diff --git a/schema/cyclonedx/cyclonedx.json b/schema/cyclonedx/cyclonedx.json
index d720cc795..fa94bbf1e 100644
--- a/schema/cyclonedx/cyclonedx.json
+++ b/schema/cyclonedx/cyclonedx.json
@@ -1,6 +1,6 @@
 {
 "$schema": "http://json-schema.org/draft-07/schema#",
- "$id": "http://cyclonedx.org/schema/bom-1.6.schema.json",
+ "$id": "http://cyclonedx.org/schema/bom-1.7.schema.json",
 "type": "object",
 "title": "CycloneDX Bill of Materials Standard",
 "$comment" : "CycloneDX JSON schema is published under the terms of the Apache License 2.0.",
@@ -16,7 +16,7 @@
 "bomFormat": {
 "type": "string",
 "title": "BOM Format",
- "description": "Specifies the format of the BOM. This helps to identify the file as CycloneDX since BOMs do not have a filename convention, nor does JSON schema support namespaces. This value MUST be \"CycloneDX\".",
+ "description": "Specifies the format of the BOM. This helps to identify the file as CycloneDX since BOMs do not have a filename convention, nor does JSON schema support namespaces. This value must be \"CycloneDX\".",
 "enum": [
 "CycloneDX"
 ]
@@ -25,12 +25,12 @@ "type": "string", "title": "CycloneDX Specification Version", "description": "The version of the CycloneDX specification the BOM conforms to.", - "examples": ["1.6"] + "examples": ["1.7"] }, "serialNumber": { "type": "string", "title": "BOM Serial Number", - "description": "Every BOM generated SHOULD have a unique serial number, even if the contents of the BOM have not changed over time. If specified, the serial number MUST conform to RFC-4122. Use of serial numbers is RECOMMENDED.", + "description": "Every BOM generated SHOULD have a unique serial number, even if the contents of the BOM have not changed over time. If specified, the serial number must conform to [RFC 4122](https://www.ietf.org/rfc/rfc4122.html). Use of serial numbers is recommended.", "examples": ["urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79"], "pattern": "^urn:uuid:[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$" }, @@ -100,7 +100,7 @@ "items": {"$ref": "#/definitions/formula"}, "uniqueItems": true, "title": "Formulation", - "description": "Describes how a component or service was manufactured or deployed. This is achieved through the use of formulas, workflows, tasks, and steps, which declare the precise steps to reproduce along with the observed formulas describing the steps which transpired in the manufacturing process." + "description": "Describes the formulation of any referencable object within the BOM, including components, services, metadata, declarations, or the BOM itself. This may encompass how the object was created, assembled, deployed, tested, certified, or otherwise brought into its present form. Common examples include software build pipelines, deployment processes, AI/ML model training, cryptographic key generation or certification, and third-party audits. Processes are modeled using declared and observed formulas, composed of workflows, tasks, and individual steps." }, "declarations": { "type": "object", 
@@ -121,7 +121,7 @@ "bom-ref": { "$ref": "#/definitions/refType", "title": "BOM Reference", - "description": "An optional identifier which can be used to reference the object elsewhere in the BOM. Every bom-ref MUST be unique within the BOM." + "description": "An identifier which can be used to reference the object elsewhere in the BOM. Every `bom-ref` must be unique within the BOM." }, "thirdParty": { "type": "boolean", @@ -145,7 +145,7 @@ "title": "Attestation", "additionalProperties": false, "properties": { - "summary": { + "summary": { "type": "string", "title": "Summary", "description": "The short description explaining the main points of the attestation." @@ -178,7 +178,7 @@ "counterClaims": { "type": "array", "title": "Counter Claims", - "description": "The list of `bom-ref` to the counter claims being attested to.", + "description": "The list of `bom-ref` to the counter claims being attested to.", "items": { "$ref": "#/definitions/refLinkType" } }, "conformance": { @@ -202,7 +202,7 @@ "mitigationStrategies": { "type": "array", "title": "Mitigation Strategies", - "description": "The list of `bom-ref` to the evidence provided describing the mitigation strategies.", + "description": "The list of `bom-ref` to the evidence provided describing the mitigation strategies.", "items": { "$ref": "#/definitions/refLinkType" } } } 
@@ -250,12 +250,12 @@ "bom-ref": { "$ref": "#/definitions/refType", "title": "BOM Reference", - "description": "An optional identifier which can be used to reference the object elsewhere in the BOM. Every bom-ref MUST be unique within the BOM." + "description": "An identifier which can be used to reference the object elsewhere in the BOM. Every `bom-ref` must be unique within the BOM." }, "target": { "$ref": "#/definitions/refLinkType", "title": "Target", - "description": "The `bom-ref` to a target representing a specific system, application, API, module, team, person, process, business unit, company, etc... that this claim is being applied to." + "description": "The `bom-ref` to a target representing a specific system, application, API, module, team, person, process, business unit, company, etc... that this claim is being applied to." }, "predicate": { "type": "string", @@ -265,7 +265,7 @@ "mitigationStrategies": { "type": "array", "title": "Mitigation Strategies", - "description": "The list of `bom-ref` to the evidence provided describing the mitigation strategies. Each mitigation strategy should include an explanation of how any weaknesses in the evidence will be mitigated.", + "description": "The list of `bom-ref` to the evidence provided describing the mitigation strategies. Each mitigation strategy should include an explanation of how any weaknesses in the evidence will be mitigated.", "items": { "$ref": "#/definitions/refLinkType" } }, "reasoning": { @@ -311,7 +311,7 @@ "bom-ref": { "$ref": "#/definitions/refType", "title": "BOM Reference", - "description": "An optional identifier which can be used to reference the object elsewhere in the BOM. Every bom-ref MUST be unique within the BOM." + "description": "An identifier which can be used to reference the object elsewhere in the BOM. Every `bom-ref` must be unique within the BOM." }, "propertyName": { "type": "string", 
@@ -345,7 +345,7 @@ "properties": { "attachment": { "title": "Data Attachment", - "description": "An optional way to include textual or encoded data.", + "description": "A way to include textual or encoded data.", "$ref": "#/definitions/attachment" }, "url": { @@ -384,7 +384,7 @@ "type": "string", "format": "date-time", "title": "Expires", - "description": "The optional date and time (timestamp) when the evidence is no longer valid." + "description": "The date and time (timestamp) when the evidence is no longer valid." }, "author": { "$ref": "#/definitions/organizationalContact", @@ -433,6 +433,7 @@ "affirmation": { "type": "object", "title": "Affirmation", + "description": "A concise statement affirmed by an individual regarding all declarations, often used for third-party auditor acceptance or recipient acknowledgment. It includes a list of authorized signatories who assert the validity of the document on behalf of the organization.", "additionalProperties": false, "properties": { "statement": { 
@@ -513,13 +514,31 @@ "items": { "$ref": "#/definitions/standard" } + }, + "patents": { + "type": "array", + "title": "Patents", + "description": "The list of either individual patents or patent families.", + "items": { + "anyOf": [ + { "$ref": "#/definitions/patent" }, + { "$ref": "#/definitions/patentFamily" } + ] + } } } }, + "citations": { + "type": "array", + "items": {"$ref": "#/definitions/citation"}, + "uniqueItems": true, + "title": "Citations", + "description": "A collection of attributions indicating which entity supplied information for specific fields within the BOM." + }, "properties": { "type": "array", "title": "Properties", - "description": "Provides the ability to document properties in a name-value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. Unlike key-value stores, properties support duplicate names, each potentially having different values. Property names of interest to the general public are encouraged to be registered in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy). Formal registration is OPTIONAL.", + "description": "Provides the ability to document properties in a name-value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. Unlike key-value stores, properties support duplicate names, each potentially having different values. Property names of interest to the general public are encouraged to be registered in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy). Formal registration is optional.", "items": { "$ref": "#/definitions/property" } 
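Review bot: The new `patents` array has no `"uniqueItems": true`, so the same patent or patent family can be listed twice, while the sibling `citations` array added in the same hunk (and `formulation` near the top of the file) rejects duplicates; add `"uniqueItems": true` after `"title": "Patents",`. The `anyOf` over `patent` and `patentFamily` is only unambiguous if those two definitions cannot both match one object — their bodies are outside this hunk, so if they share a shape a validator cannot tell which kind was meant, and a `oneOf` plus a distinguishing required field would be tighter. The enclosing `declarations` object starts outside the hunk.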
@@ -532,12 +551,14 @@ }, "definitions": { "refType": { + "title": "BOM Reference", "description": "Identifier for referable and therefore interlinkable elements.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links.", "type": "string", "minLength": 1, - "$comment": "TODO (breaking change): add a format constraint that prevents the value from staring with 'urn:cdx:'" + "$comment": "TODO (breaking change): add a format constraint that prevents the value from starting with 'urn:cdx:'" }, "refLinkType": { + "title": "BOM Reference", "description": "Descriptor for an element identified by the attribute 'bom-ref' in the same BOM document.\nIn contrast to `bomLinkElementType`.", "$ref": "#/definitions/refType" }, @@ -639,7 +660,7 @@ } ] } - }, + }, "tools": { "title": "Tools", "description": "The tool(s) used in the creation, enrichment, and validation of the BOM.", @@ -669,7 +690,8 @@ { "type": "array", "title": "Tools (legacy)", - "description": "[Deprecated] The tool(s) used in the creation, enrichment, and validation of the BOM.", + "description": "[Deprecated]\nThe tool(s) used in the creation, enrichment, and validation of the BOM.", + "deprecated": true, "items": {"$ref": "#/definitions/tool"} } ] 
@@ -709,16 +731,49 @@ "properties": { "type": "array", "title": "Properties", - "description": "Provides the ability to document properties in a name-value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. Unlike key-value stores, properties support duplicate names, each potentially having different values. Property names of interest to the general public are encouraged to be registered in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy). Formal registration is OPTIONAL.", + "description": "Provides the ability to document properties in a name-value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. Unlike key-value stores, properties support duplicate names, each potentially having different values. Property names of interest to the general public are encouraged to be registered in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy). Formal registration is optional.", "items": {"$ref": "#/definitions/property"} + }, + "distributionConstraints": { + "title": "Distribution Constraints", + "description": "Conditions and constraints governing the sharing and distribution of the data or components described by this BOM.", + "type": "object", + "properties": { + "tlp": { + "$ref": "#/definitions/tlpClassification", + "description": "The Traffic Light Protocol (TLP) classification that controls the sharing and distribution of the data that the BOM describes." 
+ } + }, + "additionalProperties": false } } }, + "tlpClassification": { + "title": "Traffic Light Protocol (TLP) Classification", + "description": "Traffic Light Protocol (TLP) is a classification system for identifying the potential risk associated with artefact, including whether it is subject to certain types of legal, financial, or technical threats. Refer to [https://www.first.org/tlp/](https://www.first.org/tlp/) for further information.\nThe default classification is \"CLEAR\"", + "type" : "string", + "default": "CLEAR", + "enum": [ + "CLEAR", + "GREEN", + "AMBER", + "AMBER_AND_STRICT", + "RED" + ], + "meta:enum": { + "CLEAR": "The information is not subject to any restrictions as regards the sharing.", + "GREEN": "The information is subject to limited disclosure, and recipients can share it within their community but not via publicly accessible channels.", + "AMBER": "The information is subject to limited disclosure, and recipients can only share it on a need-to-know basis within their organization and with clients.", + "AMBER_AND_STRICT": "The information is subject to limited disclosure, and recipients can only share it on a need-to-know basis within their organization.", + "RED": "The information is subject to restricted distribution to individual recipients only and must not be shared." + } + }, "tool": { "type": "object", "title": "Tool", - "description": "[Deprecated] This will be removed in a future version. Use component or service instead. Information about the automated or manual tool used", + "description": "[Deprecated] This will be removed in a future version. Use component or service instead.\nInformation about the automated or manual tool used", "additionalProperties": false, + "deprecated": true, "properties": { "vendor": { "type": "string", 
@@ -751,14 +806,12 @@ }, "organizationalEntity": { "type": "object", - "title": "Organizational Entity", - "description": "", "additionalProperties": false, "properties": { "bom-ref": { "$ref": "#/definitions/refType", "title": "BOM Reference", - "description": "An optional identifier which can be used to reference the object elsewhere in the BOM. Every bom-ref MUST be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links." + "description": "An identifier which can be used to reference the object elsewhere in the BOM. Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links." }, "name": { "type": "string", @@ -793,14 +846,13 @@ }, "organizationalContact": { "type": "object", - "title": "Organizational Contact", - "description": "", "additionalProperties": false, + "title": "Organizational Person", "properties": { "bom-ref": { "$ref": "#/definitions/refType", "title": "BOM Reference", - "description": "An optional identifier which can be used to reference the object elsewhere in the BOM. Every bom-ref MUST be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links." + "description": "An identifier which can be used to reference the object elsewhere in the BOM. Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links." }, "name": { "type": "string", 
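Review bot: `organizationalEntity` loses its `"title": "Organizational Entity"` together with the empty `description`, whereas the parallel change to `organizationalContact` in the next hunk keeps a title (renamed `Organizational Person`); if the intent was only to drop the empty description, the title removal looks accidental and strips the name that schema-to-docs tools print for this type. Restore `"title": "Organizational Entity",` before `"additionalProperties": false,`. The definition's remaining properties continue outside the hunk.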
@@ -852,9 +904,9 @@ "meta:enum": { "application": "A software application. Refer to [https://en.wikipedia.org/wiki/Application_software](https://en.wikipedia.org/wiki/Application_software) for information about applications.", "framework": "A software framework. Refer to [https://en.wikipedia.org/wiki/Software_framework](https://en.wikipedia.org/wiki/Software_framework) for information on how frameworks vary slightly from libraries.", - "library": "A software library. Refer to [https://en.wikipedia.org/wiki/Library_(computing)](https://en.wikipedia.org/wiki/Library_(computing)) for information about libraries. All third-party and open source reusable components will likely be a library. If the library also has key features of a framework, then it should be classified as a framework. If not, or is unknown, then specifying library is RECOMMENDED.", + "library": "A software library. Refer to [https://en.wikipedia.org/wiki/Library_(computing)](https://en.wikipedia.org/wiki/Library_(computing)) for information about libraries. All third-party and open source reusable components will likely be a library. If the library also has key features of a framework, then it should be classified as a framework. If not, or is unknown, then specifying library is recommended.", "container": "A packaging and/or runtime format, not specific to any particular technology, which isolates software inside the container from software outside of a container through virtualization technology. Refer to [https://en.wikipedia.org/wiki/OS-level_virtualization](https://en.wikipedia.org/wiki/OS-level_virtualization).", - "platform": "A runtime environment which interprets or executes software. This may include runtimes such as those that execute bytecode or low-code/no-code application platforms.", + "platform": "A runtime environment that interprets or executes software. 
This may include runtimes such as those that execute bytecode, just-in-time compilers, interpreters, or low-code/no-code application platforms.", "operating-system": "A software operating system without regard to deployment model (i.e. installed on physical hardware, virtual machine, image, etc) Refer to [https://en.wikipedia.org/wiki/Operating_system](https://en.wikipedia.org/wiki/Operating_system).", "device": "A hardware device such as a processor or chip-set. A hardware device containing firmware SHOULD include a component for the physical hardware itself and another component of type 'firmware' or 'operating-system' (whichever is relevant), describing information about the software running on the device. See also the list of [known device properties](https://github.com/CycloneDX/cyclonedx-property-taxonomy/blob/main/cdx/device.md).", "device-driver": "A special type of software that operates or controls a particular type of device. Refer to [https://en.wikipedia.org/wiki/Device_driver](https://en.wikipedia.org/wiki/Device_driver).", 
@@ -871,14 +923,14 @@
 "mime-type": {
 "type": "string",
 "title": "Mime-Type",
- "description": "The optional mime-type of the component. When used on file components, the mime-type can provide additional context about the kind of file being represented, such as an image, font, or executable. Some library or framework components may also have an associated mime-type.",
+ "description": "The mime-type of the component. When used on file components, the mime-type can provide additional context about the kind of file being represented, such as an image, font, or executable. Some library or framework components may also have an associated mime-type.",
 "examples": ["image/jpeg"],
 "pattern": "^[-+a-z0-9.]+/[-+a-z0-9.]+$"
 },
 "bom-ref": {
 "$ref": "#/definitions/refType",
 "title": "BOM Reference",
- "description": "An optional identifier which can be used to reference the component elsewhere in the BOM. Every bom-ref MUST be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links."
+ "description": "An identifier which can be used to reference the component elsewhere in the BOM. Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links."
 },
 "supplier": {
 "title": "Component Supplier",
@@ -924,7 +976,18 @@ "version": { "$ref": "#/definitions/version", "title": "Component Version", - "description": "The component version. The version should ideally comply with semantic versioning but is not enforced." + "description": "The component version. The version should ideally comply with semantic versioning but is not enforced.\nMust be used exclusively, either 'version' or 'versionRange', but not both." + }, + "versionRange": { + "$ref": "#/definitions/versionRange", + "title": "Component Version Range", + "description": "For an external component, this specifies the accepted version range.\nThe value must adhere to the Package URL Version Range syntax (vers), as defined at https://github.com/package-url/vers-spec\nMay only be used if `.isExternal` is set to `true`.\nMust be used exclusively, either 'version' or 'versionRange', but not both." + }, + "isExternal": { + "type": "boolean", + "title": "Component Is External", + "description": "Determine whether this component is external.\nAn external component is one that is not part of an assembly, but is expected to be provided by the environment, regardless of the component's `.scope`. This setting can be useful for distinguishing which components are bundled with the product and which can be relied upon to be present in the deployment environment.\nThis may be set to `true` for runtime components only. For `$.metadata.component`, it must be set to `false`.", + "default": false }, "description": { "type": "string", @@ -963,6 +1026,10 @@ "description": "A copyright notice informing users of the underlying claims to copyright ownership in a published work.", "examples": ["Acme Inc"] }, + "patentAssertions": { + "$ref": "#/definitions/patentAssertions", + "title": "Component Patent(s)" + }, "cpe": { "type": "string", "title": "Common Platform Enumeration (CPE)", 
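Review bot: Two of the rules stated in the new `isExternal` description are prose only — "may be set to `true` for runtime components only" and "For `$.metadata.component`, it must be set to `false`" — and, as far as this diff shows, nothing in the schema checks either, so a BOM whose root component is marked external with a `versionRange` still validates. The second rule is cheap to enforce where `metadata.component` is declared (outside this hunk) by wrapping its `$ref` in an `allOf` with `{ "properties": { "isExternal": { "const": false } } }`; the first needs the type/scope values that are not visible here, so at minimum the description should name which values count as "runtime". The `versionRange` text says the value must follow vers syntax, but `#/definitions/versionRange` is not in view; if it carries no `pattern`, a `"pattern": "^vers:"` on it would reject plain versions pasted into the field. Consumers doing vulnerability matching should also be told that a range is an acceptance constraint, not the resolved version; suggested sentence for the `versionRange` description: `"A range states what the environment is expected to provide; it must not be treated as the version actually present."`.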
@@ -972,13 +1039,13 @@ "purl": { "type": "string", "title": "Package URL (purl)", - "description": "Asserts the identity of the component using package-url (purl). The purl, if specified, MUST be valid and conform to the specification defined at: [https://github.com/package-url/purl-spec](https://github.com/package-url/purl-spec). Refer to `@.evidence.identity` to optionally provide evidence that substantiates the assertion of the component's identity.", + "description": "Asserts the identity of the component using package-url (purl). The purl, if specified, must be valid and conform to the specification defined at: [https://github.com/package-url/purl-spec](https://github.com/package-url/purl-spec). Refer to `@.evidence.identity` to optionally provide evidence that substantiates the assertion of the component's identity.", "examples": ["pkg:maven/com.acme/tomcat-catalina@9.0.14?packaging=jar"] }, "omniborId": { "type": "array", "title": "OmniBOR Artifact Identifier (gitoid)", - "description": "Asserts the identity of the component using the OmniBOR Artifact ID. The OmniBOR, if specified, MUST be valid and conform to the specification defined at: [https://www.iana.org/assignments/uri-schemes/prov/gitoid](https://www.iana.org/assignments/uri-schemes/prov/gitoid). Refer to `@.evidence.identity` to optionally provide evidence that substantiates the assertion of the component's identity.", + "description": "Asserts the identity of the component using the OmniBOR Artifact ID. The OmniBOR, if specified, must be valid and conform to the specification defined at: [https://www.iana.org/assignments/uri-schemes/prov/gitoid](https://www.iana.org/assignments/uri-schemes/prov/gitoid). Refer to `@.evidence.identity` to optionally provide evidence that substantiates the assertion of the component's identity.", "items": { "type": "string" }, "examples": [ "gitoid:blob:sha1:a94a8fe5ccb19ba61c4c0873d391e987982fbbd3", 
@@ -987,8 +1054,8 @@
 },
 "swhid": {
 "type": "array",
- "title": "SoftWare Heritage Identifier",
- "description": "Asserts the identity of the component using the Software Heritage persistent identifier (SWHID). The SWHID, if specified, MUST be valid and conform to the specification defined at: [https://docs.softwareheritage.org/devel/swh-model/persistent-identifiers.html](https://docs.softwareheritage.org/devel/swh-model/persistent-identifiers.html). Refer to `@.evidence.identity` to optionally provide evidence that substantiates the assertion of the component's identity.",
+ "title": "Software Heritage Identifier",
+ "description": "Asserts the identity of the component using the Software Heritage persistent identifier (SWHID). The SWHID, if specified, must be valid and conform to the specification defined at: [https://docs.softwareheritage.org/devel/swh-model/persistent-identifiers.html](https://docs.softwareheritage.org/devel/swh-model/persistent-identifiers.html). Refer to `@.evidence.identity` to optionally provide evidence that substantiates the assertion of the component's identity.",
 "items": { "type": "string" },
 "examples": ["swh:1:cnt:94a9ed024d3859793618152ea559a168bbcbb5e2"]
 },
@@ -1000,7 +1067,8 @@
 "modified": {
 "type": "boolean",
 "title": "Component Modified From Original",
- "description": "[Deprecated] This will be removed in a future version. Use the pedigree element instead to supply information on exactly how the component was modified. A boolean value indicating if the component has been modified from the original. A value of true indicates the component is a derivative of the original. A value of false indicates the component has not been modified from the original."
+ "description": "[Deprecated] This will be removed in a future version. Use the pedigree element instead to supply information on exactly how the component was modified.\nA boolean value indicating if the component has been modified from the original. A value of true indicates the component is a derivative of the original. A value of false indicates the component has not been modified from the original.",
+ "deprecated": true
 },
 "pedigree": {
 "type": "object",
@@ -1011,7 +1079,7 @@ "ancestors": { "type": "array", "title": "Ancestors", - "description": "Describes zero or more components in which a component is derived from. This is commonly used to describe forks from existing projects where the forked version contains a ancestor node containing the original component it was forked from. For example, Component A is the original component. Component B is the component being used and documented in the BOM. However, Component B contains a pedigree node with a single ancestor documenting Component A - the original component from which Component B is derived from.", + "description": "Describes zero or more components in which a component is derived from. This is commonly used to describe forks from existing projects where the forked version contains an ancestor node containing the original component it was forked from. For example, Component A is the original component. Component B is the component being used and documented in the BOM. However, Component B contains a pedigree node with a single ancestor documenting Component A - the original component from which Component B is derived from.", "items": {"$ref": "#/definitions/component"} }, "descendants": { @@ -1035,7 +1103,7 @@ "patches": { "type": "array", "title": "Patches", - "description": ">A list of zero or more patches describing how the component deviates from an ancestor, descendant, or variant. Patches may be complementary to commits or may be used in place of commits.", + "description": "A list of zero or more patches describing how the component deviates from an ancestor, descendant, or variant. Patches may be complementary to commits or may be used in place of commits.", "items": {"$ref": "#/definitions/patch"} }, "notes": { 
@@ -1066,9 +1134,9 @@ "releaseNotes": { "$ref": "#/definitions/releaseNotes", "title": "Release notes", - "description": "Specifies optional release notes." + "description": "Specifies release notes." }, - "modelCard": { + "modelCard": { "$ref": "#/definitions/modelCard", "title": "AI/ML Model Card" }, @@ -1076,7 +1144,7 @@ "type": "array", "items": {"$ref": "#/definitions/componentData"}, "title": "Data", - "description": "This object SHOULD be specified for any component of type `data` and MUST NOT be specified for other component types." + "description": "This object SHOULD be specified for any component of type `data` and must not be specified for other component types." }, "cryptoProperties": { "$ref": "#/definitions/cryptoProperties", @@ -1085,7 +1153,7 @@ "properties": { "type": "array", "title": "Properties", - "description": "Provides the ability to document properties in a name-value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. Unlike key-value stores, properties support duplicate names, each potentially having different values. Property names of interest to the general public are encouraged to be registered in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy). Formal registration is OPTIONAL.", + "description": "Provides the ability to document properties in a name-value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. Unlike key-value stores, properties support duplicate names, each potentially having different values. Property names of interest to the general public are encouraged to be registered in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy). Formal registration is optional.", "items": {"$ref": "#/definitions/property"} }, "tags": { 
@@ -1097,7 +1165,25 @@ "title": "Signature", "description": "Enveloped signature in [JSON Signature Format (JSF)](https://cyberphone.github.io/doc/security/jsf.html)." } - } + }, + "allOf": [ + { + "description": "Requirement: ensure that `version` and `versionRange` are not present simultaneously.", + "not": { + "required": ["version", "versionRange"] + } + }, + { + "description": "Requirement: 'versionRange' must not be present when 'isExternal' is `false`.", + "if": { + "properties": { "isExternal": { "const": false } } + }, + "then": { + "not": { "required": ["versionRange"] } + }, + "else": true + } + ] }, "swid": { "type": "object", @@ -1162,13 +1248,18 @@ "contentType": { "type": "string", "title": "Content-Type", - "description": "Specifies the content type of the text. Defaults to text/plain if not specified.", - "default": "text/plain" + "description": "Specifies the format and nature of the data being attached, helping systems correctly interpret and process the content. Common content type examples include `application/json` for JSON data and `text/plain` for plain text documents.\n [RFC 2045 section 5.1](https://www.ietf.org/rfc/rfc2045.html#section-5.1) outlines the structure and use of content types. For a comprehensive list of registered content types, refer to the [IANA media types registry](https://www.iana.org/assignments/media-types/media-types.xhtml).", + "default": "text/plain", + "examples": [ + "text/plain", + "application/json", + "image/png" + ] }, "encoding": { "type": "string", "title": "Encoding", - "description": "Specifies the optional encoding the text is represented in.", + "description": "Specifies the encoding the text is represented in.", "enum": [ "base64" ], @@ -1216,7 +1307,9 @@ "BLAKE2b-256", "BLAKE2b-384", "BLAKE2b-512", - "BLAKE3" + "BLAKE3", + "Streebog-256", + "Streebog-512" ] }, "hash-content": { 
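Review bot: The `if` clause `{ "properties": { "isExternal": { "const": false } } }` is also satisfied when `isExternal` is absent, because `properties` imposes nothing on a missing key, so the `then` branch forbids `versionRange` for every component that does not say `"isExternal": true` explicitly; that matches the field's `default: false` but not the subschema's own description, which says only "when 'isExternal' is `false`". Reword it to `"Requirement: 'versionRange' may only be present when 'isExternal' is explicitly true; an absent 'isExternal' counts as false."` so readers do not assume the default is filled in before validation. `"else": true` is a no-op and can be dropped. The enclosing `component` definition begins outside this hunk.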
@@ -1226,9 +1319,165 @@ "examples": ["3942447fac867ae5cdb3229b658f4d48"], "pattern": "^([a-fA-F0-9]{32}|[a-fA-F0-9]{40}|[a-fA-F0-9]{64}|[a-fA-F0-9]{96}|[a-fA-F0-9]{128})$" }, + "licensing": { + "type": "object", + "title": "Licensing information", + "description": "Licensing details describing the licensor/licensee, license type, renewal and expiration dates, and other important metadata", + "additionalProperties": false, + "properties": { + "altIds": { + "type": "array", + "title": "Alternate License Identifiers", + "description": "License identifiers that may be used to manage licenses and their lifecycle", + "items": { + "type": "string" + } + }, + "licensor": { + "title": "Licensor", + "description": "The individual or organization that grants a license to another individual or organization", + "type": "object", + "additionalProperties": false, + "properties": { + "organization": { + "title": "Licensor (Organization)", + "description": "The organization that granted the license", + "$ref": "#/definitions/organizationalEntity" + }, + "individual": { + "title": "Licensor (Individual)", + "description": "The individual, not associated with an organization, that granted the license", + "$ref": "#/definitions/organizationalContact" + } + }, + "oneOf":[ + { + "required": ["organization"] + }, + { + "required": ["individual"] + } + ] + }, + "licensee": { + "title": "Licensee", + "description": "The individual or organization for which a license was granted to", + "type": "object", + "additionalProperties": false, + "properties": { + "organization": { + "title": "Licensee (Organization)", + "description": "The organization that was granted the license", + "$ref": "#/definitions/organizationalEntity" + }, + "individual": { + "title": "Licensee (Individual)", + "description": "The individual, not associated with an organization, that was granted the license", + "$ref": "#/definitions/organizationalContact" + } + }, + "oneOf":[ + { + "required": ["organization"] + }, + { 
+ "required": ["individual"] + } + ] + }, + "purchaser": { + "title": "Purchaser", + "description": "The individual or organization that purchased the license", + "type": "object", + "additionalProperties": false, + "properties": { + "organization": { + "title": "Purchaser (Organization)", + "description": "The organization that purchased the license", + "$ref": "#/definitions/organizationalEntity" + }, + "individual": { + "title": "Purchaser (Individual)", + "description": "The individual, not associated with an organization, that purchased the license", + "$ref": "#/definitions/organizationalContact" + } + }, + "oneOf":[ + { + "required": ["organization"] + }, + { + "required": ["individual"] + } + ] + }, + "purchaseOrder": { + "type": "string", + "title": "Purchase Order", + "description": "The purchase order identifier the purchaser sent to a supplier or vendor to authorize a purchase" + }, + "licenseTypes": { + "type": "array", + "title": "License Type", + "description": "The type of license(s) that was granted to the licensee.", + "items": { + "type": "string", + "enum": [ + "academic", + "appliance", + "client-access", + "concurrent-user", + "core-points", + "custom-metric", + "device", + "evaluation", + "named-user", + "node-locked", + "oem", + "perpetual", + "processor-points", + "subscription", + "user", + "other" + ], + "meta:enum": { + "academic": "A license that grants use of software solely for the purpose of education or research.", + "appliance": "A license covering use of software embedded in a specific piece of hardware.", + "client-access": "A Client Access License (CAL) allows client computers to access services provided by server software.", + "concurrent-user": "A Concurrent User license (aka floating license) limits the number of licenses for a software application and licenses are shared among a larger number of users.", + "core-points": "A license where the core of a computer's processor is assigned a specific number of points.", + 
"custom-metric": "A license for which consumption is measured by non-standard metrics.", + "device": "A license that covers a defined number of installations on computers and other types of devices.", + "evaluation": "A license that grants permission to install and use software for trial purposes.", + "named-user": "A license that grants access to the software to one or more pre-defined users.", + "node-locked": "A license that grants access to the software on one or more pre-defined computers or devices.", + "oem": "An Original Equipment Manufacturer license that is delivered with hardware, cannot be transferred to other hardware, and is valid for the life of the hardware.", + "perpetual": "A license where the software is sold on a one-time basis and the licensee can use a copy of the software indefinitely.", + "processor-points": "A license where each installation consumes points per processor.", + "subscription": "A license where the licensee pays a fee to use the software or service.", + "user": "A license that grants access to the software or service by a specified number of users.", + "other": "Another license type." + } + } + }, + "lastRenewal": { + "type": "string", + "format": "date-time", + "title": "Last Renewal", + "description": "The timestamp indicating when the license was last renewed. For new purchases, this is often the purchase or acquisition date. For non-perpetual licenses or subscriptions, this is the timestamp of when the license was last renewed." + }, + "expiration": { + "type": "string", + "format": "date-time", + "title": "Expiration", + "description": "The timestamp indicating when the current license expires (if applicable)." + } + } + }, "license": { "type": "object", "title": "License", + "description": "Specifies the details and attributes related to a software license. 
It can either include a valid SPDX license identifier or a named license, along with additional properties such as license acknowledgment, comprehensive commercial licensing information, and the full text of the license.", "oneOf": [ { "required": ["id"] @@ -1242,18 +1491,18 @@ "bom-ref": { "$ref": "#/definitions/refType", "title": "BOM Reference", - "description": "An optional identifier which can be used to reference the license elsewhere in the BOM. Every bom-ref MUST be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links." + "description": "An identifier which can be used to reference the license elsewhere in the BOM. Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links." }, "id": { "$ref": "spdx.schema.json", "title": "License ID (SPDX)", - "description": "A valid SPDX license ID", + "description": "A valid SPDX license identifier. If specified, this value must be one of the enumeration of valid SPDX license identifiers defined in the spdx.schema.json (or spdx.xml) subschema which is synchronized with the official SPDX license list.", "examples": ["Apache-2.0"] }, "name": { "type": "string", "title": "License Name", - "description": "If SPDX does not define the license used, this field may be used to provide the license name", + "description": "The name of the license. This may include the name of a commercial or proprietary license or an open source license that may not be defined by SPDX.", "examples": ["Acme Software License"] }, "acknowledgement": { @@ -1261,7 +1510,7 @@ }, "text": { "title": "License text", - "description": "An optional way to include the textual content of a license.", + "description": "A way to include the textual content of a license.", "$ref": "#/definitions/attachment" }, "url": { 
@@ -1271,165 +1520,11 @@ "examples": ["https://www.apache.org/licenses/LICENSE-2.0.txt"], "format": "iri-reference" }, - "licensing": { - "type": "object", - "title": "Licensing information", - "description": "Licensing details describing the licensor/licensee, license type, renewal and expiration dates, and other important metadata", - "additionalProperties": false, - "properties": { - "altIds": { - "type": "array", - "title": "Alternate License Identifiers", - "description": "License identifiers that may be used to manage licenses and their lifecycle", - "items": { - "type": "string" - } - }, - "licensor": { - "title": "Licensor", - "description": "The individual or organization that grants a license to another individual or organization", - "type": "object", - "additionalProperties": false, - "properties": { - "organization": { - "title": "Licensor (Organization)", - "description": "The organization that granted the license", - "$ref": "#/definitions/organizationalEntity" - }, - "individual": { - "title": "Licensor (Individual)", - "description": "The individual, not associated with an organization, that granted the license", - "$ref": "#/definitions/organizationalContact" - } - }, - "oneOf":[ - { - "required": ["organization"] - }, - { - "required": ["individual"] - } - ] - }, - "licensee": { - "title": "Licensee", - "description": "The individual or organization for which a license was granted to", - "type": "object", - "additionalProperties": false, - "properties": { - "organization": { - "title": "Licensee (Organization)", - "description": "The organization that was granted the license", - "$ref": "#/definitions/organizationalEntity" - }, - "individual": { - "title": "Licensee (Individual)", - "description": "The individual, not associated with an organization, that was granted the license", - "$ref": "#/definitions/organizationalContact" - } - }, - "oneOf":[ - { - "required": ["organization"] - }, - { - "required": ["individual"] - } - ] - }, - "purchaser": 
{ - "title": "Purchaser", - "description": "The individual or organization that purchased the license", - "type": "object", - "additionalProperties": false, - "properties": { - "organization": { - "title": "Purchaser (Organization)", - "description": "The organization that purchased the license", - "$ref": "#/definitions/organizationalEntity" - }, - "individual": { - "title": "Purchaser (Individual)", - "description": "The individual, not associated with an organization, that purchased the license", - "$ref": "#/definitions/organizationalContact" - } - }, - "oneOf":[ - { - "required": ["organization"] - }, - { - "required": ["individual"] - } - ] - }, - "purchaseOrder": { - "type": "string", - "title": "Purchase Order", - "description": "The purchase order identifier the purchaser sent to a supplier or vendor to authorize a purchase" - }, - "licenseTypes": { - "type": "array", - "title": "License Type", - "description": "The type of license(s) that was granted to the licensee.", - "items": { - "type": "string", - "enum": [ - "academic", - "appliance", - "client-access", - "concurrent-user", - "core-points", - "custom-metric", - "device", - "evaluation", - "named-user", - "node-locked", - "oem", - "perpetual", - "processor-points", - "subscription", - "user", - "other" - ], - "meta:enum": { - "academic": "A license that grants use of software solely for the purpose of education or research.", - "appliance": "A license covering use of software embedded in a specific piece of hardware.", - "client-access": "A Client Access License (CAL) allows client computers to access services provided by server software.", - "concurrent-user": "A Concurrent User license (aka floating license) limits the number of licenses for a software application and licenses are shared among a larger number of users.", - "core-points": "A license where the core of a computer's processor is assigned a specific number of points.", - "custom-metric": "A license for which consumption is measured by 
non-standard metrics.", - "device": "A license that covers a defined number of installations on computers and other types of devices.", - "evaluation": "A license that grants permission to install and use software for trial purposes.", - "named-user": "A license that grants access to the software to one or more pre-defined users.", - "node-locked": "A license that grants access to the software on one or more pre-defined computers or devices.", - "oem": "An Original Equipment Manufacturer license that is delivered with hardware, cannot be transferred to other hardware, and is valid for the life of the hardware.", - "perpetual": "A license where the software is sold on a one-time basis and the licensee can use a copy of the software indefinitely.", - "processor-points": "A license where each installation consumes points per processor.", - "subscription": "A license where the licensee pays a fee to use the software or service.", - "user": "A license that grants access to the software or service by a specified number of users.", - "other": "Another license type." - } - } - }, - "lastRenewal": { - "type": "string", - "format": "date-time", - "title": "Last Renewal", - "description": "The timestamp indicating when the license was last renewed. For new purchases, this is often the purchase or acquisition date. For non-perpetual licenses or subscriptions, this is the timestamp of when the license was last renewed." - }, - "expiration": { - "type": "string", - "format": "date-time", - "title": "Expiration", - "description": "The timestamp indicating when the current license expires (if applicable)." - } - } - }, + "licensing": {"$ref": "#/definitions/licensing"}, "properties": { "type": "array", "title": "Properties", - "description": "Provides the ability to document properties in a name-value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. 
Unlike key-value stores, properties support duplicate names, each potentially having different values. Property names of interest to the general public are encouraged to be registered in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy). Formal registration is OPTIONAL.", + "description": "Provides the ability to document properties in a name-value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. Unlike key-value stores, properties support duplicate names, each potentially having different values. Property names of interest to the general public are encouraged to be registered in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy). Formal registration is optional.", "items": {"$ref": "#/definitions/property"} } } 
@@ -1449,56 +1544,108 @@ }, "licenseChoice": { "title": "License Choice", - "description": "EITHER (list of SPDX licenses and/or named licenses) OR (tuple of one SPDX License Expression)", + "description": "A list of SPDX licenses and/or named licenses and/or SPDX License Expression.", "type": "array", - "oneOf": [ - { - "title": "Multiple licenses", - "description": "A list of SPDX licenses and/or named licenses.", - "type": "array", - "items": { + "items": { + "oneOf": [ + { "type": "object", "title": "License", - "required": ["license"], + "required": [ + "license" + ], "additionalProperties": false, "properties": { - "license": {"$ref": "#/definitions/license"} + "license": { + "$ref": "#/definitions/license" + } } - } - }, - { - "title": "SPDX License Expression", - "description": "A tuple of exactly one SPDX License Expression.", - "type": "array", - "additionalItems": false, - "minItems": 1, - "maxItems": 1, - "items": [{ + }, + { + "title": "License Expression", + "description": "Specifies the details and attributes related to a software license.\nIt must be a valid SPDX license expression, along with additional properties such as license acknowledgment.", "type": "object", "additionalProperties": false, - "required": ["expression"], + "required": [ + "expression" + ], "properties": { "expression": { "type": "string", "title": "SPDX License Expression", - "description": "A valid SPDX license expression.\nRefer to https://spdx.org/specifications for syntax requirements", + "description": "A valid SPDX license expression.\nRefer to https://spdx.org/specifications for syntax requirements.", "examples": [ "Apache-2.0 AND (MIT OR GPL-2.0-only)", "GPL-3.0-only WITH Classpath-exception-2.0" ] }, + "expressionDetails": { + "title": "Expression Details", + "description": "Details for parts of the `expression`.", + "type": "array", + "items": { + "type": "object", + "description": "This document specifies the details and attributes related to a software license 
identifier. An SPDX expression may be a compound of license identifiers.\nThe `license_identifier` property serves as the key that identifies each record. Note that this key is not required to be unique, as the same license identifier could apply to multiple, different but similar license details, texts, etc.", + "required": [ + "licenseIdentifier" + ], + "properties": { + "licenseIdentifier": { + "title": "License Identifier", + "description": "The valid SPDX license identifier. Refer to https://spdx.org/specifications for syntax requirements.\nThis property serves as the primary key, which uniquely identifies each record.", + "type": "string", + "examples": [ + "Apache-2.0", + "GPL-3.0-only WITH Classpath-exception-2.0", + "LicenseRef-my-custom-license" + ] + }, + "bom-ref": { + "$ref": "#/definitions/refType", + "title": "BOM Reference", + "description": "An identifier which can be used to reference the license elsewhere in the BOM. Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links." + }, + "text": { + "title": "License texts", + "description": "A way to include the textual content of the license.", + "$ref": "#/definitions/attachment" + }, + "url": { + "type": "string", + "title": "License URL", + "description": "The URL to the license file. If specified, a 'license' externalReference should also be specified for completeness", + "examples": [ + "https://www.apache.org/licenses/LICENSE-2.0.txt" + ], + "format": "iri-reference" + } + }, + "additionalProperties": false + } + }, "acknowledgement": { "$ref": "#/definitions/licenseAcknowledgementEnumeration" }, "bom-ref": { "$ref": "#/definitions/refType", "title": "BOM Reference", - "description": "An optional identifier which can be used to reference the license elsewhere in the BOM. Every bom-ref MUST be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links." 
+ "description": "An identifier which can be used to reference the license elsewhere in the BOM. Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links." + }, + "licensing": { + "$ref": "#/definitions/licensing" + }, + "properties": { + "type": "array", + "title": "Properties", + "description": "Provides the ability to document properties in a name-value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. Unlike key-value stores, properties support duplicate names, each potentially having different values. Property names of interest to the general public are encouraged to be registered in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy). Formal registration is optional.", + "items": { + "$ref": "#/definitions/property" + } } } - }] - } - ] + } + ] + } }, "commit": { "type": "object", @@ -1581,7 +1728,7 @@ "properties": { "text": { "title": "Diff text", - "description": "Specifies the optional text of the diff", + "description": "Specifies the text of the diff", "$ref": "#/definitions/attachment" }, "url": { @@ -1720,7 +1867,7 @@ "comment": { "type": "string", "title": "Comment", - "description": "An optional comment describing the external reference" + "description": "A comment describing the external reference" }, "type": { "type": "string", @@ -1769,6 +1916,10 @@ "electronic-signature", "digital-signature", "rfc-9116", + "patent", + "patent-family", + "patent-assertion", + "citation", "other" ], "meta:enum": { 
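Review bot: The `expressionDetails` item text contradicts itself: the item description says the key "is not required to be unique" while the `licenseIdentifier` description calls it "the primary key, which uniquely identifies each record", and the item description names the key `license_identifier` although the property is `licenseIdentifier`. Pick one rule and state it in both places, e.g. `"description": "The SPDX license identifier this entry describes. The same identifier may appear in more than one entry."`, and drop `GPL-3.0-only WITH Classpath-exception-2.0` from the `licenseIdentifier` examples, since a WITH clause is an expression rather than an identifier. Separately, the rewritten `licenseChoice` replaces 1.6's either-a-list-of-licenses-or-exactly-one-expression shape with an array that may mix license objects and several expressions, yet its description does not say how multiple entries combine; tooling that makes compliance decisions from this array needs that spelled out (all entries apply, or any one of them). The `commit` definition that begins at the end of this hunk continues outside it.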
@@ -1794,7 +1945,7 @@
 "log": "A record of events that occurred in a computer system or application, such as problems, errors, or information on current operations.",
 "configuration": "Parameters or settings that may be used by other components or services.",
 "evidence": "Information used to substantiate a claim.",
- "formulation": "Describes how a component or service was manufactured or deployed.",
+ "formulation": "Describes the formulation of any referencable object within the BOM, including components, services, metadata, declarations, or the BOM itself.",
 "attestation": "Human or machine-readable statements containing facts, evidence, or testimony.",
 "threat-model": "An enumeration of identified weaknesses, threats, and countermeasures, dataflow diagram (DFD), attack tree, and other supporting documentation in human-readable or machine-readable format.",
 "adversary-model": "The defined assumptions, goals, and capabilities of an adversary.",
@@ -1810,10 +1961,14 @@ "certification-report": "Industry, regulatory, or other certification from an accredited (if applicable) certification body.", "codified-infrastructure": "Code or configuration that defines and provisions virtualized infrastructure, commonly referred to as Infrastructure as Code (IaC).", "quality-metrics": "Report or system in which quality metrics can be obtained.", - "poam": "Plans of Action and Milestones (POAM) complement an \"attestation\" external reference. POAM is defined by NIST as a \"document that identifies tasks needing to be accomplished. It details resources required to accomplish the elements of the plan, any milestones in meeting the tasks and scheduled completion dates for the milestones\".", + "poam": "Plans of Action and Milestones (POA&M) complement an \"attestation\" external reference. POA&M is defined by NIST as a \"document that identifies tasks needing to be accomplished. It details resources required to accomplish the elements of the plan, any milestones in meeting the tasks and scheduled completion dates for the milestones\".", "electronic-signature": "An e-signature is commonly a scanned representation of a written signature or a stylized script of the person's name.", "digital-signature": "A signature that leverages cryptography, typically public/private key pairs, which provides strong authenticity verification.", - "rfc-9116": "Document that complies with RFC-9116 (A File Format to Aid in Security Vulnerability Disclosure)", + "rfc-9116": "Document that complies with [RFC 9116](https://www.ietf.org/rfc/rfc9116.html) (A File Format to Aid in Security Vulnerability Disclosure)", + "patent": "References information about patents which may be defined in human-readable documents or in machine-readable formats such as CycloneDX or ST.96. 
For detailed patent information or to reference the information provided directly by patent offices, it is recommended to leverage standards from the World Intellectual Property Organization (WIPO) such as [ST.96](https://www.wipo.int/standards/en/st96).", + "patent-family": "References information about a patent family which may be defined in human-readable documents or in machine-readable formats such as CycloneDX or ST.96. A patent family is a group of related patent applications or granted patents that cover the same or similar invention. For detailed patent family information or to reference the information provided directly by patent offices, it is recommended to leverage standards from the World Intellectual Property Organization (WIPO) such as [ST.96](https://www.wipo.int/standards/en/st96).", + "patent-assertion" : "References assertions made regarding patents associated with a component or service. Assertions distinguish between ownership, licensing, and other relevant interactions with patents.", + "citation": "A reference to external citations applicable to the object identified by this BOM entry or the BOM itself. When used with a BOM-Link, this allows offloading citations into a separate CycloneDX BOM.", "other": "Use this if no other types accurately describe the purpose of the external reference." } }, 
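Review bot: The `citation` entry tells producers they can offload citations into a separate BOM via BOM-Link, and `patent`/`patent-family` point at documents published by patent offices, but none of the four new entries mention the `hashes` property that sits on the same external reference, so a reader cannot tell whether the integrity of a fetched document is expected to be verifiable. Suggest ending the `citation` description with `Producers SHOULD populate 'hashes' when the referenced document is retrieved over a URL so consumers can verify what they fetched.` and adding the same sentence to `patent`. Minor style point: `"patent-assertion" :` carries a space before the colon unlike its siblings. The `meta:enum` object these entries belong to opens outside this hunk.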
@@ -1822,13 +1977,19 @@ "items": {"$ref": "#/definitions/hash"}, "title": "Hashes", "description": "The hashes of the external reference (if applicable)." + }, + "properties": { + "type": "array", + "title": "Properties", + "description": "Provides the ability to document properties in a name-value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. Unlike key-value stores, properties support duplicate names, each potentially having different values. Property names of interest to the general public are encouraged to be registered in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy). Formal registration is optional.", + "items": {"$ref": "#/definitions/property"} } } }, "dependency": { "type": "object", "title": "Dependency", - "description": "Defines the direct dependencies of a component, service, or the components provided/implemented by a given component. Components or services that do not have their own dependencies MUST be declared as empty elements within the graph. Components or services that are not represented in the dependency graph MAY have unknown dependencies. It is RECOMMENDED that implementations assume this to be opaque and not an indicator of an object being dependency-free. It is RECOMMENDED to leverage compositions to indicate unknown dependency graphs.", + "description": "Defines the direct dependencies of a component, service, or the components provided/implemented by a given component. Components or services that do not have their own dependencies must be declared as empty elements within the graph. Components or services that are not represented in the dependency graph may have unknown dependencies. It is recommended that implementations assume this to be opaque and not an indicator of an object being dependency-free. 
It is recommended to leverage compositions to indicate unknown dependency graphs.", "required": [ "ref" ], @@ -1870,7 +2031,7 @@ "bom-ref": { "$ref": "#/definitions/refType", "title": "BOM Reference", - "description": "An optional identifier which can be used to reference the service elsewhere in the BOM. Every bom-ref MUST be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links." + "description": "An identifier which can be used to reference the service elsewhere in the BOM. Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links." }, "provider": { "title": "Provider", @@ -1932,7 +2093,11 @@ }, "licenses": { "$ref": "#/definitions/licenseChoice", - "title": "Component License(s)" + "title": "Service License(s)" + }, + "patentAssertions": { + "$ref": "#/definitions/patentAssertions", + "title": "Service Patent(s)" }, "externalReferences": { "type": "array", 
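Review bot: `patentAssertions` is wired to `#/definitions/patentAssertions`, but that definition does not appear in any hunk shown here; if it is not added elsewhere in this change the schema fails to load with an unresolved reference, so please confirm the definition lands in the same commit. The new property would also benefit from a `description` alongside its title, e.g. `"description": "Assertions made regarding patents associated with the service, distinguishing ownership, licensing, and other interactions."`, mirroring the wording the diff uses for the `patent-assertion` external reference type. The `service` definition's properties object opens before and closes after this hunk.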
@@ -1950,12 +2115,12 @@
 "releaseNotes": {
 "$ref": "#/definitions/releaseNotes",
 "title": "Release notes",
- "description": "Specifies optional release notes."
+ "description": "Specifies release notes."
 },
 "properties": {
 "type": "array",
 "title": "Properties",
- "description": "Provides the ability to document properties in a name-value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. Unlike key-value stores, properties support duplicate names, each potentially having different values. Property names of interest to the general public are encouraged to be registered in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy). Formal registration is OPTIONAL.",
+ "description": "Provides the ability to document properties in a name-value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. Unlike key-value stores, properties support duplicate names, each potentially having different values. Property names of interest to the general public are encouraged to be registered in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy). Formal registration is optional.",
 "items": {"$ref": "#/definitions/property"}
 },
 "tags": {
@@ -2064,6 +2229,7 @@
 "copyright": {
 "type": "object",
 "title": "Copyright",
+ "description": "A copyright notice informing users of the underlying claims to copyright ownership in a published work.",
 "required": [
 "text"
 ],
@@ -2071,7 +2237,8 @@
 "properties": {
 "text": {
 "type": "string",
- "title": "Copyright Text"
+ "title": "Copyright Text",
+ "description": "The textual content of the copyright."
 }
 }
 },
@@ -2083,7 +2250,7 @@ "properties": { "identity": { "title": "Identity Evidence", - "description": "Evidence that substantiates the identity of a component. The identity may be an object or an array of identity objects. Support for specifying identity as a single object was introduced in CycloneDX v1.5. Arrays were introduced in v1.6. It is RECOMMENDED that all implementations use arrays, even if only one identity object is specified.", + "description": "Evidence that substantiates the identity of a component. The identity may be an object or an array of identity objects. Support for specifying identity as a single object was introduced in CycloneDX v1.5. Arrays were introduced in v1.6. It is recommended that all implementations use arrays, even if only one identity object is specified.", "oneOf" : [ { "type": "array", @@ -2110,7 +2277,7 @@ "bom-ref": { "$ref": "#/definitions/refType", "title": "BOM Reference", - "description": "An optional identifier which can be used to reference the occurrence elsewhere in the BOM. Every bom-ref MUST be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links." + "description": "An identifier which can be used to reference the occurrence elsewhere in the BOM. Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links." }, "location": { "type": "string", @@ -2176,7 +2343,7 @@ }, "parameters": { "title": "Parameters", - "description": "Optional arguments that are passed to the module or function.", + "description": "Arguments that are passed to the module or function.", "type": "array", "items": { "type": "string" 
@@ -2225,12 +2392,12 @@
 "bom-ref": {
 "$ref": "#/definitions/refType",
 "title": "BOM Reference",
- "description": "An optional identifier which can be used to reference the composition elsewhere in the BOM. Every bom-ref MUST be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links."
+ "description": "An identifier which can be used to reference the composition elsewhere in the BOM. Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links."
 },
 "aggregate": {
 "$ref": "#/definitions/aggregateType",
 "title": "Aggregate",
- "description": "Specifies an aggregate type that describe how complete a relationship is."
+ "description": "Specifies an aggregate type that describes how complete a relationship is."
 },
 "assemblies": {
 "type": "array",
@@ -2306,10 +2473,11 @@ "property": { "type": "object", "title": "Lightweight name-value pair", - "description": "Provides the ability to document properties in a name-value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. Unlike key-value stores, properties support duplicate names, each potentially having different values. Property names of interest to the general public are encouraged to be registered in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy). Formal registration is OPTIONAL.", + "description": "Provides the ability to document properties in a name-value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. Unlike key-value stores, properties support duplicate names, each potentially having different values. Property names of interest to the general public are encouraged to be registered in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy). Formal registration is optional.", "required": [ "name" ], + "additionalProperties": false, "properties": { "name": { "type": "string", 
@@ -2321,14 +2489,13 @@
 "title": "Value",
 "description": "The value of the property."
 }
- },
- "additionalProperties": false
+ }
 },
 "localeType": {
 "type": "string",
 "pattern": "^([a-z]{2})(-[A-Z]{2})?$",
 "title": "Locale",
- "description": "Defines a syntax for representing two character language code (ISO-639) followed by an optional two character country code. The language code MUST be lower case. If the country code is specified, the country code MUST be upper case. The language code and country code MUST be separated by a minus sign. Examples: en, en-US, fr, fr-CA"
+ "description": "Defines a syntax for representing two character language code (ISO-639) followed by an optional two character country code. The language code must be lower case. If the country code is specified, the country code must be upper case. The language code and country code must be separated by a minus sign. Examples: en, en-US, fr, fr-CA"
 },
 "releaseType": {
 "type": "string",
@@ -2339,7 +2506,7 @@
 "pre-release",
 "internal"
 ],
- "description": "The software versioning type. It is RECOMMENDED that the release type use one of 'major', 'minor', 'patch', 'pre-release', or 'internal'. Representing all possible software release types is not practical, so standardizing on the recommended values, whenever possible, is strongly encouraged.\n\n* __major__ = A major release may contain significant changes or may introduce breaking changes.\n* __minor__ = A minor release, also known as an update, may contain a smaller number of changes than major releases.\n* __patch__ = Patch releases are typically unplanned and may resolve defects or important security issues.\n* __pre-release__ = A pre-release may include alpha, beta, or release candidates and typically have limited support. They provide the ability to preview a release prior to its general availability.\n* __internal__ = Internal releases are not for public consumption and are intended to be used exclusively by the project or manufacturer that produced it."
+ "description": "The software versioning type. It is recommended that the release type use one of 'major', 'minor', 'patch', 'pre-release', or 'internal'. Representing all possible software release types is not practical, so standardizing on the recommended values, whenever possible, is strongly encouraged.\n\n* __major__ = A major release may contain significant changes or may introduce breaking changes.\n* __minor__ = A minor release, also known as an update, may contain a smaller number of changes than major releases.\n* __patch__ = Patch releases are typically unplanned and may resolve defects or important security issues.\n* __pre-release__ = A pre-release may include alpha, beta, or release candidates and typically have limited support. 
They provide the ability to preview a release prior to its general availability.\n* __internal__ = Internal releases are not for public consumption and are intended to be used exclusively by the project or manufacturer that produced it."
 },
 "note": {
 "type": "object",
@@ -2430,7 +2597,7 @@
 "properties": {
 "type": "array",
 "title": "Properties",
- "description": "Provides the ability to document properties in a name-value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. Unlike key-value stores, properties support duplicate names, each potentially having different values. Property names of interest to the general public are encouraged to be registered in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy). Formal registration is OPTIONAL.",
+ "description": "Provides the ability to document properties in a name-value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. Unlike key-value stores, properties support duplicate names, each potentially having different values. Property names of interest to the general public are encouraged to be registered in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy). Formal registration is optional.",
 "items": {"$ref": "#/definitions/property"}
 }
 }
@@ -2445,7 +2612,7 @@
 "title": {
 "type": "string",
 "title": "Title",
- "description": "An optional name of the advisory."
+ "description": "A name of the advisory."
 },
 "url": {
 "type": "string",
@@ -2585,7 +2752,7 @@
 "justification": {
 "type": "string",
 "title": "Justification",
- "description": "An optional reason for rating the vulnerability as it was"
+ "description": "A reason for rating the vulnerability as it was"
 }
 }
 },
@@ -2626,7 +2793,7 @@
 "bom-ref": {
 "$ref": "#/definitions/refType",
 "title": "BOM Reference",
- "description": "An optional identifier which can be used to reference the vulnerability elsewhere in the BOM. Every bom-ref MUST be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links."
+ "description": "An identifier which can be used to reference the vulnerability elsewhere in the BOM. Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links."
 },
 "id": {
 "type": "string",
@@ -2674,7 +2841,7 @@
 "ratings": {
 "type": "array",
 "title": "Ratings",
- "description": "List of vulnerability ratings",
+ "description": "List of vulnerability ratings. Consumers SHOULD consider ratings in prioritization decisions; source ratings may differ and aid prioritization.",
 "items": {
 "$ref": "#/definitions/rating"
 }
@@ -2816,7 +2983,8 @@
 {
 "type": "array",
 "title": "Tools (legacy)",
- "description": "[Deprecated] The tool(s) used to identify, confirm, or score the vulnerability.",
+ "description": "[Deprecated]\nThe tool(s) used to identify, confirm, or score the vulnerability.",
+ "deprecated": true,
 "items": {"$ref": "#/definitions/tool"}
 }
 ]
@@ -2921,7 +3089,7 @@
 },
 "range": {
 "title": "Version Range",
- "description": "A version range specified in Package URL Version Range syntax (vers) which is defined at https://github.com/package-url/purl-spec/VERSION-RANGE-SPEC.rst",
+ "description": "A version range specified in Package URL Version Range syntax (vers) which is defined at https://github.com/package-url/vers-spec",
 "$ref": "#/definitions/versionRange"
 },
 "status": {
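Review bot: The sentence added to the ratings description in the -2674 hunk, `Consumers SHOULD consider ratings in prioritization decisions; source ratings may differ and aid prioritization.`, is circular — "source ratings" is never defined and the second clause restates the first. A wording that carries the intended point (ratings from different sources can disagree, and all of them are input to triage) would be `List of vulnerability ratings. Ratings from different sources may differ; consumers SHOULD take all provided ratings into account when prioritizing remediation.` The enclosing vulnerability definition starts and ends outside the hunk.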
@@ -2941,7 +3109,7 @@
 "properties": {
 "type": "array",
 "title": "Properties",
- "description": "Provides the ability to document properties in a name-value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. Unlike key-value stores, properties support duplicate names, each potentially having different values. Property names of interest to the general public are encouraged to be registered in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy). Formal registration is OPTIONAL.",
+ "description": "Provides the ability to document properties in a name-value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. Unlike key-value stores, properties support duplicate names, each potentially having different values. Property names of interest to the general public are encouraged to be registered in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy). Formal registration is optional.",
 "items": {
 "$ref": "#/definitions/property"
 }
@@ -2976,7 +3144,7 @@
 ]
 },
 "versionRange": {
- "description": "A version range specified in Package URL Version Range syntax (vers) which is defined at https://github.com/package-url/purl-spec/VERSION-RANGE-SPEC.rst",
+ "description": "A version range specified in Package URL Version Range syntax (vers) which is defined at https://github.com/package-url/vers-spec",
 "type": "string",
 "minLength": 1,
 "maxLength": 4096,
@@ -3008,7 +3176,7 @@
 "bom-ref": {
 "$ref": "#/definitions/refType",
 "title": "BOM Reference",
- "description": "An optional identifier which can be used to reference the annotation elsewhere in the BOM. Every bom-ref MUST be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links."
+ "description": "An identifier which can be used to reference the annotation elsewhere in the BOM. Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links."
 },
 "subjects": {
 "type": "array",
@@ -3096,13 +3264,13 @@
 "$comment": "Model card support in CycloneDX is derived from TensorFlow Model Card Toolkit released under the Apache 2.0 license and available from https://github.com/tensorflow/model-card-toolkit/blob/main/model_card_toolkit/schema/v0.0.2/model_card.schema.json. In addition, CycloneDX model card support includes portions of VerifyML, also released under the Apache 2.0 license and available from https://github.com/cylynx/verifyml/blob/main/verifyml/model_card_toolkit/schema/v0.0.4/model_card.schema.json.",
 "type": "object",
 "title": "Model Card",
- "description": "A model card describes the intended uses of a machine learning model and potential limitations, including biases and ethical considerations. Model cards typically contain the training parameters, which datasets were used to train the model, performance metrics, and other relevant data useful for ML transparency. This object SHOULD be specified for any component of type `machine-learning-model` and MUST NOT be specified for other component types.",
+ "description": "A model card describes the intended uses of a machine learning model and potential limitations, including biases and ethical considerations. Model cards typically contain the training parameters, which datasets were used to train the model, performance metrics, and other relevant data useful for ML transparency. This object SHOULD be specified for any component of type `machine-learning-model` and must not be specified for other component types.",
 "additionalProperties": false,
 "properties": {
 "bom-ref": {
 "$ref": "#/definitions/refType",
 "title": "BOM Reference",
- "description": "An optional identifier which can be used to reference the model card elsewhere in the BOM. Every bom-ref MUST be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links."
+ "description": "An identifier which can be used to reference the model card elsewhere in the BOM. 
Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links."
 },
 "modelParameters": {
 "type": "object",
@@ -3179,6 +3347,7 @@
 }
 ],
 "title": "Reference",
+ "type": "string",
 "description": "References a data component by the components bom-ref attribute"
 }
 }
@@ -3277,7 +3446,7 @@
 "properties": {
 "type": "array",
 "title": "Properties",
- "description": "Provides the ability to document properties in a name-value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. Unlike key-value stores, properties support duplicate names, each potentially having different values. Property names of interest to the general public are encouraged to be registered in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy). Formal registration is OPTIONAL.",
+ "description": "Provides the ability to document properties in a name-value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. Unlike key-value stores, properties support duplicate names, each potentially having different values. Property names of interest to the general public are encouraged to be registered in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy). Formal registration is optional.",
 "items": {"$ref": "#/definitions/property"}
 }
 }
@@ -3305,7 +3474,7 @@
 "bom-ref": {
 "$ref": "#/definitions/refType",
 "title": "BOM Reference",
- "description": "An optional identifier which can be used to reference the dataset elsewhere in the BOM. Every bom-ref MUST be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links."
+ "description": "An identifier which can be used to reference the dataset elsewhere in the BOM. Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links."
 },
 "type": {
 "type": "string",
@@ -3339,7 +3508,7 @@
 "properties": {
 "attachment": {
 "title": "Data Attachment",
- "description": "An optional way to include textual or encoded data.",
+ "description": "A way to include textual or encoded data.",
 "$ref": "#/definitions/attachment"
 },
 "url": {
@@ -3413,10 +3582,12 @@
 "properties": {
 "organization": {
 "title": "Organization",
+ "description": "The organization that is responsible for specific data governance role(s).",
 "$ref": "#/definitions/organizationalEntity"
 },
 "contact": {
 "title": "Individual",
+ "description": "The individual that is responsible for specific data governance role(s).",
 "$ref": "#/definitions/organizationalContact"
 }
 },
@@ -3460,7 +3631,7 @@
 },
 "image": {
 "title": "Graphic Image",
- "description": "The graphic (vector or raster). Base64 encoding MUST be specified for binary images.",
+ "description": "The graphic (vector or raster). Base64 encoding must be specified for binary images.",
 "$ref": "#/definitions/attachment"
 }
 }
@@ -3572,6 +3743,7 @@
 "properties": {
 "type": "array",
 "title": "Properties",
+ "description": "Provides the ability to document properties in a name-value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. Unlike key-value stores, properties support duplicate names, each potentially having different values. Property names of interest to the general public are encouraged to be registered in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy). Formal registration is optional.",
 "items": {
 "$ref": "#/definitions/property"
 }
@@ -3640,6 +3812,7 @@
 "properties": {
 "type": "array",
 "title": "Properties",
+ "description": "Provides the ability to document properties in a name-value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. Unlike key-value stores, properties support duplicate names, each potentially having different values. Property names of interest to the general public are encouraged to be registered in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy). Formal registration is optional.",
 "items": {
 "$ref": "#/definitions/property"
 }
@@ -3711,7 +3884,7 @@
 "properties": {
 "bom-ref": {
 "title": "BOM Reference",
- "description": "An optional identifier which can be used to reference the energy provider elsewhere in the BOM. Every bom-ref MUST be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links.",
+ "description": "An identifier which can be used to reference the energy provider elsewhere in the BOM. Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links.",
 "$ref": "#/definitions/refType"
 },
 "description": {
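Review bot: The property-list description added in this hunk is the same long sentence inserted verbatim in the -3640 hunk and again at -3858, -4001, -4125, -4157, -4175, -4266, -4321, -4420, -4466, -4560, -4645 and -4710, on top of the existing copies this same diff is already correcting from `OPTIONAL` to `optional`. That copy-and-paste is exactly how the earlier copies drifted, and the new ones will drift the same way. Since every one of these arrays already points `items` at `#/definitions/property`, consider a single shared array definition (a constructed name such as `#/definitions/propertyList`) referenced from each `properties` member, or at minimum a `$comment` at the first copy stating that the text is duplicated and must be changed everywhere together. The enclosing definitions start outside the hunks.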
@@ -3722,6 +3895,7 @@
 "organization": {
 "type": "object",
 "title": "Organization",
+ "description": "The organization that provides energy.",
 "$ref": "#/definitions/organizationalEntity"
 },
 "energySource": {
@@ -3776,7 +3950,7 @@
 "properties": {
 "bom-ref": {
 "title": "BOM Reference",
- "description": "An optional identifier which can be used to reference the address elsewhere in the BOM. Every bom-ref MUST be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links.",
+ "description": "An identifier which can be used to reference the address elsewhere in the BOM. Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links.",
 "$ref": "#/definitions/refType"
 },
 "country": {
@@ -3824,7 +3998,7 @@
 "properties": {
 "bom-ref": {
 "title": "BOM Reference",
- "description": "An optional identifier which can be used to reference the formula elsewhere in the BOM. Every bom-ref MUST be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links.",
+ "description": "An identifier which can be used to reference the formula elsewhere in the BOM. Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links.",
 "$ref": "#/definitions/refType"
 },
 "components": {
@@ -3858,6 +4032,7 @@
 "properties": {
 "type": "array",
 "title": "Properties",
+ "description": "Provides the ability to document properties in a name-value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. Unlike key-value stores, properties support duplicate names, each potentially having different values. Property names of interest to the general public are encouraged to be registered in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy). Formal registration is optional.",
 "items": {
 "$ref": "#/definitions/property"
 }
@@ -3867,7 +4042,7 @@
 "workflow": {
 "title": "Workflow",
 "description": "A specialized orchestration task.",
- "$comment": "Workflow are as task themselves and can trigger other workflow tasks. These relationships can be modeled in the taskDependencies graph.",
+ "$comment": "Workflow are as task themselves and can trigger other workflow tasks. These relationships can be modeled in the taskDependencies graph.",
 "type": "object",
 "required": [
 "bom-ref",
@@ -3878,7 +4053,7 @@
 "properties": {
 "bom-ref": {
 "title": "BOM Reference",
- "description": "An optional identifier which can be used to reference the workflow elsewhere in the BOM. Every bom-ref MUST be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links.",
+ "description": "An identifier which can be used to reference the workflow elsewhere in the BOM. Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links.",
 "$ref": "#/definitions/refType"
 },
 "uid": {
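Review bot: The workflow `$comment` in the -3867 hunk still reads `Workflow are as task themselves and can trigger other workflow tasks.` on the new side, which is ungrammatical; the hunk only changes whitespace inside that string, so this was the moment to fix the wording. Suggested: `"$comment": "Workflows are tasks themselves and can trigger other workflow tasks. These relationships can be modeled in the taskDependencies graph.",`. The enclosing workflow definition continues past the hunk.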
@@ -3991,7 +4166,7 @@
 "runtimeTopology": {
 "title": "Runtime topology",
 "description": "A graph of the component runtime topology for workflow's instance.",
- "$comment": "A description of the runtime component and service topology. This can describe a partial or complete topology used to host and execute the task (e.g., hardware, operating systems, configurations, etc.),",
+ "$comment": "A description of the runtime component and service topology. This can describe a partial or complete topology used to host and execute the task (e.g., hardware, operating systems, configurations, etc.),",
 "type": "array",
 "uniqueItems": true,
 "items": {
@@ -4001,6 +4176,7 @@
 "properties": {
 "type": "array",
 "title": "Properties",
+ "description": "Provides the ability to document properties in a name-value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. Unlike key-value stores, properties support duplicate names, each potentially having different values. Property names of interest to the general public are encouraged to be registered in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy). Formal registration is optional.",
 "items": {
 "$ref": "#/definitions/property"
 }
@@ -4021,7 +4197,7 @@
 "properties": {
 "bom-ref": {
 "title": "BOM Reference",
- "description": "An optional identifier which can be used to reference the task elsewhere in the BOM. Every bom-ref MUST be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links.",
+ "description": "An identifier which can be used to reference the task elsewhere in the BOM. Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links.",
 "$ref": "#/definitions/refType"
 },
 "uid": {
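Review bot: The runtimeTopology `$comment` kept on the new side of the -3991 hunk ends with `etc.),` — a stray comma after the closing parenthesis where the sentence should end — and the hunk touches only whitespace in that string; the identical comment in the -4115 hunk has the same ending. Suggested ending for both: `... used to host and execute the task (e.g., hardware, operating systems, configurations, etc.).`. The enclosing workflow and task definitions start outside the hunks.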
@@ -4115,7 +4291,7 @@
 "runtimeTopology": {
 "title": "Runtime topology",
 "description": "A graph of the component runtime topology for task's instance.",
- "$comment": "A description of the runtime component and service topology. This can describe a partial or complete topology used to host and execute the task (e.g., hardware, operating systems, configurations, etc.),",
+ "$comment": "A description of the runtime component and service topology. This can describe a partial or complete topology used to host and execute the task (e.g., hardware, operating systems, configurations, etc.),",
 "type": "array",
 "items": {
 "$ref": "#/definitions/dependency"
@@ -4125,6 +4301,7 @@
 "properties": {
 "type": "array",
 "title": "Properties",
+ "description": "Provides the ability to document properties in a name-value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. Unlike key-value stores, properties support duplicate names, each potentially having different values. Property names of interest to the general public are encouraged to be registered in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy). Formal registration is optional.",
 "items": {
 "$ref": "#/definitions/property"
 }
@@ -4157,6 +4334,7 @@
 "properties": {
 "type": "array",
 "title": "Properties",
+ "description": "Provides the ability to document properties in a name-value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. Unlike key-value stores, properties support duplicate names, each potentially having different values. Property names of interest to the general public are encouraged to be registered in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy). Formal registration is optional.",
 "items": {
 "$ref": "#/definitions/property"
 }
@@ -4175,6 +4353,7 @@
 "properties": {
 "type": "array",
 "title": "Properties",
+ "description": "Provides the ability to document properties in a name-value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. Unlike key-value stores, properties support duplicate names, each potentially having different values. Property names of interest to the general public are encouraged to be registered in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy). Formal registration is optional.",
 "items": {
 "$ref": "#/definitions/property"
 }
@@ -4193,7 +4372,7 @@
 "properties": {
 "bom-ref": {
 "title": "BOM Reference",
- "description": "An optional identifier which can be used to reference the workspace elsewhere in the BOM. Every bom-ref MUST be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links.",
+ "description": "An identifier which can be used to reference the workspace elsewhere in the BOM. Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links.",
 "$ref": "#/definitions/refType"
 },
 "uid": {
@@ -4266,6 +4445,7 @@
 "properties": {
 "type": "array",
 "title": "Properties",
+ "description": "Provides the ability to document properties in a name-value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. Unlike key-value stores, properties support duplicate names, each potentially having different values. Property names of interest to the general public are encouraged to be registered in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy). Formal registration is optional.",
 "items": {
 "$ref": "#/definitions/property"
 }
@@ -4321,6 +4501,7 @@
 "properties": {
 "type": "array",
 "title": "Properties",
+ "description": "Provides the ability to document properties in a name-value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. Unlike key-value stores, properties support duplicate names, each potentially having different values. Property names of interest to the general public are encouraged to be registered in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy). Formal registration is optional.",
 "items": {
 "$ref": "#/definitions/property"
 }
@@ -4340,7 +4521,7 @@
 "properties": {
 "bom-ref": {
 "title": "BOM Reference",
- "description": "An optional identifier which can be used to reference the trigger elsewhere in the BOM. Every bom-ref MUST be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links.",
+ "description": "An identifier which can be used to reference the trigger elsewhere in the BOM. Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links.",
 "$ref": "#/definitions/refType"
 },
 "uid": {
@@ -4386,6 +4567,7 @@
 "conditions": {
 "type": "array",
 "title": "Conditions",
+ "description": "A list of conditions used to determine if a trigger should be activated.",
 "uniqueItems": true,
 "items": {
 "$ref": "#/definitions/condition"
@@ -4420,6 +4602,7 @@
 "properties": {
 "type": "array",
 "title": "Properties",
+ "description": "Provides the ability to document properties in a name-value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. Unlike key-value stores, properties support duplicate names, each potentially having different values. Property names of interest to the general public are encouraged to be registered in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy). Formal registration is optional.",
 "items": {
 "$ref": "#/definitions/property"
 }
@@ -4466,6 +4649,7 @@
 "properties": {
 "type": "array",
 "title": "Properties",
+ "description": "Provides the ability to document properties in a name-value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. Unlike key-value stores, properties support duplicate names, each potentially having different values. Property names of interest to the general public are encouraged to be registered in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy). Formal registration is optional.",
 "items": {
 "$ref": "#/definitions/property"
 }
@@ -4547,7 +4731,9 @@
 "$ref": "#/definitions/property"
 },
 {
- "type": "string"
+ "type": "string",
+ "title": "String-Based Environment Variables",
+ "description": "In addition to the more common key–value pair format, some environment variables may consist of a single string without an explicit value assignment. These string-based environment variables typically act as flags or signals to software, indicating that a feature should be enabled, a mode should be activated, or a specific condition is present. Their presence alone conveys meaning."
 }
 ]
 }
@@ -4560,6 +4746,7 @@
 "properties": {
 "type": "array",
 "title": "Properties",
+ "description": "Provides the ability to document properties in a name-value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. Unlike key-value stores, properties support duplicate names, each potentially having different values. Property names of interest to the general public are encouraged to be registered in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy). Formal registration is optional.",
 "items": {
 "$ref": "#/definitions/property"
 }
@@ -4636,7 +4823,9 @@
 "$ref": "#/definitions/property"
 },
 {
- "type": "string"
+ "type": "string",
+ "title": "String-Based Environment Variables",
+ "description": "In addition to the more common key–value pair format, some environment variables may consist of a single string without an explicit value assignment. These string-based environment variables typically act as flags or signals to software, indicating that a feature should be enabled, a mode should be activated, or a specific condition is present. Their presence alone conveys meaning."
 }
 ]
 },
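Review bot: The new String-Based Environment Variables description says a bare string carries meaning by its presence alone, but it does not say whether such a string may itself contain `=`; a consumer replaying a formulation that finds `FOO=bar` in this branch cannot tell whether it is a flag literally named `FOO=bar` or an unparsed name/value pair that escaped the structured form, and the two produce different environments. One sentence resolves it, for example `Strings containing an equals sign SHOULD be expressed as a name-value property instead.` (or the opposite rule, if that is the intent); the same text is added in the -4636 hunk and should get the same sentence. Minor: the description writes `key–value` with an en dash while the rest of the schema uses a hyphen (`name-value`, `key-value`). The enclosing definitions start outside the hunks.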
@@ -4645,6 +4834,7 @@
 "properties": {
 "type": "array",
 "title": "Properties",
+ "description": "Provides the ability to document properties in a name-value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. Unlike key-value stores, properties support duplicate names, each potentially having different values. Property names of interest to the general public are encouraged to be registered in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy). Formal registration is optional.",
 "items": {
 "$ref": "#/definitions/property"
 }
@@ -4710,6 +4900,7 @@
 "properties": {
 "type": "array",
 "title": "Properties",
+ "description": "Provides the ability to document properties in a name-value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. Unlike key-value stores, properties support duplicate names, each potentially having different values. Property names of interest to the general public are encouraged to be registered in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy). Formal registration is optional.",
 "items": {
 "$ref": "#/definitions/property"
 }
@@ -4870,7 +5061,7 @@
 "bom-ref": {
 "$ref": "#/definitions/refType",
 "title": "BOM Reference",
- "description": "An optional identifier which can be used to reference the object elsewhere in the BOM. Every bom-ref MUST be unique within the BOM."
+ "description": "An identifier which can be used to reference the object elsewhere in the BOM. Every `bom-ref` must be unique within the BOM."
 },
 "name": {
 "type": "string",
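Review bot: The bom-ref description reworded in the -4870 hunk, and likewise in the -4904 and -4971 hunks, still omits the BOM-Link caveat that every other bom-ref description in this diff carries: `Value SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links.` All three go through `#/definitions/refType` like the others, so the caveat presumably applies here as well; appending it keeps the guidance consistent so generators do not emit colliding identifiers in these objects only. Suggested text for each: `"description": "An identifier which can be used to reference the object elsewhere in the BOM. Every \`bom-ref\` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links."`. The enclosing definitions start outside the hunks.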
@@ -4904,7 +5095,7 @@
 "bom-ref": {
 "$ref": "#/definitions/refType",
 "title": "BOM Reference",
- "description": "An optional identifier which can be used to reference the object elsewhere in the BOM. Every bom-ref MUST be unique within the BOM."
+ "description": "An identifier which can be used to reference the object elsewhere in the BOM. Every `bom-ref` must be unique within the BOM."
 },
 "identifier": {
 "type": "string",
@@ -4925,14 +5116,14 @@
 "type": "array",
 "title": "Descriptions",
 "description": "The supplemental text that provides additional guidance or context to the requirement, but is not directly part of the requirement.",
- "items": { "type": "string" }
+ "items": { "type": "string" }
 },
 "openCre": {
 "type": "array",
 "title": "OWASP OpenCRE Identifier(s)",
 "description": "The Common Requirements Enumeration (CRE) identifier(s). CRE is a structured and standardized framework for uniting security standards and guidelines. CRE links each section of a resource to a shared topic identifier (a Common Requirement). Through this shared topic link, all resources map to each other. Use of CRE promotes clear and unambiguous communication among stakeholders.",
 "items": {
- "type": "string",
+ "type": "string",
 "pattern": "^CRE:[0-9]+-[0-9]+$",
 "examples": [ "CRE:764-507" ]
 }
@@ -4940,12 +5131,12 @@ "parent": { "$ref": "#/definitions/refLinkType", "title": "Parent BOM Reference", - "description": "The optional `bom-ref` to a parent requirement. This establishes a hierarchy of requirements. Top-level requirements must not define a parent. Only child requirements should define parents." + "description": "The `bom-ref` to a parent requirement. This establishes a hierarchy of requirements. Top-level requirements must not define a parent. Only child requirements should define parents." }, "properties": { "type": "array", "title": "Properties", - "description": "Provides the ability to document properties in a name-value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. Unlike key-value stores, properties support duplicate names, each potentially having different values. Property names of interest to the general public are encouraged to be registered in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy). Formal registration is OPTIONAL.", + "description": "Provides the ability to document properties in a name-value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. Unlike key-value stores, properties support duplicate names, each potentially having different values. Property names of interest to the general public are encouraged to be registered in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy). Formal registration is optional.", "items": { "$ref": "#/definitions/property" } 
@@ -4971,7 +5162,7 @@ "bom-ref": { "$ref": "#/definitions/refType", "title": "BOM Reference", - "description": "An optional identifier which can be used to reference the object elsewhere in the BOM. Every bom-ref MUST be unique within the BOM." + "description": "An identifier which can be used to reference the object elsewhere in the BOM. Every `bom-ref` must be unique within the BOM." }, "identifier": { "type": "string", @@ -5065,6 +5256,7 @@ "kem", "ae", "combiner", + "key-wrap", "other", "unknown" ], 
@@ -5082,19 +5274,32 @@ "kem": "A Key Encapsulation Mechanism (KEM) algorithm is a mechanism for transporting random keying material to a recipient using the recipient's public key.", "ae": "Authenticated Encryption (AE) is a cryptographic process that provides both confidentiality and data integrity. It ensures that the encrypted data has not been tampered with and comes from a legitimate source. AE is commonly used in secure communication protocols.", "combiner": "A combiner aggregates many candidates for a cryptographic primitive and generates a new candidate for the same primitive.", + "key-wrap": "Key-wrap is a cryptographic technique used to securely encrypt and protect cryptographic keys using algorithms like AES.", "other": "Another primitive type.", "unknown": "The primitive is not known." } }, + "algorithmFamily": { + "$ref": "cryptography-defs.schema.json#/definitions/algorithmFamiliesEnum", + "title": "Algorithm Family", + "description": "A valid algorithm family identifier. If specified, this value must be one of the enumeration of valid algorithm Family identifiers defined in the `cryptography-defs.schema.json` subschema.", + "examples": ["3DES", "Blowfish", "ECDH"] + }, "parameterSetIdentifier": { "type": "string", "title": "Parameter Set Identifier", "description": "An identifier for the parameter set of the cryptographic algorithm. Examples: in AES128, '128' identifies the key length in bits, in SHA256, '256' identifies the digest length, '128' in SHAKE128 identifies its maximum security level in bits, and 'SHA2-128s' identifies a parameter set used in SLH-DSA (FIPS205)." }, "curve": { + "deprecated": true, "type": "string", "title": "Elliptic Curve", - "description": "The specific underlying Elliptic Curve (EC) definition employed which is an indicator of the level of security strength, performance and complexity. 
Absent an authoritative source of curve names, CycloneDX recommends using curve names as defined at [https://neuromancer.sk/std/](https://neuromancer.sk/std/), the source of which can be found at [https://github.com/J08nY/std-curves](https://github.com/J08nY/std-curves)." + "description": "[Deprecated] This will be removed in a future version. Use `@.ellipticCurve` instead.\nThe specific underlying Elliptic Curve (EC) definition employed which is an indicator of the level of security strength, performance and complexity. Absent an authoritative source of curve names, CycloneDX recommends using curve names as defined at [https://neuromancer.sk/std/](https://neuromancer.sk/std/), the source of which can be found at [https://github.com/J08nY/std-curves](https://github.com/J08nY/std-curves)." + }, + "ellipticCurve": { + "$ref": "cryptography-defs.schema.json#/definitions/ellipticCurvesEnum", + "title": "Elliptic Curve", + "description": "The specific underlying Elliptic Curve (EC) definition employed which is an indicator of the level of security strength, performance and complexity. If specified, this value must be one of the enumeration of valid elliptic curves identifiers defined in the `cryptography-defs.schema.json` subschema." }, "executionEnvironment": { "type": "string", @@ -5119,7 +5324,7 @@ }, "implementationPlatform": { "type": "string", - "title": "implementation platform", + "title": "Implementation platform", "description": "The target platform for which the algorithm is implemented. The implementation can be 'generic', running on any platform or for a specific platform.", "enum": [ "generic", @@ -5132,7 +5337,6 @@ "armv9-a", "armv9-m", "s390x", - "riscv64", "ppc64", "ppc64le", "other", 
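Review bot: The deprecation marker on `curve` reads `[Deprecated]` while every other deprecation in this commit (the certificate `signatureAlgorithmRef`, `subjectPublicKeyRef` and `certificateExtension`, and `algorithmRef` on related cryptographic material) uses `[DEPRECATED]`; anything that scans descriptions for the marker will miss this one, so the `curve` description should open with `[DEPRECATED] This will be removed in a future version.` like the others. Nothing in the hunk stops a producer from emitting both `curve` and `ellipticCurve` with disagreeing values, so the `ellipticCurve` description should state which field a consumer honours when both are present. The new `key-wrap` gloss, "using algorithms like AES", names a block cipher rather than a key-wrap construction; `"key-wrap": "Key-wrap is a cryptographic technique for encrypting and integrity-protecting cryptographic keys using a dedicated key-wrap algorithm such as AES Key Wrap (RFC 3394)."` is more precise. `algorithmFamily` and `ellipticCurve` rely on a relative `$ref` into `cryptography-defs.schema.json`, so validators that cannot resolve that sibling file will reject documents using them; presumably the release bundles it alongside, but that is outside this hunk.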
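Review bot: Removing `riscv64` from the `implementationPlatform` enum is a breaking change for existing documents: a BOM that declared `riscv64` under the previous schema will fail validation once it is checked against this one. Unless the value is retained elsewhere in the enum outside this hunk (a duplicate being cleaned up, say), keeping `"riscv64",` in the list for one release and documenting its removal in a `meta:enum` entry is the usual path. If the removal is deliberate, it belongs in the 1.7 migration notes.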
@@ -5303,6 +5507,11 @@ "description": "Properties for cryptographic assets of asset type 'certificate'", "additionalProperties": false, "properties": { + "serialNumber": { + "type": "string", + "title": "Serial Number", + "description": "The serial number is a unique identifier for the certificate issued by a CA." + }, "subjectName": { "type": "string", "title": "Subject Name", @@ -5326,14 +5535,16 @@ "description": "The date and time according to ISO-8601 standard from which the certificate is not valid anymore" }, "signatureAlgorithmRef": { + "deprecated": true, "$ref": "#/definitions/refType", "title": "Algorithm Reference", - "description": "The bom-ref to signature algorithm used by the certificate" + "description": "[DEPRECATED] This will be removed in a future version. Use `@.relatedCryptographicAssets` instead.\nThe bom-ref to signature algorithm used by the certificate" }, "subjectPublicKeyRef": { + "deprecated": true, "$ref": "#/definitions/refType", "title": "Key reference", - "description": "The bom-ref to the public key of the subject" + "description": "[DEPRECATED] This will be removed in a future version. Use `@.relatedCryptographicAssets` instead.\nThe bom-ref to the public key of the subject" }, "certificateFormat": { "type": "string", @@ -5347,9 +5558,10 @@ ] }, "certificateExtension": { + "deprecated": true, "type": "string", "title": "Certificate File Extension", - "description": "The file extension of the certificate", + "description": "[DEPRECATED] This will be removed in a future version. Use `@.certificateFileExtension` instead.\nThe file extension of the certificate", "examples": [ "crt", "pem", 
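Review bot: The new certificate `serialNumber` is an unconstrained string, so this hunk leaves the representation of the serial undefined — X.509 serials are integers of up to 20 octets, and tools print them as decimal, bare hex, or colon-separated hex, which makes values from different producers non-comparable. Consider fixing the convention in the description, e.g. append `Serial numbers should be expressed as the hexadecimal value of the certificate's serialNumber field, without separators or a 0x prefix.`, and add a `pattern` once the form is settled. The description's "unique identifier" is also only unique per issuing CA, which is worth stating since matching on serial alone across CAs is a known pitfall.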
@@ -5357,6 +5569,206 @@ "der", "p12" ] + }, + "certificateFileExtension": { + "type": "string", + "title": "Certificate File Extension", + "description": "The file extension of the certificate.", + "examples": [ + "crt", + "pem", + "cer", + "der", + "p12" + ] + }, + "fingerprint": { + "type": "object", + "$ref": "#/definitions/hash", + "title": "Certificate Fingerprint", + "description": "The fingerprint is a cryptographic hash of the certificate excluding it's signature." + }, + "certificateState": { + "type": "array", + "title": "Certificate Lifecycle State", + "description": "The certificate lifecycle is a comprehensive process that manages digital certificates from their initial creation to eventual expiration or revocation. It typically involves several stages", + "items": { + "type": "object", + "title": "State", + "description": "The state of the certificate.", + "oneOf": [ + { + "title": "Pre-Defined State", + "required": [ + "state" + ], + "additionalProperties": false, + "properties": { + "state": { + "type": "string", + "title": "State", + "description": "A pre-defined state in the certificate lifecycle.", + "enum": [ + "pre-activation", + "active", + "suspended", + "deactivated", + "revoked", + "destroyed" + ], + "meta:enum": { + "pre-activation": "The certificate has been issued by the issuing certificate authority (CA) but has not been authorized for use.", + "active": "The certificate may be used to cryptographically protect information, cryptographically process previously protected information, or both.", + "deactivated": "Certificates in the deactivated state shall not be used to apply cryptographic protection but, in some cases, may be used to process cryptographically protected information.", + "suspended": "The use of a certificate may be suspended for several possible reasons.", + "revoked": "A revoked certificate is a digital certificate that has been invalidated by the issuing certificate authority (CA) before its scheduled expiration 
date.", + "destroyed": "The certificate has been destroyed." + } + }, + "reason": { + "type": "string", + "title": "Reason", + "description": "A reason for the certificate being in this state." + } + } + }, + { + "title": "Custom State", + "required": [ + "name" + ], + "additionalProperties": false, + "properties": { + "name": { + "type": "string", + "title": "State", + "description": "The name of the certificate lifecycle state." + }, + "description": { + "type": "string", + "title": "Description", + "description": "The description of the certificate lifecycle state." + }, + "reason": { + "type": "string", + "title": "Reason", + "description": "A reason for the certificate being in this state." + } + } + } + ] + } + }, + "creationDate": { + "type": "string", + "format": "date-time", + "title": "Creation Date", + "description": "The date and time (timestamp) when the certificate was created or pre-activated." + }, + "activationDate": { + "type": "string", + "format": "date-time", + "title": "Activation Date", + "description": "The date and time (timestamp) when the certificate was activated." + }, + "deactivationDate": { + "type": "string", + "format": "date-time", + "title": "Deactivation Date", + "description": "The date and time (timestamp) when the related certificate was deactivated." + }, + "revocationDate": { + "type": "string", + "format": "date-time", + "title": "Revocation Date", + "description": "The date and time (timestamp) when the certificate was revoked." + }, + "destructionDate": { + "type": "string", + "format": "date-time", + "title": "Destruction Date", + "description": "The date and time (timestamp) when the certificate was destroyed." + }, + "certificateExtensions": { + "type": "array", + "title": "Certificate Extensions", + "description": "A certificate extension is a field that provides additional information about the certificate or its use. 
Extensions are used to convey additional information beyond the standard fields.", + "items": { + "type": "object", + "title": "Extension", + "description": "", + "oneOf": [ + { + "title": "Common Extensions", + "required": [ + "commonExtensionName", + "commonExtensionValue" + ], + "additionalProperties": false, + "properties": { + "commonExtensionName": { + "type": "string", + "title": "name", + "description": "The name of the extension.", + "enum": [ + "basicConstraints", + "keyUsage", + "extendedKeyUsage", + "subjectAlternativeName", + "authorityKeyIdentifier", + "subjectKeyIdentifier", + "authorityInformationAccess", + "certificatePolicies", + "crlDistributionPoints", + "signedCertificateTimestamp" + ], + "meta:enum": { + "basicConstraints": "Specifies whether a certificate can be used as a CA certificate or not.", + "keyUsage": "Specifies the allowed uses of the public key in the certificate.", + "extendedKeyUsage": "Specifies additional purposes for which the public key can be used.", + "subjectAlternativeName": "Allows inclusion of additional names to identify the entity associated with the certificate.", + "authorityKeyIdentifier": "Identifies the public key of the CA that issued the certificate.", + "subjectKeyIdentifier": "Identifies the public key associated with the entity the certificate was issued to.", + "authorityInformationAccess": "Contains CA issuers and OCSP information.", + "certificatePolicies": "Defines the policies under which the certificate was issued and can be used.", + "crlDistributionPoints": "Contains one or more URLs where a Certificate Revocation List (CRL) can be obtained.", + "signedCertificateTimestamp": "Shows that the certificate has been publicly logged, which helps prevent the issuance of rogue certificates by a CA. Log ID, timestamp and signature as proof." + } + }, + "commonExtensionValue": { + "type": "string", + "title": "Value", + "description": "The value of the certificate extension." 
+ } + } + }, + { + "title": "Custom Extensions", + "description": "Custom extensions may convey application-specific or vendor-specific data not covered by standard extensions. The structure and semantics of custom extensions are typically defined outside of public standards. CycloneDX leverages properties to support this capability.", + "required": [ + "customExtensionName" + ], + "additionalProperties": false, + "properties": { + "customExtensionName": { + "type": "string", + "title": "Name", + "description": "The name for the custom certificate extension." + }, + "customExtensionValue": { + "type": "string", + "title": "Value", + "description": "The description of the custom certificate extension." + } + } + } + ] + } + }, + "relatedCryptographicAssets": { + "$ref": "#/definitions/relatedCryptographicAssets", + "title": "Related Cryptographic Assets", + "description": "A list of cryptographic assets related to this component." } } }, 
@@ -5414,71 +5826,83 @@ } }, "id": { - "type": "string", - "title": "ID", - "description": "The optional unique identifier for the related cryptographic material." + "type": "string", + "title": "ID", + "description": "The unique identifier for the related cryptographic material." }, "state": { - "type": "string", - "title": "State", - "description": "The key state as defined by NIST SP 800-57.", - "enum": [ - "pre-activation", - "active", - "suspended", - "deactivated", - "compromised", - "destroyed" - ] + "type": "string", + "title": "State", + "description": "The key state as defined by NIST SP 800-57.", + "enum": [ + "pre-activation", + "active", + "suspended", + "deactivated", + "compromised", + "destroyed" + ] }, "algorithmRef": { - "$ref": "#/definitions/refType", - "title": "Algorithm Reference", - "description": "The bom-ref to the algorithm used to generate the related cryptographic material." + "deprecated": true, + "$ref": "#/definitions/refType", + "title": "Algorithm Reference", + "description": "[DEPRECATED] Use `@.relatedCryptographicAssets` instead.\nThe bom-ref to the algorithm used to generate the related cryptographic material." }, "creationDate": { - "type": "string", - "format": "date-time", - "title": "Creation Date", - "description": "The date and time (timestamp) when the related cryptographic material was created." + "type": "string", + "format": "date-time", + "title": "Creation Date", + "description": "The date and time (timestamp) when the related cryptographic material was created." }, "activationDate": { - "type": "string", - "format": "date-time", - "title": "Activation Date", - "description": "The date and time (timestamp) when the related cryptographic material was activated." + "type": "string", + "format": "date-time", + "title": "Activation Date", + "description": "The date and time (timestamp) when the related cryptographic material was activated." 
}, "updateDate": { - "type": "string", - "format": "date-time", - "title": "Update Date", - "description": "The date and time (timestamp) when the related cryptographic material was updated." + "type": "string", + "format": "date-time", + "title": "Update Date", + "description": "The date and time (timestamp) when the related cryptographic material was updated." }, "expirationDate": { - "type": "string", - "format": "date-time", - "title": "Expiration Date", - "description": "The date and time (timestamp) when the related cryptographic material expires." + "type": "string", + "format": "date-time", + "title": "Expiration Date", + "description": "The date and time (timestamp) when the related cryptographic material expires." }, "value": { - "type": "string", - "title": "Value", - "description": "The associated value of the cryptographic material." + "type": "string", + "title": "Value", + "description": "The associated value of the cryptographic material." }, "size": { - "type": "integer", - "title":"Size", - "description": "The size of the cryptographic asset (in bits)." + "type": "integer", + "title": "Size", + "description": "The size of the cryptographic asset (in bits)." }, "format": { - "type": "string", - "title": "Format", - "description": "The format of the related cryptographic material (e.g. P8, PEM, DER)." + "type": "string", + "title": "Format", + "description": "The format of the related cryptographic material (e.g. P8, PEM, DER)." }, "securedBy": { - "$ref": "#/definitions/securedBy", - "title": "Secured By", - "description": "The mechanism by which the cryptographic asset is secured by." + "$ref": "#/definitions/securedBy", + "title": "Secured By", + "description": "The mechanism by which the cryptographic asset is secured by." + }, + "fingerprint": { + "type": "object", + "$ref": "#/definitions/hash", + "title": "Fingerprint", + "description": "The fingerprint is a cryptographic hash of the asset." 
+ }, + "relatedCryptographicAssets": { + "$ref": "#/definitions/relatedCryptographicAssets", + "title": "Related Cryptographic Assets", + "description": "A list of cryptographic assets related to this component." } } }, @@ -5499,6 +5923,12 @@ "ike", "sstp", "wpa", + "dtls", + "quic", + "eap-aka", + "eap-aka-prime", + "prins", + "5g-aka", "other", "unknown" ], @@ -5509,6 +5939,12 @@ "ike": "Internet Key Exchange", "sstp": "Secure Socket Tunneling Protocol", "wpa": "Wi-Fi Protected Access", + "dtls": "Datagram Transport Layer Security", + "quic": "Quick UDP Internet Connections", + "eap-aka": "Extensible Authentication Protocol variant", + "eap-aka-prime": "Enhanced version of EAP-AKA", + "prins": "Protection of Inter-Network Signaling", + "5g-aka": "Authentication and Key Agreement for 5G", "other": "Another protocol type", "unknown": "The protocol type is not known" } 
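Review bot: The `algorithmRef` deprecation text in this hunk omits the "This will be removed in a future version." sentence that the certificate deprecations earlier in the commit carry, so a reader cannot tell whether this one is slated for removal; prefixing the existing description with that same sentence keeps the convention uniform. Most of the hunk is a re-indentation of otherwise unchanged properties, which buries the three real changes (the deprecation, `fingerprint`, `relatedCryptographicAssets`); a separate whitespace-only commit would make them reviewable at a glance.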
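Review bot: The new `meta:enum` glosses for `eap-aka` and `eap-aka-prime` ("Extensible Authentication Protocol variant", "Enhanced version of EAP-AKA") do not identify the method, unlike the neighbouring entries that spell out the protocol name; `"eap-aka": "Extensible Authentication Protocol Method for 3rd Generation Authentication and Key Agreement (EAP-AKA, RFC 4187)"` and `"eap-aka-prime": "Improved Extensible Authentication Protocol Method for 3GPP Mobile Network Authentication and Key Agreement (EAP-AKA', RFC 9048)"` would match the style of `ike` and `sstp`. As I recall, 3GPP TS 33.501 expands PRINS as "PRotocol for N32 INterconnect Security" rather than "Protection of Inter-Network Signaling"; worth checking against the spec before this ships.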
@@ -5535,45 +5971,122 @@ "ikev2TransformTypes": { "type": "object", "title": "IKEv2 Transform Types", - "description": "The IKEv2 transform types supported (types 1-4), defined in RFC7296 section 3.3.2, and additional properties.", + "description": "The IKEv2 transform types supported (types 1-4), defined in [RFC 7296 section 3.3.2](https://www.ietf.org/rfc/rfc7296.html#section-3.3.2), and additional properties.", "additionalProperties": false, "properties": { "encr": { - "$ref": "#/definitions/cryptoRefArray", - "title": "Encryption Algorithm (ENCR)", - "description": "Transform Type 1: encryption algorithms" + "title": "Encryption Algorithms (ENCR)", + "description": "Transform Type 1: encryption algorithms", + "anyOf": [ + { + "type": "array", + "title": "Encryption Algorithms (ENCR)", + "items": { + "$ref": "#/definitions/ikeV2Enc", + "title": "Encryption Algorithm (ENCR)" + } + }, + { + "deprecated": true, + "$ref": "#/definitions/cryptoRefArray", + "title": "Encryption Algorithm (ENCR) References", + "description": "[DEPRECATED] This will be removed in a future version.\nTransform Type 1: encryption algorithms" + } + ] }, "prf": { - "$ref": "#/definitions/cryptoRefArray", - "title": "Pseudorandom Function (PRF)", - "description": "Transform Type 2: pseudorandom functions" + "title": "Pseudorandom Functions (PRF)", + "description": "Transform Type 2: pseudorandom functions", + "anyOf": [ + { + "type": "array", + "title": "Pseudorandom Functions (PRF)", + "items": { + "$ref": "#/definitions/ikeV2Prf", + "title": "Pseudorandom Function (PRF)" + } + }, + { + "deprecated": true, + "$ref": "#/definitions/cryptoRefArray", + "description": "[DEPRECATED] This will be removed in a future version.\nTransform Type 2: pseudorandom functions" + } + ] }, "integ": { - "$ref": "#/definitions/cryptoRefArray", - "title": "Integrity Algorithm (INTEG)", - "description": "Transform Type 3: integrity algorithms" + "title": "Integrity Algorithms (INTEG)", + "description": "Transform 
Type 3: integrity algorithms", + "anyOf": [ + { + "type": "array", + "title": "Integrity Algorithms (INTEG)", + "items": { + "$ref": "#/definitions/ikeV2Integ", + "title": "Integrity Algorithm (INTEG)" + } + }, + { + "deprecated": true, + "$ref": "#/definitions/cryptoRefArray", + "description": "[DEPRECATED] This will be removed in a future version.\nTransform Type 3: integrity algorithms" + } + ] }, "ke": { - "$ref": "#/definitions/cryptoRefArray", - "title": "Key Exchange Method (KE)", - "description": "Transform Type 4: Key Exchange Method (KE) per RFC9370, formerly called Diffie-Hellman Group (D-H)" + "title": "Key Exchange Methods (KE)", + "description": "Transform Type 4: Key Exchange Method (KE) per [RFC 9370](https://www.ietf.org/rfc/rfc9370.html), formerly called Diffie-Hellman Group (D-H).", + "anyOf": [ + { + "type": "array", + "title": "Key Exchange Methods (KE)", + "items": { + "$ref": "#/definitions/ikeV2Ke", + "title": "Key Exchange Method (KE)" + } + }, + { + "deprecated": true, + "$ref": "#/definitions/cryptoRefArray", + "description": "[DEPRECATED] This will be removed in a future version.\nTransform Type 4: Key Exchange Method (KE) per [RFC 9370](https://www.ietf.org/rfc/rfc9370.html), formerly called Diffie-Hellman Group (D-H)." + } + ] }, "esn": { "type": "boolean", - "title": "Extended Sequence Numbers (ESN)", + "title": "Extended Sequence Number (ESN)", "description": "Specifies if an Extended Sequence Number (ESN) is used." 
}, "auth": { - "$ref": "#/definitions/cryptoRefArray", - "title": "IKEv2 Authentication method", - "description": "IKEv2 Authentication method" + "title": "IKEv2 Authentication methods", + "description": "IKEv2 Authentication method per [RFC9593](https://www.ietf.org/rfc/rfc9593.html).", + "anyOf": [ + { + "type": "array", + "title": "IKEv2 Authentication Methods", + "items": { + "$ref": "#/definitions/ikeV2Auth", + "title": "IKEv2 Authentication Method" + } + }, + { + "deprecated": true, + "$ref": "#/definitions/cryptoRefArray", + "description": "[DEPRECATED] This will be removed in a future version.\nIKEv2 Authentication method" + } + ] } } }, "cryptoRefArray": { + "deprecated": true, "$ref": "#/definitions/cryptoRefArray", "title": "Cryptographic References", - "description": "A list of protocol-related cryptographic assets" + "description": "[DEPRECATED] Use `@.relatedCryptographicAssets` instead.\nA list of protocol-related cryptographic assets" + }, + "relatedCryptographicAssets": { + "$ref": "#/definitions/relatedCryptographicAssets", + "title": "Related Cryptographic Assets", + "description": "A list of cryptographic assets related to this component." } } }, 
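Review bot: The deprecated `anyOf` branches for `prf`, `integ`, `ke` and `auth` have no `title`, while the one for `encr` has `"title": "Encryption Algorithm (ENCR) References"`; generated documentation will label the four untitled branches inconsistently, so adding a matching title to each (e.g. `"title": "Pseudorandom Function (PRF) References"`) keeps them uniform. The `auth` description cites `[RFC9593]` where the `ke` and object-level descriptions in the same hunk write `RFC 7296` and `RFC 9370` with a space; `[RFC 9593]` matches. One behavioural point worth a sentence in the `ikev2TransformTypes` description: because each branch is an array with a different item type, a list that mixes legacy refs with the new objects satisfies neither branch and fails validation, which is presumably the intended migration path but will surprise producers that append rather than replace.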
@@ -5621,15 +6134,183 @@ "0x9E" ] } + }, + "tlsGroups": { + "type": "array", + "title": "TLS Groups", + "description": "A list of TLS named groups (formerly known as curves) for this cipher suite. These groups define the parameters for key exchange algorithms like ECDHE.", + "items": { + "type": "string", + "title": "Group Name", + "description": "The name of the TLS group", + "examples": [ + "x25519", + "ffdhe2048" + ] + } + }, + "tlsSignatureSchemes": { + "type": "array", + "title": "TLS Signature Schemes", + "description": "A list of signature schemes supported for cipher suite. These schemes specify the algorithms used for digital signatures in TLS handshakes and certificate verification.", + "items": { + "type": "string", + "title": "Signature Scheme", + "description": "The name of the TLS signature scheme", + "examples": [ + "ecdsa_secp256r1_sha256", + "rsa_pss_rsae_sha256", + "ed25519" + ] + } + } + } + }, + "ikeV2Enc": { + "type": "object", + "title": "Encryption Algorithm (ENCR)", + "description": "Object representing an encryption algorithm (ENCR)", + "additionalProperties": false, + "properties": { + "name": { + "type": "string", + "title": "Name", + "description": "A name for the encryption method.", + "examples": [ + "ENCR_AES_GCM_16" + ] + }, + "keyLength": { + "type": "integer", + "title": "Encryption algorithm key length", + "description": "The key length of the encryption algorithm." + }, + "algorithm": { + "$ref": "#/definitions/refType", + "title": "Algorithm reference", + "description": "The bom-ref to algorithm cryptographic asset." 
+ } + } + }, + "ikeV2Prf": { + "type": "object", + "title": "Pseudorandom Function (PRF)", + "description": "Object representing a pseudorandom function (PRF)", + "additionalProperties": false, + "properties": { + "name": { + "type": "string", + "title": "Name", + "description": "A name for the pseudorandom function.", + "examples": [ + "PRF_HMAC_SHA2_256" + ] + }, + "algorithm": { + "$ref": "#/definitions/refType", + "title": "Algorithm reference", + "description": "The bom-ref to algorithm cryptographic asset." + } + } + }, + "ikeV2Integ": { + "type": "object", + "title": "Integrity Algorithm (INTEG)", + "description": "Object representing an integrity algorithm (INTEG)", + "additionalProperties": false, + "properties": { + "name": { + "type": "string", + "title": "Name", + "description": "A name for the integrity algorithm.", + "examples": [ + "AUTH_HMAC_SHA2_256_128" + ] + }, + "algorithm": { + "$ref": "#/definitions/refType", + "title": "Algorithm reference", + "description": "The bom-ref to algorithm cryptographic asset." + } + } + }, + "ikeV2Ke": { + "type": "object", + "title": "Key Exchange Method (KE)", + "description": "Object representing a key exchange method (KE)", + "additionalProperties": false, + "properties": { + "group": { + "type": "integer", + "title": "Group Identifier", + "description": "A group identifier for the key exchange algorithm." + }, + "algorithm": { + "$ref": "#/definitions/refType", + "title": "Algorithm reference", + "description": "The bom-ref to algorithm cryptographic asset." + } + } + }, + "ikeV2Auth": { + "type": "object", + "title": "IKEv2 Authentication method", + "description": "Object representing a IKEv2 Authentication method", + "additionalProperties": false, + "properties": { + "name": { + "type": "string", + "title": "Name", + "description": "A name for the authentication method." 
+ }, + "algorithm": { + "$ref": "#/definitions/refType", + "title": "Algorithm reference", + "description": "The bom-ref to algorithm cryptographic asset." } } }, "cryptoRefArray" : { + "deprecated": true, + "title": "Encryption Algorithm (ENCR) Reference Array", + "description": "Deprecated definition.", "type": "array", "items": { "$ref": "#/definitions/refType" } }, + "relatedCryptographicAssets": { + "type": "array", + "title": "Related Cryptographic Assets", + "description": "A list of cryptographic assets related to this component.", + "items": { + "$ref": "#/definitions/relatedCryptographicAsset", + "title": "Related Cryptographic Asset" + } + }, + "relatedCryptographicAsset": { + "type": "object", + "title": "Related Cryptographic Asset", + "description": "A cryptographic assets related to this component.", + "additionalProperties": false, + "properties": { + "type": { + "type": "string", + "title": "Type", + "description": "Specifies the mechanism by which the cryptographic asset is secured by.", + "examples": [ + "publicKey", + "privateKey", + "algorithm" + ] + }, + "ref": { + "$ref": "#/definitions/refType", + "title": "Reference to cryptographic asset", + "description": "The bom-ref to cryptographic asset." + } + } + }, "securedBy": { "type": "object", "title": "Secured By", 
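Review bot: The `type` property of the new `relatedCryptographicAsset` definition carries the `securedBy` wording "Specifies the mechanism by which the cryptographic asset is secured by", which does not describe a relationship, and as a bare string with only `examples` it is not validated at all; `"description": "The type of relationship between this component and the referenced cryptographic asset."` plus an `enum` (or at least a documented `pattern`) would make the field machine-checkable, since consumers will otherwise see publicKey, public-key and PublicKey from different producers. `ikeV2Enc.keyLength` is an integer with no unit or lower bound; `"description": "The key length of the encryption algorithm in bits."` with `"minimum": 0` matches how `size` is described as "(in bits)" elsewhere in this file. The retained `cryptoRefArray` definition is titled "Encryption Algorithm (ENCR) Reference Array" although the deprecated branches for PRF, INTEG, KE and AUTH reference it too, so "Cryptographic Reference Array" would be accurate. Also "A cryptographic assets related to this component." on `relatedCryptographicAsset` should be singular.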
@@ -5669,6 +6350,351 @@
 "translation",
 "object-detection"
 ]
+ },
+ "patentFamily": {
+ "type": "object",
+ "title": "Patent Family",
+ "description": "A patent family is a group of related patent applications or granted patents that cover the same or similar invention. These patents are filed in multiple jurisdictions to protect the invention across different regions or countries. A patent family typically includes patents that share a common priority date, originating from the same initial application, and may vary slightly in scope or claims to comply with regional legal frameworks. Fields align with WIPO ST.96 standards where applicable.",
+ "required": ["familyId"],
+ "additionalProperties": false,
+ "properties": {
+ "bom-ref": {
+ "$ref": "#/definitions/refType",
+ "title": "BOM Reference",
+ "description": "An identifier which can be used to reference the object elsewhere in the BOM. Every `bom-ref` must be unique within the BOM. \n\nFor a patent, it might be a good idea to use a patent number as the BOM reference ID."
+ },
+ "familyId": {
+ "type": "string",
+ "title": "Patent Family ID",
+ "description": "The unique identifier for the patent family, aligned with the `id` attribute in WIPO ST.96 v8.0's `PatentFamilyType`. Refer to [PatentFamilyType in ST.96](https://www.wipo.int/standards/XMLSchema/ST96/V8_0/Patent/PatentFamilyType.xsd)."
+ },
+ "priorityApplication": {
+ "$ref": "#/definitions/priorityApplication"
+ },
+ "members": {
+ "type": "array",
+ "title": "Family Members",
+ "description": "A collection of patents or applications that belong to this family, each identified by a `bom-ref` pointing to a patent object defined elsewhere in the BOM.",
+ "items": {
+ "$ref": "#/definitions/refLinkType",
+ "title": "BOM Reference",
+ "description": "A `bom-ref` linking to a patent or application object within the BOM."
+ }
+ },
+ "externalReferences": {
+ "type": "array",
+ "title": "External References",
+ "description": "External references provide a way to document systems, sites, and information that may be relevant but are not included with the BOM. They may also establish specific relationships within or external to the BOM.",
+ "items": {
+ "$ref": "#/definitions/externalReference"
+ }
+ }
+ }
+ },
+ "patent": {
+ "type": "object",
+ "title": "Patent",
+ "description": "A patent is a legal instrument, granted by an authority, that confers certain rights over an invention for a specified period, contingent on public disclosure and adherence to relevant legal requirements. The summary information in this object is aligned with [WIPO ST.96](https://www.wipo.int/standards/en/st96/) principles where applicable.",
+ "required": ["patentNumber", "jurisdiction", "patentLegalStatus"],
+ "additionalProperties": false,
+ "properties": {
+ "bom-ref": {
+ "$ref": "#/definitions/refType",
+ "title": "BOM Reference",
+ "description": "An identifier which can be used to reference the object elsewhere in the BOM. Every `bom-ref` must be unique within the BOM."
+ },
+ "patentNumber": {
+ "type": "string",
+ "pattern": "^[A-Za-z0-9][A-Za-z0-9\\-/.()\\s]{0,28}[A-Za-z0-9]$",
+ "title": "Patent Number",
+ "description": "The unique number assigned to the granted patent by the issuing authority. Aligned with `PatentNumber` in WIPO ST.96. 
Refer to [PatentNumber in ST.96](https://www.wipo.int/standards/XMLSchema/ST96/V8_0/Patent/PatentNumber.xsd).",
+ "examples": ["US987654321", "EP1234567B1"]
+ },
+ "applicationNumber": {
+ "$ref": "#/definitions/patentApplicationNumber"
+ },
+ "jurisdiction": {
+ "$ref": "#/definitions/patentJurisdiction"
+ },
+ "priorityApplication": {
+ "$ref": "#/definitions/priorityApplication"
+ },
+ "publicationNumber": {
+ "type": "string",
+ "pattern": "^[A-Za-z0-9][A-Za-z0-9\\-/.()\\s]{0,28}[A-Za-z0-9]$",
+ "title": "Patent Publication Number",
+ "description": "This is the number assigned to a patent application once it is published. Patent applications are generally published 18 months after filing (unless an applicant requests non-publication). This number is distinct from the application number. \n\nPurpose: Identifies the publicly available version of the application. \n\nFormat: Varies by jurisdiction, often similar to application numbers but includes an additional suffix indicating publication. \n\nExample:\n - US: US20240000123A1 (indicates the first publication of application US20240000123) \n - Europe: EP23123456A1 (first publication of European application EP23123456). \n\nWIPO ST.96 v8.0: \n - Publication Number field: https://www.wipo.int/standards/XMLSchema/ST96/V8_0/Patent/PublicationNumber.xsd"
+ },
+ "title": {
+ "type": "string",
+ "title": "Patent Title",
+ "description": "The title of the patent, summarising the invention it protects. Aligned with `InventionTitle` in WIPO ST.96. Refer to [InventionTitle in ST.96](https://www.wipo.int/standards/XMLSchema/ST96/V8_0/Patent/InventionTitle.xsd)."
+ },
+ "abstract": {
+ "type": "string",
+ "title": "Patent Abstract",
+ "description": "A brief summary of the invention described in the patent. Aligned with `Abstract` and `P` in WIPO ST.96. Refer to [Abstract in ST.96](https://www.wipo.int/standards/XMLSchema/ST96/V8_0/Patent/Abstract.xsd)."
+ },
+ "filingDate": {
+ "type": "string",
+ "format": "date",
+ "title": "Filing Date",
+ "description": "The date the patent application was filed with the jurisdiction. Aligned with `FilingDate` in WIPO ST.96. Refer to [FilingDate in ST.96](https://www.wipo.int/standards/XMLSchema/ST96/V8_0/Patent/FilingDate.xsd)."
+ },
+ "grantDate": {
+ "type": "string",
+ "format": "date",
+ "title": "Grant Date",
+ "description": "The date the patent was granted by the jurisdiction. Aligned with `GrantDate` in WIPO ST.96. Refer to [GrantDate in ST.96](https://www.wipo.int/standards/XMLSchema/ST96/V8_0/Patent/GrantDate.xsd)."
+ },
+ "patentExpirationDate": {
+ "type": "string",
+ "format": "date",
+ "title": "Expiration Date",
+ "description": "The date the patent expires. Derived from grant or filing date according to jurisdiction-specific rules."
+ },
+ "patentLegalStatus": {
+ "type": "string",
+ "title": "Legal Status",
+ "description": "Indicates the current legal status of the patent or patent application, based on the WIPO ST.27 standard. This status reflects administrative, procedural, or legal events. 
Values include both active and inactive states and are useful for determining enforceability, procedural history, and maintenance status.",
+ "enum": [
+ "pending",
+ "granted",
+ "revoked",
+ "expired",
+ "lapsed",
+ "withdrawn",
+ "abandoned",
+ "suspended",
+ "reinstated",
+ "opposed",
+ "terminated",
+ "invalidated",
+ "in-force"
+ ],
+ "meta:enum": {
+ "pending": "The patent application has been filed but not yet examined or granted.",
+ "granted": "The patent application has been examined and a patent has been issued.",
+ "revoked": "The patent has been declared invalid through a legal or administrative process.",
+ "expired": "The patent has reached the end of its enforceable term.",
+ "lapsed": "The patent is no longer in force due to non-payment of maintenance fees or other requirements.",
+ "withdrawn": "The patent application was voluntarily withdrawn by the applicant.",
+ "abandoned": "The patent application was abandoned, often due to lack of action or response.",
+ "suspended": "Processing of the patent application has been temporarily halted.",
+ "reinstated": "A previously abandoned or lapsed patent has been reinstated.",
+ "opposed": "The patent application or granted patent is under formal opposition proceedings.",
+ "terminated": "The patent or application has been officially terminated.",
+ "invalidated": "The patent has been invalidated, either in part or in full.",
+ "in-force": "The granted patent is active and enforceable."
+ }
+ },
+ "patentAssignee": {
+ "type": "array",
+ "title": "Patent Assignees",
+ "description": "A collection of organisations or individuals to whom the patent rights are assigned. 
This supports joint ownership and allows for flexible representation of both corporate entities and individual inventors.",
+ "items": {
+ "oneOf": [
+ {
+ "title": "Person",
+ "$ref": "#/definitions/organizationalContact"
+ },
+ {
+ "title": "Organizational Entity",
+ "$ref": "#/definitions/organizationalEntity"
+ }
+ ]
+ }
+ },
+ "externalReferences": {
+ "type": "array",
+ "title": "External References",
+ "description": "External references provide a way to document systems, sites, and information that may be relevant but are not included with the BOM. They may also establish specific relationships within or external to the BOM.",
+ "items": {
+ "$ref": "#/definitions/externalReference"
+ }
+ }
+ }
+ },
+ "patentAssertions": {
+ "type": "array",
+ "title": "Patent Assertions",
+ "description": "A list of assertions made regarding patents associated with this component or service. Assertions distinguish between ownership, licensing, and other relevant interactions with patents.",
+ "items": {
+ "type": "object",
+ "title": "Patent Assertion",
+ "description": "An assertion linking a patent or patent family to this component or service.",
+ "required": ["assertionType", "asserter"],
+ "additionalProperties": false,
+ "properties": {
+ "bom-ref": {
+ "$ref": "#/definitions/refType",
+ "title": "BOM Reference",
+ "description": "A reference to the patent or patent family object within the BOM. This must match the `bom-ref` of a `patent` or `patentFamily` object."
+ },
+ "assertionType": {
+ "type": "string",
+ "title": "Assertion Type",
+ "description": "The type of assertion being made about the patent or patent family. 
Examples include ownership, licensing, and standards inclusion.",
+ "enum": [
+ "ownership",
+ "license",
+ "third-party-claim",
+ "standards-inclusion",
+ "prior-art",
+ "exclusive-rights",
+ "non-assertion",
+ "research-or-evaluation"
+ ],
+ "meta:enum": {
+ "ownership": "The manufacturer asserts ownership of the patent or patent family.",
+ "license": "The manufacturer asserts they have a license to use the patent or patent family.",
+ "third-party-claim": "A third party has asserted a claim or potential infringement against the manufacturer’s component or service.",
+ "standards-inclusion": "The patent is part of a standard essential patent (SEP) portfolio relevant to the component or service.",
+ "prior-art": "The manufacturer asserts the patent or patent family as prior art that invalidates another patent or claim.",
+ "exclusive-rights": "The manufacturer asserts exclusive rights granted through a licensing agreement.",
+ "non-assertion": "The manufacturer asserts they will not enforce the patent or patent family against certain uses or users.",
+ "research-or-evaluation": "The patent or patent family is being used under a research or evaluation license."
+ }
+ },
+ "patentRefs": {
+ "type": "array",
+ "title": "Patent References",
+ "description": "A list of BOM references (`bom-ref`) linking to patents or patent families associated with this assertion.",
+ "items": {
+ "$ref": "#/definitions/refType"
+ }
+ },
+ "asserter": {
+ "oneOf": [
+ {
+ "$ref": "#/definitions/organizationalEntity",
+ "title": "Organizational Entity"
+ },
+ {
+ "$ref": "#/definitions/organizationalContact",
+ "title": "Person"
+ },
+ {
+ "$ref": "#/definitions/refLinkType",
+ "title": "Reference",
+ "description": "A reference to a previously defined `organizationalContact` or `organizationalEntity` object in the BOM. The value must be a valid `bom-ref` pointing to one of these objects."
+ }
+ ]
+ },
+ "notes": {
+ "type": "string",
+ "title": "Notes",
+ "description": "Additional notes or clarifications regarding the assertion, if necessary. For example, geographical restrictions, duration, or limitations of a license."
+ }
+ }
+ }
+ },
+ "patentApplicationNumber": {
+ "type": "string",
+ "pattern": "^[A-Za-z0-9][A-Za-z0-9\\-/.()\\s]{0,28}[A-Za-z0-9]$",
+ "title": "Patent Application Number",
+ "description": "The unique number assigned to a patent application when it is filed with a patent office. It is used to identify the specific application and track its progress through the examination process. Aligned with `ApplicationNumber` in ST.96. Refer to [ApplicationIdentificationType in ST.96](https://www.wipo.int/standards/XMLSchema/ST96/V8_0/Patent/ApplicationIdentificationType.xsd).",
+ "examples": ["US20240000123", "EP23123456"]
+ },
+ "patentJurisdiction": {
+ "type": "string",
+ "title": "Jurisdiction",
+ "description": "The jurisdiction or patent office where the priority application was filed, specified using WIPO ST.3 codes. Aligned with `IPOfficeCode` in ST.96. Refer to [IPOfficeCode in ST.96](https://www.wipo.int/standards/XMLSchema/ST96/V8_0/Common/IPOfficeCode.xsd).",
+ "pattern": "^[A-Z]{2}$",
+ "examples": ["US", "EP", "JP"]
+ },
+ "patentFilingDate": {
+ "type": "string",
+ "format": "date",
+ "title": "Filing Date",
+ "description": "The date the priority application was filed, aligned with `FilingDate` in ST.96. Refer to [FilingDate in ST.96](https://www.wipo.int/standards/XMLSchema/ST96/V8_0/Patent/FilingDate.xsd)."
+ },
+ "priorityApplication": {
+ "type": "object",
+ "title": "Priority Application",
+ "description": "The priorityApplication contains the essential data necessary to identify and reference an earlier patent filing for priority rights. 
In line with WIPO ST.96 guidelines, it includes the jurisdiction (office code), application number, and filing date-the three key elements that uniquely specify the priority application in a global patent context.",
+ "required": ["applicationNumber", "jurisdiction", "filingDate"],
+ "additionalProperties": false,
+ "properties": {
+ "applicationNumber": {
+ "$ref": "#/definitions/patentApplicationNumber"
+ },
+ "jurisdiction": {
+ "$ref": "#/definitions/patentJurisdiction"
+ },
+ "filingDate": {
+ "$ref": "#/definitions/patentFilingDate"
+ }
+ }
+ },
+ "citation": {
+ "type": "object",
+ "title": "Citation",
+ "description": "Details a specific attribution of data within the BOM to a contributing entity or process.",
+ "additionalProperties": false,
+ "properties": {
+ "bom-ref": {
+ "$ref": "#/definitions/refType",
+ "title": "BOM Reference"
+ },
+ "pointers": {
+ "type": "array",
+ "items": {
+ "type": "string",
+ "title": "Field Reference",
+ "description": "A [JSON Pointer](https://datatracker.ietf.org/doc/html/rfc6901) identifying the BOM field to which the attribution applies.\nUsers of other serialization formats (e.g. XML) shall use the JSON Pointer format to ensure consistent field referencing across representations."
+ },
+ "minItems": 1,
+ "title": "Field References",
+ "description": "One or more [JSON Pointers](https://datatracker.ietf.org/doc/html/rfc6901) identifying the BOM fields to which the attribution applies.\nExactly one of the \"pointers\" or \"expressions\" elements must be present."
+ },
+ "expressions": {
+ "type": "array",
+ "items": {
+ "type": "string",
+ "title": "Path Expression",
+ "description": "Specifies a path expression used to locate a value within a BOM. 
The expression syntax shall conform to the format of the BOM's serialization.\nUse [JSONPath](https://datatracker.ietf.org/doc/html/rfc9535) for JSON, [XPath](https://www.w3.org/TR/xpath/) for XML, and default to JSONPath for Protocol Buffers unless otherwise specified.\nImplementers shall ensure the expression is valid within the context of the applicable serialization format."
+ },
+ "minItems": 1,
+ "title": "Path Expressions",
+ "description": "One or more path expressions used to locate values within a BOM.\nExactly one of the \"pointers\" or \"expressions\" elements must be present."
+ },
+ "timestamp": {
+ "type": "string",
+ "format": "date-time",
+ "title": "Timestamp",
+ "description": "The date and time when the attribution was made or the information was supplied."
+ },
+ "attributedTo": {
+ "$ref": "#/definitions/refLinkType",
+ "title": "Attributed To",
+ "description": "The `bom-ref` of an object, such as a component, service, tool, organisational entity, or person that supplied the cited information.\nAt least one of the \"attributedTo\" or \"process\" elements must be present."
+ },
+ "process": {
+ "$ref": "#/definitions/refLinkType",
+ "title": "Process Reference",
+ "description": "The `bom-ref` to a process (such as a formula, workflow, task, or step) defined in the `formulation` section that executed or generated the attributed data.\nAt least one of the \"attributedTo\" or \"process\" elements must be present."
+ },
+ "note": {
+ "type": "string",
+ "title": "Note",
+ "description": "A description or comment about the context or quality of the data attribution."
+ },
+ "signature": {
+ "$ref": "#/definitions/signature",
+ "title": "Signature",
+ "description": "A digital signature verifying the authenticity or integrity of the attribution."
+ } + }, + "required": ["timestamp"], + "anyOf": [ + { "required": ["attributedTo"] }, + { "required": ["process"] } + ], + "oneOf": [ + { "required": ["pointers"] }, + { "required": ["expressions"] } + ] } } -} +} \ No newline at end of file diff --git a/schema/cyclonedx/cyclonedx.xsd b/schema/cyclonedx/cyclonedx.xsd index 21a591414..e7e13f796 100644 --- a/schema/cyclonedx/cyclonedx.xsd +++ b/schema/cyclonedx/cyclonedx.xsd @@ -16,13 +16,13 @@ limitations under the License. --> + version="1.7.1"> @@ -76,7 +76,7 @@ limitations under the License. - DEPRECATED. Use tools\components or tools\services instead. + DEPRECATED. Use `../components` or `../services` instead. @@ -253,9 +253,29 @@ limitations under the License. without having to use additional namespaces or create extensions. Property names of interest to the general public are encouraged to be registered in the CycloneDX Property Taxonomy - https://github.com/CycloneDX/cyclonedx-property-taxonomy. - Formal registration is OPTIONAL. + Formal registration is optional. + + + + Conditions and constraints governing the sharing and distribution of the data or components + described by this BOM. + + + + + + + + The Traffic Light Protocol (TLP) classification that controls the sharing and + distribution of the data that the BOM describes. + + + + + + @@ -355,7 +375,10 @@ limitations under the License. - The URL of the organization. Multiple URLs are allowed. + + The URL of the organization. Multiple URLs are allowed. + Example: https://example.com + @@ -374,7 +397,7 @@ limitations under the License. - An optional identifier which can be used to reference the object elsewhere in the BOM. + An identifier which can be used to reference the object elsewhere in the BOM. Uniqueness is enforced within all elements and children of the root-level bom element. 
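Review bot: In `patentAssertions` the `bom-ref` property is documented as "A reference to the patent or patent family object within the BOM. This must match the `bom-ref` of a `patent` or `patentFamily` object", which contradicts every other `bom-ref` in this hunk (`patentFamily`, `patent` and `citation` describe it as the object's own identifier that "must be unique within the BOM") and duplicates the purpose of the sibling `patentRefs` array. A consumer that resolves links by matching `bom-ref` values will either see the same identifier on both the patent and the assertion, breaking the uniqueness rule, or silently fail to connect them. Suggest giving the assertion's `bom-ref` the standard self-identifier description and typing `patentRefs` items as links the way `patentFamily.members` already does: `"items": { "$ref": "#/definitions/refLinkType" }`. The shared `patentJurisdiction` description also speaks only of "where the priority application was filed" although it is reused for `patent.jurisdiction`; `"The jurisdiction or patent office that received the application, specified using WIPO ST.3 codes."` would cover both uses.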
@@ -387,6 +410,52 @@ limitations under the License. + + + + Traffic Light Protocol (TLP) is a classification system for identifying the potential risk associated with artefact, including whether it is subject to certain types of legal, financial, or technical threats. Refer to https://www.first.org/tlp/ for further information. + The default classification is "CLEAR" + + + + + + + The information is not subject to any restrictions as regards the sharing. + + + + + + + The information is subject to limited disclosure, and recipients can share it within their community but not via publicly accessible channels. + + + + + + + The information is subject to limited disclosure, and recipients can only share it on a need-to-know basis within their organization and with clients. + + + + + + + The information is subject to limited disclosure, and recipients can only share it on a need-to-know basis within their organization. + + + + + + + The information is subject to restricted distribution to individual recipients only and must not be shared. + + + + + + Information about the automated or manual tool used @@ -463,7 +532,7 @@ limitations under the License. - An optional identifier which can be used to reference the object elsewhere in the BOM. + An identifier which can be used to reference the object elsewhere in the BOM. Uniqueness is enforced within all elements and children of the root-level bom element. @@ -551,12 +620,26 @@ limitations under the License. of the component. Examples: commons-lang3 and jquery - + - The component version. The version should ideally comply with semantic versioning - but is not enforced. + Must be used exclusively, either 'version' or 'versionRange', but not both. - + + + The component version. The version should ideally comply with semantic versioning + but is not enforced. + + + + + + + + Specifies a description for the component @@ -569,6 +652,9 @@ limitations under the License. + + The hashes of the component. + 
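Review bot: The new `tlp` documentation says 'The default classification is "CLEAR"', yet every BOM produced against 1.6 or earlier omits the `distribution` element, so a consumer honouring that default will treat all such BOMs as freely shareable, which is the least safe reading of missing data. Suggest documenting absence as unlabelled and leaving the handling decision to the recipient, e.g. `When no TLP label is present, no classification is asserted; recipients should apply their own handling policy rather than assume CLEAR.` The label also lives inside the document it governs, so it should only be relied upon after the BOM's signature has been verified, and a sentence saying so would help implementers. The element and attribute declarations are stripped in this rendering, so I cannot confirm whether the default is also expressed in the schema itself.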
@@ -578,10 +664,21 @@ limitations under the License. - A copyright notice informing users of the underlying claims to - copyright ownership in a published work. + A copyright notice informing users of the underlying claims to copyright ownership in a published work. + + + + A list of assertions made regarding patents associated with this component or service. Assertions distinguish between ownership, licensing, and other relevant interactions with patents. + + + + + + + + @@ -592,7 +689,7 @@ limitations under the License. - Specifies the package-url (purl). The purl, if specified, MUST be valid and conform + Specifies the package-url (purl). The purl, if specified, must be valid and conform to the specification defined at: https://github.com/package-url/purl-spec @@ -600,7 +697,7 @@ limitations under the License. - Specifies the OmniBOR Artifact ID. The OmniBOR, if specified, MUST be valid and conform + Specifies the OmniBOR Artifact ID. The OmniBOR, if specified, must be valid and conform to the specification defined at: https://www.iana.org/assignments/uri-schemes/prov/gitoid @@ -608,7 +705,7 @@ limitations under the License. - Specifies the Software Heritage persistent identifier (SWHID). The SWHID, if specified, MUST + Specifies the Software Heritage persistent identifier (SWHID). The SWHID, if specified, must be valid and conform to the specification defined at: https://docs.softwareheritage.org/devel/swh-model/persistent-identifiers.html @@ -653,7 +750,7 @@ limitations under the License. without having to use additional namespaces or create extensions. Property names of interest to the general public are encouraged to be registered in the CycloneDX Property Taxonomy - https://github.com/CycloneDX/cyclonedx-property-taxonomy. - Formal registration is OPTIONAL. + Formal registration is optional. @@ -684,7 +781,7 @@ limitations under the License. - Specifies optional release notes. + Specifies release notes. 
@@ -693,12 +790,12 @@ limitations under the License. limitations, including biases and ethical considerations. Model cards typically contain the training parameters, which datasets were used to train the model, performance metrics, and other relevant data useful for ML transparency. This object SHOULD be specified for any component of - type `machine-learning-model` and MUST NOT be specified for other component types. + type `machine-learning-model` and must not be specified for other component types. - + - This object SHOULD be specified for any component of type `data` and MUST NOT be + This object SHOULD be specified for any component of type `data` and must not be specified for other component types. @@ -734,16 +831,25 @@ limitations under the License. - The OPTIONAL mime-type of the component. When used on file components, the mime-type + The mime-type of the component. When used on file components, the mime-type can provide additional context about the kind of file being represented such as an image, font, or executable. Some library or framework components may also have an associated mime-type. + + + + Determine whether this component is external. + An external component is one that is not part of an assembly, but is expected to be provided by the environment, regardless of the component's `@scope`. This setting can be useful for distinguishing which components are bundled with the product and which can be relied upon to be present in the deployment environment. + This may be set to `true` for runtime components only. For `/metadata/component`, it must be set to `false`. + + + - An optional identifier which can be used to reference the component elsewhere in the BOM. + An identifier which can be used to reference the component elsewhere in the BOM. Uniqueness is enforced within all elements and children of the root-level bom element. 
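Review bot: The rules attached to the new `external` attribute — 'This may be set to `true` for runtime components only' and 'For `/metadata/component`, it must be set to `false`' — are stated only in documentation, so schema validation will accept a BOM that violates them, and tooling that uses `external` to decide what is bundled versus environment-provided has to enforce them itself. Suggest saying so explicitly: `These constraints are not enforced by the schema; validators and consumers must check them.` The attribute declaration is stripped in this rendering, so I cannot confirm whether it carries a default; if it does not, the documentation should state what an absent attribute means for a consumer.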
@@ -754,180 +860,21 @@ limitations under the License. do not have the same name as an existing attribute used by the schema. + - - - - - - A valid SPDX license ID - - - - - If SPDX does not define the license used, this field may be used to provide the license name - - - - - - Specifies the optional full text of the attachment - - - - - The URL to the attachment file. If the attachment is a license or BOM, - an externalReference should also be specified for completeness. - - - - - Licensing details describing the licensor/licensee, license type, renewal and - expiration dates, and other important metadata - - - - - - License identifiers that may be used to manage licenses and - their lifecycle - - - - - - - - - - The individual or organization that grants a license to another - individual or organization - - - - - - - The organization that granted the license - - - - - The individual, not associated with an organization, - that granted the license - - - - - - - - - The individual or organization for which a license was granted to - - - - - - - The organization that was granted the license - - - - - The individual, not associated with an organization, - that was granted the license - - - - - - - - - The individual or organization that purchased the license - - - - - - - The organization that purchased the license - - - - - The individual, not associated with an organization, - that purchased the license - - - - - - - - - The purchase order identifier the purchaser sent to a supplier or - vendor to authorize a purchase - - - - - The type of license(s) that was granted to the licensee - - - - - - - - - - The timestamp indicating when the license was last - renewed. For new purchases, this is often the purchase or acquisition date. - For non-perpetual licenses or subscriptions, this is the timestamp of when the - license was last renewed. - - - - - The timestamp indicating when the current license - expires (if applicable). 
- - - - - - Allows any undeclared elements as long as the elements are placed in a different namespace. - - - - - - - - - Provides the ability to document properties in a name/value store. - This provides flexibility to include data not officially supported in the standard - without having to use additional namespaces or create extensions. Property names - of interest to the general public are encouraged to be registered in the - CycloneDX Property Taxonomy - https://github.com/CycloneDX/cyclonedx-property-taxonomy. - Formal registration is OPTIONAL. - - - - - - Allows any undeclared elements as long as the elements are placed in a different namespace. - - - - + - An optional identifier which can be used to reference the license elsewhere in the BOM. + An identifier which can be used to reference the license elsewhere in the BOM. Uniqueness is enforced within all elements and children of the root-level bom element. 
@@ -949,6 +896,301 @@ limitations under the License. + + + + + + + License identifiers that may be used to manage licenses and + their lifecycle + + + + + + + + + + The individual or organization that grants a license to another + individual or organization + + + + + + + The organization that granted the license + + + + + The individual, not associated with an organization, + that granted the license + + + + + + + + + The individual or organization for which a license was granted to + + + + + + + The organization that was granted the license + + + + + The individual, not associated with an organization, + that was granted the license + + + + + + + + + The individual or organization that purchased the license + + + + + + + The organization that purchased the license + + + + + The individual, not associated with an organization, + that purchased the license + + + + + + + + + The purchase order identifier the purchaser sent to a supplier or + vendor to authorize a purchase + + + + + The type of license(s) that was granted to the licensee + + + + + + + + + + The timestamp indicating when the license was last + renewed. For new purchases, this is often the purchase or acquisition date. + For non-perpetual licenses or subscriptions, this is the timestamp of when the + license was last renewed. + + + + + The timestamp indicating when the current license + expires (if applicable). + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + + + Specifies the details and attributes related to a software license. + It can either include a valid SPDX license identifier or a named license, along with additional + properties such as license acknowledgment, comprehensive commercial licensing information, and + the full text of the license. + + + + + + A valid SPDX license identifier. 
If specified, this value must be one of the enumeration of valid SPDX license identifiers defined in the spdx.schema.json (or spdx.xml) subschema which is synchronized with the official SPDX license list. + + + + + The name of the license. This may include the name of a commercial or proprietary license or an open source license that may not be defined by SPDX. + + + + + + Specifies the full text of the attachment + + + + + The URL to the attachment file. If the attachment is a license or BOM, + an externalReference should also be specified for completeness. + + + + + Licensing details describing the licensor/licensee, license type, renewal and + expiration dates, and other important metadata + + + + + Provides the ability to document properties in a name/value store. + This provides flexibility to include data not officially supported in the standard + without having to use additional namespaces or create extensions. Property names + of interest to the general public are encouraged to be registered in the + CycloneDX Property Taxonomy - https://github.com/CycloneDX/cyclonedx-property-taxonomy. + Formal registration is optional. + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + + + + + + A valid SPDX license expression. + Refer to https://spdx.org/specifications for syntax requirements. + + Example values: + - Apache-2.0 AND (MIT OR GPL-2.0-only) + - GPL-3.0-only WITH Classpath-exception-2.0 + + + + + + + + + + + Specifies the details and attributes related to a software license. + It must be a valid SPDX license expression, along with additional properties such as license acknowledgment. + + + + + + Details for parts of the `expression`. + + + + + This document specifies the details and attributes related to a software license identifier. An SPDX expression may be a compound of license identifiers. + The `license-identifier` attribute serves as the key that identifies each record. 
Note that this key is not required to be unique, as the same license identifier could apply to multiple, different but similar license details, texts, etc. + + + + + + A way to include the textual content of the license. + + + + + The URL to the attachment file. If the attachment is a license or BOM, + an externalReference should also be specified for completeness. + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + + A valid SPDX license identifier. Refer to https://spdx.org/specifications for syntax requirements. + This attribute serves as the primary key, which uniquely identifies each record. + + Example values: + - Apache-2.0 + - GPL-3.0-only WITH Classpath-exception-2.0 + - LicenseRef-my-custom-license + + + + + + + An identifier which can be used to reference the license elsewhere in the BOM. + Uniqueness is enforced within all elements and children of the root-level bom element. + + + + + + + + Licensing details describing the licensor/licensee, license type, renewal and + expiration dates, and other important metadata + + + + + Provides the ability to document properties in a name/value store. + This provides flexibility to include data not officially supported in the standard + without having to use additional namespaces or create extensions. Property names + of interest to the general public are encouraged to be registered in the + CycloneDX Property Taxonomy - https://github.com/CycloneDX/cyclonedx-property-taxonomy. + Formal registration is optional. + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + + A valid SPDX license expression. + Refer to https://spdx.org/specifications for syntax requirements. + + Example values: + - Apache-2.0 AND (MIT OR GPL-2.0-only) + - GPL-3.0-only WITH Classpath-exception-2.0 + + + 
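Review bot: The `license-identifier` attribute is documented with contradictory uniqueness claims: the details element says 'this key is not required to be unique, as the same license identifier could apply to multiple, different but similar license details', while the attribute's own documentation says it 'serves as the primary key, which uniquely identifies each record'. Consumers that map identifiers to license texts when resolving the parts of an `expression` need to know which reading applies; if duplicates are permitted, the attribute text should read `This attribute serves as the key for each record; it is not required to be unique.` The example `GPL-3.0-only WITH Classpath-exception-2.0` listed under the identifier is an SPDX expression form rather than a bare identifier, which blurs the distinction this hunk draws between `expression` and `id`; confirm against the SPDX syntax before keeping it in the identifier examples. The element and attribute declarations are stripped in this rendering, so I can only judge the documentation text.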
@@ -959,14 +1201,20 @@ limitations under the License. - Specifies the content type of the text. Defaults to text/plain - if not specified. + + Specifies the format and nature of the data being attached, helping systems correctly + interpret and process the content. Common content type examples include `application/json` + for JSON data and `text/plain` for plain text documents. + RFC 2045 section 5.1 outlines the structure and use of content types. For a comprehensive + list of registered content types, refer to the IANA media types registry at + https://www.iana.org/assignments/media-types/media-types.xhtml. + - Specifies the optional encoding the text is represented in + Specifies the encoding the text is represented in @@ -1045,8 +1293,11 @@ limitations under the License. - A runtime environment which interprets or executes software. This may include - runtimes such as those that execute bytecode or low-code/no-code application platforms. + + A runtime environment that interprets or executes software. + This may include runtimes such as those that execute bytecode, just-in-time compilers, + interpreters, or low-code/no-code application platforms. + @@ -1117,6 +1368,8 @@ limitations under the License. + + @@ -1379,8 +1632,11 @@ limitations under the License. - The URL to the license file. If a license URL has been defined in the license - node, it should also be defined as an external reference for completeness + + The URL to the license file. If a license URL has been defined in the license + node, it should also be defined as an external reference for completeness. + Example: https://www.apache.org/licenses/LICENSE-2.0.txt + @@ -1427,7 +1683,7 @@ limitations under the License. - Describes how a component or service was manufactured or deployed. + Describes the formulation of any referencable object within the BOM, including components, services, metadata, declarations, or the BOM itself. 
@@ -1507,7 +1763,7 @@ limitations under the License. - Plans of Action and Milestones (POAM) complement an "attestation" external reference. POAM is defined by NIST as a "document that identifies tasks needing to be accomplished. It details resources required to accomplish the elements of the plan, any milestones in meeting the tasks and scheduled completion dates for the milestones". + Plans of Action and Milestones (POA&M) complement an "attestation" external reference. POA&M is defined by NIST as a "document that identifies tasks needing to be accomplished. It details resources required to accomplish the elements of the plan, any milestones in meeting the tasks and scheduled completion dates for the milestones". 
@@ -1525,6 +1781,26 @@ limitations under the License. Document that complies with RFC-9116 (A File Format to Aid in Security Vulnerability Disclosure) + + + References information about patents which may be defined in human-readable documents or in machine-readable formats such as CycloneDX or ST.96. For detailed patent information or to reference the information provided directly by patent offices, it is recommended to leverage standards from the World Intellectual Property Organization (WIPO) such as [ST.96](https://www.wipo.int/standards/en/st96). + + + + + References information about a patent family which may be defined in human-readable documents or in machine-readable formats such as CycloneDX or ST.96. A patent family is a group of related patent applications or granted patents that cover the same or similar invention. For detailed patent family information or to reference the information provided directly by patent offices, it is recommended to leverage standards from the World Intellectual Property Organization (WIPO) such as [ST.96](https://www.wipo.int/standards/en/st96). + + + + + References assertions made regarding patents associated with a component or service. Assertions distinguish between ownership, licensing, and other relevant interactions with patents. + + + + + A reference to external citations applicable to the object identified by this BOM entry or the BOM itself. When used with a BOM-Link, this allows offloading citations into a separate CycloneDX BOM. + + Use this if no other types accurately describe the purpose of the external reference @@ -1567,7 +1843,7 @@ limitations under the License. - An optional comment describing the external reference + A comment describing the external reference 
@@ -1577,6 +1853,16 @@ limitations under the License. + + + Provides the ability to document properties in a name/value store. + This provides flexibility to include data not officially supported in the standard + without having to use additional namespaces or create extensions. Property names + of interest to the general public are encouraged to be registered in the + CycloneDX Property Taxonomy - https://github.com/CycloneDX/cyclonedx-property-taxonomy. + Formal registration is optional. + + @@ -1758,7 +2044,7 @@ limitations under the License. - Specifies the optional text of the diff + Specifies the text of the diff @@ -1825,6 +2111,12 @@ limitations under the License. + + + A collection of URL's for reference. Multiple URLs are allowed. + Example: "https://example.com" + + @@ -1981,10 +2273,10 @@ limitations under the License. Defines the direct dependencies of a component or service. Components or services - that do not have their own dependencies MUST be declared as empty elements within the graph. - Components or services that are not represented in the dependency graph MAY have unknown - dependencies. It is RECOMMENDED that implementations assume this to be opaque and not an - indicator of a object being dependency-free. It is RECOMMENDED to leverage compositions to + that do not have their own dependencies must be declared as empty elements within the graph. + Components or services that are not represented in the dependency graph may have unknown + dependencies. It is recommended that implementations assume this to be opaque and not an + indicator of a object being dependency-free. It is recommended to leverage compositions to indicate unknown dependency graphs. @@ -2041,6 +2333,12 @@ limitations under the License. + + + The endpoint URIs of the service. Multiple endpoints are allowed. + Example: "https://example.com/api/v1/ticker" + + 
@@ -2071,12 +2369,15 @@ limitations under the License. + + Specifies information about the data including the directional flow of data and the data classification. + - DEPRECATED: Specifies the data classification. THIS FIELD IS DEPRECATED AS OF v1.5. Use dataflow\classification instead + DEPRECATED: Specifies the data classification. THIS FIELD IS DEPRECATED AS OF v1.5. Use `./dataflow/classification` instead @@ -2147,6 +2448,18 @@ limitations under the License. + + + + A list of assertions made regarding patents associated with this component or service. Assertions distinguish between ownership, licensing, and other relevant interactions with patents. + + + + + + + + Provides the ability to document external references related to the service. @@ -2159,7 +2472,7 @@ limitations under the License. without having to use additional namespaces or create extensions. Property names of interest to the general public are encouraged to be registered in the CycloneDX Property Taxonomy - https://github.com/CycloneDX/cyclonedx-property-taxonomy. - Formal registration is OPTIONAL. + Formal registration is optional. @@ -2184,7 +2497,7 @@ limitations under the License. - Specifies optional release notes. + Specifies release notes. @@ -2199,7 +2512,7 @@ limitations under the License. - An optional identifier which can be used to reference the service elsewhere in the BOM. + An identifier which can be used to reference the service elsewhere in the BOM. Uniqueness is enforced within all elements and children of the root-level bom element. 
@@ -2236,70 +2549,51 @@ limitations under the License. states that the direction is not known. - - - - + + + + Data that enters a service. + + + + + + Data that exits a service. + + + + + Data flows in and out of the service. + + + + + The directional flow of data is not known. + + - - - - - A valid SPDX license expression. - Refer to https://spdx.org/specifications for syntax requirements - - Example values: - - Apache-2.0 AND (MIT OR GPL-2.0-only) - - GPL-3.0-only WITH Classpath-exception-2.0 - - - - - - - - - An optional identifier which can be used to reference the license elsewhere in the BOM. - Uniqueness is enforced within all elements and children of the root-level bom element. - - - - - - - Declared licenses and concluded licenses represent two different stages in the - licensing process within software development. Declared licenses refer to the - initial intention of the software authors regarding the licensing terms under - which their code is released. On the other hand, concluded licenses are the - result of a comprehensive analysis of the project's codebase to identify and - confirm the actual licenses of the components used, which may differ from the - initially declared licenses. While declared licenses provide an upfront indication - of the licensing intentions, concluded licenses offer a more thorough understanding - of the actual licensing within a project, facilitating proper compliance and risk - management. Observed licenses are defined in `evidence.licenses`. Observed licenses - form the evidence necessary to substantiate a concluded license. - - - - - - - + + A list of SPDX licenses and/or named licenses and/or SPDX License Expression. + + + + + - - - Declared licenses represent the initial intentions of authors regarding - the licensing terms of their code. - - + + + Declared licenses represent the initial intentions of authors regarding + the licensing terms of their code. + + 
@@ -2419,7 +2713,7 @@ limitations under the License. Evidence that substantiates the identity of a component. The identify may be an object or an array of identity objects. Support for specifying identity as a single object was - introduced in CycloneDX v1.5. "unbounded" was introduced in v1.6. It is RECOMMENDED that all + introduced in CycloneDX v1.5. "unbounded" was introduced in v1.6. It is recommended that all implementations are aware of "unbounded". @@ -2525,8 +2819,8 @@ limitations under the License. - An optional identifier which can be used to reference the occurrence elsewhere - in the BOM. Every bom-ref MUST be unique within the BOM. + An identifier which can be used to reference the occurrence elsewhere + in the BOM. Every `bom-ref` must be unique within the BOM. @@ -2545,6 +2839,11 @@ limitations under the License. + + + Within a call stack, a frame is a discrete unit that encapsulates an execution context, including local variables, parameters, and the return address. As function calls are made, frames are pushed onto the stack, forming an array-like structure that orchestrates the flow of program execution and manages the sequence of function invocations. + + @@ -2564,7 +2863,7 @@ limitations under the License. - Optional arguments that are passed to the module or function. + Arguments that are passed to the module or function. @@ -2611,7 +2910,13 @@ limitations under the License. - + + + + Copyright evidence captures intellectual property assertions, providing evidence of possible ownership and legal protection. + + + @@ -2651,7 +2956,7 @@ limitations under the License. - Specifies an aggregate type that describe how complete a relationship is. + Specifies an aggregate type that describes how complete a relationship is. 
@@ -2720,7 +3025,7 @@ limitations under the License. - An optional identifier which can be used to reference the composition elsewhere in the BOM. + An identifier which can be used to reference the composition elsewhere in the BOM. Uniqueness is enforced within all elements and children of the root-level bom element. @@ -2746,12 +3051,12 @@ limitations under the License. - The relationship is incomplete. Only relationships for third-party components, services, or their dependencies are represented, limited specifically to those that are proprietary. + The relationship is incomplete. Only relationships for first-party components, services, or their dependencies are represented, limited specifically to those that are proprietary. - The relationship is incomplete. Only relationships for third-party components, services, or their dependencies are represented, limited specifically to those that are opensource. + The relationship is incomplete. Only relationships for first-party components, services, or their dependencies are represented, limited specifically to those that are opensource. @@ -2786,8 +3091,8 @@ limitations under the License. Defines a syntax for representing two character language code (ISO-639) followed by an optional two - character country code. The language code MUST be lower case. If the country code is specified, the - country code MUST be upper case. The language code and country code MUST be separated by a minus sign. + character country code. The language code must be lower case. If the country code is specified, the + country code must be upper case. The language code and country code must be separated by a minus sign. Examples: en, en-US, fr, fr-CA 
@@ -2800,7 +3105,7 @@ limitations under the License. - The software versioning type. It is RECOMMENDED that the release type use one + The software versioning type. It is recommended that the release type use one of 'major', 'minor', 'patch', 'pre-release', or 'internal'. Representing all possible software release types is not practical, so standardizing on the recommended values, whenever possible, is strongly encouraged. @@ -2808,9 +3113,9 @@ limitations under the License. * minor = A minor release, also known as an update, may contain a smaller number of changes than major releases. * patch = Patch releases are typically unplanned and may resolve defects or important security issues. * pre-release = A pre-release may include alpha, beta, or release candidates and typically have - limited support. They provide the ability to preview a release prior to its general availability. + limited support. They provide the ability to preview a release prior to its general availability. * internal = Internal releases are not for public consumption and are intended to be used exclusively - by the project or manufacturer that produced it. + by the project or manufacturer that produced it. @@ -2845,7 +3150,8 @@ limitations under the License. One or more alternate names the release may be referred to. This may - include unofficial terms used by development and marketing teams (e.g. code names). + include unofficial terms used by development and marketing teams (e.g. code names). + @@ -2868,7 +3174,8 @@ limitations under the License. Zero or more release notes containing the locale and content. Multiple - note elements may be specified to support release notes in a wide variety of languages. + note elements may be specified to support release notes in a wide variety of languages. + 
@@ -2896,7 +3203,7 @@ limitations under the License. without having to use additional namespaces or create extensions. Property names of interest to the general public are encouraged to be registered in the CycloneDX Property Taxonomy - https://github.com/CycloneDX/cyclonedx-property-taxonomy. - Formal registration is OPTIONAL. + Formal registration is optional. @@ -2915,19 +3222,19 @@ limitations under the License. - + A model card describes the intended uses of a machine learning model and potential limitations, including biases and ethical considerations. Model cards typically contain the training parameters, which datasets were used to train the model, performance metrics, and other relevant data useful for ML transparency. - This object SHOULD be specified for any component of type `machine-learning-model` and MUST NOT be specified + This object SHOULD be specified for any component of type `machine-learning-model` and must not be specified for other component types. @@ -2997,7 +3304,11 @@ limitations under the License. - + + + Inline Data Information + + @@ -3155,7 +3466,7 @@ limitations under the License. - The graphic (vector or raster). Base64 encoding MUST be specified for binary images. + The graphic (vector or raster). Base64 encoding must be specified for binary images. @@ -3188,7 +3499,7 @@ limitations under the License. - + @@ -3200,7 +3511,7 @@ limitations under the License. - + @@ -3214,7 +3525,7 @@ limitations under the License. - + @@ -3226,7 +3537,7 @@ limitations under the License. - + 
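Review bot: The model-card documentation in the hunk at -2915/+3222 now mixes normative casing inside one sentence: "This object SHOULD be specified ... and must not be specified", after the commit lowercased only MUST NOT. A reader will take the surviving capitalized SHOULD as a deliberate RFC 2119 keyword and the lowercased "must not" as informal, which inverts the intended strength. Either lowercase both, `This object should be specified for any component of type `machine-learning-model` and must not be specified for other component types.`, or keep both capitalized; the same half-normalization appears in the ratings text on the -4150/+4471 hunk ("Consumers SHOULD consider ...") and in the serialNumber description of the JSON schema.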
@@ -3318,12 +3629,22 @@ limitations under the License. + + + Provides the ability to document properties in a name/value store. + This provides flexibility to include data not officially supported in the standard + without having to use additional namespaces or create extensions. Property names + of interest to the general public are encouraged to be registered in the + CycloneDX Property Taxonomy - https://github.com/CycloneDX/cyclonedx-property-taxonomy. + Formal registration is OPTIONAL. + + - An optional identifier which can be used to reference the model card elsewhere in the BOM. - Every bom-ref MUST be unique within the BOM. + An identifier which can be used to reference the model card elsewhere in the BOM. + Every `bom-ref` must be unique within the BOM. @@ -3350,7 +3671,7 @@ limitations under the License. without having to use additional namespaces or create extensions. Property names of interest to the general public are encouraged to be registered in the CycloneDX Property Taxonomy - https://github.com/CycloneDX/cyclonedx-property-taxonomy. - Formal registration is OPTIONAL. + Formal registration is optional. @@ -3492,7 +3813,7 @@ limitations under the License. without having to use additional namespaces or create extensions. Property names of interest to the general public are encouraged to be registered in the CycloneDX Property Taxonomy - https://github.com/CycloneDX/cyclonedx-property-taxonomy. - Formal registration is OPTIONAL. + Formal registration is optional. @@ -3694,7 +4015,7 @@ limitations under the License. - An optional identifier which can be used to reference the energy provider elsewhere in the BOM. + An identifier which can be used to reference the energy provider elsewhere in the BOM. Uniqueness is enforced within all elements and children of the root-level bom element. 
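Review bot: The newly added properties documentation in the hunk at -3318/+3629 ends with "Formal registration is OPTIONAL." while every other occurrence of that boilerplate is changed by this same commit to the lowercase form. Since the paragraph was added rather than carried over, it should follow the convention the commit is introducing: `Formal registration is optional.` Otherwise the next normalization pass will have to touch this block again.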
@@ -3754,7 +4075,7 @@ limitations under the License. - An optional identifier which can be used to reference the address elsewhere in the BOM. + An identifier which can be used to reference the address elsewhere in the BOM. Uniqueness is enforced within all elements and children of the root-level bom element. @@ -3838,7 +4159,7 @@ limitations under the License. - An optional way to include textual or encoded data. + A way to include textual or encoded data. @@ -3861,7 +4182,7 @@ limitations under the License. - + A description of any sensitive data in a dataset. @@ -3888,8 +4209,8 @@ limitations under the License. - An optional identifier which can be used to reference the dataset elsewhere in the BOM. - Every bom-ref MUST be unique within the BOM. + An identifier which can be used to reference the dataset elsewhere in the BOM. + Every `bom-ref` must be unique within the BOM. @@ -3950,7 +4271,7 @@ limitations under the License. - + A description of this collection of graphics. @@ -3978,7 +4299,7 @@ limitations under the License. - The graphic (vector or raster). Base64 encoding MUST be specified for binary images. + The graphic (vector or raster). Base64 encoding must be specified for binary images. @@ -4150,7 +4471,7 @@ limitations under the License. - List of vulnerability ratings. + List of vulnerability ratings. Consumers SHOULD consider ratings in prioritization decisions; source ratings may differ and aid prioritization. @@ -4201,9 +4522,9 @@ limitations under the License. - - Precise steps to reproduce the vulnerability. - + + Precise steps to reproduce the vulnerability. + @@ -4293,7 +4614,7 @@ limitations under the License. - DEPRECATED. Use tools\components or tools\services instead. + DEPRECATED. Use `../components` or `../services` instead. 
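Review bot: The added sentence in the ratings description at -4150/+4471, "Consumers SHOULD consider ratings in prioritization decisions; source ratings may differ and aid prioritization.", is circular (ratings aid prioritization, so consider them in prioritization) and does not say what a consumer is supposed to do when the ratings disagree. Something like `List of vulnerability ratings. Ratings from different sources may differ; consumers should take all provided ratings into account when prioritizing remediation.` states the practical point directly. The mixed-case SHOULD in that sentence is also out of step with the lowercasing done elsewhere in this commit.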
@@ -4407,7 +4728,7 @@ limitations under the License. - A version range specified in Package URL Version Range syntax (vers) which is defined at https://github.com/package-url/purl-spec/VERSION-RANGE-SPEC.rst + A version range specified in Package URL Version Range syntax (vers) which is defined at https://github.com/package-url/vers-spec @@ -4437,14 +4758,14 @@ limitations under the License. without having to use additional namespaces or create extensions. Property names of interest to the general public are encouraged to be registered in the CycloneDX Property Taxonomy - https://github.com/CycloneDX/cyclonedx-property-taxonomy. - Formal registration is OPTIONAL. + Formal registration is optional. - An optional identifier which can be used to reference the vulnerability elsewhere in the BOM. + An identifier which can be used to reference the vulnerability elsewhere in the BOM. Uniqueness is enforced within all elements and children of the root-level bom element. @@ -4463,7 +4784,8 @@ limitations under the License. The url of the vulnerability documentation as provided by the source. - For example: https://nvd.nist.gov/vuln/detail/CVE-2021-39182 + For example: https://nvd.nist.gov/vuln/detail/CVE-2021-39182 + @@ -4498,7 +4820,7 @@ limitations under the License. - An optional reason for rating the vulnerability as it was. + A reason for rating the vulnerability as it was. @@ -4508,7 +4830,7 @@ limitations under the License. - An optional name of the advisory. + A name of the advisory. @@ -4611,7 +4933,7 @@ limitations under the License. - An optional identifier which can be used to reference the annotation elsewhere in the BOM. + An identifier which can be used to reference the annotation elsewhere in the BOM. Uniqueness is enforced within all elements and children of the root-level bom element. 
@@ -4632,13 +4954,41 @@ limitations under the License. - - - - - - - + + + Critical severity + + + + + High severity + + + + + Medium severity + + + + + Low severity + + + + + Informational warning. + + + + + None + + + + + The severity is not known + + @@ -4835,11 +5185,31 @@ limitations under the License. - - - - - + + + Can not fix + + + + + Will not fix + + + + + Update to a different revision or release + + + + + Revert to a previous revision or release + + + + + There is a workaround available + + @@ -4854,18 +5224,34 @@ limitations under the License. - - - + + + The version is affected by the vulnerability. + + + + + The version is not affected by the vulnerability. + + + + + It is unknown (or unspecified) whether the given version is affected. + + - Describes how a component or service was manufactured or deployed. This is achieved through the use - of formulas, workflows, tasks, and steps, which declare the precise steps to reproduce along with the - observed formulas describing the steps which transpired in the manufacturing process. + Describes the formulation of any referencable object within the BOM, + including components, services, metadata, declarations, or the BOM itself. This may + encompass how the object was created, assembled, deployed, tested, certified, or otherwise + brought into its present form. Common examples include software build pipelines, + deployment processes, AI/ML model training, cryptographic key generation or certification, + and third-party audits. Processes are modeled using declared and observed formulas, + composed of workflows, tasks, and individual steps. 
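Review bot: In the severity enumeration added at -4632/+4954, the `none` value is documented only as "None", which gives a consumer no way to tell it apart from `unknown` ("The severity is not known"), and that distinction is exactly what drives triage: one means the issue was assessed and found to have no severity, the other means no assessment is available. A description such as `The vulnerability has been assessed and determined to have no severity.` would make the difference explicit; please confirm that reading matches the intended semantics. While there, "Informational warning." is the only entry with a trailing period, and in the response enumeration on the same line "Can not fix" would read better as "Cannot fix".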
@@ -4919,14 +5305,14 @@ limitations under the License. without having to use additional namespaces or create extensions. Property names of interest to the general public are encouraged to be registered in the CycloneDX Property Taxonomy - https://github.com/CycloneDX/cyclonedx-property-taxonomy. - Formal registration is OPTIONAL. + Formal registration is optional. - An optional identifier which can be used to reference the formula elsewhere in the BOM. + An identifier which can be used to reference the formula elsewhere in the BOM. Uniqueness is enforced within all elements and children of the root-level bom element. @@ -5080,7 +5466,7 @@ limitations under the License. without having to use additional namespaces or create extensions. Property names of interest to the general public are encouraged to be registered in the CycloneDX Property Taxonomy - https://github.com/CycloneDX/cyclonedx-property-taxonomy. - Formal registration is OPTIONAL. + Formal registration is optional. @@ -5094,7 +5480,7 @@ limitations under the License. - An optional identifier which can be used to reference the workflow elsewhere in the BOM. + An identifier which can be used to reference the workflow elsewhere in the BOM. Uniqueness is enforced within all elements and children of the root-level bom element. @@ -5302,7 +5688,7 @@ limitations under the License. without having to use additional namespaces or create extensions. Property names of interest to the general public are encouraged to be registered in the CycloneDX Property Taxonomy - https://github.com/CycloneDX/cyclonedx-property-taxonomy. - Formal registration is OPTIONAL. + Formal registration is optional. @@ -5316,7 +5702,7 @@ limitations under the License. - An optional identifier which can be used to reference the task elsewhere in the BOM. + An identifier which can be used to reference the task elsewhere in the BOM. Uniqueness is enforced within all elements and children of the root-level bom element. 
@@ -5505,7 +5891,7 @@ limitations under the License. without having to use additional namespaces or create extensions. Property names of interest to the general public are encouraged to be registered in the CycloneDX Property Taxonomy - https://github.com/CycloneDX/cyclonedx-property-taxonomy. - Formal registration is OPTIONAL. + Formal registration is optional. @@ -5519,7 +5905,7 @@ limitations under the License. - An optional identifier which can be used to reference the workflow elsewhere in the BOM. + An identifier which can be used to reference the workflow elsewhere in the BOM. Uniqueness is enforced within all elements and children of the root-level bom element. @@ -5606,7 +5992,7 @@ limitations under the License. without having to use additional namespaces or create extensions. Property names of interest to the general public are encouraged to be registered in the CycloneDX Property Taxonomy - https://github.com/CycloneDX/cyclonedx-property-taxonomy. - Formal registration is OPTIONAL. + Formal registration is optional. @@ -5665,7 +6051,7 @@ limitations under the License. without having to use additional namespaces or create extensions. Property names of interest to the general public are encouraged to be registered in the CycloneDX Property Taxonomy - https://github.com/CycloneDX/cyclonedx-property-taxonomy. - Formal registration is OPTIONAL. + Formal registration is optional. @@ -5681,7 +6067,7 @@ limitations under the License. without having to use additional namespaces or create extensions. Property names of interest to the general public are encouraged to be registered in the CycloneDX Property Taxonomy - https://github.com/CycloneDX/cyclonedx-property-taxonomy. - Formal registration is OPTIONAL. + Formal registration is optional. @@ -5745,6 +6131,9 @@ limitations under the License. + + A list of conditions used to determine if a trigger should be activated. + 
@@ -5776,7 +6165,7 @@ limitations under the License. without having to use additional namespaces or create extensions. Property names of interest to the general public are encouraged to be registered in the CycloneDX Property Taxonomy - https://github.com/CycloneDX/cyclonedx-property-taxonomy. - Formal registration is OPTIONAL. + Formal registration is optional. @@ -5823,7 +6212,7 @@ limitations under the License. without having to use additional namespaces or create extensions. Property names of interest to the general public are encouraged to be registered in the CycloneDX Property Taxonomy - https://github.com/CycloneDX/cyclonedx-property-taxonomy. - Formal registration is OPTIONAL. + Formal registration is optional. @@ -5837,7 +6226,7 @@ limitations under the License. - An optional identifier which can be used to reference the trigger elsewhere in the BOM. + An identifier which can be used to reference the trigger elsewhere in the BOM. Uniqueness is enforced within all elements and children of the root-level bom element. @@ -5910,7 +6299,7 @@ limitations under the License. without having to use additional namespaces or create extensions. Property names of interest to the general public are encouraged to be registered in the CycloneDX Property Taxonomy - https://github.com/CycloneDX/cyclonedx-property-taxonomy. - Formal registration is OPTIONAL. + Formal registration is optional. @@ -5998,7 +6387,7 @@ limitations under the License. without having to use additional namespaces or create extensions. Property names of interest to the general public are encouraged to be registered in the CycloneDX Property Taxonomy - https://github.com/CycloneDX/cyclonedx-property-taxonomy. - Formal registration is OPTIONAL. + Formal registration is optional. 
@@ -6085,7 +6474,7 @@ limitations under the License. without having to use additional namespaces or create extensions. Property names of interest to the general public are encouraged to be registered in the CycloneDX Property Taxonomy - https://github.com/CycloneDX/cyclonedx-property-taxonomy. - Formal registration is OPTIONAL. + Formal registration is optional. @@ -6365,6 +6754,14 @@ limitations under the License. + + + + Key-wrap is a cryptographic technique used to securely encrypt and + protect cryptographic keys using algorithms like AES. + + + @@ -6382,6 +6779,14 @@ limitations under the License. + + + + A valid algorithm family identifier. + If specified, this value must be one of the enumeration of valid algorithm Family identifiers defined in the `cryptography-defs.schema.json` subschema. A corresponding schema for XML is not available. + + + @@ -6395,6 +6800,7 @@ limitations under the License. + DEPRECATED - DO NOT USE. This will be removed in a future version. Use `./ellipticCurve` instead. The specific underlying Elliptic Curve (EC) definition employed which is an indicator of the level of security strength, performance and complexity. Absent an authoritative source of curve names, CycloneDX recommends use of curve names as @@ -6403,6 +6809,14 @@ limitations under the License. + + + + The specific underlying Elliptic Curve (EC) definition employed which is an indicator of the level of security strength, performance and complexity. + If specified, this value must be one of the enumeration of valid elliptic curves identifiers defined in the `cryptography-defs.schema.json` subschema. A corresponding schema for XML is not available. + + + @@ -6471,7 +6885,6 @@ limitations under the License. - @@ -6897,6 +7310,13 @@ limitations under the License. + + + + The serial number is a unique identifier for the certificate issued by a CA. + + + 
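Review bot: The certificate serialNumber description added in the hunk at -6897/+7310, "The serial number is a unique identifier for the certificate issued by a CA", can be read as a globally unique identifier. Per RFC 5280 §4.1.2.2 the serial number is unique only among certificates issued by the same CA, and revocation data such as CRL entries identify a certificate by issuer plus serial; tooling that keys on the serial alone will conflate certificates from different issuers. Suggested wording: `The serial number is a positive integer assigned by the issuing CA that is unique among the certificates issued by that CA. Together with the issuer name it uniquely identifies the certificate, for example in CRL entries.` Separately, the algorithm-family text on the same line says "valid algorithm Family identifiers" with an inconsistent capital F.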
@@ -6928,6 +7348,7 @@ limitations under the License. + DEPRECATED - DO NOT USE. This will be removed in a future version. Use `./relatedCryptographicAssets` instead. The bom-ref to signature algorithm used by the certificate @@ -6935,6 +7356,7 @@ limitations under the License. + DEPRECATED - DO NOT USE. This will be removed in a future version. Use `./relatedCryptographicAssets` instead. The bom-ref to the public key of the subject 
@@ -6949,10 +7371,339 @@ limitations under the License. + DEPRECATED - DO NOT USE. This will be removed in a future version. Use `./certificateFileExtension` instead. The file extension of the certificate. Examples include crt, pem, cer, der, and p12. + + + + The file extension of the certificate. Examples include crt, pem, cer, der, and p12. + + + + + + + The fingerprint is a cryptographic hash of the certificate excluding it's signature. + + + + + + + The certificate lifecycle is a comprehensive process that manages digital + certificates from their initial creation to eventual expiration or revocation. + It typically involves several stages. + + + + + + + + + + A pre-defined state in the certificate lifecycle. + + + + + + + + The certificate has been issued by the issuing + certificate authority (CA) but has not been authorized + for use. + + + + + + + The certificate may be used to cryptographically protect + information, cryptographically process previously protected + information, or both. + + + + + + + Certificates in the deactivated state shall not be used + to apply cryptographic protection but, in some cases, + may be used to process cryptographically protected + information. + + + + + + + The use of a certificate may be suspended for several + possible reasons. + + + + + + + A revoked certificate is a digital certificate that has + been invalidated by the issuing certificate authority (CA) + before its scheduled expiration date. + + + + + + + The certificate has been destroyed. + + + + + + + + + + A reason for the certificate being in this state. + + + + + + + + + + The name of the certificate lifecycle state. + + + + + + + The description of the certificate lifecycle state. + + + + + + + A reason for the certificate being in this state. + + + + + + + + + + + The date and time (timestamp) when the certificate was created or pre-activated. + + + + + + + The date and time (timestamp) when the certificate was activated. 
+ + + + + + + The date and time (timestamp) when the related certificate was deactivated. + + + + + + + The date and time (timestamp) when the certificate was revoked. + + + + + + + The date and time (timestamp) when the certificate was destroyed. + + + + + + + A certificate extension is a field that provides additional information about the certificate or its use. Extensions are used to convey additional information beyond the standard fields. + + + + + + + + Extension: This can be either a common extension + (with a well-known name and value) or a custom extension + (for application or vendor-specific data). + + + + + + + + + + The name of the extension. + + + + + + + + Specifies whether a certificate can be used as a CA certificate or not. + + + + + + + Specifies the allowed uses of the public key in the certificate. + + + + + + + Specifies additional purposes for which the public key can be used. + + + + + + + Allows inclusion of additional names to identify the entity associated with the certificate. + + + + + + + Identifies the public key of the CA that issued the certificate. + + + + + + + Identifies the public key associated with the entity the certificate was issued to. + + + + + + + Contains CA issuers and OCSP information. + + + + + + + Defines the policies under which the certificate was issued and can be used. + + + + + + + Contains one or more URLs where a Certificate Revocation List (CRL) can be obtained. + + + + + + + Shows that the certificate has been publicly logged, which helps prevent the issuance of rogue certificates by a CA. Log ID, timestamp and signature as proof. + + + + + + + + + + The value of the certificate extension. + + + + + + + + + + The name for the custom certificate extension. + + + + + + + The description of the custom certificate extension. + + + + + + + + + + + + + + A list of cryptographic assets related to this component. + + + + + + + + A cryptographic asset related to this component. 
+ + + + + + + + Specifies the mechanism by which the cryptographic asset is secured by. + Examples: "publicKey", "privateKey", "algorithm" + + + + + + + The bom-ref to cryptographic asset. + + + + + + + + + @@ -6997,7 +7748,7 @@ limitations under the License. - The optional unique identifier for the related cryptographic material. + The unique identifier for the related cryptographic material. @@ -7100,6 +7851,50 @@ limitations under the License. + + + + The fingerprint is a cryptographic hash of the related cryptographic material, excluding it's signature. + + + + + + + A list of cryptographic assets related to this component. + + + + + + + + A cryptographic asset related to this component. + + + + + + + + Specifies the mechanism by which the cryptographic asset is secured by. + Examples: "publicKey", "privateKey", "algorithm" + + + + + + + The bom-ref to cryptographic asset. + + + + + + + + + @@ -7161,6 +7956,48 @@ limitations under the License. + + + + Datagram Transport Layer Security + + + + + + + Quick UDP Internet Connections + + + + + + + Extensible Authentication Protocol variant + + + + + + + Enhanced version of EAP-AKA + + + + + + + Protection of Inter-Network Signaling + + + + + + + Authentication and Key Agreement for 5G + + + @@ -7239,6 +8076,48 @@ limitations under the License. + + + + A list of TLS named groups (formerly known as curves) for + this cipher suite. These groups define the parameters for + key exchange algorithms like ECDHE. + + + + + + + + The name of the TLS group. + Example values: x25519, ffdhe2048 + + + + + + + + + + A list of signature schemes supported for cipher suite. + These schemes specify the algorithms used for digital + signatures in TLS handshakes and certificate verification. + + + + + + + + The name of the TLS signature scheme. + Example values: ecdsa_secp256r1_sha256, rsa_pss_rsae_sha256, ed25519 + + + + + + 
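Review bot: The fingerprint description added in the @@ -6949 hunk, `The fingerprint is a cryptographic hash of the certificate excluding it's signature.`, has a typo (`it's` should be `its`) and, more importantly, defines the hashed input differently from common tooling, which fingerprints the complete DER-encoded certificate including the signature; a hash over the tbsCertificate alone will not match fingerprints produced by OpenSSL or browsers. State unambiguously which bytes are hashed and how the algorithm is conveyed, e.g. `The fingerprint is a cryptographic hash computed over the complete DER encoding of the certificate; the hash algorithm is given with the value.`, or say explicitly that the tbsCertificate hash is intended. The identical sentence recurs in the @@ -7100 hunk for related cryptographic material, and both hunks repeat the ungrammatical `Specifies the mechanism by which the cryptographic asset is secured by.` (drop the trailing `by`). The Certificate Transparency extension text says logging `helps prevent the issuance of rogue certificates`; CT makes misissuance detectable rather than preventing it, so `helps detect misissued certificates` is the accurate wording.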
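Review bot: The TLS named-group and signature-scheme elements in the @@ -7239 hunk give example values (`x25519`, `ffdhe2048`, `ecdsa_secp256r1_sha256`) but do not say where the valid set of names comes from, unlike the algorithm-family text earlier in this diff, which points at a subschema enumeration. These identifiers are the names in the IANA TLS Parameters registry (the "TLS Supported Groups" and "TLS SignatureScheme" tables); naming that registry lets consumers normalise and compare values instead of guessing at spelling. Suggest appending `Values should use the names registered in the IANA TLS Parameters registry (TLS Supported Groups).` to the group description and the analogous sentence, citing TLS SignatureScheme, to the signature-scheme description.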
@@ -7254,33 +8133,127 @@ limitations under the License. - + Transform Type 1: encryption algorithms + + EITHER a detailed description (PREFERRED) + OR a single string representing a "bom:refType" (DEPRECATED This will be removed in a future version.) + + + + + + A name for the encryption method. + Example: ENCR_AES_GCM_16 + + + + + + + The key length of the encryption algorithm. + + + + + + + The bom-ref to algorithm cryptographic asset. + + + + + - + Transform Type 2: pseudorandom functions + + EITHER a detailed description (PREFERRED) + OR a single string representing a "bom:refType" (DEPRECATED This will be removed in a future version.) + + + + + + A name for the pseudorandom function. + Example: PRF_HMAC_SHA2_256 + + + + + + + The bom-ref to algorithm cryptographic asset. + + + + + - + Transform Type 3: integrity algorithms + + EITHER a detailed description (PREFERRED) + OR a single string representing a "bom:refType" (DEPRECATED This will be removed in a future version.) + + + + + + A name for the integrity algorithm. + Example: AUTH_HMAC_SHA2_256_128 + + + + + + + The bom-ref to algorithm cryptographic asset. + + + + + - + Transform Type 4: Key Exchange Method (KE) per RFC9370, formerly called Diffie-Hellman Group (D-H) + + EITHER a detailed description (PREFERRED) + OR a single string representing a "bom:refType" (DEPRECATED This will be removed in a future version.) + + + + + + A group identifier for the key exchange algorithm. + + + + + + + The bom-ref to algorithm cryptographic asset. + + + + + @@ -7289,16 +8262,42 @@ limitations under the License. - + IKEv2 Authentication method + + EITHER a detailed description (PREFERRED) + OR a single string representing a "bom:refType" (DEPRECATED This will be removed in a future version.) + + + + + + A name for the authentication method. + + + + + + + The bom-ref to algorithm cryptographic asset. + + + + + + + + A protocol-related cryptographic assets + + 
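Review bot: The encryption-transform key length element in the @@ -7254 hunk is described only as `The key length of the encryption algorithm.` with no unit, so one producer may emit 16 (bytes) while another emits 128 (bits), and consumers comparing IKE policies against a baseline cannot tell which. IKEv2 expresses the Key Length transform attribute in bits (RFC 7296), so the description should pin that: `The key length of the encryption algorithm, in bits.` Within the same hunk only Transform Type 4 cites an RFC (RFC9370); adding the RFC 7296 reference to the encryption, pseudorandom-function and integrity transform descriptions would make the four entries consistent.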
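Review bot: `A protocol-related cryptographic assets` in the @@ -7289 hunk mixes a singular article with a plural noun; depending on whether the element holds one asset or a list it should read `A protocol-related cryptographic asset` or `Protocol-related cryptographic assets`. The element's definition continues past the end of the hunk, so I cannot tell which form applies.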
@@ -7348,8 +8347,8 @@ limitations under the License. - An optional identifier which can be used to reference the object elsewhere in the BOM. - Every bom-ref MUST be unique within the BOM. + An identifier which can be used to reference the object elsewhere in the BOM. + Every `bom-ref` must be unique within the BOM. @@ -7615,8 +8614,8 @@ limitations under the License. - An optional identifier which can be used to reference the object elsewhere - in the BOM. Every bom-ref MUST be unique within the BOM. + An identifier which can be used to reference the object elsewhere + in the BOM. Every `bom-ref` must be unique within the BOM. @@ -7686,7 +8685,7 @@ limitations under the License. - An optional way to include textual or encoded data. + A way to include textual or encoded data. @@ -7722,7 +8721,7 @@ limitations under the License. - The optional date and time (timestamp) when the evidence is no longer valid. + The date and time (timestamp) when the evidence is no longer valid. @@ -7746,8 +8745,8 @@ limitations under the License. - An optional identifier which can be used to reference the object elsewhere - in the BOM. Every bom-ref MUST be unique within the BOM. + A identifier which can be used to reference the object elsewhere + in the BOM. Every `bom-ref` must be unique within the BOM. @@ -7810,6 +8809,12 @@ limitations under the License. + + + A concise statement affirmed by an individual regarding all declarations, often used for third-party auditor acceptance or recipient acknowledgment. + It includes a list of authorized signatories who assert the validity of the document on behalf of the organization. + + @@ -7901,6 +8906,16 @@ limitations under the License. + + + + + + + + + + @@ -8003,7 +9018,7 @@ limitations under the License. - + 
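Review bot: The @@ -7746 hunk introduces `A identifier which can be used to reference the object elsewhere`, while the parallel rewrites in the @@ -7348 and @@ -7615 hunks (and @@ -8046, @@ -8110 and @@ -8143 in the following hunks) all read `An identifier`. Change it to `An identifier which can be used to reference the object elsewhere` so that every bom-ref description in the schema stays identical and can be kept in sync with a single search.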
@@ -8022,7 +9037,7 @@ limitations under the License. - The optional `bom-ref` to a parent requirement. This establishes a hierarchy of requirements. Top-level requirements must not define a parent. Only child requirements should define parents. + The `bom-ref` to a parent requirement. This establishes a hierarchy of requirements. Top-level requirements must not define a parent. Only child requirements should define parents. @@ -8033,7 +9048,7 @@ limitations under the License. without having to use additional namespaces or create extensions. Property names of interest to the general public are encouraged to be registered in the CycloneDX Property Taxonomy - https://github.com/CycloneDX/cyclonedx-property-taxonomy. - Formal registration is OPTIONAL. + Formal registration is optional. @@ -8046,8 +9061,8 @@ limitations under the License. - An optional identifier which can be used to reference the object elsewhere - in the BOM. Every bom-ref MUST be unique within the BOM. + An identifier which can be used to reference the object elsewhere + in the BOM. Every `bom-ref` must be unique within the BOM. @@ -8110,8 +9125,8 @@ limitations under the License. - An optional identifier which can be used to reference the object elsewhere - in the BOM. Every bom-ref MUST be unique within the BOM. + An identifier which can be used to reference the object elsewhere + in the BOM. Every `bom-ref` must be unique within the BOM. @@ -8143,8 +9158,8 @@ limitations under the License. - An optional identifier which can be used to reference the object elsewhere - in the BOM. Every bom-ref MUST be unique within the BOM. + An identifier which can be used to reference the object elsewhere + in the BOM. Every `bom-ref` must be unique within the BOM. 
@@ -8172,6 +9187,444 @@ limitations under the License. + + + + A patent family is a group of related patent applications or granted patents that cover the same or similar invention. These patents are filed in multiple jurisdictions to protect the invention across different regions or countries. A patent family typically includes patents that share a common priority date, originating from the same initial application, and may vary slightly in scope or claims to comply with regional legal frameworks. Fields align with WIPO ST.96 standards where applicable. + + + + + + The unique identifier for the patent family, aligned with the `id` attribute in WIPO ST.96 v8.0's `PatentFamilyType`. Refer to [PatentFamilyType in ST.96](https://www.wipo.int/standards/XMLSchema/ST96/V8_0/Patent/PatentFamilyType.xsd). + + + + + + A collection of patents or applications that belong to this family, each identified by a `bom-ref` pointing to a patent object defined elsewhere in the BOM. + + + + + + + + + + External references provide a way to document systems, sites, and information that may be relevant but are not included with the BOM. They may also establish specific relationships within or external to the BOM. + + + + + + + An identifier which can be used to reference the object elsewhere in the BOM. + Uniqueness is enforced within all elements and children of the root-level bom element. + + + + + + User-defined attributes may be used on this element as long as they + do not have the same name as an existing attribute used by the schema. + + + + + + + + A patent is a legal instrument, granted by an authority, that confers certain rights over an invention for a specified period, contingent on public disclosure and adherence to relevant legal requirements. The summary information in this object is aligned with [WIPO ST.96](https://www.wipo.int/standards/en/st96/) principles where applicable. + + + + + + The unique number assigned to the granted patent by the issuing authority. 
Aligned with `PatentNumber` in WIPO ST.96. Refer to [PatentNumber in ST.96](https://www.wipo.int/standards/XMLSchema/ST96/V8_0/Patent/PatentNumber.xsd). + + + + + + + + This is the number assigned to a patent application once it is published. Patent applications are generally published 18 months after filing (unless an applicant requests non-publication). This number is distinct from the application number. + + Purpose: Identifies the publicly available version of the application. + + Format: Varies by jurisdiction, often similar to application numbers but includes an additional suffix indicating publication. + + Example: + - US: US20240000123A1 (indicates the first publication of application US20240000123) + - Europe: EP23123456A1 (first publication of European application EP23123456). + + WIPO ST.96 v8.0: + - Publication Number field: https://www.wipo.int/standards/XMLSchema/ST96/V8_0/Patent/PublicationNumber.xsd + + + + + The title of the patent, summarising the invention it protects. Aligned with `InventionTitle` in WIPO ST.96. Refer to [InventionTitle in ST.96](https://www.wipo.int/standards/XMLSchema/ST96/V8_0/Patent/InventionTitle.xsd). + + + + + A brief summary of the invention described in the patent. Aligned with `Abstract` and `P` in WIPO ST.96. Refer to [Abstract in ST.96](https://www.wipo.int/standards/XMLSchema/ST96/V8_0/Patent/Abstract.xsd). + + + + + The date the patent application was filed with the jurisdiction. Aligned with `FilingDate` in WIPO ST.96. Refer to [FilingDate in ST.96](https://www.wipo.int/standards/XMLSchema/ST96/V8_0/Patent/FilingDate.xsd). + + + + + The date the patent was granted by the jurisdiction. Aligned with `GrantDate` in WIPO ST.96. Refer to [GrantDate in ST.96](https://www.wipo.int/standards/XMLSchema/ST96/V8_0/Patent/GrantDate.xsd). + + + + + The date the patent expires. Derived from grant or filing date according to jurisdiction-specific rules. 
+ + + + + Indicates the current legal status of the patent or patent application, based on the WIPO ST.27 standard. This status reflects administrative, procedural, or legal events. Values include both active and inactive states and are useful for determining enforceability, procedural history, and maintenance status. + + + + + Organisations or individuals to whom the patent rights are assigned. Supports joint ownership. + + + + + External references provide a way to document systems, sites, and information that may be relevant but are not included with the BOM. They may also establish specific relationships within or external to the BOM. + + + + + + + An identifier which can be used to reference the object elsewhere in the BOM. + Uniqueness is enforced within all elements and children of the root-level bom element. + + + + + + User-defined attributes may be used on this element as long as they + do not have the same name as an existing attribute used by the schema. + + + + + + + + An assertion linking a patent or patent family to a component or service. This allows expression of ownership, licensing, third-party claims, and other legal relationships. + + + + + + The type of assertion being made (e.g. ownership, license, third-party-claim, etc.). + + + + + A list of references (`bom-ref`) linking to patents or families associated with this assertion. + + + + + + + + + + The organisation, individual, or BOM reference asserting the patent claim. + + + + + + + + + + + + Additional clarifications regarding the assertion, such as geographic or temporal constraints. + + + + + + + An identifier which can be used to reference the object elsewhere in the BOM. + Uniqueness is enforced within all elements and children of the root-level bom element. + + + + + + User-defined attributes may be used on this element as long as they + do not have the same name as an existing attribute used by the schema. 
+ + + + + + + + The legal status of the patent, reflecting various administrative or judicial states a patent or application may be in. Aligned with concepts in WIPO ST.27. + + + + + The patent application has been filed but not yet examined or granted. + + + The patent application has been examined and a patent has been issued. + + + The patent has been declared invalid through a legal or administrative process. + + + The patent has reached the end of its enforceable term. + + + The patent is no longer in force due to non-payment of maintenance fees or other requirements. + + + The patent application was voluntarily withdrawn by the applicant. + + + The patent application was abandoned, often due to lack of action or response. + + + Processing of the patent application has been temporarily halted. + + + A previously abandoned or lapsed patent has been reinstated. + + + The patent application or granted patent is under formal opposition proceedings. + + + The patent or application has been officially terminated. + + + The patent has been invalidated, either in part or in full. + + + The granted patent is active and enforceable. + + + + + + + + Specifies the type of assertion made about a patent or patent family. Enables documentation of legal, ownership, or usage-related claims. + + + + + The manufacturer asserts ownership of the patent or patent family. + + + The manufacturer asserts they have a license to use the patent or patent family. + + + A third party has asserted a claim or potential infringement against the manufacturer’s component or service. + + + The patent is part of a standard essential patent (SEP) portfolio relevant to the component or service. + + + The manufacturer asserts the patent or patent family as prior art that invalidates another patent or claim. + + + The manufacturer asserts exclusive rights granted through a licensing agreement. 
+ + + The manufacturer asserts they will not enforce the patent or patent family against certain uses or users. + + + The patent or patent family is being used under a research or evaluation license. + + + + + + + + + + + + + + The jurisdiction or patent office where the priority application was filed, specified using WIPO ST.3 codes. Aligned with `IPOfficeCode` in ST.96. Refer to [IPOfficeCode in ST.96](https://www.wipo.int/standards/XMLSchema/ST96/V8_0/Common/IPOfficeCode.xsd). + + + + + + + + + + + The date the priority application was filed. Aligned with `FilingDate` in WIPO ST.96. + + + + + + + + + The priorityApplication contains the essential data necessary to identify and reference an earlier patent filing for priority rights. In line with WIPO ST.96 guidelines, it includes the jurisdiction (office code), application number, and filing date-the three key elements that uniquely specify the priority application in a global patent context. + + + + + + + + + + + + + + + Details a specific attribution of data within the BOM to a contributing entity or process. + + + + + + + + + + Details a specific attribution of data within the BOM to a contributing entity or process. + + + + + + Exactly one of the "pointers" or "expressions" elements must be present. + + + + + + + One or more JSON Pointers(https://datatracker.ietf.org/doc/html/rfc6901) identifying the BOM fields to which the attribution applies. + + + + + + + + A JSON Pointer(https://datatracker.ietf.org/doc/html/rfc6901) identifying the BOM field to which the attribution applies. + Users of other serialisation formats (e.g. XML) shall use the JSON Pointer format to ensure consistent field referencing across representations. + + + + + + + + + + One or more path expressions used to locate values within a BOM. + + + + + + + + Specifies a path expression used to locate a value within a BOM. The expression syntax shall conform to the format of the BOM's serialisation. 
+ Use [JSONPath](https://datatracker.ietf.org/doc/html/rfc9535) for JSON, [XPath](https://www.w3.org/TR/xpath/) for XML, and default to JSONPath for Protocol Buffers unless otherwise specified. + Implementers shall ensure the expression is valid within the context of the applicable serialisation format. + + + + + + + + + + + The date and time when the attribution was made or the information was supplied. + + + + + + + The `bom-ref` of an object, such as a component, service, tool, organisational entity, or person that supplied the cited information. + At least one of the "attributedTo" or "process" elements must be present. + + + + + + + The `bom-ref` to a process (such as a formula, workflow, task, or step) defined in the `formulation` section that executed or generated the attributed data. + At least one of the "attributedTo" or "process" elements must be present. + + + + + + + An description or comment about the context or quality of the data attribution. + + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + + + An identifier which can be used to reference the object elsewhere in the BOM. + Uniqueness is enforced within all elements and children of the root-level bom element. + + + + + + User-defined attributes may be used on this element as long as they + do not have the same name as an existing attribute used by the schema. + + + + @@ -8213,7 +9666,7 @@ limitations under the License. without having to use additional namespaces or create extensions. Property names of interest to the general public are encouraged to be registered in the CycloneDX Property Taxonomy - https://github.com/CycloneDX/cyclonedx-property-taxonomy. - Formal registration is OPTIONAL. + Formal registration is optional. 
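Review bot: The attribution description element near the end of the @@ -8172 hunk reads `An description or comment about the context or quality of the data attribution.` and should be `A description or comment about the context or quality of the data attribution.` In the same hunk the pointer and expression elements have consumers interpret JSON Pointer, JSONPath and XPath strings carried by the BOM, yet the only guidance is `Implementers shall ensure the expression is valid`; because a BOM is frequently produced by another party, the description should add that consumers evaluate these expressions only against the BOM in which they appear and bound the evaluation (expression length, result size) rather than hand them to a general-purpose evaluator over other documents. The priority-application sentence `the jurisdiction (office code), application number, and filing date-the three key elements` uses a hyphen where an em dash or semicolon is meant. The hunk also mixes spellings (`serialisation`, `Organisations`, `summarising` beside `modeled` and `authorized` elsewhere in the diff); the schema should settle on one.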
@@ -8232,10 +9685,13 @@ limitations under the License. - Describes how a component or service was manufactured or deployed. This is - achieved through the use of formulas, workflows, tasks, and steps, which declare the precise - steps to reproduce along with the observed formulas describing the steps which transpired - in the manufacturing process. + Describes the formulation of any referencable object within the BOM, + including components, services, metadata, declarations, or the BOM itself. This may + encompass how the object was created, assembled, deployed, tested, certified, or otherwise + brought into its present form. Common examples include software build pipelines, + deployment processes, AI/ML model training, cryptographic key generation or certification, + and third-party audits. Processes are modeled using declared and observed formulas, + composed of workflows, tasks, and individual steps. @@ -8253,6 +9709,11 @@ limitations under the License. + + + A collection of attributions indicating which entity supplied information for specific fields within the BOM. + + @@ -8272,8 +9733,8 @@ limitations under the License. Every BOM generated SHOULD have a unique serial number, even if the contents of - the BOM have not changed over time. If specified, the serial number MUST conform to RFC-4122. - Use of serial numbers are RECOMMENDED. + the BOM have not changed over time. If specified, the serial number must conform to RFC-4122. + Use of serial numbers are recommended. diff --git a/schema/cyclonedx/spdx.schema.json b/schema/cyclonedx/spdx.schema.json index 1e49a6d9e..092202126 100644 --- a/schema/cyclonedx/spdx.schema.json +++ b/schema/cyclonedx/spdx.schema.json @@ -1,7 +1,7 @@ { "$schema": "http://json-schema.org/draft-07/schema#", "$id": "http://cyclonedx.org/schema/spdx.schema.json", - "$comment": "v1.0-3.27.0", + "$comment": "v1.1-3.28.0", "type": "string", "enum": [ "0BSD", 
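Review bot: `Use of serial numbers are recommended.` in the @@ -8272 hunk has a number-agreement error (the subject is `Use`) and should read `Use of serial numbers is recommended.` The same hunk keeps `RFC-4122` as bare text, whereas other rewritten descriptions in this diff (the patent and attribution hunks) turn standards references into links, so `[RFC 4122](https://www.ietf.org/rfc/rfc4122.html)` would be the consistent form.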
@@ -14,6 +14,7 @@ "Adobe-Glyph", "Adobe-Utopia", "ADSL", + "Advanced-Cryptics-Dictionary", "AFL-1.1", "AFL-1.2", "AFL-2.0", @@ -27,6 +28,7 @@ "AGPL-3.0-only", "AGPL-3.0-or-later", "Aladdin", + "ALGLIB-Documentation", "AMD-newlib", "AMDPLPA", "AML", @@ -68,6 +70,7 @@ "BlueOak-1.0.0", "Boehm-GC", "Boehm-GC-without-fee", + "BOLA-1.1", "Borceux", "Brian-Gladman-2-Clause", "Brian-Gladman-3-Clause", @@ -94,6 +97,7 @@ "BSD-3-Clause-No-Nuclear-Warranty", "BSD-3-Clause-Open-MPI", "BSD-3-Clause-Sun", + "BSD-3-Clause-Tso", "BSD-4-Clause", "BSD-4-Clause-Shortened", "BSD-4-Clause-UC", @@ -102,12 +106,14 @@ "BSD-Advertising-Acknowledgement", "BSD-Attribution-HPND-disclaimer", "BSD-Inferno-Nettverk", + "BSD-Mark-Modifications", "BSD-Protection", "BSD-Source-beginning-file", "BSD-Source-Code", "BSD-Systemics", "BSD-Systemics-W3Works", "BSL-1.0", + "Buddy", "BUSL-1.1", "bzip2-1.0.5", "bzip2-1.0.6", @@ -116,6 +122,7 @@ "CAL-1.0-Combined-Work-Exception", "Caldera", "Caldera-no-preamble", + "CAPEC-tou", "Catharon", "CATOSL-1.1", "CC-BY-1.0", @@ -245,6 +252,9 @@ "EPL-1.0", "EPL-2.0", "ErlPL-1.1", + "ESA-PL-permissive-2.4", + "ESA-PL-strong-copyleft-2.4", + "ESA-PL-weak-copyleft-2.4", "etalab-2.0", "EUDatagrid", "EUPL-1.0", @@ -350,11 +360,14 @@ "HPND-sell-MIT-disclaimer-xserver", "HPND-sell-regexpr", "HPND-sell-variant", + "HPND-sell-variant-critical-systems", "HPND-sell-variant-MIT-disclaimer", "HPND-sell-variant-MIT-disclaimer-rev", + "HPND-SMC", "HPND-UC", "HPND-UC-export-US", "HTMLTIDY", + "hyphen-bulgarian", "IBM-pibs", "ICU", "IEC-Code-Components-EULA", @@ -373,6 +386,7 @@ "IPL-1.0", "ISC", "ISC-Veillard", + "ISO-permission", "Jam", "JasPer-2.0", "jove", @@ -450,10 +464,12 @@ "MIT-Khronos-old", "MIT-Modern-Variant", "MIT-open-group", + "MIT-STK", "MIT-testregex", "MIT-Wu", "MITNFA", "MMIXware", + "MMPL-1.0.1", "Motosoto", "MPEG-SSG", "mpi-permissive", @@ -487,6 +503,7 @@ "NICTA-1.0", "NIST-PD", "NIST-PD-fallback", + "NIST-PD-TNT", "NIST-Software", "NLOD-1.0", "NLOD-2.0", 
@@ -540,6 +557,7 @@ "OLDAP-2.8", "OLFL-1.3", "OML", + "OpenMDW-1.0", "OpenPBS-2.3", "OpenSSL", "OpenSSL-standalone", @@ -547,13 +565,16 @@ "OPL-1.0", "OPL-UK-3.0", "OPUBL-1.0", + "OSC-1.0", "OSET-PL-2.1", "OSL-1.0", "OSL-1.1", "OSL-2.0", "OSL-2.1", "OSL-3.0", + "OSSP", "PADL", + "ParaType-Free-Font-1.3", "Parity-6.0.0", "Parity-7.0.0", "PDDL-1.0", @@ -598,6 +619,7 @@ "SGI-B-1.1", "SGI-B-2.0", "SGI-OpenGL", + "SGMLUG-PM", "SGP4", "SHL-0.5", "SHL-0.51", @@ -635,6 +657,7 @@ "TAPR-OHL-1.0", "TCL", "TCP-wrappers", + "TekHVC", "TermReadKey", "TGPPL-1.0", "ThirdEye", @@ -662,9 +685,11 @@ "Unlicense", "Unlicense-libtelnet", "Unlicense-libwhirlpool", + "UnRAR", "UPL-1.0", "URT-RLE", "Vim", + "Vixie-Cron", "VOSTROM", "VSL-1.0", "W3C", @@ -673,12 +698,15 @@ "w3m", "Watcom-1.0", "Widget-Workshop", + "WordNet", "Wsuipa", + "WTFNMFPL", "WTFPL", "wwl", "wxWindows", "X11", "X11-distribute-modifications-variant", + "X11-no-permit-persons", "X11-swapped", "Xdebug-1.03", "Xerox", @@ -716,6 +744,7 @@ "Bootloader-exception", "CGAL-linking-exception", "Classpath-exception-2.0", + "Classpath-exception-2.0-short", "CLISP-exception-2.0", "cryptsetup-OpenSSL-exception", "Digia-Qt-LGPL-exception-1.1", @@ -746,6 +775,7 @@ "i2p-gpl-java-exception", "Independent-modules-exception", "KiCad-libraries-exception", + "kvirc-openssl-exception", "LGPL-3.0-linking-exception", "libpri-OpenH323-exception", "Libtool-exception", @@ -769,9 +799,12 @@ "Qwt-exception-1.0", "romic-exception", "RRDtool-FLOSS-exception-2.0", + "rsync-linking-exception", "SANE-exception", "SHL-2.0", "SHL-2.1", + "Simple-Library-Usage-exception", + "sqlitestudio-OpenSSL-exception", "stunnel-exception", "SWI-exception", "Swift-exception", 
@@ -782,5 +815,818 @@ "vsftpd-openssl-exception", "WxWindows-exception-3.1", "x11vnc-openssl-exception" - ] -} + ], + "meta:enum": { + "0BSD": "BSD Zero Clause License", + "3D-Slicer-1.0": "3D Slicer License v1.0", + "AAL": "Attribution Assurance License", + "Abstyles": "Abstyles License", + "AdaCore-doc": "AdaCore Doc License", + "Adobe-2006": "Adobe Systems Incorporated Source Code License Agreement", + "Adobe-Display-PostScript": "Adobe Display PostScript License", + "Adobe-Glyph": "Adobe Glyph List License", + "Adobe-Utopia": "Adobe Utopia Font License", + "ADSL": "Amazon Digital Services License", + "Advanced-Cryptics-Dictionary": "Advanced Cryptics Dictionary License", + "AFL-1.1": "Academic Free License v1.1", + "AFL-1.2": "Academic Free License v1.2", + "AFL-2.0": "Academic Free License v2.0", + "AFL-2.1": "Academic Free License v2.1", + "AFL-3.0": "Academic Free License v3.0", + "Afmparse": "Afmparse License", + "AGPL-1.0": "Affero General Public License v1.0", + "AGPL-1.0-only": "Affero General Public License v1.0 only", + "AGPL-1.0-or-later": "Affero General Public License v1.0 or later", + "AGPL-3.0": "GNU Affero General Public License v3.0", + "AGPL-3.0-only": "GNU Affero General Public License v3.0 only", + "AGPL-3.0-or-later": "GNU Affero General Public License v3.0 or later", + "Aladdin": "Aladdin Free Public License", + "ALGLIB-Documentation": "ALGLIB Documentation License", + "AMD-newlib": "AMD newlib License", + "AMDPLPA": "AMD's plpa_map.c License", + "AML": "Apple MIT License", + "AML-glslang": "AML glslang variant License", + "AMPAS": "Academy of Motion Picture Arts and Sciences BSD", + "ANTLR-PD": "ANTLR Software Rights Notice", + "ANTLR-PD-fallback": "ANTLR Software Rights Notice with license fallback", + "any-OSI": "Any OSI License", + "any-OSI-perl-modules": "Any OSI License - Perl Modules", + "Apache-1.0": "Apache License 1.0", + "Apache-1.1": "Apache License 1.1", + "Apache-2.0": "Apache License 2.0", + "APAFML": "Adobe Postscript AFM 
License", + "APL-1.0": "Adaptive Public License 1.0", + "App-s2p": "App::s2p License", + "APSL-1.0": "Apple Public Source License 1.0", + "APSL-1.1": "Apple Public Source License 1.1", + "APSL-1.2": "Apple Public Source License 1.2", + "APSL-2.0": "Apple Public Source License 2.0", + "Arphic-1999": "Arphic Public License", + "Artistic-1.0": "Artistic License 1.0", + "Artistic-1.0-cl8": "Artistic License 1.0 w\/clause 8", + "Artistic-1.0-Perl": "Artistic License 1.0 (Perl)", + "Artistic-2.0": "Artistic License 2.0", + "Artistic-dist": "Artistic License 1.0 (dist)", + "Aspell-RU": "Aspell Russian License", + "ASWF-Digital-Assets-1.0": "ASWF Digital Assets License version 1.0", + "ASWF-Digital-Assets-1.1": "ASWF Digital Assets License 1.1", + "Baekmuk": "Baekmuk License", + "Bahyph": "Bahyph License", + "Barr": "Barr License", + "bcrypt-Solar-Designer": "bcrypt Solar Designer License", + "Beerware": "Beerware License", + "Bitstream-Charter": "Bitstream Charter Font License", + "Bitstream-Vera": "Bitstream Vera Font License", + "BitTorrent-1.0": "BitTorrent Open Source License v1.0", + "BitTorrent-1.1": "BitTorrent Open Source License v1.1", + "blessing": "SQLite Blessing", + "BlueOak-1.0.0": "Blue Oak Model License 1.0.0", + "Boehm-GC": "Boehm-Demers-Weiser GC License", + "Boehm-GC-without-fee": "Boehm-Demers-Weiser GC License (without fee)", + "BOLA-1.1": "Buena Onda License Agreement v1.1", + "Borceux": "Borceux license", + "Brian-Gladman-2-Clause": "Brian Gladman 2-Clause License", + "Brian-Gladman-3-Clause": "Brian Gladman 3-Clause License", + "BSD-1-Clause": "BSD 1-Clause License", + "BSD-2-Clause": "BSD 2-Clause \"Simplified\" License", + "BSD-2-Clause-Darwin": "BSD 2-Clause - Ian Darwin variant", + "BSD-2-Clause-first-lines": "BSD 2-Clause - first lines requirement", + "BSD-2-Clause-FreeBSD": "BSD 2-Clause FreeBSD License", + "BSD-2-Clause-NetBSD": "BSD 2-Clause NetBSD License", + "BSD-2-Clause-Patent": "BSD-2-Clause Plus Patent License", + 
"BSD-2-Clause-pkgconf-disclaimer": "BSD 2-Clause pkgconf disclaimer variant", + "BSD-2-Clause-Views": "BSD 2-Clause with views sentence", + "BSD-3-Clause": "BSD 3-Clause \"New\" or \"Revised\" License", + "BSD-3-Clause-acpica": "BSD 3-Clause acpica variant", + "BSD-3-Clause-Attribution": "BSD with attribution", + "BSD-3-Clause-Clear": "BSD 3-Clause Clear License", + "BSD-3-Clause-flex": "BSD 3-Clause Flex variant", + "BSD-3-Clause-HP": "Hewlett-Packard BSD variant license", + "BSD-3-Clause-LBNL": "Lawrence Berkeley National Labs BSD variant license", + "BSD-3-Clause-Modification": "BSD 3-Clause Modification", + "BSD-3-Clause-No-Military-License": "BSD 3-Clause No Military License", + "BSD-3-Clause-No-Nuclear-License": "BSD 3-Clause No Nuclear License", + "BSD-3-Clause-No-Nuclear-License-2014": "BSD 3-Clause No Nuclear License 2014", + "BSD-3-Clause-No-Nuclear-Warranty": "BSD 3-Clause No Nuclear Warranty", + "BSD-3-Clause-Open-MPI": "BSD 3-Clause Open MPI variant", + "BSD-3-Clause-Sun": "BSD 3-Clause Sun Microsystems", + "BSD-3-Clause-Tso": "BSD 3-Clause Tso variant", + "BSD-4-Clause": "BSD 4-Clause \"Original\" or \"Old\" License", + "BSD-4-Clause-Shortened": "BSD 4 Clause Shortened", + "BSD-4-Clause-UC": "BSD-4-Clause (University of California-Specific)", + "BSD-4.3RENO": "BSD 4.3 RENO License", + "BSD-4.3TAHOE": "BSD 4.3 TAHOE License", + "BSD-Advertising-Acknowledgement": "BSD Advertising Acknowledgement License", + "BSD-Attribution-HPND-disclaimer": "BSD with Attribution and HPND disclaimer", + "BSD-Inferno-Nettverk": "BSD-Inferno-Nettverk", + "BSD-Mark-Modifications": "BSD Mark Modifications License", + "BSD-Protection": "BSD Protection License", + "BSD-Source-beginning-file": "BSD Source Code Attribution - beginning of file variant", + "BSD-Source-Code": "BSD Source Code Attribution", + "BSD-Systemics": "Systemics BSD variant license", + "BSD-Systemics-W3Works": "Systemics W3Works BSD variant license", + "BSL-1.0": "Boost Software License 1.0", + "Buddy": 
"Buddy License", + "BUSL-1.1": "Business Source License 1.1", + "bzip2-1.0.5": "bzip2 and libbzip2 License v1.0.5", + "bzip2-1.0.6": "bzip2 and libbzip2 License v1.0.6", + "C-UDA-1.0": "Computational Use of Data Agreement v1.0", + "CAL-1.0": "Cryptographic Autonomy License 1.0", + "CAL-1.0-Combined-Work-Exception": "Cryptographic Autonomy License 1.0 (Combined Work Exception)", + "Caldera": "Caldera License", + "Caldera-no-preamble": "Caldera License (without preamble)", + "CAPEC-tou": "Common Attack Pattern Enumeration and Classification License", + "Catharon": "Catharon License", + "CATOSL-1.1": "Computer Associates Trusted Open Source License 1.1", + "CC-BY-1.0": "Creative Commons Attribution 1.0 Generic", + "CC-BY-2.0": "Creative Commons Attribution 2.0 Generic", + "CC-BY-2.5": "Creative Commons Attribution 2.5 Generic", + "CC-BY-2.5-AU": "Creative Commons Attribution 2.5 Australia", + "CC-BY-3.0": "Creative Commons Attribution 3.0 Unported", + "CC-BY-3.0-AT": "Creative Commons Attribution 3.0 Austria", + "CC-BY-3.0-AU": "Creative Commons Attribution 3.0 Australia", + "CC-BY-3.0-DE": "Creative Commons Attribution 3.0 Germany", + "CC-BY-3.0-IGO": "Creative Commons Attribution 3.0 IGO", + "CC-BY-3.0-NL": "Creative Commons Attribution 3.0 Netherlands", + "CC-BY-3.0-US": "Creative Commons Attribution 3.0 United States", + "CC-BY-4.0": "Creative Commons Attribution 4.0 International", + "CC-BY-NC-1.0": "Creative Commons Attribution Non Commercial 1.0 Generic", + "CC-BY-NC-2.0": "Creative Commons Attribution Non Commercial 2.0 Generic", + "CC-BY-NC-2.5": "Creative Commons Attribution Non Commercial 2.5 Generic", + "CC-BY-NC-3.0": "Creative Commons Attribution Non Commercial 3.0 Unported", + "CC-BY-NC-3.0-DE": "Creative Commons Attribution Non Commercial 3.0 Germany", + "CC-BY-NC-4.0": "Creative Commons Attribution Non Commercial 4.0 International", + "CC-BY-NC-ND-1.0": "Creative Commons Attribution Non Commercial No Derivatives 1.0 Generic", + "CC-BY-NC-ND-2.0": 
"Creative Commons Attribution Non Commercial No Derivatives 2.0 Generic", + "CC-BY-NC-ND-2.5": "Creative Commons Attribution Non Commercial No Derivatives 2.5 Generic", + "CC-BY-NC-ND-3.0": "Creative Commons Attribution Non Commercial No Derivatives 3.0 Unported", + "CC-BY-NC-ND-3.0-DE": "Creative Commons Attribution Non Commercial No Derivatives 3.0 Germany", + "CC-BY-NC-ND-3.0-IGO": "Creative Commons Attribution Non Commercial No Derivatives 3.0 IGO", + "CC-BY-NC-ND-4.0": "Creative Commons Attribution Non Commercial No Derivatives 4.0 International", + "CC-BY-NC-SA-1.0": "Creative Commons Attribution Non Commercial Share Alike 1.0 Generic", + "CC-BY-NC-SA-2.0": "Creative Commons Attribution Non Commercial Share Alike 2.0 Generic", + "CC-BY-NC-SA-2.0-DE": "Creative Commons Attribution Non Commercial Share Alike 2.0 Germany", + "CC-BY-NC-SA-2.0-FR": "Creative Commons Attribution-NonCommercial-ShareAlike 2.0 France", + "CC-BY-NC-SA-2.0-UK": "Creative Commons Attribution Non Commercial Share Alike 2.0 England and Wales", + "CC-BY-NC-SA-2.5": "Creative Commons Attribution Non Commercial Share Alike 2.5 Generic", + "CC-BY-NC-SA-3.0": "Creative Commons Attribution Non Commercial Share Alike 3.0 Unported", + "CC-BY-NC-SA-3.0-DE": "Creative Commons Attribution Non Commercial Share Alike 3.0 Germany", + "CC-BY-NC-SA-3.0-IGO": "Creative Commons Attribution Non Commercial Share Alike 3.0 IGO", + "CC-BY-NC-SA-4.0": "Creative Commons Attribution Non Commercial Share Alike 4.0 International", + "CC-BY-ND-1.0": "Creative Commons Attribution No Derivatives 1.0 Generic", + "CC-BY-ND-2.0": "Creative Commons Attribution No Derivatives 2.0 Generic", + "CC-BY-ND-2.5": "Creative Commons Attribution No Derivatives 2.5 Generic", + "CC-BY-ND-3.0": "Creative Commons Attribution No Derivatives 3.0 Unported", + "CC-BY-ND-3.0-DE": "Creative Commons Attribution No Derivatives 3.0 Germany", + "CC-BY-ND-4.0": "Creative Commons Attribution No Derivatives 4.0 International", + "CC-BY-SA-1.0": 
"Creative Commons Attribution Share Alike 1.0 Generic", + "CC-BY-SA-2.0": "Creative Commons Attribution Share Alike 2.0 Generic", + "CC-BY-SA-2.0-UK": "Creative Commons Attribution Share Alike 2.0 England and Wales", + "CC-BY-SA-2.1-JP": "Creative Commons Attribution Share Alike 2.1 Japan", + "CC-BY-SA-2.5": "Creative Commons Attribution Share Alike 2.5 Generic", + "CC-BY-SA-3.0": "Creative Commons Attribution Share Alike 3.0 Unported", + "CC-BY-SA-3.0-AT": "Creative Commons Attribution Share Alike 3.0 Austria", + "CC-BY-SA-3.0-DE": "Creative Commons Attribution Share Alike 3.0 Germany", + "CC-BY-SA-3.0-IGO": "Creative Commons Attribution-ShareAlike 3.0 IGO", + "CC-BY-SA-4.0": "Creative Commons Attribution Share Alike 4.0 International", + "CC-PDDC": "Creative Commons Public Domain Dedication and Certification", + "CC-PDM-1.0": "Creative Commons Public Domain Mark 1.0 Universal", + "CC-SA-1.0": "Creative Commons Share Alike 1.0 Generic", + "CC0-1.0": "Creative Commons Zero v1.0 Universal", + "CDDL-1.0": "Common Development and Distribution License 1.0", + "CDDL-1.1": "Common Development and Distribution License 1.1", + "CDL-1.0": "Common Documentation License 1.0", + "CDLA-Permissive-1.0": "Community Data License Agreement Permissive 1.0", + "CDLA-Permissive-2.0": "Community Data License Agreement Permissive 2.0", + "CDLA-Sharing-1.0": "Community Data License Agreement Sharing 1.0", + "CECILL-1.0": "CeCILL Free Software License Agreement v1.0", + "CECILL-1.1": "CeCILL Free Software License Agreement v1.1", + "CECILL-2.0": "CeCILL Free Software License Agreement v2.0", + "CECILL-2.1": "CeCILL Free Software License Agreement v2.1", + "CECILL-B": "CeCILL-B Free Software License Agreement", + "CECILL-C": "CeCILL-C Free Software License Agreement", + "CERN-OHL-1.1": "CERN Open Hardware Licence v1.1", + "CERN-OHL-1.2": "CERN Open Hardware Licence v1.2", + "CERN-OHL-P-2.0": "CERN Open Hardware Licence Version 2 - Permissive", + "CERN-OHL-S-2.0": "CERN Open Hardware 
Licence Version 2 - Strongly Reciprocal", + "CERN-OHL-W-2.0": "CERN Open Hardware Licence Version 2 - Weakly Reciprocal", + "CFITSIO": "CFITSIO License", + "check-cvs": "check-cvs License", + "checkmk": "Checkmk License", + "ClArtistic": "Clarified Artistic License", + "Clips": "Clips License", + "CMU-Mach": "CMU Mach License", + "CMU-Mach-nodoc": "CMU Mach - no notices-in-documentation variant", + "CNRI-Jython": "CNRI Jython License", + "CNRI-Python": "CNRI Python License", + "CNRI-Python-GPL-Compatible": "CNRI Python Open Source GPL Compatible License Agreement", + "COIL-1.0": "Copyfree Open Innovation License", + "Community-Spec-1.0": "Community Specification License 1.0", + "Condor-1.1": "Condor Public License v1.1", + "copyleft-next-0.3.0": "copyleft-next 0.3.0", + "copyleft-next-0.3.1": "copyleft-next 0.3.1", + "Cornell-Lossless-JPEG": "Cornell Lossless JPEG License", + "CPAL-1.0": "Common Public Attribution License 1.0", + "CPL-1.0": "Common Public License 1.0", + "CPOL-1.02": "Code Project Open License 1.02", + "Cronyx": "Cronyx License", + "Crossword": "Crossword License", + "CryptoSwift": "CryptoSwift License", + "CrystalStacker": "CrystalStacker License", + "CUA-OPL-1.0": "CUA Office Public License v1.0", + "Cube": "Cube License", + "curl": "curl License", + "cve-tou": "Common Vulnerability Enumeration ToU License", + "D-FSL-1.0": "Deutsche Freie Software Lizenz", + "DEC-3-Clause": "DEC 3-Clause License", + "diffmark": "diffmark license", + "DL-DE-BY-2.0": "Data licence Germany \u2013 attribution \u2013 version 2.0", + "DL-DE-ZERO-2.0": "Data licence Germany \u2013 zero \u2013 version 2.0", + "DOC": "DOC License", + "DocBook-DTD": "DocBook DTD License", + "DocBook-Schema": "DocBook Schema License", + "DocBook-Stylesheet": "DocBook Stylesheet License", + "DocBook-XML": "DocBook XML License", + "Dotseqn": "Dotseqn License", + "DRL-1.0": "Detection Rule License 1.0", + "DRL-1.1": "Detection Rule License 1.1", + "DSDP": "DSDP License", + "dtoa": "David M. 
Gay dtoa License", + "dvipdfm": "dvipdfm License", + "ECL-1.0": "Educational Community License v1.0", + "ECL-2.0": "Educational Community License v2.0", + "eCos-2.0": "eCos license version 2.0", + "EFL-1.0": "Eiffel Forum License v1.0", + "EFL-2.0": "Eiffel Forum License v2.0", + "eGenix": "eGenix.com Public License 1.1.0", + "Elastic-2.0": "Elastic License 2.0", + "Entessa": "Entessa Public License v1.0", + "EPICS": "EPICS Open License", + "EPL-1.0": "Eclipse Public License 1.0", + "EPL-2.0": "Eclipse Public License 2.0", + "ErlPL-1.1": "Erlang Public License v1.1", + "ESA-PL-permissive-2.4": "European Space Agency Public License \u2013 v2.4 \u2013 Permissive (Type 3)", + "ESA-PL-strong-copyleft-2.4": "European Space Agency Public License (ESA-PL) - V2.4 - Strong Copyleft (Type 1)", + "ESA-PL-weak-copyleft-2.4": "European Space Agency Public License \u2013 v2.4 \u2013 Weak Copyleft (Type 2)", + "etalab-2.0": "Etalab Open License 2.0", + "EUDatagrid": "EU DataGrid Software License", + "EUPL-1.0": "European Union Public License 1.0", + "EUPL-1.1": "European Union Public License 1.1", + "EUPL-1.2": "European Union Public License 1.2", + "Eurosym": "Eurosym License", + "Fair": "Fair License", + "FBM": "Fuzzy Bitmap License", + "FDK-AAC": "Fraunhofer FDK AAC Codec Library", + "Ferguson-Twofish": "Ferguson Twofish License", + "Frameworx-1.0": "Frameworx Open License 1.0", + "FreeBSD-DOC": "FreeBSD Documentation License", + "FreeImage": "FreeImage Public License v1.0", + "FSFAP": "FSF All Permissive License", + "FSFAP-no-warranty-disclaimer": "FSF All Permissive License (without Warranty)", + "FSFUL": "FSF Unlimited License", + "FSFULLR": "FSF Unlimited License (with License Retention)", + "FSFULLRSD": "FSF Unlimited License (with License Retention and Short Disclaimer)", + "FSFULLRWD": "FSF Unlimited License (With License Retention and Warranty Disclaimer)", + "FSL-1.1-ALv2": "Functional Source License, Version 1.1, ALv2 Future License", + "FSL-1.1-MIT": "Functional 
Source License, Version 1.1, MIT Future License", + "FTL": "Freetype Project License", + "Furuseth": "Furuseth License", + "fwlw": "fwlw License", + "Game-Programming-Gems": "Game Programming Gems License", + "GCR-docs": "Gnome GCR Documentation License", + "GD": "GD License", + "generic-xts": "Generic XTS License", + "GFDL-1.1": "GNU Free Documentation License v1.1", + "GFDL-1.1-invariants-only": "GNU Free Documentation License v1.1 only - invariants", + "GFDL-1.1-invariants-or-later": "GNU Free Documentation License v1.1 or later - invariants", + "GFDL-1.1-no-invariants-only": "GNU Free Documentation License v1.1 only - no invariants", + "GFDL-1.1-no-invariants-or-later": "GNU Free Documentation License v1.1 or later - no invariants", + "GFDL-1.1-only": "GNU Free Documentation License v1.1 only", + "GFDL-1.1-or-later": "GNU Free Documentation License v1.1 or later", + "GFDL-1.2": "GNU Free Documentation License v1.2", + "GFDL-1.2-invariants-only": "GNU Free Documentation License v1.2 only - invariants", + "GFDL-1.2-invariants-or-later": "GNU Free Documentation License v1.2 or later - invariants", + "GFDL-1.2-no-invariants-only": "GNU Free Documentation License v1.2 only - no invariants", + "GFDL-1.2-no-invariants-or-later": "GNU Free Documentation License v1.2 or later - no invariants", + "GFDL-1.2-only": "GNU Free Documentation License v1.2 only", + "GFDL-1.2-or-later": "GNU Free Documentation License v1.2 or later", + "GFDL-1.3": "GNU Free Documentation License v1.3", + "GFDL-1.3-invariants-only": "GNU Free Documentation License v1.3 only - invariants", + "GFDL-1.3-invariants-or-later": "GNU Free Documentation License v1.3 or later - invariants", + "GFDL-1.3-no-invariants-only": "GNU Free Documentation License v1.3 only - no invariants", + "GFDL-1.3-no-invariants-or-later": "GNU Free Documentation License v1.3 or later - no invariants", + "GFDL-1.3-only": "GNU Free Documentation License v1.3 only", + "GFDL-1.3-or-later": "GNU Free Documentation License v1.3 or 
later", + "Giftware": "Giftware License", + "GL2PS": "GL2PS License", + "Glide": "3dfx Glide License", + "Glulxe": "Glulxe License", + "GLWTPL": "Good Luck With That Public License", + "gnuplot": "gnuplot License", + "GPL-1.0": "GNU General Public License v1.0 only", + "GPL-1.0+": "GNU General Public License v1.0 or later", + "GPL-1.0-only": "GNU General Public License v1.0 only", + "GPL-1.0-or-later": "GNU General Public License v1.0 or later", + "GPL-2.0": "GNU General Public License v2.0 only", + "GPL-2.0+": "GNU General Public License v2.0 or later", + "GPL-2.0-only": "GNU General Public License v2.0 only", + "GPL-2.0-or-later": "GNU General Public License v2.0 or later", + "GPL-2.0-with-autoconf-exception": "GNU General Public License v2.0 w\/Autoconf exception", + "GPL-2.0-with-bison-exception": "GNU General Public License v2.0 w\/Bison exception", + "GPL-2.0-with-classpath-exception": "GNU General Public License v2.0 w\/Classpath exception", + "GPL-2.0-with-font-exception": "GNU General Public License v2.0 w\/Font exception", + "GPL-2.0-with-GCC-exception": "GNU General Public License v2.0 w\/GCC Runtime Library exception", + "GPL-3.0": "GNU General Public License v3.0 only", + "GPL-3.0+": "GNU General Public License v3.0 or later", + "GPL-3.0-only": "GNU General Public License v3.0 only", + "GPL-3.0-or-later": "GNU General Public License v3.0 or later", + "GPL-3.0-with-autoconf-exception": "GNU General Public License v3.0 w\/Autoconf exception", + "GPL-3.0-with-GCC-exception": "GNU General Public License v3.0 w\/GCC Runtime Library exception", + "Graphics-Gems": "Graphics Gems License", + "gSOAP-1.3b": "gSOAP Public License v1.3b", + "gtkbook": "gtkbook License", + "Gutmann": "Gutmann License", + "HaskellReport": "Haskell Language Report License", + "HDF5": "HDF5 License", + "hdparm": "hdparm License", + "HIDAPI": "HIDAPI License", + "Hippocratic-2.1": "Hippocratic License 2.1", + "HP-1986": "Hewlett-Packard 1986 License", + "HP-1989": "Hewlett-Packard 1989 
License", + "HPND": "Historical Permission Notice and Disclaimer", + "HPND-DEC": "Historical Permission Notice and Disclaimer - DEC variant", + "HPND-doc": "Historical Permission Notice and Disclaimer - documentation variant", + "HPND-doc-sell": "Historical Permission Notice and Disclaimer - documentation sell variant", + "HPND-export-US": "HPND with US Government export control warning", + "HPND-export-US-acknowledgement": "HPND with US Government export control warning and acknowledgment", + "HPND-export-US-modify": "HPND with US Government export control warning and modification rqmt", + "HPND-export2-US": "HPND with US Government export control and 2 disclaimers", + "HPND-Fenneberg-Livingston": "Historical Permission Notice and Disclaimer - Fenneberg-Livingston variant", + "HPND-INRIA-IMAG": "Historical Permission Notice and Disclaimer - INRIA-IMAG variant", + "HPND-Intel": "Historical Permission Notice and Disclaimer - Intel variant", + "HPND-Kevlin-Henney": "Historical Permission Notice and Disclaimer - Kevlin Henney variant", + "HPND-Markus-Kuhn": "Historical Permission Notice and Disclaimer - Markus Kuhn variant", + "HPND-merchantability-variant": "Historical Permission Notice and Disclaimer - merchantability variant", + "HPND-MIT-disclaimer": "Historical Permission Notice and Disclaimer with MIT disclaimer", + "HPND-Netrek": "Historical Permission Notice and Disclaimer - Netrek variant", + "HPND-Pbmplus": "Historical Permission Notice and Disclaimer - Pbmplus variant", + "HPND-sell-MIT-disclaimer-xserver": "Historical Permission Notice and Disclaimer - sell xserver variant with MIT disclaimer", + "HPND-sell-regexpr": "Historical Permission Notice and Disclaimer - sell regexpr variant", + "HPND-sell-variant": "Historical Permission Notice and Disclaimer - sell variant", + "HPND-sell-variant-critical-systems": "HPND - sell variant with safety critical systems clause", + "HPND-sell-variant-MIT-disclaimer": "HPND sell variant with MIT disclaimer", + 
"HPND-sell-variant-MIT-disclaimer-rev": "HPND sell variant with MIT disclaimer - reverse", + "HPND-SMC": "Historical Permission Notice and Disclaimer - SMC variant", + "HPND-UC": "Historical Permission Notice and Disclaimer - University of California variant", + "HPND-UC-export-US": "Historical Permission Notice and Disclaimer - University of California, US export warning", + "HTMLTIDY": "HTML Tidy License", + "hyphen-bulgarian": "hyphen-bulgarian License", + "IBM-pibs": "IBM PowerPC Initialization and Boot Software", + "ICU": "ICU License", + "IEC-Code-Components-EULA": "IEC Code Components End-user licence agreement", + "IJG": "Independent JPEG Group License", + "IJG-short": "Independent JPEG Group License - short", + "ImageMagick": "ImageMagick License", + "iMatix": "iMatix Standard Function Library Agreement", + "Imlib2": "Imlib2 License", + "Info-ZIP": "Info-ZIP License", + "Inner-Net-2.0": "Inner Net License v2.0", + "InnoSetup": "Inno Setup License", + "Intel": "Intel Open Source License", + "Intel-ACPI": "Intel ACPI Software License Agreement", + "Interbase-1.0": "Interbase Public License v1.0", + "IPA": "IPA Font License", + "IPL-1.0": "IBM Public License v1.0", + "ISC": "ISC License", + "ISC-Veillard": "ISC Veillard variant", + "ISO-permission": "ISO permission notice", + "Jam": "Jam License", + "JasPer-2.0": "JasPer License", + "jove": "Jove License", + "JPL-image": "JPL Image Use Policy", + "JPNIC": "Japan Network Information Center License", + "JSON": "JSON License", + "Kastrup": "Kastrup License", + "Kazlib": "Kazlib License", + "Knuth-CTAN": "Knuth CTAN License", + "LAL-1.2": "Licence Art Libre 1.2", + "LAL-1.3": "Licence Art Libre 1.3", + "Latex2e": "Latex2e License", + "Latex2e-translated-notice": "Latex2e with translated notice permission", + "Leptonica": "Leptonica License", + "LGPL-2.0": "GNU Library General Public License v2 only", + "LGPL-2.0+": "GNU Library General Public License v2 or later", + "LGPL-2.0-only": "GNU Library General Public 
License v2 only", + "LGPL-2.0-or-later": "GNU Library General Public License v2 or later", + "LGPL-2.1": "GNU Lesser General Public License v2.1 only", + "LGPL-2.1+": "GNU Lesser General Public License v2.1 or later", + "LGPL-2.1-only": "GNU Lesser General Public License v2.1 only", + "LGPL-2.1-or-later": "GNU Lesser General Public License v2.1 or later", + "LGPL-3.0": "GNU Lesser General Public License v3.0 only", + "LGPL-3.0+": "GNU Lesser General Public License v3.0 or later", + "LGPL-3.0-only": "GNU Lesser General Public License v3.0 only", + "LGPL-3.0-or-later": "GNU Lesser General Public License v3.0 or later", + "LGPLLR": "Lesser General Public License For Linguistic Resources", + "Libpng": "libpng License", + "libpng-1.6.35": "PNG Reference Library License v1 (for libpng 0.5 through 1.6.35)", + "libpng-2.0": "PNG Reference Library version 2", + "libselinux-1.0": "libselinux public domain notice", + "libtiff": "libtiff License", + "libutil-David-Nugent": "libutil David Nugent License", + "LiLiQ-P-1.1": "Licence Libre du Qu\u00E9bec \u2013 Permissive version 1.1", + "LiLiQ-R-1.1": "Licence Libre du Qu\u00E9bec \u2013 R\u00E9ciprocit\u00E9 version 1.1", + "LiLiQ-Rplus-1.1": "Licence Libre du Qu\u00E9bec \u2013 R\u00E9ciprocit\u00E9 forte version 1.1", + "Linux-man-pages-1-para": "Linux man-pages - 1 paragraph", + "Linux-man-pages-copyleft": "Linux man-pages Copyleft", + "Linux-man-pages-copyleft-2-para": "Linux man-pages Copyleft - 2 paragraphs", + "Linux-man-pages-copyleft-var": "Linux man-pages Copyleft Variant", + "Linux-OpenIB": "Linux Kernel Variant of OpenIB.org license", + "LOOP": "Common Lisp LOOP License", + "LPD-document": "LPD Documentation License", + "LPL-1.0": "Lucent Public License Version 1.0", + "LPL-1.02": "Lucent Public License v1.02", + "LPPL-1.0": "LaTeX Project Public License v1.0", + "LPPL-1.1": "LaTeX Project Public License v1.1", + "LPPL-1.2": "LaTeX Project Public License v1.2", + "LPPL-1.3a": "LaTeX Project Public License v1.3a", + 
"LPPL-1.3c": "LaTeX Project Public License v1.3c", + "lsof": "lsof License", + "Lucida-Bitmap-Fonts": "Lucida Bitmap Fonts License", + "LZMA-SDK-9.11-to-9.20": "LZMA SDK License (versions 9.11 to 9.20)", + "LZMA-SDK-9.22": "LZMA SDK License (versions 9.22 and beyond)", + "Mackerras-3-Clause": "Mackerras 3-Clause License", + "Mackerras-3-Clause-acknowledgment": "Mackerras 3-Clause - acknowledgment variant", + "magaz": "magaz License", + "mailprio": "mailprio License", + "MakeIndex": "MakeIndex License", + "man2html": "man2html License", + "Martin-Birgmeier": "Martin Birgmeier License", + "McPhee-slideshow": "McPhee Slideshow License", + "metamail": "metamail License", + "Minpack": "Minpack License", + "MIPS": "MIPS License", + "MirOS": "The MirOS Licence", + "MIT": "MIT License", + "MIT-0": "MIT No Attribution", + "MIT-advertising": "Enlightenment License (e16)", + "MIT-Click": "MIT Click License", + "MIT-CMU": "CMU License", + "MIT-enna": "enna License", + "MIT-feh": "feh License", + "MIT-Festival": "MIT Festival Variant", + "MIT-Khronos-old": "MIT Khronos - old variant", + "MIT-Modern-Variant": "MIT License Modern Variant", + "MIT-open-group": "MIT Open Group variant", + "MIT-STK": "MIT-STK License", + "MIT-testregex": "MIT testregex Variant", + "MIT-Wu": "MIT Tom Wu Variant", + "MITNFA": "MIT +no-false-attribs license", + "MMIXware": "MMIXware License", + "MMPL-1.0.1": "Minecraft Mod Public License v1.0.1", + "Motosoto": "Motosoto License", + "MPEG-SSG": "MPEG Software Simulation", + "mpi-permissive": "mpi Permissive License", + "mpich2": "mpich2 License", + "MPL-1.0": "Mozilla Public License 1.0", + "MPL-1.1": "Mozilla Public License 1.1", + "MPL-2.0": "Mozilla Public License 2.0", + "MPL-2.0-no-copyleft-exception": "Mozilla Public License 2.0 (no copyleft exception)", + "mplus": "mplus Font License", + "MS-LPL": "Microsoft Limited Public License", + "MS-PL": "Microsoft Public License", + "MS-RL": "Microsoft Reciprocal License", + "MTLL": "Matrix Template 
Library License", + "MulanPSL-1.0": "Mulan Permissive Software License, Version 1", + "MulanPSL-2.0": "Mulan Permissive Software License, Version 2", + "Multics": "Multics License", + "Mup": "Mup License", + "NAIST-2003": "Nara Institute of Science and Technology License (2003)", + "NASA-1.3": "NASA Open Source Agreement 1.3", + "Naumen": "Naumen Public License", + "NBPL-1.0": "Net Boolean Public License v1", + "NCBI-PD": "NCBI Public Domain Notice", + "NCGL-UK-2.0": "Non-Commercial Government Licence", + "NCL": "NCL Source Code License", + "NCSA": "University of Illinois\/NCSA Open Source License", + "Net-SNMP": "Net-SNMP License", + "NetCDF": "NetCDF license", + "Newsletr": "Newsletr License", + "NGPL": "Nethack General Public License", + "ngrep": "ngrep License", + "NICTA-1.0": "NICTA Public Software License, Version 1.0", + "NIST-PD": "NIST Public Domain Notice", + "NIST-PD-fallback": "NIST Public Domain Notice with license fallback", + "NIST-PD-TNT": "NIST Public Domain Notice TNT variant", + "NIST-Software": "NIST Software License", + "NLOD-1.0": "Norwegian Licence for Open Government Data (NLOD) 1.0", + "NLOD-2.0": "Norwegian Licence for Open Government Data (NLOD) 2.0", + "NLPL": "No Limit Public License", + "Nokia": "Nokia Open Source License", + "NOSL": "Netizen Open Source License", + "Noweb": "Noweb License", + "NPL-1.0": "Netscape Public License v1.0", + "NPL-1.1": "Netscape Public License v1.1", + "NPOSL-3.0": "Non-Profit Open Software License 3.0", + "NRL": "NRL License", + "NTIA-PD": "NTIA Public Domain Notice", + "NTP": "NTP License", + "NTP-0": "NTP No Attribution", + "Nunit": "Nunit License", + "O-UDA-1.0": "Open Use of Data Agreement v1.0", + "OAR": "OAR License", + "OCCT-PL": "Open CASCADE Technology Public License", + "OCLC-2.0": "OCLC Research Public License 2.0", + "ODbL-1.0": "Open Data Commons Open Database License v1.0", + "ODC-By-1.0": "Open Data Commons Attribution License v1.0", + "OFFIS": "OFFIS License", + "OFL-1.0": "SIL Open Font 
License 1.0", + "OFL-1.0-no-RFN": "SIL Open Font License 1.0 with no Reserved Font Name", + "OFL-1.0-RFN": "SIL Open Font License 1.0 with Reserved Font Name", + "OFL-1.1": "SIL Open Font License 1.1", + "OFL-1.1-no-RFN": "SIL Open Font License 1.1 with no Reserved Font Name", + "OFL-1.1-RFN": "SIL Open Font License 1.1 with Reserved Font Name", + "OGC-1.0": "OGC Software License, Version 1.0", + "OGDL-Taiwan-1.0": "Taiwan Open Government Data License, version 1.0", + "OGL-Canada-2.0": "Open Government Licence - Canada", + "OGL-UK-1.0": "Open Government Licence v1.0", + "OGL-UK-2.0": "Open Government Licence v2.0", + "OGL-UK-3.0": "Open Government Licence v3.0", + "OGTSL": "Open Group Test Suite License", + "OLDAP-1.1": "Open LDAP Public License v1.1", + "OLDAP-1.2": "Open LDAP Public License v1.2", + "OLDAP-1.3": "Open LDAP Public License v1.3", + "OLDAP-1.4": "Open LDAP Public License v1.4", + "OLDAP-2.0": "Open LDAP Public License v2.0 (or possibly 2.0A and 2.0B)", + "OLDAP-2.0.1": "Open LDAP Public License v2.0.1", + "OLDAP-2.1": "Open LDAP Public License v2.1", + "OLDAP-2.2": "Open LDAP Public License v2.2", + "OLDAP-2.2.1": "Open LDAP Public License v2.2.1", + "OLDAP-2.2.2": "Open LDAP Public License 2.2.2", + "OLDAP-2.3": "Open LDAP Public License v2.3", + "OLDAP-2.4": "Open LDAP Public License v2.4", + "OLDAP-2.5": "Open LDAP Public License v2.5", + "OLDAP-2.6": "Open LDAP Public License v2.6", + "OLDAP-2.7": "Open LDAP Public License v2.7", + "OLDAP-2.8": "Open LDAP Public License v2.8", + "OLFL-1.3": "Open Logistics Foundation License Version 1.3", + "OML": "Open Market License", + "OpenMDW-1.0": "OpenMDW License Agreement v1.0", + "OpenPBS-2.3": "OpenPBS v2.3 Software License", + "OpenSSL": "OpenSSL License", + "OpenSSL-standalone": "OpenSSL License - standalone", + "OpenVision": "OpenVision License", + "OPL-1.0": "Open Public License v1.0", + "OPL-UK-3.0": "United Kingdom Open Parliament Licence v3.0", + "OPUBL-1.0": "Open Publication License v1.0", + 
"OSC-1.0": "OSC License 1.0", + "OSET-PL-2.1": "OSET Public License version 2.1", + "OSL-1.0": "Open Software License 1.0", + "OSL-1.1": "Open Software License 1.1", + "OSL-2.0": "Open Software License 2.0", + "OSL-2.1": "Open Software License 2.1", + "OSL-3.0": "Open Software License 3.0", + "OSSP": "OSSP License", + "PADL": "PADL License", + "ParaType-Free-Font-1.3": "ParaType Free Font Licensing Agreement v1.3", + "Parity-6.0.0": "The Parity Public License 6.0.0", + "Parity-7.0.0": "The Parity Public License 7.0.0", + "PDDL-1.0": "Open Data Commons Public Domain Dedication & License 1.0", + "PHP-3.0": "PHP License v3.0", + "PHP-3.01": "PHP License v3.01", + "Pixar": "Pixar License", + "pkgconf": "pkgconf License", + "Plexus": "Plexus Classworlds License", + "pnmstitch": "pnmstitch License", + "PolyForm-Noncommercial-1.0.0": "PolyForm Noncommercial License 1.0.0", + "PolyForm-Small-Business-1.0.0": "PolyForm Small Business License 1.0.0", + "PostgreSQL": "PostgreSQL License", + "PPL": "Peer Production License", + "PSF-2.0": "Python Software Foundation License 2.0", + "psfrag": "psfrag License", + "psutils": "psutils License", + "Python-2.0": "Python License 2.0", + "Python-2.0.1": "Python License 2.0.1", + "python-ldap": "Python ldap License", + "Qhull": "Qhull License", + "QPL-1.0": "Q Public License 1.0", + "QPL-1.0-INRIA-2004": "Q Public License 1.0 - INRIA 2004 variant", + "radvd": "radvd License", + "Rdisc": "Rdisc License", + "RHeCos-1.1": "Red Hat eCos Public License v1.1", + "RPL-1.1": "Reciprocal Public License 1.1", + "RPL-1.5": "Reciprocal Public License 1.5", + "RPSL-1.0": "RealNetworks Public Source License v1.0", + "RSA-MD": "RSA Message-Digest License", + "RSCPL": "Ricoh Source Code Public License", + "Ruby": "Ruby License", + "Ruby-pty": "Ruby pty extension license", + "SAX-PD": "Sax Public Domain Notice", + "SAX-PD-2.0": "Sax Public Domain Notice 2.0", + "Saxpath": "Saxpath License", + "SCEA": "SCEA Shared Source License", + "SchemeReport": 
"Scheme Language Report License", + "Sendmail": "Sendmail License", + "Sendmail-8.23": "Sendmail License 8.23", + "Sendmail-Open-Source-1.1": "Sendmail Open Source License v1.1", + "SGI-B-1.0": "SGI Free Software License B v1.0", + "SGI-B-1.1": "SGI Free Software License B v1.1", + "SGI-B-2.0": "SGI Free Software License B v2.0", + "SGI-OpenGL": "SGI OpenGL License", + "SGMLUG-PM": "SGMLUG Parser Materials License", + "SGP4": "SGP4 Permission Notice", + "SHL-0.5": "Solderpad Hardware License v0.5", + "SHL-0.51": "Solderpad Hardware License, Version 0.51", + "SimPL-2.0": "Simple Public License 2.0", + "SISSL": "Sun Industry Standards Source License v1.1", + "SISSL-1.2": "Sun Industry Standards Source License v1.2", + "SL": "SL License", + "Sleepycat": "Sleepycat License", + "SMAIL-GPL": "SMAIL General Public License", + "SMLNJ": "Standard ML of New Jersey License", + "SMPPL": "Secure Messaging Protocol Public License", + "SNIA": "SNIA Public License 1.1", + "snprintf": "snprintf License", + "SOFA": "SOFA Software License", + "softSurfer": "softSurfer License", + "Soundex": "Soundex License", + "Spencer-86": "Spencer License 86", + "Spencer-94": "Spencer License 94", + "Spencer-99": "Spencer License 99", + "SPL-1.0": "Sun Public License v1.0", + "ssh-keyscan": "ssh-keyscan License", + "SSH-OpenSSH": "SSH OpenSSH license", + "SSH-short": "SSH short notice", + "SSLeay-standalone": "SSLeay License - standalone", + "SSPL-1.0": "Server Side Public License, v 1", + "StandardML-NJ": "Standard ML of New Jersey License", + "SugarCRM-1.1.3": "SugarCRM Public License v1.1.3", + "SUL-1.0": "Sustainable Use License v1.0", + "Sun-PPP": "Sun PPP License", + "Sun-PPP-2000": "Sun PPP License (2000)", + "SunPro": "SunPro License", + "SWL": "Scheme Widget Library (SWL) Software License Agreement", + "swrule": "swrule License", + "Symlinks": "Symlinks License", + "TAPR-OHL-1.0": "TAPR Open Hardware License v1.0", + "TCL": "TCL\/TK License", + "TCP-wrappers": "TCP Wrappers License", + 
"TekHVC": "TekHVC License", + "TermReadKey": "TermReadKey License", + "TGPPL-1.0": "Transitive Grace Period Public Licence 1.0", + "ThirdEye": "ThirdEye License", + "threeparttable": "threeparttable License", + "TMate": "TMate Open Source License", + "TORQUE-1.1": "TORQUE v2.5+ Software License v1.1", + "TOSL": "Trusster Open Source License", + "TPDL": "Time::ParseDate License", + "TPL-1.0": "THOR Public License 1.0", + "TrustedQSL": "TrustedQSL License", + "TTWL": "Text-Tabs+Wrap License", + "TTYP0": "TTYP0 License", + "TU-Berlin-1.0": "Technische Universitaet Berlin License 1.0", + "TU-Berlin-2.0": "Technische Universitaet Berlin License 2.0", + "Ubuntu-font-1.0": "Ubuntu Font Licence v1.0", + "UCAR": "UCAR License", + "UCL-1.0": "Upstream Compatibility License v1.0", + "ulem": "ulem License", + "UMich-Merit": "Michigan\/Merit Networks License", + "Unicode-3.0": "Unicode License v3", + "Unicode-DFS-2015": "Unicode License Agreement - Data Files and Software (2015)", + "Unicode-DFS-2016": "Unicode License Agreement - Data Files and Software (2016)", + "Unicode-TOU": "Unicode Terms of Use", + "UnixCrypt": "UnixCrypt License", + "Unlicense": "The Unlicense", + "Unlicense-libtelnet": "Unlicense - libtelnet variant", + "Unlicense-libwhirlpool": "Unlicense - libwhirlpool variant", + "UnRAR": "UnRAR License", + "UPL-1.0": "Universal Permissive License v1.0", + "URT-RLE": "Utah Raster Toolkit Run Length Encoded License", + "Vim": "Vim License", + "Vixie-Cron": "Vixie Cron License", + "VOSTROM": "VOSTROM Public License for Open Source", + "VSL-1.0": "Vovida Software License v1.0", + "W3C": "W3C Software Notice and License (2002-12-31)", + "W3C-19980720": "W3C Software Notice and License (1998-07-20)", + "W3C-20150513": "W3C Software Notice and Document License (2015-05-13)", + "w3m": "w3m License", + "Watcom-1.0": "Sybase Open Watcom Public License 1.0", + "Widget-Workshop": "Widget Workshop License", + "WordNet": "WordNet License", + "Wsuipa": "Wsuipa License", + 
"WTFNMFPL": "Do What The F*ck You Want To But It's Not My Fault Public License", + "WTFPL": "Do What The F*ck You Want To Public License", + "wwl": "WWL License", + "wxWindows": "wxWindows Library License", + "X11": "X11 License", + "X11-distribute-modifications-variant": "X11 License Distribution Modification Variant", + "X11-no-permit-persons": "X11 no permit persons clause", + "X11-swapped": "X11 swapped final paragraphs", + "Xdebug-1.03": "Xdebug License v 1.03", + "Xerox": "Xerox License", + "Xfig": "Xfig License", + "XFree86-1.1": "XFree86 License 1.1", + "xinetd": "xinetd License", + "xkeyboard-config-Zinoviev": "xkeyboard-config Zinoviev License", + "xlock": "xlock License", + "Xnet": "X.Net License", + "xpp": "XPP License", + "XSkat": "XSkat License", + "xzoom": "xzoom License", + "YPL-1.0": "Yahoo! Public License v1.0", + "YPL-1.1": "Yahoo! Public License v1.1", + "Zed": "Zed License", + "Zeeff": "Zeeff License", + "Zend-2.0": "Zend License v2.0", + "Zimbra-1.3": "Zimbra Public License v1.3", + "Zimbra-1.4": "Zimbra Public License v1.4", + "Zlib": "zlib License", + "zlib-acknowledgement": "zlib\/libpng License with Acknowledgement", + "ZPL-1.1": "Zope Public License 1.1", + "ZPL-2.0": "Zope Public License 2.0", + "ZPL-2.1": "Zope Public License 2.1", + "389-exception": "389 Directory Server Exception", + "Asterisk-exception": "Asterisk exception", + "Asterisk-linking-protocols-exception": "Asterisk linking protocols exception", + "Autoconf-exception-2.0": "Autoconf exception 2.0", + "Autoconf-exception-3.0": "Autoconf exception 3.0", + "Autoconf-exception-generic": "Autoconf generic exception", + "Autoconf-exception-generic-3.0": "Autoconf generic exception for GPL-3.0", + "Autoconf-exception-macro": "Autoconf macro exception", + "Bison-exception-1.24": "Bison exception 1.24", + "Bison-exception-2.2": "Bison exception 2.2", + "Bootloader-exception": "Bootloader Distribution Exception", + "CGAL-linking-exception": "CGAL Linking Exception", + 
"Classpath-exception-2.0": "Classpath exception 2.0", + "Classpath-exception-2.0-short": "Classpath exception 2.0 - short", + "CLISP-exception-2.0": "CLISP exception 2.0", + "cryptsetup-OpenSSL-exception": "cryptsetup OpenSSL exception", + "Digia-Qt-LGPL-exception-1.1": "Digia Qt LGPL Exception version 1.1", + "DigiRule-FOSS-exception": "DigiRule FOSS License Exception", + "eCos-exception-2.0": "eCos exception 2.0", + "erlang-otp-linking-exception": "Erlang\/OTP Linking Exception", + "Fawkes-Runtime-exception": "Fawkes Runtime Exception", + "FLTK-exception": "FLTK exception", + "fmt-exception": "fmt exception", + "Font-exception-2.0": "Font exception 2.0", + "freertos-exception-2.0": "FreeRTOS Exception 2.0", + "GCC-exception-2.0": "GCC Runtime Library exception 2.0", + "GCC-exception-2.0-note": "GCC Runtime Library exception 2.0 - note variant", + "GCC-exception-3.1": "GCC Runtime Library exception 3.1", + "Gmsh-exception": "Gmsh exception", + "GNAT-exception": "GNAT exception", + "GNOME-examples-exception": "GNOME examples exception", + "GNU-compiler-exception": "GNU Compiler Exception", + "gnu-javamail-exception": "GNU JavaMail exception", + "GPL-3.0-389-ds-base-exception": "GPL-3.0 389 DS Base Exception", + "GPL-3.0-interface-exception": "GPL-3.0 Interface Exception", + "GPL-3.0-linking-exception": "GPL-3.0 Linking Exception", + "GPL-3.0-linking-source-exception": "GPL-3.0 Linking Exception (with Corresponding Source)", + "GPL-CC-1.0": "GPL Cooperation Commitment 1.0", + "GStreamer-exception-2005": "GStreamer Exception (2005)", + "GStreamer-exception-2008": "GStreamer Exception (2008)", + "harbour-exception": "harbour exception", + "i2p-gpl-java-exception": "i2p GPL+Java Exception", + "Independent-modules-exception": "Independent Module Linking exception", + "KiCad-libraries-exception": "KiCad Libraries Exception", + "kvirc-openssl-exception": "kvirc OpenSSL Exception", + "LGPL-3.0-linking-exception": "LGPL-3.0 Linking Exception", + "libpri-OpenH323-exception": 
"libpri OpenH323 exception", + "Libtool-exception": "Libtool Exception", + "Linux-syscall-note": "Linux Syscall Note", + "LLGPL": "LLGPL Preamble", + "LLVM-exception": "LLVM Exception", + "LZMA-exception": "LZMA exception", + "mif-exception": "Macros and Inline Functions Exception", + "mxml-exception": "mxml Exception", + "Nokia-Qt-exception-1.1": "Nokia Qt LGPL exception 1.1", + "OCaml-LGPL-linking-exception": "OCaml LGPL Linking Exception", + "OCCT-exception-1.0": "Open CASCADE Exception 1.0", + "OpenJDK-assembly-exception-1.0": "OpenJDK Assembly exception 1.0", + "openvpn-openssl-exception": "OpenVPN OpenSSL Exception", + "PCRE2-exception": "PCRE2 exception", + "polyparse-exception": "Polyparse Exception", + "PS-or-PDF-font-exception-20170817": "PS\/PDF font exception (2017-08-17)", + "QPL-1.0-INRIA-2004-exception": "INRIA QPL 1.0 2004 variant exception", + "Qt-GPL-exception-1.0": "Qt GPL exception 1.0", + "Qt-LGPL-exception-1.1": "Qt LGPL exception 1.1", + "Qwt-exception-1.0": "Qwt exception 1.0", + "romic-exception": "Romic Exception", + "RRDtool-FLOSS-exception-2.0": "RRDtool FLOSS exception 2.0", + "rsync-linking-exception": "rsync Linking Exception", + "SANE-exception": "SANE Exception", + "SHL-2.0": "Solderpad Hardware License v2.0", + "SHL-2.1": "Solderpad Hardware License v2.1", + "Simple-Library-Usage-exception": "Simple Library Usage Exception", + "sqlitestudio-OpenSSL-exception": "sqlitestudio OpenSSL exception", + "stunnel-exception": "stunnel Exception", + "SWI-exception": "SWI exception", + "Swift-exception": "Swift Exception", + "Texinfo-exception": "Texinfo exception", + "u-boot-exception-2.0": "U-Boot exception 2.0", + "UBDL-exception": "Unmodified Binary Distribution exception", + "Universal-FOSS-exception-1.0": "Universal FOSS Exception, Version 1.0", + "vsftpd-openssl-exception": "vsftpd OpenSSL exception", + "WxWindows-exception-3.1": "WxWindows Library Exception 3.1", + "x11vnc-openssl-exception": "x11vnc OpenSSL Exception" + } +} \ No 
newline at end of file diff --git a/schema/cyclonedx/spdx.xsd b/schema/cyclonedx/spdx.xsd index 41a27b02d..e94c265bd 100644 --- a/schema/cyclonedx/spdx.xsd +++ b/schema/cyclonedx/spdx.xsd @@ -2,7 +2,7 @@ + version="1.0-3.28.0"> @@ -57,6 +57,11 @@ Amazon Digital Services License + + + Advanced Cryptics Dictionary License + + Academic Free License v1.1 @@ -122,6 +127,11 @@ Aladdin Free Public License + + + ALGLIB Documentation License + + AMD newlib License @@ -327,6 +337,11 @@ Boehm-Demers-Weiser GC License (without fee) + + + Buena Onda License Agreement v1.1 + + Borceux license @@ -457,6 +472,11 @@ BSD 3-Clause Sun Microsystems + + + BSD 3-Clause Tso variant + + BSD 4-Clause "Original" or "Old" License @@ -497,6 +517,11 @@ BSD-Inferno-Nettverk + + + BSD Mark Modifications License + + BSD Protection License @@ -527,6 +552,11 @@ Boost Software License 1.0 + + + Buddy License + + Business Source License 1.1 @@ -567,6 +597,11 @@ Caldera License (without preamble) + + + Common Attack Pattern Enumeration and Classification License + + Catharon License @@ -1212,6 +1247,21 @@ Erlang Public License v1.1 + + + European Space Agency Public License – v2.4 – Permissive (Type 3) + + + + + European Space Agency Public License (ESA-PL) - V2.4 - Strong Copyleft (Type 1) + + + + + European Space Agency Public License – v2.4 – Weak Copyleft (Type 2) + + Etalab Open License 2.0 @@ -1737,6 +1787,11 @@ Historical Permission Notice and Disclaimer - sell variant + + + HPND - sell variant with safety critical systems clause + + HPND sell variant with MIT disclaimer @@ -1747,6 +1802,11 @@ HPND sell variant with MIT disclaimer - reverse + + + Historical Permission Notice and Disclaimer - SMC variant + + Historical Permission Notice and Disclaimer - University of California variant @@ -1762,6 +1822,11 @@ HTML Tidy License + + + hyphen-bulgarian License + + IBM PowerPC Initialization and Boot Software @@ -1852,6 +1917,11 @@ ISC Veillard variant + + + ISO permission notice + + Jam License 
@@ -2237,6 +2307,11 @@ MIT Open Group variant + + + MIT-STK License + + MIT testregex Variant @@ -2257,6 +2332,11 @@ MMIXware License + + + Minecraft Mod Public License v1.0.1 + + Motosoto License @@ -2422,6 +2502,11 @@ NIST Public Domain Notice with license fallback + + + NIST Public Domain Notice TNT variant + + NIST Software License @@ -2687,6 +2772,11 @@ Open Market License + + + OpenMDW License Agreement v1.0 + + OpenPBS v2.3 Software License @@ -2722,6 +2812,11 @@ Open Publication License v1.0 + + + OSC License 1.0 + + OSET Public License version 2.1 @@ -2752,11 +2847,21 @@ Open Software License 3.0 + + + OSSP License + + PADL License + + + ParaType Free Font Licensing Agreement v1.3 + + The Parity Public License 6.0.0 @@ -2977,6 +3082,11 @@ SGI OpenGL License + + + SGMLUG Parser Materials License + + SGP4 Permission Notice @@ -3162,6 +3272,11 @@ TCP Wrappers License + + + TekHVC License + + TermReadKey License @@ -3297,6 +3412,11 @@ Unlicense - libwhirlpool variant + + + UnRAR License + + Universal Permissive License v1.0 @@ -3312,6 +3432,11 @@ Vim License + + + Vixie Cron License + + VOSTROM Public License for Open Source @@ -3352,11 +3477,21 @@ Widget Workshop License + + + WordNet License + + Wsuipa License + + + Do What The F*ck You Want To But It's Not My Fault Public License + + Do What The F*ck You Want To Public License @@ -3382,6 +3517,11 @@ X11 License Distribution Modification Variant + + + X11 no permit persons clause + + X11 swapped final paragraphs @@ -3568,6 +3708,11 @@ Classpath exception 2.0 + + + Classpath exception 2.0 - short + + CLISP exception 2.0 @@ -3718,6 +3863,11 @@ KiCad Libraries Exception + + + kvirc OpenSSL Exception + + LGPL-3.0 Linking Exception @@ -3833,6 +3983,11 @@ RRDtool FLOSS exception 2.0 + + + rsync Linking Exception + + SANE Exception @@ -3848,6 +4003,16 @@ Solderpad Hardware License v2.1 + + + Simple Library Usage Exception + + + + + sqlitestudio OpenSSL exception + + stunnel Exception 
diff --git a/syft/format/cyclonedxjson/testdata/identify/1.7.json b/syft/format/cyclonedxjson/testdata/identify/1.7.json new file mode 100644 index 000000000..fc4b33720 --- /dev/null +++ b/syft/format/cyclonedxjson/testdata/identify/1.7.json @@ -0,0 +1,59 @@ +{ + "$schema": "http://cyclonedx.org/schema/bom-1.7.schema.json", + "bomFormat": "CycloneDX", + "specVersion": "1.7", + "serialNumber": "urn:uuid:5208fea9-73dd-4624-b596-69fddccdb9e7", + "version": 1, + "metadata": { + "timestamp": "2023-09-29T12:02:02-04:00", + "tools": [ + { + "vendor": "anchore", + "name": "syft", + "version": "[not provided]" + } + ], + "component": { + "bom-ref": "a0ff99a6af10f11f", + "type": "file", + "name": "go.mod", + "version": "sha256:sha256:dc333f342905248a52e424d8dfd061251d01867d01a4f9d7397144a775ff9ebd" + } + }, + "components": [ + { + "bom-ref": "pkg:golang/github.com/wagoodman/go-partybus@v0.0.0-20230516145632-8ccac152c651?package-id=2ff71a67fb024c86", + "type": "library", + "name": "github.com/wagoodman/go-partybus", + "version": "v0.0.0-20230516145632-8ccac152c651", + "cpe": "cpe:2.3:a:wagoodman:go-partybus:v0.0.0-20230516145632-8ccac152c651:*:*:*:*:*:*:*", + "purl": "pkg:golang/github.com/wagoodman/go-partybus@v0.0.0-20230516145632-8ccac152c651", + "properties": [ + { + "name": "syft:package:foundBy", + "value": "go-module-file-cataloger" + }, + { + "name": "syft:package:language", + "value": "go" + }, + { + "name": "syft:package:metadataType", + "value": "GolangModMetadata" + }, + { + "name": "syft:package:type", + "value": "go-module" + }, + { + "name": "syft:cpe23", + "value": "cpe:2.3:a:wagoodman:go_partybus:v0.0.0-20230516145632-8ccac152c651:*:*:*:*:*:*:*" + }, + { + "name": "syft:location:0:path", + "value": "/go.mod" + } + ] + } + ] +} diff --git a/syft/format/cyclonedxjson/testdata/snapshot/TestCycloneDxDirectoryEncoder.golden b/syft/format/cyclonedxjson/testdata/snapshot/TestCycloneDxDirectoryEncoder.golden index 7bdb196b9..f37de90e8 100644 
--- a/syft/format/cyclonedxjson/testdata/snapshot/TestCycloneDxDirectoryEncoder.golden +++ b/syft/format/cyclonedxjson/testdata/snapshot/TestCycloneDxDirectoryEncoder.golden @@ -1,7 +1,7 @@ { - "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json", + "$schema": "http://cyclonedx.org/schema/bom-1.7.schema.json", "bomFormat": "CycloneDX", - "specVersion": "1.6", + "specVersion": "1.7", "serialNumber": "urn:uuid:redacted", "version": 1, "metadata": { diff --git a/syft/format/cyclonedxjson/testdata/snapshot/TestCycloneDxImageEncoder.golden b/syft/format/cyclonedxjson/testdata/snapshot/TestCycloneDxImageEncoder.golden index fab1acd75..075961803 100644 --- a/syft/format/cyclonedxjson/testdata/snapshot/TestCycloneDxImageEncoder.golden +++ b/syft/format/cyclonedxjson/testdata/snapshot/TestCycloneDxImageEncoder.golden @@ -1,7 +1,7 @@ { - "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json", + "$schema": "http://cyclonedx.org/schema/bom-1.7.schema.json", "bomFormat": "CycloneDX", - "specVersion": "1.6", + "specVersion": "1.7", "serialNumber": "urn:uuid:redacted", "version": 1, "metadata": { diff --git a/syft/format/cyclonedxxml/testdata/identify/1.7.xml b/syft/format/cyclonedxxml/testdata/identify/1.7.xml new file mode 100644 index 000000000..2b62fee67 --- /dev/null +++ b/syft/format/cyclonedxxml/testdata/identify/1.7.xml @@ -0,0 +1,33 @@ + + + + 2023-09-29T11:48:10-04:00 + + + anchore + syft + [not provided] + + + + go.mod + sha256:sha256:dc333f342905248a52e424d8dfd061251d01867d01a4f9d7397144a775ff9ebd + + + + + github.com/wagoodman/go-partybus + v0.0.0-20230516145632-8ccac152c651 + cpe:2.3:a:wagoodman:go-partybus:v0.0.0-20230516145632-8ccac152c651:*:*:*:*:*:*:* + pkg:golang/github.com/wagoodman/go-partybus@v0.0.0-20230516145632-8ccac152c651 + + go-module-file-cataloger + go + GolangModMetadata + go-module + cpe:2.3:a:wagoodman:go_partybus:v0.0.0-20230516145632-8ccac152c651:*:*:*:*:*:*:* + /go.mod + + + + \ No newline at end of file 
diff --git a/syft/format/cyclonedxxml/testdata/snapshot/TestCycloneDxDirectoryEncoder.golden b/syft/format/cyclonedxxml/testdata/snapshot/TestCycloneDxDirectoryEncoder.golden index 6d4345882..43b80fdeb 100644 --- a/syft/format/cyclonedxxml/testdata/snapshot/TestCycloneDxDirectoryEncoder.golden +++ b/syft/format/cyclonedxxml/testdata/snapshot/TestCycloneDxDirectoryEncoder.golden @@ -1,5 +1,5 @@ - + redacted diff --git a/syft/format/cyclonedxxml/testdata/snapshot/TestCycloneDxImageEncoder.golden b/syft/format/cyclonedxxml/testdata/snapshot/TestCycloneDxImageEncoder.golden index 7680d294d..58a21fc10 100644 --- a/syft/format/cyclonedxxml/testdata/snapshot/TestCycloneDxImageEncoder.golden +++ b/syft/format/cyclonedxxml/testdata/snapshot/TestCycloneDxImageEncoder.golden @@ -1,5 +1,5 @@ - + redacted diff --git a/syft/format/internal/cyclonedxutil/encoder.go b/syft/format/internal/cyclonedxutil/encoder.go index 26da2de00..dc843734c 100644 --- a/syft/format/internal/cyclonedxutil/encoder.go +++ b/syft/format/internal/cyclonedxutil/encoder.go @@ -9,8 +9,6 @@ import ( "github.com/anchore/syft/syft/sbom" ) -const DefaultVersion = "1.6" - type Encoder struct { version cyclonedx.SpecVersion format cyclonedx.BOMFileFormat diff --git a/syft/format/internal/cyclonedxutil/versions.go b/syft/format/internal/cyclonedxutil/versions.go index 7c6e74bab..990eb6987 100644 --- a/syft/format/internal/cyclonedxutil/versions.go +++ b/syft/format/internal/cyclonedxutil/versions.go @@ -2,6 +2,10 @@ package cyclonedxutil import ( "fmt" + "maps" + "slices" + "strconv" + "strings" "github.com/CycloneDX/cyclonedx-go" 
@@ -13,59 +17,81 @@ const ( JSONFormatID sbom.FormatID = "cyclonedx-json" ) +const DefaultVersion = "1.7" + +var commonVersions = map[string]cyclonedx.SpecVersion{ + "1.2": cyclonedx.SpecVersion1_2, + "1.3": cyclonedx.SpecVersion1_3, + "1.4": cyclonedx.SpecVersion1_4, + "1.5": cyclonedx.SpecVersion1_5, + "1.6": cyclonedx.SpecVersion1_6, + DefaultVersion: cyclonedx.SpecVersion1_7, +} + +var allVersions = func() map[string]cyclonedx.SpecVersion { + out := map[string]cyclonedx.SpecVersion{ + "1.0": cyclonedx.SpecVersion1_0, + "1.1": cyclonedx.SpecVersion1_1, + } + maps.Copy(out, commonVersions) + return out +}() + func SupportedVersions(id sbom.FormatID) []string { - versions := []string{ - "1.2", - "1.3", - "1.4", - "1.5", - "1.6", + versionSet := commonVersions + if id == XMLFormatID { + versionSet = allVersions } - - if id != JSONFormatID { - // JSON format not supported for version < 1.2 - versions = append([]string{"1.0", "1.1"}, versions...) + versions := make([]string, 0, len(versionSet)) + for _, v := range versionSet { + versions = append(versions, v.String()) } - + slices.SortFunc(versions, versionSort) return versions } func SpecVersionFromString(v string) (cyclonedx.SpecVersion, error) { - switch v { - case "1.0": - return cyclonedx.SpecVersion1_0, nil - case "1.1": - return cyclonedx.SpecVersion1_1, nil - case "1.2": - return cyclonedx.SpecVersion1_2, nil - case "1.3": - return cyclonedx.SpecVersion1_3, nil - case "1.4": - return cyclonedx.SpecVersion1_4, nil - case "1.5": - return cyclonedx.SpecVersion1_5, nil - case "1.6": - return cyclonedx.SpecVersion1_6, nil + if specVersion, ok := allVersions[v]; ok { + return specVersion, nil } return -1, fmt.Errorf("unsupported CycloneDX version %q", v) } func VersionFromSpecVersion(spec cyclonedx.SpecVersion) string { - switch spec { - case cyclonedx.SpecVersion1_0: - return "1.0" - case cyclonedx.SpecVersion1_1: - return "1.1" - case cyclonedx.SpecVersion1_2: - return "1.2" - case cyclonedx.SpecVersion1_3: - 
return "1.3" - case cyclonedx.SpecVersion1_4: - return "1.4" - case cyclonedx.SpecVersion1_5: - return "1.5" - case cyclonedx.SpecVersion1_6: - return "1.6" + for version, specVersion := range allVersions { + if specVersion == spec { + return version + } } return "" } + +func versionSort(a string, b string) int { + partsA := strings.Split(a, ".") + partsB := strings.Split(b, ".") + lenA := len(partsA) + lenB := len(partsB) + for i := range max(lenA, lenB) { + if i >= lenA { + return -1 // 1 < 1.x + } + if i >= lenB { + return 1 // 1.x > 1 + } + partA, errA := strconv.ParseInt(partsA[i], 10, 64) + partB, errB := strconv.ParseInt(partsB[i], 10, 64) + if errA != nil || errB != nil { + // string compare if we can't parse one of the sides + strcmp := strings.Compare(partsA[i], partsB[i]) + if strcmp == 0 { + continue + } + return strcmp // not equal + } + if partA == partB { + continue + } + return int(partA - partB) + } + return 0 +} diff --git a/syft/format/internal/cyclonedxutil/versions_test.go b/syft/format/internal/cyclonedxutil/versions_test.go new file mode 100644 index 000000000..43582f121 --- /dev/null +++ b/syft/format/internal/cyclonedxutil/versions_test.go 
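Review bot: `versionSort` narrows an int64 difference to int in its final `return int(partA - partB)`, which wraps on 32-bit targets (and can overflow int64 itself for extreme parsed parts), so the comparator's sign can be wrong exactly where the two numbers are far apart; `return cmp.Compare(partA, partB)` (adding `"cmp"` to the import block) yields the sign directly and fits the `max` builtin and range-over-int the function already uses. The mixed branch compares a numeric part against a non-numeric one lexically (`"10"` vs `"x"`), which is fine for the fixed keys in `allVersions` but deserves a one-line comment so the helper is not reused as a general version comparator. `SupportedVersions` emits `v.String()` while `VersionFromSpecVersion` returns the map key, so the two would disagree if cyclonedx-go's `String()` ever diverged from the key; appending the key instead (`for version := range versionSet { versions = append(versions, version) }`) keeps a single source of truth. The removed comment explaining why the JSON format omits 1.0/1.1 was not carried over; `// CycloneDX 1.0 and 1.1 have no JSON schema, so only the XML format advertises them.` above `if id == XMLFormatID` keeps that rationale visible.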
@@ -0,0 +1,107 @@
+package cyclonedxutil
+
+import (
+ "go/constant"
+ "go/types"
+ "regexp"
+ "slices"
+ "testing"
+
+ "github.com/CycloneDX/cyclonedx-go"
+ "github.com/stretchr/testify/assert"
+ "github.com/stretchr/testify/require"
+ "golang.org/x/tools/go/packages"
+)
+
+// Test_allSpecVersionsMapped loads the cyclonedx-go package's type information and enumerates every
+// SpecVersion* constant it declares, asserting each one is present in our version maps. Upgrading
+// cyclonedx-go to a release that adds a new spec version will fail this test until versions.go is updated.
+func Test_allSpecVersionsMapped(t *testing.T) {
+ const pkgPath = "github.com/CycloneDX/cyclonedx-go"
+
+ pkgs, err := packages.Load(&packages.Config{Mode: packages.NeedName | packages.NeedTypes}, pkgPath)
+ require.NoError(t, err)
+ require.Len(t, pkgs, 1)
+
+ pkg := pkgs[0]
+ require.Empty(t, pkg.Errors, "errors loading %s", pkgPath)
+ require.NotNil(t, pkg.Types, "no type info loaded for %s", pkgPath)
+
+ // allVersions is the superset (json/common versions merged in), so it covers every spec version we map.
+ mapped := make(map[cyclonedx.SpecVersion]struct{})
+ for syftVersion, sv := range allVersions {
+ // make sure the key matches the version it's mapped to
+ require.Contains(t, sv.String(), syftVersion, "version %q is not correctly mapped to cyclonedx SpecVersion %q", syftVersion, sv.String())
+ mapped[sv] = struct{}{}
+ }
+
+ specVersionConst := regexp.MustCompile(`^SpecVersion\d`)
+ scope := pkg.Types.Scope()
+ found := 0
+ for _, name := range scope.Names() {
+ if !specVersionConst.MatchString(name) {
+ continue
+ }
+ c, ok := scope.Lookup(name).(*types.Const)
+ if !ok {
+ continue
+ }
+ found++
+ val, ok := constant.Int64Val(c.Val())
+ require.Truef(t, ok, "could not read int value of cyclonedx.%s", name)
+ _, ok = mapped[cyclonedx.SpecVersion(val)]
+
+ assert.Truef(t, ok, "cyclonedx.%s is not mapped in versions.go; add it when upgrading cyclonedx-go", name)
+ }
+ require.NotZero(t, found, "no SpecVersion* constants found in %s", pkgPath)
+}
+
+func Test_versionSort(t *testing.T) {
+ // versionSort returns <0 when a0 when a>b; assert on sign rather than exact value.
+ sign := func(n int) int {
+ switch {
+ case n < 0:
+ return -1
+ case n > 0:
+ return 1
+ default:
+ return 0
+ }
+ }
+
+ tests := []struct {
+ name string
+ a string
+ b string
+ want int
+ }{
+ {name: "equal single part", a: "1", b: "1", want: 0},
+ {name: "equal two parts", a: "1.4", b: "1.4", want: 0},
+ {name: "minor less than", a: "1.3", b: "1.4", want: -1},
+ {name: "minor greater than", a: "1.6", b: "1.5", want: 1},
+ {name: "major less than", a: "1.7", b: "2.0", want: -1},
+ {name: "major greater than", a: "2.0", b: "1.7", want: 1},
+ {name: "fewer parts sorts first", a: "1", b: "1.0", want: -1},
+ {name: "more parts sorts last", a: "1.0", b: "1", want: 1},
+ {name: "numeric not lexical (10 > 9)", a: "1.10", b: "1.9", want: 1},
+ {name: "multi-digit major", a: "10.0", b: "9.0", want: 1},
+ {name: "three parts equal", a: "1.4.0", b: "1.4.0", want: 0},
+ {name: "three parts patch differs", a: "1.4.1", b: "1.4.0", want: 1},
+ {name: "non-numeric equal falls through", a: "1.x", b: "1.x", want: 0},
+ {name: "non-numeric string compare", a: "1.a", b: "1.b", want: -1},
+ {name: "non-numeric side string compare", a: "1.2", b: "1.x", want: -1},
+ }
+ for _, tt := range tests {
+ t.Run(tt.name, func(t *testing.T) {
+ assert.Equal(t, tt.want, sign(versionSort(tt.a, tt.b)))
+ // comparator must be antisymmetric: swapping operands negates the sign.
+ assert.Equal(t, -tt.want, sign(versionSort(tt.b, tt.a)))
+ })
+ }
+}
+
+func Test_versionSort_sortsSlice(t *testing.T) {
+ versions := []string{"1.10", "1.2", "1", "2.0", "1.9", "1.0"}
+ slices.SortFunc(versions, versionSort)
+ assert.Equal(t, []string{"1", "1.0", "1.2", "1.9", "1.10", "2.0"}, versions)
+}
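Review bot: `Test_allSpecVersionsMapped` validates each map key with `require.Contains(t, sv.String(), syftVersion, ...)`, which is a substring check — a key `"1.1"` mapped to a hypothetical `SpecVersion1_10` whose `String()` is `"1.10"` would pass — so `require.Equal(t, sv.String(), syftVersion, ...)` is the assertion that actually pins the mapping. The loop also never asserts that a `SpecVersion` appears under only one key, yet `VersionFromSpecVersion` ranges over `allVersions` and returns the first matching key, so a duplicate would make that lookup nondeterministic; `_, dup := mapped[sv]` followed by `require.Falsef(t, dup, "cyclonedx SpecVersion %q mapped twice", sv.String())` before the `mapped[sv] = struct{}{}` line closes that gap. Loading type information via `golang.org/x/tools/go/packages` needs a working toolchain and populated module cache at test time and, if `x/tools` is not already a module dependency, adds one; a short comment on the test stating that requirement would save the next person debugging a failure in a hermetic CI sandbox.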