can be used to reference the object elsewhere in the BOM. Every bom-ref must be unique within the BOM."
  },
  "identifier": {
  "type": "string",
@@ -5119,7 +5145,7 @@
  },
  "implementationPlatform": {
  "type": "string",
- "title": "implementation platform",
+ "title": "Implementation platform",
  "description": "The target platform for which the algorithm is implemented. The implementation can be 'generic', running on any platform or for a specific platform.",
  "enum": [
  "generic",
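Review bot: The new title in the @@ -5119 hunk, `Implementation platform`, is sentence case, whereas the other titles visible in this diff (`BOM Reference`, `IKEv2 Transform Types`, `Key Exchange Method (KE)`) are Title Case; since the line is being touched anyway, `"title": "Implementation Platform",` would keep the schema's titles uniform. The `implementationPlatform` definition continues outside the hunk.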
@@ -5466,7 +5492,7 @@
  },
  "size": {
  "type": "integer",
- "title":"Size",
+ "title": "Size",
  "description": "The size of the cryptographic asset (in bits)."
  },
  "format": {
@@ -5534,7 +5560,7 @@
  "ikev2TransformTypes": {
  "type": "object",
  "title": "IKEv2 Transform Types",
- "description": "The IKEv2 transform types supported (types 1-4), defined in RFC7296 section 3.3.2, and additional properties.",
+ "description": "The IKEv2 transform types supported (types 1-4), defined in [RFC 7296 section 3.3.2](https://www.ietf.org/rfc/rfc7296.html#section-3.3.2), and additional properties.",
  "additionalProperties": false,
  "properties": {
  "encr": {
@@ -5555,7 +5581,7 @@
  "ke": {
  "$ref": "#/definitions/cryptoRefArray",
  "title": "Key Exchange Method (KE)",
- "description": "Transform Type 4: Key Exchange Method (KE) per RFC9370, formerly called Diffie-Hellman Group (D-H)"
+ "description": "Transform Type 4: Key Exchange Method (KE) per [RFC 9370](https://www.ietf.org/rfc/rfc9370.html), formerly called Diffie-Hellman Group (D-H)."
  },
  "esn": {
  "type": "boolean",
diff --git a/schema/bom-1.6.xsd b/schema/bom-1.6.xsd
index 5119056..cee94c8 100644
--- a/schema/bom-1.6.xsd
+++ b/schema/bom-1.6.xsd
@@ -22,7 +22,7 @@ limitations under the License. targetNamespace="http://cyclonedx.org/schema/bom/1.6" vc:minVersion="1.0" vc:maxVersion="1.1" - version="1.6.0"> + version="1.6.1">
@@ -253,7 +253,7 @@ limitations under the License. without having to use additional namespaces or create extensions. Property names of interest to the general public are encouraged to be registered in the CycloneDX Property Taxonomy - https://github.com/CycloneDX/cyclonedx-property-taxonomy. - Formal registration is OPTIONAL. + Formal registration is optional.
@@ -355,7 +355,10 @@ limitations under the License. - The URL of the organization. Multiple URLs are allowed. + + The URL of the organization. Multiple URLs are allowed. + Example: https://example.com +
@@ -569,6 +572,9 @@ limitations under the License. + + The hashes of the component. + @@ -578,8 +584,7 @@ limitations under the License. - A copyright notice informing users of the underlying claims to - copyright ownership in a published work. + A copyright notice informing users of the underlying claims to copyright ownership in a published work. @@ -592,7 +597,7 @@ limitations under the License. - Specifies the package-url (purl). The purl, if specified, MUST be valid and conform + Specifies the package-url (purl). The purl, if specified, must be valid and conform to the specification defined at: https://github.com/package-url/purl-spec @@ -600,7 +605,7 @@ limitations under the License. - Specifies the OmniBOR Artifact ID. The OmniBOR, if specified, MUST be valid and conform + Specifies the OmniBOR Artifact ID. The OmniBOR, if specified, must be valid and conform to the specification defined at: https://www.iana.org/assignments/uri-schemes/prov/gitoid @@ -608,7 +613,7 @@ limitations under the License. - Specifies the Software Heritage persistent identifier (SWHID). The SWHID, if specified, MUST + Specifies the Software Heritage persistent identifier (SWHID). The SWHID, if specified, must be valid and conform to the specification defined at: https://docs.softwareheritage.org/devel/swh-model/persistent-identifiers.html @@ -653,7 +658,7 @@ limitations under the License. without having to use additional namespaces or create extensions. Property names of interest to the general public are encouraged to be registered in the CycloneDX Property Taxonomy - https://github.com/CycloneDX/cyclonedx-property-taxonomy. - Formal registration is OPTIONAL. + Formal registration is optional. 
@@ -693,12 +698,12 @@ limitations under the License. limitations, including biases and ethical considerations. Model cards typically contain the training parameters, which datasets were used to train the model, performance metrics, and other relevant data useful for ML transparency. This object SHOULD be specified for any component of - type `machine-learning-model` and MUST NOT be specified for other component types. + type `machine-learning-model` and must not be specified for other component types. - + - This object SHOULD be specified for any component of type `data` and MUST NOT be + This object SHOULD be specified for any component of type `data` and must not be specified for other component types. @@ -734,7 +739,7 @@ limitations under the License. - The OPTIONAL mime-type of the component. When used on file components, the mime-type + The optional mime-type of the component. When used on file components, the mime-type can provide additional context about the kind of file being represented such as an image, font, or executable. Some library or framework components may also have an associated mime-type. @@ -757,16 +762,22 @@ limitations under the License. + + Specifies the details and attributes related to a software license. + It can either include a valid SPDX license identifier or a named license, along with additional + properties such as license acknowledgment, comprehensive commercial licensing information, and + the full text of the license. + - A valid SPDX license ID + A valid SPDX license identifier. If specified, this value must be one of the enumeration of valid SPDX license identifiers defined in the spdx.schema.json (or spdx.xml) subschema which is synchronized with the official SPDX license list. - If SPDX does not define the license used, this field may be used to provide the license name + The name of the license. This may include the name of a commercial or proprietary license or an open source license that may not be defined by SPDX. 
@@ -913,7 +924,7 @@ limitations under the License. without having to use additional namespaces or create extensions. Property names of interest to the general public are encouraged to be registered in the CycloneDX Property Taxonomy - https://github.com/CycloneDX/cyclonedx-property-taxonomy. - Formal registration is OPTIONAL. + Formal registration is optional. @@ -959,8 +970,14 @@ limitations under the License. - Specifies the content type of the text. Defaults to text/plain - if not specified. + + Specifies the format and nature of the data being attached, helping systems correctly + interpret and process the content. Common content type examples include `application/json` + for JSON data and `text/plain` for plan text documents. + RFC 2045 section 5.1 outlines the structure and use of content types. For a comprehensive + list of registered content types, refer to the IANA media types registry at + https://www.iana.org/assignments/media-types/media-types.xhtml. + @@ -1379,8 +1396,11 @@ limitations under the License. - The URL to the license file. If a license URL has been defined in the license - node, it should also be defined as an external reference for completeness + + The URL to the license file. If a license URL has been defined in the license + node, it should also be defined as an external reference for completeness. + Example: https://www.apache.org/licenses/LICENSE-2.0.txt + 
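Review bot: The new content-type documentation in the @@ -959 hunk reads `for JSON data and `text/plain` for plan text documents`; `plan` should be `plain`. If this paragraph was copied into the sibling schema formats, they are likely to carry the same typo and should be checked together. The enclosing annotation element starts and ends outside the hunk.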
@@ -1507,7 +1527,7 @@ limitations under the License. - Plans of Action and Milestones (POAM) complement an "attestation" external reference. POAM is defined by NIST as a "document that identifies tasks needing to be accomplished. It details resources required to accomplish the elements of the plan, any milestones in meeting the tasks and scheduled completion dates for the milestones". + Plans of Action and Milestones (POA&M) complement an "attestation" external reference. POA&M is defined by NIST as a "document that identifies tasks needing to be accomplished. It details resources required to accomplish the elements of the plan, any milestones in meeting the tasks and scheduled completion dates for the milestones". @@ -1825,6 +1845,12 @@ limitations under the License. + + + A collection of URL's for reference. Multiple URLs are allowed. + Example: "https://example.com" + + @@ -1981,10 +2007,10 @@ limitations under the License. Defines the direct dependencies of a component or service. Components or services - that do not have their own dependencies MUST be declared as empty elements within the graph. - Components or services that are not represented in the dependency graph MAY have unknown - dependencies. It is RECOMMENDED that implementations assume this to be opaque and not an - indicator of a object being dependency-free. It is RECOMMENDED to leverage compositions to + that do not have their own dependencies must be declared as empty elements within the graph. + Components or services that are not represented in the dependency graph may have unknown + dependencies. It is recommended that implementations assume this to be opaque and not an + indicator of a object being dependency-free. It is recommended to leverage compositions to indicate unknown dependency graphs. @@ -2041,6 +2067,12 @@ limitations under the License. + + + The endpoint URIs of the service. Multiple endpoints are allowed. + Example: "https://example.com/api/v1/ticker" + + 
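Review bot: The rewritten dependency-graph paragraph in the @@ -1981 hunk keeps `indicator of a object being dependency-free` on a `+` line; since the line is already being changed, `indicator of an object being dependency-free` is the one-word fix. In the @@ -1825 hunk, `A collection of URL's for reference.` uses an apostrophe for a plural; `A collection of URLs for reference.` would match `Multiple URLs are allowed.` on the following line. Both enclosing elements extend beyond their hunks.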
@@ -2071,6 +2103,9 @@ limitations under the License. + + Specifies information about the data including the directional flow of data and the data classification. + @@ -2159,7 +2194,7 @@ limitations under the License. without having to use additional namespaces or create extensions. Property names of interest to the general public are encouraged to be registered in the CycloneDX Property Taxonomy - https://github.com/CycloneDX/cyclonedx-property-taxonomy. - Formal registration is OPTIONAL. + Formal registration is optional. @@ -2236,10 +2271,28 @@ limitations under the License. states that the direction is not known. - - - - + + + + Data that enters a service. + + + + + + Data that exits a service. + + + + + Data flows in and out of the service. + + + + + The directional flow of data is not known. + + @@ -2418,8 +2471,8 @@ limitations under the License. Evidence that substantiates the identity of a component. The identify may be an - object or an array of identity objects. Support for specifying identify as a single object was - introduced in CycloneDX v1.5. "unbounded" was introduced in v1.6. It is RECOMMENDED that all + object or an array of identity objects. Support for specifying identity as a single object was + introduced in CycloneDX v1.5. "unbounded" was introduced in v1.6. It is recommended that all implementations are aware of "unbounded". @@ -2526,7 +2579,7 @@ limitations under the License. An optional identifier which can be used to reference the occurrence elsewhere - in the BOM. Every bom-ref MUST be unique within the BOM. + in the BOM. Every bom-ref must be unique within the BOM. 
@@ -2545,6 +2598,11 @@ limitations under the License. + + + Within a call stack, a frame is a discrete unit that encapsulates an execution context, including local variables, parameters, and the return address. As function calls are made, frames are pushed onto the stack, forming an array-like structure that orchestrates the flow of program execution and manages the sequence of function invocations. + + @@ -2611,7 +2669,13 @@ limitations under the License. - + + + + opyright evidence captures intellectual property assertions, providing evidence of possible ownership and legal protection. + + + @@ -2786,8 +2850,8 @@ limitations under the License. Defines a syntax for representing two character language code (ISO-639) followed by an optional two - character country code. The language code MUST be lower case. If the country code is specified, the - country code MUST be upper case. The language code and country code MUST be separated by a minus sign. + character country code. The language code must be lower case. If the country code is specified, the + country code must be upper case. The language code and country code must be separated by a minus sign. Examples: en, en-US, fr, fr-CA @@ -2800,7 +2864,7 @@ limitations under the License. - The software versioning type. It is RECOMMENDED that the release type use one + The software versioning type. It is recommended that the release type use one of 'major', 'minor', 'patch', 'pre-release', or 'internal'. Representing all possible software release types is not practical, so standardizing on the recommended values, whenever possible, is strongly encouraged. @@ -2896,7 +2960,7 @@ limitations under the License. without having to use additional namespaces or create extensions. Property names of interest to the general public are encouraged to be registered in the CycloneDX Property Taxonomy - https://github.com/CycloneDX/cyclonedx-property-taxonomy. - Formal registration is OPTIONAL. + Formal registration is optional. 
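Review bot: The new documentation in the @@ -2611 hunk begins `opyright evidence captures intellectual property assertions`; the leading letter is missing and it should read `Copyright evidence captures intellectual property assertions, providing evidence of possible ownership and legal protection.` The enclosing element is not visible in the hunk.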
@@ -2915,19 +2979,19 @@ limitations under the License. - + A model card describes the intended uses of a machine learning model and potential limitations, including biases and ethical considerations. Model cards typically contain the training parameters, which datasets were used to train the model, performance metrics, and other relevant data useful for ML transparency. - This object SHOULD be specified for any component of type `machine-learning-model` and MUST NOT be specified + This object SHOULD be specified for any component of type `machine-learning-model` and must not be specified for other component types. @@ -2997,7 +3061,11 @@ limitations under the License. - + + + Inline Data Information + + @@ -3155,7 +3223,7 @@ limitations under the License. - The graphic (vector or raster). Base64 encoding MUST be specified for binary images. + The graphic (vector or raster). Base64 encoding must be specified for binary images. @@ -3323,7 +3391,7 @@ limitations under the License. An optional identifier which can be used to reference the model card elsewhere in the BOM. - Every bom-ref MUST be unique within the BOM. + Every bom-ref must be unique within the BOM. @@ -3350,7 +3418,7 @@ limitations under the License. without having to use additional namespaces or create extensions. Property names of interest to the general public are encouraged to be registered in the CycloneDX Property Taxonomy - https://github.com/CycloneDX/cyclonedx-property-taxonomy. - Formal registration is OPTIONAL. + Formal registration is optional. @@ -3492,7 +3560,7 @@ limitations under the License. without having to use additional namespaces or create extensions. Property names of interest to the general public are encouraged to be registered in the CycloneDX Property Taxonomy - https://github.com/CycloneDX/cyclonedx-property-taxonomy. - Formal registration is OPTIONAL. + Formal registration is optional. 
@@ -3889,7 +3957,7 @@ limitations under the License. An optional identifier which can be used to reference the dataset elsewhere in the BOM. - Every bom-ref MUST be unique within the BOM. + Every bom-ref must be unique within the BOM. @@ -3978,7 +4046,7 @@ limitations under the License. - The graphic (vector or raster). Base64 encoding MUST be specified for binary images. + The graphic (vector or raster). Base64 encoding must be specified for binary images. @@ -4437,7 +4505,7 @@ limitations under the License. without having to use additional namespaces or create extensions. Property names of interest to the general public are encouraged to be registered in the CycloneDX Property Taxonomy - https://github.com/CycloneDX/cyclonedx-property-taxonomy. - Formal registration is OPTIONAL. + Formal registration is optional. @@ -4632,13 +4700,41 @@ limitations under the License. - - - - - - - + + + Critical severity + + + + + High severity + + + + + Medium severity + + + + + Low severity + + + + + Informational warning. + + + + + None + + + + + The severity is not known + + @@ -4835,11 +4931,31 @@ limitations under the License. - - - - - + + + Can not fix + + + + + Will not fix + + + + + Update to a different revision or release + + + + + Revert to a previous revision or release + + + + + There is a workaround available + + @@ -4854,9 +4970,21 @@ limitations under the License. - - - + + + The version is affected by the vulnerability. + + + + + The version is not affected by the vulnerability. + + + + + It is unknown (or unspecified) whether the given version is affected. + + @@ -4919,7 +5047,7 @@ limitations under the License. without having to use additional namespaces or create extensions. Property names of interest to the general public are encouraged to be registered in the CycloneDX Property Taxonomy - https://github.com/CycloneDX/cyclonedx-property-taxonomy. - Formal registration is OPTIONAL. + Formal registration is optional. 
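Review bot: In the @@ -4632 hunk the `none` severity value gets the documentation `None`, which only restates the value, while its siblings explain themselves (`Critical severity`, `The severity is not known`); a consumer cannot tell from `None` whether the finding is benign or simply unrated. A sentence such as `No severity assigned.` — adjusted if the value carries a more specific meaning in the spec text — would make the distinction from `unknown` explicit. In the @@ -4835 hunk, `Can not fix` is conventionally written `Cannot fix`. The enumeration elements themselves are not visible in these hunks.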
@@ -5080,7 +5208,7 @@ limitations under the License. without having to use additional namespaces or create extensions. Property names of interest to the general public are encouraged to be registered in the CycloneDX Property Taxonomy - https://github.com/CycloneDX/cyclonedx-property-taxonomy. - Formal registration is OPTIONAL. + Formal registration is optional. @@ -5302,7 +5430,7 @@ limitations under the License. without having to use additional namespaces or create extensions. Property names of interest to the general public are encouraged to be registered in the CycloneDX Property Taxonomy - https://github.com/CycloneDX/cyclonedx-property-taxonomy. - Formal registration is OPTIONAL. + Formal registration is optional. @@ -5505,7 +5633,7 @@ limitations under the License. without having to use additional namespaces or create extensions. Property names of interest to the general public are encouraged to be registered in the CycloneDX Property Taxonomy - https://github.com/CycloneDX/cyclonedx-property-taxonomy. - Formal registration is OPTIONAL. + Formal registration is optional. @@ -5606,7 +5734,7 @@ limitations under the License. without having to use additional namespaces or create extensions. Property names of interest to the general public are encouraged to be registered in the CycloneDX Property Taxonomy - https://github.com/CycloneDX/cyclonedx-property-taxonomy. - Formal registration is OPTIONAL. + Formal registration is optional. @@ -5665,7 +5793,7 @@ limitations under the License. without having to use additional namespaces or create extensions. Property names of interest to the general public are encouraged to be registered in the CycloneDX Property Taxonomy - https://github.com/CycloneDX/cyclonedx-property-taxonomy. - Formal registration is OPTIONAL. + Formal registration is optional. 
@@ -5681,7 +5809,7 @@ limitations under the License. without having to use additional namespaces or create extensions. Property names of interest to the general public are encouraged to be registered in the CycloneDX Property Taxonomy - https://github.com/CycloneDX/cyclonedx-property-taxonomy. - Formal registration is OPTIONAL. + Formal registration is optional. @@ -5745,6 +5873,9 @@ limitations under the License. + + A list of conditions used to determine if a trigger should be activated. + @@ -5776,7 +5907,7 @@ limitations under the License. without having to use additional namespaces or create extensions. Property names of interest to the general public are encouraged to be registered in the CycloneDX Property Taxonomy - https://github.com/CycloneDX/cyclonedx-property-taxonomy. - Formal registration is OPTIONAL. + Formal registration is optional. @@ -5823,7 +5954,7 @@ limitations under the License. without having to use additional namespaces or create extensions. Property names of interest to the general public are encouraged to be registered in the CycloneDX Property Taxonomy - https://github.com/CycloneDX/cyclonedx-property-taxonomy. - Formal registration is OPTIONAL. + Formal registration is optional. @@ -5910,7 +6041,7 @@ limitations under the License. without having to use additional namespaces or create extensions. Property names of interest to the general public are encouraged to be registered in the CycloneDX Property Taxonomy - https://github.com/CycloneDX/cyclonedx-property-taxonomy. - Formal registration is OPTIONAL. + Formal registration is optional. @@ -5998,7 +6129,7 @@ limitations under the License. without having to use additional namespaces or create extensions. Property names of interest to the general public are encouraged to be registered in the CycloneDX Property Taxonomy - https://github.com/CycloneDX/cyclonedx-property-taxonomy. - Formal registration is OPTIONAL. + Formal registration is optional. 
@@ -6085,7 +6216,7 @@ limitations under the License. without having to use additional namespaces or create extensions. Property names of interest to the general public are encouraged to be registered in the CycloneDX Property Taxonomy - https://github.com/CycloneDX/cyclonedx-property-taxonomy. - Formal registration is OPTIONAL. + Formal registration is optional. @@ -7298,6 +7429,11 @@ limitations under the License. + + + A protocol-related cryptographic assets + + @@ -7348,7 +7484,7 @@ limitations under the License. An optional identifier which can be used to reference the object elsewhere in the BOM. - Every bom-ref MUST be unique within the BOM. + Every bom-ref must be unique within the BOM. @@ -7615,7 +7751,7 @@ limitations under the License. An optional identifier which can be used to reference the object elsewhere - in the BOM. Every bom-ref MUST be unique within the BOM. + in the BOM. Every bom-ref must be unique within the BOM. @@ -7746,7 +7882,7 @@ limitations under the License. An optional identifier which can be used to reference the object elsewhere - in the BOM. Every bom-ref MUST be unique within the BOM. + in the BOM. Every bom-ref must be unique within the BOM. @@ -7809,6 +7945,12 @@ limitations under the License. + + + A concise statement affirmed by an individual regarding all declarations, often used for third-party auditor acceptance or recipient acknowledgment. + It includes a list of authorized signatories who assert the validity of the document on behalf of the organization. + + @@ -8002,7 +8144,7 @@ limitations under the License. - + @@ -8032,7 +8174,7 @@ limitations under the License. without having to use additional namespaces or create extensions. Property names of interest to the general public are encouraged to be registered in the CycloneDX Property Taxonomy - https://github.com/CycloneDX/cyclonedx-property-taxonomy. - Formal registration is OPTIONAL. + Formal registration is optional. 
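Review bot: The added documentation in the @@ -7298 hunk, `A protocol-related cryptographic assets`, pairs a singular article with a plural noun and lacks a terminating period; use `Protocol-related cryptographic assets.` if the element holds a collection or `A protocol-related cryptographic asset.` if it holds one — the element definition is not visible in the hunk, so the cardinality needs confirming against it.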
@@ -8046,7 +8188,7 @@ limitations under the License. An optional identifier which can be used to reference the object elsewhere - in the BOM. Every bom-ref MUST be unique within the BOM. + in the BOM. Every bom-ref must be unique within the BOM. @@ -8110,7 +8252,7 @@ limitations under the License. An optional identifier which can be used to reference the object elsewhere - in the BOM. Every bom-ref MUST be unique within the BOM. + in the BOM. Every bom-ref must be unique within the BOM. @@ -8143,7 +8285,7 @@ limitations under the License. An optional identifier which can be used to reference the object elsewhere - in the BOM. Every bom-ref MUST be unique within the BOM. + in the BOM. Every bom-ref must be unique within the BOM. @@ -8212,7 +8354,7 @@ limitations under the License. without having to use additional namespaces or create extensions. Property names of interest to the general public are encouraged to be registered in the CycloneDX Property Taxonomy - https://github.com/CycloneDX/cyclonedx-property-taxonomy. - Formal registration is OPTIONAL. + Formal registration is optional. @@ -8271,8 +8413,8 @@ limitations under the License. Every BOM generated SHOULD have a unique serial number, even if the contents of - the BOM have not changed over time. If specified, the serial number MUST conform to RFC-4122. - Use of serial numbers are RECOMMENDED. + the BOM have not changed over time. If specified, the serial number must conform to RFC-4122. + Use of serial numbers are recommended. diff --git a/specification/overview/index.md b/specification/overview/index.md index af6ce9b..71ed7e0 100644 --- a/specification/overview/index.md +++ b/specification/overview/index.md 
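Review bot: The rewritten serial-number paragraph in the @@ -8271 hunk keeps `Use of serial numbers are recommended.` on a `+` line; the subject is `Use`, so it should be `Use of serial numbers is recommended.` The same hunk lowercases `MUST conform to RFC-4122` while the preceding sentence keeps `SHOULD` uppercase, so one paragraph now mixes RFC 2119 casing; whichever convention the project has chosen should be applied to both sentences. The enclosing annotation element extends beyond the hunk.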
@@ -22,7 +22,10 @@ micro_nav: false   The CycloneDX object model:
-* is defined in [JSON Schema](https://github.com/CycloneDX/specification/blob/1.6/schema/bom-1.6.schema.json), [XML Schema](https://github.com/CycloneDX/specification/blob/1.6/schema/bom-1.6.xsd), and [Protocol Buffers](https://github.com/CycloneDX/specification/blob/1.6/schema/bom-1.6.proto)
+* is defined in
+ [JSON Schema](https://github.com/CycloneDX/specification/blob/1.6.1/schema/bom-1.6.schema.json),
+ [XML Schema](https://github.com/CycloneDX/specification/blob/1.6.1/schema/bom-1.6.xsd), and
+ [Protocol Buffers](https://github.com/CycloneDX/specification/blob/1.6.1/schema/bom-1.6.proto)
 * is prescriptive and simple to use
 * is designed for xBOM use cases, including SBOM, SaaSBOM, AI/ML-BOM, CBOM, and VEX
 * can easily describe complex relationships