diff --git a/.circleci/config.yml b/.circleci/config.yml
index dbcce26a1..1bdd2b21a 100644
--- a/.circleci/config.yml
+++ b/.circleci/config.yml
@@ -15,7 +15,6 @@ jobs:
# 2CPU / 4GB RAM
resource_class: medium
steps:
-
- checkout
- restore_cache:
@@ -48,7 +47,6 @@ jobs:
# 2CPU / 4GB RAM
resource_class: medium
steps:
-
- checkout
- restore_cache:
@@ -69,15 +67,15 @@ jobs:
- run:
name: enable docker client
command: |
- # all of this to enable "circleci local execute ..." cli commands for /var/run/docker.sock
- mkdir -p ${HOME}/.local/bin
- cat \<< EOF > ${HOME}/.local/bin/docker
- #!/bin/bash
- set -xue
- sudo -E ${HOME}/.local/bin/docker.bin \$@
- EOF
- sudo mv /usr/bin/docker ${HOME}/.local/bin/docker.bin
- chmod 755 ${HOME}/.local/bin/docker
+ # all of this to enable "circleci local execute ..." cli commands for /var/run/docker.sock
+ mkdir -p ${HOME}/.local/bin
+ cat \<< EOF > ${HOME}/.local/bin/docker
+ #!/bin/bash
+ set -xue
+ sudo -E ${HOME}/.local/bin/docker.bin \$@
+ EOF
+ sudo mv /usr/bin/docker ${HOME}/.local/bin/docker.bin
+ chmod 755 ${HOME}/.local/bin/docker
- run:
name: build cache key for java test-fixture blobs
@@ -96,6 +94,10 @@ jobs:
paths:
- "syft/cataloger/java/test-fixtures/java-builds/packages"
+ - run:
+ name: validate syft output against the CycloneDX schema
+ command: make validate-cyclonedx-schema
+
- run:
name: build hash key for integration test-fixtures blobs
command: make integration-fingerprint
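Review bot: Nothing in this hunk establishes that the prerequisites of the new `make validate-cyclonedx-schema` step are present when it runs — per the Makefile in this same change, the target shells out to `xmllint` (installed by `ci-bootstrap` via `libxml2-utils`) and to `go run` against `ubuntu:latest`, which needs the Docker daemon that the earlier "enable docker client" step wires up. Confirm that `make ci-bootstrap` and that docker step both precede this step in the same job; if bootstrap lives in a different job the step fails on a missing `xmllint`. Because the check pulls a mutable image from Docker Hub, it is also a network-dependent step that can turn red with no syft change; either pin the image in the Makefile target or make the step name say so, e.g. `name: validate syft output against the CycloneDX schema (pulls ubuntu:latest)`.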
@@ -124,4 +126,4 @@ workflows:
version: "1.13"
- run-tests:
name: "Unit & Integration Tests (go-latest)"
- version: "latest"
\ No newline at end of file
+ version: "latest"
diff --git a/Makefile b/Makefile
index 11be5d1e2..83455ecf9 100644
--- a/Makefile
+++ b/Makefile
@@ -60,7 +60,7 @@ all: clean static-analysis test ## Run all linux-based checks (linting, license
@printf '$(SUCCESS)All checks pass!$(RESET)\n'
.PHONY: test
-test: unit integration acceptance-linux ## Run all tests (currently unit, integration, and linux acceptance tests)
+test: unit validate-cyclonedx-schema integration acceptance-linux ## Run all tests (currently unit, integration, and linux acceptance tests)
.PHONY: help
help:
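Review bot: The `##` help text on `test:` is now stale — it still says "currently unit, integration, and linux acceptance tests" although `validate-cyclonedx-schema` was added as a prerequisite, so `make help` under-reports what `test` runs. Suggested line: `test: unit validate-cyclonedx-schema integration acceptance-linux ## Run all tests (unit, CycloneDX schema validation, integration, and linux acceptance tests)`. Note also that placing `validate-cyclonedx-schema` between `unit` and `integration` implies no ordering under `make -j`; phony prerequisites run in any order, so if the schema check is meant to follow or gate another target, declare that as an explicit dependency rather than by list position.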
@@ -68,7 +68,7 @@ help:
.PHONY: ci-bootstrap
ci-bootstrap: bootstrap
- sudo apt update && sudo apt install -y bc jq
+ DEBIAN_FRONTEND=noninteractive sudo apt update && sudo -E apt install -y bc jq libxml2-utils
.PHONY: bootstrap
bootstrap: ## Download and install all go dependencies (+ prep tooling in the ./tmp dir)
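Review bot: `DEBIAN_FRONTEND=noninteractive` applies only to the first command (`sudo apt update`): a leading assignment scopes to that single command, so by the time `sudo -E apt install -y ...` runs after `&&` the variable is not in the shell environment for `-E` to preserve — and `apt update` never prompts anyway, while `apt install` is the step that can hang on a debconf prompt. Pass it through `env` on the command that needs it: `sudo env DEBIAN_FRONTEND=noninteractive apt-get update && sudo env DEBIAN_FRONTEND=noninteractive apt-get install -y bc jq libxml2-utils`. This also drops `-E`, which otherwise hands the whole CI job environment (including any secrets exported into it) to the root `apt` process, and `apt-get` avoids `apt`'s "unstable CLI interface" warning in scripts.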
@@ -111,6 +111,10 @@ lint-fix: ## Auto-format all source code + run golangci lint fixers
check-licenses:
$(TEMPDIR)/bouncer check
+.PHONY: validate-cyclonedx-schema
+validate-cyclonedx-schema:
+ cd schema/cyclonedx && make
+
.PHONY: unit
unit: fixtures ## Run unit tests (with coverage)
$(call title,Running unit tests)
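Review bot: The recursive invocation in the new `validate-cyclonedx-schema` target uses a literal `make` instead of `$(MAKE)`, so the parent's flags, variable overrides and jobserver (`-j`, `-k`, `-n`) are not propagated to the sub-make in `schema/cyclonedx`, and `make -n test` merely echoes the `cd ... && make` line rather than descending into the schema recipe. Change the recipe to `$(MAKE) -C schema/cyclonedx` (or `cd schema/cyclonedx && $(MAKE)`). The target also carries no `##` description, so it will presumably be missing from `make help` while its siblings are listed; `validate-cyclonedx-schema: ## Validate syft CycloneDX output against the vendored XSDs` would fix that, assuming `help` keys off `##` as the other targets' comments suggest.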
@@ -143,7 +147,7 @@ generate-json-schema: clean-json-schema-examples integration ## Generate a new j
docker run \
-i \
--rm \
- -v $(shell pwd)/json-schema:/work \
+ -v $(shell pwd)/schema/json:/work \
-w /work \
python:3.8 \
bash -x -c "\
@@ -269,4 +273,4 @@ clean-dist:
.PHONY: clean-json-schema-examples
clean-json-schema-examples:
- rm -f json-schema/examples/*
\ No newline at end of file
+ rm -f schema/json/examples/*
\ No newline at end of file
diff --git a/schema/cyclonedx/.gitignore b/schema/cyclonedx/.gitignore
new file mode 100644
index 000000000..0df37ccb4
--- /dev/null
+++ b/schema/cyclonedx/.gitignore
@@ -0,0 +1 @@
+bom.xml
\ No newline at end of file
diff --git a/schema/cyclonedx/Makefile b/schema/cyclonedx/Makefile
new file mode 100644
index 000000000..0000bec8d
--- /dev/null
+++ b/schema/cyclonedx/Makefile
@@ -0,0 +1,5 @@
+.DEFAULT_GOAL := validate-schema
+.PHONY: validate-schema
+validate-schema:
+ go run ../../main.go ubuntu:latest -vv -o cyclonedx > bom.xml
+ xmllint --noout --schema ./cyclonedx.xsd bom.xml
\ No newline at end of file
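Review bot: The recipe validates whatever `ubuntu:latest` resolves to at run time, so the check is non-hermetic: a Docker Hub push can change the package set (and therefore the generated BOM) and make CI fail or pass with no syft change, and the test path now trusts a mutable, unpinned image fetched from the network. Pin the image by digest (`ubuntu@sha256:<digest>`) or point the target at a checked-in fixture so the input is versioned alongside the schemas. Also pass `--nonet` to xmllint — `xmllint --nonet --noout --schema ./cyclonedx.xsd bom.xml` — so that if any vendored XSD still carries a remote `schemaLocation`, validation fails loudly instead of silently fetching it over HTTP, which is exactly the property the accompanying README says the local copies are meant to guarantee.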
diff --git a/schema/cyclonedx/README.md b/schema/cyclonedx/README.md
new file mode 100644
index 000000000..200d6393e
--- /dev/null
+++ b/schema/cyclonedx/README.md
@@ -0,0 +1,7 @@
+# CycloneDX Schemas
+
+`syft` generates a CycloneDX BOm output. We want to be able to validate the CycloneDX schemas
+(and dependent schemas) against generated syft output. The best way to do this is with `xmllint`,
+however, this tool does not know how to deal with references from HTTP, only the local filesystem.
+For this reason we've included a copy of all schemas needed to validate `syft` output, modified
+to reference local copies of dependent schemas.
diff --git a/schema/cyclonedx/bd.xsd b/schema/cyclonedx/bd.xsd
new file mode 100644
index 000000000..013f550eb
--- /dev/null
+++ b/schema/cyclonedx/bd.xsd
@@ -0,0 +1,183 @@
+
+
+
+
+
+
+ CycloneDX BOM Descriptor Extension
+ https://cyclonedx.org/ext/bom-descriptor
+ Apache License, Version 2.0
+
+ Steve Springett
+
+
+
+
+
+
+
+
+
+
+ The date and time (timestamp) when the document was created.
+
+
+
+
+ The tool used to create the BOM.
+
+
+
+
+ The person(s) who created the BOM. Authors are common in BOMs created through
+ manual processes. BOMs created through automated means may not have authors.
+
+
+
+
+
+
+
+
+
+ The component that the BOM describes.
+
+
+
+
+ The organization that manufactured the component that the BOM describes.
+
+
+
+
+ The organization that supplied the component that the BOM describes. The
+ supplier may often be the manufacture, but may also be a distributor or repackager.
+
+
+
+
+
+ User-defined attributes may be used on this element as long as they
+ do not have the same name as an existing attribute used by the schema.
+
+
+
+
+
+
+
+
+ The name of the organization
+
+
+
+
+ The URL of the organization. Multiple URLs are allowed.
+
+
+
+
+ A contact person at the organization. Multiple contacts are allowed.
+
+
+
+
+
+ User-defined attributes may be used on this element as long as they
+ do not have the same name as an existing attribute used by the schema.
+
+
+
+
+
+
+ Specifies a tool (manual or automated).
+
+
+
+
+ The vendor of the tool used to create the BOM.
+
+
+
+
+ The name of the tool used to create the BOM.
+
+
+
+
+ The version of the tool used to create the BOM.
+
+
+
+
+
+
+
+
+
+
+
+
+ User-defined attributes may be used on this element as long as they
+ do not have the same name as an existing attribute used by the schema.
+
+
+
+
+
+
+
+
+ The name of the person
+
+
+
+
+ The email address of the person. Multiple email addresses are allowed.
+
+
+
+
+ The phone number of the person. Multiple phone numbers are allowed.
+
+
+
+
+
+ User-defined attributes may be used on this element as long as they
+ do not have the same name as an existing attribute used by the schema.
+
+
+
+
+
+
+ Provides additional information about a BOM.
+
+
+
+
diff --git a/schema/cyclonedx/cyclonedx.xsd b/schema/cyclonedx/cyclonedx.xsd
new file mode 100644
index 000000000..795b0f820
--- /dev/null
+++ b/schema/cyclonedx/cyclonedx.xsd
@@ -0,0 +1,1418 @@
+
+
+
+
+
+
+
+
+ CycloneDX Software Bill-of-Material Specification
+ https://cyclonedx.org/
+ Apache License, Version 2.0
+
+ Steve Springett
+
+
+
+
+
+
+
+
+ The date and time (timestamp) when the document was created.
+
+
+
+
+ The tool(s) used in the creation of the BOM.
+
+
+
+
+
+
+
+
+
+ The person(s) who created the BOM. Authors are common in BOMs created through
+ manual processes. BOMs created through automated means may not have authors.
+
+
+
+
+
+
+
+
+
+ The component that the BOM describes.
+
+
+
+
+ The organization that manufactured the component that the BOM describes.
+
+
+
+
+ The organization that supplied the component that the BOM describes. The
+ supplier may often be the manufacture, but may also be a distributor or repackager.
+
+
+
+
+
+ Allows any undeclared elements as long as the elements are placed in a different namespace.
+
+
+
+
+
+
+ User-defined attributes may be used on this element as long as they
+ do not have the same name as an existing attribute used by the schema.
+
+
+
+
+
+
+
+
+ The name of the organization
+
+
+
+
+ The URL of the organization. Multiple URLs are allowed.
+
+
+
+
+ A contact person at the organization. Multiple contacts are allowed.
+
+
+
+
+
+ Allows any undeclared elements as long as the elements are placed in a different namespace.
+
+
+
+
+
+
+ User-defined attributes may be used on this element as long as they
+ do not have the same name as an existing attribute used by the schema.
+
+
+
+
+
+
+ Specifies a tool (manual or automated).
+
+
+
+
+ The vendor of the tool used to create the BOM.
+
+
+
+
+ The name of the tool used to create the BOM.
+
+
+
+
+ The version of the tool used to create the BOM.
+
+
+
+
+
+
+
+
+
+
+
+
+ Allows any undeclared elements as long as the elements are placed in a different namespace.
+
+
+
+
+
+
+ User-defined attributes may be used on this element as long as they
+ do not have the same name as an existing attribute used by the schema.
+
+
+
+
+
+
+
+
+ The name of the contact
+
+
+
+
+ The email address of the contact. Multiple email addresses are allowed.
+
+
+
+
+ The phone number of the contact. Multiple phone numbers are allowed.
+
+
+
+
+
+ Allows any undeclared elements as long as the elements are placed in a different namespace.
+
+
+
+
+
+
+ User-defined attributes may be used on this element as long as they
+ do not have the same name as an existing attribute used by the schema.
+
+
+
+
+
+
+
+
+
+
+ Allows any undeclared elements as long as the elements are placed in a different namespace.
+
+
+
+
+
+
+ User-defined attributes may be used on this element as long as they
+ do not have the same name as an existing attribute used by the schema.
+
+
+
+
+
+
+
+
+ The organization that supplied the component. The supplier may often
+ be the manufacture, but may also be a distributor or repackager.
+
+
+
+
+ The person(s) or organization(s) that authored the component
+
+
+
+
+ The person(s) or organization(s) that published the component
+
+
+
+
+ The grouping name or identifier. This will often be a shortened, single
+ name of the company or project that produced the component, or the source package or
+ domain name. Whitespace and special characters should be avoided. Examples include:
+ apache, org.apache.commons, and apache.org.
+
+
+
+
+ The name of the component. This will often be a shortened, single name
+ of the component. Examples: commons-lang3 and jquery
+
+
+
+
+ The component version. The version should ideally comply with semantic versioning
+ but is not enforced.
+
+
+
+
+ Specifies a description for the component
+
+
+
+
+ Specifies the scope of the component. If scope is not specified, 'runtime'
+ scope should be assumed by the consumer of the BOM
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ A valid SPDX license expression.
+ Refer to https://spdx.org/specifications for syntax requirements
+
+
+
+
+
+
+
+ An optional copyright notice informing users of the underlying claims to
+ copyright ownership in a published work.
+
+
+
+
+
+ DEPRECATED - DO NOT USE. This will be removed in a future version.
+ Specifies a well-formed CPE name. See https://nvd.nist.gov/products/cpe
+
+
+
+
+
+
+ Specifies the package-url (PURL). The purl, if specified, must be valid and conform
+ to the specification defined at: https://github.com/package-url/purl-spec
+
+
+
+
+
+
+ Specifies metadata and content for ISO-IEC 19770-2 Software Identification (SWID) Tags.
+
+
+
+
+
+
+ DEPRECATED - DO NOT USE. This will be removed in a future version. Use the pedigree
+ element instead to supply information on exactly how the component was modified.
+ A boolean value indicating is the component has been modified from the original.
+ A value of true indicates the component is a derivative of the original.
+ A value of false indicates the component has not been modified from the original.
+
+
+
+
+
+
+ Component pedigree is a way to document complex supply chain scenarios where components are
+ created, distributed, modified, redistributed, combined with other components, etc.
+
+
+
+
+
+ Provides the ability to document external references related to the
+ component or to the project the component describes.
+
+
+
+
+
+ Specifies optional sub-components. This is not a dependency tree. It provides a way
+ to specify a hierarchical representation of component assemblies, similar to
+ system -> subsystem -> parts assembly in physical supply chains.
+
+
+
+
+
+
+
+
+ Allows any undeclared elements as long as the elements are placed in a different namespace.
+
+
+
+
+
+
+
+
+
+ Allows any undeclared elements as long as the elements are placed in a different namespace.
+
+
+
+
+
+
+
+ Specifies the type of component. For software components, classify as application if no more
+ specific appropriate classification is available or cannot be determined for the component.
+
+
+
+
+
+
+ The optional mime-type of the component. When used on file components, the mime-type
+ can provide additional context about the kind of file being represented such as an image,
+ font, or executable. Some library or framework components may also have an associated mime-type.
+
+
+
+
+
+
+ An optional identifier which can be used to reference the component elsewhere in the BOM.
+ Uniqueness is enforced within all elements and children of the root-level bom element.
+
+
+
+
+
+ User-defined attributes may be used on this element as long as they
+ do not have the same name as an existing attribute used by the schema.
+
+
+
+
+
+
+
+
+
+ A valid SPDX license ID
+
+
+
+
+ If SPDX does not define the license used, this field may be used to provide the license name
+
+
+
+
+
+ Specifies the optional full text of the attachment
+
+
+
+
+ The URL to the attachment file. If the attachment is a license or BOM,
+ an externalReference should also be specified for completeness.
+
+
+
+
+
+ Allows any undeclared elements as long as the elements are placed in a different namespace.
+
+
+
+
+
+
+
+
+
+
+ Specifies attributes of the text
+
+
+
+ Specifies the content type of the text. Defaults to text/plain
+ if not specified.
+
+
+
+
+
+ Specifies the optional encoding the text is represented in
+
+
+
+
+
+
+
+
+
+ Specifies the file hash of the component
+
+
+
+
+
+ Specifies the algorithm used to create the hash
+
+
+
+
+
+
+
+
+
+
+ The component is required for runtime
+
+
+
+
+ The component is optional at runtime. Optional components are components that
+ are not capable of being called due to them not be installed or otherwise accessible by any means.
+ Components that are installed but due to configuration or other restrictions are prohibited from
+ being called must be scoped as 'required'.
+
+
+
+
+ Components that are excluded provide the ability to document component usage
+ for test and other non-runtime purposes. Excluded components are not reachable within a call
+ graph at runtime.
+
+
+
+
+
+
+
+
+
+ A software application. Refer to https://en.wikipedia.org/wiki/Application_software
+ for information about applications.
+
+
+
+
+ A software framework. Refer to https://en.wikipedia.org/wiki/Software_framework
+ for information on how frameworks vary slightly from libraries.
+
+
+
+
+ A software library. Refer to https://en.wikipedia.org/wiki/Library_(computing)
+ for information about libraries. All third-party and open source reusable components will likely
+ be a library. If the library also has key features of a framework, then it should be classified
+ as a framework. If not, or is unknown, then specifying library is recommended.
+
+
+
+
+ A packaging and/or runtime format, not specific to any particular technology,
+ which isolates software inside the container from software outside of a container through
+ virtualization technology. Refer to https://en.wikipedia.org/wiki/OS-level_virtualization
+
+
+
+
+ A software operating system without regard to deployment model
+ (i.e. installed on physical hardware, virtual machine, image, etc) Refer to
+ https://en.wikipedia.org/wiki/Operating_system
+
+
+
+
+ A hardware device such as a processor, or chip-set. A hardware device
+ containing firmware should include a component for the physical hardware itself, and another
+ component of type 'firmware' or 'operating-system' (whichever is relevant), describing
+ information about the software running on the device.
+
+
+
+
+ A special type of software that provides low-level control over a devices
+ hardware. Refer to https://en.wikipedia.org/wiki/Firmware
+
+
+
+
+ A computer file. Refer to https://en.wikipedia.org/wiki/Computer_file
+ for information about files.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ Define the format for acceptable CPE URIs. Supports CPE 2.2 and CPE 2.3 formats.
+ Refer to https://nvd.nist.gov/products/cpe for official specification.
+
+
+
+
+
+
+
+
+
+
+
+ Specifies the full content of the SWID tag.
+
+
+
+
+ The URL to the SWID file.
+
+
+
+
+
+ Allows any undeclared elements as long as the elements are placed in a different namespace.
+
+
+
+
+
+
+ Maps to the tagId of a SoftwareIdentity.
+
+
+
+
+ Maps to the name of a SoftwareIdentity.
+
+
+
+
+ Maps to the version of a SoftwareIdentity.
+
+
+
+
+ Maps to the tagVersion of a SoftwareIdentity.
+
+
+
+
+ Maps to the patch of a SoftwareIdentity.
+
+
+
+
+
+
+
+ Defines a string representation of a UUID conforming to RFC 4122.
+
+
+
+
+
+
+
+
+
+
+
+ Version Control System
+
+
+
+
+ Issue or defect tracking system, or an Application Lifecycle Management (ALM) system
+
+
+
+
+ Website
+
+
+
+
+ Security advisories
+
+
+
+
+ Bill-of-material document (CycloneDX, SPDX, SWID, etc)
+
+
+
+
+ Mailing list or discussion group
+
+
+
+
+ Social media account
+
+
+
+
+ Real-time chat platform
+
+
+
+
+ Documentation, guides, or how-to instructions
+
+
+
+
+ Community or commercial support
+
+
+
+
+ Direct or repository download location
+
+
+
+
+ The URL to the license file. If a license URL has been defined in the license
+ node, it should also be defined as an external reference for completeness
+
+
+
+
+ Build-system specific meta file (i.e. pom.xml, package.json, .nuspec, etc)
+
+
+
+
+ URL to an automated build system
+
+
+
+
+ Use this if no other types accurately describe the purpose of the external reference
+
+
+
+
+
+
+
+
+ External references provide a way to document systems, sites, and information that may be relevant
+ but which are not included with the BOM.
+
+
+
+
+
+ Zero or more external references can be defined
+
+
+
+
+
+
+
+
+
+ The URL to the external reference
+
+
+
+
+ An optional comment describing the external reference
+
+
+
+
+
+ Specifies the type of external reference. There are built-in types to describe common
+ references. If a type does not exist for the reference being referred to, use the "other" type.
+
+
+
+
+
+ User-defined attributes may be used on this element as long as they
+ do not have the same name as an existing attribute used by the schema.
+
+
+
+
+
+
+ Zero or more commits can be specified.
+
+
+
+
+ Specifies an individual commit.
+
+
+
+
+
+ Allows any undeclared elements as long as the elements are placed in a different namespace.
+
+
+
+
+
+
+
+
+
+
+ A unique identifier of the commit. This may be version control
+ specific. For example, Subversion uses revision numbers whereas git uses commit hashes.
+
+
+
+
+
+ The URL to the commit. This URL will typically point to a commit
+ in a version control system.
+
+
+
+
+
+ The author who created the changes in the commit
+
+
+
+
+ The person who committed or pushed the commit
+
+
+
+
+ The text description of the contents of the commit
+
+
+
+
+
+ Allows any undeclared elements as long as the elements are placed in a different namespace.
+
+
+
+
+
+
+
+
+ Zero or more patches can be specified.
+
+
+
+
+ Specifies an individual patch.
+
+
+
+
+
+ Allows any undeclared elements as long as the elements are placed in a different namespace.
+
+
+
+
+
+
+
+
+
+
+ The patch file (or diff) that show changes.
+ Refer to https://en.wikipedia.org/wiki/Diff
+
+
+
+
+
+
+
+
+
+
+
+
+ Allows any undeclared elements as long as the elements are placed in a different namespace.
+
+
+
+
+
+
+ Specifies the purpose for the patch including the resolution of defects,
+ security issues, or new behavior or functionality
+
+
+
+
+
+
+
+
+ A patch which is not developed by the creators or maintainers of the software
+ being patched. Refer to https://en.wikipedia.org/wiki/Unofficial_patch
+
+
+
+
+ A patch which dynamically modifies runtime behavior.
+ Refer to https://en.wikipedia.org/wiki/Monkey_patch
+
+
+
+
+ A patch which takes code from a newer version of software and applies
+ it to older versions of the same software. Refer to https://en.wikipedia.org/wiki/Backporting
+
+
+
+
+ A patch created by selectively applying commits from other versions or
+ branches of the same software.
+
+
+
+
+
+
+
+
+
+ A fault, flaw, or bug in software
+
+
+
+
+ A new feature or behavior in software
+
+
+
+
+ A special type of defect which impacts security
+
+
+
+
+
+
+
+
+
+ Specifies the optional text of the diff
+
+
+
+
+ Specifies the URL to the diff
+
+
+
+
+
+ Allows any undeclared elements as long as the elements are placed in a different namespace.
+
+
+
+
+
+
+
+
+
+
+ The identifier of the issue assigned by the source of the issue
+
+
+
+
+ The name of the issue
+
+
+
+
+ A description of the issue
+
+
+
+
+
+
+ The source of the issue where it is documented.
+
+
+
+
+
+
+ The name of the source. For example "National Vulnerability Database",
+ "NVD", and "Apache"
+
+
+
+
+
+
+ The url of the issue documentation as provided by the source
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ Allows any undeclared elements as long as the elements are placed in a different namespace.
+
+
+
+
+
+
+ Specifies the type of issue
+
+
+
+
+
+
+
+
+ The timestamp in which the action occurred
+
+
+
+
+ The name of the individual who performed the action
+
+
+
+
+ The email address of the individual who performed the action
+
+
+
+
+
+ Allows any undeclared elements as long as the elements are placed in a different namespace.
+
+
+
+
+
+
+
+
+
+ Component pedigree is a way to document complex supply chain scenarios where components are created,
+ distributed, modified, redistributed, combined with other components, etc. Pedigree supports viewing
+ this complex chain from the beginning, the end, or anywhere in the middle. It also provides a way to
+ document variants where the exact relation may not be known.
+
+
+
+
+
+ Describes zero or more components in which a component is derived
+ from. This is commonly used to describe forks from existing projects where the forked version
+ contains a ancestor node containing the original component it was forked from. For example,
+ Component A is the original component. Component B is the component being used and documented
+ in the BOM. However, Component B contains a pedigree node with a single ancestor documenting
+ Component A - the original component from which Component B is derived from.
+
+
+
+
+
+ Descendants are the exact opposite of ancestors. This provides a
+ way to document all forks (and their forks) of an original or root component.
+
+
+
+
+
+ Variants describe relations where the relationship between the
+ components are not known. For example, if Component A contains nearly identical code to
+ Component B. They are both related, but it is unclear if one is derived from the other,
+ or if they share a common ancestor.
+
+
+
+
+
+ A list of zero or more commits which provide a trail describing
+ how the component deviates from an ancestor, descendant, or variant.
+
+
+
+
+ A list of zero or more patches describing how the component
+ deviates from an ancestor, descendant, or variant. Patches may be complimentary to commits
+ or may be used in place of commits.
+
+
+
+
+ Notes, observations, and other non-structured commentary
+ describing the components pedigree.
+
+
+
+
+
+
+ Allows any undeclared elements as long as the elements are placed in a different namespace.
+
+
+
+
+
+
+
+
+
+
+
+
+ References a component or service by the its bom-ref attribute
+
+
+
+
+ User-defined attributes may be used on this element as long as they
+ do not have the same name as an existing attribute used by the schema.
+
+
+
+
+
+
+
+
+ Components that do not have their own dependencies MUST be declared as empty
+ elements within the graph. Components that are not represented in the dependency graph MAY
+ have unknown dependencies. It is RECOMMENDED that implementations assume this to be opaque
+ and not an indicator of a component being dependency-free.
+
+
+
+
+
+
+
+
+
+
+
+ Allows any undeclared elements as long as the elements are placed in a different namespace.
+
+
+
+
+
+
+ User-defined attributes may be used on this element as long as they
+ do not have the same name as an existing attribute used by the schema.
+
+
+
+
+
+
+
+
+ The organization that provides the service.
+
+
+
+
+ The grouping name, namespace, or identifier. This will often be a shortened,
+ single name of the company or project that produced the service or domain name.
+ Whitespace and special characters should be avoided.
+
+
+
+
+ The name of the service. This will often be a shortened, single name
+ of the service.
+
+
+
+
+ The service version.
+
+
+
+
+ Specifies a description for the service.
+
+
+
+
+
+
+
+ A service endpoint URI.
+
+
+
+
+
+
+
+ A boolean value indicating if the service requires authentication.
+ A value of true indicates the service requires authentication prior to use.
+ A value of false indicates the service does not require authentication.
+
+
+
+
+ A boolean value indicating if use of the service crosses a trust zone or boundary.
+ A value of true indicates that by using the service, a trust boundary is crossed.
+ A value of false indicates that by using the service, a trust boundary is not crossed.
+
+
+
+
+
+
+
+ Specifies the data classification.
+
+
+
+
+
+
+
+
+
+
+
+ A valid SPDX license expression.
+ Refer to https://spdx.org/specifications for syntax requirements
+
+
+
+
+
+
+
+ Provides the ability to document external references related to the service.
+
+
+
+
+
+ Specifies optional sub-service. This is not a dependency tree. It provides a way
+ to specify a hierarchical representation of service assemblies, similar to
+ system -> subsystem -> parts assembly in physical supply chains.
+
+
+
+
+
+
+
+
+ Allows any undeclared elements as long as the elements are placed in a different namespace.
+
+
+
+
+
+
+
+
+
+ Allows any undeclared elements as long as the elements are placed in a different namespace.
+
+
+
+
+
+
+
+ An optional identifier which can be used to reference the service elsewhere in the BOM.
+ Uniqueness is enforced within all elements and children of the root-level bom element.
+
+
+
+
+
+ User-defined attributes may be used on this element as long as they
+ do not have the same name as an existing attribute used by the schema.
+
+
+
+
+
+
+ Specifies the data classification.
+
+
+
+
+
+ Specifies the flow direction of the data.
+
+
+
+
+
+
+
+
+ Specifies the flow direction of the data. Valid values are:
+ inbound, outbound, bi-directional, and unknown. Direction is relative to the service.
+ Inbound flow states that data enters the service. Outbound flow states that data
+ leaves the service. Bi-directional states that data flows both ways, and unknown
+ states that the direction is not known.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ Provides additional information about a BOM.
+
+
+
+
+ Provides the ability to document a list of components.
+
+
+
+
+ Provides the ability to document a list of external services.
+
+
+
+
+ Provides the ability to document external references related to the BOM or
+ to the project the BOM describes.
+
+
+
+
+ Provides the ability to document dependency relationships.
+
+
+
+
+
+ Allows any undeclared elements as long as the elements are placed in a different namespace.
+
+
+
+
+
+
+ The version allows component publishers/authors to make changes to existing
+ BOMs to update various aspects of the document such as description or licenses. When a system
+ is presented with multiple BOMs for the same component, the system should use the most recent
+ version of the BOM. The default version is '1' and should be incremented for each version of the
+ BOM that is published. Each version of a component should have a unique BOM and if no changes are
+ made to the BOMs, then each BOM will have a version of '1'.
+
+
+
+
+ Every BOM generated should have a unique serial number, even if the contents
+ of the BOM being generated have not changed over time. The process or tool responsible for
+ creating the BOM should create random UUID's for every BOM generated.
+
+
+
+
+ User-defined attributes may be used on this element as long as they
+ do not have the same name as an existing attribute used by the schema.
+
+
+
+
+
+
+
+
+
diff --git a/schema/cyclonedx/spdx.xsd b/schema/cyclonedx/spdx.xsd
new file mode 100644
index 000000000..dbd61b161
--- /dev/null
+++ b/schema/cyclonedx/spdx.xsd
@@ -0,0 +1,2429 @@
+
+
+
+
+
+
+
+
+ BSD Zero Clause License
+
+
+
+
+ Attribution Assurance License
+
+
+
+
+ Amazon Digital Services License
+
+
+
+
+ Academic Free License v1.1
+
+
+
+
+ Academic Free License v1.2
+
+
+
+
+ Academic Free License v2.0
+
+
+
+
+ Academic Free License v2.1
+
+
+
+
+ Academic Free License v3.0
+
+
+
+
+ Affero General Public License v1.0
+
+
+
+
+ Affero General Public License v1.0 only
+
+
+
+
+ Affero General Public License v1.0 or later
+
+
+
+
+ GNU Affero General Public License v3.0
+
+
+
+
+ GNU Affero General Public License v3.0 only
+
+
+
+
+ GNU Affero General Public License v3.0 or later
+
+
+
+
+ AMD's plpa_map.c License
+
+
+
+
+ Apple MIT License
+
+
+
+
+ Academy of Motion Picture Arts and Sciences BSD
+
+
+
+
+ ANTLR Software Rights Notice
+
+
+
+
+ Adobe Postscript AFM License
+
+
+
+
+ Adaptive Public License 1.0
+
+
+
+
+ Apple Public Source License 1.0
+
+
+
+
+ Apple Public Source License 1.1
+
+
+
+
+ Apple Public Source License 1.2
+
+
+
+
+ Apple Public Source License 2.0
+
+
+
+
+ Abstyles License
+
+
+
+
+ Adobe Systems Incorporated Source Code License Agreement
+
+
+
+
+ Adobe Glyph List License
+
+
+
+
+ Afmparse License
+
+
+
+
+ Aladdin Free Public License
+
+
+
+
+ Apache License 1.0
+
+
+
+
+ Apache License 1.1
+
+
+
+
+ Apache License 2.0
+
+
+
+
+ Artistic License 1.0
+
+
+
+
+ Artistic License 1.0 (Perl)
+
+
+
+
+ Artistic License 1.0 w/clause 8
+
+
+
+
+ Artistic License 2.0
+
+
+
+
+ BSD 1-Clause License
+
+
+
+
+ BSD 2-Clause "Simplified" License
+
+
+
+
+ BSD 2-Clause FreeBSD License
+
+
+
+
+ BSD 2-Clause NetBSD License
+
+
+
+
+ BSD-2-Clause Plus Patent License
+
+
+
+
+ BSD 2-Clause with views sentence
+
+
+
+
+ BSD 3-Clause "New" or "Revised" License
+
+
+
+
+ BSD with attribution
+
+
+
+
+ BSD 3-Clause Clear License
+
+
+
+
+ Lawrence Berkeley National Labs BSD variant license
+
+
+
+
+ BSD 3-Clause No Nuclear License
+
+
+
+
+ BSD 3-Clause No Nuclear License 2014
+
+
+
+
+ BSD 3-Clause No Nuclear Warranty
+
+
+
+
+ BSD 3-Clause Open MPI variant
+
+
+
+
+ BSD 4-Clause "Original" or "Old" License
+
+
+
+
+ BSD-4-Clause (University of California-Specific)
+
+
+
+
+ BSD Protection License
+
+
+
+
+ BSD Source Code Attribution
+
+
+
+
+ Boost Software License 1.0
+
+
+
+
+ Bahyph License
+
+
+
+
+ Barr License
+
+
+
+
+ Beerware License
+
+
+
+
+ BitTorrent Open Source License v1.0
+
+
+
+
+ BitTorrent Open Source License v1.1
+
+
+
+
+ Blue Oak Model License 1.0.0
+
+
+
+
+ Borceux license
+
+
+
+
+ Cryptographic Autonomy License 1.0
+
+
+
+
+ Cryptographic Autonomy License 1.0 (Combined Work Exception)
+
+
+
+
+ Computer Associates Trusted Open Source License 1.1
+
+
+
+
+ Creative Commons Attribution 1.0 Generic
+
+
+
+
+ Creative Commons Attribution 2.0 Generic
+
+
+
+
+ Creative Commons Attribution 2.5 Generic
+
+
+
+
+ Creative Commons Attribution 3.0 Unported
+
+
+
+
+ Creative Commons Attribution 3.0 Austria
+
+
+
+
+ Creative Commons Attribution 4.0 International
+
+
+
+
+ Creative Commons Attribution Non Commercial 1.0 Generic
+
+
+
+
+ Creative Commons Attribution Non Commercial 2.0 Generic
+
+
+
+
+ Creative Commons Attribution Non Commercial 2.5 Generic
+
+
+
+
+ Creative Commons Attribution Non Commercial 3.0 Unported
+
+
+
+
+ Creative Commons Attribution Non Commercial 4.0 International
+
+
+
+
+ Creative Commons Attribution Non Commercial No Derivatives 1.0 Generic
+
+
+
+
+ Creative Commons Attribution Non Commercial No Derivatives 2.0 Generic
+
+
+
+
+ Creative Commons Attribution Non Commercial No Derivatives 2.5 Generic
+
+
+
+
+ Creative Commons Attribution Non Commercial No Derivatives 3.0 Unported
+
+
+
+
+ Creative Commons Attribution Non Commercial No Derivatives 3.0 IGO
+
+
+
+
+ Creative Commons Attribution Non Commercial No Derivatives 4.0 International
+
+
+
+
+ Creative Commons Attribution Non Commercial Share Alike 1.0 Generic
+
+
+
+
+ Creative Commons Attribution Non Commercial Share Alike 2.0 Generic
+
+
+
+
+ Creative Commons Attribution Non Commercial Share Alike 2.5 Generic
+
+
+
+
+ Creative Commons Attribution Non Commercial Share Alike 3.0 Unported
+
+
+
+
+ Creative Commons Attribution Non Commercial Share Alike 4.0 International
+
+
+
+
+ Creative Commons Attribution No Derivatives 1.0 Generic
+
+
+
+
+ Creative Commons Attribution No Derivatives 2.0 Generic
+
+
+
+
+ Creative Commons Attribution No Derivatives 2.5 Generic
+
+
+
+
+ Creative Commons Attribution No Derivatives 3.0 Unported
+
+
+
+
+ Creative Commons Attribution No Derivatives 4.0 International
+
+
+
+
+ Creative Commons Attribution Share Alike 1.0 Generic
+
+
+
+
+ Creative Commons Attribution Share Alike 2.0 Generic
+
+
+
+
+ Creative Commons Attribution Share Alike 2.5 Generic
+
+
+
+
+ Creative Commons Attribution Share Alike 3.0 Unported
+
+
+
+
+ Creative Commons Attribution-Share Alike 3.0 Austria
+
+
+
+
+ Creative Commons Attribution Share Alike 4.0 International
+
+
+
+
+ Creative Commons Public Domain Dedication and Certification
+
+
+
+
+ Creative Commons Zero v1.0 Universal
+
+
+
+
+ Common Development and Distribution License 1.0
+
+
+
+
+ Common Development and Distribution License 1.1
+
+
+
+
+ Community Data License Agreement Permissive 1.0
+
+
+
+
+ Community Data License Agreement Sharing 1.0
+
+
+
+
+ CeCILL Free Software License Agreement v1.0
+
+
+
+
+ CeCILL Free Software License Agreement v1.1
+
+
+
+
+ CeCILL Free Software License Agreement v2.0
+
+
+
+
+ CeCILL Free Software License Agreement v2.1
+
+
+
+
+ CeCILL-B Free Software License Agreement
+
+
+
+
+ CeCILL-C Free Software License Agreement
+
+
+
+
+ CERN Open Hardware Licence v1.1
+
+
+
+
+ CERN Open Hardware Licence v1.2
+
+
+
+
+ CERN Open Hardware Licence Version 2 - Permissive
+
+
+
+
+ CERN Open Hardware Licence Version 2 - Strongly Reciprocal
+
+
+
+
+ CERN Open Hardware Licence Version 2 - Weakly Reciprocal
+
+
+
+
+ CNRI Jython License
+
+
+
+
+ CNRI Python License
+
+
+
+
+ CNRI Python Open Source GPL Compatible License Agreement
+
+
+
+
+ Common Public Attribution License 1.0
+
+
+
+
+ Common Public License 1.0
+
+
+
+
+ Code Project Open License 1.02
+
+
+
+
+ CUA Office Public License v1.0
+
+
+
+
+ Caldera License
+
+
+
+
+ Clarified Artistic License
+
+
+
+
+ Condor Public License v1.1
+
+
+
+
+ Crossword License
+
+
+
+
+ CrystalStacker License
+
+
+
+
+ Cube License
+
+
+
+
+ Deutsche Freie Software Lizenz
+
+
+
+
+ DOC License
+
+
+
+
+ DSDP License
+
+
+
+
+ Dotseqn License
+
+
+
+
+ Educational Community License v1.0
+
+
+
+
+ Educational Community License v2.0
+
+
+
+
+ Eiffel Forum License v1.0
+
+
+
+
+ Eiffel Forum License v2.0
+
+
+
+
+ EPICS Open License
+
+
+
+
+ Eclipse Public License 1.0
+
+
+
+
+ Eclipse Public License 2.0
+
+
+
+
+ EU DataGrid Software License
+
+
+
+
+ European Union Public License 1.0
+
+
+
+
+ European Union Public License 1.1
+
+
+
+
+ European Union Public License 1.2
+
+
+
+
+ Entessa Public License v1.0
+
+
+
+
+ Erlang Public License v1.1
+
+
+
+
+ Eurosym License
+
+
+
+
+ FSF All Permissive License
+
+
+
+
+ FSF Unlimited License
+
+
+
+
+ FSF Unlimited License (with License Retention)
+
+
+
+
+ Freetype Project License
+
+
+
+
+ Fair License
+
+
+
+
+ Frameworx Open License 1.0
+
+
+
+
+ FreeImage Public License v1.0
+
+
+
+
+ GNU Free Documentation License v1.1
+
+
+
+
+ GNU Free Documentation License v1.1 only - invariants
+
+
+
+
+ GNU Free Documentation License v1.1 or later - invariants
+
+
+
+
+ GNU Free Documentation License v1.1 only - no invariants
+
+
+
+
+ GNU Free Documentation License v1.1 or later - no invariants
+
+
+
+
+ GNU Free Documentation License v1.1 only
+
+
+
+
+ GNU Free Documentation License v1.1 or later
+
+
+
+
+ GNU Free Documentation License v1.2
+
+
+
+
+ GNU Free Documentation License v1.2 only - invariants
+
+
+
+
+ GNU Free Documentation License v1.2 or later - invariants
+
+
+
+
+ GNU Free Documentation License v1.2 only - no invariants
+
+
+
+
+ GNU Free Documentation License v1.2 or later - no invariants
+
+
+
+
+ GNU Free Documentation License v1.2 only
+
+
+
+
+ GNU Free Documentation License v1.2 or later
+
+
+
+
+ GNU Free Documentation License v1.3
+
+
+
+
+ GNU Free Documentation License v1.3 only - invariants
+
+
+
+
+ GNU Free Documentation License v1.3 or later - invariants
+
+
+
+
+ GNU Free Documentation License v1.3 only - no invariants
+
+
+
+
+ GNU Free Documentation License v1.3 or later - no invariants
+
+
+
+
+ GNU Free Documentation License v1.3 only
+
+
+
+
+ GNU Free Documentation License v1.3 or later
+
+
+
+
+ GL2PS License
+
+
+
+
+ Good Luck With That Public License
+
+
+
+
+ GNU General Public License v1.0 only
+
+
+
+
+ GNU General Public License v1.0 or later
+
+
+
+
+ GNU General Public License v1.0 only
+
+
+
+
+ GNU General Public License v1.0 or later
+
+
+
+
+ GNU General Public License v2.0 only
+
+
+
+
+ GNU General Public License v2.0 or later
+
+
+
+
+ GNU General Public License v2.0 only
+
+
+
+
+ GNU General Public License v2.0 or later
+
+
+
+
+ GNU General Public License v2.0 w/GCC Runtime Library exception
+
+
+
+
+ GNU General Public License v2.0 w/Autoconf exception
+
+
+
+
+ GNU General Public License v2.0 w/Bison exception
+
+
+
+
+ GNU General Public License v2.0 w/Classpath exception
+
+
+
+
+ GNU General Public License v2.0 w/Font exception
+
+
+
+
+ GNU General Public License v3.0 only
+
+
+
+
+ GNU General Public License v3.0 or later
+
+
+
+
+ GNU General Public License v3.0 only
+
+
+
+
+ GNU General Public License v3.0 or later
+
+
+
+
+ GNU General Public License v3.0 w/GCC Runtime Library exception
+
+
+
+
+ GNU General Public License v3.0 w/Autoconf exception
+
+
+
+
+ Giftware License
+
+
+
+
+ 3dfx Glide License
+
+
+
+
+ Glulxe License
+
+
+
+
+ Historical Permission Notice and Disclaimer
+
+
+
+
+ Historical Permission Notice and Disclaimer - sell variant
+
+
+
+
+ Haskell Language Report License
+
+
+
+
+ Hippocratic License 2.1
+
+
+
+
+ IBM PowerPC Initialization and Boot Software
+
+
+
+
+ ICU License
+
+
+
+
+ Independent JPEG Group License
+
+
+
+
+ IPA Font License
+
+
+
+
+ IBM Public License v1.0
+
+
+
+
+ ISC License
+
+
+
+
+ ImageMagick License
+
+
+
+
+ Imlib2 License
+
+
+
+
+ Info-ZIP License
+
+
+
+
+ Intel Open Source License
+
+
+
+
+ Intel ACPI Software License Agreement
+
+
+
+
+ Interbase Public License v1.0
+
+
+
+
+ Japan Network Information Center License
+
+
+
+
+ JSON License
+
+
+
+
+ JasPer License
+
+
+
+
+ Licence Art Libre 1.2
+
+
+
+
+ Licence Art Libre 1.3
+
+
+
+
+ GNU Library General Public License v2 only
+
+
+
+
+ GNU Library General Public License v2 or later
+
+
+
+
+ GNU Library General Public License v2 only
+
+
+
+
+ GNU Library General Public License v2 or later
+
+
+
+
+ GNU Lesser General Public License v2.1 only
+
+
+
+
+ GNU Library General Public License v2.1 or later
+
+
+
+
+ GNU Lesser General Public License v2.1 only
+
+
+
+
+ GNU Lesser General Public License v2.1 or later
+
+
+
+
+ GNU Lesser General Public License v3.0 only
+
+
+
+
+ GNU Lesser General Public License v3.0 or later
+
+
+
+
+ GNU Lesser General Public License v3.0 only
+
+
+
+
+ GNU Lesser General Public License v3.0 or later
+
+
+
+
+ Lesser General Public License For Linguistic Resources
+
+
+
+
+ Lucent Public License Version 1.0
+
+
+
+
+ Lucent Public License v1.02
+
+
+
+
+ LaTeX Project Public License v1.0
+
+
+
+
+ LaTeX Project Public License v1.1
+
+
+
+
+ LaTeX Project Public License v1.2
+
+
+
+
+ LaTeX Project Public License v1.3a
+
+
+
+
+ LaTeX Project Public License v1.3c
+
+
+
+
+ Latex2e License
+
+
+
+
+ Leptonica License
+
+
+
+
+ Licence Libre du Québec – Permissive version 1.1
+
+
+
+
+ Licence Libre du Québec – Réciprocité version 1.1
+
+
+
+
+ Licence Libre du Québec – Réciprocité forte version 1.1
+
+
+
+
+ libpng License
+
+
+
+
+ Linux Kernel Variant of OpenIB.org license
+
+
+
+
+ MIT License
+
+
+
+
+ MIT No Attribution
+
+
+
+
+ CMU License
+
+
+
+
+ Enlightenment License (e16)
+
+
+
+
+ enna License
+
+
+
+
+ feh License
+
+
+
+
+ MIT +no-false-attribs license
+
+
+
+
+ Mozilla Public License 1.0
+
+
+
+
+ Mozilla Public License 1.1
+
+
+
+
+ Mozilla Public License 2.0
+
+
+
+
+ Mozilla Public License 2.0 (no copyleft exception)
+
+
+
+
+ Microsoft Public License
+
+
+
+
+ Microsoft Reciprocal License
+
+
+
+
+ Matrix Template Library License
+
+
+
+
+ MakeIndex License
+
+
+
+
+ The MirOS Licence
+
+
+
+
+ Motosoto License
+
+
+
+
+ Mulan Permissive Software License, Version 1
+
+
+
+
+ Mulan Permissive Software License, Version 2
+
+
+
+
+ Multics License
+
+
+
+
+ Mup License
+
+
+
+
+ NASA Open Source Agreement 1.3
+
+
+
+
+ Net Boolean Public License v1
+
+
+
+
+ Non-Commercial Government Licence
+
+
+
+
+ University of Illinois/NCSA Open Source License
+
+
+
+
+ Nethack General Public License
+
+
+
+
+ NIST Public Domain Notice
+
+
+
+
+ NIST Public Domain Notice with license fallback
+
+
+
+
+ Norwegian Licence for Open Government Data
+
+
+
+
+ No Limit Public License
+
+
+
+
+ Netizen Open Source License
+
+
+
+
+ Netscape Public License v1.0
+
+
+
+
+ Netscape Public License v1.1
+
+
+
+
+ Non-Profit Open Software License 3.0
+
+
+
+
+ NRL License
+
+
+
+
+ NTP License
+
+
+
+
+ NTP No Attribution
+
+
+
+
+ Naumen Public License
+
+
+
+
+ Net-SNMP License
+
+
+
+
+ NetCDF license
+
+
+
+
+ Newsletr License
+
+
+
+
+ Nokia Open Source License
+
+
+
+
+ Noweb License
+
+
+
+
+ Nunit License
+
+
+
+
+ Open Use of Data Agreement v1.0
+
+
+
+
+ Open CASCADE Technology Public License
+
+
+
+
+ OCLC Research Public License 2.0
+
+
+
+
+ Open Data Commons Attribution License v1.0
+
+
+
+
+ ODC Open Database License v1.0
+
+
+
+
+ SIL Open Font License 1.0
+
+
+
+
+ SIL Open Font License 1.0 with Reserved Font Name
+
+
+
+
+ SIL Open Font License 1.0 with no Reserved Font Name
+
+
+
+
+ SIL Open Font License 1.1
+
+
+
+
+ SIL Open Font License 1.1 with Reserved Font Name
+
+
+
+
+ SIL Open Font License 1.1 with no Reserved Font Name
+
+
+
+
+ OGC Software License, Version 1.0
+
+
+
+
+ Open Government Licence - Canada
+
+
+
+
+ Open Government Licence v1.0
+
+
+
+
+ Open Government Licence v2.0
+
+
+
+
+ Open Government Licence v3.0
+
+
+
+
+ Open Group Test Suite License
+
+
+
+
+ Open LDAP Public License v1.1
+
+
+
+
+ Open LDAP Public License v1.2
+
+
+
+
+ Open LDAP Public License v1.3
+
+
+
+
+ Open LDAP Public License v1.4
+
+
+
+
+ Open LDAP Public License v2.0 (or possibly 2.0A and 2.0B)
+
+
+
+
+ Open LDAP Public License v2.0.1
+
+
+
+
+ Open LDAP Public License v2.1
+
+
+
+
+ Open LDAP Public License v2.2
+
+
+
+
+ Open LDAP Public License v2.2.1
+
+
+
+
+ Open LDAP Public License 2.2.2
+
+
+
+
+ Open LDAP Public License v2.3
+
+
+
+
+ Open LDAP Public License v2.4
+
+
+
+
+ Open LDAP Public License v2.5
+
+
+
+
+ Open LDAP Public License v2.6
+
+
+
+
+ Open LDAP Public License v2.7
+
+
+
+
+ Open LDAP Public License v2.8
+
+
+
+
+ Open Market License
+
+
+
+
+ Open Public License v1.0
+
+
+
+
+ OSET Public License version 2.1
+
+
+
+
+ Open Software License 1.0
+
+
+
+
+ Open Software License 1.1
+
+
+
+
+ Open Software License 2.0
+
+
+
+
+ Open Software License 2.1
+
+
+
+
+ Open Software License 3.0
+
+
+
+
+ OpenSSL License
+
+
+
+
+ ODC Public Domain Dedication & License 1.0
+
+
+
+
+ PHP License v3.0
+
+
+
+
+ PHP License v3.01
+
+
+
+
+ Python Software Foundation License 2.0
+
+
+
+
+ The Parity Public License 6.0.0
+
+
+
+
+ The Parity Public License 7.0.0
+
+
+
+
+ Plexus Classworlds License
+
+
+
+
+ PolyForm Noncommercial License 1.0.0
+
+
+
+
+ PolyForm Small Business License 1.0.0
+
+
+
+
+ PostgreSQL License
+
+
+
+
+ Python License 2.0
+
+
+
+
+ Q Public License 1.0
+
+
+
+
+ Qhull License
+
+
+
+
+ Red Hat eCos Public License v1.1
+
+
+
+
+ Reciprocal Public License 1.1
+
+
+
+
+ Reciprocal Public License 1.5
+
+
+
+
+ RealNetworks Public Source License v1.0
+
+
+
+
+ RSA Message-Digest License
+
+
+
+
+ Ricoh Source Code Public License
+
+
+
+
+ Rdisc License
+
+
+
+
+ Ruby License
+
+
+
+
+ Sax Public Domain Notice
+
+
+
+
+ SCEA Shared Source License
+
+
+
+
+ SGI Free Software License B v1.0
+
+
+
+
+ SGI Free Software License B v1.1
+
+
+
+
+ SGI Free Software License B v2.0
+
+
+
+
+ Solderpad Hardware License v0.5
+
+
+
+
+ Solderpad Hardware License, Version 0.51
+
+
+
+
+ Sun Industry Standards Source License v1.1
+
+
+
+
+ Sun Industry Standards Source License v1.2
+
+
+
+
+ Standard ML of New Jersey License
+
+
+
+
+ Secure Messaging Protocol Public License
+
+
+
+
+ SNIA Public License 1.1
+
+
+
+
+ Sun Public License v1.0
+
+
+
+
+ SSH OpenSSH license
+
+
+
+
+ SSH short notice
+
+
+
+
+ Server Side Public License, v 1
+
+
+
+
+ Scheme Widget Library (SWL) Software License Agreement
+
+
+
+
+ Saxpath License
+
+
+
+
+ Sendmail License
+
+
+
+
+ Sendmail License 8.23
+
+
+
+
+ Simple Public License 2.0
+
+
+
+
+ Sleepycat License
+
+
+
+
+ Spencer License 86
+
+
+
+
+ Spencer License 94
+
+
+
+
+ Spencer License 99
+
+
+
+
+ Standard ML of New Jersey License
+
+
+
+
+ SugarCRM Public License v1.1.3
+
+
+
+
+ TAPR Open Hardware License v1.0
+
+
+
+
+ TCL/TK License
+
+
+
+
+ TCP Wrappers License
+
+
+
+
+ TMate Open Source License
+
+
+
+
+ TORQUE v2.5+ Software License v1.1
+
+
+
+
+ Trusster Open Source License
+
+
+
+
+ Technische Universitaet Berlin License 1.0
+
+
+
+
+ Technische Universitaet Berlin License 2.0
+
+
+
+
+ Upstream Compatibility License v1.0
+
+
+
+
+ Universal Permissive License v1.0
+
+
+
+
+ Unicode License Agreement - Data Files and Software (2015)
+
+
+
+
+ Unicode License Agreement - Data Files and Software (2016)
+
+
+
+
+ Unicode Terms of Use
+
+
+
+
+ The Unlicense
+
+
+
+
+ VOSTROM Public License for Open Source
+
+
+
+
+ Vovida Software License v1.0
+
+
+
+
+ Vim License
+
+
+
+
+ W3C Software Notice and License (2002-12-31)
+
+
+
+
+ W3C Software Notice and License (1998-07-20)
+
+
+
+
+ W3C Software Notice and Document License (2015-05-13)
+
+
+
+
+ Do What The F*ck You Want To Public License
+
+
+
+
+ Sybase Open Watcom Public License 1.0
+
+
+
+
+ Wsuipa License
+
+
+
+
+ X11 License
+
+
+
+
+ XFree86 License 1.1
+
+
+
+
+ XSkat License
+
+
+
+
+ Xerox License
+
+
+
+
+ X.Net License
+
+
+
+
+ Yahoo! Public License v1.0
+
+
+
+
+ Yahoo! Public License v1.1
+
+
+
+
+ Zope Public License 1.1
+
+
+
+
+ Zope Public License 2.0
+
+
+
+
+ Zope Public License 2.1
+
+
+
+
+ Zed License
+
+
+
+
+ Zend License v2.0
+
+
+
+
+ Zimbra Public License v1.3
+
+
+
+
+ Zimbra Public License v1.4
+
+
+
+
+ zlib License
+
+
+
+
+ SQLite Blessing
+
+
+
+
+ bzip2 and libbzip2 License v1.0.5
+
+
+
+
+ bzip2 and libbzip2 License v1.0.6
+
+
+
+
+ copyleft-next 0.3.0
+
+
+
+
+ copyleft-next 0.3.1
+
+
+
+
+ curl License
+
+
+
+
+ diffmark license
+
+
+
+
+ dvipdfm License
+
+
+
+
+ eCos license version 2.0
+
+
+
+
+ eGenix.com Public License 1.1.0
+
+
+
+
+ Etalab Open License 2.0
+
+
+
+
+ gSOAP Public License v1.3b
+
+
+
+
+ gnuplot License
+
+
+
+
+ iMatix Standard Function Library Agreement
+
+
+
+
+ PNG Reference Library version 2
+
+
+
+
+ libselinux public domain notice
+
+
+
+
+ libtiff License
+
+
+
+
+ mpich2 License
+
+
+
+
+ psfrag License
+
+
+
+
+ psutils License
+
+
+
+
+ wxWindows Library License
+
+
+
+
+ xinetd License
+
+
+
+
+ XPP License
+
+
+
+
+ zlib/libpng License with Acknowledgement
+
+
+
+
+
+ GCC Runtime Library exception 2.0
+
+
+
+
+ OpenVPN OpenSSL Exception
+
+
+
+
+ Nokia Qt LGPL exception 1.1
+
+
+
+
+ GPL-3.0 Linking Exception
+
+
+
+
+ Fawkes Runtime Exception
+
+
+
+
+ U-Boot exception 2.0
+
+
+
+
+ PS/PDF font exception (2017-08-17)
+
+
+
+
+ GNU JavaMail exception
+
+
+
+
+ LGPL-3.0 Linking Exception
+
+
+
+
+ DigiRule FOSS License Exception
+
+
+
+
+ LLVM Exception
+
+
+
+
+ Linux Syscall Note
+
+
+
+
+ GPL-3.0 Linking Exception (with Corresponding Source)
+
+
+
+
+ Qwt exception 1.0
+
+
+
+
+ 389 Directory Server Exception
+
+
+
+
+ Macros and Inline Functions Exception
+
+
+
+
+ eCos exception 2.0
+
+
+
+
+ CLISP exception 2.0
+
+
+
+
+ Bison exception 2.2
+
+
+
+
+ Libtool Exception
+
+
+
+
+ LZMA exception
+
+
+
+
+ OpenJDK Assembly exception 1.0
+
+
+
+
+ Font exception 2.0
+
+
+
+
+ OCaml LGPL Linking Exception
+
+
+
+
+ GCC Runtime Library exception 3.1
+
+
+
+
+ Bootloader Distribution Exception
+
+
+
+
+ Solderpad Hardware License v2.0
+
+
+
+
+ Classpath exception 2.0
+
+
+
+
+ Swift Exception
+
+
+
+
+ Autoconf exception 2.0
+
+
+
+
+ FLTK exception
+
+
+
+
+ FreeRTOS Exception 2.0
+
+
+
+
+ Universal FOSS Exception, Version 1.0
+
+
+
+
+ WxWindows Library Exception 3.1
+
+
+
+
+ Open CASCADE Exception 1.0
+
+
+
+
+ Autoconf exception 3.0
+
+
+
+
+ i2p GPL+Java Exception
+
+
+
+
+ GPL Cooperation Commitment 1.0
+
+
+
+
+ Qt LGPL exception 1.1
+
+
+
+
+ Solderpad Hardware License v2.1
+
+
+
+
+ Qt GPL exception 1.0
+
+
+
+
+
+
\ No newline at end of file
diff --git a/json-schema/.gitignore b/schema/json/.gitignore
similarity index 100%
rename from json-schema/.gitignore
rename to schema/json/.gitignore
diff --git a/json-schema/generate.py b/schema/json/generate.py
similarity index 100%
rename from json-schema/generate.py
rename to schema/json/generate.py
diff --git a/json-schema/requirements.txt b/schema/json/requirements.txt
similarity index 100%
rename from json-schema/requirements.txt
rename to schema/json/requirements.txt
diff --git a/json-schema/schema.json b/schema/json/schema.json
similarity index 100%
rename from json-schema/schema.json
rename to schema/json/schema.json
diff --git a/syft/presenter/cyclonedx/document.go b/syft/presenter/cyclonedx/document.go
index 74a18f467..cc3f68161 100644
--- a/syft/presenter/cyclonedx/document.go
+++ b/syft/presenter/cyclonedx/document.go
@@ -13,6 +13,7 @@ import (
type Document struct {
XMLName xml.Name `xml:"bom"`
XMLNs string `xml:"xmlns,attr"`
+ XMLNsBd string `xml:"xmlns:bd,attr"`
Version int `xml:"version,attr"`
SerialNumber string `xml:"serialNumber,attr"`
Components []Component `xml:"components>component"` // The BOM contents
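Review bot: The new `XMLNsBd` field carries no comment explaining why a second namespace declaration is emitted on the root element, and the URI it holds is written as a bare literal in NewDocument (the `@@ -23,6 +24,7 @@` hunk), next to the equally bare CycloneDX 1.2 URI. I would add a trailing comment on the field such as `// emits xmlns:bd on the root bom element: the bom-descriptor extension namespace` and hoist both URIs into named constants so the schema version this presenter writes and the one CI validates against (the Makefile's validate-cyclonedx-schema target) can be changed in one place. Whether encoding/xml writes the `xmlns:bd` tag name literally as an attribute should be confirmed against the updated golden snapshots; the fixture hunks in this diff have their markup stripped, so I cannot see the rendered root element here. Both the Document struct and NewDocument continue outside their hunks.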
@@ -23,6 +24,7 @@ type Document struct {
func NewDocument() Document {
return Document{
XMLNs: "http://cyclonedx.org/schema/bom/1.2",
+ XMLNsBd: "http://cyclonedx.org/schema/ext/bom-descriptor/1.0",
Version: 1,
SerialNumber: uuid.New().URN(),
}
diff --git a/syft/presenter/cyclonedx/test-fixtures/snapshot/TestCycloneDxDirsPresenter.golden b/syft/presenter/cyclonedx/test-fixtures/snapshot/TestCycloneDxDirsPresenter.golden
index e238f8626..70937744b 100644
--- a/syft/presenter/cyclonedx/test-fixtures/snapshot/TestCycloneDxDirsPresenter.golden
+++ b/syft/presenter/cyclonedx/test-fixtures/snapshot/TestCycloneDxDirsPresenter.golden
@@ -1,5 +1,5 @@
-
+
package-1
@@ -19,7 +19,7 @@
- 2020-08-24T17:37:37-04:00
+ 2020-08-26T15:31:39-04:00
anchore
syft
diff --git a/syft/presenter/cyclonedx/test-fixtures/snapshot/TestCycloneDxImgsPresenter.golden b/syft/presenter/cyclonedx/test-fixtures/snapshot/TestCycloneDxImgsPresenter.golden
index 875d40546..df69a93b7 100644
--- a/syft/presenter/cyclonedx/test-fixtures/snapshot/TestCycloneDxImgsPresenter.golden
+++ b/syft/presenter/cyclonedx/test-fixtures/snapshot/TestCycloneDxImgsPresenter.golden
@@ -1,5 +1,5 @@
-
+
package-1
@@ -19,7 +19,7 @@
- 2020-08-24T17:37:37-04:00
+ 2020-08-26T15:31:39-04:00
anchore
syft
diff --git a/test/integration/json_schema_test.go b/test/integration/json_schema_test.go
index a1ecc74da..187b2941c 100644
--- a/test/integration/json_schema_test.go
+++ b/test/integration/json_schema_test.go
@@ -5,21 +5,23 @@ package integration
import (
"bytes"
"fmt"
- "github.com/anchore/go-testutils"
- "github.com/anchore/syft/syft"
- "github.com/anchore/syft/syft/pkg"
- "github.com/anchore/syft/syft/presenter"
- "github.com/anchore/syft/syft/scope"
- "github.com/xeipuuv/gojsonschema"
"os"
"os/exec"
"path"
"path/filepath"
"strings"
"testing"
+
+ "github.com/anchore/go-testutils"
+ "github.com/anchore/syft/syft"
+ "github.com/anchore/syft/syft/pkg"
+ "github.com/anchore/syft/syft/presenter"
+ "github.com/anchore/syft/syft/scope"
+ "github.com/xeipuuv/gojsonschema"
)
-const jsonSchemaExamplesPath = "json-schema/examples"
+const jsonSchemaPath = "schema/json"
+const jsonSchemaExamplesPath = jsonSchemaPath + "/examples"
func repoRoot(t *testing.T) string {
t.Helper()
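Review bot: `jsonSchemaPath` and `jsonSchemaExamplesPath` are declared without any comment stating that they are relative to the repository root, and the only thing that makes this clear is the later `path.Join(repoRoot(t), jsonSchemaPath, "schema.json")` call. I would add `// jsonSchemaPath is the JSON schema directory, relative to the repository root returned by repoRoot.` above the first constant. Since these values are joined onto an OS filesystem path, `filepath.Join` (already imported) would be the consistent choice over `path.Join` at the use site; that is pre-existing behaviour, so a follow-up rather than a blocker. The import regrouping itself (standard library first, then module imports) is fine.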
@@ -35,7 +37,7 @@ func repoRoot(t *testing.T) string {
}
func validateAgainstV1Schema(t *testing.T, json string) {
- fullSchemaPath := path.Join(repoRoot(t), "json-schema", "schema.json")
+ fullSchemaPath := path.Join(repoRoot(t), jsonSchemaPath, "schema.json")
schemaLoader := gojsonschema.NewReferenceLoader(fmt.Sprintf("file://%s", fullSchemaPath))
documentLoader := gojsonschema.NewStringLoader(json)