Add support for OmniBOR and Software Heritage persistent IDs (#414)

Closes #413 - [x] modify JSON schema - [x] modify XML schema - [x] modify protobuf schema - [x] add examples & test resources
CycloneDX · Mar 29, 2024 · 86b6ae1 · 86b6ae1
2 parents 6f284bd + f3e98d4
commit 86b6ae1
Show file tree

Hide file tree

Showing 6 changed files with 98 additions and 1 deletion.
diff --git a/schema/bom-1.6.proto b/schema/bom-1.6.proto
@@ -148,6 +148,10 @@ message Component {
   repeated OrganizationalContact authors = 29;
   // Textual strings that aid in discovery, search, and retrieval of the associated object. Tags often serve as a way to group or categorize similar or related objects by various attributes. Examples include "json-parser", "object-persistence", "text-to-image", "translation", and "object-detection".
   repeated string tags = 30;
+  // Specifies the OmniBOR Artifact ID. The OmniBOR, if specified, MUST be valid and conform to the specification defined at: https://www.iana.org/assignments/uri-schemes/prov/gitoid
+  repeated string omniborId = 31;
+  // Specifies the Software Heritage persistent identifier (SWHID). The SWHID, if specified, MUST be valid and conform to the specification defined at: https://docs.softwareheritage.org/devel/swh-model/persistent-identifiers.html
+  repeated string swhid = 32;
 }
 
 // Specifies the data flow.
@@ -784,6 +788,8 @@ enum EvidenceFieldType {
   EVIDENCE_FIELD_CPE = 5;
   EVIDENCE_FIELD_SWID = 6;
   EVIDENCE_FIELD_HASH = 7;
+  EVIDENCE_FIELD_OMNIBOR_ID = 8;
+  EVIDENCE_FIELD_SWHID = 9;
 }
 
 enum EvidenceTechnique {

diff --git a/schema/bom-1.6.schema.json b/schema/bom-1.6.schema.json
@@ -974,6 +974,23 @@
           "description": "Specifies the package-url (purl). The purl, if specified, MUST be valid and conform to the specification defined at: [https://github.com/package-url/purl-spec](https://github.com/package-url/purl-spec)",
           "examples": ["pkg:maven/com.acme/[email protected]?packaging=jar"]
         },
+        "omniborId": {
+          "type": "array",
+          "title": "OmniBOR Artifact Identifier (gitoid)",
+          "description": "Specifies the OmniBOR Artifact ID. The OmniBOR, if specified, MUST be valid and conform to the specification defined at: [https://www.iana.org/assignments/uri-schemes/prov/gitoid](https://www.iana.org/assignments/uri-schemes/prov/gitoid)",
+          "items": { "type": "string" },
+          "examples": [
+            "gitoid:blob:sha1:a94a8fe5ccb19ba61c4c0873d391e987982fbbd3",
+            "gitoid:blob:sha256:9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08"
+          ]
+        },
+        "swhid": {
+          "type": "array",
+          "title": "SoftWare Heritage Identifier",
+          "description": "Specifies the Software Heritage persistent identifier (SWHID). The SWHID, if specified, MUST be valid and conform to the specification defined at: [https://docs.softwareheritage.org/devel/swh-model/persistent-identifiers.html](https://docs.softwareheritage.org/devel/swh-model/persistent-identifiers.html)",
+          "items": { "type": "string" },
+          "examples": ["swh:1:cnt:94a9ed024d3859793618152ea559a168bbcbb5e2"]
+        },
         "swid": {
           "$ref": "#/definitions/swid",
           "title": "SWID Tag",
@@ -4698,7 +4715,7 @@
         "field": {
           "type": "string",
           "enum": [
-            "group", "name", "version", "purl", "cpe", "swid", "hash"
+            "group", "name", "version", "purl", "cpe", "omniborId", "swhid", "swid", "hash"
           ],
           "title": "Field",
           "description": "The identity field of the component which the evidence describes."

diff --git a/schema/bom-1.6.xsd b/schema/bom-1.6.xsd
@@ -597,6 +597,23 @@ limitations under the License.
                     </xs:documentation>
                 </xs:annotation>
             </xs:element>
+            <xs:element name="omniborId" type="xs:anyURI" minOccurs="0" maxOccurs="unbounded">
+                <xs:annotation>
+                    <xs:documentation>
+                        Specifies the OmniBOR Artifact ID. The OmniBOR, if specified, MUST be valid and conform
+                        to the specification defined at: https://www.iana.org/assignments/uri-schemes/prov/gitoid
+                    </xs:documentation>
+                </xs:annotation>
+            </xs:element>
+            <xs:element name="swhid" type="xs:anyURI" minOccurs="0" maxOccurs="unbounded">
+                <xs:annotation>
+                    <xs:documentation>
+                        Specifies the Software Heritage persistent identifier (SWHID). The SWHID, if specified, MUST
+                        be valid and conform to the specification defined at:
+                        https://docs.softwareheritage.org/devel/swh-model/persistent-identifiers.html
+                    </xs:documentation>
+                </xs:annotation>
+            </xs:element>
             <xs:element name="swid" type="bom:swidType" minOccurs="0" maxOccurs="1">
                 <xs:annotation>
                     <xs:documentation>
@@ -2307,6 +2324,8 @@ limitations under the License.
             <xs:enumeration value="version"/>
             <xs:enumeration value="purl"/>
             <xs:enumeration value="cpe"/>
+            <xs:enumeration value="omniborId"/>
+            <xs:enumeration value="swhid"/>
             <xs:enumeration value="swid"/>
             <xs:enumeration value="hash"/>
         </xs:restriction>

diff --git a/tools/src/test/resources/1.6/valid-component-identifiers-1.6.json b/tools/src/test/resources/1.6/valid-component-identifiers-1.6.json
@@ -0,0 +1,21 @@
+{
+  "bomFormat": "CycloneDX",
+  "specVersion": "1.6",
+  "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79",
+  "version": 1,
+  "components": [
+    {
+      "type": "library",
+      "group": "com.example",
+      "name": "acme-library",
+      "version": "1.0.0",
+      "cpe": "cpe:2.3:a:example:acme-library:1.0.0:*:*:*:*:*:*:*",
+      "purl": "pkg:maven/com.example/[email protected]",
+      "omniborId": [
+        "gitoid:blob:sha1:261eeb9e9f8b2b4b0d119366dda99c6fd7d35c64",
+        "gitoid:blob:sha256:9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08"
+      ],
+      "swhid": [ "swh:1:cnt:94a9ed024d3859793618152ea559a168bbcbb5e2" ]
+    }
+  ]
+}
diff --git a/tools/src/test/resources/1.6/valid-component-identifiers-1.6.textproto b/tools/src/test/resources/1.6/valid-component-identifiers-1.6.textproto
@@ -0,0 +1,19 @@
+# proto-file: schema/bom-1.6.proto
+# proto-message: Bom
+
+spec_version: "1.6"
+version: 1
+serial_number: "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79"
+components {
+  type: CLASSIFICATION_LIBRARY
+  group: "com.example"
+  name: "acme-example"
+  version: "1.0.0"
+  cpe: "cpe:2.3:a:example:acme-library:1.0.0:*:*:*:*:*:*:*"
+  purl: "pkg:maven/com.example/[email protected]"
+  omniborId: [
+    "gitoid:blob:sha1:261eeb9e9f8b2b4b0d119366dda99c6fd7d35c64",
+    "gitoid:blob:sha256:9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08"
+  ]
+  swhid: [ "swh:1:cnt:94a9ed024d3859793618152ea559a168bbcbb5e2" ]
+}
diff --git a/tools/src/test/resources/1.6/valid-component-identifiers-1.6.xml b/tools/src/test/resources/1.6/valid-component-identifiers-1.6.xml
@@ -0,0 +1,15 @@
+<?xml version="1.0"?>
+<bom serialNumber="urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79" version="1" xmlns="http://cyclonedx.org/schema/bom/1.6">
+    <components>
+        <component type="library">
+            <group>com.example</group>
+            <name>acme-library</name>
+            <version>1.0.0</version>
+            <cpe>cpe:2.3:a:example:acme-library:1.0.0:*:*:*:*:*:*:*</cpe>
+            <purl>pkg:maven/com.example/[email protected]</purl>
+            <omnibodId>gitoid:blob:sha1:261eeb9e9f8b2b4b0d119366dda99c6fd7d35c64</omnibodId>
+            <omniborId>gitoid:blob:sha256:9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08</omniborId>
+            <swhid>swh:1:cnt:94a9ed024d3859793618152ea559a168bbcbb5e2</swhid>
+        </component>
+    </components>
+</bom>