From 138e2496a27025ad4ee100aa704d68157cc70836 Mon Sep 17 00:00:00 2001
From: Jan Kowalleck
Date: Fri, 16 Feb 2024 16:14:09 +0100
Subject: [PATCH] feat: external reference type for RFC9116
Signed-off-by: Jan Kowalleck
---
 schema/bom-1.6.proto | 2 ++
 schema/bom-1.6.schema.json | 2 ++
 schema/bom-1.6.xsd | 5 +++++
 3 files changed, 9 insertions(+)
diff --git a/schema/bom-1.6.proto b/schema/bom-1.6.proto
index 1c6f842c..047a7f79 100644
--- a/schema/bom-1.6.proto
+++ b/schema/bom-1.6.proto
@@ -280,6 +280,8 @@ enum ExternalReferenceType {
 EXTERNAL_REFERENCE_TYPE_ELECTRONIC_SIGNATURE = 39;
 // A signature that leverages cryptography, typically public/private key pairs, which provides strong authenticity verification.
 EXTERNAL_REFERENCE_TYPE_DIGITAL_SIGNATURE = 40;
+ // Document that complies with RFC-9116 (A File Format to Aid in Security Vulnerability Disclosure)
+ EXTERNAL_REFERENCE_TYPE_RFC_9116 = 41;
 }
 enum HashAlg {
diff --git a/schema/bom-1.6.schema.json b/schema/bom-1.6.schema.json
index f607294d..3d19af00 100644
--- a/schema/bom-1.6.schema.json
+++ b/schema/bom-1.6.schema.json
@@ -1687,6 +1687,7 @@
 "poam",
 "electronic-signature",
 "digital-signature",
+ "rfc-9116",
 "other"
 ],
 "meta:enum": {
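Review bot: The comment on the new `EXTERNAL_REFERENCE_TYPE_RFC_9116` value gives only the RFC number and its title, so a reader has to look the RFC up to learn that the referenced document is a security.txt file and what a consumer should check before trusting it; naming the value after an RFC number rather than its purpose also makes it harder to discover and dates the schema if the RFC is ever obsoleted. Suggest `// A security.txt file as defined by RFC 9116 ("A File Format to Aid in Security Vulnerability Disclosure"), telling reporters how to contact the supplier about security issues.` followed by `// RFC 9116 requires the file to be served over HTTPS and to carry an Expires field; consumers should verify the scheme, the expiry and any OpenPGP signature before relying on the contents.` Consider whether a purpose-based identifier (a security-contact or vulnerability-disclosure reference) would serve tooling better than the RFC number; the same name appears in the JSON and XSD hunks, so all three would have to move together. Only the tail of `ExternalReferenceType` is visible here; the enum starts before the hunk.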
@@ -1731,6 +1732,7 @@
 "poam": "Plans of Action and Milestones (POAM) complement an \"attestation\" external reference. POAM is defined by NIST as a \"document that identifies tasks needing to be accomplished. It details resources required to accomplish the elements of the plan, any milestones in meeting the tasks and scheduled completion dates for the milestones\".",
 "electronic-signature": "An e-signature is commonly a scanned representation of a written signature or a stylized script of the persons name.",
 "digital-signature": "A signature that leverages cryptography, typically public/private key pairs, which provides strong authenticity verification.",
+ "rfc-9116": "Document that complies with RFC-9116 (A File Format to Aid in Security Vulnerability Disclosure)",
 "other": "Use this if no other types accurately describe the purpose of the external reference."
 }
diff --git a/schema/bom-1.6.xsd b/schema/bom-1.6.xsd
index 2254dad6..ba755b2b 100644
--- a/schema/bom-1.6.xsd
+++ b/schema/bom-1.6.xsd
@@ -1434,6 +1434,11 @@ limitations under the License.
 A signature that leverages cryptography, typically public/private key pairs, which provides strong authenticity verification.
+
+
+ Document that complies with RFC-9116 (A File Format to Aid in Security Vulnerability Disclosure)
+
+
 Use this if no other types accurately describe the purpose of the external reference
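Review bot: The new `"rfc-9116"` description under `meta:enum` is presumably the text that schema-aware tooling surfaces to users, and it only restates the RFC title: it does not say the document is a security.txt file, does not tell a consumer what to expect from it, and unlike the neighbouring entries it has no terminating period. Suggest `"rfc-9116": "A security.txt file, as defined by RFC 9116 (A File Format to Aid in Security Vulnerability Disclosure), describing how to report security issues to the supplier. Consumers should expect an https URL and should honour the file's Expires field before relying on it.",`. The existing entries use identical wording in the proto comment, this object and the XSD xs:documentation, so whichever text is chosen should be copied verbatim into the other two hunks.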