diff --git a/.gitignore b/.gitignore
index 2628a539..18e73886 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,3 +1,4 @@
+.DS_Store
 .idea/
 .vscode/
 tools/target/
diff --git a/schema/2.0/cyclonedx-2.0-bundled.min.schema.json b/schema/2.0/cyclonedx-2.0-bundled.min.schema.json
index f48b23cb..54f292d0 100644
--- a/schema/2.0/cyclonedx-2.0-bundled.min.schema.json
+++ b/schema/2.0/cyclonedx-2.0-bundled.min.schema.json
@@ -1 +1 @@ -{"$schema":"https://json-schema.org/draft/2020-12/schema","$id":"https://cyclonedx.org/schema/2.0/cyclonedx-2.0.schema.json","type":"object","title":"CycloneDX Transparency Expression Language","$comment":"OWASP CycloneDX is an Ecma International standard (ECMA-424) developed in collaboration between the OWASP Foundation and Ecma Technical Committee 54 (TC54). The standard is published under a royalty-free patent policy. This JSON schema is the reference implementation and is licensed under the Apache License 2.0.","required":["specFormat","specVersion"],"additionalProperties":false,"properties":{"$schema":{"type":"string"},"specFormat":{"type":"string","title":"Specification Format","description":"Specifies the format. This value must be \"CycloneDX\".","enum":["CycloneDX"]},"specVersion":{"type":"string","title":"Specification Version","description":"The version of the CycloneDX specification the BOM conforms to.","examples":["2.0"]},"serialNumber":{"type":"string","title":"BOM Serial Number","description":"Every BOM generated SHOULD have a unique serial number, even if the contents of the BOM have not changed over time. If specified, the serial number must conform to [RFC 4122](https://www.ietf.org/rfc/rfc4122.html). Use of serial numbers is recommended.","examples":["urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79"],"pattern":"^urn:uuid:[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$"},"version":{"type":"integer","title":"BOM Version","description":"Whenever an existing BOM is modified, either manually or through automated processes, the version of the BOM SHOULD be incremented by 1. When a system is presented with multiple BOMs with identical serial numbers, the system SHOULD use the most recent version of the BOM. 
The default version is '1'.","minimum":1,"default":1},"metadata":{"$ref":"#/$defs/cyclonedx-metadata-2.0/$defs/metadata"},"components":{"$ref":"#/$defs/cyclonedx-component-2.0/$defs/components","description":"A collection of components. When a metadata component is present, this array represents the inventory of components associated with that subject, forming a bill of materials. When the metadata component is omitted, the array provides component data for interchange purposes without establishing a compositional relationship."},"services":{"$ref":"#/$defs/cyclonedx-service-2.0/$defs/services"},"dependencies":{"$ref":"#/$defs/cyclonedx-dependency-2.0/$defs/dependencies"},"compositions":{"$ref":"#/$defs/cyclonedx-composition-2.0/$defs/compositions"},"vulnerabilities":{"$ref":"#/$defs/cyclonedx-vulnerability-2.0/$defs/vulnerabilities"},"annotations":{"$ref":"#/$defs/cyclonedx-annotation-2.0/$defs/annotations"},"formulation":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/formulation"},"declarations":{"$ref":"#/$defs/cyclonedx-declaration-2.0/$defs/declarations"},"definitions":{"$ref":"#/$defs/cyclonedx-definition-2.0/$defs/definitions"},"citations":{"$ref":"#/$defs/cyclonedx-citation-2.0/$defs/citations"},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"},"externalReferences":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/externalReferences"},"signature":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/signature"}},"allOf":[{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/extensibleProperties"}],"$defs":{"cyclonedx-ai-modelcard-2.0":{"type":"null","title":"CycloneDX AI Model Card","$defs":{"modelCard":{"type":"object","title":"Model Card","description":"A model card describes the intended uses of a machine learning model and potential limitations, including biases and ethical considerations. 
Model cards typically contain the training parameters, which datasets were used to train the model, performance metrics, and other relevant data useful for ML transparency. This object SHOULD be specified for any component of type `machine-learning-model` and must not be specified for other component types.","additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"An identifier which can be used to reference the model card elsewhere in the BOM. Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links."},"modelParameters":{"type":"object","title":"Model Parameters","description":"Hyper-parameters for construction of the model.","additionalProperties":false,"properties":{"approach":{"type":"object","title":"Approach","description":"The overall approach to learning used by the model for problem solving.","additionalProperties":false,"properties":{"type":{"type":"string","title":"Learning Type","description":"Learning types describing the learning problem or hybrid learning problem.","enum":["supervised","unsupervised","reinforcement-learning","semi-supervised","self-supervised"],"meta:enum":{"supervised":"Supervised machine learning involves training an algorithm on labeled data to predict or classify new data based on the patterns learned from the labeled examples.","unsupervised":"Unsupervised machine learning involves training algorithms on unlabeled data to discover patterns, structures, or relationships without explicit guidance, allowing the model to identify inherent structures or clusters within the data.","reinforcement-learning":"Reinforcement learning is a type of machine learning where an agent learns to make decisions by interacting with an environment to maximize cumulative rewards, through trial and error.","semi-supervised":"Semi-supervised machine learning utilizes a combination of 
labeled and unlabeled data during training to improve model performance, leveraging the benefits of both supervised and unsupervised learning techniques.","self-supervised":"Self-supervised machine learning involves training models to predict parts of the input data from other parts of the same data, without requiring external labels, enabling learning from large amounts of unlabeled data."}}}},"task":{"type":"string","title":"Task","description":"Directly influences the input and/or output. Examples include classification, regression, clustering, etc."},"architectureFamily":{"type":"string","title":"Architecture Family","description":"The model architecture family such as transformer network, convolutional neural network, residual neural network, LSTM neural network, etc."},"modelArchitecture":{"type":"string","title":"Model Architecture","description":"The specific architecture of the model such as GPT-1, ResNet-50, YOLOv3, etc."},"datasets":{"type":"array","title":"Datasets","description":"The datasets used to train and evaluate the model.","items":{"oneOf":[{"title":"Inline Data Information","$ref":"#/$defs/cyclonedx-component-2.0/$defs/componentData"},{"type":"object","title":"Data Reference","additionalProperties":false,"properties":{"ref":{"anyOf":[{"title":"Ref","$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"},{"title":"BOM-Link Element","$ref":"#/$defs/cyclonedx-common-2.0/$defs/bomLinkElementType"}],"title":"Reference","type":"string","description":"References a data component by the components bom-ref attribute"}}}]}},"inputs":{"type":"array","title":"Inputs","description":"The input format(s) of the model","items":{"$ref":"#/$defs/cyclonedx-ai-modelcard-2.0/$defs/inputOutputMLParameters"}},"outputs":{"type":"array","title":"Outputs","description":"The output format(s) from the model","items":{"$ref":"#/$defs/cyclonedx-ai-modelcard-2.0/$defs/inputOutputMLParameters"}}}},"quantitativeAnalysis":{"type":"object","title":"Quantitative 
Analysis","description":"A quantitative analysis of the model","additionalProperties":false,"properties":{"performanceMetrics":{"type":"array","title":"Performance Metrics","description":"The model performance metrics being reported. Examples may include accuracy, F1 score, precision, top-3 error rates, MSC, etc.","items":{"$ref":"#/$defs/cyclonedx-ai-modelcard-2.0/$defs/performanceMetric"}},"graphics":{"$ref":"#/$defs/cyclonedx-ai-modelcard-2.0/$defs/graphicsCollection"}}},"considerations":{"type":"object","title":"Considerations","description":"What considerations should be taken into account regarding the model's construction, training, and application?","additionalProperties":false,"properties":{"users":{"type":"array","title":"Users","description":"Who are the intended users of the model?","items":{"type":"string"}},"useCases":{"type":"array","title":"Use Cases","description":"What are the intended use cases of the model?","items":{"type":"string"}},"technicalLimitations":{"type":"array","title":"Technical Limitations","description":"What are the known technical limitations of the model? E.g. What kind(s) of data should the model be expected not to perform well on? 
What are the factors that might degrade model performance?","items":{"type":"string"}},"performanceTradeoffs":{"type":"array","title":"Performance Tradeoffs","description":"What are the known tradeoffs in accuracy/performance of the model?","items":{"type":"string"}},"ethicalConsiderations":{"type":"array","title":"Ethical Considerations","description":"What are the ethical risks involved in the application of this model?","items":{"$ref":"#/$defs/cyclonedx-ai-modelcard-2.0/$defs/risk"}},"environmentalConsiderations":{"$ref":"#/$defs/cyclonedx-ai-modelcard-2.0/$defs/environmentalConsiderations","title":"Environmental Considerations","description":"What are the various environmental impacts the corresponding machine learning model has exhibited across its lifecycle?"},"fairnessAssessments":{"type":"array","title":"Fairness Assessments","description":"How does the model affect groups at risk of being systematically disadvantaged? What are the harms and benefits to the various affected groups?","items":{"$ref":"#/$defs/cyclonedx-ai-modelcard-2.0/$defs/fairnessAssessment"}}}},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"inputOutputMLParameters":{"type":"object","title":"Input and Output Parameters","additionalProperties":false,"properties":{"format":{"title":"Input/Output Format","description":"The data format for input/output to the model.","type":"string","examples":["string","image","time-series"]}}},"environmentalConsiderations":{"type":"object","title":"Environmental Considerations","description":"Describes various environmental impact metrics.","additionalProperties":false,"properties":{"energyConsumptions":{"title":"Energy Consumptions","description":"Describes energy consumption information incurred for one or more component lifecycle activities.","type":"array","items":{"$ref":"#/$defs/cyclonedx-ai-modelcard-2.0/$defs/energyConsumption"}},"properties":{"type":"array","title":"Properties","description":"Provides the ability to 
document properties in a name-value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. Unlike key-value stores, properties support duplicate names, each potentially having different values. Property names of interest to the general public are encouraged to be registered in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy). Formal registration is optional.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/property"}}}},"energyConsumption":{"title":"Energy consumption","description":"Describes energy consumption information incurred for the specified lifecycle activity.","type":"object","required":["activity","energyProviders","activityEnergyCost"],"additionalProperties":false,"properties":{"activity":{"type":"string","title":"Activity","description":"The type of activity that is part of a machine learning model development or operational lifecycle.","enum":["design","data-collection","data-preparation","training","fine-tuning","validation","deployment","inference","other"],"meta:enum":{"design":"A model design including problem framing, goal definition and algorithm selection.","data-collection":"Model data acquisition including search, selection and transfer.","data-preparation":"Model data preparation including data cleaning, labeling and conversion.","training":"Model building, training and generalized tuning.","fine-tuning":"Refining a trained model to produce desired outputs for a given problem space.","validation":"Model validation including model output evaluation and testing.","deployment":"Explicit model deployment to a target hosting infrastructure.","inference":"Generating an output response from a hosted model from a set of inputs.","other":"A lifecycle activity type whose description does not match currently defined values."}},"energyProviders":{"title":"Energy Providers","description":"The provider(s) of 
the energy consumed by the associated model development lifecycle activity.","type":"array","items":{"$ref":"#/$defs/cyclonedx-ai-modelcard-2.0/$defs/energyProvider"}},"activityEnergyCost":{"title":"Activity Energy Cost","description":"The total energy cost associated with the model lifecycle activity.","$ref":"#/$defs/cyclonedx-ai-modelcard-2.0/$defs/energyMeasure"},"co2CostEquivalent":{"title":"CO2 Equivalent Cost","description":"The CO2 cost (debit) equivalent to the total energy cost.","$ref":"#/$defs/cyclonedx-ai-modelcard-2.0/$defs/co2Measure"},"co2CostOffset":{"title":"CO2 Cost Offset","description":"The CO2 offset (credit) for the CO2 equivalent cost.","$ref":"#/$defs/cyclonedx-ai-modelcard-2.0/$defs/co2Measure"},"properties":{"type":"array","title":"Properties","description":"Provides the ability to document properties in a name-value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. Unlike key-value stores, properties support duplicate names, each potentially having different values. Property names of interest to the general public are encouraged to be registered in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy). 
Formal registration is optional.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/property"}}}},"energyMeasure":{"type":"object","title":"Energy Measure","description":"A measure of energy.","required":["value","unit"],"additionalProperties":false,"properties":{"value":{"type":"number","title":"Value","description":"Quantity of energy."},"unit":{"type":"string","enum":["kWh"],"title":"Unit","description":"Unit of energy.","meta:enum":{"kWh":"Kilowatt-hour (kWh) is the energy delivered by one kilowatt (kW) of power for one hour (h)."}}}},"co2Measure":{"type":"object","title":"CO2 Measure","description":"A measure of carbon dioxide (CO2).","required":["value","unit"],"additionalProperties":false,"properties":{"value":{"type":"number","title":"Value","description":"Quantity of carbon dioxide (CO2)."},"unit":{"type":"string","enum":["tCO2eq"],"title":"Unit","description":"Unit of carbon dioxide (CO2).","meta:enum":{"tCO2eq":"Tonnes (t) of carbon dioxide (CO2) equivalent (eq)."}}}},"energyProvider":{"type":"object","title":"Energy Provider","description":"Describes the physical provider of energy used for model development or operations.","required":["organization","energySource","energyProvided"],"additionalProperties":false,"properties":{"bom-ref":{"title":"BOM Reference","description":"An identifier which can be used to reference the energy provider elsewhere in the BOM. 
Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"description":{"type":"string","title":"Description","description":"A description of the energy provider."},"organization":{"type":"object","title":"Organization","description":"The organization that provides energy.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity"},"energySource":{"type":"string","enum":["coal","oil","natural-gas","nuclear","wind","solar","geothermal","hydropower","biofuel","unknown","other"],"meta:enum":{"coal":"Energy produced by types of coal.","oil":"Petroleum products (primarily crude oil and its derivative fuel oils).","natural-gas":"Hydrocarbon gas liquids (HGL) that occur as gases at atmospheric pressure and as liquids under higher pressures including Natural gas (C5H12 and heavier), Ethane (C2H6), Propane (C3H8), etc.","nuclear":"Energy produced from the cores of atoms (i.e., through nuclear fission or fusion).","wind":"Energy produced from moving air.","solar":"Energy produced from the sun (i.e., solar radiation).","geothermal":"Energy produced from heat within the earth.","hydropower":"Energy produced from flowing water.","biofuel":"Liquid fuels produced from biomass feedstocks (i.e., organic materials such as plants or animals).","unknown":"The energy source is unknown.","other":"An energy source that is not listed."},"title":"Energy Source","description":"The energy source for the energy provider."},"energyProvided":{"$ref":"#/$defs/cyclonedx-ai-modelcard-2.0/$defs/energyMeasure","title":"Energy Provided","description":"The energy provided by the energy source for an associated activity."},"externalReferences":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/externalReference"},"title":"External References","description":"External references provide a way to document systems, sites, and information that may 
be relevant but are not included with the BOM. They may also establish specific relationships within or external to the BOM."}}},"graphicsCollection":{"type":"object","title":"Graphics Collection","description":"A collection of graphics that represent various measurements.","additionalProperties":false,"properties":{"description":{"title":"Description","description":"A description of this collection of graphics.","type":"string"},"collection":{"title":"Collection","description":"A collection of graphics.","type":"array","items":{"$ref":"#/$defs/cyclonedx-ai-modelcard-2.0/$defs/graphic"}}}},"graphic":{"type":"object","title":"Graphic","additionalProperties":false,"properties":{"name":{"title":"Name","description":"The name of the graphic.","type":"string"},"image":{"title":"Graphic Image","description":"The graphic (vector or raster). Base64 encoding must be specified for binary images.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/attachment"}}},"performanceMetric":{"type":"object","title":"Performance Metric","additionalProperties":false,"properties":{"type":{"title":"Type","description":"The type of performance metric.","type":"string"},"value":{"title":"Value","description":"The value of the performance metric.","type":"string"},"slice":{"title":"Slice","description":"The name of the slice this metric was computed on. 
By default, assume this metric is not sliced.","type":"string"},"confidenceInterval":{"title":"Confidence Interval","description":"The confidence interval of the metric.","type":"object","additionalProperties":false,"properties":{"lowerBound":{"title":"Lower Bound","description":"The lower bound of the confidence interval.","type":"string"},"upperBound":{"title":"Upper Bound","description":"The upper bound of the confidence interval.","type":"string"}}}}},"risk":{"type":"object","title":"Risk","additionalProperties":false,"properties":{"name":{"title":"Name","description":"The name of the risk.","type":"string"},"mitigationStrategy":{"title":"Mitigation Strategy","description":"Strategy used to address this risk.","type":"string"}}},"fairnessAssessment":{"type":"object","title":"Fairness Assessment","description":"Information about the benefits and harms of the model to an identified at risk group.","additionalProperties":false,"properties":{"groupAtRisk":{"type":"string","title":"Group at Risk","description":"The groups or individuals at risk of being systematically disadvantaged by the model."},"benefits":{"type":"string","title":"Benefits","description":"Expected benefits to the identified groups."},"harms":{"type":"string","title":"Harms","description":"Expected harms to the identified groups."},"mitigationStrategy":{"type":"string","title":"Mitigation Strategy","description":"With respect to the benefits and harms outlined, please describe any mitigation strategy implemented."}}}}},"cyclonedx-annotation-2.0":{"type":"null","title":"CycloneDX Annotation Model","$defs":{"annotations":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-annotation-2.0/$defs/annotation"},"uniqueItems":true,"title":"Annotations","description":"Comments made by people, organizations, or tools about any object with a bom-ref, such as components, services, vulnerabilities, or the BOM itself. 
Unlike inventory information, annotations may contain opinions or commentary from various stakeholders. Annotations may be inline (with inventory) or externalized via BOM-Link and may optionally be signed."},"annotation":{"type":"object","title":"Annotations","description":"A comment, note, explanation, or similar textual content which provides additional context to the object(s) being annotated.","required":["subjects","annotator","timestamp","text"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"An identifier which can be used to reference the annotation elsewhere in the BOM. Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links."},"subjects":{"type":"array","uniqueItems":true,"items":{"anyOf":[{"title":"Ref","$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"},{"title":"BOM-Link Element","$ref":"#/$defs/cyclonedx-common-2.0/$defs/bomLinkElementType"}]},"title":"Subjects","description":"The object in the BOM identified by its bom-ref. 
This is often a component or service, but may be any object type supporting bom-refs."},"annotator":{"type":"object","title":"Annotator","description":"The organization, person, component, or service which created the textual content of the annotation.","oneOf":[{"required":["organization"]},{"required":["individual"]},{"required":["component"]},{"required":["service"]}],"additionalProperties":false,"properties":{"organization":{"description":"The organization that created the annotation","$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity"},"individual":{"description":"The person that created the annotation","$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalContact"},"component":{"description":"The tool or component that created the annotation","$ref":"#/$defs/cyclonedx-component-2.0/$defs/component"},"service":{"description":"The service that created the annotation","$ref":"#/$defs/cyclonedx-service-2.0/$defs/service"}}},"timestamp":{"type":"string","format":"date-time","title":"Timestamp","description":"The date and time (timestamp) when the annotation was created."},"text":{"type":"string","title":"Text","description":"The textual content of the annotation."},"signature":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/signature","title":"Signature","description":"Enveloped signature in [JSON Signature Format (JSF)](https://cyberphone.github.io/doc/security/jsf.html)."}}}}},"cyclonedx-citation-2.0":{"type":"null","title":"CycloneDX Citation Model","$defs":{"citations":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-citation-2.0/$defs/citation"},"uniqueItems":true,"title":"Citations","description":"A collection of attributions indicating which entity supplied information for specific fields within the BOM."},"citation":{"type":"object","title":"Citation","description":"Details a specific attribution of data within the BOM to a contributing entity or 
process.","additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference"},"pointers":{"type":"array","items":{"type":"string","title":"Field Reference","description":"A [JSON Pointer](https://datatracker.ietf.org/doc/html/rfc6901) identifying the BOM field to which the attribution applies."},"minItems":1,"title":"Field References","description":"One or more [JSON Pointers](https://datatracker.ietf.org/doc/html/rfc6901) identifying the BOM fields to which the attribution applies.\nExactly one of the \"pointers\" or \"expressions\" elements must be present."},"expressions":{"type":"array","items":{"type":"string","title":"Path Expression","description":"Specifies a [JSONPath](https://datatracker.ietf.org/doc/html/rfc9535) expression used to locate a value within a BOM."},"minItems":1,"title":"Path Expressions","description":"One or more path expressions used to locate values within a BOM.\nExactly one of the \"pointers\" or \"expressions\" elements must be present."},"timestamp":{"type":"string","format":"date-time","title":"Timestamp","description":"The date and time when the attribution was made or the information was supplied."},"attributedTo":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType","title":"Attributed To","description":"The `bom-ref` of an object, such as a component, service, tool, organisational entity, or person that supplied the cited information.\nAt least one of the \"attributedTo\" or \"process\" elements must be present."},"process":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType","title":"Process Reference","description":"The `bom-ref` to a process (such as a formula, workflow, task, or step) defined in the `formulation` section that executed or generated the attributed data.\nAt least one of the \"attributedTo\" or \"process\" elements must be present."},"note":{"type":"string","title":"Note","description":"A description or comment about the context or quality of 
the data attribution."},"signature":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/signature","title":"Signature","description":"A digital signature verifying the authenticity or integrity of the attribution."}},"required":["timestamp"],"anyOf":[{"required":["attributedTo"]},{"required":["process"]}],"oneOf":[{"required":["pointers"]},{"required":["expressions"]}]}}},"cyclonedx-common-2.0":{"type":"null","title":"CycloneDX Common Model","$defs":{"refType":{"description":"Identifier for referable and therefore interlinkable elements.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links.","type":"string","minLength":1},"refLinkType":{"description":"Descriptor for an element identified by the attribute 'bom-ref' in the same BOM document.\nIn contrast to `bomLinkElementType`.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"bomLinkDocumentType":{"title":"BOM-Link Document","description":"Descriptor for another BOM document. See https://cyclonedx.org/capabilities/bomlink/","type":"string","format":"iri-reference","pattern":"^urn:cdx:[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}/[1-9][0-9]*$"},"bomLinkElementType":{"title":"BOM-Link Element","description":"Descriptor for an element in a BOM document. 
See https://cyclonedx.org/capabilities/bomlink/","type":"string","format":"iri-reference","pattern":"^urn:cdx:[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}/[1-9][0-9]*#.+$"},"bomLink":{"title":"BOM-Link","anyOf":[{"title":"BOM-Link Document","$ref":"#/$defs/cyclonedx-common-2.0/$defs/bomLinkDocumentType"},{"title":"BOM-Link Element","$ref":"#/$defs/cyclonedx-common-2.0/$defs/bomLinkElementType"}]},"hash":{"type":"object","title":"Hash","required":["alg","content"],"additionalProperties":false,"properties":{"alg":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/hashAlgorithm"},"content":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/hashValue"}}},"hashAlgorithm":{"type":"string","title":"Hash Algorithm","description":"The algorithm that generated the hash value.","enum":["MD5","SHA-1","SHA-256","SHA-384","SHA-512","SHA3-256","SHA3-384","SHA3-512","BLAKE2b-256","BLAKE2b-384","BLAKE2b-512","BLAKE3","Streebog-256","Streebog-512"]},"hashValue":{"type":"string","title":"Hash Value","description":"The value of the hash.","examples":["3942447fac867ae5cdb3229b658f4d48"],"pattern":"^([a-fA-F0-9]{32}|[a-fA-F0-9]{40}|[a-fA-F0-9]{64}|[a-fA-F0-9]{96}|[a-fA-F0-9]{128})$"},"mediaType":{"type":"string","title":"Media Type","description":"The media type of the object. 
The media type can provide additional context about the kind of data being represented, such as an image, font, or executable.","examples":["text/plain","application/json","image/png"],"pattern":"^[-+a-z0-9.]+/[-+a-z0-9.]+$"},"attachment":{"type":"object","title":"Attachment","description":"Specifies the metadata and content for an attachment.","required":["content"],"additionalProperties":false,"properties":{"mediaType":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/mediaType"},"encoding":{"type":"string","title":"Encoding","description":"Specifies the optional encoding the text is represented in.","enum":["base64"],"meta:enum":{"base64":"Base64 is a binary-to-text encoding scheme that represents binary data in an ASCII string."}},"content":{"type":"string","title":"Attachment Text","description":"The attachment data. Proactive controls such as input validation and sanitization should be employed to prevent misuse of attachment text."}}},"base64":{"type":"string","pattern":"^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$","description":"A Base64-encoded string."},"externalReferences":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/externalReference"},"title":"External References","description":"External references provide a way to document systems, sites, and information that may be relevant but are not included with the BOM. They may also establish specific relationships within or external to the BOM."},"externalReference":{"type":"object","title":"External Reference","description":"External references provide a way to document systems, sites, and information that may be relevant but are not included with the BOM. 
They may also establish specific relationships within or external to the BOM.","required":["url","type"],"additionalProperties":false,"properties":{"url":{"anyOf":[{"title":"URL","type":"string","format":"iri-reference"},{"title":"BOM-Link","$ref":"#/$defs/cyclonedx-common-2.0/$defs/bomLink"}],"title":"URL","description":"The URI (URL or URN) to the external reference. External references are URIs and therefore can accept any URL scheme including https ([RFC-7230](https://www.ietf.org/rfc/rfc7230.txt)), mailto ([RFC-2368](https://www.ietf.org/rfc/rfc2368.txt)), tel ([RFC-3966](https://www.ietf.org/rfc/rfc3966.txt)), and dns ([RFC-4501](https://www.ietf.org/rfc/rfc4501.txt)). External references may also include formally registered URNs such as [CycloneDX BOM-Link](https://cyclonedx.org/capabilities/bomlink/) to reference CycloneDX BOMs or any object within a BOM. BOM-Link transforms applicable external references into relationships that can be expressed in a BOM or across BOMs."},"comment":{"type":"string","title":"Comment","description":"A comment describing the external reference"},"type":{"type":"string","title":"Type","description":"Specifies the type of external reference.","enum":["vcs","issue-tracker","website","advisories","bom","mailing-list","social","chat","documentation","support","source-distribution","distribution","distribution-intake","license","build-meta","build-system","release-notes","security-contact","model-card","log","configuration","evidence","formulation","attestation","threat-model","adversary-model","risk-assessment","vulnerability-assertion","exploitability-statement","pentest-report","static-analysis-report","dynamic-analysis-report","runtime-analysis-report","component-analysis-report","maturity-report","certification-report","codified-infrastructure","quality-metrics","poam","electronic-signature","digital-signature","rfc-9116","patent","patent-family","patent-assertion","citation","other"],"meta:enum":{"vcs":"Version Control 
System","issue-tracker":"Issue or defect tracking system, or an Application Lifecycle Management (ALM) system","website":"Website","advisories":"Security advisories","bom":"Bill of Materials (SBOM, OBOM, HBOM, SaaSBOM, etc)","mailing-list":"Mailing list or discussion group","social":"Social media account","chat":"Real-time chat platform","documentation":"Documentation, guides, or how-to instructions","support":"Community or commercial support","source-distribution":"The location where the source code distributable can be obtained. This is often an archive format such as zip or tgz. The source-distribution type complements use of the version control (vcs) type.","distribution":"Direct or repository download location","distribution-intake":"The location where a component was published to. This is often the same as \"distribution\" but may also include specialized publishing processes that act as an intermediary.","license":"The reference to the license file. If a license URL has been defined in the license node, it should also be defined as an external reference for completeness.","build-meta":"Build-system specific meta file (i.e. pom.xml, package.json, .nuspec, etc)","build-system":"Reference to an automated build system","release-notes":"Reference to release notes","security-contact":"Specifies a way to contact the maintainer, supplier, or provider in the event of a security incident. 
Common URIs include links to a disclosure procedure, a mailto (RFC-2368) that specifies an email address, a tel (RFC-3966) that specifies a phone number, or dns (RFC-4501) that specifies the records containing DNS Security TXT.","model-card":"A model card describes the intended uses of a machine learning model, potential limitations, biases, ethical considerations, training parameters, datasets used to train the model, performance metrics, and other relevant data useful for ML transparency.","log":"A record of events that occurred in a computer system or application, such as problems, errors, or information on current operations.","configuration":"Parameters or settings that may be used by other components or services.","evidence":"Information used to substantiate a claim.","formulation":"Describes the formulation of any referencable object within the BOM, including components, services, metadata, declarations, or the BOM itself.","attestation":"Human or machine-readable statements containing facts, evidence, or testimony.","threat-model":"An enumeration of identified weaknesses, threats, and countermeasures, dataflow diagram (DFD), attack tree, and other supporting documentation in human-readable or machine-readable format.","adversary-model":"The defined assumptions, goals, and capabilities of an adversary.","risk-assessment":"Identifies and analyzes the potential of future events that may negatively impact individuals, assets, and/or the environment. 
Risk assessments may also include judgments on the tolerability of each risk.","vulnerability-assertion":"A Vulnerability Disclosure Report (VDR) which asserts the known and previously unknown vulnerabilities that affect a component, service, or product including the analysis and findings describing the impact (or lack of impact) that the reported vulnerability has on a component, service, or product.","exploitability-statement":"A Vulnerability Exploitability eXchange (VEX) which asserts the known vulnerabilities that do not affect a product, product family, or organization, and optionally the ones that do. The VEX should include the analysis and findings describing the impact (or lack of impact) that the reported vulnerability has on the product, product family, or organization.","pentest-report":"Results from an authorized simulated cyberattack on a component or service, otherwise known as a penetration test.","static-analysis-report":"SARIF or proprietary machine or human-readable report for which static analysis has identified code quality, security, and other potential issues with the source code.","dynamic-analysis-report":"Dynamic analysis report that has identified issues such as vulnerabilities and misconfigurations.","runtime-analysis-report":"Report generated by analyzing the call stack of a running application.","component-analysis-report":"Report generated by Software Composition Analysis (SCA), container analysis, or other forms of component analysis.","maturity-report":"Report containing a formal assessment of an organization, business unit, or team against a maturity model.","certification-report":"Industry, regulatory, or other certification from an accredited (if applicable) certification body.","codified-infrastructure":"Code or configuration that defines and provisions virtualized infrastructure, commonly referred to as Infrastructure as Code (IaC).","quality-metrics":"Report or system in which quality metrics can be obtained.","poam":"Plans of 
Action and Milestones (POA&M) complement an \"attestation\" external reference. POA&M is defined by NIST as a \"document that identifies tasks needing to be accomplished. It details resources required to accomplish the elements of the plan, any milestones in meeting the tasks and scheduled completion dates for the milestones\".","electronic-signature":"An e-signature is commonly a scanned representation of a written signature or a stylized script of the person's name.","digital-signature":"A signature that leverages cryptography, typically public/private key pairs, which provides strong authenticity verification.","rfc-9116":"Document that complies with [RFC 9116](https://www.ietf.org/rfc/rfc9116.html) (A File Format to Aid in Security Vulnerability Disclosure)","patent":"References information about patents which may be defined in human-readable documents or in machine-readable formats such as CycloneDX or ST.96. For detailed patent information or to reference the information provided directly by patent offices, it is recommended to leverage standards from the World Intellectual Property Organization (WIPO) such as [ST.96](https://www.wipo.int/standards/en/st96).","patent-family":"References information about a patent family which may be defined in human-readable documents or in machine-readable formats such as CycloneDX or ST.96. A patent family is a group of related patent applications or granted patents that cover the same or similar invention. For detailed patent family information or to reference the information provided directly by patent offices, it is recommended to leverage standards from the World Intellectual Property Organization (WIPO) such as [ST.96](https://www.wipo.int/standards/en/st96).","patent-assertion":"References assertions made regarding patents associated with a component or service. 
Assertions distinguish between ownership, licensing, and other relevant interactions with patents.","citation":"A reference to external citations applicable to the object identified by this BOM entry or the BOM itself. When used with a BOM-Link, this allows offloading citations into a separate CycloneDX BOM.","other":"Use this if no other types accurately describe the purpose of the external reference."}},"hashes":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/hash"},"title":"Hashes","description":"The hashes of the external reference (if applicable)."},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"postalAddress":{"type":"object","title":"Postal address","description":"An address used to identify a contactable location.","additionalProperties":false,"properties":{"bom-ref":{"title":"BOM Reference","description":"An optional identifier which can be used to reference the address elsewhere in the BOM. Every bom-ref must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"country":{"type":"string","title":"Country","description":"The country name or the two-letter ISO 3166-1 country code."},"region":{"type":"string","title":"Region","description":"The region or state in the country.","examples":["Texas"]},"locality":{"type":"string","title":"Locality","description":"The locality or city within the country.","examples":["Austin"]},"postOfficeBoxNumber":{"type":"string","title":"Post Office Box Number","description":"The post office box number.","examples":["901"]},"postalCode":{"type":"string","title":"Postal Code","description":"The postal code.","examples":["78758"]},"streetAddress":{"type":"string","title":"Street Address","description":"The street address.","examples":["100 Main Street"]}}},"organizationalEntity":{"type":"object","title":"Organizational 
Entity","additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"An optional identifier which can be used to reference the object elsewhere in the BOM. Every bom-ref must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links."},"name":{"type":"string","title":"Organization Name","description":"The name of the organization","examples":["Example Inc."]},"address":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/postalAddress","title":"Organization Address","description":"The physical address (location) of the organization"},"url":{"type":"array","items":{"type":"string","format":"iri-reference"},"title":"Organization URL(s)","description":"The URL of the organization. Multiple URLs are allowed.","examples":["https://example.com"]},"contact":{"type":"array","title":"Organizational Contact","description":"A contact at the organization. Multiple contacts are allowed.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalContact"}}}},"organizationalContact":{"type":"object","title":"Organizational Contact","additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"An optional identifier which can be used to reference the object elsewhere in the BOM. 
Every bom-ref must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links."},"name":{"type":"string","title":"Name","description":"The name of a contact","examples":["Contact name"]},"email":{"type":"string","format":"idn-email","title":"Email Address","description":"The email address of the contact.","examples":["firstname.lastname@example.com"]},"phone":{"type":"string","title":"Phone","description":"The phone number of the contact.","examples":["800-555-1212"]}}},"organizationalEntityOrContact":{},"properties":{"type":"array","title":"Properties","description":"Provides the ability to document properties in a name-value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. Unlike key-value stores, properties support duplicate names, each potentially having different values. Property names of interest to the general public are encouraged to be registered in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy). Formal registration is optional.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/property"}},"property":{"type":"object","title":"Lightweight name-value pair","description":"Provides the ability to document properties in a name-value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. Unlike key-value stores, properties support duplicate names, each potentially having different values. Property names of interest to the general public are encouraged to be registered in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy). Formal registration is optional.","required":["name"],"properties":{"name":{"type":"string","title":"Name","description":"The name of the property. 
Duplicate names are allowed, each potentially having a different value."},"value":{"type":"string","title":"Value","description":"The value of the property."}},"additionalProperties":false},"extensibleProperties":{"type":"object","title":"Extensible Properties","patternProperties":{"^ext:[a-zA-Z0-9.-]+\\.[a-zA-Z]{2,}:.+$":{"description":"CycloneDX supports a structured and namespace-aware mechanism for extensibility through the use of extensible properties. This mechanism enables organizations, ecosystems, and tool vendors to safely introduce custom properties without conflicting with the core schema or other extensions.\n\nExtensible properties are defined as a JSON object whose keys must conform to a strict pattern that resembles a reverse domain name structure, prefixed with ext:. This pattern provides a namespacing convention that aligns with well-established practices in other structured formats (e.g., XML namespaces).","examples":["ext::","ext:example.org:myExtension"],"if":{"type":["object","array"]},"then":{"type":"object","required":["$schema"],"properties":{"$schema":{"type":"string","format":"uri"}}},"else":{"type":["string","number","boolean","null"]}}}},"baseObject":{"description":"Base object for all CycloneDX entities. Automatically includes support for extensible properties.","allOf":[{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/extensibleProperties"}],"properties":{"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"},"externalReferences":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/externalReferences"}}},"timestamp":{"type":"string","format":"date-time","title":"Timestamp","pattern":"^\\d{4}-\\d{2}-\\d{2}T\\d{2}:\\d{2}:\\d{2}(\\.\\d+)?Z$","description":"An RFC 3339-compliant UTC timestamp using Zulu time (i.e., ending with 'Z'). The format must be 'YYYY-MM-DDTHH:MM:SSZ' or include optional fractional seconds, e.g., 'YYYY-MM-DDTHH:MM:SS.sssZ'. 
Offsets such as '+00:00' are not allowed."},"lifecycle":{"type":"object","title":"Lifecycle","description":"The product lifecycle(s) that this BOM represents.","oneOf":[{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/preDefinedLifecyclePhase"},{"title":"Custom Lifecycle Phase","required":["name"],"additionalProperties":false,"properties":{"name":{"type":"string","title":"Name","description":"The name of the lifecycle phase"},"description":{"type":"string","title":"Description","description":"The description of the lifecycle phase"}}}]},"lifecycles":{"type":"array","title":"Lifecycles","description":"Lifecycles communicate the stage(s) in which data in the BOM was captured. Different types of data may be available at various phases of a lifecycle, such as the Software Development Lifecycle (SDLC), IT Asset Management (ITAM), and Software Asset Management (SAM). Thus, a BOM may include data specific to or only obtainable in a given lifecycle.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/lifecycle"}},"preDefinedLifecyclePhase":{"title":"Pre-Defined Phase","required":["phase"],"additionalProperties":false,"properties":{"phase":{"type":"string","title":"Phase","description":"A pre-defined phase in the product lifecycle.","enum":["design","pre-build","build","post-build","operations","discovery","decommission"],"meta:enum":{"design":"BOM produced early in the development lifecycle containing an inventory of components and services that are proposed or planned to be used. The inventory may need to be procured, retrieved, or resourced prior to use.","pre-build":"BOM consisting of information obtained prior to a build process and may contain source files and development artifacts and manifests. The inventory may need to be resolved and retrieved prior to use.","build":"BOM consisting of information obtained during a build process where component inventory is available for use. 
The precise versions of resolved components are usually available at this time as well as the provenance of where the components were retrieved from.","post-build":"BOM consisting of information obtained after a build process has completed and the resulting components(s) are available for further analysis. Built components may exist as the result of a CI/CD process, may have been installed or deployed to a system or device, and may need to be retrieved or extracted from the system or device.","operations":"BOM produced that represents inventory that is running and operational. This may include staging or production environments and will generally encompass multiple SBOMs describing the applications and operating system, along with HBOMs describing the hardware that makes up the system. Operations Bill of Materials (OBOM) can provide full-stack inventory of runtime environments, configurations, and additional dependencies.","discovery":"BOM consisting of information observed through network discovery providing point-in-time enumeration of embedded, on-premise, and cloud-native services such as server applications, connected devices, microservices, and serverless functions.","decommission":"BOM containing inventory that will be, or has been retired from operations."}}}},"tags":{"type":"array","items":{"type":"string"},"title":"Tags","description":"Textual strings that aid in discovery, search, and retrieval of the associated object. Tags often serve as a way to group or categorize similar or related objects by various attributes.","examples":["json-parser","object-persistence","text-to-image","translation","object-detection"]},"commit":{"type":"object","title":"Commit","description":"Specifies an individual commit","additionalProperties":false,"properties":{"uid":{"type":"string","title":"UID","description":"A unique identifier of the commit. This may be version control specific. 
For example, Subversion uses revision numbers whereas git uses commit hashes."},"url":{"type":"string","title":"URL","description":"The URL to the commit. This URL will typically point to a commit in a version control system.","format":"iri-reference"},"author":{"title":"Author","description":"The author who created the changes in the commit","$ref":"#/$defs/cyclonedx-common-2.0/$defs/identifiableAction"},"committer":{"title":"Committer","description":"The person who committed or pushed the commit","$ref":"#/$defs/cyclonedx-common-2.0/$defs/identifiableAction"},"message":{"type":"string","title":"Message","description":"The text description of the contents of the commit"}}},"patch":{"type":"object","title":"Patch","description":"Specifies an individual patch","required":["type"],"additionalProperties":false,"properties":{"type":{"type":"string","enum":["unofficial","monkey","backport","cherry-pick"],"meta:enum":{"unofficial":"A patch which is not developed by the creators or maintainers of the software being patched. Refer to [https://en.wikipedia.org/wiki/Unofficial_patch](https://en.wikipedia.org/wiki/Unofficial_patch).","monkey":"A patch which dynamically modifies runtime behavior. Refer to [https://en.wikipedia.org/wiki/Monkey_patch](https://en.wikipedia.org/wiki/Monkey_patch).","backport":"A patch which takes code from a newer version of the software and applies it to older versions of the same software. Refer to [https://en.wikipedia.org/wiki/Backporting](https://en.wikipedia.org/wiki/Backporting).","cherry-pick":"A patch created by selectively applying commits from other versions or branches of the same software."},"title":"Patch Type","description":"Specifies the purpose for the patch including the resolution of defects, security issues, or new behavior or functionality."},"diff":{"title":"Diff","description":"The patch file (or diff) that shows changes. 
Refer to [https://en.wikipedia.org/wiki/Diff](https://en.wikipedia.org/wiki/Diff)","$ref":"#/$defs/cyclonedx-common-2.0/$defs/diff"},"resolves":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/issue"},"title":"Resolves","description":"A collection of issues the patch resolves"}}},"diff":{"type":"object","title":"Diff","description":"The patch file (or diff) that shows changes. Refer to https://en.wikipedia.org/wiki/Diff","additionalProperties":false,"properties":{"text":{"title":"Diff text","description":"Specifies the optional text of the diff","$ref":"#/$defs/cyclonedx-common-2.0/$defs/attachment"},"url":{"type":"string","title":"URL","description":"Specifies the URL to the diff","format":"iri-reference"}}},"issue":{"type":"object","title":"Issue","description":"An individual issue that has been resolved.","required":["type"],"additionalProperties":false,"properties":{"type":{"type":"string","enum":["defect","enhancement","security"],"meta:enum":{"defect":"A fault, flaw, or bug in software.","enhancement":"A new feature or behavior in software.","security":"A special type of defect which impacts security."},"title":"Issue Type","description":"Specifies the type of issue"},"id":{"type":"string","title":"Issue ID","description":"The identifier of the issue assigned by the source of the issue"},"name":{"type":"string","title":"Issue Name","description":"The name of the issue"},"description":{"type":"string","title":"Issue Description","description":"A description of the issue"},"source":{"type":"object","title":"Source","description":"The source of the issue where it is documented","additionalProperties":false,"properties":{"name":{"type":"string","title":"Name","description":"The name of the source.","examples":["National Vulnerability Database","NVD","Apache"]},"url":{"type":"string","title":"URL","description":"The url of the issue documentation as provided by the 
source","format":"iri-reference"}}},"references":{"type":"array","items":{"type":"string","format":"iri-reference"},"title":"References","description":"A collection of URL's for reference. Multiple URLs are allowed.","examples":["https://example.com"]}}},"identifiableAction":{"type":"object","title":"Identifiable Action","description":"Specifies an individual commit","additionalProperties":false,"properties":{"timestamp":{"type":"string","format":"date-time","title":"Timestamp","description":"The timestamp in which the action occurred"},"name":{"type":"string","title":"Name","description":"The name of the individual who performed the action"},"email":{"type":"string","format":"idn-email","title":"E-mail","description":"The email address of the individual who performed the action"}}},"locale":{"type":"string","pattern":"^([a-z]{2})(-[A-Z]{2})?$","title":"Locale","description":"Defines a syntax for representing two character language code (ISO-639) followed by an optional two character country code. The language code must be lower case. If the country code is specified, the country code must be upper case. The language code and country code must be separated by a minus sign. 
Examples: en, en-US, fr, fr-CA"},"signature":{"$ref":"../jsf-0.82.schema.json#/definitions/signature","title":"Signature","description":"Enveloped signature in [JSON Signature Format (JSF)](https://cyberphone.github.io/doc/security/jsf.html)."}}},"cyclonedx-component-2.0":{"type":"null","title":"CycloneDX Component Model","$defs":{"components":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-component-2.0/$defs/component"},"uniqueItems":true,"title":"Components"},"component":{"type":"object","title":"Component","required":["type","name"],"additionalProperties":false,"properties":{"type":{"type":"string","enum":["application","framework","library","container","platform","operating-system","device","device-driver","firmware","file","machine-learning-model","data","cryptographic-asset"],"meta:enum":{"application":"A software application. Refer to [https://en.wikipedia.org/wiki/Application_software](https://en.wikipedia.org/wiki/Application_software) for information about applications.","framework":"A software framework. Refer to [https://en.wikipedia.org/wiki/Software_framework](https://en.wikipedia.org/wiki/Software_framework) for information on how frameworks vary slightly from libraries.","library":"A software library. Refer to [https://en.wikipedia.org/wiki/Library_(computing)](https://en.wikipedia.org/wiki/Library_(computing)) for information about libraries. All third-party and open source reusable components will likely be a library. If the library also has key features of a framework, then it should be classified as a framework. If not, or is unknown, then specifying library is recommended.","container":"A packaging and/or runtime format, not specific to any particular technology, which isolates software inside the container from software outside of a container through virtualization technology. 
Refer to [https://en.wikipedia.org/wiki/OS-level_virtualization](https://en.wikipedia.org/wiki/OS-level_virtualization).","platform":"A runtime environment that interprets or executes software. This may include runtimes such as those that execute bytecode, just-in-time compilers, interpreters, or low-code/no-code application platforms.","operating-system":"A software operating system without regard to deployment model (i.e. installed on physical hardware, virtual machine, image, etc) Refer to [https://en.wikipedia.org/wiki/Operating_system](https://en.wikipedia.org/wiki/Operating_system).","device":"A hardware device such as a processor or chip-set. A hardware device containing firmware SHOULD include a component for the physical hardware itself and another component of type 'firmware' or 'operating-system' (whichever is relevant), describing information about the software running on the device. See also the list of [known device properties](https://github.com/CycloneDX/cyclonedx-property-taxonomy/blob/main/cdx/device.md).","device-driver":"A special type of software that operates or controls a particular type of device. Refer to [https://en.wikipedia.org/wiki/Device_driver](https://en.wikipedia.org/wiki/Device_driver).","firmware":"A special type of software that provides low-level control over a device's hardware. Refer to [https://en.wikipedia.org/wiki/Firmware](https://en.wikipedia.org/wiki/Firmware).","file":"A computer file. Refer to [https://en.wikipedia.org/wiki/Computer_file](https://en.wikipedia.org/wiki/Computer_file) for information about files.","machine-learning-model":"A model based on training data that can make predictions or decisions without being explicitly programmed to do so.","data":"A collection of discrete values that convey information.","cryptographic-asset":"A cryptographic asset including algorithms, protocols, certificates, keys, tokens, and secrets."},"title":"Component Type","description":"Specifies the type of component. 
For software components, classify as application if no more specific appropriate classification is available or cannot be determined for the component.","examples":["library"]},"mime-type":{"type":"string","title":"Mime-Type","description":"The mime-type of the component. When used on file components, the mime-type can provide additional context about the kind of file being represented, such as an image, font, or executable. Some library or framework components may also have an associated mime-type.","examples":["image/jpeg"],"pattern":"^[-+a-z0-9.]+/[-+a-z0-9.]+$"},"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"An identifier which can be used to reference the component elsewhere in the BOM. Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links."},"supplier":{"title":"Component Supplier","description":" The organization that supplied the component. The supplier may often be the manufacturer, but may also be a distributor or repackager.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity"},"manufacturer":{"title":"Component Manufacturer","description":"The organization that created the component.\nManufacturer is common in components created through automated processes. Components created through manual means may have `@.authors` instead.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity"},"authors":{"type":"array","title":"Component Authors","description":"The person(s) who created the component.\nAuthors are common in components created through manual processes. 
Components created through automated means may have `@.manufacturer` instead.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalContact"}},"publisher":{"type":"string","title":"Component Publisher","description":"The person(s) or organization(s) that published the component","examples":["Acme Inc"]},"group":{"type":"string","title":"Component Group","description":"The grouping name or identifier. This will often be a shortened, single name of the company or project that produced the component, or the source package or domain name. Whitespace and special characters should be avoided. Examples include: apache, org.apache.commons, and apache.org.","examples":["com.acme"]},"name":{"type":"string","title":"Component Name","description":"The name of the component. This will often be a shortened, single name of the component. Examples: commons-lang3 and jquery","examples":["tomcat-catalina"]},"version":{"$ref":"#/$defs/cyclonedx-component-2.0/$defs/version","title":"Component Version","description":"The component version. The version should ideally comply with semantic versioning but is not enforced.\nMust be used exclusively, either 'version' or 'versionRange', but not both."},"versionRange":{"$ref":"#/$defs/cyclonedx-component-2.0/$defs/versionRange","title":"Component Version Range","description":"For an external component, this specifies the accepted version range.\nThe value must adhere to the Package URL Version Range syntax (vers), as defined at A list of zero or more patches describing how the component deviates from an ancestor, descendant, or variant. 
Patches may be complementary to commits or may be used in place of commits.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/patch"}},"notes":{"type":"string","title":"Notes","description":"Notes, observations, and other non-structured commentary describing the components pedigree."}}},"components":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-component-2.0/$defs/component"},"uniqueItems":true,"title":"Components","description":"A list of software and hardware components included in the parent component. This is not a dependency tree. It provides a way to specify a hierarchical representation of component assemblies, similar to system → subsystem → parts assembly in physical supply chains."},"evidence":{"$ref":"#/$defs/cyclonedx-component-2.0/$defs/componentEvidence","title":"Evidence","description":"Provides the ability to document evidence collected through various forms of extraction or analysis."},"releaseNotes":{"$ref":"#/$defs/cyclonedx-release-notes-2.0/$defs/releaseNotes","title":"Release notes","description":"Specifies release notes."},"modelCard":{"$ref":"#/$defs/cyclonedx-ai-modelcard-2.0/$defs/modelCard","title":"AI/ML Model Card"},"data":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-component-2.0/$defs/componentData"},"title":"Data","description":"This object SHOULD be specified for any component of type `data` and must not be specified for other component types."},"cryptoProperties":{"$ref":"#/$defs/cyclonedx-cryptography-2.0/$defs/cryptoProperties","title":"Cryptographic Properties"},"tags":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/tags","title":"Tags"},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"},"externalReferences":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/externalReferences"},"signature":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/signature","title":"Signature","description":"Enveloped signature in [JSON Signature Format 
(JSF)](https://cyberphone.github.io/doc/security/jsf.html)."}},"allOf":[{"description":"Requirement: ensure that `version` and `versionRange` are not present simultaneously.","not":{"required":["version","versionRange"]}},{"description":"Requirement: 'versionRange' must not be present when 'isExternal' is `false`.","if":{"properties":{"isExternal":{"const":false}}},"then":{"not":{"required":["versionRange"]}},"else":true}]},"version":{"description":"A single disjunctive version identifier, for a component or service.","type":"string","maxLength":1024,"examples":["9.0.14","v1.33.7","7.0.0-M1","2.0pre1","1.0.0-beta1","0.8.15"]},"versionRange":{"description":"A version range specified in Package-URL Version Range syntax (vers) which is defined at https://github.com/package-url/vers-spec","type":"string","minLength":1,"maxLength":4096,"examples":["vers:cargo/9.0.14","vers:npm/1.2.3|>=2.0.0|<5.0.0","vers:pypi/0.0.0|0.0.1|0.0.2|0.0.3|1.0|2.0pre1","vers:tomee/>=1.0.0-beta1|<=1.7.5|>=7.0.0-M1|<=7.0.7|>=7.1.0|<=7.1.2|>=8.0.0-M1|<=8.0.1","vers:gem/>=2.2.0|!= 2.2.1|<2.3.0"]},"copyrightText":{"type":"string","title":"Component Copyright","description":"A copyright notice informing users of the underlying claims to copyright ownership in a published work.","examples":["Acme Inc"]},"copyright":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-component-2.0/$defs/copyrightObject"},"title":"Copyright","description":"Captures intellectual property assertions, providing evidence of possible ownership and legal protection."},"copyrightObject":{"type":"object","title":"Copyright","description":"A copyright notice informing users of the underlying claims to copyright ownership in a published work.","required":["text"],"additionalProperties":false,"properties":{"text":{"type":"string","title":"Copyright Text","description":"The textual content of the copyright."}}},"swid":{"type":"object","title":"SWID Tag","description":"Specifies metadata and content for ISO-IEC 19770-2 Software 
Identification (SWID) Tags.","required":["tagId","name"],"additionalProperties":false,"properties":{"tagId":{"type":"string","title":"Tag ID","description":"Maps to the tagId of a SoftwareIdentity."},"name":{"type":"string","title":"Name","description":"Maps to the name of a SoftwareIdentity."},"version":{"type":"string","title":"Version","default":"0.0","description":"Maps to the version of a SoftwareIdentity."},"tagVersion":{"type":"integer","title":"Tag Version","default":0,"description":"Maps to the tagVersion of a SoftwareIdentity."},"patch":{"type":"boolean","title":"Patch","default":false,"description":"Maps to the patch of a SoftwareIdentity."},"text":{"title":"Attachment text","description":"Specifies the metadata and content of the SWID tag.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/attachment"},"url":{"type":"string","title":"URL","description":"The URL to the SWID file.","format":"iri-reference"}}},"componentEvidence":{"type":"object","title":"Evidence","description":"Provides the ability to document evidence collected through various forms of extraction or analysis.","additionalProperties":false,"properties":{"identity":{"type":"array","title":"Identity Evidence","description":"Evidence that substantiates the identity of a component. The identity may be an object or an array of identity objects. Support for specifying identity as a single object was introduced in CycloneDX v1.5. Arrays were introduced in v1.6. 
It is recommended that all implementations use arrays, even if only one identity object is specified.","items":{"$ref":"#/$defs/cyclonedx-component-2.0/$defs/componentIdentityEvidence"}},"occurrences":{"type":"array","title":"Occurrences","description":"Evidence of individual instances of a component spread across multiple locations.","items":{"type":"object","required":["location"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"An identifier which can be used to reference the occurrence elsewhere in the BOM. Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links."},"location":{"type":"string","title":"Location","description":"The location or path to where the component was found."},"line":{"type":"integer","minimum":0,"title":"Line Number","description":"The line number where the component was found."},"offset":{"type":"integer","minimum":0,"title":"Offset","description":"The offset where the component was found."},"symbol":{"type":"string","title":"Symbol","description":"The symbol name that was found associated with the component."},"additionalContext":{"type":"string","title":"Additional Context","description":"Any additional context of the detected component (e.g. a code snippet)."}}}},"callstack":{"type":"object","title":"Call Stack","description":"Evidence of the components use through the callstack.","additionalProperties":false,"properties":{"frames":{"type":"array","title":"Frames","description":"Within a call stack, a frame is a discrete unit that encapsulates an execution context, including local variables, parameters, and the return address. 
As function calls are made, frames are pushed onto the stack, forming an array-like structure that orchestrates the flow of program execution and manages the sequence of function invocations.","items":{"type":"object","required":["module"],"additionalProperties":false,"properties":{"package":{"title":"Package","description":"A package organizes modules into namespaces, providing a unique namespace for each type it contains.","type":"string"},"module":{"title":"Module","description":"A module or class that encloses functions/methods and other code.","type":"string"},"function":{"title":"Function","description":"A block of code designed to perform a particular task.","type":"string"},"parameters":{"title":"Parameters","description":"Arguments that are passed to the module or function.","type":"array","items":{"type":"string"}},"line":{"title":"Line","description":"The line number the code that is called resides on.","type":"integer"},"column":{"title":"Column","description":"The column the code that is called resides.","type":"integer"},"fullFilename":{"title":"Full Filename","description":"The full path and filename of the module.","type":"string"}}}}}},"licenses":{"$ref":"#/$defs/cyclonedx-license-2.0/$defs/licenseChoice","title":"License Evidence"},"copyright":{"$ref":"#/$defs/cyclonedx-component-2.0/$defs/copyright"}}},"componentIdentityEvidence":{"type":"object","title":"Identity Evidence","description":"Evidence that substantiates the identity of a component.","required":["field"],"additionalProperties":false,"properties":{"field":{"type":"string","enum":["group","name","version","purl","cpe","omniborId","swhid","swid","hash"],"title":"Field","description":"The identity field of the component which the evidence describes."},"confidence":{"type":"number","minimum":0,"maximum":1,"title":"Confidence","description":"The overall confidence of the evidence from 0 - 1, where 1 is 100% confidence."},"concludedValue":{"type":"string","title":"Concluded 
Value","description":"The value of the field (cpe, purl, etc) that has been concluded based on the aggregate of all methods (if available)."},"methods":{"type":"array","title":"Methods","description":"The methods used to extract and/or analyze the evidence.","items":{"type":"object","required":["technique","confidence"],"additionalProperties":false,"properties":{"technique":{"title":"Technique","description":"The technique used in this method of analysis.","type":"string","enum":["source-code-analysis","binary-analysis","manifest-analysis","ast-fingerprint","hash-comparison","instrumentation","dynamic-analysis","filename","attestation","other"]},"confidence":{"type":"number","minimum":0,"maximum":1,"title":"Confidence","description":"The confidence of the evidence from 0 - 1, where 1 is 100% confidence. Confidence is specific to the technique used. Each technique of analysis can have independent confidence."},"value":{"type":"string","title":"Value","description":"The value or contents of the evidence."}}}},"tools":{"type":"array","uniqueItems":true,"items":{"anyOf":[{"title":"Ref","$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"},{"title":"BOM-Link Element","$ref":"#/$defs/cyclonedx-common-2.0/$defs/bomLinkElementType"}]},"title":"BOM References","description":"The object in the BOM identified by its bom-ref. This is often a component or service but may be any object type supporting bom-refs. Tools used for analysis should already be defined in the BOM, either in the metadata/tools, components, or formulation."}}},"componentData":{"type":"object","additionalProperties":false,"required":["type"],"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"An identifier which can be used to reference the dataset elsewhere in the BOM. 
Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links."},"type":{"type":"string","title":"Type of Data","description":"The general theme or subject matter of the data being specified.","enum":["source-code","configuration","dataset","definition","other"],"meta:enum":{"source-code":"Any type of code, code snippet, or data-as-code.","configuration":"Parameters or settings that may be used by other components.","dataset":"A collection of data.","definition":"Data that can be used to create new instances of what the definition defines.","other":"Any other type of data that does not fit into existing definitions."}},"name":{"title":"Dataset Name","description":"The name of the dataset.","type":"string"},"contents":{"type":"object","title":"Data Contents","description":"The contents or references to the contents of the data being described.","additionalProperties":false,"properties":{"attachment":{"title":"Data Attachment","description":"A way to include textual or encoded data.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/attachment"},"url":{"type":"string","title":"Data URL","description":"The URL to where the data can be retrieved.","format":"iri-reference"},"properties":{"type":"array","title":"Configuration Properties","description":"Provides the ability to document name-value parameters used for configuration.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/property"}}}},"classification":{"$ref":"#/$defs/cyclonedx-data-2.0/$defs/dataClassification"},"sensitiveData":{"type":"array","title":"Sensitive Data","description":"A description of any sensitive data in a dataset.","items":{"type":"string"}},"graphics":{"$ref":"#/$defs/cyclonedx-ai-modelcard-2.0/$defs/graphicsCollection"},"description":{"title":"Dataset Description","description":"A description of the dataset. 
Can describe size of dataset, whether it's used for source code, training, testing, or validation, etc.","type":"string"},"governance":{"title":"Data Governance","$ref":"#/$defs/cyclonedx-data-2.0/$defs/dataGovernance"}}}}},"cyclonedx-composition-2.0":{"type":"null","title":"CycloneDX Composition Model","$defs":{"compositions":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-composition-2.0/$defs/composition"},"uniqueItems":true,"title":"Compositions","description":"Compositions describe constituent parts (including components, services, and dependency relationships) and their completeness. The completeness of vulnerabilities expressed in a BOM may also be described."},"composition":{"type":"object","title":"Compositions","required":["aggregate"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"An identifier which can be used to reference the composition elsewhere in the BOM. Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links."},"aggregate":{"$ref":"#/$defs/cyclonedx-composition-2.0/$defs/aggregateType","title":"Aggregate","description":"Specifies an aggregate type that describes how complete a relationship is."},"assemblies":{"type":"array","uniqueItems":true,"items":{"anyOf":[{"title":"Ref","$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"},{"title":"BOM-Link Element","$ref":"#/$defs/cyclonedx-common-2.0/$defs/bomLinkElementType"}]},"title":"BOM references","description":"The bom-ref identifiers of the components or services being described. Assemblies refer to nested relationships whereby a constituent part may include other constituent parts. References do not cascade to child parts. 
References are explicit for the specified constituent part only."},"dependencies":{"type":"array","uniqueItems":true,"items":{"type":"string"},"title":"BOM references","description":"The bom-ref identifiers of the components or services being described. Dependencies refer to a relationship whereby an independent constituent part requires another independent constituent part. References do not cascade to transitive dependencies. References are explicit for the specified dependency only."},"vulnerabilities":{"type":"array","uniqueItems":true,"items":{"type":"string"},"title":"BOM references","description":"The bom-ref identifiers of the vulnerabilities being described."},"signature":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/signature","title":"Signature","description":"Enveloped signature in [JSON Signature Format (JSF)](https://cyberphone.github.io/doc/security/jsf.html)."}}},"aggregateType":{"type":"string","default":"not_specified","enum":["complete","incomplete","incomplete_first_party_only","incomplete_first_party_proprietary_only","incomplete_first_party_opensource_only","incomplete_third_party_only","incomplete_third_party_proprietary_only","incomplete_third_party_opensource_only","unknown","not_specified"],"meta:enum":{"complete":"The relationship is complete. No further relationships including constituent components, services, or dependencies are known to exist.","incomplete":"The relationship is incomplete. Additional relationships exist and may include constituent components, services, or dependencies.","incomplete_first_party_only":"The relationship is incomplete. Only relationships for first-party components, services, or their dependencies are represented.","incomplete_first_party_proprietary_only":"The relationship is incomplete. Only relationships for first-party components, services, or their dependencies are represented, limited specifically to those that are proprietary.","incomplete_first_party_opensource_only":"The relationship is incomplete. 
Only relationships for first-party components, services, or their dependencies are represented, limited specifically to those that are opensource.","incomplete_third_party_only":"The relationship is incomplete. Only relationships for third-party components, services, or their dependencies are represented.","incomplete_third_party_proprietary_only":"The relationship is incomplete. Only relationships for third-party components, services, or their dependencies are represented, limited specifically to those that are proprietary.","incomplete_third_party_opensource_only":"The relationship is incomplete. Only relationships for third-party components, services, or their dependencies are represented, limited specifically to those that are opensource.","unknown":"The relationship may be complete or incomplete. This usually signifies a 'best-effort' to obtain constituent components, services, or dependencies but the completeness is inconclusive.","not_specified":"The relationship completeness is not specified."}}}},"cyclonedx-cryptography-2.0":{"type":"null","title":"CycloneDX Cryptography Model","$defs":{"cryptoProperties":{"type":"object","title":"Cryptographic Properties","description":"Cryptographic assets have properties that uniquely define them and that make them actionable for further reasoning. As an example, it makes a difference if one knows the algorithm family (e.g. AES) or the specific variant or instantiation (e.g. AES-128-GCM). This is because the security level and the algorithm primitive (authenticated encryption) are only defined by the definition of the algorithm variant. The presence of a weak cryptographic algorithm like SHA1 vs. HMAC-SHA1 also makes a difference.","additionalProperties":false,"required":["assetType"],"properties":{"assetType":{"type":"string","title":"Asset Type","description":"Cryptographic assets occur in several forms. Algorithms and protocols are most commonly implemented in specialized cryptographic libraries. 
They may, however, also be 'hardcoded' in software components. Certificates and related cryptographic material like keys, tokens, secrets or passwords are other cryptographic assets to be modelled.","enum":["algorithm","certificate","protocol","related-crypto-material"],"meta:enum":{"algorithm":"Mathematical function commonly used for data encryption, authentication, and digital signatures.","certificate":"An electronic document that is used to provide the identity or validate a public key.","protocol":"A set of rules and guidelines that govern the behavior and communication with each other.","related-crypto-material":"Other cryptographic assets related to algorithms, certificates, and protocols such as keys and tokens."}},"algorithmProperties":{"type":"object","title":"Algorithm Properties","description":"Additional properties specific to a cryptographic algorithm.","additionalProperties":false,"properties":{"primitive":{"type":"string","title":"primitive","description":"Cryptographic building blocks used in higher-level cryptographic systems and protocols. Primitives represent different cryptographic routines: deterministic random bit generators (drbg, e.g. CTR_DRBG from NIST SP800-90A-r1), message authentication codes (mac, e.g. HMAC-SHA-256), blockciphers (e.g. AES), streamciphers (e.g. Salsa20), signatures (e.g. ECDSA), hash functions (e.g. SHA-256), public-key encryption schemes (pke, e.g. RSA), extended output functions (xof, e.g. SHAKE256), key derivation functions (e.g. pbkdf2), key agreement algorithms (e.g. ECDH), key encapsulation mechanisms (e.g. ML-KEM), authenticated encryption (ae, e.g. AES-GCM) and the combination of multiple algorithms (combiner, e.g. 
SP800-56Cr2).","enum":["drbg","mac","block-cipher","stream-cipher","signature","hash","pke","xof","kdf","key-agree","kem","ae","combiner","key-wrap","other","unknown"],"meta:enum":{"drbg":"Deterministic Random Bit Generator (DRBG) is a type of pseudorandom number generator designed to produce a sequence of bits from an initial seed value. DRBGs are commonly used in cryptographic applications where reproducibility of random values is important.","mac":"In cryptography, a Message Authentication Code (MAC) is information used for authenticating and integrity-checking a message.","block-cipher":"A block cipher is a symmetric key algorithm that operates on fixed-size blocks of data. It encrypts or decrypts the data in block units, providing confidentiality. Block ciphers are widely used in various cryptographic modes and protocols for secure data transmission.","stream-cipher":"A stream cipher is a symmetric key cipher where plaintext digits are combined with a pseudorandom cipher digit stream (keystream).","signature":"In cryptography, a signature is a digital representation of a message or data that proves its origin, identity, and integrity. Digital signatures are generated using cryptographic algorithms and are widely used for authentication and verification in secure communication.","hash":"A hash function is a mathematical algorithm that takes an input (or 'message') and produces a fixed-size string of characters, which is typically a hash value. Hash functions are commonly used in various cryptographic applications, including data integrity verification and password hashing.","pke":"Public Key Encryption (PKE) is a type of encryption that uses a pair of public and private keys for secure communication. The public key is used for encryption, while the private key is used for decryption. 
PKE is a fundamental component of public-key cryptography.","xof":"An XOF is an extendable output function that can take arbitrary input and creates a stream of output, up to a limit determined by the size of the internal state of the hash function that underlies the XOF.","kdf":"A Key Derivation Function (KDF) derives key material from another source of entropy while preserving the entropy of the input.","key-agree":"In cryptography, a key-agreement is a protocol whereby two or more parties agree on a cryptographic key in such a way that both influence the outcome.","kem":"A Key Encapsulation Mechanism (KEM) algorithm is a mechanism for transporting random keying material to a recipient using the recipient's public key.","ae":"Authenticated Encryption (AE) is a cryptographic process that provides both confidentiality and data integrity. It ensures that the encrypted data has not been tampered with and comes from a legitimate source. AE is commonly used in secure communication protocols.","combiner":"A combiner aggregates many candidates for a cryptographic primitive and generates a new candidate for the same primitive.","key-wrap":"Key-wrap is a cryptographic technique used to securely encrypt and protect cryptographic keys using algorithms like AES.","other":"Another primitive type.","unknown":"The primitive is not known."}},"algorithmFamily":{"$ref":"../cryptography-defs.schema.json#/definitions/algorithmFamiliesEnum","title":"Algorithm Family","description":"A valid algorithm family identifier. If specified, this value shall be one of the enumeration of valid algorithm Family identifiers defined in the `cryptography-defs.schema.json` subschema.","examples":["3DES","Blowfish","ECDH"]},"parameterSetIdentifier":{"type":"string","title":"Parameter Set Identifier","description":"An identifier for the parameter set of the cryptographic algorithm. 
Examples: in AES128, '128' identifies the key length in bits, in SHA256, '256' identifies the digest length, '128' in SHAKE128 identifies its maximum security level in bits, and 'SHA2-128s' identifies a parameter set used in SLH-DSA (FIPS205)."},"ellipticCurve":{"$ref":"../cryptography-defs.schema.json#/definitions/ellipticCurvesEnum","title":"Elliptic Curve","description":"The specific underlying Elliptic Curve (EC) definition employed which is an indicator of the level of security strength, performance and complexity. If specified, this value shall be one of the enumeration of valid elliptic curves identifiers defined in the `cryptography-defs.schema.json` subschema."},"executionEnvironment":{"type":"string","title":"Execution Environment","description":"The target and execution environment in which the algorithm is implemented in.","enum":["software-plain-ram","software-encrypted-ram","software-tee","hardware","other","unknown"],"meta:enum":{"software-plain-ram":"A software implementation running in plain unencrypted RAM.","software-encrypted-ram":"A software implementation running in encrypted RAM.","software-tee":"A software implementation running in a trusted execution environment.","hardware":"A hardware implementation.","other":"Another implementation environment.","unknown":"The execution environment is not known."}},"implementationPlatform":{"type":"string","title":"Implementation platform","description":"The target platform for which the algorithm is implemented. The implementation can be 'generic', running on any platform or for a specific platform.","enum":["generic","x86_32","x86_64","armv7-a","armv7-m","armv8-a","armv8-m","armv9-a","armv9-m","s390x","ppc64","ppc64le","other","unknown"]},"certificationLevel":{"type":"array","title":"Certification Level","description":"The certification that the implementation of the cryptographic algorithm has received, if any. 
Certifications include revisions and levels of FIPS 140 or Common Criteria of different Extended Assurance Levels (CC-EAL).","items":{"type":"string","enum":["none","fips140-1-l1","fips140-1-l2","fips140-1-l3","fips140-1-l4","fips140-2-l1","fips140-2-l2","fips140-2-l3","fips140-2-l4","fips140-3-l1","fips140-3-l2","fips140-3-l3","fips140-3-l4","cc-eal1","cc-eal1+","cc-eal2","cc-eal2+","cc-eal3","cc-eal3+","cc-eal4","cc-eal4+","cc-eal5","cc-eal5+","cc-eal6","cc-eal6+","cc-eal7","cc-eal7+","other","unknown"],"meta:enum":{"none":"No certification obtained","fips140-1-l1":"FIPS 140-1 Level 1","fips140-1-l2":"FIPS 140-1 Level 2","fips140-1-l3":"FIPS 140-1 Level 3","fips140-1-l4":"FIPS 140-1 Level 4","fips140-2-l1":"FIPS 140-2 Level 1","fips140-2-l2":"FIPS 140-2 Level 2","fips140-2-l3":"FIPS 140-2 Level 3","fips140-2-l4":"FIPS 140-2 Level 4","fips140-3-l1":"FIPS 140-3 Level 1","fips140-3-l2":"FIPS 140-3 Level 2","fips140-3-l3":"FIPS 140-3 Level 3","fips140-3-l4":"FIPS 140-3 Level 4","cc-eal1":"Common Criteria - Evaluation Assurance Level 1","cc-eal1+":"Common Criteria - Evaluation Assurance Level 1 (Augmented)","cc-eal2":"Common Criteria - Evaluation Assurance Level 2","cc-eal2+":"Common Criteria - Evaluation Assurance Level 2 (Augmented)","cc-eal3":"Common Criteria - Evaluation Assurance Level 3","cc-eal3+":"Common Criteria - Evaluation Assurance Level 3 (Augmented)","cc-eal4":"Common Criteria - Evaluation Assurance Level 4","cc-eal4+":"Common Criteria - Evaluation Assurance Level 4 (Augmented)","cc-eal5":"Common Criteria - Evaluation Assurance Level 5","cc-eal5+":"Common Criteria - Evaluation Assurance Level 5 (Augmented)","cc-eal6":"Common Criteria - Evaluation Assurance Level 6","cc-eal6+":"Common Criteria - Evaluation Assurance Level 6 (Augmented)","cc-eal7":"Common Criteria - Evaluation Assurance Level 7","cc-eal7+":"Common Criteria - Evaluation Assurance Level 7 (Augmented)","other":"Another certification","unknown":"The certification level is not 
known"}}},"mode":{"type":"string","title":"Mode","description":"The mode of operation in which the cryptographic algorithm (block cipher) is used.","enum":["cbc","ecb","ccm","gcm","cfb","ofb","ctr","other","unknown"],"meta:enum":{"cbc":"Cipher block chaining","ecb":"Electronic codebook","ccm":"Counter with cipher block chaining message authentication code","gcm":"Galois/counter","cfb":"Cipher feedback","ofb":"Output feedback","ctr":"Counter","other":"Another mode of operation","unknown":"The mode of operation is not known"}},"padding":{"type":"string","title":"Padding","description":"The padding scheme that is used for the cryptographic algorithm.","enum":["pkcs5","pkcs7","pkcs1v15","oaep","raw","other","unknown"],"meta:enum":{"pkcs5":"Public Key Cryptography Standard: Password-Based Cryptography","pkcs7":"Public Key Cryptography Standard: Cryptographic Message Syntax","pkcs1v15":"Public Key Cryptography Standard: RSA Cryptography v1.5","oaep":"Optimal asymmetric encryption padding","raw":"Raw","other":"Another padding scheme","unknown":"The padding scheme is not known"}},"cryptoFunctions":{"type":"array","title":"Cryptographic functions","description":"The cryptographic functions implemented by the cryptographic algorithm.","items":{"type":"string","enum":["generate","keygen","encrypt","decrypt","digest","tag","keyderive","sign","verify","encapsulate","decapsulate","other","unknown"]}},"classicalSecurityLevel":{"type":"integer","title":"classical security level","description":"The classical security level that a cryptographic algorithm provides (in bits).","minimum":0},"nistQuantumSecurityLevel":{"type":"integer","title":"NIST security strength category","description":"The NIST security strength category as defined in https://csrc.nist.gov/projects/post-quantum-cryptography/post-quantum-cryptography-standardization/evaluation-criteria/security-(evaluation-criteria). 
A value of 0 indicates that none of the categories are met.","minimum":0,"maximum":6}}},"certificateProperties":{"type":"object","title":"Certificate Properties","description":"Properties for cryptographic assets of asset type 'certificate'.","additionalProperties":false,"properties":{"serialNumber":{"type":"string","title":"Serial Number","description":"The serial number is a unique identifier for the certificate issued by a CA."},"subjectName":{"type":"string","title":"Subject Name","description":"The subject name for the certificate."},"issuerName":{"type":"string","title":"Issuer Name","description":"The issuer name for the certificate."},"notValidBefore":{"type":"string","format":"date-time","title":"Not Valid Before","description":"The date and time according to ISO-8601 standard from which the certificate is valid."},"notValidAfter":{"type":"string","format":"date-time","title":"Not Valid After","description":"The date and time according to ISO-8601 standard from which the certificate is not valid anymore."},"certificateFormat":{"type":"string","title":"Certificate Format","description":"The format of the certificate.","examples":["X.509","PEM","DER","CVC"]},"certificateFileExtension":{"type":"string","title":"Certificate File Extension","description":"The file extension of the certificate.","examples":["crt","pem","cer","der","p12"]},"fingerprint":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/hash","title":"Certificate Fingerprint","description":"The fingerprint is a cryptographic hash of the certificate excluding it's signature."},"certificateState":{"type":"array","title":"Certificate Lifecycle State","description":"The certificate lifecycle is a comprehensive process that manages digital certificates from their initial creation to eventual expiration or revocation. 
It typically involves several stages.","items":{"type":"object","title":"State","description":"The state of the certificate.","oneOf":[{"title":"Pre-Defined State","required":["state"],"additionalProperties":false,"properties":{"state":{"type":"string","title":"State","description":"A pre-defined state in the certificate lifecycle.","enum":["pre-activation","active","suspended","deactivated","revoked","destroyed"],"meta:enum":{"pre-activation":"The certificate has been issued by the issuing certificate authority (CA) but has not been authorized for use.","active":"The certificate may be used to cryptographically protect information, cryptographically process previously protected information, or both.","deactivated":"Certificates in the deactivated state shall not be used to apply cryptographic protection but, in some cases, may be used to process cryptographically protected information.","suspended":"The use of a certificate may be suspended for several possible reasons.","revoked":"A revoked certificate is a digital certificate that has been invalidated by the issuing certificate authority (CA) before its scheduled expiration date.","destroyed":"The certificate has been destroyed."}},"reason":{"type":"string","title":"Reason","description":"A reason for the certificate being in this state."}}},{"title":"Custom State","required":["name"],"additionalProperties":false,"properties":{"name":{"type":"string","title":"State","description":"The name of the certificate lifecycle state."},"description":{"type":"string","title":"Description","description":"The description of the certificate lifecycle state."},"reason":{"type":"string","title":"Reason","description":"A reason for the certificate being in this state."}}}]}},"creationDate":{"type":"string","format":"date-time","title":"Creation Date","description":"The date and time (timestamp) when the certificate was created or pre-activated."},"activationDate":{"type":"string","format":"date-time","title":"Activation 
Date","description":"The date and time (timestamp) when the certificate was activated."},"deactivationDate":{"type":"string","format":"date-time","title":"Deactivation Date","description":"The date and time (timestamp) when the related certificate was deactivated."},"revocationDate":{"type":"string","format":"date-time","title":"Revocation Date","description":"The date and time (timestamp) when the certificate was revoked."},"destructionDate":{"type":"string","format":"date-time","title":"Destruction Date","description":"The date and time (timestamp) when the certificate was destroyed."},"certificateExtensions":{"type":"array","title":"Certificate Extensions","description":"A certificate extension is a field that provides additional information about the certificate or its use. Extensions are used to convey additional information beyond the standard fields.","items":{"type":"object","title":"Extension","description":"","oneOf":[{"title":"Common Extensions","required":["commonExtensionName","commonExtensionValue"],"additionalProperties":false,"properties":{"commonExtensionName":{"type":"string","title":"name","description":"The name of the extension.","enum":["basicConstraints","keyUsage","extendedKeyUsage","subjectAlternativeName","authorityKeyIdentifier","subjectKeyIdentifier","authorityInformationAccess","certificatePolicies","crlDistributionPoints","signedCertificateTimestamp"],"meta:enum":{"basicConstraints":"Specifies whether a certificate can be used as a CA certificate or not.","keyUsage":"Specifies the allowed uses of the public key in the certificate.","extendedKeyUsage":"Specifies additional purposes for which the public key can be used.","subjectAlternativeName":"Allows inclusion of additional names to identify the entity associated with the certificate.","authorityKeyIdentifier":"Identifies the public key of the CA that issued the certificate.","subjectKeyIdentifier":"Identifies the public key associated with the entity the certificate was issued 
to.","authorityInformationAccess":"Contains CA issuers and OCSP information.","certificatePolicies":"Defines the policies under which the certificate was issued and can be used.","crlDistributionPoints":"Contains one or more URLs where a Certificate Revocation List (CRL) can be obtained.","signedCertificateTimestamp":"Shows that the certificate has been publicly logged, which helps prevent the issuance of rogue certificates by a CA. Log ID, timestamp and signature as proof."}},"commonExtensionValue":{"type":"string","title":"Value","description":"The value of the certificate extension."}}},{"title":"Custom Extensions","description":"Custom extensions may convey application-specific or vendor-specific data not covered by standard extensions. The structure and semantics of custom extensions are typically defined outside of public standards. CycloneDX leverages properties to support this capability.","required":["customExtensionName"],"additionalProperties":false,"properties":{"customExtensionName":{"type":"string","title":"Name","description":"The name for the custom certificate extension."},"customExtensionValue":{"type":"string","title":"Value","description":"The description of the custom certificate extension."}}}]}},"relatedCryptographicAssets":{"$ref":"#/$defs/cyclonedx-cryptography-2.0/$defs/relatedCryptographicAssets"}}},"relatedCryptoMaterialProperties":{"type":"object","title":"Related Cryptographic Material Properties","description":"Properties for cryptographic assets of asset type: `related-crypto-material`.","additionalProperties":false,"properties":{"type":{"type":"string","title":"relatedCryptoMaterialType","description":"The type for the related cryptographic material.","enum":["private-key","public-key","secret-key","key","ciphertext","signature","digest","initialization-vector","nonce","seed","salt","shared-secret","tag","additional-data","password","credential","token","other","unknown"],"meta:enum":{"private-key":"The confidential key of a key 
pair used in asymmetric cryptography.","public-key":"The non-confidential key of a key pair used in asymmetric cryptography.","secret-key":"A key used to encrypt and decrypt messages in symmetric cryptography.","key":"A piece of information, usually an octet string, which, when processed through a cryptographic algorithm, processes cryptographic data.","ciphertext":"The result of encryption performed on plaintext using an algorithm (or cipher).","signature":"A cryptographic value that is calculated from the data and a key known only by the signer.","digest":"The output of the hash function.","initialization-vector":"A fixed-size random or pseudo-random value used as an input parameter for cryptographic algorithms.","nonce":"A random or pseudo-random number that can only be used once in a cryptographic communication.","seed":"The input to a pseudo-random number generator. Different seeds generate different pseudo-random sequences.","salt":"A value used in a cryptographic process, usually to ensure that the results of computations for one instance cannot be reused by an attacker.","shared-secret":"A piece of data known only to the parties involved, in a secure communication.","tag":"A message authentication code (MAC), sometimes known as an authentication tag, is a short piece of information used for authenticating and integrity-checking a message.","additional-data":"An unspecified collection of data with relevance to cryptographic activity.","password":"A secret word, phrase, or sequence of characters used during authentication or authorization.","credential":"Establishes the identity of a party to communication, usually in the form of cryptographic keys or passwords.","token":"An object encapsulating a security identity.","other":"Another type of cryptographic asset.","unknown":"The type of cryptographic asset is not known."}},"id":{"type":"string","title":"ID","description":"The unique identifier for the related cryptographic 
material."},"state":{"type":"string","title":"State","description":"The key state as defined by NIST SP 800-57.","enum":["pre-activation","active","suspended","deactivated","compromised","destroyed"]},"creationDate":{"type":"string","format":"date-time","title":"Creation Date","description":"The date and time (timestamp) when the related cryptographic material was created."},"activationDate":{"type":"string","format":"date-time","title":"Activation Date","description":"The date and time (timestamp) when the related cryptographic material was activated."},"updateDate":{"type":"string","format":"date-time","title":"Update Date","description":"The date and time (timestamp) when the related cryptographic material was updated."},"expirationDate":{"type":"string","format":"date-time","title":"Expiration Date","description":"The date and time (timestamp) when the related cryptographic material expires."},"value":{"type":"string","title":"Value","description":"The associated value of the cryptographic material."},"size":{"type":"integer","title":"Size","description":"The size of the cryptographic asset (in bits)."},"format":{"type":"string","title":"Format","description":"The format of the related cryptographic material (e.g. 
P8, PEM, DER)."},"securedBy":{"$ref":"#/$defs/cyclonedx-cryptography-2.0/$defs/securedBy","title":"Secured By","description":"The mechanism by which the cryptographic asset is secured by."},"fingerprint":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/hash","title":"Fingerprint","description":"The fingerprint is a cryptographic hash of the asset."},"relatedCryptographicAssets":{"$ref":"#/$defs/cyclonedx-cryptography-2.0/$defs/relatedCryptographicAssets"}}},"protocolProperties":{"type":"object","title":"Protocol Properties","description":"Properties specific to cryptographic assets of type: `protocol`.","additionalProperties":false,"properties":{"type":{"type":"string","title":"Type","description":"The concrete protocol type.","enum":["tls","ssh","ipsec","ike","sstp","wpa","dtls","quic","eap-aka","eap-aka-prime","prins","5g-aka","other","unknown"],"meta:enum":{"tls":"Transport Layer Security","ssh":"Secure Shell","ipsec":"Internet Protocol Security","ike":"Internet Key Exchange","sstp":"Secure Socket Tunneling Protocol","wpa":"Wi-Fi Protected Access","dtls":"Datagram Transport Layer Security","quic":"Quick UDP Internet Connections","eap-aka":"Extensible Authentication Protocol variant","eap-aka-prime":"Enhanced version of EAP-AKA","prins":"Protection of Inter-Network Signaling","5g-aka":"Authentication and Key Agreement for 5G","other":"Another protocol type","unknown":"The protocol type is not known"}},"version":{"type":"string","title":"Protocol Version","description":"The version of the protocol.","examples":["1.0","1.2","1.99"]},"cipherSuites":{"type":"array","title":"Cipher Suites","description":"A list of cipher suites related to the protocol.","items":{"$ref":"#/$defs/cyclonedx-cryptography-2.0/$defs/cipherSuite","title":"Cipher Suite"}},"ikev2TransformTypes":{"type":"object","title":"IKEv2 Transform Types","description":"The IKEv2 transform types supported (types 1-4), defined in [RFC 7296 section 3.3.2](https://www.ietf.org/rfc/rfc7296.html#section-3.3.2), and 
additional properties.","additionalProperties":false,"properties":{"encr":{"type":"array","title":"Encryption Algorithms (ENCR)","description":"Transform Type 1: encryption algorithms.","items":{"$ref":"#/$defs/cyclonedx-cryptography-2.0/$defs/ikeV2Enc","title":"Encryption Algorithm (ENCR)"}},"prf":{"type":"array","title":"Pseudorandom Functions (PRF)","description":"Transform Type 2: pseudorandom functions.","items":{"$ref":"#/$defs/cyclonedx-cryptography-2.0/$defs/ikeV2Prf","title":"Pseudorandom Function (PRF)"}},"integ":{"type":"array","title":"Integrity Algorithms (INTEG)","description":"Transform Type 3: integrity algorithms.","items":{"$ref":"#/$defs/cyclonedx-cryptography-2.0/$defs/ikeV2Integ","title":"Integrity Algorithm (INTEG)"}},"ke":{"type":"array","title":"Key Exchange Methods (KE)","description":"Transform Type 4: Key Exchange Method (KE) per [RFC 9370](https://www.ietf.org/rfc/rfc9370.html), formerly called Diffie-Hellman Group (D-H).","items":{"$ref":"#/$defs/cyclonedx-cryptography-2.0/$defs/ikeV2Ke"}},"esn":{"type":"boolean","title":"Extended Sequence Number (ESN)","description":"Specifies if an Extended Sequence Number (ESN) is used."},"auth":{"type":"array","title":"IKEv2 Authentication methods","description":"IKEv2 Authentication method per [RFC9593](https://www.ietf.org/rfc/rfc9593.html).","items":{"$ref":"#/$defs/cyclonedx-cryptography-2.0/$defs/ikeV2Auth","title":"IKEv2 Authentication Method"}}}},"relatedCryptographicAssets":{"$ref":"#/$defs/cyclonedx-cryptography-2.0/$defs/relatedCryptographicAssets"}}},"oid":{"type":"string","title":"OID","description":"The object identifier (OID) of the cryptographic asset."}}},"cipherSuite":{"type":"object","title":"Cipher Suite","description":"Object representing a cipher suite.","additionalProperties":false,"properties":{"name":{"type":"string","title":"Common Name","description":"A common name for the cipher 
suite.","examples":["TLS_DHE_RSA_WITH_AES_128_CCM"]},"algorithms":{"type":"array","title":"Related Algorithms","description":"A list of algorithms related to the cipher suite.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"Algorithm reference","description":"The bom-ref to algorithm cryptographic asset."}},"identifiers":{"type":"array","title":"Cipher Suite Identifiers","description":"A list of common identifiers for the cipher suite.","items":{"type":"string","title":"identifier","description":"Cipher suite identifier.","examples":["0xC0","0x9E"]}},"tlsGroups":{"type":"array","title":"TLS Groups","description":"A list of TLS named groups (formerly known as curves) for this cipher suite. These groups define the parameters for key exchange algorithms like ECDHE.","items":{"type":"string","title":"Group Name","description":"The name of the TLS group.","examples":["x25519","ffdhe2048"]}},"tlsSignatureSchemes":{"type":"array","title":"TLS Signature Schemes","description":"A list of signature schemes supported for cipher suite. 
These schemes specify the algorithms used for digital signatures in TLS handshakes and certificate verification.","items":{"type":"string","title":"Signature Scheme","description":"The name of the TLS signature scheme.","examples":["ecdsa_secp256r1_sha256","rsa_pss_rsae_sha256","ed25519"]}}}},"ikeV2Enc":{"type":"object","title":"Encryption Algorithm (ENCR)","description":"Object representing an encryption algorithm (ENCR).","additionalProperties":false,"properties":{"name":{"type":"string","title":"Name","description":"A name for the encryption method.","examples":["ENCR_AES_GCM_16"]},"keyLength":{"type":"integer","title":"Encryption algorithm key length","description":"The key length of the encryption algorithm."},"algorithm":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"Algorithm reference","description":"The bom-ref to algorithm cryptographic asset."}}},"ikeV2Prf":{"type":"object","title":"Pseudorandom Function (PRF)","description":"Object representing a pseudorandom function (PRF).","additionalProperties":false,"properties":{"name":{"type":"string","title":"Name","description":"A name for the pseudorandom function.","examples":["PRF_HMAC_SHA2_256"]},"algorithm":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"Algorithm reference","description":"The bom-ref to algorithm cryptographic asset."}}},"ikeV2Integ":{"type":"object","title":"Integrity Algorithm (INTEG)","description":"Object representing an integrity algorithm (INTEG).","additionalProperties":false,"properties":{"name":{"type":"string","title":"Name","description":"A name for the integrity algorithm.","examples":["AUTH_HMAC_SHA2_256_128"]},"algorithm":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"Algorithm reference","description":"The bom-ref to algorithm cryptographic asset."}}},"ikeV2Ke":{"type":"object","title":"Key Exchange Method (KE)","description":"Object representing a key exchange method 
(KE).","additionalProperties":false,"properties":{"group":{"type":"integer","title":"Group Identifier","description":"A group identifier for the key exchange algorithm."},"algorithm":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"Algorithm reference","description":"The bom-ref to algorithm cryptographic asset."}}},"ikeV2Auth":{"type":"object","title":"IKEv2 Authentication method","description":"Object representing a IKEv2 Authentication method.","additionalProperties":false,"properties":{"name":{"type":"string","title":"Name","description":"A name for the authentication method."},"algorithm":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"Algorithm reference","description":"The bom-ref to algorithm cryptographic asset."}}},"relatedCryptographicAssets":{"type":"array","title":"Related Cryptographic Assets","description":"A list of cryptographic assets related to this component.","items":{"$ref":"#/$defs/cyclonedx-cryptography-2.0/$defs/relatedCryptographicAsset"}},"relatedCryptographicAsset":{"type":"object","title":"Related Cryptographic Asset","description":"A cryptographic assets related to this component.","additionalProperties":false,"properties":{"type":{"type":"string","title":"Type","description":"Specifies the mechanism by which the cryptographic asset is secured by.","examples":["publicKey","privateKey","algorithm"]},"ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"Reference to cryptographic asset","description":"The bom-ref to cryptographic asset."}}},"securedBy":{"type":"object","title":"Secured By","description":"Specifies the mechanism by which the cryptographic asset is secured by.","additionalProperties":false,"properties":{"mechanism":{"type":"string","title":"Mechanism","description":"Specifies the mechanism by which the cryptographic asset is secured by.","examples":["HSM","TPM","SGX","Software","None"]},"algorithmRef":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"Algorithm 
Reference","description":"The bom-ref to the algorithm."}}}}},"cyclonedx-data-2.0":{"type":"null","title":"CycloneDX Data Model","$defs":{"dataClassification":{"type":"string","title":"Data Classification","description":"Data classification tags data according to its type, sensitivity, and value if altered, stolen, or destroyed."},"dataGovernance":{"type":"object","title":"Data Governance","description":"Data governance captures information regarding data ownership, stewardship, and custodianship, providing insights into the individuals or entities responsible for managing, overseeing, and safeguarding the data throughout its lifecycle.","additionalProperties":false,"properties":{"custodians":{"type":"array","title":"Data Custodians","description":"Data custodians are responsible for the safe custody, transport, and storage of data.","items":{"$ref":"#/$defs/cyclonedx-data-2.0/$defs/dataGovernanceResponsibleParty"}},"stewards":{"type":"array","title":"Data Stewards","description":"Data stewards are responsible for data content, context, and associated business rules.","items":{"$ref":"#/$defs/cyclonedx-data-2.0/$defs/dataGovernanceResponsibleParty"}},"owners":{"type":"array","title":"Data Owners","description":"Data owners are concerned with risk and appropriate access to data.","items":{"$ref":"#/$defs/cyclonedx-data-2.0/$defs/dataGovernanceResponsibleParty"}}}},"dataGovernanceResponsibleParty":{"type":"object","additionalProperties":false,"properties":{"organization":{"title":"Organization","description":"The organization that is responsible for specific data governance role(s).","$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity"},"contact":{"title":"Individual","description":"The individual that is responsible for specific data governance 
role(s).","$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalContact"}},"oneOf":[{"required":["organization"]},{"required":["contact"]}]},"dataFlowDirection":{"type":"string","enum":["inbound","outbound","bi-directional","unknown"],"meta:enum":{"inbound":"Data that enters a service.","outbound":"Data that exits a service.","bi-directional":"Data flows in and out of the service.","unknown":"The directional flow of data is not known."},"title":"Data flow direction","description":"Specifies the flow direction of the data. Direction is relative to the service."}}},"cyclonedx-declaration-2.0":{"type":"null","title":"CycloneDX Declaration Model","$defs":{"declarations":{"type":"object","title":"Declarations","description":"The list of declarations which describe the conformance to standards. Each declaration may include attestations, claims, and evidence.","additionalProperties":false,"properties":{"assessors":{"type":"array","title":"Assessors","description":"The list of assessors evaluating claims and determining conformance to requirements and confidence in that assessment.","items":{"type":"object","title":"Assessor","description":"The assessor who evaluates claims and determines conformance to requirements and confidence in that assessment.","additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"An identifier which can be used to reference the object elsewhere in the BOM. Every `bom-ref` must be unique within the BOM."},"thirdParty":{"type":"boolean","title":"Third Party","description":"The boolean indicating if the assessor is outside the organization generating claims. 
A value of false indicates a self assessor."},"organization":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity","title":"Organization","description":"The entity issuing the assessment."}}}},"attestations":{"type":"array","title":"Attestations","description":"The list of attestations asserted by an assessor that maps requirements to claims.","items":{"type":"object","title":"Attestation","additionalProperties":false,"properties":{"summary":{"type":"string","title":"Summary","description":"The short description explaining the main points of the attestation."},"assessor":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType","title":"Assessor","description":"The `bom-ref` to the assessor asserting the attestation."},"map":{"type":"array","title":"Map","description":"The grouping of requirements to claims and the attestors declared conformance and confidence thereof.","items":{"type":"object","title":"Map","additionalProperties":false,"properties":{"requirement":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType","title":"Requirement","description":"The `bom-ref` to the requirement being attested to."},"claims":{"type":"array","title":"Claims","description":"The list of `bom-ref` to the claims being attested to.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"}},"counterClaims":{"type":"array","title":"Counter Claims","description":"The list of `bom-ref` to the counter claims being attested to.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"}},"conformance":{"type":"object","title":"Conformance","description":"The conformance of the claim meeting a requirement.","additionalProperties":false,"properties":{"score":{"type":"number","minimum":0,"maximum":1,"title":"Score","description":"The conformance of the claim between and inclusive of 0 and 1, where 1 is 100% conformance."},"rationale":{"type":"string","title":"Rationale","description":"The rationale for the conformance 
score."},"mitigationStrategies":{"type":"array","title":"Mitigation Strategies","description":"The list of `bom-ref` to the evidence provided describing the mitigation strategies.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"}}}},"confidence":{"type":"object","title":"Confidence","description":"The confidence of the claim meeting the requirement.","additionalProperties":false,"properties":{"score":{"type":"number","minimum":0,"maximum":1,"title":"Score","description":"The confidence of the claim between and inclusive of 0 and 1, where 1 is 100% confidence."},"rationale":{"type":"string","title":"Rationale","description":"The rationale for the confidence score."}}}}}},"signature":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/signature","title":"Signature","description":"Enveloped signature in [JSON Signature Format (JSF)](https://cyberphone.github.io/doc/security/jsf.html)."}}}},"claims":{"type":"array","title":"Claims","description":"The list of claims.","items":{"type":"object","title":"Claim","additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"An identifier which can be used to reference the object elsewhere in the BOM. Every `bom-ref` must be unique within the BOM."},"target":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType","title":"Target","description":"The `bom-ref` to a target representing a specific system, application, API, module, team, person, process, business unit, company, etc... that this claim is being applied to."},"predicate":{"type":"string","title":"Predicate","description":"The specific statement or assertion about the target."},"mitigationStrategies":{"type":"array","title":"Mitigation Strategies","description":"The list of `bom-ref` to the evidence provided describing the mitigation strategies. 
Each mitigation strategy should include an explanation of how any weaknesses in the evidence will be mitigated.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"}},"reasoning":{"type":"string","title":"Reasoning","description":"The written explanation of why the evidence provided substantiates the claim."},"evidence":{"type":"array","title":"Evidence","description":"The list of `bom-ref` to evidence that supports this claim.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"}},"counterEvidence":{"type":"array","title":"Counter Evidence","description":"The list of `bom-ref` to counterEvidence that supports this claim.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"}},"externalReferences":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/externalReferences"},"signature":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/signature","title":"Signature","description":"Enveloped signature in [JSON Signature Format (JSF)](https://cyberphone.github.io/doc/security/jsf.html)."}}}},"evidence":{"type":"array","title":"Evidence","description":"The list of evidence","items":{"type":"object","title":"Evidence","additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"An identifier which can be used to reference the object elsewhere in the BOM. 
Every `bom-ref` must be unique within the BOM."},"propertyName":{"type":"string","title":"Property Name","description":"The reference to the property name as defined in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy/)."},"description":{"type":"string","title":"Description","description":"The written description of what this evidence is and how it was created."},"data":{"type":"array","title":"Data","description":"The output or analysis that supports claims.","items":{"type":"object","title":"Data","additionalProperties":false,"properties":{"name":{"title":"Data Name","description":"The name of the data.","type":"string"},"contents":{"type":"object","title":"Data Contents","description":"The contents or references to the contents of the data being described.","additionalProperties":false,"properties":{"attachment":{"title":"Data Attachment","description":"A way to include textual or encoded data.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/attachment"},"url":{"type":"string","title":"Data URL","description":"The URL to where the data can be retrieved.","format":"iri-reference"}}},"classification":{"$ref":"#/$defs/cyclonedx-data-2.0/$defs/dataClassification"},"sensitiveData":{"type":"array","title":"Sensitive Data","description":"A description of any sensitive data included.","items":{"type":"string"}},"governance":{"title":"Data Governance","$ref":"#/$defs/cyclonedx-data-2.0/$defs/dataGovernance"}}}},"created":{"type":"string","format":"date-time","title":"Created","description":"The date and time (timestamp) when the evidence was created."},"expires":{"type":"string","format":"date-time","title":"Expires","description":"The date and time (timestamp) when the evidence is no longer valid."},"author":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalContact","title":"Author","description":"The author of the 
evidence."},"reviewer":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalContact","title":"Reviewer","description":"The reviewer of the evidence."},"signature":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/signature","title":"Signature","description":"Enveloped signature in [JSON Signature Format (JSF)](https://cyberphone.github.io/doc/security/jsf.html)."}}}},"targets":{"type":"object","title":"Targets","description":"The list of targets which claims are made against.","additionalProperties":false,"properties":{"organizations":{"type":"array","title":"Organizations","description":"The list of organizations which claims are made against.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity"}},"components":{"type":"array","title":"Components","description":"The list of components which claims are made against.","items":{"$ref":"#/$defs/cyclonedx-component-2.0/$defs/component"}},"services":{"type":"array","title":"Services","description":"The list of services which claims are made against.","items":{"$ref":"#/$defs/cyclonedx-service-2.0/$defs/service"}}}},"affirmation":{"type":"object","title":"Affirmation","description":"A concise statement affirmed by an individual regarding all declarations, often used for third-party auditor acceptance or recipient acknowledgment. 
It includes a list of authorized signatories who assert the validity of the document on behalf of the organization.","additionalProperties":false,"properties":{"statement":{"type":"string","title":"Statement","description":"The brief statement affirmed by an individual regarding all declarations.\n*- Notes This could be an affirmation of acceptance by a third-party auditor or receiving individual of a file.","examples":["I certify, to the best of my knowledge, that all information is correct."]},"signatories":{"type":"array","title":"Signatories","description":"The list of signatories authorized on behalf of an organization to assert validity of this document.","items":{"type":"object","title":"Signatory","additionalProperties":false,"oneOf":[{"required":["signature"]},{"required":["externalReference","organization"]}],"properties":{"name":{"type":"string","title":"Name","description":"The signatory's name."},"role":{"type":"string","title":"Role","description":"The signatory's role within an organization."},"signature":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/signature","title":"Signature","description":"Enveloped signature in [JSON Signature Format (JSF)](https://cyberphone.github.io/doc/security/jsf.html)."},"organization":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity","title":"Organization","description":"The signatory's organization."},"externalReference":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/externalReference"}}}},"signature":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/signature","title":"Signature","description":"Enveloped signature in [JSON Signature Format (JSF)](https://cyberphone.github.io/doc/security/jsf.html)."}}},"signature":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/signature","title":"Signature","description":"Enveloped signature in [JSON Signature Format (JSF)](https://cyberphone.github.io/doc/security/jsf.html)."}}}}},"cyclonedx-definition-2.0":{"type":"null","title":"CycloneDX Definition 
Model","$defs":{"definitions":{"type":"object","title":"Definitions","description":"A collection of reusable objects that are defined and may be used elsewhere in the BOM.","additionalProperties":false,"properties":{"standards":{"$ref":"#/$defs/cyclonedx-standard-2.0/$defs/standards"},"patents":{"$ref":"#/$defs/cyclonedx-patent-2.0/$defs/patents"}}}}},"cyclonedx-dependency-2.0":{"type":"null","title":"CycloneDX Dependency Model","$defs":{"dependencies":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-dependency-2.0/$defs/dependency"},"uniqueItems":true,"title":"Dependencies","description":"Provides the ability to document dependency relationships including provided & implemented components."},"dependency":{"type":"object","title":"Dependency","description":"Defines the direct dependencies of a component, service, or the components provided/implemented by a given component. Components or services that do not have their own dependencies must be declared as empty elements within the graph. Components or services that are not represented in the dependency graph may have unknown dependencies. It is recommended that implementations assume this to be opaque and not an indicator of an object being dependency-free. 
It is recommended to leverage compositions to indicate unknown dependency graphs.","required":["ref"],"additionalProperties":false,"properties":{"ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType","title":"Reference","description":"References a component or service by its bom-ref attribute"},"dependsOn":{"type":"array","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"},"title":"Depends On","description":"The bom-ref identifiers of the components or services that are dependencies of this dependency object."},"provides":{"type":"array","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"},"title":"Provides","description":"The bom-ref identifiers of the components or services that define a given specification or standard, which are provided or implemented by this dependency object.\nFor example, a cryptographic library which implements a cryptographic algorithm. A component which implements another component does not imply that the implementation is in use."}}}}},"cyclonedx-formulation-2.0":{"type":"null","title":"CycloneDX Formulation Model","$defs":{"formulation":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/formula"},"uniqueItems":true,"title":"Formulation","description":"Describes the formulation of any referencable object within the BOM, including components, services, metadata, declarations, or the BOM itself. This may encompass how the object was created, assembled, deployed, tested, certified, or otherwise brought into its present form. Common examples include software build pipelines, deployment processes, AI/ML model training, cryptographic key generation or certification, and third-party audits. 
Processes are modeled using declared and observed formulas, composed of workflows, tasks, and individual steps."},"formula":{"title":"Formula","description":"Describes workflows and resources that captures rules and other aspects of how the associated BOM component or service was formed.","type":"object","additionalProperties":false,"properties":{"bom-ref":{"title":"BOM Reference","description":"An identifier which can be used to reference the formula elsewhere in the BOM. Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"components":{"title":"Components","description":"Transient components that are used in tasks that constitute one or more of this formula's workflows","type":"array","items":{"$ref":"#/$defs/cyclonedx-component-2.0/$defs/component"},"uniqueItems":true},"services":{"title":"Services","description":"Transient services that are used in tasks that constitute one or more of this formula's workflows","type":"array","items":{"$ref":"#/$defs/cyclonedx-service-2.0/$defs/service"},"uniqueItems":true},"workflows":{"title":"Workflows","description":"List of workflows that can be declared to accomplish specific orchestrated goals and independently triggered.","type":"array","items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/workflow"},"uniqueItems":true},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"workflow":{"title":"Workflow","description":"A specialized orchestration task.","type":"object","required":["bom-ref","uid","taskTypes"],"additionalProperties":false,"properties":{"bom-ref":{"title":"BOM Reference","description":"An identifier which can be used to reference the workflow elsewhere in the BOM. 
Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"uid":{"title":"Unique Identifier (UID)","description":"The unique identifier for the resource instance within its deployment context.","type":"string"},"name":{"title":"Name","description":"The name of the resource instance.","type":"string"},"description":{"title":"Description","description":"A description of the resource instance.","type":"string"},"resourceReferences":{"title":"Resource references","description":"References to component or service resources that are used to realize the resource instance.","type":"array","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/resourceReferenceChoice"}},"tasks":{"title":"Tasks","description":"The tasks that comprise the workflow.","type":"array","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/task"}},"taskDependencies":{"title":"Task dependency graph","description":"The graph of dependencies between tasks within the workflow.","type":"array","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-dependency-2.0/$defs/dependency"}},"taskTypes":{"title":"Task types","description":"Indicates the types of activities performed by the set of workflow tasks.","type":"array","items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/taskType"}},"trigger":{"title":"Trigger","description":"The trigger that initiated the task.","$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/trigger"},"steps":{"title":"Steps","description":"The sequence of steps for the task.","type":"array","items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/step"},"uniqueItems":true},"inputs":{"title":"Inputs","description":"Represents resources and data brought into a task at runtime by executor or task commands","examples":["a `configuration` file which was declared as a local `component` or 
`externalReference`"],"type":"array","items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/inputType"},"uniqueItems":true},"outputs":{"title":"Outputs","description":"Represents resources and data output from a task at runtime by executor or task commands","examples":["a log file or metrics data produced by the task"],"type":"array","items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/outputType"},"uniqueItems":true},"timeStart":{"title":"Time start","description":"The date and time (timestamp) when the task started.","type":"string","format":"date-time"},"timeEnd":{"title":"Time end","description":"The date and time (timestamp) when the task ended.","type":"string","format":"date-time"},"workspaces":{"title":"Workspaces","description":"A set of named filesystem or data resource shareable by workflow tasks.","type":"array","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/workspace"}},"runtimeTopology":{"title":"Runtime topology","description":"A graph of the component runtime topology for workflow's instance.","type":"array","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-dependency-2.0/$defs/dependency"}},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"task":{"title":"Task","description":"Describes the inputs, sequence of steps and resources used to accomplish a task and its output.","type":"object","required":["bom-ref","uid","taskTypes"],"additionalProperties":false,"properties":{"bom-ref":{"title":"BOM Reference","description":"An identifier which can be used to reference the task elsewhere in the BOM. 
Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"uid":{"title":"Unique Identifier (UID)","description":"The unique identifier for the resource instance within its deployment context.","type":"string"},"name":{"title":"Name","description":"The name of the resource instance.","type":"string"},"description":{"title":"Description","description":"A description of the resource instance.","type":"string"},"resourceReferences":{"title":"Resource references","description":"References to component or service resources that are used to realize the resource instance.","type":"array","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/resourceReferenceChoice"}},"taskTypes":{"title":"Task types","description":"Indicates the types of activities performed by the set of workflow tasks.","type":"array","items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/taskType"}},"trigger":{"title":"Trigger","description":"The trigger that initiated the task.","$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/trigger"},"steps":{"title":"Steps","description":"The sequence of steps for the task.","type":"array","items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/step"},"uniqueItems":true},"inputs":{"title":"Inputs","description":"Represents resources and data brought into a task at runtime by executor or task commands","examples":["a `configuration` file which was declared as a local `component` or `externalReference`"],"type":"array","items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/inputType"},"uniqueItems":true},"outputs":{"title":"Outputs","description":"Represents resources and data output from a task at runtime by executor or task commands","examples":["a log file or metrics data produced by the 
task"],"type":"array","items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/outputType"},"uniqueItems":true},"timeStart":{"title":"Time start","description":"The date and time (timestamp) when the task started.","type":"string","format":"date-time"},"timeEnd":{"title":"Time end","description":"The date and time (timestamp) when the task ended.","type":"string","format":"date-time"},"workspaces":{"title":"Workspaces","description":"A set of named filesystem or data resource shareable by workflow tasks.","type":"array","items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/workspace"},"uniqueItems":true},"runtimeTopology":{"title":"Runtime topology","description":"A graph of the component runtime topology for task's instance.","type":"array","items":{"$ref":"#/$defs/cyclonedx-dependency-2.0/$defs/dependency"},"uniqueItems":true},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"step":{"type":"object","description":"Executes specific commands or tools in order to accomplish its owning task as part of a sequence.","additionalProperties":false,"properties":{"name":{"title":"Name","description":"A name for the step.","type":"string"},"description":{"title":"Description","description":"A description of the step.","type":"string"},"commands":{"title":"Commands","description":"Ordered list of commands or directives for the step","type":"array","items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/command"}},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"command":{"type":"object","additionalProperties":false,"properties":{"executed":{"title":"Executed","description":"A text representation of the executed command.","type":"string"},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"workspace":{"title":"Workspace","description":"A named filesystem or data resource shareable by workflow 
tasks.","type":"object","required":["bom-ref","uid"],"additionalProperties":false,"properties":{"bom-ref":{"title":"BOM Reference","description":"An identifier which can be used to reference the workspace elsewhere in the BOM. Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"uid":{"title":"Unique Identifier (UID)","description":"The unique identifier for the resource instance within its deployment context.","type":"string"},"name":{"title":"Name","description":"The name of the resource instance.","type":"string"},"aliases":{"title":"Aliases","description":"The names for the workspace as referenced by other workflow tasks. Effectively, a name mapping so other tasks can use their own local name in their steps.","type":"array","items":{"type":"string"}},"description":{"title":"Description","description":"A description of the resource instance.","type":"string"},"resourceReferences":{"title":"Resource references","description":"References to component or service resources that are used to realize the resource instance.","type":"array","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/resourceReferenceChoice"}},"accessMode":{"title":"Access mode","description":"Describes the read-write access control for the workspace relative to the owning resource instance.","type":"string","enum":["read-only","read-write","read-write-once","write-once","write-only"]},"mountPath":{"title":"Mount path","description":"A path to a location on disk where the workspace will be available to the associated task's steps.","type":"string"},"managedDataType":{"title":"Managed data type","description":"The name of a domain-specific data type the workspace represents.","examples":["ConfigMap","Secret"],"type":"string"},"volumeRequest":{"title":"Volume request","description":"Identifies the reference to the request for a 
specific volume type and parameters.","examples":["a kubernetes Persistent Volume Claim (PVC) name"],"type":"string"},"volume":{"title":"Volume","description":"Information about the actual volume instance allocated to the workspace.","examples":["see https://kubernetes.io/docs/concepts/storage/persistent-volumes/"],"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/volume"},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"volume":{"title":"Volume","description":"An identifiable, logical unit of data storage tied to a physical device.","type":"object","additionalProperties":false,"properties":{"uid":{"title":"Unique Identifier (UID)","description":"The unique identifier for the volume instance within its deployment context.","type":"string"},"name":{"title":"Name","description":"The name of the volume instance","type":"string"},"mode":{"title":"Mode","description":"The mode for the volume instance.","type":"string","enum":["filesystem","block"],"default":"filesystem"},"path":{"title":"Path","description":"The underlying path created from the actual volume.","type":"string"},"sizeAllocated":{"title":"Size allocated","description":"The allocated size of the volume accessible to the associated workspace. 
This should include the scalar size as well as IEC standard unit in either decimal or binary form.","examples":["10GB","2Ti","1Pi"],"type":"string"},"persistent":{"title":"Persistent","description":"Indicates if the volume persists beyond the life of the resource it is associated with.","type":"boolean"},"remote":{"title":"Remote","description":"Indicates if the volume is remotely (i.e., network) attached.","type":"boolean"},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"trigger":{"title":"Trigger","description":"Represents a resource that can conditionally activate (or fire) tasks based upon associated events and their data.","type":"object","additionalProperties":false,"required":["type","bom-ref","uid"],"properties":{"bom-ref":{"title":"BOM Reference","description":"An identifier which can be used to reference the trigger elsewhere in the BOM. Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"uid":{"title":"Unique Identifier (UID)","description":"The unique identifier for the resource instance within its deployment context.","type":"string"},"name":{"title":"Name","description":"The name of the resource instance.","type":"string"},"description":{"title":"Description","description":"A description of the resource instance.","type":"string"},"resourceReferences":{"title":"Resource references","description":"References to component or service resources that are used to realize the resource instance.","type":"array","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/resourceReferenceChoice"}},"type":{"title":"Type","description":"The source type of event which caused the trigger to fire.","type":"string","enum":["manual","api","webhook","scheduled"]},"event":{"title":"Event","description":"The event data that caused the associated trigger to 
activate.","$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/event"},"conditions":{"type":"array","title":"Conditions","description":"A list of conditions used to determine if a trigger should be activated.","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/condition"}},"timeActivated":{"title":"Time activated","description":"The date and time (timestamp) when the trigger was activated.","type":"string","format":"date-time"},"inputs":{"title":"Inputs","description":"Represents resources and data brought into a task at runtime by executor or task commands","examples":["a `configuration` file which was declared as a local `component` or `externalReference`"],"type":"array","items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/inputType"},"uniqueItems":true},"outputs":{"title":"Outputs","description":"Represents resources and data output from a task at runtime by executor or task commands","examples":["a log file or metrics data produced by the task"],"type":"array","items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/outputType"},"uniqueItems":true},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"event":{"title":"Event","description":"Represents something that happened that may trigger a response.","type":"object","additionalProperties":false,"properties":{"uid":{"title":"Unique Identifier (UID)","description":"The unique identifier of the event.","type":"string"},"description":{"title":"Description","description":"A description of the event.","type":"string"},"timeReceived":{"title":"Time Received","description":"The date and time (timestamp) when the event was received.","type":"string","format":"date-time"},"data":{"title":"Data","description":"Encoding of the raw event data.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/attachment"},"source":{"title":"Source","description":"References the component or service that was the source of the 
event","$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/resourceReferenceChoice"},"target":{"title":"Target","description":"References the component or service that was the target of the event","$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/resourceReferenceChoice"},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"inputType":{"title":"Input type","description":"Type that represents various input data types and formats.","type":"object","oneOf":[{"required":["resource"]},{"required":["parameters"]},{"required":["environmentVars"]},{"required":["data"]}],"additionalProperties":false,"properties":{"source":{"title":"Source","description":"A reference to the component or service that provided the input to the task (e.g., reference to a service with data flow value of `inbound`)","examples":["source code repository","database"],"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/resourceReferenceChoice"},"target":{"title":"Target","description":"A reference to the component or service that received or stored the input if not the task itself (e.g., a local, named storage workspace)","examples":["workspace","directory"],"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/resourceReferenceChoice"},"resource":{"title":"Resource","description":"A reference to an independent resource provided as an input to a task by the workflow runtime.","examples":["a reference to a configuration file in a repository (i.e., a bom-ref)","a reference to a scanning service used in a task (i.e., a bom-ref)"],"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/resourceReferenceChoice"},"parameters":{"title":"Parameters","description":"Inputs that have the form of parameters with names and values.","type":"array","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/parameter"}},"environmentVars":{"title":"Environment variables","description":"Inputs that have the form of parameters with names and 
values.","type":"array","uniqueItems":true,"items":{"oneOf":[{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/property"},{"type":"string","title":"String-Based Environment Variables","description":"In addition to the more common key–value pair format, some environment variables may consist of a single string without an explicit value assignment. These string-based environment variables typically act as flags or signals to software, indicating that a feature should be enabled, a mode should be activated, or a specific condition is present. Their presence alone conveys meaning."}]}},"data":{"title":"Data","description":"Inputs that have the form of data.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/attachment"},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"outputType":{"type":"object","oneOf":[{"required":["resource"]},{"required":["environmentVars"]},{"required":["data"]}],"additionalProperties":false,"properties":{"type":{"title":"Type","description":"Describes the type of data output.","type":"string","enum":["artifact","attestation","log","evidence","metrics","other"]},"source":{"title":"Source","description":"Component or service that generated or provided the output from the task (e.g., a build tool)","$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/resourceReferenceChoice"},"target":{"title":"Target","description":"Component or service that received the output from the task (e.g., reference to an artifactory service with data flow value of `outbound`)","examples":["a log file described as an `externalReference` within its target domain."],"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/resourceReferenceChoice"},"resource":{"title":"Resource","description":"A reference to an independent resource generated as output by the task.","examples":["configuration file","source code","scanning service"],"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/resourceReferenceChoice"},"data":{"title":"Data","description":"Outputs that have the form of 
data.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/attachment"},"environmentVars":{"title":"Environment variables","description":"Outputs that have the form of environment variables.","type":"array","items":{"oneOf":[{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/property"},{"type":"string","title":"String-Based Environment Variables","description":"In addition to the more common key–value pair format, some environment variables may consist of a single string without an explicit value assignment. These string-based environment variables typically act as flags or signals to software, indicating that a feature should be enabled, a mode should be activated, or a specific condition is present. Their presence alone conveys meaning."}]},"uniqueItems":true},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"resourceReferenceChoice":{"title":"Resource reference choice","description":"A reference to a locally defined resource (e.g., a bom-ref) or an externally accessible resource.","type":"object","additionalProperties":false,"properties":{"ref":{"title":"BOM Reference","description":"References an object by its bom-ref attribute","anyOf":[{"title":"Ref","$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"},{"title":"BOM-Link Element","$ref":"#/$defs/cyclonedx-common-2.0/$defs/bomLinkElementType"}]},"externalReference":{"title":"External reference","description":"Reference to an externally accessible resource.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/externalReference"}},"oneOf":[{"required":["ref"]},{"required":["externalReference"]}]},"condition":{"title":"Condition","description":"A condition that was used to determine a trigger should be activated.","type":"object","additionalProperties":false,"properties":{"description":{"title":"Description","description":"Describes the set of conditions which cause the trigger to activate.","type":"string"},"expression":{"title":"Expression","description":"The logical expression that was evaluated that 
determined the trigger should be fired.","type":"string"},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"taskType":{"type":"string","enum":["copy","clone","lint","scan","merge","build","test","deliver","deploy","release","clean","other"],"meta:enum":{"copy":"A task that copies software or data used to accomplish other tasks in the workflow.","clone":"A task that clones a software repository into the workflow in order to retrieve its source code or data for use in a build step.","lint":"A task that checks source code for programmatic and stylistic errors.","scan":"A task that performs a scan against source code, or built or deployed components and services. Scans are typically run to gather or test for security vulnerabilities or policy compliance.","merge":"A task that merges changes or fixes into source code prior to a build step in the workflow.","build":"A task that builds the source code, dependencies and/or data into an artifact that can be deployed to and executed on target systems.","test":"A task that verifies the functionality of a component or service.","deliver":"A task that delivers a built artifact to one or more target repositories or storage systems.","deploy":"A task that deploys a built artifact for execution on one or more target systems.","release":"A task that releases a built, versioned artifact to a target repository or distribution system.","clean":"A task that cleans unnecessary tools, build artifacts and/or data from workflow storage.","other":"A workflow task that does not match current task type definitions."}},"parameter":{"title":"Parameter","description":"A representation of a functional parameter.","type":"object","additionalProperties":false,"properties":{"name":{"title":"Name","description":"The name of the parameter.","type":"string"},"value":{"title":"Value","description":"The value of the parameter.","type":"string"},"dataType":{"title":"Data type","description":"The data type of the 
parameter.","type":"string"}}}}},"cyclonedx-license-2.0":{"type":"null","title":"CycloneDX License Model","$defs":{"licenseChoice":{"title":"License Choice","description":"A list of SPDX licenses and/or named licenses and/or SPDX License Expression.","type":"array","items":{"oneOf":[{"type":"object","title":"License","required":["license"],"additionalProperties":false,"properties":{"license":{"$ref":"#/$defs/cyclonedx-license-2.0/$defs/license"}}},{"title":"License Expression","description":"Specifies the details and attributes related to a software license.\nIt must be a valid SPDX license expression, along with additional properties such as license acknowledgment.","type":"object","additionalProperties":false,"required":["expression"],"properties":{"expression":{"type":"string","title":"SPDX License Expression","description":"A valid SPDX license expression.\nRefer to https://spdx.org/specifications for syntax requirements.","examples":["Apache-2.0 AND (MIT OR GPL-2.0-only)","GPL-3.0-only WITH Classpath-exception-2.0"]},"expressionDetails":{"title":"Expression Details","description":"Details for parts of the `expression`.","type":"array","items":{"type":"object","description":"This document specifies the details and attributes related to a software license identifier. An SPDX expression may be a compound of license identifiers.\nThe `license_identifier` property serves as the key that identifies each record. Note that this key is not required to be unique, as the same license identifier could apply to multiple, different but similar license details, texts, etc.","required":["licenseIdentifier"],"properties":{"licenseIdentifier":{"title":"License Identifier","description":"The valid SPDX license identifier. 
Refer to https://spdx.org/specifications for syntax requirements.\nThis property serves as the primary key, which uniquely identifies each record.","type":"string","examples":["Apache-2.0","GPL-3.0-only WITH Classpath-exception-2.0","LicenseRef-my-custom-license"]},"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"An identifier which can be used to reference the license elsewhere in the BOM. Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links."},"text":{"title":"License texts","description":"A way to include the textual content of the license.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/attachment"},"url":{"type":"string","title":"License URL","description":"The URL to the license file. If specified, a 'license' externalReference should also be specified for completeness","examples":["https://www.apache.org/licenses/LICENSE-2.0.txt"],"format":"iri-reference"}},"additionalProperties":false}},"acknowledgement":{"$ref":"#/$defs/cyclonedx-license-2.0/$defs/licenseAcknowledgementEnumeration"},"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"An identifier which can be used to reference the license elsewhere in the BOM. Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links."},"licensing":{"$ref":"#/$defs/cyclonedx-license-2.0/$defs/licensing"},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}}]}},"license":{"type":"object","title":"License","description":"Specifies the details and attributes related to a software license. 
It can either include a valid SPDX license identifier or a named license, along with additional properties such as license acknowledgment, comprehensive commercial licensing information, and the full text of the license.","oneOf":[{"required":["id"]},{"required":["name"]}],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"An identifier which can be used to reference the license elsewhere in the BOM. Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links."},"id":{"$ref":"../spdx.schema.json","title":"License ID (SPDX)","description":"A valid SPDX license identifier. If specified, this value must be one of the enumeration of valid SPDX license identifiers defined in the spdx.schema.json (or spdx.xml) subschema which is synchronized with the official SPDX license list.","examples":["Apache-2.0"]},"name":{"type":"string","title":"License Name","description":"The name of the license. This may include the name of a commercial or proprietary license or an open source license that may not be defined by SPDX.","examples":["Acme Software License"]},"acknowledgement":{"$ref":"#/$defs/cyclonedx-license-2.0/$defs/licenseAcknowledgementEnumeration"},"text":{"title":"License text","description":"A way to include the textual content of a license.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/attachment"},"url":{"type":"string","title":"License URL","description":"The URL to the license file. 
If specified, a 'license' externalReference should also be specified for completeness","examples":["https://www.apache.org/licenses/LICENSE-2.0.txt"],"format":"iri-reference"},"licensing":{"$ref":"#/$defs/cyclonedx-license-2.0/$defs/licensing"},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"licenseAcknowledgementEnumeration":{"title":"License Acknowledgement","description":"Declared licenses and concluded licenses represent two different stages in the licensing process within software development. Declared licenses refer to the initial intention of the software authors regarding the licensing terms under which their code is released. On the other hand, concluded licenses are the result of a comprehensive analysis of the project's codebase to identify and confirm the actual licenses of the components used, which may differ from the initially declared licenses. While declared licenses provide an upfront indication of the licensing intentions, concluded licenses offer a more thorough understanding of the actual licensing within a project, facilitating proper compliance and risk management. Observed licenses are defined in `@.evidence.licenses`. 
Observed licenses form the evidence necessary to substantiate a concluded license.","type":"string","enum":["declared","concluded"],"meta:enum":{"declared":"Declared licenses represent the initial intentions of authors regarding the licensing terms of their code.","concluded":"Concluded licenses are verified and confirmed."}},"licensing":{"type":"object","title":"Licensing information","description":"Licensing details describing the licensor/licensee, license type, renewal and expiration dates, and other important metadata","additionalProperties":false,"properties":{"altIds":{"type":"array","title":"Alternate License Identifiers","description":"License identifiers that may be used to manage licenses and their lifecycle","items":{"type":"string"}},"licensor":{"title":"Licensor","description":"The individual or organization that grants a license to another individual or organization","type":"object","additionalProperties":false,"properties":{"organization":{"title":"Licensor (Organization)","description":"The organization that granted the license","$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity"},"individual":{"title":"Licensor (Individual)","description":"The individual, not associated with an organization, that granted the license","$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalContact"}},"oneOf":[{"required":["organization"]},{"required":["individual"]}]},"licensee":{"title":"Licensee","description":"The individual or organization for which a license was granted to","type":"object","additionalProperties":false,"properties":{"organization":{"title":"Licensee (Organization)","description":"The organization that was granted the license","$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity"},"individual":{"title":"Licensee (Individual)","description":"The individual, not associated with an organization, that was granted the 
license","$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalContact"}},"oneOf":[{"required":["organization"]},{"required":["individual"]}]},"purchaser":{"title":"Purchaser","description":"The individual or organization that purchased the license","type":"object","additionalProperties":false,"properties":{"organization":{"title":"Purchaser (Organization)","description":"The organization that purchased the license","$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity"},"individual":{"title":"Purchaser (Individual)","description":"The individual, not associated with an organization, that purchased the license","$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalContact"}},"oneOf":[{"required":["organization"]},{"required":["individual"]}]},"purchaseOrder":{"type":"string","title":"Purchase Order","description":"The purchase order identifier the purchaser sent to a supplier or vendor to authorize a purchase"},"licenseTypes":{"type":"array","title":"License Type","description":"The type of license(s) that was granted to the licensee.","items":{"type":"string","enum":["academic","appliance","client-access","concurrent-user","core-points","custom-metric","device","evaluation","named-user","node-locked","oem","perpetual","processor-points","subscription","user","other"],"meta:enum":{"academic":"A license that grants use of software solely for the purpose of education or research.","appliance":"A license covering use of software embedded in a specific piece of hardware.","client-access":"A Client Access License (CAL) allows client computers to access services provided by server software.","concurrent-user":"A Concurrent User license (aka floating license) limits the number of licenses for a software application and licenses are shared among a larger number of users.","core-points":"A license where the core of a computer's processor is assigned a specific number of points.","custom-metric":"A license for which consumption is measured by non-standard 
metrics.","device":"A license that covers a defined number of installations on computers and other types of devices.","evaluation":"A license that grants permission to install and use software for trial purposes.","named-user":"A license that grants access to the software to one or more pre-defined users.","node-locked":"A license that grants access to the software on one or more pre-defined computers or devices.","oem":"An Original Equipment Manufacturer license that is delivered with hardware, cannot be transferred to other hardware, and is valid for the life of the hardware.","perpetual":"A license where the software is sold on a one-time basis and the licensee can use a copy of the software indefinitely.","processor-points":"A license where each installation consumes points per processor.","subscription":"A license where the licensee pays a fee to use the software or service.","user":"A license that grants access to the software or service by a specified number of users.","other":"Another license type."}}},"lastRenewal":{"type":"string","format":"date-time","title":"Last Renewal","description":"The timestamp indicating when the license was last renewed. For new purchases, this is often the purchase or acquisition date. 
For non-perpetual licenses or subscriptions, this is the timestamp of when the license was last renewed."},"expiration":{"type":"string","format":"date-time","title":"Expiration","description":"The timestamp indicating when the current license expires (if applicable)."}}}}},"cyclonedx-metadata-2.0":{"type":"null","title":"CycloneDX Metadata Model","$defs":{"metadata":{"type":"object","title":"BOM Metadata","description":"Provides additional information about a BOM.","additionalProperties":false,"properties":{"timestamp":{"type":"string","format":"date-time","title":"Timestamp","description":"The date and time (timestamp) when the BOM was created."},"lifecycles":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/lifecycles"},"tools":{"type":"object","title":"Tools","description":"The tool(s) used in the creation, enrichment, and validation of the BOM.","additionalProperties":false,"properties":{"components":{"$ref":"#/$defs/cyclonedx-component-2.0/$defs/components","description":"A list of software and hardware components used as tools."},"services":{"$ref":"#/$defs/cyclonedx-service-2.0/$defs/services","description":"A list of services used as tools. This may include microservices, function-as-a-service, and other types of network or intra-process services."}}},"manufacturer":{"title":"BOM Manufacturer","description":"The organization that created the BOM.\nManufacturer is common in BOMs created through automated processes. BOMs created through manual means may have `@.authors` instead.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity"},"authors":{"type":"array","title":"BOM Authors","description":"The person(s) who created the BOM.\nAuthors are common in BOMs created through manual processes. 
BOMs created through automated means may have `@.manufacturer` instead.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalContact"}},"component":{"description":"The component that the BOM describes.","$ref":"#/$defs/cyclonedx-component-2.0/$defs/component"},"supplier":{"title":"Supplier","description":" The organization that supplied the component that the BOM describes. The supplier may often be the manufacturer, but may also be a distributor or repackager.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity"},"licenses":{"title":"BOM License(s)","description":"The license information for the BOM document.\nThis may be different from the license(s) of the component(s) that the BOM describes.","$ref":"#/$defs/cyclonedx-license-2.0/$defs/licenseChoice"},"distributionConstraints":{"$ref":"#/$defs/cyclonedx-metadata-2.0/$defs/distributionConstraints"},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"distributionConstraints":{"title":"Distribution Constraints","description":"Conditions and constraints governing the sharing and distribution of the data or components described by this BOM.","type":"object","properties":{"tlp":{"$ref":"#/$defs/cyclonedx-metadata-2.0/$defs/tlpClassification","description":"The Traffic Light Protocol (TLP) classification that controls the sharing and distribution of the data that the BOM describes."}}},"tlpClassification":{"title":"Traffic Light Protocol (TLP) Classification","description":"Traffic Light Protocol (TLP) is a classification system for identifying the potential risk associated with artefact, including whether it is subject to certain types of legal, financial, or technical threats. 
Refer to [https://www.first.org/tlp/](https://www.first.org/tlp/) for further information.\nThe default classification is \"CLEAR\"","type":"string","default":"CLEAR","enum":["CLEAR","GREEN","AMBER","AMBER_AND_STRICT","RED"],"meta:enum":{"CLEAR":"The information is not subject to any restrictions as regards the sharing.","GREEN":"The information is subject to limited disclosure, and recipients can share it within their community but not via publicly accessible channels.","AMBER":"The information is subject to limited disclosure, and recipients can only share it on a need-to-know basis within their organization and with clients.","AMBER_AND_STRICT":"The information is subject to limited disclosure, and recipients can only share it on a need-to-know basis within their organization.","RED":"The information is subject to restricted distribution to individual recipients only and must not be shared."}}}},"cyclonedx-patent-2.0":{"type":"null","title":"CycloneDX Patent Model","$defs":{"patents":{"type":"array","title":"Patents","description":"The list of either individual patents or patent families.","items":{"anyOf":[{"$ref":"#/$defs/cyclonedx-patent-2.0/$defs/patent"},{"$ref":"#/$defs/cyclonedx-patent-2.0/$defs/patentFamily"}]}},"patent":{"type":"object","title":"Patent","description":"A patent is a legal instrument, granted by an authority, that confers certain rights over an invention for a specified period, contingent on public disclosure and adherence to relevant legal requirements. The summary information in this object is aligned with [WIPO ST.96](https://www.wipo.int/standards/en/st96/) principles where applicable.","required":["patentNumber","jurisdiction","patentLegalStatus"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"An identifier which can be used to reference the object elsewhere in the BOM. 
Every `bom-ref` must be unique within the BOM."},"patentNumber":{"type":"string","pattern":"^[A-Za-z0-9][A-Za-z0-9\\-/.()\\s]{0,28}[A-Za-z0-9]$","title":"Patent Number","description":"The unique number assigned to the granted patent by the issuing authority. Aligned with `PatentNumber` in WIPO ST.96. Refer to [PatentNumber in ST.96](https://www.wipo.int/standards/XMLSchema/ST96/V8_0/Patent/PatentNumber.xsd).","examples":["US987654321","EP1234567B1"]},"applicationNumber":{"$ref":"#/$defs/cyclonedx-patent-2.0/$defs/patentApplicationNumber"},"jurisdiction":{"$ref":"#/$defs/cyclonedx-patent-2.0/$defs/patentJurisdiction"},"priorityApplication":{"$ref":"#/$defs/cyclonedx-patent-2.0/$defs/priorityApplication"},"publicationNumber":{"type":"string","pattern":"^[A-Za-z0-9][A-Za-z0-9\\-/.()\\s]{0,28}[A-Za-z0-9]$","title":"Patent Publication Number","description":"This is the number assigned to a patent application once it is published. Patent applications are generally published 18 months after filing (unless an applicant requests non-publication). This number is distinct from the application number. \n\nPurpose: Identifies the publicly available version of the application. \n\nFormat: Varies by jurisdiction, often similar to application numbers but includes an additional suffix indicating publication. \n\nExample:\n - US: US20240000123A1 (indicates the first publication of application US20240000123) \n - Europe: EP23123456A1 (first publication of European application EP23123456). \n\nWIPO ST.96 v8.0: \n - Publication Number field: https://www.wipo.int/standards/XMLSchema/ST96/V8_0/Patent/PublicationNumber.xsd"},"title":{"type":"string","title":"Patent Title","description":"The title of the patent, summarising the invention it protects. Aligned with `InventionTitle` in WIPO ST.96. 
Refer to [InventionTitle in ST.96](https://www.wipo.int/standards/XMLSchema/ST96/V8_0/Patent/InventionTitle.xsd)."},"abstract":{"type":"string","title":"Patent Abstract","description":"A brief summary of the invention described in the patent. Aligned with `Abstract` and `P` in WIPO ST.96. Refer to [Abstract in ST.96](https://www.wipo.int/standards/XMLSchema/ST96/V8_0/Patent/Abstract.xsd)."},"filingDate":{"type":"string","format":"date","title":"Filing Date","description":"The date the patent application was filed with the jurisdiction. Aligned with `FilingDate` in WIPO ST.96. Refer to [FilingDate in ST.96](https://www.wipo.int/standards/XMLSchema/ST96/V8_0/Patent/FilingDate.xsd)."},"grantDate":{"type":"string","format":"date","title":"Grant Date","description":"The date the patent was granted by the jurisdiction. Aligned with `GrantDate` in WIPO ST.96. Refer to [GrantDate in ST.96](https://www.wipo.int/standards/XMLSchema/ST96/V8_0/Patent/GrantDate.xsd)."},"patentExpirationDate":{"type":"string","format":"date","title":"Expiration Date","description":"The date the patent expires. Derived from grant or filing date according to jurisdiction-specific rules."},"patentLegalStatus":{"type":"string","title":"Legal Status","description":"Indicates the current legal status of the patent or patent application, based on the WIPO ST.27 standard. This status reflects administrative, procedural, or legal events. 
Values include both active and inactive states and are useful for determining enforceability, procedural history, and maintenance status.","enum":["pending","granted","revoked","expired","lapsed","withdrawn","abandoned","suspended","reinstated","opposed","terminated","invalidated","in-force"],"meta:enum":{"pending":"The patent application has been filed but not yet examined or granted.","granted":"The patent application has been examined and a patent has been issued.","revoked":"The patent has been declared invalid through a legal or administrative process.","expired":"The patent has reached the end of its enforceable term.","lapsed":"The patent is no longer in force due to non-payment of maintenance fees or other requirements.","withdrawn":"The patent application was voluntarily withdrawn by the applicant.","abandoned":"The patent application was abandoned, often due to lack of action or response.","suspended":"Processing of the patent application has been temporarily halted.","reinstated":"A previously abandoned or lapsed patent has been reinstated.","opposed":"The patent application or granted patent is under formal opposition proceedings.","terminated":"The patent or application has been officially terminated.","invalidated":"The patent has been invalidated, either in part or in full.","in-force":"The granted patent is active and enforceable."}},"patentAssignee":{"type":"array","title":"Patent Assignees","description":"A collection of organisations or individuals to whom the patent rights are assigned. 
This supports joint ownership and allows for flexible representation of both corporate entities and individual inventors.","items":{"oneOf":[{"title":"Person","$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalContact"},{"title":"Organizational Entity","$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity"}]}},"externalReferences":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/externalReferences"}}},"patentFamily":{"type":"object","title":"Patent Family","description":"A patent family is a group of related patent applications or granted patents that cover the same or similar invention. These patents are filed in multiple jurisdictions to protect the invention across different regions or countries. A patent family typically includes patents that share a common priority date, originating from the same initial application, and may vary slightly in scope or claims to comply with regional legal frameworks. Fields align with WIPO ST.96 standards where applicable.","required":["familyId"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"An identifier which can be used to reference the object elsewhere in the BOM. Every `bom-ref` must be unique within the BOM. \n\nFor a patent, it might be a good idea to use a patent number as the BOM reference ID."},"familyId":{"type":"string","title":"Patent Family ID","description":"The unique identifier for the patent family, aligned with the `id` attribute in WIPO ST.96 v8.0's `PatentFamilyType`. 
Refer to [PatentFamilyType in ST.96](https://www.wipo.int/standards/XMLSchema/ST96/V8_0/Patent/PatentFamilyType.xsd)."},"priorityApplication":{"$ref":"#/$defs/cyclonedx-patent-2.0/$defs/priorityApplication"},"members":{"type":"array","title":"Family Members","description":"A collection of patents or applications that belong to this family, each identified by a `bom-ref` pointing to a patent object defined elsewhere in the BOM.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType","title":"BOM Reference","description":"A `bom-ref` linking to a patent or application object within the BOM."}},"externalReferences":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/externalReferences"}}},"patentAssertions":{"type":"array","title":"Patent Assertions","description":"A list of assertions made regarding patents associated with this component or service. Assertions distinguish between ownership, licensing, and other relevant interactions with patents.","items":{"type":"object","title":"Patent Assertion","description":"An assertion linking a patent or patent family to this component or service.","required":["assertionType","asserter"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"A reference to the patent or patent family object within the BOM. This must match the `bom-ref` of a `patent` or `patentFamily` object."},"assertionType":{"type":"string","title":"Assertion Type","description":"The type of assertion being made about the patent or patent family. 
Examples include ownership, licensing, and standards inclusion.","enum":["ownership","license","third-party-claim","standards-inclusion","prior-art","exclusive-rights","non-assertion","research-or-evaluation"],"meta:enum":{"ownership":"The manufacturer asserts ownership of the patent or patent family.","license":"The manufacturer asserts they have a license to use the patent or patent family.","third-party-claim":"A third party has asserted a claim or potential infringement against the manufacturer’s component or service.","standards-inclusion":"The patent is part of a standard essential patent (SEP) portfolio relevant to the component or service.","prior-art":"The manufacturer asserts the patent or patent family as prior art that invalidates another patent or claim.","exclusive-rights":"The manufacturer asserts exclusive rights granted through a licensing agreement.","non-assertion":"The manufacturer asserts they will not enforce the patent or patent family against certain uses or users.","research-or-evaluation":"The patent or patent family is being used under a research or evaluation license."}},"patentRefs":{"type":"array","title":"Patent References","description":"A list of BOM references (`bom-ref`) linking to patents or patent families associated with this assertion.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"}},"asserter":{"oneOf":[{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity","title":"Organizational Entity"},{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalContact","title":"Person"},{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType","title":"Reference","description":"A reference to a previously defined `organizationalContact` or `organizationalEntity` object in the BOM. The value must be a valid `bom-ref` pointing to one of these objects."}]},"notes":{"type":"string","title":"Notes","description":"Additional notes or clarifications regarding the assertion, if necessary. 
For example, geographical restrictions, duration, or limitations of a license."}}}},"patentApplicationNumber":{"type":"string","pattern":"^[A-Za-z0-9][A-Za-z0-9\\-/.()\\s]{0,28}[A-Za-z0-9]$","title":"Patent Application Number","description":"The unique number assigned to a patent application when it is filed with a patent office. It is used to identify the specific application and track its progress through the examination process. Aligned with `ApplicationNumber` in ST.96. Refer to [ApplicationIdentificationType in ST.96](https://www.wipo.int/standards/XMLSchema/ST96/V8_0/Patent/ApplicationIdentificationType.xsd).","examples":["US20240000123","EP23123456"]},"patentJurisdiction":{"type":"string","title":"Jurisdiction","description":"The jurisdiction or patent office where the priority application was filed, specified using WIPO ST.3 codes. Aligned with `IPOfficeCode` in ST.96. Refer to [IPOfficeCode in ST.96](https://www.wipo.int/standards/XMLSchema/ST96/V8_0/Common/IPOfficeCode.xsd).","pattern":"^[A-Z]{2}$","examples":["US","EP","JP"]},"patentFilingDate":{"type":"string","format":"date","title":"Filing Date","description":"The date the priority application was filed, aligned with `FilingDate` in ST.96. Refer to [FilingDate in ST.96](https://www.wipo.int/standards/XMLSchema/ST96/V8_0/Patent/FilingDate.xsd)."},"priorityApplication":{"type":"object","title":"Priority Application","description":"The priorityApplication contains the essential data necessary to identify and reference an earlier patent filing for priority rights. 
In line with WIPO ST.96 guidelines, it includes the jurisdiction (office code), application number, and filing date-the three key elements that uniquely specify the priority application in a global patent context.","required":["applicationNumber","jurisdiction","filingDate"],"additionalProperties":false,"properties":{"applicationNumber":{"$ref":"#/$defs/cyclonedx-patent-2.0/$defs/patentApplicationNumber"},"jurisdiction":{"$ref":"#/$defs/cyclonedx-patent-2.0/$defs/patentJurisdiction"},"filingDate":{"$ref":"#/$defs/cyclonedx-patent-2.0/$defs/patentFilingDate"}}}}},"cyclonedx-release-notes-2.0":{"type":"null","title":"CycloneDX Release Notes Model","$defs":{"releaseNotes":{"type":"object","title":"Release notes","required":["type"],"additionalProperties":false,"properties":{"type":{"$ref":"#/$defs/cyclonedx-release-notes-2.0/$defs/releaseType","title":"Type","description":"The software versioning type the release note describes."},"title":{"type":"string","title":"Title","description":"The title of the release."},"featuredImage":{"type":"string","format":"iri-reference","title":"Featured image","description":"The URL to an image that may be prominently displayed with the release note."},"socialImage":{"type":"string","format":"iri-reference","title":"Social image","description":"The URL to an image that may be used in messaging on social media platforms."},"description":{"type":"string","title":"Description","description":"A short description of the release."},"timestamp":{"type":"string","format":"date-time","title":"Timestamp","description":"The date and time (timestamp) when the release note was created."},"aliases":{"type":"array","items":{"type":"string"},"title":"Aliases","description":"One or more alternate names the release may be referred to. This may include unofficial terms used by development and marketing teams (e.g. 
code names)."},"tags":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/tags","title":"Tags"},"resolves":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/issue"},"title":"Resolves","description":"A collection of issues that have been resolved."},"notes":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-release-notes-2.0/$defs/note"},"title":"Notes","description":"Zero or more release notes containing the locale and content. Multiple note objects may be specified to support release notes in a wide variety of languages."},"properties":{"type":"array","title":"Properties","description":"Provides the ability to document properties in a name-value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. Unlike key-value stores, properties support duplicate names, each potentially having different values. Property names of interest to the general public are encouraged to be registered in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy). Formal registration is optional.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/property"}}}},"releaseType":{"type":"string","examples":["major","minor","patch","pre-release","internal"],"description":"The software versioning type. It is recommended that the release type use one of 'major', 'minor', 'patch', 'pre-release', or 'internal'. 
Representing all possible software release types is not practical, so standardizing on the recommended values, whenever possible, is strongly encouraged.\n\n* __major__ = A major release may contain significant changes or may introduce breaking changes.\n* __minor__ = A minor release, also known as an update, may contain a smaller number of changes than major releases.\n* __patch__ = Patch releases are typically unplanned and may resolve defects or important security issues.\n* __pre-release__ = A pre-release may include alpha, beta, or release candidates and typically have limited support. They provide the ability to preview a release prior to its general availability.\n* __internal__ = Internal releases are not for public consumption and are intended to be used exclusively by the project or manufacturer that produced it."},"note":{"type":"object","title":"Note","description":"A note containing the locale and content.","required":["text"],"additionalProperties":false,"properties":{"locale":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/locale","title":"Locale","description":"The ISO-639 (or higher) language code and optional ISO-3166 (or higher) country code. Examples include: \"en\", \"en-US\", \"fr\" and \"fr-CA\""},"text":{"title":"Release note content","description":"Specifies the full content of the release note.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/attachment"}}}}},"cyclonedx-service-2.0":{"type":"null","title":"CycloneDX Service Model","$defs":{"services":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-service-2.0/$defs/service"},"uniqueItems":true,"title":"Services"},"service":{"type":"object","title":"Service","required":["name"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"An identifier which can be used to reference the service elsewhere in the BOM. 
Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links."},"provider":{"title":"Provider","description":"The organization that provides the service.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity"},"group":{"type":"string","title":"Service Group","description":"The grouping name, namespace, or identifier. This will often be a shortened, single name of the company or project that produced the service or domain name. Whitespace and special characters should be avoided.","examples":["com.acme"]},"name":{"type":"string","title":"Service Name","description":"The name of the service. This will often be a shortened, single name of the service.","examples":["ticker-service"]},"version":{"$ref":"#/$defs/cyclonedx-component-2.0/$defs/version","title":"Service Version","description":"The service version."},"description":{"type":"string","title":"Service Description","description":"Specifies a description for the service"},"endpoints":{"type":"array","items":{"type":"string","format":"iri-reference"},"title":"Endpoints","description":"The endpoint URIs of the service. Multiple endpoints are allowed.","examples":["https://example.com/api/v1/ticker"]},"authenticated":{"type":"boolean","title":"Authentication Required","description":"A boolean value indicating if the service requires authentication. A value of true indicates the service requires authentication prior to use. A value of false indicates the service does not require authentication."},"x-trust-boundary":{"type":"boolean","title":"Crosses Trust Boundary","description":"A boolean value indicating if use of the service crosses a trust zone or boundary. A value of true indicates that by using the service, a trust boundary is crossed. 
A value of false indicates that by using the service, a trust boundary is not crossed."},"trustZone":{"type":"string","title":"Trust Zone","description":"The name of the trust zone the service resides in."},"data":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-service-2.0/$defs/serviceData"},"title":"Data","description":"Specifies information about the data including the directional flow of data and the data classification."},"licenses":{"$ref":"#/$defs/cyclonedx-license-2.0/$defs/licenseChoice","title":"Service License(s)"},"patentAssertions":{"$ref":"#/$defs/cyclonedx-patent-2.0/$defs/patentAssertions","title":"Service Patent(s)"},"externalReferences":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/externalReferences"},"services":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-service-2.0/$defs/service"},"uniqueItems":true,"title":"Services","description":"A list of services included or deployed behind the parent service. This is not a dependency tree. It provides a way to specify a hierarchical representation of service assemblies."},"releaseNotes":{"$ref":"#/$defs/cyclonedx-release-notes-2.0/$defs/releaseNotes","title":"Release notes","description":"Specifies release notes."},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"},"tags":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/tags","title":"Tags"},"signature":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/signature","title":"Signature","description":"Enveloped signature in [JSON Signature Format (JSF)](https://cyberphone.github.io/doc/security/jsf.html)."}}},"serviceData":{"type":"object","title":"Hash Objects","required":["flow","classification"],"additionalProperties":false,"properties":{"flow":{"$ref":"#/$defs/cyclonedx-data-2.0/$defs/dataFlowDirection","title":"Directional Flow","description":"Specifies the flow direction of the data. Direction is relative to the service. Inbound flow states that data enters the service. Outbound flow states that data leaves the service. 
Bi-directional states that data flows both ways and unknown states that the direction is not known."},"classification":{"$ref":"#/$defs/cyclonedx-data-2.0/$defs/dataClassification"},"name":{"type":"string","title":"Name","description":"Name for the defined data","examples":["Credit card reporting"]},"description":{"type":"string","title":"Description","description":"Short description of the data content and usage","examples":["Credit card information being exchanged in between the web app and the database"]},"governance":{"title":"Data Governance","$ref":"#/$defs/cyclonedx-data-2.0/$defs/dataGovernance"},"source":{"type":"array","items":{"anyOf":[{"title":"URL","type":"string","format":"iri-reference"},{"title":"BOM-Link Element","$ref":"#/$defs/cyclonedx-common-2.0/$defs/bomLinkElementType"}]},"title":"Source","description":"The URI, URL, or BOM-Link of the components or services the data came in from"},"destination":{"type":"array","items":{"anyOf":[{"title":"URL","type":"string","format":"iri-reference"},{"title":"BOM-Link Element","$ref":"#/$defs/cyclonedx-common-2.0/$defs/bomLinkElementType"}]},"title":"Destination","description":"The URI, URL, or BOM-Link of the components or services the data is sent to"}}}}},"cyclonedx-standard-2.0":{"type":"null","title":"CycloneDX Standard Model","$defs":{"standards":{"type":"array","title":"Standards","description":"The list of standards which may consist of regulations, industry or organizational-specific standards, maturity models, best practices, or any other requirements which can be evaluated against or attested to.","items":{"$ref":"#/$defs/cyclonedx-standard-2.0/$defs/standard"}},"standard":{"type":"object","title":"Standard","description":"A standard may consist of regulations, industry or organizational-specific standards, maturity models, best practices, or any other requirements which can be evaluated against or attested 
to.","additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"An identifier which can be used to reference the object elsewhere in the BOM. Every `bom-ref` must be unique within the BOM."},"name":{"type":"string","title":"Name","description":"The name of the standard. This will often be a shortened, single name of the standard."},"version":{"type":"string","title":"Version","description":"The version of the standard."},"description":{"type":"string","title":"Description","description":"The description of the standard."},"owner":{"type":"string","title":"Owner","description":"The owner of the standard, often the entity responsible for its release."},"requirements":{"$ref":"#/$defs/cyclonedx-standard-2.0/$defs/requirements"},"levels":{"$ref":"#/$defs/cyclonedx-standard-2.0/$defs/levels"},"externalReferences":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/externalReferences"},"signature":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/signature","title":"Signature","description":"Enveloped signature in [JSON Signature Format (JSF)](https://cyberphone.github.io/doc/security/jsf.html)."}}},"requirements":{"type":"array","title":"Requirements","description":"The list of requirements comprising the standard.","items":{"$ref":"#/$defs/cyclonedx-standard-2.0/$defs/requirement"}},"requirement":{"type":"object","title":"Requirement","additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"An identifier which can be used to reference the object elsewhere in the BOM. Every `bom-ref` must be unique within the BOM."},"identifier":{"type":"string","title":"Identifier","description":"The unique identifier used in the standard to identify a specific requirement. 
This should match what is in the standard and should not be the requirements bom-ref."},"title":{"type":"string","title":"Title","description":"The title of the requirement."},"text":{"type":"string","title":"Text","description":"The textual content of the requirement."},"descriptions":{"type":"array","title":"Descriptions","description":"The supplemental text that provides additional guidance or context to the requirement, but is not directly part of the requirement.","items":{"type":"string"}},"openCre":{"type":"array","title":"OWASP OpenCRE Identifier(s)","description":"The Common Requirements Enumeration (CRE) identifier(s). CRE is a structured and standardized framework for uniting security standards and guidelines. CRE links each section of a resource to a shared topic identifier (a Common Requirement). Through this shared topic link, all resources map to each other. Use of CRE promotes clear and unambiguous communication among stakeholders.","items":{"type":"string","pattern":"^CRE:[0-9]+-[0-9]+$","examples":["CRE:764-507"]}},"parent":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType","title":"Parent BOM Reference","description":"The `bom-ref` to a parent requirement. This establishes a hierarchy of requirements. Top-level requirements must not define a parent. Only child requirements should define parents."},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"},"externalReferences":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/externalReferences"}}},"levels":{"type":"array","title":"Levels","description":"The list of levels associated with the standard. Some standards have different levels of compliance.","items":{"$ref":"#/$defs/cyclonedx-standard-2.0/$defs/level"}},"level":{"type":"object","title":"Level","additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"An identifier which can be used to reference the object elsewhere in the BOM. 
Every `bom-ref` must be unique within the BOM."},"identifier":{"type":"string","title":"Identifier","description":"The identifier used in the standard to identify a specific level."},"title":{"type":"string","title":"Title","description":"The title of the level."},"description":{"type":"string","title":"Description","description":"The description of the level."},"requirements":{"type":"array","title":"Requirements","description":"The list of requirement `bom-ref`s that comprise the level.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"}}}}}},"cyclonedx-vulnerability-2.0":{"type":"null","title":"CycloneDX Vulnerability Model","$defs":{"vulnerabilities":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-vulnerability-2.0/$defs/vulnerability"},"uniqueItems":true,"title":"Vulnerabilities","description":"Vulnerabilities identified in components or services."},"vulnerability":{"type":"object","title":"Vulnerability","description":"Defines a weakness in a component or service that could be exploited or triggered by a threat source.","additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"An identifier which can be used to reference the vulnerability elsewhere in the BOM. Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links."},"id":{"type":"string","title":"ID","description":"The identifier that uniquely identifies the vulnerability.","examples":["CVE-2021-39182","GHSA-35m5-8cvj-8783","SNYK-PYTHON-ENROCRYPT-1912876"]},"source":{"$ref":"#/$defs/cyclonedx-vulnerability-2.0/$defs/vulnerabilitySource","description":"The source that published the vulnerability."},"references":{"type":"array","title":"References","description":"Zero or more pointers to vulnerabilities that are the equivalent of the vulnerability specified. 
Often times, the same vulnerability may exist in multiple sources of vulnerability intelligence, but have different identifiers. References provide a way to correlate vulnerabilities across multiple sources of vulnerability intelligence.","items":{"type":"object","required":["id","source"],"additionalProperties":false,"properties":{"id":{"type":"string","title":"ID","description":"An identifier that uniquely identifies the vulnerability.","examples":["CVE-2021-39182","GHSA-35m5-8cvj-8783","SNYK-PYTHON-ENROCRYPT-1912876"]},"source":{"$ref":"#/$defs/cyclonedx-vulnerability-2.0/$defs/vulnerabilitySource","description":"The source that published the vulnerability."}}}},"ratings":{"type":"array","title":"Ratings","description":"List of vulnerability ratings","items":{"$ref":"#/$defs/cyclonedx-vulnerability-2.0/$defs/rating"}},"cwes":{"type":"array","title":"CWEs","description":"List of Common Weaknesses Enumerations (CWEs) codes that describes this vulnerability.","examples":[399],"items":{"$ref":"#/$defs/cyclonedx-vulnerability-2.0/$defs/cwe"}},"description":{"type":"string","title":"Description","description":"A description of the vulnerability as provided by the source."},"detail":{"type":"string","title":"Details","description":"If available, an in-depth description of the vulnerability as provided by the source organization. Details often include information useful in understanding root cause."},"recommendation":{"type":"string","title":"Recommendation","description":"Recommendations of how the vulnerability can be remediated or mitigated."},"workaround":{"type":"string","title":"Workarounds","description":"A bypass, usually temporary, of the vulnerability that reduces its likelihood and/or impact. 
Workarounds often involve changes to configuration or deployments."},"proofOfConcept":{"type":"object","title":"Proof of Concept","description":"Evidence used to reproduce the vulnerability.","properties":{"reproductionSteps":{"type":"string","title":"Steps to Reproduce","description":"Precise steps to reproduce the vulnerability."},"environment":{"type":"string","title":"Environment","description":"A description of the environment in which reproduction was possible."},"supportingMaterial":{"type":"array","title":"Supporting Material","description":"Supporting material that helps in reproducing or understanding how reproduction is possible. This may include screenshots, payloads, and PoC exploit code.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/attachment"}}}},"advisories":{"type":"array","title":"Advisories","description":"Published advisories of the vulnerability if provided.","items":{"$ref":"#/$defs/cyclonedx-vulnerability-2.0/$defs/advisory"}},"created":{"type":"string","format":"date-time","title":"Created","description":"The date and time (timestamp) when the vulnerability record was created in the vulnerability database."},"published":{"type":"string","format":"date-time","title":"Published","description":"The date and time (timestamp) when the vulnerability record was first published."},"updated":{"type":"string","format":"date-time","title":"Updated","description":"The date and time (timestamp) when the vulnerability record was last updated."},"rejected":{"type":"string","format":"date-time","title":"Rejected","description":"The date and time (timestamp) when the vulnerability record was rejected (if applicable)."},"credits":{"type":"object","title":"Credits","description":"Individuals or organizations credited with the discovery of the vulnerability.","additionalProperties":false,"properties":{"organizations":{"type":"array","title":"Organizations","description":"The organizations credited with vulnerability 
discovery.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity"}},"individuals":{"type":"array","title":"Individuals","description":"The individuals, not associated with organizations, that are credited with vulnerability discovery.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalContact"}}}},"tools":{"type":"object","title":"Tools","description":"The tool(s) used to identify, confirm, or score the vulnerability.","additionalProperties":false,"properties":{"components":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-component-2.0/$defs/component"},"uniqueItems":true,"title":"Components","description":"A list of software and hardware components used as tools."},"services":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-service-2.0/$defs/service"},"uniqueItems":true,"title":"Services","description":"A list of services used as tools. This may include microservices, function-as-a-service, and other types of network or intra-process services."}}},"analysis":{"type":"object","title":"Impact Analysis","description":"An assessment of the impact and exploitability of the vulnerability.","additionalProperties":false,"properties":{"state":{"$ref":"#/$defs/cyclonedx-vulnerability-2.0/$defs/impactAnalysisState"},"justification":{"$ref":"#/$defs/cyclonedx-vulnerability-2.0/$defs/impactAnalysisJustification"},"response":{"type":"array","title":"Response","description":"A response to the vulnerability by the manufacturer, supplier, or project responsible for the affected component or service. More than one response is allowed. 
Responses are strongly encouraged for vulnerabilities where the analysis state is exploitable.","items":{"type":"string","enum":["can_not_fix","will_not_fix","update","rollback","workaround_available"],"meta:enum":{"can_not_fix":"Can not fix","will_not_fix":"Will not fix","update":"Update to a different revision or release","rollback":"Revert to a previous revision or release","workaround_available":"There is a workaround available"}}},"detail":{"type":"string","title":"Detail","description":"Detailed description of the impact including methods used during assessment. If a vulnerability is not exploitable, this field should include specific details on why the component or service is not impacted by this vulnerability."},"firstIssued":{"type":"string","format":"date-time","title":"First Issued","description":"The date and time (timestamp) when the analysis was first issued."},"lastUpdated":{"type":"string","format":"date-time","title":"Last Updated","description":"The date and time (timestamp) when the analysis was last updated."}}},"affects":{"type":"array","uniqueItems":true,"items":{"type":"object","required":["ref"],"additionalProperties":false,"properties":{"ref":{"anyOf":[{"title":"Ref","$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"},{"title":"BOM-Link Element","$ref":"#/$defs/cyclonedx-common-2.0/$defs/bomLinkElementType"}],"title":"Reference","description":"References a component or service by the objects bom-ref"},"versions":{"type":"array","title":"Versions","description":"Zero or more individual versions or range of versions.","items":{"type":"object","oneOf":[{"required":["version"]},{"required":["range"]}],"additionalProperties":false,"properties":{"version":{"title":"Version","description":"A single version of a component or service.","$ref":"#/$defs/cyclonedx-component-2.0/$defs/version"},"range":{"title":"Version Range","description":"A version range specified in Package URL Version Range syntax (vers) which is defined at 
https://github.com/package-url/vers-spec","$ref":"#/$defs/cyclonedx-component-2.0/$defs/versionRange"},"status":{"title":"Status","description":"The vulnerability status for the version or range of versions.","$ref":"#/$defs/cyclonedx-vulnerability-2.0/$defs/affectedStatus","default":"affected"}}}}}},"title":"Affects","description":"The components or services that are affected by the vulnerability."},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"advisory":{"type":"object","title":"Advisory","description":"Title and location where advisory information can be obtained. An advisory is a notification of a threat to a component, service, or system.","required":["url"],"additionalProperties":false,"properties":{"title":{"type":"string","title":"Title","description":"A name of the advisory."},"url":{"type":"string","title":"URL","format":"iri-reference","description":"Location where the advisory can be obtained."}}},"cwe":{"type":"integer","minimum":1,"title":"CWE","description":"Integer representation of a Common Weaknesses Enumerations (CWE). For example 399 (of https://cwe.mitre.org/data/definitions/399.html)"},"severity":{"type":"string","title":"Severity","description":"Textual representation of the severity of the vulnerability adopted by the analysis method. 
If the analysis method uses values other than what is provided, the user is expected to translate appropriately.","enum":["critical","high","medium","low","info","none","unknown"],"meta:enum":{"critical":"Critical severity","high":"High severity","medium":"Medium severity","low":"Low severity","info":"Informational warning.","none":"None","unknown":"The severity is not known"}},"scoreMethod":{"type":"string","title":"Method","description":"Specifies the severity or risk scoring methodology or standard used.","enum":["CVSSv2","CVSSv3","CVSSv31","CVSSv4","OWASP","SSVC","other"],"meta:enum":{"CVSSv2":"Common Vulnerability Scoring System v2.0","CVSSv3":"Common Vulnerability Scoring System v3.0","CVSSv31":"Common Vulnerability Scoring System v3.1","CVSSv4":"Common Vulnerability Scoring System v4.0","OWASP":"OWASP Risk Rating Methodology","SSVC":"Stakeholder Specific Vulnerability Categorization","other":"Another severity or risk scoring methodology"}},"impactAnalysisState":{"type":"string","title":"Impact Analysis State","description":"Declares the current state of an occurrence of a vulnerability, after automated or manual analysis.","enum":["resolved","resolved_with_pedigree","exploitable","in_triage","false_positive","not_affected"],"meta:enum":{"resolved":"The vulnerability has been remediated.","resolved_with_pedigree":"The vulnerability has been remediated and evidence of the changes are provided in the affected components pedigree containing verifiable commit history and/or diff(s).","exploitable":"The vulnerability may be directly or indirectly exploitable.","in_triage":"The vulnerability is being investigated.","false_positive":"The vulnerability is not specific to the component or service and was falsely identified or associated.","not_affected":"The component or service is not affected by the vulnerability. 
Justification should be specified for all not_affected cases."}},"impactAnalysisJustification":{"type":"string","title":"Impact Analysis Justification","description":"The rationale of why the impact analysis state was asserted.","enum":["code_not_present","code_not_reachable","requires_configuration","requires_dependency","requires_environment","protected_by_compiler","protected_at_runtime","protected_at_perimeter","protected_by_mitigating_control"],"meta:enum":{"code_not_present":"The code has been removed or tree-shaked.","code_not_reachable":"The vulnerable code is not invoked at runtime.","requires_configuration":"Exploitability requires a configurable option to be set/unset.","requires_dependency":"Exploitability requires a dependency that is not present.","requires_environment":"Exploitability requires a certain environment which is not present.","protected_by_compiler":"Exploitability requires a compiler flag to be set/unset.","protected_at_runtime":"Exploits are prevented at runtime.","protected_at_perimeter":"Attacks are blocked at physical, logical, or network perimeter.","protected_by_mitigating_control":"Preventative measures have been implemented that reduce the likelihood and/or impact of the vulnerability."}},"rating":{"type":"object","title":"Rating","description":"Defines the severity or risk ratings of a vulnerability.","additionalProperties":false,"properties":{"source":{"$ref":"#/$defs/cyclonedx-vulnerability-2.0/$defs/vulnerabilitySource","description":"The source that calculated the severity or risk rating of the vulnerability."},"score":{"type":"number","title":"Score","description":"The numerical score of the rating."},"severity":{"$ref":"#/$defs/cyclonedx-vulnerability-2.0/$defs/severity","description":"Textual representation of the severity that corresponds to the numerical score of the rating."},"method":{"$ref":"#/$defs/cyclonedx-vulnerability-2.0/$defs/scoreMethod"},"vector":{"type":"string","title":"Vector","description":"Textual 
representation of the metric values used to score the vulnerability"},"justification":{"type":"string","title":"Justification","description":"A reason for rating the vulnerability as it was"}}},"vulnerabilitySource":{"type":"object","title":"Source","description":"The source of vulnerability information. This is often the organization that published the vulnerability.","additionalProperties":false,"properties":{"url":{"type":"string","title":"URL","description":"The url of the vulnerability documentation as provided by the source.","examples":["https://nvd.nist.gov/vuln/detail/CVE-2021-39182"]},"name":{"type":"string","title":"Name","description":"The name of the source.","examples":["NVD","National Vulnerability Database","OSS Index","VulnDB","GitHub Advisories"]}}},"affectedStatus":{"description":"The vulnerability status of a given version or range of versions of a product. The statuses 'affected' and 'unaffected' indicate that the version is affected or unaffected by the vulnerability. The status 'unknown' indicates that it is unknown or unspecified whether the given version is affected. There can be many reasons for an 'unknown' status, including that an investigation has not been undertaken or that a vendor has not disclosed the status.","type":"string","enum":["affected","unaffected","unknown"],"meta:enum":{"affected":"The version is affected by the vulnerability.","unaffected":"The version is not affected by the vulnerability.","unknown":"It is unknown (or unspecified) whether the given version is affected."}}}},"cyclonedx-2.0":{"type":"object","title":"CycloneDX Transparency Expression Language","required":["specFormat","specVersion"],"additionalProperties":false,"properties":{"$schema":{"type":"string"},"specFormat":{"type":"string","title":"Specification Format","description":"Specifies the format. 
This value must be \"CycloneDX\".","enum":["CycloneDX"]},"specVersion":{"type":"string","title":"Specification Version","description":"The version of the CycloneDX specification the BOM conforms to.","examples":["2.0"]},"serialNumber":{"type":"string","title":"BOM Serial Number","description":"Every BOM generated SHOULD have a unique serial number, even if the contents of the BOM have not changed over time. If specified, the serial number must conform to [RFC 4122](https://www.ietf.org/rfc/rfc4122.html). Use of serial numbers is recommended.","examples":["urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79"],"pattern":"^urn:uuid:[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$"},"version":{"type":"integer","title":"BOM Version","description":"Whenever an existing BOM is modified, either manually or through automated processes, the version of the BOM SHOULD be incremented by 1. When a system is presented with multiple BOMs with identical serial numbers, the system SHOULD use the most recent version of the BOM. The default version is '1'.","minimum":1,"default":1},"metadata":{"$ref":"#/$defs/cyclonedx-metadata-2.0/$defs/metadata"},"components":{"$ref":"#/$defs/cyclonedx-component-2.0/$defs/components","description":"A collection of components. When a metadata component is present, this array represents the inventory of components associated with that subject, forming a bill of materials. 
When the metadata component is omitted, the array provides component data for interchange purposes without establishing a compositional relationship."},"services":{"$ref":"#/$defs/cyclonedx-service-2.0/$defs/services"},"dependencies":{"$ref":"#/$defs/cyclonedx-dependency-2.0/$defs/dependencies"},"compositions":{"$ref":"#/$defs/cyclonedx-composition-2.0/$defs/compositions"},"vulnerabilities":{"$ref":"#/$defs/cyclonedx-vulnerability-2.0/$defs/vulnerabilities"},"annotations":{"$ref":"#/$defs/cyclonedx-annotation-2.0/$defs/annotations"},"formulation":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/formulation"},"declarations":{"$ref":"#/$defs/cyclonedx-declaration-2.0/$defs/declarations"},"definitions":{"$ref":"#/$defs/cyclonedx-definition-2.0/$defs/definitions"},"citations":{"$ref":"#/$defs/cyclonedx-citation-2.0/$defs/citations"},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"},"externalReferences":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/externalReferences"},"signature":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/signature"}},"allOf":[{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/extensibleProperties"}]}}} \ No newline at end of file +{"$schema":"https://json-schema.org/draft/2020-12/schema","$id":"https://cyclonedx.org/schema/2.0/cyclonedx-2.0.schema.json","type":"object","title":"CycloneDX Transparency Expression Language","$comment":"OWASP CycloneDX is an Ecma International standard (ECMA-424) developed in collaboration between the OWASP Foundation and Ecma Technical Committee 54 (TC54). The standard is published under a royalty-free patent policy. This JSON schema is the reference implementation and is licensed under the Apache License 2.0.","required":["specFormat","specVersion"],"additionalProperties":false,"properties":{"$schema":{"type":"string"},"specFormat":{"type":"string","title":"Specification Format","description":"Specifies the format. 
This value must be \"CycloneDX\".","enum":["CycloneDX"]},"specVersion":{"type":"string","title":"Specification Version","description":"The version of the CycloneDX specification the BOM conforms to.","examples":["2.0"]},"serialNumber":{"type":"string","title":"BOM Serial Number","description":"Every BOM generated SHOULD have a unique serial number, even if the contents of the BOM have not changed over time. If specified, the serial number must conform to [RFC 4122](https://www.ietf.org/rfc/rfc4122.html). Use of serial numbers is recommended.","examples":["urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79"],"pattern":"^urn:uuid:[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$"},"version":{"type":"integer","title":"BOM Version","description":"Whenever an existing BOM is modified, either manually or through automated processes, the version of the BOM SHOULD be incremented by 1. When a system is presented with multiple BOMs with identical serial numbers, the system SHOULD use the most recent version of the BOM. The default version is '1'.","minimum":1,"default":1},"metadata":{"$ref":"#/$defs/cyclonedx-metadata-2.0/$defs/metadata"},"components":{"$ref":"#/$defs/cyclonedx-component-2.0/$defs/components","description":"A collection of components. When a metadata component is present, this array represents the inventory of components associated with that subject, forming a bill of materials. 
When the metadata component is omitted, the array provides component data for interchange purposes without establishing a compositional relationship."},"services":{"$ref":"#/$defs/cyclonedx-service-2.0/$defs/services"},"dependencies":{"$ref":"#/$defs/cyclonedx-dependency-2.0/$defs/dependencies"},"compositions":{"$ref":"#/$defs/cyclonedx-composition-2.0/$defs/compositions"},"vulnerabilities":{"$ref":"#/$defs/cyclonedx-vulnerability-2.0/$defs/vulnerabilities"},"annotations":{"$ref":"#/$defs/cyclonedx-annotation-2.0/$defs/annotations"},"formulation":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/formulation"},"declarations":{"$ref":"#/$defs/cyclonedx-declaration-2.0/$defs/declarations"},"definitions":{"$ref":"#/$defs/cyclonedx-definition-2.0/$defs/definitions"},"citations":{"$ref":"#/$defs/cyclonedx-citation-2.0/$defs/citations"},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"},"externalReferences":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/externalReferences"},"signature":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/signature"}},"allOf":[{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/extensibleProperties"}],"$defs":{"cyclonedx-ai-modelcard-2.0":{"type":"null","title":"CycloneDX AI Model Card","$defs":{"modelCard":{"type":"object","title":"Model Card","description":"A model card describes the intended uses of a machine learning model and potential limitations, including biases and ethical considerations. Model cards typically contain the training parameters, which datasets were used to train the model, performance metrics, and other relevant data useful for ML transparency. This object SHOULD be specified for any component of type `machine-learning-model` and must not be specified for other component types.","additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"An identifier which can be used to reference the model card elsewhere in the BOM. 
Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links."},"modelParameters":{"type":"object","title":"Model Parameters","description":"Hyper-parameters for construction of the model.","additionalProperties":false,"properties":{"approach":{"type":"object","title":"Approach","description":"The overall approach to learning used by the model for problem solving.","additionalProperties":false,"properties":{"type":{"type":"string","title":"Learning Type","description":"Learning types describing the learning problem or hybrid learning problem.","enum":["supervised","unsupervised","reinforcement-learning","semi-supervised","self-supervised"],"meta:enum":{"supervised":"Supervised machine learning involves training an algorithm on labeled data to predict or classify new data based on the patterns learned from the labeled examples.","unsupervised":"Unsupervised machine learning involves training algorithms on unlabeled data to discover patterns, structures, or relationships without explicit guidance, allowing the model to identify inherent structures or clusters within the data.","reinforcement-learning":"Reinforcement learning is a type of machine learning where an agent learns to make decisions by interacting with an environment to maximize cumulative rewards, through trial and error.","semi-supervised":"Semi-supervised machine learning utilizes a combination of labeled and unlabeled data during training to improve model performance, leveraging the benefits of both supervised and unsupervised learning techniques.","self-supervised":"Self-supervised machine learning involves training models to predict parts of the input data from other parts of the same data, without requiring external labels, enabling learning from large amounts of unlabeled data."}}}},"task":{"type":"string","title":"Task","description":"Directly influences the input and/or output. 
Examples include classification, regression, clustering, etc."},"architectureFamily":{"type":"string","title":"Architecture Family","description":"The model architecture family such as transformer network, convolutional neural network, residual neural network, LSTM neural network, etc."},"modelArchitecture":{"type":"string","title":"Model Architecture","description":"The specific architecture of the model such as GPT-1, ResNet-50, YOLOv3, etc."},"datasets":{"type":"array","title":"Datasets","description":"The datasets used to train and evaluate the model.","items":{"oneOf":[{"title":"Inline Data Information","$ref":"#/$defs/cyclonedx-component-2.0/$defs/componentData"},{"type":"object","title":"Data Reference","additionalProperties":false,"properties":{"ref":{"anyOf":[{"title":"Ref","$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"},{"title":"BOM-Link Element","$ref":"#/$defs/cyclonedx-common-2.0/$defs/bomLinkElementType"}],"title":"Reference","type":"string","description":"References a data component by the components bom-ref attribute"}}}]}},"inputs":{"type":"array","title":"Inputs","description":"The input format(s) of the model","items":{"$ref":"#/$defs/cyclonedx-ai-modelcard-2.0/$defs/inputOutputMLParameters"}},"outputs":{"type":"array","title":"Outputs","description":"The output format(s) from the model","items":{"$ref":"#/$defs/cyclonedx-ai-modelcard-2.0/$defs/inputOutputMLParameters"}}}},"quantitativeAnalysis":{"type":"object","title":"Quantitative Analysis","description":"A quantitative analysis of the model","additionalProperties":false,"properties":{"performanceMetrics":{"type":"array","title":"Performance Metrics","description":"The model performance metrics being reported. 
Examples may include accuracy, F1 score, precision, top-3 error rates, MSC, etc.","items":{"$ref":"#/$defs/cyclonedx-ai-modelcard-2.0/$defs/performanceMetric"}},"graphics":{"$ref":"#/$defs/cyclonedx-ai-modelcard-2.0/$defs/graphicsCollection"}}},"considerations":{"type":"object","title":"Considerations","description":"What considerations should be taken into account regarding the model's construction, training, and application?","additionalProperties":false,"properties":{"users":{"type":"array","title":"Users","description":"Who are the intended users of the model?","items":{"type":"string"}},"useCases":{"type":"array","title":"Use Cases","description":"What are the intended use cases of the model?","items":{"type":"string"}},"technicalLimitations":{"type":"array","title":"Technical Limitations","description":"What are the known technical limitations of the model? E.g. What kind(s) of data should the model be expected not to perform well on? What are the factors that might degrade model performance?","items":{"type":"string"}},"performanceTradeoffs":{"type":"array","title":"Performance Tradeoffs","description":"What are the known tradeoffs in accuracy/performance of the model?","items":{"type":"string"}},"ethicalConsiderations":{"type":"array","title":"Ethical Considerations","description":"What are the ethical risks involved in the application of this model?","items":{"$ref":"#/$defs/cyclonedx-ai-modelcard-2.0/$defs/risk"}},"environmentalConsiderations":{"$ref":"#/$defs/cyclonedx-ai-modelcard-2.0/$defs/environmentalConsiderations","title":"Environmental Considerations","description":"What are the various environmental impacts the corresponding machine learning model has exhibited across its lifecycle?"},"fairnessAssessments":{"type":"array","title":"Fairness Assessments","description":"How does the model affect groups at risk of being systematically disadvantaged? 
What are the harms and benefits to the various affected groups?","items":{"$ref":"#/$defs/cyclonedx-ai-modelcard-2.0/$defs/fairnessAssessment"}}}},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"inputOutputMLParameters":{"type":"object","title":"Input and Output Parameters","additionalProperties":false,"properties":{"format":{"title":"Input/Output Format","description":"The data format for input/output to the model.","type":"string","examples":["string","image","time-series"]}}},"environmentalConsiderations":{"type":"object","title":"Environmental Considerations","description":"Describes various environmental impact metrics.","additionalProperties":false,"properties":{"energyConsumptions":{"title":"Energy Consumptions","description":"Describes energy consumption information incurred for one or more component lifecycle activities.","type":"array","items":{"$ref":"#/$defs/cyclonedx-ai-modelcard-2.0/$defs/energyConsumption"}},"properties":{"type":"array","title":"Properties","description":"Provides the ability to document properties in a name-value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. Unlike key-value stores, properties support duplicate names, each potentially having different values. Property names of interest to the general public are encouraged to be registered in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy). 
Formal registration is optional.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/property"}}}},"energyConsumption":{"title":"Energy consumption","description":"Describes energy consumption information incurred for the specified lifecycle activity.","type":"object","required":["activity","energyProviders","activityEnergyCost"],"additionalProperties":false,"properties":{"activity":{"type":"string","title":"Activity","description":"The type of activity that is part of a machine learning model development or operational lifecycle.","enum":["design","data-collection","data-preparation","training","fine-tuning","validation","deployment","inference","other"],"meta:enum":{"design":"A model design including problem framing, goal definition and algorithm selection.","data-collection":"Model data acquisition including search, selection and transfer.","data-preparation":"Model data preparation including data cleaning, labeling and conversion.","training":"Model building, training and generalized tuning.","fine-tuning":"Refining a trained model to produce desired outputs for a given problem space.","validation":"Model validation including model output evaluation and testing.","deployment":"Explicit model deployment to a target hosting infrastructure.","inference":"Generating an output response from a hosted model from a set of inputs.","other":"A lifecycle activity type whose description does not match currently defined values."}},"energyProviders":{"title":"Energy Providers","description":"The provider(s) of the energy consumed by the associated model development lifecycle activity.","type":"array","items":{"$ref":"#/$defs/cyclonedx-ai-modelcard-2.0/$defs/energyProvider"}},"activityEnergyCost":{"title":"Activity Energy Cost","description":"The total energy cost associated with the model lifecycle activity.","$ref":"#/$defs/cyclonedx-ai-modelcard-2.0/$defs/energyMeasure"},"co2CostEquivalent":{"title":"CO2 Equivalent Cost","description":"The CO2 cost (debit) equivalent to 
the total energy cost.","$ref":"#/$defs/cyclonedx-ai-modelcard-2.0/$defs/co2Measure"},"co2CostOffset":{"title":"CO2 Cost Offset","description":"The CO2 offset (credit) for the CO2 equivalent cost.","$ref":"#/$defs/cyclonedx-ai-modelcard-2.0/$defs/co2Measure"},"properties":{"type":"array","title":"Properties","description":"Provides the ability to document properties in a name-value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. Unlike key-value stores, properties support duplicate names, each potentially having different values. Property names of interest to the general public are encouraged to be registered in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy). Formal registration is optional.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/property"}}}},"energyMeasure":{"type":"object","title":"Energy Measure","description":"A measure of energy.","required":["value","unit"],"additionalProperties":false,"properties":{"value":{"type":"number","title":"Value","description":"Quantity of energy."},"unit":{"type":"string","enum":["kWh"],"title":"Unit","description":"Unit of energy.","meta:enum":{"kWh":"Kilowatt-hour (kWh) is the energy delivered by one kilowatt (kW) of power for one hour (h)."}}}},"co2Measure":{"type":"object","title":"CO2 Measure","description":"A measure of carbon dioxide (CO2).","required":["value","unit"],"additionalProperties":false,"properties":{"value":{"type":"number","title":"Value","description":"Quantity of carbon dioxide (CO2)."},"unit":{"type":"string","enum":["tCO2eq"],"title":"Unit","description":"Unit of carbon dioxide (CO2).","meta:enum":{"tCO2eq":"Tonnes (t) of carbon dioxide (CO2) equivalent (eq)."}}}},"energyProvider":{"type":"object","title":"Energy Provider","description":"Describes the physical provider of energy used for model development or 
operations.","required":["organization","energySource","energyProvided"],"additionalProperties":false,"properties":{"bom-ref":{"title":"BOM Reference","description":"An identifier which can be used to reference the energy provider elsewhere in the BOM. Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"description":{"type":"string","title":"Description","description":"A description of the energy provider."},"organization":{"type":"object","title":"Organization","description":"The organization that provides energy.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity"},"energySource":{"type":"string","enum":["coal","oil","natural-gas","nuclear","wind","solar","geothermal","hydropower","biofuel","unknown","other"],"meta:enum":{"coal":"Energy produced by types of coal.","oil":"Petroleum products (primarily crude oil and its derivative fuel oils).","natural-gas":"Hydrocarbon gas liquids (HGL) that occur as gases at atmospheric pressure and as liquids under higher pressures including Natural gas (C5H12 and heavier), Ethane (C2H6), Propane (C3H8), etc.","nuclear":"Energy produced from the cores of atoms (i.e., through nuclear fission or fusion).","wind":"Energy produced from moving air.","solar":"Energy produced from the sun (i.e., solar radiation).","geothermal":"Energy produced from heat within the earth.","hydropower":"Energy produced from flowing water.","biofuel":"Liquid fuels produced from biomass feedstocks (i.e., organic materials such as plants or animals).","unknown":"The energy source is unknown.","other":"An energy source that is not listed."},"title":"Energy Source","description":"The energy source for the energy provider."},"energyProvided":{"$ref":"#/$defs/cyclonedx-ai-modelcard-2.0/$defs/energyMeasure","title":"Energy Provided","description":"The energy provided by the energy source for an associated 
activity."},"externalReferences":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/externalReference"},"title":"External References","description":"External references provide a way to document systems, sites, and information that may be relevant but are not included with the BOM. They may also establish specific relationships within or external to the BOM."}}},"graphicsCollection":{"type":"object","title":"Graphics Collection","description":"A collection of graphics that represent various measurements.","additionalProperties":false,"properties":{"description":{"title":"Description","description":"A description of this collection of graphics.","type":"string"},"collection":{"title":"Collection","description":"A collection of graphics.","type":"array","items":{"$ref":"#/$defs/cyclonedx-ai-modelcard-2.0/$defs/graphic"}}}},"graphic":{"type":"object","title":"Graphic","additionalProperties":false,"properties":{"name":{"title":"Name","description":"The name of the graphic.","type":"string"},"image":{"title":"Graphic Image","description":"The graphic (vector or raster). Base64 encoding must be specified for binary images.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/attachment"}}},"performanceMetric":{"type":"object","title":"Performance Metric","additionalProperties":false,"properties":{"type":{"title":"Type","description":"The type of performance metric.","type":"string"},"value":{"title":"Value","description":"The value of the performance metric.","type":"string"},"slice":{"title":"Slice","description":"The name of the slice this metric was computed on. 
By default, assume this metric is not sliced.","type":"string"},"confidenceInterval":{"title":"Confidence Interval","description":"The confidence interval of the metric.","type":"object","additionalProperties":false,"properties":{"lowerBound":{"title":"Lower Bound","description":"The lower bound of the confidence interval.","type":"string"},"upperBound":{"title":"Upper Bound","description":"The upper bound of the confidence interval.","type":"string"}}}}},"risk":{"type":"object","title":"Risk","additionalProperties":false,"properties":{"name":{"title":"Name","description":"The name of the risk.","type":"string"},"mitigationStrategy":{"title":"Mitigation Strategy","description":"Strategy used to address this risk.","type":"string"}}},"fairnessAssessment":{"type":"object","title":"Fairness Assessment","description":"Information about the benefits and harms of the model to an identified at risk group.","additionalProperties":false,"properties":{"groupAtRisk":{"type":"string","title":"Group at Risk","description":"The groups or individuals at risk of being systematically disadvantaged by the model."},"benefits":{"type":"string","title":"Benefits","description":"Expected benefits to the identified groups."},"harms":{"type":"string","title":"Harms","description":"Expected harms to the identified groups."},"mitigationStrategy":{"type":"string","title":"Mitigation Strategy","description":"With respect to the benefits and harms outlined, please describe any mitigation strategy implemented."}}}}},"cyclonedx-annotation-2.0":{"type":"null","title":"CycloneDX Annotation Model","$defs":{"annotations":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-annotation-2.0/$defs/annotation"},"uniqueItems":true,"title":"Annotations","description":"Comments made by people, organizations, or tools about any object with a bom-ref, such as components, services, vulnerabilities, or the BOM itself. 
Unlike inventory information, annotations may contain opinions or commentary from various stakeholders. Annotations may be inline (with inventory) or externalized via BOM-Link and may optionally be signed."},"annotation":{"type":"object","title":"Annotations","description":"A comment, note, explanation, or similar textual content which provides additional context to the object(s) being annotated.","required":["subjects","annotator","timestamp","text"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"An identifier which can be used to reference the annotation elsewhere in the BOM. Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links."},"subjects":{"type":"array","uniqueItems":true,"items":{"anyOf":[{"title":"Ref","$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"},{"title":"BOM-Link Element","$ref":"#/$defs/cyclonedx-common-2.0/$defs/bomLinkElementType"}]},"title":"Subjects","description":"The object in the BOM identified by its bom-ref. 
This is often a component or service, but may be any object type supporting bom-refs."},"annotator":{"type":"object","title":"Annotator","description":"The organization, person, component, or service which created the textual content of the annotation.","oneOf":[{"required":["organization"]},{"required":["individual"]},{"required":["component"]},{"required":["service"]}],"additionalProperties":false,"properties":{"organization":{"description":"The organization that created the annotation","$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity"},"individual":{"description":"The person that created the annotation","$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalContact"},"component":{"description":"The tool or component that created the annotation","$ref":"#/$defs/cyclonedx-component-2.0/$defs/component"},"service":{"description":"The service that created the annotation","$ref":"#/$defs/cyclonedx-service-2.0/$defs/service"}}},"timestamp":{"type":"string","format":"date-time","title":"Timestamp","description":"The date and time (timestamp) when the annotation was created."},"text":{"type":"string","title":"Text","description":"The textual content of the annotation."},"signature":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/signature","title":"Signature","description":"Enveloped signature in [JSON Signature Format (JSF)](https://cyberphone.github.io/doc/security/jsf.html)."}}}}},"cyclonedx-blueprint-2.0":{"type":"null","title":"CycloneDX Blueprint Model","required":["modelTypes","methodologies"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"modelTypes":{"type":"array","minItems":1,"description":"The types of models being represented","items":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/modelType"}},"methodologies":{"type":"array","minItems":1,"description":"The modeling methodologies 
used","items":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/methodology"}},"perspectives":{"type":"array","description":"Different viewpoints or perspectives used in the model analysis","items":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/perspective"}},"metadata":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/blueprintMetadata"},"scope":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/scope"},"assets":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/asset"},"description":"The assets (components, services, data, actors) included in the model"},"zones":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/zone"},"description":"Logical, physical, or trust zones that group assets with similar characteristics"},"boundaries":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/boundary"},"description":"Boundaries between zones"},"flows":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/flow"},"description":"Data, control, or process flows between assets"},"assumptions":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/assumption"},"description":"Assumptions made during the modeling process"},"visualizations":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/visualization"},"description":"Visual representations of the model"},"useCases":{"type":"array","items":{"type":"object","allOf":[{"$ref":"#/$defs/cyclonedx-usecase-2.0"},{"properties":{"assets":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"description":"References to assets involved in this use case"},"flows":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"description":"References to flows that are part of this use case"},"requirements":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"description":"References to requirements implemented by this use case"}}}]},"description":"Use cases analyzed as part of 
the model"},"requirements":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-requirement-2.0/$defs/requirement"},"description":"Requirements derived from or related to the model"},"externalReferences":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/externalReference"},"description":"External references related to the blueprint"},"properties":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/property"},"description":"Additional properties and extensions"}},"$defs":{"modelType":{"type":"object","oneOf":[{"required":["type"],"additionalProperties":false,"properties":{"type":{"type":"string","enum":["architecture","dataFlow","process","deployment","network","threat","risk","privacy","operational","conceptual","logical","physical","behavioral","structural"],"meta:enum":{"architecture":"System or software architecture model","dataFlow":"Data flow model showing how data moves through the system","process":"Business or system process model","deployment":"Deployment or infrastructure model","network":"Network topology or connectivity model","threat":"Security threat model","risk":"Risk assessment model","privacy":"Privacy impact assessment model","operational":"Operational model","conceptual":"High-level conceptual model","logical":"Logical system model","physical":"Physical infrastructure model","behavioral":"System behavior model","structural":"System structure model"}}}},{"required":["name"],"additionalProperties":false,"properties":{"name":{"type":"string","description":"Custom model type name"},"description":{"type":"string","description":"Description of the custom model type"}}}]},"methodology":{"type":"object","oneOf":[{"required":["type"],"additionalProperties":false,"properties":{"type":{"type":"string","enum":["C4","UML","TOGAF","Archimate","BPMN","DFD","ERD","4+1","Zachman","SABSA","DODAF","MODAF","NAF","Kruchten","IDEF","SysML","STRIDE","PASTA","LINDDUN","OCTAVE","ISO27005","NIST","FAIR"],"meta:enum":{"C4":"C4 Model for 
software architecture","UML":"Unified Modeling Language","TOGAF":"The Open Group Architecture Framework","Archimate":"Enterprise architecture modeling language","BPMN":"Business Process Model and Notation","DFD":"Data Flow Diagrams","ERD":"Entity Relationship Diagrams","4+1":"4+1 Architectural View Model","Zachman":"Zachman Framework","SABSA":"Sherwood Applied Business Security Architecture","DODAF":"Department of Defense Architecture Framework","MODAF":"Ministry of Defence Architecture Framework","NAF":"NATO Architecture Framework","Kruchten":"Kruchten's 4+1 View Model","IDEF":"Integration Definition Methods","SysML":"Systems Modeling Language","STRIDE":"Microsoft's threat modeling methodology","PASTA":"Process for Attack Simulation and Threat Analysis","LINDDUN":"Privacy threat modeling methodology","OCTAVE":"Operationally Critical Threat, Asset, and Vulnerability Evaluation","ISO27005":"ISO/IEC 27005 Information security risk management","NIST":"NIST Risk Management Framework","FAIR":"Factor Analysis of Information Risk"}},"version":{"type":"string","description":"Version of the methodology"}}},{"required":["name"],"additionalProperties":false,"properties":{"name":{"type":"string","description":"Custom methodology name"},"version":{"type":"string","description":"Version of the methodology"},"description":{"type":"string","description":"Description of the custom methodology"},"externalReferences":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/externalReference"}}}}]},"perspective":{"type":"object","required":["bom-ref","type","name"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","description":"Unique identifier for the 
perspective"},"type":{"type":"string","enum":["business","technical","user","operational","development","architectural","functional","informational","contextual","conceptual","logical","physical","security","compliance","risk","stakeholder","custom"],"meta:enum":{"business":"Business stakeholder perspective","technical":"Technical implementation perspective","user":"End user or customer perspective","operational":"Operations and maintenance perspective","development":"Software development perspective","architectural":"System architecture perspective","functional":"Functional requirements perspective","informational":"Information and data perspective","contextual":"Business context perspective","conceptual":"High-level conceptual perspective","logical":"Logical design perspective","physical":"Physical implementation perspective","security":"Security perspective","compliance":"Regulatory compliance perspective","risk":"Risk management perspective","stakeholder":"General stakeholder perspective","custom":"Custom or other perspective"}},"name":{"type":"string","description":"Name of the perspective"},"description":{"type":"string","description":"Detailed description of the perspective and its focus"},"role":{"type":"string","description":"The role or persona associated with this perspective"},"objectives":{"type":"array","items":{"type":"string"},"description":"Primary objectives or goals from this perspective"},"concerns":{"type":"array","items":{"type":"string"},"description":"Primary concerns from this perspective"},"viewpoint":{"type":"string","description":"The architectural viewpoint this perspective represents"},"scope":{"type":"string","description":"The scope of this perspective"},"properties":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/property"}}}},"blueprintMetadata":{"type":"object","additionalProperties":false,"properties":{"timestamp":{"type":"string","format":"date-time","description":"When the blueprint was created or last 
updated"},"authors":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntityOrContact","description":"The person(s) or organization(s) who created the blueprint"},"reviewer":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntityOrContact","description":"The person(s) or organization(s) who reviewed the blueprint"},"reviewDate":{"type":"string","format":"date-time","description":"When the blueprint was reviewed"},"approver":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntityOrContact","description":"The person(s) or organization(s) who approved the blueprint"},"approvalDate":{"type":"string","format":"date-time","description":"When the blueprint was approved"},"ordinalVersion":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/ordinalVersion"},"lifecycles":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/lifecycles"},"validityPeriod":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/validityPeriod"}}},"validityPeriod":{"type":"object","additionalProperties":false,"properties":{"start":{"type":"string","format":"date-time","description":"When the blueprint becomes valid"},"end":{"type":"string","format":"date-time","description":"When the blueprint expires"},"reviewFrequency":{"type":"string","pattern":"^P(?!$)(\\d+Y)?(\\d+M)?(\\d+W)?(\\d+D)?$","description":"ISO 8601 duration for review frequency (e.g., P3M for quarterly)"}}},"scope":{"type":"object","required":["name"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"name":{"type":"string","description":"Name of the scope"},"description":{"type":"string","description":"Description of what is included and excluded from the model"},"boundaries":{"type":"array","items":{"type":"string"},"description":"Explicit boundaries of the model"},"includedComponents":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"description":"References to components explicitly 
included"},"excludedComponents":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"description":"References to components explicitly excluded"},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"asset":{"type":"object","required":["bom-ref","type","name"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","description":"Unique identifier for the asset"},"componentRef":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","description":"Reference to the component this asset represents"},"serviceRef":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","description":"Reference to the service this asset represents"},"type":{"type":"string","enum":["component","service","dataStore","data","actor","process","infrastructure","device","network","container","function","api","queue","stream","system","subsystem","module","interface","endpoint","resource"],"meta:enum":{"component":"Software component or application","service":"Service or microservice","dataStore":"Database, file system, or data repository","data":"Data asset or dataset","actor":"User, system, or external entity","process":"Business or system process","infrastructure":"Infrastructure component","device":"Physical or IoT device","network":"Network segment or resource","container":"Container or orchestration unit","function":"Serverless function or lambda","api":"API endpoint or interface","queue":"Message queue or event bus","stream":"Data stream or event stream","system":"Complete system or application","subsystem":"Part of a larger system","module":"Software module or package","interface":"System interface or contract","endpoint":"Service endpoint or URL","resource":"Generic resource or artifact"}},"name":{"type":"string","description":"Name of the asset"},"description":{"type":"string","description":"Description of the asset's role and 
purpose"},"zone":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","description":"Reference to the zone containing this asset"},"parent":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","description":"Reference to parent asset if this is a sub-component"},"classification":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/assetClassification"},"attributes":{"type":"array","items":{"type":"string"},"description":"Generic attributes or tags for the asset"},"responsibilities":{"type":"array","items":{"type":"string"},"description":"Responsibilities or functions of this asset"},"interfaces":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/interface"},"description":"Interfaces exposed by this asset"},"dependencies":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"description":"References to assets this asset depends on"},"useCases":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"description":"References to use cases that involve this asset"},"authentication":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/authenticationType"},"description":"Authentication methods supported/required"},"authorization":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/authorizationType","description":"Authorization model used"},"encryption":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/encryptionType"},"ownership":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/ownership"},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"},"externalReferences":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/externalReference"}}}},"interface":{"type":"object","required":["name","type"],"additionalProperties":false,"properties":{"name":{"type":"string","description":"Name of the interface"},"type":{"type":"string","enum":["rest","graphql","grpc","soap","messaging","file","database","cli","gui","api","event","stream"],"description":"Type of 
interface"},"description":{"type":"string","description":"Description of the interface"},"specification":{"type":"string","description":"Link or reference to interface specification"},"protocol":{"type":"string","description":"Communication protocol used"},"dataFormat":{"type":"string","description":"Data format (e.g., JSON, XML, Protocol Buffers)"},"authentication":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/authenticationType"}},"operations":{"type":"array","items":{"type":"string"},"description":"Operations or methods exposed"}}},"zone":{"type":"object","required":["bom-ref","name","type"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"name":{"type":"string","description":"Name of the zone"},"description":{"type":"string","description":"Description of the zone's characteristics"},"type":{"type":"string","enum":["trust","network","physical","logical","deployment","organizational","functional","security"],"meta:enum":{"trust":"Security trust zone","network":"Network segmentation zone","physical":"Physical location or boundary","logical":"Logical grouping or boundary","deployment":"Deployment environment (e.g., dev, staging, prod)","organizational":"Organizational or administrative boundary","functional":"Functional grouping","security":"Security zone or perimeter"}},"parent":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","description":"Reference to parent zone if this is a sub-zone"},"characteristics":{"type":"array","items":{"type":"string"},"description":"Key characteristics of this zone"},"constraints":{"type":"array","items":{"type":"string"},"description":"Constraints or limitations of this 
zone"},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"boundary":{"type":"object","required":["bom-ref","zones"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"name":{"type":"string","description":"Name of the boundary"},"type":{"type":"string","enum":["trust","network","process","data","physical","organizational","functional"],"meta:enum":{"trust":"Trust boundary between different security zones","network":"Network boundary or firewall","process":"Process or execution boundary","data":"Data classification boundary","physical":"Physical security boundary","organizational":"Organizational boundary","functional":"Functional boundary"}},"zones":{"type":"array","minItems":2,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"description":"The zones this boundary connects or separates"},"crossingRequirements":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/crossingRequirements"},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"crossingRequirements":{"type":"object","additionalProperties":false,"properties":{"authentication":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/authenticationType"},"description":"Authentication required to cross this boundary"},"authorization":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/authorizationType","description":"Authorization model at this boundary"},"dataValidation":{"type":"boolean","description":"Whether data is validated when crossing this boundary"},"dataTransformation":{"type":"boolean","description":"Whether data is transformed when crossing this boundary"},"encryption":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/encryptionType","description":"Encryption requirements for crossing this boundary"},"logging":{"type":"boolean","description":"Whether crossings are logged"},"monitoring":{"type":"boolean","description":"Whether crossings are 
monitored"},"rateLimit":{"type":"string","description":"Rate limiting policy"},"protocols":{"type":"array","items":{"type":"string"},"description":"Allowed protocols for crossing"}}},"flow":{"type":"object","required":["bom-ref","name","source","destination","type"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"name":{"type":"string","description":"Name or description of the flow"},"description":{"type":"string","description":"Detailed description of what flows and why"},"type":{"type":"string","enum":["data","control","process","message","event","dependency","interaction"],"meta:enum":{"data":"Data or information flow","control":"Control or command flow","process":"Business process flow","message":"Message or communication flow","event":"Event or notification flow","dependency":"Dependency relationship","interaction":"User or system interaction"}},"source":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","description":"Reference to the source asset"},"destination":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","description":"Reference to the destination asset"},"bidirectional":{"type":"boolean","default":false,"description":"Whether flow occurs in both directions"},"synchronous":{"type":"boolean","description":"Whether the flow is synchronous or asynchronous"},"volume":{"type":"string","description":"Expected volume or frequency of flow"},"timing":{"type":"string","description":"Timing characteristics (real-time, batch, scheduled)"},"protocol":{"type":"string","description":"Communication protocol used"},"dataFormat":{"type":"string","description":"Format of data in the 
flow"},"classification":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/dataClassification"},"authentication":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/authenticationType"}},"encryption":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/encryptionType"},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"assumption":{"type":"object","required":["description"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"description":{"type":"string","description":"The assumption being made"},"category":{"type":"string","enum":["technical","business","operational","security","compliance","performance","availability"],"description":"Category of the assumption"},"relatedAssets":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"description":"Assets this assumption relates to"},"validity":{"type":"string","enum":["unknown","verified","unverified","invalid"],"default":"unknown","description":"Whether the assumption has been validated"},"impact":{"type":"string","description":"Impact if this assumption proves false"},"owner":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntityOrContact","description":"Who owns or is responsible for this assumption"},"validationMethod":{"type":"string","description":"How this assumption can be validated"},"validationDate":{"type":"string","format":"date-time","description":"When the assumption was last validated"}}},"visualization":{"type":"object","required":["name","type"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"name":{"type":"string","description":"Name or title of the visualization"},"description":{"type":"string","description":"Description of what the visualization 
shows"},"type":{"type":"string","enum":["architecture","dataFlow","sequence","state","deployment","network","process","useCase","component","class","entity","activity","collaboration","context","container","code"],"meta:enum":{"architecture":"System architecture diagram","dataFlow":"Data flow diagram (DFD)","sequence":"Sequence or interaction diagram","state":"State machine diagram","deployment":"Deployment or infrastructure diagram","network":"Network topology diagram","process":"Business process diagram","useCase":"Use case diagram","component":"Component diagram","class":"Class or object diagram","entity":"Entity relationship diagram","activity":"Activity or workflow diagram","collaboration":"Collaboration diagram","context":"Context diagram","container":"Container diagram (C4)","code":"Code structure diagram"}},"format":{"type":"string","enum":["mermaid","graphviz","plantuml","drawio","svg","png","jpeg","d3","cytoscape","visio","archimate"],"meta:enum":{"mermaid":"Mermaid diagram language","graphviz":"GraphViz DOT language","plantuml":"PlantUML diagram language","drawio":"Draw.io/diagrams.net format","svg":"Scalable Vector Graphics","png":"Portable Network Graphics","jpeg":"JPEG image format","d3":"D3.js visualization","cytoscape":"Cytoscape graph format","visio":"Microsoft Visio format","archimate":"ArchiMate model format"}},"content":{"type":"string","description":"The diagram content (source code or base64 encoded image)"},"url":{"type":"string","format":"iri-reference","description":"URL to the diagram if stored externally"},"level":{"type":"string","enum":["overview","high","medium","detailed"],"description":"Level of detail in the visualization"},"perspective":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","description":"Reference to the perspective this visualization represents"},"elements":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"description":"References to elements shown in this 
visualization"},"interactive":{"type":"boolean","description":"Whether the visualization is interactive"},"layers":{"type":"array","items":{"type":"string"},"description":"Layers or views available in the visualization"},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"assetClassification":{"type":"object","additionalProperties":false,"properties":{"criticality":{"$ref":"#/$defs/cyclonedx-risk-2.0/$defs/criticality"},"sensitivity":{"$ref":"#/$defs/cyclonedx-data-2.0/$defs/dataSensitivity"},"dataClassification":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/dataClassification"},"tier":{"type":"string","enum":["tier0","tier1","tier2","tier3","tier4"],"meta:enum":{"tier0":"Mission critical - highest priority","tier1":"Business critical - high priority","tier2":"Business important - medium priority","tier3":"Business supporting - low priority","tier4":"Non-critical - minimal priority"}},"categories":{"type":"array","items":{"type":"string"},"description":"Business or technical categories"},"tags":{"type":"array","items":{"type":"string"},"description":"Tags for classification and search"}}},"dataClassification":{"type":"object","additionalProperties":false,"properties":{"sensitivity":{"$ref":"#/$defs/cyclonedx-data-2.0/$defs/dataSensitivity"},"dataTypes":{"type":"array","items":{"type":"string"},"description":"Specific types of data"},"handling":{"type":"string","description":"Data handling requirements"},"retention":{"type":"string","description":"Data retention requirements"},"disposal":{"type":"string","description":"Data disposal requirements"},"regulations":{"type":"array","items":{"type":"string"},"description":"Applicable regulations"}}},"ownership":{"type":"object","additionalProperties":false,"properties":{"owner":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntityOrContact","description":"Primary owner of the asset"},"steward":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntityOrContact","description":"Steward 
responsible for the asset"},"custodian":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntityOrContact","description":"Custodian responsible for protecting the asset"},"users":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntityOrContact","description":"Primary users of the asset"}}},"authenticationType":{"type":"string","enum":["none","basic","bearer","digest","certificate","apiKey","oauth1","oauth2","openIdConnect","saml","kerberos","ntlm","jwt","custom"],"description":"Authentication method","meta:enum":{"none":"No authentication required","basic":"Basic authentication (username/password)","bearer":"Bearer token authentication","digest":"Digest authentication","certificate":"Certificate-based authentication","apiKey":"API key authentication","oauth1":"OAuth 1.0 authentication","oauth2":"OAuth 2.0 authentication","openIdConnect":"OpenID Connect authentication","saml":"SAML authentication","kerberos":"Kerberos authentication","ntlm":"NTLM authentication","jwt":"JSON Web Token authentication","custom":"Custom authentication method"}},"authorizationType":{"type":"string","enum":["none","acl","rbac","abac","mac","dac","pbac","cbac","custom"],"description":"Authorization model","meta:enum":{"none":"No authorization controls","acl":"Access Control Lists","rbac":"Role-Based Access Control","abac":"Attribute-Based Access Control","mac":"Mandatory Access Control","dac":"Discretionary Access Control","pbac":"Policy-Based Access Control","cbac":"Claims-Based Access Control","custom":"Custom authorization model"}},"encryptionType":{"type":"object","additionalProperties":false,"properties":{"inTransit":{"type":"boolean","description":"Whether data is encrypted in transit"},"atRest":{"type":"boolean","description":"Whether data is encrypted at rest"},"inProcessing":{"type":"boolean","description":"Whether data is encrypted during processing"}}}}},"cyclonedx-citation-2.0":{"type":"null","title":"CycloneDX Citation 
Model","$defs":{"citations":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-citation-2.0/$defs/citation"},"uniqueItems":true,"title":"Citations","description":"A collection of attributions indicating which entity supplied information for specific fields within the BOM."},"citation":{"type":"object","title":"Citation","description":"Details a specific attribution of data within the BOM to a contributing entity or process.","additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference"},"pointers":{"type":"array","items":{"type":"string","title":"Field Reference","description":"A [JSON Pointer](https://datatracker.ietf.org/doc/html/rfc6901) identifying the BOM field to which the attribution applies."},"minItems":1,"title":"Field References","description":"One or more [JSON Pointers](https://datatracker.ietf.org/doc/html/rfc6901) identifying the BOM fields to which the attribution applies.\nExactly one of the \"pointers\" or \"expressions\" elements must be present."},"expressions":{"type":"array","items":{"type":"string","title":"Path Expression","description":"Specifies a [JSONPath](https://datatracker.ietf.org/doc/html/rfc9535) expression used to locate a value within a BOM."},"minItems":1,"title":"Path Expressions","description":"One or more path expressions used to locate values within a BOM.\nExactly one of the \"pointers\" or \"expressions\" elements must be present."},"timestamp":{"type":"string","format":"date-time","title":"Timestamp","description":"The date and time when the attribution was made or the information was supplied."},"attributedTo":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType","title":"Attributed To","description":"The `bom-ref` of an object, such as a component, service, tool, organisational entity, or person that supplied the cited information.\nAt least one of the \"attributedTo\" or \"process\" elements must be 
present."},"process":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType","title":"Process Reference","description":"The `bom-ref` to a process (such as a formula, workflow, task, or step) defined in the `formulation` section that executed or generated the attributed data.\nAt least one of the \"attributedTo\" or \"process\" elements must be present."},"note":{"type":"string","title":"Note","description":"A description or comment about the context or quality of the data attribution."},"signature":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/signature","title":"Signature","description":"A digital signature verifying the authenticity or integrity of the attribution."}},"required":["timestamp"],"anyOf":[{"required":["attributedTo"]},{"required":["process"]}],"oneOf":[{"required":["pointers"]},{"required":["expressions"]}]}}},"cyclonedx-common-2.0":{"type":"null","title":"CycloneDX Common Model","$defs":{"refType":{"description":"Identifier for referable and therefore interlinkable elements.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links.","type":"string","minLength":1},"refLinkType":{"description":"Descriptor for an element identified by the attribute 'bom-ref' in the same BOM document.\nIn contrast to `bomLinkElementType`.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"bomLinkDocumentType":{"title":"BOM-Link Document","description":"Descriptor for another BOM document. See https://cyclonedx.org/capabilities/bomlink/","type":"string","format":"iri-reference","pattern":"^urn:cdx:[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}/[1-9][0-9]*$"},"bomLinkElementType":{"title":"BOM-Link Element","description":"Descriptor for an element in a BOM document. 
See https://cyclonedx.org/capabilities/bomlink/","type":"string","format":"iri-reference","pattern":"^urn:cdx:[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}/[1-9][0-9]*#.+$"},"bomLink":{"title":"BOM-Link","anyOf":[{"title":"BOM-Link Document","$ref":"#/$defs/cyclonedx-common-2.0/$defs/bomLinkDocumentType"},{"title":"BOM-Link Element","$ref":"#/$defs/cyclonedx-common-2.0/$defs/bomLinkElementType"}]},"hash":{"type":"object","title":"Hash","required":["alg","content"],"additionalProperties":false,"properties":{"alg":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/hashAlgorithm"},"content":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/hashValue"}}},"hashAlgorithm":{"type":"string","title":"Hash Algorithm","description":"The algorithm that generated the hash value.","enum":["MD5","SHA-1","SHA-256","SHA-384","SHA-512","SHA3-256","SHA3-384","SHA3-512","BLAKE2b-256","BLAKE2b-384","BLAKE2b-512","BLAKE3","Streebog-256","Streebog-512"]},"hashValue":{"type":"string","title":"Hash Value","description":"The value of the hash.","examples":["3942447fac867ae5cdb3229b658f4d48"],"pattern":"^([a-fA-F0-9]{32}|[a-fA-F0-9]{40}|[a-fA-F0-9]{64}|[a-fA-F0-9]{96}|[a-fA-F0-9]{128})$"},"mediaType":{"type":"string","title":"Media Type","description":"The media type of the object. 
The media type can provide additional context about the kind of data being represented, such as an image, font, or executable.","examples":["text/plain","application/json","image/png"],"pattern":"^[-+a-z0-9.]+/[-+a-z0-9.]+$"},"attachment":{"type":"object","title":"Attachment","description":"Specifies the metadata and content for an attachment.","required":["content"],"additionalProperties":false,"properties":{"mediaType":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/mediaType"},"encoding":{"type":"string","title":"Encoding","description":"Specifies the optional encoding the text is represented in.","enum":["base64"],"meta:enum":{"base64":"Base64 is a binary-to-text encoding scheme that represents binary data in an ASCII string."}},"content":{"type":"string","title":"Attachment Text","description":"The attachment data. Proactive controls such as input validation and sanitization should be employed to prevent misuse of attachment text."}}},"base64":{"type":"string","pattern":"^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$","description":"A Base64-encoded string."},"externalReferences":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/externalReference"},"title":"External References","description":"External references provide a way to document systems, sites, and information that may be relevant but are not included with the BOM. They may also establish specific relationships within or external to the BOM."},"externalReference":{"type":"object","title":"External Reference","description":"External references provide a way to document systems, sites, and information that may be relevant but are not included with the BOM. 
They may also establish specific relationships within or external to the BOM.","required":["url","type"],"additionalProperties":false,"properties":{"url":{"anyOf":[{"title":"URL","type":"string","format":"iri-reference"},{"title":"BOM-Link","$ref":"#/$defs/cyclonedx-common-2.0/$defs/bomLink"}],"title":"URL","description":"The URI (URL or URN) to the external reference. External references are URIs and therefore can accept any URL scheme including https ([RFC-7230](https://www.ietf.org/rfc/rfc7230.txt)), mailto ([RFC-2368](https://www.ietf.org/rfc/rfc2368.txt)), tel ([RFC-3966](https://www.ietf.org/rfc/rfc3966.txt)), and dns ([RFC-4501](https://www.ietf.org/rfc/rfc4501.txt)). External references may also include formally registered URNs such as [CycloneDX BOM-Link](https://cyclonedx.org/capabilities/bomlink/) to reference CycloneDX BOMs or any object within a BOM. BOM-Link transforms applicable external references into relationships that can be expressed in a BOM or across BOMs."},"comment":{"type":"string","title":"Comment","description":"A comment describing the external reference"},"type":{"type":"string","title":"Type","description":"Specifies the type of external reference.","enum":["vcs","issue-tracker","website","advisories","bom","mailing-list","social","chat","documentation","support","source-distribution","distribution","distribution-intake","license","build-meta","build-system","release-notes","security-contact","model-card","log","configuration","evidence","formulation","attestation","threat-model","adversary-model","risk-assessment","vulnerability-assertion","exploitability-statement","pentest-report","static-analysis-report","dynamic-analysis-report","runtime-analysis-report","component-analysis-report","maturity-report","certification-report","codified-infrastructure","quality-metrics","poam","electronic-signature","digital-signature","rfc-9116","patent","patent-family","patent-assertion","citation","other"],"meta:enum":{"vcs":"Version Control 
System","issue-tracker":"Issue or defect tracking system, or an Application Lifecycle Management (ALM) system","website":"Website","advisories":"Security advisories","bom":"Bill of Materials (SBOM, OBOM, HBOM, SaaSBOM, etc)","mailing-list":"Mailing list or discussion group","social":"Social media account","chat":"Real-time chat platform","documentation":"Documentation, guides, or how-to instructions","support":"Community or commercial support","source-distribution":"The location where the source code distributable can be obtained. This is often an archive format such as zip or tgz. The source-distribution type complements use of the version control (vcs) type.","distribution":"Direct or repository download location","distribution-intake":"The location where a component was published to. This is often the same as \"distribution\" but may also include specialized publishing processes that act as an intermediary.","license":"The reference to the license file. If a license URL has been defined in the license node, it should also be defined as an external reference for completeness.","build-meta":"Build-system specific meta file (i.e. pom.xml, package.json, .nuspec, etc)","build-system":"Reference to an automated build system","release-notes":"Reference to release notes","security-contact":"Specifies a way to contact the maintainer, supplier, or provider in the event of a security incident. 
Common URIs include links to a disclosure procedure, a mailto (RFC-2368) that specifies an email address, a tel (RFC-3966) that specifies a phone number, or dns (RFC-4501) that specifies the records containing DNS Security TXT.","model-card":"A model card describes the intended uses of a machine learning model, potential limitations, biases, ethical considerations, training parameters, datasets used to train the model, performance metrics, and other relevant data useful for ML transparency.","log":"A record of events that occurred in a computer system or application, such as problems, errors, or information on current operations.","configuration":"Parameters or settings that may be used by other components or services.","evidence":"Information used to substantiate a claim.","formulation":"Describes the formulation of any referencable object within the BOM, including components, services, metadata, declarations, or the BOM itself.","attestation":"Human or machine-readable statements containing facts, evidence, or testimony.","threat-model":"An enumeration of identified weaknesses, threats, and countermeasures, dataflow diagram (DFD), attack tree, and other supporting documentation in human-readable or machine-readable format.","adversary-model":"The defined assumptions, goals, and capabilities of an adversary.","risk-assessment":"Identifies and analyzes the potential of future events that may negatively impact individuals, assets, and/or the environment. 
Risk assessments may also include judgments on the tolerability of each risk.","vulnerability-assertion":"A Vulnerability Disclosure Report (VDR) which asserts the known and previously unknown vulnerabilities that affect a component, service, or product including the analysis and findings describing the impact (or lack of impact) that the reported vulnerability has on a component, service, or product.","exploitability-statement":"A Vulnerability Exploitability eXchange (VEX) which asserts the known vulnerabilities that do not affect a product, product family, or organization, and optionally the ones that do. The VEX should include the analysis and findings describing the impact (or lack of impact) that the reported vulnerability has on the product, product family, or organization.","pentest-report":"Results from an authorized simulated cyberattack on a component or service, otherwise known as a penetration test.","static-analysis-report":"SARIF or proprietary machine or human-readable report for which static analysis has identified code quality, security, and other potential issues with the source code.","dynamic-analysis-report":"Dynamic analysis report that has identified issues such as vulnerabilities and misconfigurations.","runtime-analysis-report":"Report generated by analyzing the call stack of a running application.","component-analysis-report":"Report generated by Software Composition Analysis (SCA), container analysis, or other forms of component analysis.","maturity-report":"Report containing a formal assessment of an organization, business unit, or team against a maturity model.","certification-report":"Industry, regulatory, or other certification from an accredited (if applicable) certification body.","codified-infrastructure":"Code or configuration that defines and provisions virtualized infrastructure, commonly referred to as Infrastructure as Code (IaC).","quality-metrics":"Report or system in which quality metrics can be obtained.","poam":"Plans of 
Action and Milestones (POA&M) complement an \"attestation\" external reference. POA&M is defined by NIST as a \"document that identifies tasks needing to be accomplished. It details resources required to accomplish the elements of the plan, any milestones in meeting the tasks and scheduled completion dates for the milestones\".","electronic-signature":"An e-signature is commonly a scanned representation of a written signature or a stylized script of the person's name.","digital-signature":"A signature that leverages cryptography, typically public/private key pairs, which provides strong authenticity verification.","rfc-9116":"Document that complies with [RFC 9116](https://www.ietf.org/rfc/rfc9116.html) (A File Format to Aid in Security Vulnerability Disclosure)","patent":"References information about patents which may be defined in human-readable documents or in machine-readable formats such as CycloneDX or ST.96. For detailed patent information or to reference the information provided directly by patent offices, it is recommended to leverage standards from the World Intellectual Property Organization (WIPO) such as [ST.96](https://www.wipo.int/standards/en/st96).","patent-family":"References information about a patent family which may be defined in human-readable documents or in machine-readable formats such as CycloneDX or ST.96. A patent family is a group of related patent applications or granted patents that cover the same or similar invention. For detailed patent family information or to reference the information provided directly by patent offices, it is recommended to leverage standards from the World Intellectual Property Organization (WIPO) such as [ST.96](https://www.wipo.int/standards/en/st96).","patent-assertion":"References assertions made regarding patents associated with a component or service. 
Assertions distinguish between ownership, licensing, and other relevant interactions with patents.","citation":"A reference to external citations applicable to the object identified by this BOM entry or the BOM itself. When used with a BOM-Link, this allows offloading citations into a separate CycloneDX BOM.","other":"Use this if no other types accurately describe the purpose of the external reference."}},"hashes":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/hash"},"title":"Hashes","description":"The hashes of the external reference (if applicable)."},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"postalAddress":{"type":"object","title":"Postal address","description":"An address used to identify a contactable location.","additionalProperties":false,"properties":{"bom-ref":{"title":"BOM Reference","description":"An optional identifier which can be used to reference the address elsewhere in the BOM. Every bom-ref must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"country":{"type":"string","title":"Country","description":"The country name or the two-letter ISO 3166-1 country code."},"region":{"type":"string","title":"Region","description":"The region or state in the country.","examples":["Texas"]},"locality":{"type":"string","title":"Locality","description":"The locality or city within the country.","examples":["Austin"]},"postOfficeBoxNumber":{"type":"string","title":"Post Office Box Number","description":"The post office box number.","examples":["901"]},"postalCode":{"type":"string","title":"Postal Code","description":"The postal code.","examples":["78758"]},"streetAddress":{"type":"string","title":"Street Address","description":"The street address.","examples":["100 Main Street"]}}},"organizationalEntity":{"type":"object","title":"Organizational 
Entity","additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"An optional identifier which can be used to reference the object elsewhere in the BOM. Every bom-ref must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links."},"name":{"type":"string","title":"Organization Name","description":"The name of the organization","examples":["Example Inc."]},"address":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/postalAddress","title":"Organization Address","description":"The physical address (location) of the organization"},"url":{"type":"array","items":{"type":"string","format":"iri-reference"},"title":"Organization URL(s)","description":"The URL of the organization. Multiple URLs are allowed.","examples":["https://example.com"]},"contact":{"type":"array","title":"Organizational Contact","description":"A contact at the organization. Multiple contacts are allowed.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalContact"}}}},"organizationalContact":{"type":"object","title":"Organizational Contact","additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"An optional identifier which can be used to reference the object elsewhere in the BOM. 
Every bom-ref must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links."},"name":{"type":"string","title":"Name","description":"The name of a contact","examples":["Contact name"]},"email":{"type":"string","format":"idn-email","title":"Email Address","description":"The email address of the contact.","examples":["firstname.lastname@example.com"]},"phone":{"type":"string","title":"Phone","description":"The phone number of the contact.","examples":["800-555-1212"]}}},"organizationalEntityOrContact":{},"properties":{"type":"array","title":"Properties","description":"Provides the ability to document properties in a name-value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. Unlike key-value stores, properties support duplicate names, each potentially having different values. Property names of interest to the general public are encouraged to be registered in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy). Formal registration is optional.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/property"}},"property":{"type":"object","title":"Lightweight name-value pair","description":"Provides the ability to document properties in a name-value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. Unlike key-value stores, properties support duplicate names, each potentially having different values. Property names of interest to the general public are encouraged to be registered in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy). Formal registration is optional.","required":["name"],"properties":{"name":{"type":"string","title":"Name","description":"The name of the property. 
Duplicate names are allowed, each potentially having a different value."},"value":{"type":"string","title":"Value","description":"The value of the property."}},"additionalProperties":false},"extensibleProperties":{"type":"object","title":"Extensible Properties","patternProperties":{"^ext:[a-zA-Z0-9.-]+\\.[a-zA-Z]{2,}:.+$":{"description":"CycloneDX supports a structured and namespace-aware mechanism for extensibility through the use of extensible properties. This mechanism enables organizations, ecosystems, and tool vendors to safely introduce custom properties without conflicting with the core schema or other extensions.\n\nExtensible properties are defined as a JSON object whose keys must conform to a strict pattern that resembles a reverse domain name structure, prefixed with ext:. This pattern provides a namespacing convention that aligns with well-established practices in other structured formats (e.g., XML namespaces).","examples":["ext::","ext:example.org:myExtension"],"if":{"type":["object","array"]},"then":{"type":"object","required":["$schema"],"properties":{"$schema":{"type":"string","format":"uri"}}},"else":{"type":["string","number","boolean","null"]}}}},"baseObject":{"description":"Base object for all CycloneDX entities. Automatically includes support for extensible properties.","allOf":[{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/extensibleProperties"}],"properties":{"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"},"externalReferences":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/externalReferences"}}},"timestamp":{"type":"string","format":"date-time","title":"Timestamp","pattern":"^\\d{4}-\\d{2}-\\d{2}T\\d{2}:\\d{2}:\\d{2}(\\.\\d+)?Z$","description":"An RFC 3339-compliant UTC timestamp using Zulu time (i.e., ending with 'Z'). The format must be 'YYYY-MM-DDTHH:MM:SSZ' or include optional fractional seconds, e.g., 'YYYY-MM-DDTHH:MM:SS.sssZ'. 
Offsets such as '+00:00' are not allowed."},"ordinalVersion":{"title":"Ordinal Version","description":"An ordinal version is a dot-delimited, purely numeric identifier where each segment represents an ordered level in the hierarchy. The segments have no prescribed meaning beyond numeric ordering, allowing straightforward comparison and sorting.","type":"string","pattern":"^\\d+(\\.\\d+)*$","examples":["1","1.2","1.2.3","2025.09.02","10.4.7.3"]},"lifecycle":{"type":"object","title":"Lifecycle","description":"The product lifecycle(s) that this BOM represents.","oneOf":[{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/preDefinedLifecyclePhase"},{"title":"Custom Lifecycle Phase","required":["name"],"additionalProperties":false,"properties":{"name":{"type":"string","title":"Name","description":"The name of the lifecycle phase"},"description":{"type":"string","title":"Description","description":"The description of the lifecycle phase"}}}]},"lifecycles":{"type":"array","title":"Lifecycles","description":"Lifecycles communicate the stage(s) in which data in the BOM was captured. Different types of data may be available at various phases of a lifecycle, such as the Software Development Lifecycle (SDLC), IT Asset Management (ITAM), and Software Asset Management (SAM). Thus, a BOM may include data specific to or only obtainable in a given lifecycle.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/lifecycle"}},"preDefinedLifecyclePhase":{"title":"Pre-Defined Phase","required":["phase"],"additionalProperties":false,"properties":{"phase":{"type":"string","title":"Phase","description":"A pre-defined phase in the product lifecycle.","enum":["design","pre-build","build","post-build","operations","discovery","decommission"],"meta:enum":{"design":"BOM produced early in the development lifecycle containing an inventory of components and services that are proposed or planned to be used. 
The inventory may need to be procured, retrieved, or resourced prior to use.","pre-build":"BOM consisting of information obtained prior to a build process and may contain source files and development artifacts and manifests. The inventory may need to be resolved and retrieved prior to use.","build":"BOM consisting of information obtained during a build process where component inventory is available for use. The precise versions of resolved components are usually available at this time as well as the provenance of where the components were retrieved from.","post-build":"BOM consisting of information obtained after a build process has completed and the resulting components(s) are available for further analysis. Built components may exist as the result of a CI/CD process, may have been installed or deployed to a system or device, and may need to be retrieved or extracted from the system or device.","operations":"BOM produced that represents inventory that is running and operational. This may include staging or production environments and will generally encompass multiple SBOMs describing the applications and operating system, along with HBOMs describing the hardware that makes up the system. Operations Bill of Materials (OBOM) can provide full-stack inventory of runtime environments, configurations, and additional dependencies.","discovery":"BOM consisting of information observed through network discovery providing point-in-time enumeration of embedded, on-premise, and cloud-native services such as server applications, connected devices, microservices, and serverless functions.","decommission":"BOM containing inventory that will be, or has been retired from operations."}}}},"tags":{"type":"array","items":{"type":"string"},"title":"Tags","description":"Textual strings that aid in discovery, search, and retrieval of the associated object. 
Tags often serve as a way to group or categorize similar or related objects by various attributes.","examples":["json-parser","object-persistence","text-to-image","translation","object-detection"]},"commit":{"type":"object","title":"Commit","description":"Specifies an individual commit","additionalProperties":false,"properties":{"uid":{"type":"string","title":"UID","description":"A unique identifier of the commit. This may be version control specific. For example, Subversion uses revision numbers whereas git uses commit hashes."},"url":{"type":"string","title":"URL","description":"The URL to the commit. This URL will typically point to a commit in a version control system.","format":"iri-reference"},"author":{"title":"Author","description":"The author who created the changes in the commit","$ref":"#/$defs/cyclonedx-common-2.0/$defs/identifiableAction"},"committer":{"title":"Committer","description":"The person who committed or pushed the commit","$ref":"#/$defs/cyclonedx-common-2.0/$defs/identifiableAction"},"message":{"type":"string","title":"Message","description":"The text description of the contents of the commit"}}},"patch":{"type":"object","title":"Patch","description":"Specifies an individual patch","required":["type"],"additionalProperties":false,"properties":{"type":{"type":"string","enum":["unofficial","monkey","backport","cherry-pick"],"meta:enum":{"unofficial":"A patch which is not developed by the creators or maintainers of the software being patched. Refer to [https://en.wikipedia.org/wiki/Unofficial_patch](https://en.wikipedia.org/wiki/Unofficial_patch).","monkey":"A patch which dynamically modifies runtime behavior. Refer to [https://en.wikipedia.org/wiki/Monkey_patch](https://en.wikipedia.org/wiki/Monkey_patch).","backport":"A patch which takes code from a newer version of the software and applies it to older versions of the same software. 
Refer to [https://en.wikipedia.org/wiki/Backporting](https://en.wikipedia.org/wiki/Backporting).","cherry-pick":"A patch created by selectively applying commits from other versions or branches of the same software."},"title":"Patch Type","description":"Specifies the purpose for the patch including the resolution of defects, security issues, or new behavior or functionality."},"diff":{"title":"Diff","description":"The patch file (or diff) that shows changes. Refer to [https://en.wikipedia.org/wiki/Diff](https://en.wikipedia.org/wiki/Diff)","$ref":"#/$defs/cyclonedx-common-2.0/$defs/diff"},"resolves":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/issue"},"title":"Resolves","description":"A collection of issues the patch resolves"}}},"diff":{"type":"object","title":"Diff","description":"The patch file (or diff) that shows changes. Refer to https://en.wikipedia.org/wiki/Diff","additionalProperties":false,"properties":{"text":{"title":"Diff text","description":"Specifies the optional text of the diff","$ref":"#/$defs/cyclonedx-common-2.0/$defs/attachment"},"url":{"type":"string","title":"URL","description":"Specifies the URL to the diff","format":"iri-reference"}}},"issue":{"type":"object","title":"Issue","description":"An individual issue that has been resolved.","required":["type"],"additionalProperties":false,"properties":{"type":{"type":"string","enum":["defect","enhancement","security"],"meta:enum":{"defect":"A fault, flaw, or bug in software.","enhancement":"A new feature or behavior in software.","security":"A special type of defect which impacts security."},"title":"Issue Type","description":"Specifies the type of issue"},"id":{"type":"string","title":"Issue ID","description":"The identifier of the issue assigned by the source of the issue"},"name":{"type":"string","title":"Issue Name","description":"The name of the issue"},"description":{"type":"string","title":"Issue Description","description":"A description of the 
issue"},"source":{"type":"object","title":"Source","description":"The source of the issue where it is documented","additionalProperties":false,"properties":{"name":{"type":"string","title":"Name","description":"The name of the source.","examples":["National Vulnerability Database","NVD","Apache"]},"url":{"type":"string","title":"URL","description":"The url of the issue documentation as provided by the source","format":"iri-reference"}}},"references":{"type":"array","items":{"type":"string","format":"iri-reference"},"title":"References","description":"A collection of URL's for reference. Multiple URLs are allowed.","examples":["https://example.com"]}}},"identifiableAction":{"type":"object","title":"Identifiable Action","description":"Specifies an individual commit","additionalProperties":false,"properties":{"timestamp":{"type":"string","format":"date-time","title":"Timestamp","description":"The timestamp in which the action occurred"},"name":{"type":"string","title":"Name","description":"The name of the individual who performed the action"},"email":{"type":"string","format":"idn-email","title":"E-mail","description":"The email address of the individual who performed the action"}}},"locale":{"type":"string","pattern":"^([a-z]{2})(-[A-Z]{2})?$","title":"Locale","description":"Defines a syntax for representing two character language code (ISO-639) followed by an optional two character country code. The language code must be lower case. If the country code is specified, the country code must be upper case. The language code and country code must be separated by a minus sign. 
Examples: en, en-US, fr, fr-CA"},"signature":{"$ref":"../jsf-0.82.schema.json#/definitions/signature","title":"Signature","description":"Enveloped signature in [JSON Signature Format (JSF)](https://cyberphone.github.io/doc/security/jsf.html)."}}},"cyclonedx-component-2.0":{"type":"null","title":"CycloneDX Component Model","$defs":{"components":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-component-2.0/$defs/component"},"uniqueItems":true,"title":"Components"},"component":{"type":"object","title":"Component","required":["type","name"],"additionalProperties":false,"properties":{"type":{"type":"string","enum":["application","framework","library","container","platform","operating-system","device","device-driver","firmware","file","machine-learning-model","data","cryptographic-asset"],"meta:enum":{"application":"A software application. Refer to [https://en.wikipedia.org/wiki/Application_software](https://en.wikipedia.org/wiki/Application_software) for information about applications.","framework":"A software framework. Refer to [https://en.wikipedia.org/wiki/Software_framework](https://en.wikipedia.org/wiki/Software_framework) for information on how frameworks vary slightly from libraries.","library":"A software library. Refer to [https://en.wikipedia.org/wiki/Library_(computing)](https://en.wikipedia.org/wiki/Library_(computing)) for information about libraries. All third-party and open source reusable components will likely be a library. If the library also has key features of a framework, then it should be classified as a framework. If not, or is unknown, then specifying library is recommended.","container":"A packaging and/or runtime format, not specific to any particular technology, which isolates software inside the container from software outside of a container through virtualization technology. 
Refer to [https://en.wikipedia.org/wiki/OS-level_virtualization](https://en.wikipedia.org/wiki/OS-level_virtualization).","platform":"A runtime environment that interprets or executes software. This may include runtimes such as those that execute bytecode, just-in-time compilers, interpreters, or low-code/no-code application platforms.","operating-system":"A software operating system without regard to deployment model (i.e. installed on physical hardware, virtual machine, image, etc) Refer to [https://en.wikipedia.org/wiki/Operating_system](https://en.wikipedia.org/wiki/Operating_system).","device":"A hardware device such as a processor or chip-set. A hardware device containing firmware SHOULD include a component for the physical hardware itself and another component of type 'firmware' or 'operating-system' (whichever is relevant), describing information about the software running on the device. See also the list of [known device properties](https://github.com/CycloneDX/cyclonedx-property-taxonomy/blob/main/cdx/device.md).","device-driver":"A special type of software that operates or controls a particular type of device. Refer to [https://en.wikipedia.org/wiki/Device_driver](https://en.wikipedia.org/wiki/Device_driver).","firmware":"A special type of software that provides low-level control over a device's hardware. Refer to [https://en.wikipedia.org/wiki/Firmware](https://en.wikipedia.org/wiki/Firmware).","file":"A computer file. Refer to [https://en.wikipedia.org/wiki/Computer_file](https://en.wikipedia.org/wiki/Computer_file) for information about files.","machine-learning-model":"A model based on training data that can make predictions or decisions without being explicitly programmed to do so.","data":"A collection of discrete values that convey information.","cryptographic-asset":"A cryptographic asset including algorithms, protocols, certificates, keys, tokens, and secrets."},"title":"Component Type","description":"Specifies the type of component. 
For software components, classify as application if no more specific appropriate classification is available or cannot be determined for the component.","examples":["library"]},"mime-type":{"type":"string","title":"Mime-Type","description":"The mime-type of the component. When used on file components, the mime-type can provide additional context about the kind of file being represented, such as an image, font, or executable. Some library or framework components may also have an associated mime-type.","examples":["image/jpeg"],"pattern":"^[-+a-z0-9.]+/[-+a-z0-9.]+$"},"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"An identifier which can be used to reference the component elsewhere in the BOM. Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links."},"supplier":{"title":"Component Supplier","description":" The organization that supplied the component. The supplier may often be the manufacturer, but may also be a distributor or repackager.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity"},"manufacturer":{"title":"Component Manufacturer","description":"The organization that created the component.\nManufacturer is common in components created through automated processes. Components created through manual means may have `@.authors` instead.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity"},"authors":{"type":"array","title":"Component Authors","description":"The person(s) who created the component.\nAuthors are common in components created through manual processes. 
Components created through automated means may have `@.manufacturer` instead.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalContact"}},"publisher":{"type":"string","title":"Component Publisher","description":"The person(s) or organization(s) that published the component","examples":["Acme Inc"]},"group":{"type":"string","title":"Component Group","description":"The grouping name or identifier. This will often be a shortened, single name of the company or project that produced the component, or the source package or domain name. Whitespace and special characters should be avoided. Examples include: apache, org.apache.commons, and apache.org.","examples":["com.acme"]},"name":{"type":"string","title":"Component Name","description":"The name of the component. This will often be a shortened, single name of the component. Examples: commons-lang3 and jquery","examples":["tomcat-catalina"]},"version":{"$ref":"#/$defs/cyclonedx-component-2.0/$defs/version","title":"Component Version","description":"The component version. The version should ideally comply with semantic versioning but is not enforced.\nMust be used exclusively, either 'version' or 'versionRange', but not both."},"versionRange":{"$ref":"#/$defs/cyclonedx-component-2.0/$defs/versionRange","title":"Component Version Range","description":"For an external component, this specifies the accepted version range.\nThe value must adhere to the Package URL Version Range syntax (vers), as defined at A list of zero or more patches describing how the component deviates from an ancestor, descendant, or variant. 
Patches may be complementary to commits or may be used in place of commits.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/patch"}},"notes":{"type":"string","title":"Notes","description":"Notes, observations, and other non-structured commentary describing the components pedigree."}}},"components":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-component-2.0/$defs/component"},"uniqueItems":true,"title":"Components","description":"A list of software and hardware components included in the parent component. This is not a dependency tree. It provides a way to specify a hierarchical representation of component assemblies, similar to system → subsystem → parts assembly in physical supply chains."},"evidence":{"$ref":"#/$defs/cyclonedx-component-2.0/$defs/componentEvidence","title":"Evidence","description":"Provides the ability to document evidence collected through various forms of extraction or analysis."},"releaseNotes":{"$ref":"#/$defs/cyclonedx-release-notes-2.0/$defs/releaseNotes","title":"Release notes","description":"Specifies release notes."},"modelCard":{"$ref":"#/$defs/cyclonedx-ai-modelcard-2.0/$defs/modelCard","title":"AI/ML Model Card"},"data":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-component-2.0/$defs/componentData"},"title":"Data","description":"This object SHOULD be specified for any component of type `data` and must not be specified for other component types."},"cryptoProperties":{"$ref":"#/$defs/cyclonedx-cryptography-2.0/$defs/cryptoProperties","title":"Cryptographic Properties"},"tags":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/tags","title":"Tags"},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"},"externalReferences":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/externalReferences"},"signature":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/signature","title":"Signature","description":"Enveloped signature in [JSON Signature Format 
(JSF)](https://cyberphone.github.io/doc/security/jsf.html)."}},"allOf":[{"description":"Requirement: ensure that `version` and `versionRange` are not present simultaneously.","not":{"required":["version","versionRange"]}},{"description":"Requirement: 'versionRange' must not be present when 'isExternal' is `false`.","if":{"properties":{"isExternal":{"const":false}}},"then":{"not":{"required":["versionRange"]}},"else":true}]},"version":{"description":"A single disjunctive version identifier, for a component or service.","type":"string","maxLength":1024,"examples":["9.0.14","v1.33.7","7.0.0-M1","2.0pre1","1.0.0-beta1","0.8.15"]},"versionRange":{"description":"A version range specified in Package-URL Version Range syntax (vers) which is defined at https://github.com/package-url/vers-spec","type":"string","minLength":1,"maxLength":4096,"examples":["vers:cargo/9.0.14","vers:npm/1.2.3|>=2.0.0|<5.0.0","vers:pypi/0.0.0|0.0.1|0.0.2|0.0.3|1.0|2.0pre1","vers:tomee/>=1.0.0-beta1|<=1.7.5|>=7.0.0-M1|<=7.0.7|>=7.1.0|<=7.1.2|>=8.0.0-M1|<=8.0.1","vers:gem/>=2.2.0|!= 2.2.1|<2.3.0"]},"copyrightText":{"type":"string","title":"Component Copyright","description":"A copyright notice informing users of the underlying claims to copyright ownership in a published work.","examples":["Acme Inc"]},"copyright":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-component-2.0/$defs/copyrightObject"},"title":"Copyright","description":"Captures intellectual property assertions, providing evidence of possible ownership and legal protection."},"copyrightObject":{"type":"object","title":"Copyright","description":"A copyright notice informing users of the underlying claims to copyright ownership in a published work.","required":["text"],"additionalProperties":false,"properties":{"text":{"type":"string","title":"Copyright Text","description":"The textual content of the copyright."}}},"swid":{"type":"object","title":"SWID Tag","description":"Specifies metadata and content for ISO-IEC 19770-2 Software 
Identification (SWID) Tags.","required":["tagId","name"],"additionalProperties":false,"properties":{"tagId":{"type":"string","title":"Tag ID","description":"Maps to the tagId of a SoftwareIdentity."},"name":{"type":"string","title":"Name","description":"Maps to the name of a SoftwareIdentity."},"version":{"type":"string","title":"Version","default":"0.0","description":"Maps to the version of a SoftwareIdentity."},"tagVersion":{"type":"integer","title":"Tag Version","default":0,"description":"Maps to the tagVersion of a SoftwareIdentity."},"patch":{"type":"boolean","title":"Patch","default":false,"description":"Maps to the patch of a SoftwareIdentity."},"text":{"title":"Attachment text","description":"Specifies the metadata and content of the SWID tag.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/attachment"},"url":{"type":"string","title":"URL","description":"The URL to the SWID file.","format":"iri-reference"}}},"componentEvidence":{"type":"object","title":"Evidence","description":"Provides the ability to document evidence collected through various forms of extraction or analysis.","additionalProperties":false,"properties":{"identity":{"type":"array","title":"Identity Evidence","description":"Evidence that substantiates the identity of a component. The identity may be an object or an array of identity objects. Support for specifying identity as a single object was introduced in CycloneDX v1.5. Arrays were introduced in v1.6. 
It is recommended that all implementations use arrays, even if only one identity object is specified.","items":{"$ref":"#/$defs/cyclonedx-component-2.0/$defs/componentIdentityEvidence"}},"occurrences":{"type":"array","title":"Occurrences","description":"Evidence of individual instances of a component spread across multiple locations.","items":{"type":"object","required":["location"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"An identifier which can be used to reference the occurrence elsewhere in the BOM. Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links."},"location":{"type":"string","title":"Location","description":"The location or path to where the component was found."},"line":{"type":"integer","minimum":0,"title":"Line Number","description":"The line number where the component was found."},"offset":{"type":"integer","minimum":0,"title":"Offset","description":"The offset where the component was found."},"symbol":{"type":"string","title":"Symbol","description":"The symbol name that was found associated with the component."},"additionalContext":{"type":"string","title":"Additional Context","description":"Any additional context of the detected component (e.g. a code snippet)."}}}},"callstack":{"type":"object","title":"Call Stack","description":"Evidence of the components use through the callstack.","additionalProperties":false,"properties":{"frames":{"type":"array","title":"Frames","description":"Within a call stack, a frame is a discrete unit that encapsulates an execution context, including local variables, parameters, and the return address. 
As function calls are made, frames are pushed onto the stack, forming an array-like structure that orchestrates the flow of program execution and manages the sequence of function invocations.","items":{"type":"object","required":["module"],"additionalProperties":false,"properties":{"package":{"title":"Package","description":"A package organizes modules into namespaces, providing a unique namespace for each type it contains.","type":"string"},"module":{"title":"Module","description":"A module or class that encloses functions/methods and other code.","type":"string"},"function":{"title":"Function","description":"A block of code designed to perform a particular task.","type":"string"},"parameters":{"title":"Parameters","description":"Arguments that are passed to the module or function.","type":"array","items":{"type":"string"}},"line":{"title":"Line","description":"The line number the code that is called resides on.","type":"integer"},"column":{"title":"Column","description":"The column the code that is called resides.","type":"integer"},"fullFilename":{"title":"Full Filename","description":"The full path and filename of the module.","type":"string"}}}}}},"licenses":{"$ref":"#/$defs/cyclonedx-license-2.0/$defs/licenseChoice","title":"License Evidence"},"copyright":{"$ref":"#/$defs/cyclonedx-component-2.0/$defs/copyright"}}},"componentIdentityEvidence":{"type":"object","title":"Identity Evidence","description":"Evidence that substantiates the identity of a component.","required":["field"],"additionalProperties":false,"properties":{"field":{"type":"string","enum":["group","name","version","purl","cpe","omniborId","swhid","swid","hash"],"title":"Field","description":"The identity field of the component which the evidence describes."},"confidence":{"type":"number","minimum":0,"maximum":1,"title":"Confidence","description":"The overall confidence of the evidence from 0 - 1, where 1 is 100% confidence."},"concludedValue":{"type":"string","title":"Concluded 
Value","description":"The value of the field (cpe, purl, etc) that has been concluded based on the aggregate of all methods (if available)."},"methods":{"type":"array","title":"Methods","description":"The methods used to extract and/or analyze the evidence.","items":{"type":"object","required":["technique","confidence"],"additionalProperties":false,"properties":{"technique":{"title":"Technique","description":"The technique used in this method of analysis.","type":"string","enum":["source-code-analysis","binary-analysis","manifest-analysis","ast-fingerprint","hash-comparison","instrumentation","dynamic-analysis","filename","attestation","other"]},"confidence":{"type":"number","minimum":0,"maximum":1,"title":"Confidence","description":"The confidence of the evidence from 0 - 1, where 1 is 100% confidence. Confidence is specific to the technique used. Each technique of analysis can have independent confidence."},"value":{"type":"string","title":"Value","description":"The value or contents of the evidence."}}}},"tools":{"type":"array","uniqueItems":true,"items":{"anyOf":[{"title":"Ref","$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"},{"title":"BOM-Link Element","$ref":"#/$defs/cyclonedx-common-2.0/$defs/bomLinkElementType"}]},"title":"BOM References","description":"The object in the BOM identified by its bom-ref. This is often a component or service but may be any object type supporting bom-refs. Tools used for analysis should already be defined in the BOM, either in the metadata/tools, components, or formulation."}}},"componentData":{"type":"object","additionalProperties":false,"required":["type"],"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"An identifier which can be used to reference the dataset elsewhere in the BOM. 
Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links."},"type":{"type":"string","title":"Type of Data","description":"The general theme or subject matter of the data being specified.","enum":["source-code","configuration","dataset","definition","other"],"meta:enum":{"source-code":"Any type of code, code snippet, or data-as-code.","configuration":"Parameters or settings that may be used by other components.","dataset":"A collection of data.","definition":"Data that can be used to create new instances of what the definition defines.","other":"Any other type of data that does not fit into existing definitions."}},"name":{"title":"Dataset Name","description":"The name of the dataset.","type":"string"},"contents":{"type":"object","title":"Data Contents","description":"The contents or references to the contents of the data being described.","additionalProperties":false,"properties":{"attachment":{"title":"Data Attachment","description":"A way to include textual or encoded data.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/attachment"},"url":{"type":"string","title":"Data URL","description":"The URL to where the data can be retrieved.","format":"iri-reference"},"properties":{"type":"array","title":"Configuration Properties","description":"Provides the ability to document name-value parameters used for configuration.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/property"}}}},"classification":{"$ref":"#/$defs/cyclonedx-data-2.0/$defs/dataClassification"},"sensitiveData":{"type":"array","title":"Sensitive Data","description":"A description of any sensitive data in a dataset.","items":{"type":"string"}},"graphics":{"$ref":"#/$defs/cyclonedx-ai-modelcard-2.0/$defs/graphicsCollection"},"description":{"title":"Dataset Description","description":"A description of the dataset. 
Can describe size of dataset, whether it's used for source code, training, testing, or validation, etc.","type":"string"},"governance":{"title":"Data Governance","$ref":"#/$defs/cyclonedx-data-2.0/$defs/dataGovernance"}}}}},"cyclonedx-composition-2.0":{"type":"null","title":"CycloneDX Composition Model","$defs":{"compositions":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-composition-2.0/$defs/composition"},"uniqueItems":true,"title":"Compositions","description":"Compositions describe constituent parts (including components, services, and dependency relationships) and their completeness. The completeness of vulnerabilities expressed in a BOM may also be described."},"composition":{"type":"object","title":"Compositions","required":["aggregate"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"An identifier which can be used to reference the composition elsewhere in the BOM. Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links."},"aggregate":{"$ref":"#/$defs/cyclonedx-composition-2.0/$defs/aggregateType","title":"Aggregate","description":"Specifies an aggregate type that describes how complete a relationship is."},"assemblies":{"type":"array","uniqueItems":true,"items":{"anyOf":[{"title":"Ref","$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"},{"title":"BOM-Link Element","$ref":"#/$defs/cyclonedx-common-2.0/$defs/bomLinkElementType"}]},"title":"BOM references","description":"The bom-ref identifiers of the components or services being described. Assemblies refer to nested relationships whereby a constituent part may include other constituent parts. References do not cascade to child parts. 
References are explicit for the specified constituent part only."},"dependencies":{"type":"array","uniqueItems":true,"items":{"type":"string"},"title":"BOM references","description":"The bom-ref identifiers of the components or services being described. Dependencies refer to a relationship whereby an independent constituent part requires another independent constituent part. References do not cascade to transitive dependencies. References are explicit for the specified dependency only."},"vulnerabilities":{"type":"array","uniqueItems":true,"items":{"type":"string"},"title":"BOM references","description":"The bom-ref identifiers of the vulnerabilities being described."},"signature":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/signature","title":"Signature","description":"Enveloped signature in [JSON Signature Format (JSF)](https://cyberphone.github.io/doc/security/jsf.html)."}}},"aggregateType":{"type":"string","default":"not_specified","enum":["complete","incomplete","incomplete_first_party_only","incomplete_first_party_proprietary_only","incomplete_first_party_opensource_only","incomplete_third_party_only","incomplete_third_party_proprietary_only","incomplete_third_party_opensource_only","unknown","not_specified"],"meta:enum":{"complete":"The relationship is complete. No further relationships including constituent components, services, or dependencies are known to exist.","incomplete":"The relationship is incomplete. Additional relationships exist and may include constituent components, services, or dependencies.","incomplete_first_party_only":"The relationship is incomplete. Only relationships for first-party components, services, or their dependencies are represented.","incomplete_first_party_proprietary_only":"The relationship is incomplete. Only relationships for first-party components, services, or their dependencies are represented, limited specifically to those that are proprietary.","incomplete_first_party_opensource_only":"The relationship is incomplete. 
Only relationships for first-party components, services, or their dependencies are represented, limited specifically to those that are opensource.","incomplete_third_party_only":"The relationship is incomplete. Only relationships for third-party components, services, or their dependencies are represented.","incomplete_third_party_proprietary_only":"The relationship is incomplete. Only relationships for third-party components, services, or their dependencies are represented, limited specifically to those that are proprietary.","incomplete_third_party_opensource_only":"The relationship is incomplete. Only relationships for third-party components, services, or their dependencies are represented, limited specifically to those that are opensource.","unknown":"The relationship may be complete or incomplete. This usually signifies a 'best-effort' to obtain constituent components, services, or dependencies but the completeness is inconclusive.","not_specified":"The relationship completeness is not specified."}}}},"cyclonedx-cryptography-2.0":{"type":"null","title":"CycloneDX Cryptography Model","$defs":{"cryptoProperties":{"type":"object","title":"Cryptographic Properties","description":"Cryptographic assets have properties that uniquely define them and that make them actionable for further reasoning. As an example, it makes a difference if one knows the algorithm family (e.g. AES) or the specific variant or instantiation (e.g. AES-128-GCM). This is because the security level and the algorithm primitive (authenticated encryption) are only defined by the definition of the algorithm variant. The presence of a weak cryptographic algorithm like SHA1 vs. HMAC-SHA1 also makes a difference.","additionalProperties":false,"required":["assetType"],"properties":{"assetType":{"type":"string","title":"Asset Type","description":"Cryptographic assets occur in several forms. Algorithms and protocols are most commonly implemented in specialized cryptographic libraries. 
They may, however, also be 'hardcoded' in software components. Certificates and related cryptographic material like keys, tokens, secrets or passwords are other cryptographic assets to be modelled.","enum":["algorithm","certificate","protocol","related-crypto-material"],"meta:enum":{"algorithm":"Mathematical function commonly used for data encryption, authentication, and digital signatures.","certificate":"An electronic document that is used to provide the identity or validate a public key.","protocol":"A set of rules and guidelines that govern the behavior and communication with each other.","related-crypto-material":"Other cryptographic assets related to algorithms, certificates, and protocols such as keys and tokens."}},"algorithmProperties":{"type":"object","title":"Algorithm Properties","description":"Additional properties specific to a cryptographic algorithm.","additionalProperties":false,"properties":{"primitive":{"type":"string","title":"primitive","description":"Cryptographic building blocks used in higher-level cryptographic systems and protocols. Primitives represent different cryptographic routines: deterministic random bit generators (drbg, e.g. CTR_DRBG from NIST SP800-90A-r1), message authentication codes (mac, e.g. HMAC-SHA-256), blockciphers (e.g. AES), streamciphers (e.g. Salsa20), signatures (e.g. ECDSA), hash functions (e.g. SHA-256), public-key encryption schemes (pke, e.g. RSA), extended output functions (xof, e.g. SHAKE256), key derivation functions (e.g. pbkdf2), key agreement algorithms (e.g. ECDH), key encapsulation mechanisms (e.g. ML-KEM), authenticated encryption (ae, e.g. AES-GCM) and the combination of multiple algorithms (combiner, e.g. 
SP800-56Cr2).","enum":["drbg","mac","block-cipher","stream-cipher","signature","hash","pke","xof","kdf","key-agree","kem","ae","combiner","key-wrap","other","unknown"],"meta:enum":{"drbg":"Deterministic Random Bit Generator (DRBG) is a type of pseudorandom number generator designed to produce a sequence of bits from an initial seed value. DRBGs are commonly used in cryptographic applications where reproducibility of random values is important.","mac":"In cryptography, a Message Authentication Code (MAC) is information used for authenticating and integrity-checking a message.","block-cipher":"A block cipher is a symmetric key algorithm that operates on fixed-size blocks of data. It encrypts or decrypts the data in block units, providing confidentiality. Block ciphers are widely used in various cryptographic modes and protocols for secure data transmission.","stream-cipher":"A stream cipher is a symmetric key cipher where plaintext digits are combined with a pseudorandom cipher digit stream (keystream).","signature":"In cryptography, a signature is a digital representation of a message or data that proves its origin, identity, and integrity. Digital signatures are generated using cryptographic algorithms and are widely used for authentication and verification in secure communication.","hash":"A hash function is a mathematical algorithm that takes an input (or 'message') and produces a fixed-size string of characters, which is typically a hash value. Hash functions are commonly used in various cryptographic applications, including data integrity verification and password hashing.","pke":"Public Key Encryption (PKE) is a type of encryption that uses a pair of public and private keys for secure communication. The public key is used for encryption, while the private key is used for decryption. 
PKE is a fundamental component of public-key cryptography.","xof":"An XOF is an extendable output function that can take arbitrary input and creates a stream of output, up to a limit determined by the size of the internal state of the hash function that underlies the XOF.","kdf":"A Key Derivation Function (KDF) derives key material from another source of entropy while preserving the entropy of the input.","key-agree":"In cryptography, a key-agreement is a protocol whereby two or more parties agree on a cryptographic key in such a way that both influence the outcome.","kem":"A Key Encapsulation Mechanism (KEM) algorithm is a mechanism for transporting random keying material to a recipient using the recipient's public key.","ae":"Authenticated Encryption (AE) is a cryptographic process that provides both confidentiality and data integrity. It ensures that the encrypted data has not been tampered with and comes from a legitimate source. AE is commonly used in secure communication protocols.","combiner":"A combiner aggregates many candidates for a cryptographic primitive and generates a new candidate for the same primitive.","key-wrap":"Key-wrap is a cryptographic technique used to securely encrypt and protect cryptographic keys using algorithms like AES.","other":"Another primitive type.","unknown":"The primitive is not known."}},"algorithmFamily":{"$ref":"../cryptography-defs.schema.json#/definitions/algorithmFamiliesEnum","title":"Algorithm Family","description":"A valid algorithm family identifier. If specified, this value shall be one of the enumeration of valid algorithm Family identifiers defined in the `cryptography-defs.schema.json` subschema.","examples":["3DES","Blowfish","ECDH"]},"parameterSetIdentifier":{"type":"string","title":"Parameter Set Identifier","description":"An identifier for the parameter set of the cryptographic algorithm. 
Examples: in AES128, '128' identifies the key length in bits, in SHA256, '256' identifies the digest length, '128' in SHAKE128 identifies its maximum security level in bits, and 'SHA2-128s' identifies a parameter set used in SLH-DSA (FIPS205)."},"ellipticCurve":{"$ref":"../cryptography-defs.schema.json#/definitions/ellipticCurvesEnum","title":"Elliptic Curve","description":"The specific underlying Elliptic Curve (EC) definition employed which is an indicator of the level of security strength, performance and complexity. If specified, this value shall be one of the enumeration of valid elliptic curves identifiers defined in the `cryptography-defs.schema.json` subschema."},"executionEnvironment":{"type":"string","title":"Execution Environment","description":"The target and execution environment in which the algorithm is implemented in.","enum":["software-plain-ram","software-encrypted-ram","software-tee","hardware","other","unknown"],"meta:enum":{"software-plain-ram":"A software implementation running in plain unencrypted RAM.","software-encrypted-ram":"A software implementation running in encrypted RAM.","software-tee":"A software implementation running in a trusted execution environment.","hardware":"A hardware implementation.","other":"Another implementation environment.","unknown":"The execution environment is not known."}},"implementationPlatform":{"type":"string","title":"Implementation platform","description":"The target platform for which the algorithm is implemented. The implementation can be 'generic', running on any platform or for a specific platform.","enum":["generic","x86_32","x86_64","armv7-a","armv7-m","armv8-a","armv8-m","armv9-a","armv9-m","s390x","ppc64","ppc64le","other","unknown"]},"certificationLevel":{"type":"array","title":"Certification Level","description":"The certification that the implementation of the cryptographic algorithm has received, if any. 
Certifications include revisions and levels of FIPS 140 or Common Criteria of different Extended Assurance Levels (CC-EAL).","items":{"type":"string","enum":["none","fips140-1-l1","fips140-1-l2","fips140-1-l3","fips140-1-l4","fips140-2-l1","fips140-2-l2","fips140-2-l3","fips140-2-l4","fips140-3-l1","fips140-3-l2","fips140-3-l3","fips140-3-l4","cc-eal1","cc-eal1+","cc-eal2","cc-eal2+","cc-eal3","cc-eal3+","cc-eal4","cc-eal4+","cc-eal5","cc-eal5+","cc-eal6","cc-eal6+","cc-eal7","cc-eal7+","other","unknown"],"meta:enum":{"none":"No certification obtained","fips140-1-l1":"FIPS 140-1 Level 1","fips140-1-l2":"FIPS 140-1 Level 2","fips140-1-l3":"FIPS 140-1 Level 3","fips140-1-l4":"FIPS 140-1 Level 4","fips140-2-l1":"FIPS 140-2 Level 1","fips140-2-l2":"FIPS 140-2 Level 2","fips140-2-l3":"FIPS 140-2 Level 3","fips140-2-l4":"FIPS 140-2 Level 4","fips140-3-l1":"FIPS 140-3 Level 1","fips140-3-l2":"FIPS 140-3 Level 2","fips140-3-l3":"FIPS 140-3 Level 3","fips140-3-l4":"FIPS 140-3 Level 4","cc-eal1":"Common Criteria - Evaluation Assurance Level 1","cc-eal1+":"Common Criteria - Evaluation Assurance Level 1 (Augmented)","cc-eal2":"Common Criteria - Evaluation Assurance Level 2","cc-eal2+":"Common Criteria - Evaluation Assurance Level 2 (Augmented)","cc-eal3":"Common Criteria - Evaluation Assurance Level 3","cc-eal3+":"Common Criteria - Evaluation Assurance Level 3 (Augmented)","cc-eal4":"Common Criteria - Evaluation Assurance Level 4","cc-eal4+":"Common Criteria - Evaluation Assurance Level 4 (Augmented)","cc-eal5":"Common Criteria - Evaluation Assurance Level 5","cc-eal5+":"Common Criteria - Evaluation Assurance Level 5 (Augmented)","cc-eal6":"Common Criteria - Evaluation Assurance Level 6","cc-eal6+":"Common Criteria - Evaluation Assurance Level 6 (Augmented)","cc-eal7":"Common Criteria - Evaluation Assurance Level 7","cc-eal7+":"Common Criteria - Evaluation Assurance Level 7 (Augmented)","other":"Another certification","unknown":"The certification level is not 
known"}}},"mode":{"type":"string","title":"Mode","description":"The mode of operation in which the cryptographic algorithm (block cipher) is used.","enum":["cbc","ecb","ccm","gcm","cfb","ofb","ctr","other","unknown"],"meta:enum":{"cbc":"Cipher block chaining","ecb":"Electronic codebook","ccm":"Counter with cipher block chaining message authentication code","gcm":"Galois/counter","cfb":"Cipher feedback","ofb":"Output feedback","ctr":"Counter","other":"Another mode of operation","unknown":"The mode of operation is not known"}},"padding":{"type":"string","title":"Padding","description":"The padding scheme that is used for the cryptographic algorithm.","enum":["pkcs5","pkcs7","pkcs1v15","oaep","raw","other","unknown"],"meta:enum":{"pkcs5":"Public Key Cryptography Standard: Password-Based Cryptography","pkcs7":"Public Key Cryptography Standard: Cryptographic Message Syntax","pkcs1v15":"Public Key Cryptography Standard: RSA Cryptography v1.5","oaep":"Optimal asymmetric encryption padding","raw":"Raw","other":"Another padding scheme","unknown":"The padding scheme is not known"}},"cryptoFunctions":{"type":"array","title":"Cryptographic functions","description":"The cryptographic functions implemented by the cryptographic algorithm.","items":{"type":"string","enum":["generate","keygen","encrypt","decrypt","digest","tag","keyderive","sign","verify","encapsulate","decapsulate","other","unknown"]}},"classicalSecurityLevel":{"type":"integer","title":"classical security level","description":"The classical security level that a cryptographic algorithm provides (in bits).","minimum":0},"nistQuantumSecurityLevel":{"type":"integer","title":"NIST security strength category","description":"The NIST security strength category as defined in https://csrc.nist.gov/projects/post-quantum-cryptography/post-quantum-cryptography-standardization/evaluation-criteria/security-(evaluation-criteria). 
A value of 0 indicates that none of the categories are met.","minimum":0,"maximum":6}}},"certificateProperties":{"type":"object","title":"Certificate Properties","description":"Properties for cryptographic assets of asset type 'certificate'.","additionalProperties":false,"properties":{"serialNumber":{"type":"string","title":"Serial Number","description":"The serial number is a unique identifier for the certificate issued by a CA."},"subjectName":{"type":"string","title":"Subject Name","description":"The subject name for the certificate."},"issuerName":{"type":"string","title":"Issuer Name","description":"The issuer name for the certificate."},"notValidBefore":{"type":"string","format":"date-time","title":"Not Valid Before","description":"The date and time according to ISO-8601 standard from which the certificate is valid."},"notValidAfter":{"type":"string","format":"date-time","title":"Not Valid After","description":"The date and time according to ISO-8601 standard from which the certificate is not valid anymore."},"certificateFormat":{"type":"string","title":"Certificate Format","description":"The format of the certificate.","examples":["X.509","PEM","DER","CVC"]},"certificateFileExtension":{"type":"string","title":"Certificate File Extension","description":"The file extension of the certificate.","examples":["crt","pem","cer","der","p12"]},"fingerprint":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/hash","title":"Certificate Fingerprint","description":"The fingerprint is a cryptographic hash of the certificate excluding it's signature."},"certificateState":{"type":"array","title":"Certificate Lifecycle State","description":"The certificate lifecycle is a comprehensive process that manages digital certificates from their initial creation to eventual expiration or revocation. 
It typically involves several stages.","items":{"type":"object","title":"State","description":"The state of the certificate.","oneOf":[{"title":"Pre-Defined State","required":["state"],"additionalProperties":false,"properties":{"state":{"type":"string","title":"State","description":"A pre-defined state in the certificate lifecycle.","enum":["pre-activation","active","suspended","deactivated","revoked","destroyed"],"meta:enum":{"pre-activation":"The certificate has been issued by the issuing certificate authority (CA) but has not been authorized for use.","active":"The certificate may be used to cryptographically protect information, cryptographically process previously protected information, or both.","deactivated":"Certificates in the deactivated state shall not be used to apply cryptographic protection but, in some cases, may be used to process cryptographically protected information.","suspended":"The use of a certificate may be suspended for several possible reasons.","revoked":"A revoked certificate is a digital certificate that has been invalidated by the issuing certificate authority (CA) before its scheduled expiration date.","destroyed":"The certificate has been destroyed."}},"reason":{"type":"string","title":"Reason","description":"A reason for the certificate being in this state."}}},{"title":"Custom State","required":["name"],"additionalProperties":false,"properties":{"name":{"type":"string","title":"State","description":"The name of the certificate lifecycle state."},"description":{"type":"string","title":"Description","description":"The description of the certificate lifecycle state."},"reason":{"type":"string","title":"Reason","description":"A reason for the certificate being in this state."}}}]}},"creationDate":{"type":"string","format":"date-time","title":"Creation Date","description":"The date and time (timestamp) when the certificate was created or pre-activated."},"activationDate":{"type":"string","format":"date-time","title":"Activation 
Date","description":"The date and time (timestamp) when the certificate was activated."},"deactivationDate":{"type":"string","format":"date-time","title":"Deactivation Date","description":"The date and time (timestamp) when the related certificate was deactivated."},"revocationDate":{"type":"string","format":"date-time","title":"Revocation Date","description":"The date and time (timestamp) when the certificate was revoked."},"destructionDate":{"type":"string","format":"date-time","title":"Destruction Date","description":"The date and time (timestamp) when the certificate was destroyed."},"certificateExtensions":{"type":"array","title":"Certificate Extensions","description":"A certificate extension is a field that provides additional information about the certificate or its use. Extensions are used to convey additional information beyond the standard fields.","items":{"type":"object","title":"Extension","description":"","oneOf":[{"title":"Common Extensions","required":["commonExtensionName","commonExtensionValue"],"additionalProperties":false,"properties":{"commonExtensionName":{"type":"string","title":"name","description":"The name of the extension.","enum":["basicConstraints","keyUsage","extendedKeyUsage","subjectAlternativeName","authorityKeyIdentifier","subjectKeyIdentifier","authorityInformationAccess","certificatePolicies","crlDistributionPoints","signedCertificateTimestamp"],"meta:enum":{"basicConstraints":"Specifies whether a certificate can be used as a CA certificate or not.","keyUsage":"Specifies the allowed uses of the public key in the certificate.","extendedKeyUsage":"Specifies additional purposes for which the public key can be used.","subjectAlternativeName":"Allows inclusion of additional names to identify the entity associated with the certificate.","authorityKeyIdentifier":"Identifies the public key of the CA that issued the certificate.","subjectKeyIdentifier":"Identifies the public key associated with the entity the certificate was issued 
to.","authorityInformationAccess":"Contains CA issuers and OCSP information.","certificatePolicies":"Defines the policies under which the certificate was issued and can be used.","crlDistributionPoints":"Contains one or more URLs where a Certificate Revocation List (CRL) can be obtained.","signedCertificateTimestamp":"Shows that the certificate has been publicly logged, which helps prevent the issuance of rogue certificates by a CA. Log ID, timestamp and signature as proof."}},"commonExtensionValue":{"type":"string","title":"Value","description":"The value of the certificate extension."}}},{"title":"Custom Extensions","description":"Custom extensions may convey application-specific or vendor-specific data not covered by standard extensions. The structure and semantics of custom extensions are typically defined outside of public standards. CycloneDX leverages properties to support this capability.","required":["customExtensionName"],"additionalProperties":false,"properties":{"customExtensionName":{"type":"string","title":"Name","description":"The name for the custom certificate extension."},"customExtensionValue":{"type":"string","title":"Value","description":"The description of the custom certificate extension."}}}]}},"relatedCryptographicAssets":{"$ref":"#/$defs/cyclonedx-cryptography-2.0/$defs/relatedCryptographicAssets"}}},"relatedCryptoMaterialProperties":{"type":"object","title":"Related Cryptographic Material Properties","description":"Properties for cryptographic assets of asset type: `related-crypto-material`.","additionalProperties":false,"properties":{"type":{"type":"string","title":"relatedCryptoMaterialType","description":"The type for the related cryptographic material.","enum":["private-key","public-key","secret-key","key","ciphertext","signature","digest","initialization-vector","nonce","seed","salt","shared-secret","tag","additional-data","password","credential","token","other","unknown"],"meta:enum":{"private-key":"The confidential key of a key 
pair used in asymmetric cryptography.","public-key":"The non-confidential key of a key pair used in asymmetric cryptography.","secret-key":"A key used to encrypt and decrypt messages in symmetric cryptography.","key":"A piece of information, usually an octet string, which, when processed through a cryptographic algorithm, processes cryptographic data.","ciphertext":"The result of encryption performed on plaintext using an algorithm (or cipher).","signature":"A cryptographic value that is calculated from the data and a key known only by the signer.","digest":"The output of the hash function.","initialization-vector":"A fixed-size random or pseudo-random value used as an input parameter for cryptographic algorithms.","nonce":"A random or pseudo-random number that can only be used once in a cryptographic communication.","seed":"The input to a pseudo-random number generator. Different seeds generate different pseudo-random sequences.","salt":"A value used in a cryptographic process, usually to ensure that the results of computations for one instance cannot be reused by an attacker.","shared-secret":"A piece of data known only to the parties involved, in a secure communication.","tag":"A message authentication code (MAC), sometimes known as an authentication tag, is a short piece of information used for authenticating and integrity-checking a message.","additional-data":"An unspecified collection of data with relevance to cryptographic activity.","password":"A secret word, phrase, or sequence of characters used during authentication or authorization.","credential":"Establishes the identity of a party to communication, usually in the form of cryptographic keys or passwords.","token":"An object encapsulating a security identity.","other":"Another type of cryptographic asset.","unknown":"The type of cryptographic asset is not known."}},"id":{"type":"string","title":"ID","description":"The unique identifier for the related cryptographic 
material."},"state":{"type":"string","title":"State","description":"The key state as defined by NIST SP 800-57.","enum":["pre-activation","active","suspended","deactivated","compromised","destroyed"]},"creationDate":{"type":"string","format":"date-time","title":"Creation Date","description":"The date and time (timestamp) when the related cryptographic material was created."},"activationDate":{"type":"string","format":"date-time","title":"Activation Date","description":"The date and time (timestamp) when the related cryptographic material was activated."},"updateDate":{"type":"string","format":"date-time","title":"Update Date","description":"The date and time (timestamp) when the related cryptographic material was updated."},"expirationDate":{"type":"string","format":"date-time","title":"Expiration Date","description":"The date and time (timestamp) when the related cryptographic material expires."},"value":{"type":"string","title":"Value","description":"The associated value of the cryptographic material."},"size":{"type":"integer","title":"Size","description":"The size of the cryptographic asset (in bits)."},"format":{"type":"string","title":"Format","description":"The format of the related cryptographic material (e.g. 
P8, PEM, DER)."},"securedBy":{"$ref":"#/$defs/cyclonedx-cryptography-2.0/$defs/securedBy","title":"Secured By","description":"The mechanism by which the cryptographic asset is secured by."},"fingerprint":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/hash","title":"Fingerprint","description":"The fingerprint is a cryptographic hash of the asset."},"relatedCryptographicAssets":{"$ref":"#/$defs/cyclonedx-cryptography-2.0/$defs/relatedCryptographicAssets"}}},"protocolProperties":{"type":"object","title":"Protocol Properties","description":"Properties specific to cryptographic assets of type: `protocol`.","additionalProperties":false,"properties":{"type":{"type":"string","title":"Type","description":"The concrete protocol type.","enum":["tls","ssh","ipsec","ike","sstp","wpa","dtls","quic","eap-aka","eap-aka-prime","prins","5g-aka","other","unknown"],"meta:enum":{"tls":"Transport Layer Security","ssh":"Secure Shell","ipsec":"Internet Protocol Security","ike":"Internet Key Exchange","sstp":"Secure Socket Tunneling Protocol","wpa":"Wi-Fi Protected Access","dtls":"Datagram Transport Layer Security","quic":"Quick UDP Internet Connections","eap-aka":"Extensible Authentication Protocol variant","eap-aka-prime":"Enhanced version of EAP-AKA","prins":"Protection of Inter-Network Signaling","5g-aka":"Authentication and Key Agreement for 5G","other":"Another protocol type","unknown":"The protocol type is not known"}},"version":{"type":"string","title":"Protocol Version","description":"The version of the protocol.","examples":["1.0","1.2","1.99"]},"cipherSuites":{"type":"array","title":"Cipher Suites","description":"A list of cipher suites related to the protocol.","items":{"$ref":"#/$defs/cyclonedx-cryptography-2.0/$defs/cipherSuite","title":"Cipher Suite"}},"ikev2TransformTypes":{"type":"object","title":"IKEv2 Transform Types","description":"The IKEv2 transform types supported (types 1-4), defined in [RFC 7296 section 3.3.2](https://www.ietf.org/rfc/rfc7296.html#section-3.3.2), and 
additional properties.","additionalProperties":false,"properties":{"encr":{"type":"array","title":"Encryption Algorithms (ENCR)","description":"Transform Type 1: encryption algorithms.","items":{"$ref":"#/$defs/cyclonedx-cryptography-2.0/$defs/ikeV2Enc","title":"Encryption Algorithm (ENCR)"}},"prf":{"type":"array","title":"Pseudorandom Functions (PRF)","description":"Transform Type 2: pseudorandom functions.","items":{"$ref":"#/$defs/cyclonedx-cryptography-2.0/$defs/ikeV2Prf","title":"Pseudorandom Function (PRF)"}},"integ":{"type":"array","title":"Integrity Algorithms (INTEG)","description":"Transform Type 3: integrity algorithms.","items":{"$ref":"#/$defs/cyclonedx-cryptography-2.0/$defs/ikeV2Integ","title":"Integrity Algorithm (INTEG)"}},"ke":{"type":"array","title":"Key Exchange Methods (KE)","description":"Transform Type 4: Key Exchange Method (KE) per [RFC 9370](https://www.ietf.org/rfc/rfc9370.html), formerly called Diffie-Hellman Group (D-H).","items":{"$ref":"#/$defs/cyclonedx-cryptography-2.0/$defs/ikeV2Ke"}},"esn":{"type":"boolean","title":"Extended Sequence Number (ESN)","description":"Specifies if an Extended Sequence Number (ESN) is used."},"auth":{"type":"array","title":"IKEv2 Authentication methods","description":"IKEv2 Authentication method per [RFC9593](https://www.ietf.org/rfc/rfc9593.html).","items":{"$ref":"#/$defs/cyclonedx-cryptography-2.0/$defs/ikeV2Auth","title":"IKEv2 Authentication Method"}}}},"relatedCryptographicAssets":{"$ref":"#/$defs/cyclonedx-cryptography-2.0/$defs/relatedCryptographicAssets"}}},"oid":{"type":"string","title":"OID","description":"The object identifier (OID) of the cryptographic asset."}}},"cipherSuite":{"type":"object","title":"Cipher Suite","description":"Object representing a cipher suite.","additionalProperties":false,"properties":{"name":{"type":"string","title":"Common Name","description":"A common name for the cipher 
suite.","examples":["TLS_DHE_RSA_WITH_AES_128_CCM"]},"algorithms":{"type":"array","title":"Related Algorithms","description":"A list of algorithms related to the cipher suite.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"Algorithm reference","description":"The bom-ref to algorithm cryptographic asset."}},"identifiers":{"type":"array","title":"Cipher Suite Identifiers","description":"A list of common identifiers for the cipher suite.","items":{"type":"string","title":"identifier","description":"Cipher suite identifier.","examples":["0xC0","0x9E"]}},"tlsGroups":{"type":"array","title":"TLS Groups","description":"A list of TLS named groups (formerly known as curves) for this cipher suite. These groups define the parameters for key exchange algorithms like ECDHE.","items":{"type":"string","title":"Group Name","description":"The name of the TLS group.","examples":["x25519","ffdhe2048"]}},"tlsSignatureSchemes":{"type":"array","title":"TLS Signature Schemes","description":"A list of signature schemes supported for cipher suite. 
These schemes specify the algorithms used for digital signatures in TLS handshakes and certificate verification.","items":{"type":"string","title":"Signature Scheme","description":"The name of the TLS signature scheme.","examples":["ecdsa_secp256r1_sha256","rsa_pss_rsae_sha256","ed25519"]}}}},"ikeV2Enc":{"type":"object","title":"Encryption Algorithm (ENCR)","description":"Object representing an encryption algorithm (ENCR).","additionalProperties":false,"properties":{"name":{"type":"string","title":"Name","description":"A name for the encryption method.","examples":["ENCR_AES_GCM_16"]},"keyLength":{"type":"integer","title":"Encryption algorithm key length","description":"The key length of the encryption algorithm."},"algorithm":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"Algorithm reference","description":"The bom-ref to algorithm cryptographic asset."}}},"ikeV2Prf":{"type":"object","title":"Pseudorandom Function (PRF)","description":"Object representing a pseudorandom function (PRF).","additionalProperties":false,"properties":{"name":{"type":"string","title":"Name","description":"A name for the pseudorandom function.","examples":["PRF_HMAC_SHA2_256"]},"algorithm":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"Algorithm reference","description":"The bom-ref to algorithm cryptographic asset."}}},"ikeV2Integ":{"type":"object","title":"Integrity Algorithm (INTEG)","description":"Object representing an integrity algorithm (INTEG).","additionalProperties":false,"properties":{"name":{"type":"string","title":"Name","description":"A name for the integrity algorithm.","examples":["AUTH_HMAC_SHA2_256_128"]},"algorithm":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"Algorithm reference","description":"The bom-ref to algorithm cryptographic asset."}}},"ikeV2Ke":{"type":"object","title":"Key Exchange Method (KE)","description":"Object representing a key exchange method 
(KE).","additionalProperties":false,"properties":{"group":{"type":"integer","title":"Group Identifier","description":"A group identifier for the key exchange algorithm."},"algorithm":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"Algorithm reference","description":"The bom-ref to algorithm cryptographic asset."}}},"ikeV2Auth":{"type":"object","title":"IKEv2 Authentication method","description":"Object representing a IKEv2 Authentication method.","additionalProperties":false,"properties":{"name":{"type":"string","title":"Name","description":"A name for the authentication method."},"algorithm":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"Algorithm reference","description":"The bom-ref to algorithm cryptographic asset."}}},"relatedCryptographicAssets":{"type":"array","title":"Related Cryptographic Assets","description":"A list of cryptographic assets related to this component.","items":{"$ref":"#/$defs/cyclonedx-cryptography-2.0/$defs/relatedCryptographicAsset"}},"relatedCryptographicAsset":{"type":"object","title":"Related Cryptographic Asset","description":"A cryptographic assets related to this component.","additionalProperties":false,"properties":{"type":{"type":"string","title":"Type","description":"Specifies the mechanism by which the cryptographic asset is secured by.","examples":["publicKey","privateKey","algorithm"]},"ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"Reference to cryptographic asset","description":"The bom-ref to cryptographic asset."}}},"securedBy":{"type":"object","title":"Secured By","description":"Specifies the mechanism by which the cryptographic asset is secured by.","additionalProperties":false,"properties":{"mechanism":{"type":"string","title":"Mechanism","description":"Specifies the mechanism by which the cryptographic asset is secured by.","examples":["HSM","TPM","SGX","Software","None"]},"algorithmRef":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"Algorithm 
Reference","description":"The bom-ref to the algorithm."}}}}},"cyclonedx-data-2.0":{"type":"null","title":"CycloneDX Data Model","$defs":{"dataClassification":{"type":"string","title":"Data Classification","description":"Data classification tags data according to its type, sensitivity, and value if altered, stolen, or destroyed."},"dataSensitivity":{"type":"string","enum":["public","internal","confidential","restricted","secret"],"description":"Data sensitivity classification","meta:enum":{"public":"Public information that can be freely shared","internal":"Internal use only within the organization","confidential":"Confidential information requiring protection","restricted":"Highly restricted information with limited access","secret":"Secret information requiring special handling"}},"dataGovernance":{"type":"object","title":"Data Governance","description":"Data governance captures information regarding data ownership, stewardship, and custodianship, providing insights into the individuals or entities responsible for managing, overseeing, and safeguarding the data throughout its lifecycle.","additionalProperties":false,"properties":{"custodians":{"type":"array","title":"Data Custodians","description":"Data custodians are responsible for the safe custody, transport, and storage of data.","items":{"$ref":"#/$defs/cyclonedx-data-2.0/$defs/dataGovernanceResponsibleParty"}},"stewards":{"type":"array","title":"Data Stewards","description":"Data stewards are responsible for data content, context, and associated business rules.","items":{"$ref":"#/$defs/cyclonedx-data-2.0/$defs/dataGovernanceResponsibleParty"}},"owners":{"type":"array","title":"Data Owners","description":"Data owners are concerned with risk and appropriate access to data.","items":{"$ref":"#/$defs/cyclonedx-data-2.0/$defs/dataGovernanceResponsibleParty"}}}},"dataGovernanceResponsibleParty":{"type":"object","additionalProperties":false,"properties":{"organization":{"title":"Organization","description":"The 
organization that is responsible for specific data governance role(s).","$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity"},"contact":{"title":"Individual","description":"The individual that is responsible for specific data governance role(s).","$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalContact"}},"oneOf":[{"required":["organization"]},{"required":["contact"]}]},"dataFlowDirection":{"type":"string","enum":["inbound","outbound","bi-directional","unknown"],"meta:enum":{"inbound":"Data that enters a service.","outbound":"Data that exits a service.","bi-directional":"Data flows in and out of the service.","unknown":"The directional flow of data is not known."},"title":"Data flow direction","description":"Specifies the flow direction of the data. Direction is relative to the service."}}},"cyclonedx-declaration-2.0":{"type":"null","title":"CycloneDX Declaration Model","$defs":{"declarations":{"type":"object","title":"Declarations","description":"The list of declarations which describe the conformance to standards. Each declaration may include attestations, claims, and evidence.","additionalProperties":false,"properties":{"assessors":{"type":"array","title":"Assessors","description":"The list of assessors evaluating claims and determining conformance to requirements and confidence in that assessment.","items":{"type":"object","title":"Assessor","description":"The assessor who evaluates claims and determines conformance to requirements and confidence in that assessment.","additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"An identifier which can be used to reference the object elsewhere in the BOM. Every `bom-ref` must be unique within the BOM."},"thirdParty":{"type":"boolean","title":"Third Party","description":"The boolean indicating if the assessor is outside the organization generating claims. 
A value of false indicates a self assessor."},"organization":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity","title":"Organization","description":"The entity issuing the assessment."}}}},"attestations":{"type":"array","title":"Attestations","description":"The list of attestations asserted by an assessor that maps requirements to claims.","items":{"type":"object","title":"Attestation","additionalProperties":false,"properties":{"summary":{"type":"string","title":"Summary","description":"The short description explaining the main points of the attestation."},"assessor":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType","title":"Assessor","description":"The `bom-ref` to the assessor asserting the attestation."},"map":{"type":"array","title":"Map","description":"The grouping of requirements to claims and the attestors declared conformance and confidence thereof.","items":{"type":"object","title":"Map","additionalProperties":false,"properties":{"requirement":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType","title":"Requirement","description":"The `bom-ref` to the requirement being attested to."},"claims":{"type":"array","title":"Claims","description":"The list of `bom-ref` to the claims being attested to.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"}},"counterClaims":{"type":"array","title":"Counter Claims","description":"The list of `bom-ref` to the counter claims being attested to.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"}},"conformance":{"type":"object","title":"Conformance","description":"The conformance of the claim meeting a requirement.","additionalProperties":false,"properties":{"score":{"type":"number","minimum":0,"maximum":1,"title":"Score","description":"The conformance of the claim between and inclusive of 0 and 1, where 1 is 100% conformance."},"rationale":{"type":"string","title":"Rationale","description":"The rationale for the conformance 
score."},"mitigationStrategies":{"type":"array","title":"Mitigation Strategies","description":"The list of `bom-ref` to the evidence provided describing the mitigation strategies.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"}}}},"confidence":{"type":"object","title":"Confidence","description":"The confidence of the claim meeting the requirement.","additionalProperties":false,"properties":{"score":{"type":"number","minimum":0,"maximum":1,"title":"Score","description":"The confidence of the claim between and inclusive of 0 and 1, where 1 is 100% confidence."},"rationale":{"type":"string","title":"Rationale","description":"The rationale for the confidence score."}}}}}},"signature":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/signature","title":"Signature","description":"Enveloped signature in [JSON Signature Format (JSF)](https://cyberphone.github.io/doc/security/jsf.html)."}}}},"claims":{"type":"array","title":"Claims","description":"The list of claims.","items":{"type":"object","title":"Claim","additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"An identifier which can be used to reference the object elsewhere in the BOM. Every `bom-ref` must be unique within the BOM."},"target":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType","title":"Target","description":"The `bom-ref` to a target representing a specific system, application, API, module, team, person, process, business unit, company, etc... that this claim is being applied to."},"predicate":{"type":"string","title":"Predicate","description":"The specific statement or assertion about the target."},"mitigationStrategies":{"type":"array","title":"Mitigation Strategies","description":"The list of `bom-ref` to the evidence provided describing the mitigation strategies. 
Each mitigation strategy should include an explanation of how any weaknesses in the evidence will be mitigated.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"}},"reasoning":{"type":"string","title":"Reasoning","description":"The written explanation of why the evidence provided substantiates the claim."},"evidence":{"type":"array","title":"Evidence","description":"The list of `bom-ref` to evidence that supports this claim.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"}},"counterEvidence":{"type":"array","title":"Counter Evidence","description":"The list of `bom-ref` to counterEvidence that supports this claim.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"}},"externalReferences":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/externalReferences"},"signature":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/signature","title":"Signature","description":"Enveloped signature in [JSON Signature Format (JSF)](https://cyberphone.github.io/doc/security/jsf.html)."}}}},"evidence":{"type":"array","title":"Evidence","description":"The list of evidence","items":{"type":"object","title":"Evidence","additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"An identifier which can be used to reference the object elsewhere in the BOM. 
Every `bom-ref` must be unique within the BOM."},"propertyName":{"type":"string","title":"Property Name","description":"The reference to the property name as defined in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy/)."},"description":{"type":"string","title":"Description","description":"The written description of what this evidence is and how it was created."},"data":{"type":"array","title":"Data","description":"The output or analysis that supports claims.","items":{"type":"object","title":"Data","additionalProperties":false,"properties":{"name":{"title":"Data Name","description":"The name of the data.","type":"string"},"contents":{"type":"object","title":"Data Contents","description":"The contents or references to the contents of the data being described.","additionalProperties":false,"properties":{"attachment":{"title":"Data Attachment","description":"A way to include textual or encoded data.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/attachment"},"url":{"type":"string","title":"Data URL","description":"The URL to where the data can be retrieved.","format":"iri-reference"}}},"classification":{"$ref":"#/$defs/cyclonedx-data-2.0/$defs/dataClassification"},"sensitiveData":{"type":"array","title":"Sensitive Data","description":"A description of any sensitive data included.","items":{"type":"string"}},"governance":{"title":"Data Governance","$ref":"#/$defs/cyclonedx-data-2.0/$defs/dataGovernance"}}}},"created":{"type":"string","format":"date-time","title":"Created","description":"The date and time (timestamp) when the evidence was created."},"expires":{"type":"string","format":"date-time","title":"Expires","description":"The date and time (timestamp) when the evidence is no longer valid."},"author":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalContact","title":"Author","description":"The author of the 
evidence."},"reviewer":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalContact","title":"Reviewer","description":"The reviewer of the evidence."},"signature":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/signature","title":"Signature","description":"Enveloped signature in [JSON Signature Format (JSF)](https://cyberphone.github.io/doc/security/jsf.html)."}}}},"targets":{"type":"object","title":"Targets","description":"The list of targets which claims are made against.","additionalProperties":false,"properties":{"organizations":{"type":"array","title":"Organizations","description":"The list of organizations which claims are made against.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity"}},"components":{"type":"array","title":"Components","description":"The list of components which claims are made against.","items":{"$ref":"#/$defs/cyclonedx-component-2.0/$defs/component"}},"services":{"type":"array","title":"Services","description":"The list of services which claims are made against.","items":{"$ref":"#/$defs/cyclonedx-service-2.0/$defs/service"}}}},"affirmation":{"type":"object","title":"Affirmation","description":"A concise statement affirmed by an individual regarding all declarations, often used for third-party auditor acceptance or recipient acknowledgment. 
It includes a list of authorized signatories who assert the validity of the document on behalf of the organization.","additionalProperties":false,"properties":{"statement":{"type":"string","title":"Statement","description":"The brief statement affirmed by an individual regarding all declarations.\n*- Notes This could be an affirmation of acceptance by a third-party auditor or receiving individual of a file.","examples":["I certify, to the best of my knowledge, that all information is correct."]},"signatories":{"type":"array","title":"Signatories","description":"The list of signatories authorized on behalf of an organization to assert validity of this document.","items":{"type":"object","title":"Signatory","additionalProperties":false,"oneOf":[{"required":["signature"]},{"required":["externalReference","organization"]}],"properties":{"name":{"type":"string","title":"Name","description":"The signatory's name."},"role":{"type":"string","title":"Role","description":"The signatory's role within an organization."},"signature":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/signature","title":"Signature","description":"Enveloped signature in [JSON Signature Format (JSF)](https://cyberphone.github.io/doc/security/jsf.html)."},"organization":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity","title":"Organization","description":"The signatory's organization."},"externalReference":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/externalReference"}}}},"signature":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/signature","title":"Signature","description":"Enveloped signature in [JSON Signature Format (JSF)](https://cyberphone.github.io/doc/security/jsf.html)."}}},"signature":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/signature","title":"Signature","description":"Enveloped signature in [JSON Signature Format (JSF)](https://cyberphone.github.io/doc/security/jsf.html)."}}}}},"cyclonedx-definition-2.0":{"type":"null","title":"CycloneDX Definition 
Model","$defs":{"definitions":{"type":"object","title":"Definitions","description":"A collection of reusable objects that are defined and may be used elsewhere in the BOM.","additionalProperties":false,"properties":{"standards":{"$ref":"#/$defs/cyclonedx-standard-2.0/$defs/standards"},"patents":{"$ref":"#/$defs/cyclonedx-patent-2.0/$defs/patents"}}}}},"cyclonedx-dependency-2.0":{"type":"null","title":"CycloneDX Dependency Model","$defs":{"dependencies":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-dependency-2.0/$defs/dependency"},"uniqueItems":true,"title":"Dependencies","description":"Provides the ability to document dependency relationships including provided & implemented components."},"dependency":{"type":"object","title":"Dependency","description":"Defines the direct dependencies of a component, service, or the components provided/implemented by a given component. Components or services that do not have their own dependencies must be declared as empty elements within the graph. Components or services that are not represented in the dependency graph may have unknown dependencies. It is recommended that implementations assume this to be opaque and not an indicator of an object being dependency-free. 
It is recommended to leverage compositions to indicate unknown dependency graphs.","required":["ref"],"additionalProperties":false,"properties":{"ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType","title":"Reference","description":"References a component or service by its bom-ref attribute"},"dependsOn":{"type":"array","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"},"title":"Depends On","description":"The bom-ref identifiers of the components or services that are dependencies of this dependency object."},"provides":{"type":"array","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"},"title":"Provides","description":"The bom-ref identifiers of the components or services that define a given specification or standard, which are provided or implemented by this dependency object.\nFor example, a cryptographic library which implements a cryptographic algorithm. A component which implements another component does not imply that the implementation is in use."}}}}},"cyclonedx-formulation-2.0":{"type":"null","title":"CycloneDX Formulation Model","$defs":{"formulation":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/formula"},"uniqueItems":true,"title":"Formulation","description":"Describes the formulation of any referencable object within the BOM, including components, services, metadata, declarations, or the BOM itself. This may encompass how the object was created, assembled, deployed, tested, certified, or otherwise brought into its present form. Common examples include software build pipelines, deployment processes, AI/ML model training, cryptographic key generation or certification, and third-party audits. 
Processes are modeled using declared and observed formulas, composed of workflows, tasks, and individual steps."},"formula":{"title":"Formula","description":"Describes workflows and resources that captures rules and other aspects of how the associated BOM component or service was formed.","type":"object","additionalProperties":false,"properties":{"bom-ref":{"title":"BOM Reference","description":"An identifier which can be used to reference the formula elsewhere in the BOM. Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"components":{"title":"Components","description":"Transient components that are used in tasks that constitute one or more of this formula's workflows","type":"array","items":{"$ref":"#/$defs/cyclonedx-component-2.0/$defs/component"},"uniqueItems":true},"services":{"title":"Services","description":"Transient services that are used in tasks that constitute one or more of this formula's workflows","type":"array","items":{"$ref":"#/$defs/cyclonedx-service-2.0/$defs/service"},"uniqueItems":true},"workflows":{"title":"Workflows","description":"List of workflows that can be declared to accomplish specific orchestrated goals and independently triggered.","type":"array","items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/workflow"},"uniqueItems":true},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"workflow":{"title":"Workflow","description":"A specialized orchestration task.","type":"object","required":["bom-ref","uid","taskTypes"],"additionalProperties":false,"properties":{"bom-ref":{"title":"BOM Reference","description":"An identifier which can be used to reference the workflow elsewhere in the BOM. 
Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"uid":{"title":"Unique Identifier (UID)","description":"The unique identifier for the resource instance within its deployment context.","type":"string"},"name":{"title":"Name","description":"The name of the resource instance.","type":"string"},"description":{"title":"Description","description":"A description of the resource instance.","type":"string"},"resourceReferences":{"title":"Resource references","description":"References to component or service resources that are used to realize the resource instance.","type":"array","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/resourceReferenceChoice"}},"tasks":{"title":"Tasks","description":"The tasks that comprise the workflow.","type":"array","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/task"}},"taskDependencies":{"title":"Task dependency graph","description":"The graph of dependencies between tasks within the workflow.","type":"array","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-dependency-2.0/$defs/dependency"}},"taskTypes":{"title":"Task types","description":"Indicates the types of activities performed by the set of workflow tasks.","type":"array","items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/taskType"}},"trigger":{"title":"Trigger","description":"The trigger that initiated the task.","$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/trigger"},"steps":{"title":"Steps","description":"The sequence of steps for the task.","type":"array","items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/step"},"uniqueItems":true},"inputs":{"title":"Inputs","description":"Represents resources and data brought into a task at runtime by executor or task commands","examples":["a `configuration` file which was declared as a local `component` or 
`externalReference`"],"type":"array","items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/inputType"},"uniqueItems":true},"outputs":{"title":"Outputs","description":"Represents resources and data output from a task at runtime by executor or task commands","examples":["a log file or metrics data produced by the task"],"type":"array","items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/outputType"},"uniqueItems":true},"timeStart":{"title":"Time start","description":"The date and time (timestamp) when the task started.","type":"string","format":"date-time"},"timeEnd":{"title":"Time end","description":"The date and time (timestamp) when the task ended.","type":"string","format":"date-time"},"workspaces":{"title":"Workspaces","description":"A set of named filesystem or data resource shareable by workflow tasks.","type":"array","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/workspace"}},"runtimeTopology":{"title":"Runtime topology","description":"A graph of the component runtime topology for workflow's instance.","type":"array","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-dependency-2.0/$defs/dependency"}},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"task":{"title":"Task","description":"Describes the inputs, sequence of steps and resources used to accomplish a task and its output.","type":"object","required":["bom-ref","uid","taskTypes"],"additionalProperties":false,"properties":{"bom-ref":{"title":"BOM Reference","description":"An identifier which can be used to reference the task elsewhere in the BOM. 
Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"uid":{"title":"Unique Identifier (UID)","description":"The unique identifier for the resource instance within its deployment context.","type":"string"},"name":{"title":"Name","description":"The name of the resource instance.","type":"string"},"description":{"title":"Description","description":"A description of the resource instance.","type":"string"},"resourceReferences":{"title":"Resource references","description":"References to component or service resources that are used to realize the resource instance.","type":"array","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/resourceReferenceChoice"}},"taskTypes":{"title":"Task types","description":"Indicates the types of activities performed by the set of workflow tasks.","type":"array","items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/taskType"}},"trigger":{"title":"Trigger","description":"The trigger that initiated the task.","$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/trigger"},"steps":{"title":"Steps","description":"The sequence of steps for the task.","type":"array","items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/step"},"uniqueItems":true},"inputs":{"title":"Inputs","description":"Represents resources and data brought into a task at runtime by executor or task commands","examples":["a `configuration` file which was declared as a local `component` or `externalReference`"],"type":"array","items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/inputType"},"uniqueItems":true},"outputs":{"title":"Outputs","description":"Represents resources and data output from a task at runtime by executor or task commands","examples":["a log file or metrics data produced by the 
task"],"type":"array","items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/outputType"},"uniqueItems":true},"timeStart":{"title":"Time start","description":"The date and time (timestamp) when the task started.","type":"string","format":"date-time"},"timeEnd":{"title":"Time end","description":"The date and time (timestamp) when the task ended.","type":"string","format":"date-time"},"workspaces":{"title":"Workspaces","description":"A set of named filesystem or data resource shareable by workflow tasks.","type":"array","items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/workspace"},"uniqueItems":true},"runtimeTopology":{"title":"Runtime topology","description":"A graph of the component runtime topology for task's instance.","type":"array","items":{"$ref":"#/$defs/cyclonedx-dependency-2.0/$defs/dependency"},"uniqueItems":true},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"step":{"type":"object","description":"Executes specific commands or tools in order to accomplish its owning task as part of a sequence.","additionalProperties":false,"properties":{"name":{"title":"Name","description":"A name for the step.","type":"string"},"description":{"title":"Description","description":"A description of the step.","type":"string"},"commands":{"title":"Commands","description":"Ordered list of commands or directives for the step","type":"array","items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/command"}},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"command":{"type":"object","additionalProperties":false,"properties":{"executed":{"title":"Executed","description":"A text representation of the executed command.","type":"string"},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"workspace":{"title":"Workspace","description":"A named filesystem or data resource shareable by workflow 
tasks.","type":"object","required":["bom-ref","uid"],"additionalProperties":false,"properties":{"bom-ref":{"title":"BOM Reference","description":"An identifier which can be used to reference the workspace elsewhere in the BOM. Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"uid":{"title":"Unique Identifier (UID)","description":"The unique identifier for the resource instance within its deployment context.","type":"string"},"name":{"title":"Name","description":"The name of the resource instance.","type":"string"},"aliases":{"title":"Aliases","description":"The names for the workspace as referenced by other workflow tasks. Effectively, a name mapping so other tasks can use their own local name in their steps.","type":"array","items":{"type":"string"}},"description":{"title":"Description","description":"A description of the resource instance.","type":"string"},"resourceReferences":{"title":"Resource references","description":"References to component or service resources that are used to realize the resource instance.","type":"array","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/resourceReferenceChoice"}},"accessMode":{"title":"Access mode","description":"Describes the read-write access control for the workspace relative to the owning resource instance.","type":"string","enum":["read-only","read-write","read-write-once","write-once","write-only"]},"mountPath":{"title":"Mount path","description":"A path to a location on disk where the workspace will be available to the associated task's steps.","type":"string"},"managedDataType":{"title":"Managed data type","description":"The name of a domain-specific data type the workspace represents.","examples":["ConfigMap","Secret"],"type":"string"},"volumeRequest":{"title":"Volume request","description":"Identifies the reference to the request for a 
specific volume type and parameters.","examples":["a kubernetes Persistent Volume Claim (PVC) name"],"type":"string"},"volume":{"title":"Volume","description":"Information about the actual volume instance allocated to the workspace.","examples":["see https://kubernetes.io/docs/concepts/storage/persistent-volumes/"],"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/volume"},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"volume":{"title":"Volume","description":"An identifiable, logical unit of data storage tied to a physical device.","type":"object","additionalProperties":false,"properties":{"uid":{"title":"Unique Identifier (UID)","description":"The unique identifier for the volume instance within its deployment context.","type":"string"},"name":{"title":"Name","description":"The name of the volume instance","type":"string"},"mode":{"title":"Mode","description":"The mode for the volume instance.","type":"string","enum":["filesystem","block"],"default":"filesystem"},"path":{"title":"Path","description":"The underlying path created from the actual volume.","type":"string"},"sizeAllocated":{"title":"Size allocated","description":"The allocated size of the volume accessible to the associated workspace. 
This should include the scalar size as well as IEC standard unit in either decimal or binary form.","examples":["10GB","2Ti","1Pi"],"type":"string"},"persistent":{"title":"Persistent","description":"Indicates if the volume persists beyond the life of the resource it is associated with.","type":"boolean"},"remote":{"title":"Remote","description":"Indicates if the volume is remotely (i.e., network) attached.","type":"boolean"},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"trigger":{"title":"Trigger","description":"Represents a resource that can conditionally activate (or fire) tasks based upon associated events and their data.","type":"object","additionalProperties":false,"required":["type","bom-ref","uid"],"properties":{"bom-ref":{"title":"BOM Reference","description":"An identifier which can be used to reference the trigger elsewhere in the BOM. Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"uid":{"title":"Unique Identifier (UID)","description":"The unique identifier for the resource instance within its deployment context.","type":"string"},"name":{"title":"Name","description":"The name of the resource instance.","type":"string"},"description":{"title":"Description","description":"A description of the resource instance.","type":"string"},"resourceReferences":{"title":"Resource references","description":"References to component or service resources that are used to realize the resource instance.","type":"array","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/resourceReferenceChoice"}},"type":{"title":"Type","description":"The source type of event which caused the trigger to fire.","type":"string","enum":["manual","api","webhook","scheduled"]},"event":{"title":"Event","description":"The event data that caused the associated trigger to 
activate.","$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/event"},"conditions":{"type":"array","title":"Conditions","description":"A list of conditions used to determine if a trigger should be activated.","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/condition"}},"timeActivated":{"title":"Time activated","description":"The date and time (timestamp) when the trigger was activated.","type":"string","format":"date-time"},"inputs":{"title":"Inputs","description":"Represents resources and data brought into a task at runtime by executor or task commands","examples":["a `configuration` file which was declared as a local `component` or `externalReference`"],"type":"array","items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/inputType"},"uniqueItems":true},"outputs":{"title":"Outputs","description":"Represents resources and data output from a task at runtime by executor or task commands","examples":["a log file or metrics data produced by the task"],"type":"array","items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/outputType"},"uniqueItems":true},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"event":{"title":"Event","description":"Represents something that happened that may trigger a response.","type":"object","additionalProperties":false,"properties":{"uid":{"title":"Unique Identifier (UID)","description":"The unique identifier of the event.","type":"string"},"description":{"title":"Description","description":"A description of the event.","type":"string"},"timeReceived":{"title":"Time Received","description":"The date and time (timestamp) when the event was received.","type":"string","format":"date-time"},"data":{"title":"Data","description":"Encoding of the raw event data.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/attachment"},"source":{"title":"Source","description":"References the component or service that was the source of the 
event","$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/resourceReferenceChoice"},"target":{"title":"Target","description":"References the component or service that was the target of the event","$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/resourceReferenceChoice"},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"inputType":{"title":"Input type","description":"Type that represents various input data types and formats.","type":"object","oneOf":[{"required":["resource"]},{"required":["parameters"]},{"required":["environmentVars"]},{"required":["data"]}],"additionalProperties":false,"properties":{"source":{"title":"Source","description":"A reference to the component or service that provided the input to the task (e.g., reference to a service with data flow value of `inbound`)","examples":["source code repository","database"],"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/resourceReferenceChoice"},"target":{"title":"Target","description":"A reference to the component or service that received or stored the input if not the task itself (e.g., a local, named storage workspace)","examples":["workspace","directory"],"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/resourceReferenceChoice"},"resource":{"title":"Resource","description":"A reference to an independent resource provided as an input to a task by the workflow runtime.","examples":["a reference to a configuration file in a repository (i.e., a bom-ref)","a reference to a scanning service used in a task (i.e., a bom-ref)"],"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/resourceReferenceChoice"},"parameters":{"title":"Parameters","description":"Inputs that have the form of parameters with names and values.","type":"array","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/parameter"}},"environmentVars":{"title":"Environment variables","description":"Inputs that have the form of parameters with names and 
values.","type":"array","uniqueItems":true,"items":{"oneOf":[{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/property"},{"type":"string","title":"String-Based Environment Variables","description":"In addition to the more common key–value pair format, some environment variables may consist of a single string without an explicit value assignment. These string-based environment variables typically act as flags or signals to software, indicating that a feature should be enabled, a mode should be activated, or a specific condition is present. Their presence alone conveys meaning."}]}},"data":{"title":"Data","description":"Inputs that have the form of data.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/attachment"},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"outputType":{"type":"object","oneOf":[{"required":["resource"]},{"required":["environmentVars"]},{"required":["data"]}],"additionalProperties":false,"properties":{"type":{"title":"Type","description":"Describes the type of data output.","type":"string","enum":["artifact","attestation","log","evidence","metrics","other"]},"source":{"title":"Source","description":"Component or service that generated or provided the output from the task (e.g., a build tool)","$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/resourceReferenceChoice"},"target":{"title":"Target","description":"Component or service that received the output from the task (e.g., reference to an artifactory service with data flow value of `outbound`)","examples":["a log file described as an `externalReference` within its target domain."],"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/resourceReferenceChoice"},"resource":{"title":"Resource","description":"A reference to an independent resource generated as output by the task.","examples":["configuration file","source code","scanning service"],"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/resourceReferenceChoice"},"data":{"title":"Data","description":"Outputs that have the form of 
data.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/attachment"},"environmentVars":{"title":"Environment variables","description":"Outputs that have the form of environment variables.","type":"array","items":{"oneOf":[{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/property"},{"type":"string","title":"String-Based Environment Variables","description":"In addition to the more common key–value pair format, some environment variables may consist of a single string without an explicit value assignment. These string-based environment variables typically act as flags or signals to software, indicating that a feature should be enabled, a mode should be activated, or a specific condition is present. Their presence alone conveys meaning."}]},"uniqueItems":true},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"resourceReferenceChoice":{"title":"Resource reference choice","description":"A reference to a locally defined resource (e.g., a bom-ref) or an externally accessible resource.","type":"object","additionalProperties":false,"properties":{"ref":{"title":"BOM Reference","description":"References an object by its bom-ref attribute","anyOf":[{"title":"Ref","$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"},{"title":"BOM-Link Element","$ref":"#/$defs/cyclonedx-common-2.0/$defs/bomLinkElementType"}]},"externalReference":{"title":"External reference","description":"Reference to an externally accessible resource.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/externalReference"}},"oneOf":[{"required":["ref"]},{"required":["externalReference"]}]},"condition":{"title":"Condition","description":"A condition that was used to determine a trigger should be activated.","type":"object","additionalProperties":false,"properties":{"description":{"title":"Description","description":"Describes the set of conditions which cause the trigger to activate.","type":"string"},"expression":{"title":"Expression","description":"The logical expression that was evaluated that 
determined the trigger should be fired.","type":"string"},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"taskType":{"type":"string","enum":["copy","clone","lint","scan","merge","build","test","deliver","deploy","release","clean","other"],"meta:enum":{"copy":"A task that copies software or data used to accomplish other tasks in the workflow.","clone":"A task that clones a software repository into the workflow in order to retrieve its source code or data for use in a build step.","lint":"A task that checks source code for programmatic and stylistic errors.","scan":"A task that performs a scan against source code, or built or deployed components and services. Scans are typically run to gather or test for security vulnerabilities or policy compliance.","merge":"A task that merges changes or fixes into source code prior to a build step in the workflow.","build":"A task that builds the source code, dependencies and/or data into an artifact that can be deployed to and executed on target systems.","test":"A task that verifies the functionality of a component or service.","deliver":"A task that delivers a built artifact to one or more target repositories or storage systems.","deploy":"A task that deploys a built artifact for execution on one or more target systems.","release":"A task that releases a built, versioned artifact to a target repository or distribution system.","clean":"A task that cleans unnecessary tools, build artifacts and/or data from workflow storage.","other":"A workflow task that does not match current task type definitions."}},"parameter":{"title":"Parameter","description":"A representation of a functional parameter.","type":"object","additionalProperties":false,"properties":{"name":{"title":"Name","description":"The name of the parameter.","type":"string"},"value":{"title":"Value","description":"The value of the parameter.","type":"string"},"dataType":{"title":"Data type","description":"The data type of the 
parameter.","type":"string"}}}}},"cyclonedx-license-2.0":{"type":"null","title":"CycloneDX License Model","$defs":{"licenseChoice":{"title":"License Choice","description":"A list of SPDX licenses and/or named licenses and/or SPDX License Expression.","type":"array","items":{"oneOf":[{"type":"object","title":"License","required":["license"],"additionalProperties":false,"properties":{"license":{"$ref":"#/$defs/cyclonedx-license-2.0/$defs/license"}}},{"title":"License Expression","description":"Specifies the details and attributes related to a software license.\nIt must be a valid SPDX license expression, along with additional properties such as license acknowledgment.","type":"object","additionalProperties":false,"required":["expression"],"properties":{"expression":{"type":"string","title":"SPDX License Expression","description":"A valid SPDX license expression.\nRefer to https://spdx.org/specifications for syntax requirements.","examples":["Apache-2.0 AND (MIT OR GPL-2.0-only)","GPL-3.0-only WITH Classpath-exception-2.0"]},"expressionDetails":{"title":"Expression Details","description":"Details for parts of the `expression`.","type":"array","items":{"type":"object","description":"This document specifies the details and attributes related to a software license identifier. An SPDX expression may be a compound of license identifiers.\nThe `license_identifier` property serves as the key that identifies each record. Note that this key is not required to be unique, as the same license identifier could apply to multiple, different but similar license details, texts, etc.","required":["licenseIdentifier"],"properties":{"licenseIdentifier":{"title":"License Identifier","description":"The valid SPDX license identifier. 
Refer to https://spdx.org/specifications for syntax requirements.\nThis property serves as the primary key, which uniquely identifies each record.","type":"string","examples":["Apache-2.0","GPL-3.0-only WITH Classpath-exception-2.0","LicenseRef-my-custom-license"]},"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"An identifier which can be used to reference the license elsewhere in the BOM. Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links."},"text":{"title":"License texts","description":"A way to include the textual content of the license.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/attachment"},"url":{"type":"string","title":"License URL","description":"The URL to the license file. If specified, a 'license' externalReference should also be specified for completeness","examples":["https://www.apache.org/licenses/LICENSE-2.0.txt"],"format":"iri-reference"}},"additionalProperties":false}},"acknowledgement":{"$ref":"#/$defs/cyclonedx-license-2.0/$defs/licenseAcknowledgementEnumeration"},"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"An identifier which can be used to reference the license elsewhere in the BOM. Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links."},"licensing":{"$ref":"#/$defs/cyclonedx-license-2.0/$defs/licensing"},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}}]}},"license":{"type":"object","title":"License","description":"Specifies the details and attributes related to a software license. 
It can either include a valid SPDX license identifier or a named license, along with additional properties such as license acknowledgment, comprehensive commercial licensing information, and the full text of the license.","oneOf":[{"required":["id"]},{"required":["name"]}],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"An identifier which can be used to reference the license elsewhere in the BOM. Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links."},"id":{"$ref":"../spdx.schema.json","title":"License ID (SPDX)","description":"A valid SPDX license identifier. If specified, this value must be one of the enumeration of valid SPDX license identifiers defined in the spdx.schema.json (or spdx.xml) subschema which is synchronized with the official SPDX license list.","examples":["Apache-2.0"]},"name":{"type":"string","title":"License Name","description":"The name of the license. This may include the name of a commercial or proprietary license or an open source license that may not be defined by SPDX.","examples":["Acme Software License"]},"acknowledgement":{"$ref":"#/$defs/cyclonedx-license-2.0/$defs/licenseAcknowledgementEnumeration"},"text":{"title":"License text","description":"A way to include the textual content of a license.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/attachment"},"url":{"type":"string","title":"License URL","description":"The URL to the license file. 
If specified, a 'license' externalReference should also be specified for completeness","examples":["https://www.apache.org/licenses/LICENSE-2.0.txt"],"format":"iri-reference"},"licensing":{"$ref":"#/$defs/cyclonedx-license-2.0/$defs/licensing"},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"licenseAcknowledgementEnumeration":{"title":"License Acknowledgement","description":"Declared licenses and concluded licenses represent two different stages in the licensing process within software development. Declared licenses refer to the initial intention of the software authors regarding the licensing terms under which their code is released. On the other hand, concluded licenses are the result of a comprehensive analysis of the project's codebase to identify and confirm the actual licenses of the components used, which may differ from the initially declared licenses. While declared licenses provide an upfront indication of the licensing intentions, concluded licenses offer a more thorough understanding of the actual licensing within a project, facilitating proper compliance and risk management. Observed licenses are defined in `@.evidence.licenses`. 
Observed licenses form the evidence necessary to substantiate a concluded license.","type":"string","enum":["declared","concluded"],"meta:enum":{"declared":"Declared licenses represent the initial intentions of authors regarding the licensing terms of their code.","concluded":"Concluded licenses are verified and confirmed."}},"licensing":{"type":"object","title":"Licensing information","description":"Licensing details describing the licensor/licensee, license type, renewal and expiration dates, and other important metadata","additionalProperties":false,"properties":{"altIds":{"type":"array","title":"Alternate License Identifiers","description":"License identifiers that may be used to manage licenses and their lifecycle","items":{"type":"string"}},"licensor":{"title":"Licensor","description":"The individual or organization that grants a license to another individual or organization","type":"object","additionalProperties":false,"properties":{"organization":{"title":"Licensor (Organization)","description":"The organization that granted the license","$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity"},"individual":{"title":"Licensor (Individual)","description":"The individual, not associated with an organization, that granted the license","$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalContact"}},"oneOf":[{"required":["organization"]},{"required":["individual"]}]},"licensee":{"title":"Licensee","description":"The individual or organization for which a license was granted to","type":"object","additionalProperties":false,"properties":{"organization":{"title":"Licensee (Organization)","description":"The organization that was granted the license","$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity"},"individual":{"title":"Licensee (Individual)","description":"The individual, not associated with an organization, that was granted the 
license","$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalContact"}},"oneOf":[{"required":["organization"]},{"required":["individual"]}]},"purchaser":{"title":"Purchaser","description":"The individual or organization that purchased the license","type":"object","additionalProperties":false,"properties":{"organization":{"title":"Purchaser (Organization)","description":"The organization that purchased the license","$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity"},"individual":{"title":"Purchaser (Individual)","description":"The individual, not associated with an organization, that purchased the license","$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalContact"}},"oneOf":[{"required":["organization"]},{"required":["individual"]}]},"purchaseOrder":{"type":"string","title":"Purchase Order","description":"The purchase order identifier the purchaser sent to a supplier or vendor to authorize a purchase"},"licenseTypes":{"type":"array","title":"License Type","description":"The type of license(s) that was granted to the licensee.","items":{"type":"string","enum":["academic","appliance","client-access","concurrent-user","core-points","custom-metric","device","evaluation","named-user","node-locked","oem","perpetual","processor-points","subscription","user","other"],"meta:enum":{"academic":"A license that grants use of software solely for the purpose of education or research.","appliance":"A license covering use of software embedded in a specific piece of hardware.","client-access":"A Client Access License (CAL) allows client computers to access services provided by server software.","concurrent-user":"A Concurrent User license (aka floating license) limits the number of licenses for a software application and licenses are shared among a larger number of users.","core-points":"A license where the core of a computer's processor is assigned a specific number of points.","custom-metric":"A license for which consumption is measured by non-standard 
metrics.","device":"A license that covers a defined number of installations on computers and other types of devices.","evaluation":"A license that grants permission to install and use software for trial purposes.","named-user":"A license that grants access to the software to one or more pre-defined users.","node-locked":"A license that grants access to the software on one or more pre-defined computers or devices.","oem":"An Original Equipment Manufacturer license that is delivered with hardware, cannot be transferred to other hardware, and is valid for the life of the hardware.","perpetual":"A license where the software is sold on a one-time basis and the licensee can use a copy of the software indefinitely.","processor-points":"A license where each installation consumes points per processor.","subscription":"A license where the licensee pays a fee to use the software or service.","user":"A license that grants access to the software or service by a specified number of users.","other":"Another license type."}}},"lastRenewal":{"type":"string","format":"date-time","title":"Last Renewal","description":"The timestamp indicating when the license was last renewed. For new purchases, this is often the purchase or acquisition date. 
For non-perpetual licenses or subscriptions, this is the timestamp of when the license was last renewed."},"expiration":{"type":"string","format":"date-time","title":"Expiration","description":"The timestamp indicating when the current license expires (if applicable)."}}}}},"cyclonedx-metadata-2.0":{"type":"null","title":"CycloneDX Metadata Model","$defs":{"metadata":{"type":"object","title":"BOM Metadata","description":"Provides additional information about a BOM.","additionalProperties":false,"properties":{"timestamp":{"type":"string","format":"date-time","title":"Timestamp","description":"The date and time (timestamp) when the BOM was created."},"lifecycles":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/lifecycles"},"tools":{"type":"object","title":"Tools","description":"The tool(s) used in the creation, enrichment, and validation of the BOM.","additionalProperties":false,"properties":{"components":{"$ref":"#/$defs/cyclonedx-component-2.0/$defs/components","description":"A list of software and hardware components used as tools."},"services":{"$ref":"#/$defs/cyclonedx-service-2.0/$defs/services","description":"A list of services used as tools. This may include microservices, function-as-a-service, and other types of network or intra-process services."}}},"manufacturer":{"title":"BOM Manufacturer","description":"The organization that created the BOM.\nManufacturer is common in BOMs created through automated processes. BOMs created through manual means may have `@.authors` instead.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity"},"authors":{"type":"array","title":"BOM Authors","description":"The person(s) who created the BOM.\nAuthors are common in BOMs created through manual processes. 
BOMs created through automated means may have `@.manufacturer` instead.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalContact"}},"component":{"description":"The component that the BOM describes.","$ref":"#/$defs/cyclonedx-component-2.0/$defs/component"},"supplier":{"title":"Supplier","description":" The organization that supplied the component that the BOM describes. The supplier may often be the manufacturer, but may also be a distributor or repackager.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity"},"licenses":{"title":"BOM License(s)","description":"The license information for the BOM document.\nThis may be different from the license(s) of the component(s) that the BOM describes.","$ref":"#/$defs/cyclonedx-license-2.0/$defs/licenseChoice"},"distributionConstraints":{"$ref":"#/$defs/cyclonedx-metadata-2.0/$defs/distributionConstraints"},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"distributionConstraints":{"title":"Distribution Constraints","description":"Conditions and constraints governing the sharing and distribution of the data or components described by this BOM.","type":"object","properties":{"tlp":{"$ref":"#/$defs/cyclonedx-metadata-2.0/$defs/tlpClassification","description":"The Traffic Light Protocol (TLP) classification that controls the sharing and distribution of the data that the BOM describes."}}},"tlpClassification":{"title":"Traffic Light Protocol (TLP) Classification","description":"Traffic Light Protocol (TLP) is a classification system for identifying the potential risk associated with artefact, including whether it is subject to certain types of legal, financial, or technical threats. 
Refer to [https://www.first.org/tlp/](https://www.first.org/tlp/) for further information.\nThe default classification is \"CLEAR\"","type":"string","default":"CLEAR","enum":["CLEAR","GREEN","AMBER","AMBER_AND_STRICT","RED"],"meta:enum":{"CLEAR":"The information is not subject to any restrictions as regards the sharing.","GREEN":"The information is subject to limited disclosure, and recipients can share it within their community but not via publicly accessible channels.","AMBER":"The information is subject to limited disclosure, and recipients can only share it on a need-to-know basis within their organization and with clients.","AMBER_AND_STRICT":"The information is subject to limited disclosure, and recipients can only share it on a need-to-know basis within their organization.","RED":"The information is subject to restricted distribution to individual recipients only and must not be shared."}}}},"cyclonedx-patent-2.0":{"type":"null","title":"CycloneDX Patent Model","$defs":{"patents":{"type":"array","title":"Patents","description":"The list of either individual patents or patent families.","items":{"anyOf":[{"$ref":"#/$defs/cyclonedx-patent-2.0/$defs/patent"},{"$ref":"#/$defs/cyclonedx-patent-2.0/$defs/patentFamily"}]}},"patent":{"type":"object","title":"Patent","description":"A patent is a legal instrument, granted by an authority, that confers certain rights over an invention for a specified period, contingent on public disclosure and adherence to relevant legal requirements. The summary information in this object is aligned with [WIPO ST.96](https://www.wipo.int/standards/en/st96/) principles where applicable.","required":["patentNumber","jurisdiction","patentLegalStatus"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"An identifier which can be used to reference the object elsewhere in the BOM. 
Every `bom-ref` must be unique within the BOM."},"patentNumber":{"type":"string","pattern":"^[A-Za-z0-9][A-Za-z0-9\\-/.()\\s]{0,28}[A-Za-z0-9]$","title":"Patent Number","description":"The unique number assigned to the granted patent by the issuing authority. Aligned with `PatentNumber` in WIPO ST.96. Refer to [PatentNumber in ST.96](https://www.wipo.int/standards/XMLSchema/ST96/V8_0/Patent/PatentNumber.xsd).","examples":["US987654321","EP1234567B1"]},"applicationNumber":{"$ref":"#/$defs/cyclonedx-patent-2.0/$defs/patentApplicationNumber"},"jurisdiction":{"$ref":"#/$defs/cyclonedx-patent-2.0/$defs/patentJurisdiction"},"priorityApplication":{"$ref":"#/$defs/cyclonedx-patent-2.0/$defs/priorityApplication"},"publicationNumber":{"type":"string","pattern":"^[A-Za-z0-9][A-Za-z0-9\\-/.()\\s]{0,28}[A-Za-z0-9]$","title":"Patent Publication Number","description":"This is the number assigned to a patent application once it is published. Patent applications are generally published 18 months after filing (unless an applicant requests non-publication). This number is distinct from the application number. \n\nPurpose: Identifies the publicly available version of the application. \n\nFormat: Varies by jurisdiction, often similar to application numbers but includes an additional suffix indicating publication. \n\nExample:\n - US: US20240000123A1 (indicates the first publication of application US20240000123) \n - Europe: EP23123456A1 (first publication of European application EP23123456). \n\nWIPO ST.96 v8.0: \n - Publication Number field: https://www.wipo.int/standards/XMLSchema/ST96/V8_0/Patent/PublicationNumber.xsd"},"title":{"type":"string","title":"Patent Title","description":"The title of the patent, summarising the invention it protects. Aligned with `InventionTitle` in WIPO ST.96. 
Refer to [InventionTitle in ST.96](https://www.wipo.int/standards/XMLSchema/ST96/V8_0/Patent/InventionTitle.xsd)."},"abstract":{"type":"string","title":"Patent Abstract","description":"A brief summary of the invention described in the patent. Aligned with `Abstract` and `P` in WIPO ST.96. Refer to [Abstract in ST.96](https://www.wipo.int/standards/XMLSchema/ST96/V8_0/Patent/Abstract.xsd)."},"filingDate":{"type":"string","format":"date","title":"Filing Date","description":"The date the patent application was filed with the jurisdiction. Aligned with `FilingDate` in WIPO ST.96. Refer to [FilingDate in ST.96](https://www.wipo.int/standards/XMLSchema/ST96/V8_0/Patent/FilingDate.xsd)."},"grantDate":{"type":"string","format":"date","title":"Grant Date","description":"The date the patent was granted by the jurisdiction. Aligned with `GrantDate` in WIPO ST.96. Refer to [GrantDate in ST.96](https://www.wipo.int/standards/XMLSchema/ST96/V8_0/Patent/GrantDate.xsd)."},"patentExpirationDate":{"type":"string","format":"date","title":"Expiration Date","description":"The date the patent expires. Derived from grant or filing date according to jurisdiction-specific rules."},"patentLegalStatus":{"type":"string","title":"Legal Status","description":"Indicates the current legal status of the patent or patent application, based on the WIPO ST.27 standard. This status reflects administrative, procedural, or legal events. 
Values include both active and inactive states and are useful for determining enforceability, procedural history, and maintenance status.","enum":["pending","granted","revoked","expired","lapsed","withdrawn","abandoned","suspended","reinstated","opposed","terminated","invalidated","in-force"],"meta:enum":{"pending":"The patent application has been filed but not yet examined or granted.","granted":"The patent application has been examined and a patent has been issued.","revoked":"The patent has been declared invalid through a legal or administrative process.","expired":"The patent has reached the end of its enforceable term.","lapsed":"The patent is no longer in force due to non-payment of maintenance fees or other requirements.","withdrawn":"The patent application was voluntarily withdrawn by the applicant.","abandoned":"The patent application was abandoned, often due to lack of action or response.","suspended":"Processing of the patent application has been temporarily halted.","reinstated":"A previously abandoned or lapsed patent has been reinstated.","opposed":"The patent application or granted patent is under formal opposition proceedings.","terminated":"The patent or application has been officially terminated.","invalidated":"The patent has been invalidated, either in part or in full.","in-force":"The granted patent is active and enforceable."}},"patentAssignee":{"type":"array","title":"Patent Assignees","description":"A collection of organisations or individuals to whom the patent rights are assigned. 
This supports joint ownership and allows for flexible representation of both corporate entities and individual inventors.","items":{"oneOf":[{"title":"Person","$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalContact"},{"title":"Organizational Entity","$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity"}]}},"externalReferences":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/externalReferences"}}},"patentFamily":{"type":"object","title":"Patent Family","description":"A patent family is a group of related patent applications or granted patents that cover the same or similar invention. These patents are filed in multiple jurisdictions to protect the invention across different regions or countries. A patent family typically includes patents that share a common priority date, originating from the same initial application, and may vary slightly in scope or claims to comply with regional legal frameworks. Fields align with WIPO ST.96 standards where applicable.","required":["familyId"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"An identifier which can be used to reference the object elsewhere in the BOM. Every `bom-ref` must be unique within the BOM. \n\nFor a patent, it might be a good idea to use a patent number as the BOM reference ID."},"familyId":{"type":"string","title":"Patent Family ID","description":"The unique identifier for the patent family, aligned with the `id` attribute in WIPO ST.96 v8.0's `PatentFamilyType`. 
Refer to [PatentFamilyType in ST.96](https://www.wipo.int/standards/XMLSchema/ST96/V8_0/Patent/PatentFamilyType.xsd)."},"priorityApplication":{"$ref":"#/$defs/cyclonedx-patent-2.0/$defs/priorityApplication"},"members":{"type":"array","title":"Family Members","description":"A collection of patents or applications that belong to this family, each identified by a `bom-ref` pointing to a patent object defined elsewhere in the BOM.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType","title":"BOM Reference","description":"A `bom-ref` linking to a patent or application object within the BOM."}},"externalReferences":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/externalReferences"}}},"patentAssertions":{"type":"array","title":"Patent Assertions","description":"A list of assertions made regarding patents associated with this component or service. Assertions distinguish between ownership, licensing, and other relevant interactions with patents.","items":{"type":"object","title":"Patent Assertion","description":"An assertion linking a patent or patent family to this component or service.","required":["assertionType","asserter"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"A reference to the patent or patent family object within the BOM. This must match the `bom-ref` of a `patent` or `patentFamily` object."},"assertionType":{"type":"string","title":"Assertion Type","description":"The type of assertion being made about the patent or patent family. 
Examples include ownership, licensing, and standards inclusion.","enum":["ownership","license","third-party-claim","standards-inclusion","prior-art","exclusive-rights","non-assertion","research-or-evaluation"],"meta:enum":{"ownership":"The manufacturer asserts ownership of the patent or patent family.","license":"The manufacturer asserts they have a license to use the patent or patent family.","third-party-claim":"A third party has asserted a claim or potential infringement against the manufacturer’s component or service.","standards-inclusion":"The patent is part of a standard essential patent (SEP) portfolio relevant to the component or service.","prior-art":"The manufacturer asserts the patent or patent family as prior art that invalidates another patent or claim.","exclusive-rights":"The manufacturer asserts exclusive rights granted through a licensing agreement.","non-assertion":"The manufacturer asserts they will not enforce the patent or patent family against certain uses or users.","research-or-evaluation":"The patent or patent family is being used under a research or evaluation license."}},"patentRefs":{"type":"array","title":"Patent References","description":"A list of BOM references (`bom-ref`) linking to patents or patent families associated with this assertion.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"}},"asserter":{"oneOf":[{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity","title":"Organizational Entity"},{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalContact","title":"Person"},{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType","title":"Reference","description":"A reference to a previously defined `organizationalContact` or `organizationalEntity` object in the BOM. The value must be a valid `bom-ref` pointing to one of these objects."}]},"notes":{"type":"string","title":"Notes","description":"Additional notes or clarifications regarding the assertion, if necessary. 
For example, geographical restrictions, duration, or limitations of a license."}}}},"patentApplicationNumber":{"type":"string","pattern":"^[A-Za-z0-9][A-Za-z0-9\\-/.()\\s]{0,28}[A-Za-z0-9]$","title":"Patent Application Number","description":"The unique number assigned to a patent application when it is filed with a patent office. It is used to identify the specific application and track its progress through the examination process. Aligned with `ApplicationNumber` in ST.96. Refer to [ApplicationIdentificationType in ST.96](https://www.wipo.int/standards/XMLSchema/ST96/V8_0/Patent/ApplicationIdentificationType.xsd).","examples":["US20240000123","EP23123456"]},"patentJurisdiction":{"type":"string","title":"Jurisdiction","description":"The jurisdiction or patent office where the priority application was filed, specified using WIPO ST.3 codes. Aligned with `IPOfficeCode` in ST.96. Refer to [IPOfficeCode in ST.96](https://www.wipo.int/standards/XMLSchema/ST96/V8_0/Common/IPOfficeCode.xsd).","pattern":"^[A-Z]{2}$","examples":["US","EP","JP"]},"patentFilingDate":{"type":"string","format":"date","title":"Filing Date","description":"The date the priority application was filed, aligned with `FilingDate` in ST.96. Refer to [FilingDate in ST.96](https://www.wipo.int/standards/XMLSchema/ST96/V8_0/Patent/FilingDate.xsd)."},"priorityApplication":{"type":"object","title":"Priority Application","description":"The priorityApplication contains the essential data necessary to identify and reference an earlier patent filing for priority rights. 
In line with WIPO ST.96 guidelines, it includes the jurisdiction (office code), application number, and filing date-the three key elements that uniquely specify the priority application in a global patent context.","required":["applicationNumber","jurisdiction","filingDate"],"additionalProperties":false,"properties":{"applicationNumber":{"$ref":"#/$defs/cyclonedx-patent-2.0/$defs/patentApplicationNumber"},"jurisdiction":{"$ref":"#/$defs/cyclonedx-patent-2.0/$defs/patentJurisdiction"},"filingDate":{"$ref":"#/$defs/cyclonedx-patent-2.0/$defs/patentFilingDate"}}}}},"cyclonedx-release-notes-2.0":{"type":"null","title":"CycloneDX Release Notes Model","$defs":{"releaseNotes":{"type":"object","title":"Release notes","required":["type"],"additionalProperties":false,"properties":{"type":{"$ref":"#/$defs/cyclonedx-release-notes-2.0/$defs/releaseType","title":"Type","description":"The software versioning type the release note describes."},"title":{"type":"string","title":"Title","description":"The title of the release."},"featuredImage":{"type":"string","format":"iri-reference","title":"Featured image","description":"The URL to an image that may be prominently displayed with the release note."},"socialImage":{"type":"string","format":"iri-reference","title":"Social image","description":"The URL to an image that may be used in messaging on social media platforms."},"description":{"type":"string","title":"Description","description":"A short description of the release."},"timestamp":{"type":"string","format":"date-time","title":"Timestamp","description":"The date and time (timestamp) when the release note was created."},"aliases":{"type":"array","items":{"type":"string"},"title":"Aliases","description":"One or more alternate names the release may be referred to. This may include unofficial terms used by development and marketing teams (e.g. 
code names)."},"tags":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/tags","title":"Tags"},"resolves":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/issue"},"title":"Resolves","description":"A collection of issues that have been resolved."},"notes":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-release-notes-2.0/$defs/note"},"title":"Notes","description":"Zero or more release notes containing the locale and content. Multiple note objects may be specified to support release notes in a wide variety of languages."},"properties":{"type":"array","title":"Properties","description":"Provides the ability to document properties in a name-value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. Unlike key-value stores, properties support duplicate names, each potentially having different values. Property names of interest to the general public are encouraged to be registered in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy). Formal registration is optional.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/property"}}}},"releaseType":{"type":"string","examples":["major","minor","patch","pre-release","internal"],"description":"The software versioning type. It is recommended that the release type use one of 'major', 'minor', 'patch', 'pre-release', or 'internal'. 
Representing all possible software release types is not practical, so standardizing on the recommended values, whenever possible, is strongly encouraged.\n\n* __major__ = A major release may contain significant changes or may introduce breaking changes.\n* __minor__ = A minor release, also known as an update, may contain a smaller number of changes than major releases.\n* __patch__ = Patch releases are typically unplanned and may resolve defects or important security issues.\n* __pre-release__ = A pre-release may include alpha, beta, or release candidates and typically have limited support. They provide the ability to preview a release prior to its general availability.\n* __internal__ = Internal releases are not for public consumption and are intended to be used exclusively by the project or manufacturer that produced it."},"note":{"type":"object","title":"Note","description":"A note containing the locale and content.","required":["text"],"additionalProperties":false,"properties":{"locale":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/locale","title":"Locale","description":"The ISO-639 (or higher) language code and optional ISO-3166 (or higher) country code. 
Examples include: \"en\", \"en-US\", \"fr\" and \"fr-CA\""},"text":{"title":"Release note content","description":"Specifies the full content of the release note.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/attachment"}}}}},"cyclonedx-requirement-2.0":{"type":"null","title":"CycloneDX Engineering Requirement Model","$defs":{"requirement":{"type":"object","title":"Requirement","description":"A requirement represents a specific need, constraint, or capability that must be met.","additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"id":{"type":"string","title":"Identifier","description":"A unique identifier for the requirement, often used in requirement management systems (e.g., REQ-001)."},"name":{"type":"string","title":"Name","description":"A short name or title for the requirement."},"description":{"type":"string","title":"Description","description":"A detailed description of the requirement."},"type":{"type":"array","title":"Requirement Types","description":"The categories or classifications applicable to the requirement.","items":{"$ref":"#/$defs/cyclonedx-requirement-2.0/$defs/requirementType"},"uniqueItems":true},"priority":{"type":"string","title":"Priority","description":"The priority level of the requirement.","enum":["critical","high","medium","low"]},"status":{"$ref":"#/$defs/cyclonedx-requirement-2.0/$defs/requirementStatus"},"version":{"type":"string","title":"Version","description":"The version of the requirement."},"stakeholders":{"type":"array","title":"Stakeholders","description":"The individuals or groups who have an interest in the requirement.","items":{"type":"string"}},"acceptanceCriteria":{"type":"array","title":"Acceptance Criteria","description":"Criteria that must be met for the requirement to be considered satisfied.","items":{"$ref":"#/$defs/cyclonedx-requirement-2.0/$defs/acceptanceCriterion"}},"dependencies":{"type":"array","title":"Dependencies","description":"Other requirements that 
this requirement depends on.","items":{"$ref":"#/$defs/cyclonedx-requirement-2.0/$defs/dependency"}},"parent":{"type":"string","title":"Parent BOM Reference","description":"The optional `bom-ref` to a parent requirement. This establishes a hierarchy of requirements."},"rationale":{"type":"string","title":"Rationale","description":"The reasoning or justification for the requirement."},"fitCriterion":{"type":"string","title":"Fit Criterion","description":"A measurable test that the solution must pass to be acceptable to the stakeholders."},"effort":{"type":"string","title":"Effort Estimation","description":"An estimation of the effort required to implement the requirement."},"risk":{"type":"string","title":"Risk","description":"The risk level associated with implementing or not implementing the requirement.","enum":["critical","high","medium","low"]},"attachments":{"type":"array","title":"Attachments","description":"Files or documents attached to the requirement.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/attachment"}},"properties":{"type":"array","title":"Properties","description":"Provides the ability to document properties in a name-value store. 
This provides flexibility to include data not officially supported in the standard.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/property"}},"externalReferences":{"type":"array","title":"External References","description":"External references provide a way to document systems, sites, and information that may be relevant to the requirement.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/externalReference"}}}},"requirementType":{"type":"string","title":"Requirement Type","description":"The category or classification applicable to the requirement.","enum":["accessibility","auditability","availability","business","compatibility","compliance","deployment","functional","interoperability","localization","maintainability","non-functional","other","performance","portability","privacy","regulatory","reliability","scalability","security","system","testability","usability","user"],"meta:enum":{"accessibility":"Requirements ensuring inclusive access for people with disabilities or impairments.","auditability":"Requirements defining the capability of a system to record activities for review and compliance purposes.","availability":"Requirements describing the uptime and operational availability of systems or services.","business":"Requirements derived from organizational goals, strategies, or business processes.","compatibility":"Requirements ensuring the software or system functions correctly with other systems or legacy components.","compliance":"Requirements ensuring adherence to internal policies, industry standards, or external agreements beyond regulatory mandates.","deployment":"Requirements related to deploying, configuring, and operating the system in production environments.","functional":"Requirements specifying the fundamental behaviors and capabilities of the system or application.","interoperability":"Requirements addressing the ability of the system to interact seamlessly with external systems or products.","localization":"Requirements specifying 
adaptations for specific languages, cultures, or regional needs.","maintainability":"Requirements aimed at ensuring the ease of performing maintenance, enhancements, or repairs.","non-functional":"Requirements that define constraints or qualities such as performance, usability, reliability, etc., rather than specific functionality.","other":"Requirements that do not clearly fit into other specified categories.","performance":"Requirements specifying response times, throughput, or other efficiency-related aspects.","portability":"Requirements enabling the system or components to be transferred easily across various environments or platforms.","privacy":"Requirements specifically addressing the handling and protection of personal and sensitive data.","regulatory":"Requirements necessary for legal compliance, dictated by laws, regulations, or standards.","reliability":"Requirements ensuring the system consistently performs under specified conditions and duration.","scalability":"Requirements focused on the ability of the system to grow and manage increased demand effectively.","security":"Requirements intended to protect systems, data, and users from malicious actions or threats.","system":"Technical requirements defining infrastructure, architecture, or underlying technologies.","testability":"Requirements ensuring the system can be effectively validated and tested.","usability":"Requirements addressing the ease of use, intuitiveness, and overall user experience.","user":"Requirements captured directly from user needs, tasks, and expectations."}},"requirementStatus":{"type":"string","title":"Status","description":"The current status of the requirement in the development lifecycle.","enum":["draft","proposed","approved","implemented","verified","deferred","rejected","replaced","obsolete"]},"acceptanceCriterion":{"type":"object","title":"Acceptance Criterion","description":"A specific condition that must be met for the requirement to be considered 
satisfied.","additionalProperties":false,"properties":{"id":{"type":"string","title":"Identifier","description":"A unique identifier for the acceptance criterion."},"description":{"type":"string","title":"Description","description":"A description of the acceptance criterion."},"status":{"type":"string","title":"Status","description":"The current status of the acceptance criterion.","enum":["pending","passed","failed"]}}},"dependency":{"type":"object","title":"Dependency","description":"A dependency on another requirement.","additionalProperties":false,"properties":{"ref":{"oneOf":[{"title":"Ref","$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"},{"title":"BOM-Link Element","$ref":"#/$defs/cyclonedx-common-2.0/$defs/bomLinkElementType"}]},"type":{"type":"string","title":"Dependency Type","description":"The type of dependency relationship.","enum":["requires","conflicts-with","enhances","implements","other"]},"description":{"type":"string","title":"Description","description":"A description of the dependency relationship."}}}}},"cyclonedx-risk-2.0":{"type":"null","title":"CycloneDX Risk Model","properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","description":"An optional identifier which can be used to reference the risk assessment elsewhere in the BOM"},"domains":{"type":"array","description":"Risk domains covered by this assessment","items":{"$ref":"#/$defs/cyclonedx-risk-2.0/$defs/riskDomain"}},"scenarios":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-risk-2.0/$defs/scenario"},"description":"Risk scenarios identified"},"mitigations":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-risk-2.0/$defs/mitigation"},"description":"Controls, countermeasures, or mitigations to address identified risks"},"assessments":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-risk-2.0/$defs/assessment"},"description":"Risk assessments and 
evaluations"},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}},"$defs":{"riskDomain":{"type":"object","required":["type"],"additionalProperties":false,"properties":{"type":{"type":"string","enum":["security","privacy","operational","financial","compliance","strategic","reputational","safety","environmental","supply_chain","technical","project"],"meta:enum":{"security":"Information security and cybersecurity risks","privacy":"Data protection and privacy risks","operational":"Business operations and continuity risks","financial":"Financial loss and economic impact risks","compliance":"Regulatory and legal compliance risks","strategic":"Strategic business and market risks","reputational":"Brand and reputation damage risks","safety":"Human safety and physical security risks","environmental":"Environmental impact and sustainability risks","supply_chain":"Supply chain and third-party risks","technical":"Technical and technology risks","project":"Project delivery and execution risks"}},"priority":{"$ref":"#/$defs/cyclonedx-risk-2.0/$defs/priority"},"description":{"type":"string","description":"Additional context for this risk domain"}}},"riskAttribute":{"type":"string","description":"A classification of security and privacy attributes that represent potential impact areas when a risk is realized","enum":["accountability","authentication","authorization","authenticity","availability","compliance","confidentiality","connectivity","control","data_subject_rights","integrity","minimisation","non-repudiation","possession","privacy","purpose_limitation","transparency","utility"],"meta:enum":{"accountability":"Assigning responsibility for actions and decisions to individuals or entities","authentication":"Verifying the identity of users, devices, or systems before granting access","authorization":"Granting permissions based on identity and roles to perform specific actions or access resources","authenticity":"Ensuring that data, communications, or entities 
are genuine and can be verified","availability":"Ensuring systems, data, and services are accessible and operational when needed","compliance":"Adherence to applicable laws, regulations, policies, and standards","confidentiality":"Preventing unauthorised access to or disclosure of information","connectivity":"Maintaining secure and reliable communication between systems or components","control":"Enabling individuals to manage how their personal data is used and shared","data_subject_rights":"Guaranteeing individuals' rights to access, correct, delete, or restrict their personal data","integrity":"Ensuring information is accurate, complete, and unaltered by unauthorised actors","minimisation":"Limiting data collection and retention to what is strictly necessary for the intended purpose","non-repudiation":"Providing proof of origin and delivery to prevent denial of actions or communications","possession":"Ensuring control or custody over data or assets, regardless of ownership","privacy":"Protecting individuals' personal information in accordance with legal and ethical standards","purpose_limitation":"Ensuring that personal data is only used for the purpose explicitly specified at collection","transparency":"Ensuring individuals are informed about data practices, including collection, use, and sharing","utility":"Ensuring data is usable and in a format suitable for the intended purpose"}},"scenario":{"type":"object","required":["bom-ref","name","type"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"name":{"type":"string","description":"Name of the risk scenario"},"description":{"type":"string","description":"Detailed description of the scenario"},"type":{"type":"string","enum":["threat","vulnerability","weakness","risk","incident","opportunity","hazard"],"meta:enum":{"threat":"Security threat scenario","vulnerability":"Exploitable vulnerability","weakness":"System or design weakness","risk":"General risk 
scenario","incident":"Potential incident scenario","opportunity":"Positive risk (opportunity)","hazard":"Safety hazard scenario"}},"domain":{"$ref":"#/$defs/cyclonedx-risk-2.0/$defs/riskDomain"},"category":{"type":"string","description":"Category or classification of the scenario"},"likelihood":{"$ref":"#/$defs/cyclonedx-risk-2.0/$defs/likelihood"},"impact":{"$ref":"#/$defs/cyclonedx-risk-2.0/$defs/impact"},"riskScore":{"$ref":"#/$defs/cyclonedx-risk-2.0/$defs/riskScore"},"riskAttributes":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-risk-2.0/$defs/riskAttribute"},"description":"Risk attributes affected by this scenario"},"affectedAssets":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"description":"References to affected assets"},"mitigations":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"description":"References to mitigations that address this scenario"},"externalReferences":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/externalReference"}},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"likelihood":{"type":"object","required":["level"],"additionalProperties":false,"properties":{"level":{"type":"string","enum":["veryLow","low","medium","high","veryHigh","certain"],"description":"Likelihood level","meta:enum":{"veryLow":"Very unlikely to occur (< 10%)","low":"Unlikely to occur (10-30%)","medium":"Possible to occur (30-60%)","high":"Likely to occur (60-90%)","veryHigh":"Very likely to occur (> 90%)","certain":"Will certainly occur (100%)"}},"score":{"type":"number","minimum":0,"maximum":10,"description":"Numeric likelihood score"},"probability":{"type":"number","minimum":0,"maximum":1,"description":"Probability as a decimal (0-1)"},"rationale":{"type":"string","description":"Justification for the likelihood 
rating"}}},"impact":{"type":"object","required":["level"],"additionalProperties":false,"properties":{"level":{"type":"string","enum":["negligible","low","moderate","high","severe","catastrophic"],"description":"Impact severity level","meta:enum":{"negligible":"Minimal impact with no significant consequences","low":"Minor impact with limited consequences","moderate":"Moderate impact affecting some operations","high":"Significant impact with serious consequences","severe":"Severe impact with critical consequences","catastrophic":"Catastrophic impact with existential consequences"}},"score":{"type":"number","minimum":0,"maximum":10,"description":"Numeric impact score"},"categories":{"type":"array","items":{"type":"string","enum":["confidentiality","integrity","availability","financial","reputation","regulatory","safety","privacy","operational","strategic"],"meta:enum":{"confidentiality":"Impact on data confidentiality","integrity":"Impact on data or system integrity","availability":"Impact on service availability","financial":"Financial loss or impact","reputation":"Reputational damage","regulatory":"Regulatory compliance impact","safety":"Human safety impact","privacy":"Privacy violation impact","operational":"Operational disruption","strategic":"Strategic business impact"}},"description":"Categories of impact"},"riskAttributes":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-risk-2.0/$defs/riskAttribute"},"description":"Risk attributes affected"},"quantification":{"$ref":"#/$defs/cyclonedx-risk-2.0/$defs/impactQuantification"},"description":{"type":"string","description":"Description of the potential impact"}}},"impactQuantification":{"type":"object","additionalProperties":false,"properties":{"financialLoss":{"type":"number","description":"Estimated financial loss in currency units"},"currency":{"type":"string","pattern":"^[A-Z]{3}$","description":"ISO 4217 currency code"},"affectedUsers":{"type":"integer","description":"Number of affected 
users"},"downtime":{"type":"string","pattern":"^P(?!$)(\\d+Y)?(\\d+M)?(\\d+W)?(\\d+D)?(T(\\d+H)?(\\d+M)?(\\d+(\\.\\d+)?S)?)?$","description":"Expected downtime as ISO 8601 duration"},"dataRecords":{"type":"integer","description":"Number of data records affected"},"recovery":{"type":"string","pattern":"^P(?!$)(\\d+Y)?(\\d+M)?(\\d+W)?(\\d+D)?(T(\\d+H)?(\\d+M)?(\\d+(\\.\\d+)?S)?)?$","description":"Recovery time as ISO 8601 duration"}}},"riskScore":{"type":"object","required":["level"],"additionalProperties":false,"properties":{"level":{"type":"string","enum":["info","low","medium","high","critical"],"description":"Overall risk level","meta:enum":{"info":"Informational - no immediate action required","low":"Low risk - monitor and address in normal cycle","medium":"Medium risk - plan mitigation activities","high":"High risk - prioritize mitigation efforts","critical":"Critical risk - immediate action required"}},"score":{"type":"number","minimum":0,"description":"Numeric risk score"},"vector":{"type":"string","description":"Risk scoring vector (e.g., L:H/I:M)"},"methodology":{"type":"string","description":"Risk scoring methodology used"}}},"mitigation":{"type":"object","required":["bom-ref","name","type"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"name":{"type":"string","description":"Name of the mitigation"},"description":{"type":"string","description":"Description of what the mitigation does"},"type":{"type":"string","enum":["avoid","reduce","transfer","accept","control","countermeasure","safeguard","practice","procedure"],"meta:enum":{"avoid":"Avoid the risk entirely","reduce":"Reduce likelihood or impact","transfer":"Transfer risk to another party","accept":"Accept the risk","control":"Preventive or detective control","countermeasure":"Reactive measure to counter risks","safeguard":"Protective measure","practice":"Risk management practice","procedure":"Documented 
procedure"}},"strategy":{"type":"string","enum":["prevent","detect","respond","recover"],"meta:enum":{"prevent":"Prevents the risk from occurring","detect":"Detects when the risk occurs","respond":"Responds to the risk when detected","recover":"Recovers from the impact"}},"status":{"type":"string","enum":["proposed","approved","planned","inProgress","implemented","verified"],"meta:enum":{"proposed":"Mitigation has been proposed","approved":"Mitigation has been approved","planned":"Implementation is planned","inProgress":"Implementation is in progress","implemented":"Mitigation has been implemented","verified":"Effectiveness has been verified"}},"priority":{"$ref":"#/$defs/cyclonedx-risk-2.0/$defs/priority"},"effectiveness":{"$ref":"#/$defs/cyclonedx-risk-2.0/$defs/effectiveness"},"cost":{"type":"string","enum":["trivial","low","medium","high","extreme"],"meta:enum":{"trivial":"Minimal cost and effort","low":"Low cost and effort","medium":"Moderate cost and effort","high":"High cost and significant effort","extreme":"Extreme cost and major effort"}},"addresses":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"description":"References to scenarios this mitigation addresses"},"implementedBy":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"description":"References to assets that implement this mitigation"},"externalReferences":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/externalReference"}},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"effectiveness":{"type":"object","additionalProperties":false,"properties":{"percentage":{"type":"number","minimum":0,"maximum":100,"description":"Effectiveness as percentage"},"rating":{"type":"string","enum":["ineffective","marginal","adequate","good","excellent"],"meta:enum":{"ineffective":"Does not meaningfully reduce risk","marginal":"Slightly reduces risk","adequate":"Adequately reduces risk","good":"Significantly reduces 
risk","excellent":"Nearly eliminates risk"}}}},"assessment":{"type":"object","required":["bom-ref","type","timestamp"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"type":{"type":"string","enum":["initial","periodic","continuous","triggered"],"meta:enum":{"initial":"Initial risk assessment","periodic":"Scheduled periodic assessment","continuous":"Continuous monitoring assessment","triggered":"Event-triggered assessment"}},"timestamp":{"type":"string","format":"date-time","description":"When the assessment was performed"},"assessor":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntityOrContact","description":"Who performed the assessment"},"summary":{"type":"string","description":"Executive summary of the assessment"},"findings":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-risk-2.0/$defs/finding"},"description":"Specific findings from the assessment"},"overallRisk":{"$ref":"#/$defs/cyclonedx-risk-2.0/$defs/riskScore","description":"Overall risk score/level"},"recommendations":{"type":"array","items":{"type":"string"},"description":"Recommendations from the assessment"},"nextReview":{"type":"string","format":"date-time","description":"When the next review should occur"},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"finding":{"type":"object","required":["title","severity"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"title":{"type":"string","description":"Title of the finding"},"description":{"type":"string","description":"Detailed description of the finding"},"severity":{"$ref":"#/$defs/cyclonedx-risk-2.0/$defs/severity"},"relatedScenarios":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"description":"Scenarios related to this finding"},"relatedAssets":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"description":"Assets affected by this 
finding"},"remediation":{"type":"string","description":"Recommended remediation"},"status":{"type":"string","enum":["open","inProgress","resolved","accepted"],"meta:enum":{"open":"Finding is open and unaddressed","inProgress":"Remediation is in progress","resolved":"Finding has been resolved","accepted":"Risk has been accepted"}}}},"priority":{"type":"string","enum":["none","low","medium","high","critical"],"description":"Priority level","meta:enum":{"none":"No priority assigned","low":"Low priority - address when convenient","medium":"Medium priority - address in normal cycle","high":"High priority - address soon","critical":"Critical priority - address immediately"}},"severity":{"type":"string","enum":["info","low","medium","high","critical"],"description":"Severity level","meta:enum":{"info":"Informational finding","low":"Low severity issue","medium":"Medium severity issue","high":"High severity issue","critical":"Critical severity issue"}},"criticality":{"type":"string","enum":["minimal","low","moderate","high","critical"],"description":"Business criticality level","meta:enum":{"minimal":"Minimal impact on business operations","low":"Low impact with minor inconvenience","moderate":"Moderate impact affecting some operations","high":"High impact affecting critical operations","critical":"Critical impact with severe business consequences"}}}},"cyclonedx-service-2.0":{"type":"null","title":"CycloneDX Service Model","$defs":{"services":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-service-2.0/$defs/service"},"uniqueItems":true,"title":"Services"},"service":{"type":"object","title":"Service","required":["name"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"An identifier which can be used to reference the service elsewhere in the BOM. 
Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links."},"provider":{"title":"Provider","description":"The organization that provides the service.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity"},"group":{"type":"string","title":"Service Group","description":"The grouping name, namespace, or identifier. This will often be a shortened, single name of the company or project that produced the service or domain name. Whitespace and special characters should be avoided.","examples":["com.acme"]},"name":{"type":"string","title":"Service Name","description":"The name of the service. This will often be a shortened, single name of the service.","examples":["ticker-service"]},"version":{"$ref":"#/$defs/cyclonedx-component-2.0/$defs/version","title":"Service Version","description":"The service version."},"description":{"type":"string","title":"Service Description","description":"Specifies a description for the service"},"endpoints":{"type":"array","items":{"type":"string","format":"iri-reference"},"title":"Endpoints","description":"The endpoint URIs of the service. Multiple endpoints are allowed.","examples":["https://example.com/api/v1/ticker"]},"authenticated":{"type":"boolean","title":"Authentication Required","description":"A boolean value indicating if the service requires authentication. A value of true indicates the service requires authentication prior to use. A value of false indicates the service does not require authentication."},"x-trust-boundary":{"type":"boolean","title":"Crosses Trust Boundary","description":"A boolean value indicating if use of the service crosses a trust zone or boundary. A value of true indicates that by using the service, a trust boundary is crossed. 
A value of false indicates that by using the service, a trust boundary is not crossed."},"trustZone":{"type":"string","title":"Trust Zone","description":"The name of the trust zone the service resides in."},"data":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-service-2.0/$defs/serviceData"},"title":"Data","description":"Specifies information about the data including the directional flow of data and the data classification."},"licenses":{"$ref":"#/$defs/cyclonedx-license-2.0/$defs/licenseChoice","title":"Service License(s)"},"patentAssertions":{"$ref":"#/$defs/cyclonedx-patent-2.0/$defs/patentAssertions","title":"Service Patent(s)"},"externalReferences":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/externalReferences"},"services":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-service-2.0/$defs/service"},"uniqueItems":true,"title":"Services","description":"A list of services included or deployed behind the parent service. This is not a dependency tree. It provides a way to specify a hierarchical representation of service assemblies."},"releaseNotes":{"$ref":"#/$defs/cyclonedx-release-notes-2.0/$defs/releaseNotes","title":"Release notes","description":"Specifies release notes."},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"},"tags":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/tags","title":"Tags"},"signature":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/signature","title":"Signature","description":"Enveloped signature in [JSON Signature Format (JSF)](https://cyberphone.github.io/doc/security/jsf.html)."}}},"serviceData":{"type":"object","title":"Hash Objects","required":["flow","classification"],"additionalProperties":false,"properties":{"flow":{"$ref":"#/$defs/cyclonedx-data-2.0/$defs/dataFlowDirection","title":"Directional Flow","description":"Specifies the flow direction of the data. Direction is relative to the service. Inbound flow states that data enters the service. Outbound flow states that data leaves the service. 
Bi-directional states that data flows both ways and unknown states that the direction is not known."},"classification":{"$ref":"#/$defs/cyclonedx-data-2.0/$defs/dataClassification"},"name":{"type":"string","title":"Name","description":"Name for the defined data","examples":["Credit card reporting"]},"description":{"type":"string","title":"Description","description":"Short description of the data content and usage","examples":["Credit card information being exchanged in between the web app and the database"]},"governance":{"title":"Data Governance","$ref":"#/$defs/cyclonedx-data-2.0/$defs/dataGovernance"},"source":{"type":"array","items":{"anyOf":[{"title":"URL","type":"string","format":"iri-reference"},{"title":"BOM-Link Element","$ref":"#/$defs/cyclonedx-common-2.0/$defs/bomLinkElementType"}]},"title":"Source","description":"The URI, URL, or BOM-Link of the components or services the data came in from"},"destination":{"type":"array","items":{"anyOf":[{"title":"URL","type":"string","format":"iri-reference"},{"title":"BOM-Link Element","$ref":"#/$defs/cyclonedx-common-2.0/$defs/bomLinkElementType"}]},"title":"Destination","description":"The URI, URL, or BOM-Link of the components or services the data is sent to"}}}}},"cyclonedx-standard-2.0":{"type":"null","title":"CycloneDX Standard Model","$defs":{"standards":{"type":"array","title":"Standards","description":"The list of standards which may consist of regulations, industry or organizational-specific standards, maturity models, best practices, or any other requirements which can be evaluated against or attested to.","items":{"$ref":"#/$defs/cyclonedx-standard-2.0/$defs/standard"}},"standard":{"type":"object","title":"Standard","description":"A standard may consist of regulations, industry or organizational-specific standards, maturity models, best practices, or any other requirements which can be evaluated against or attested 
to.","additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"An identifier which can be used to reference the object elsewhere in the BOM. Every `bom-ref` must be unique within the BOM."},"name":{"type":"string","title":"Name","description":"The name of the standard. This will often be a shortened, single name of the standard."},"version":{"type":"string","title":"Version","description":"The version of the standard."},"description":{"type":"string","title":"Description","description":"The description of the standard."},"owner":{"type":"string","title":"Owner","description":"The owner of the standard, often the entity responsible for its release."},"requirements":{"$ref":"#/$defs/cyclonedx-standard-2.0/$defs/requirements"},"levels":{"$ref":"#/$defs/cyclonedx-standard-2.0/$defs/levels"},"externalReferences":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/externalReferences"},"signature":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/signature","title":"Signature","description":"Enveloped signature in [JSON Signature Format (JSF)](https://cyberphone.github.io/doc/security/jsf.html)."}}},"requirements":{"type":"array","title":"Requirements","description":"The list of requirements comprising the standard.","items":{"$ref":"#/$defs/cyclonedx-standard-2.0/$defs/requirement"}},"requirement":{"type":"object","title":"Requirement","additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"An identifier which can be used to reference the object elsewhere in the BOM. Every `bom-ref` must be unique within the BOM."},"identifier":{"type":"string","title":"Identifier","description":"The unique identifier used in the standard to identify a specific requirement. 
This should match what is in the standard and should not be the requirements bom-ref."},"title":{"type":"string","title":"Title","description":"The title of the requirement."},"text":{"type":"string","title":"Text","description":"The textual content of the requirement."},"descriptions":{"type":"array","title":"Descriptions","description":"The supplemental text that provides additional guidance or context to the requirement, but is not directly part of the requirement.","items":{"type":"string"}},"openCre":{"type":"array","title":"OWASP OpenCRE Identifier(s)","description":"The Common Requirements Enumeration (CRE) identifier(s). CRE is a structured and standardized framework for uniting security standards and guidelines. CRE links each section of a resource to a shared topic identifier (a Common Requirement). Through this shared topic link, all resources map to each other. Use of CRE promotes clear and unambiguous communication among stakeholders.","items":{"type":"string","pattern":"^CRE:[0-9]+-[0-9]+$","examples":["CRE:764-507"]}},"parent":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType","title":"Parent BOM Reference","description":"The `bom-ref` to a parent requirement. This establishes a hierarchy of requirements. Top-level requirements must not define a parent. Only child requirements should define parents."},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"},"externalReferences":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/externalReferences"}}},"levels":{"type":"array","title":"Levels","description":"The list of levels associated with the standard. Some standards have different levels of compliance.","items":{"$ref":"#/$defs/cyclonedx-standard-2.0/$defs/level"}},"level":{"type":"object","title":"Level","additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"An identifier which can be used to reference the object elsewhere in the BOM. 
Every `bom-ref` must be unique within the BOM."},"identifier":{"type":"string","title":"Identifier","description":"The identifier used in the standard to identify a specific level."},"title":{"type":"string","title":"Title","description":"The title of the level."},"description":{"type":"string","title":"Description","description":"The description of the level."},"requirements":{"type":"array","title":"Requirements","description":"The list of requirement `bom-ref`s that comprise the level.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"}}}}}},"cyclonedx-threat-2.0":{"type":"null","title":"CycloneDX Threat Model","$defs":{"threatScenario":{"type":"object","allOf":[{"$ref":"#/$defs/cyclonedx-risk-2.0/$defs/scenario"},{"properties":{"threatCategory":{"type":"string","description":"Threat category based on methodology (e.g., STRIDE category)"},"threatActor":{"$ref":"#/$defs/cyclonedx-threat-2.0/$defs/threatActorProfile"},"attackVector":{"$ref":"#/$defs/cyclonedx-threat-2.0/$defs/attackVector"},"attackPattern":{"$ref":"#/$defs/cyclonedx-threat-2.0/$defs/attackPatternReference"},"weakness":{"$ref":"#/$defs/cyclonedx-threat-2.0/$defs/weaknessReference"},"exploitability":{"$ref":"#/$defs/cyclonedx-threat-2.0/$defs/exploitability"},"indicators":{"$ref":"#/$defs/cyclonedx-threat-2.0/$defs/indicators"},"killChainPhase":{"type":"string","enum":["reconnaissance","weaponization","delivery","exploitation","installation","command-and-control","actions-on-objectives"],"meta:enum":{"reconnaissance":"Gathering information about the target","weaponization":"Creating malicious payloads","delivery":"Transmitting weapon to target","exploitation":"Exploiting vulnerabilities","installation":"Installing malware or backdoors","command-and-control":"Establishing C2 channel","actions-on-objectives":"Achieving attack 
goals"}},"technicalImpact":{"type":"array","items":{"type":"string","enum":["unauthorized-access","data-breach","data-corruption","service-disruption","privilege-escalation","code-execution","information-disclosure","denial-of-service"]}}}}]},"threatActor":{"type":"object","required":["bom-ref","name","type"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"name":{"type":"string","description":"Name or identifier of the threat actor"},"description":{"type":"string","description":"Description of the threat actor"},"type":{"type":"string","enum":["individual","group","organization","nation-state","unknown"],"meta:enum":{"individual":"Individual threat actor","group":"Organized group or collective","organization":"Corporate or criminal organization","nation-state":"Nation-state sponsored actor","unknown":"Unknown threat actor type"}},"aliases":{"type":"array","items":{"type":"string"},"description":"Known aliases or alternative names"},"profile":{"$ref":"#/$defs/cyclonedx-threat-2.0/$defs/threatActorProfile"},"observedTTPs":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-threat-2.0/$defs/ttp"},"description":"Observed tactics, techniques, and procedures"},"attributedAttacks":{"type":"array","items":{"type":"string"},"description":"Attacks attributed to this actor"},"targeting":{"$ref":"#/$defs/cyclonedx-threat-2.0/$defs/targeting"},"externalReferences":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/externalReference"}}}},"threatActorProfile":{"type":"object","additionalProperties":false,"properties":{"sophistication":{"type":"string","enum":["none","minimal","intermediate","advanced","expert"],"meta:enum":{"none":"No technical sophistication","minimal":"Script kiddie level","intermediate":"Intermediate technical skills","advanced":"Advanced persistent threat","expert":"Nation-state level 
capabilities"}},"motivation":{"type":"array","items":{"type":"string","enum":["financial","political","personal","ideological","espionage","destruction","disruption","reputation","curiosity","competitive","revenge","activism"]},"description":"Primary motivations"},"capability":{"type":"string","enum":["minimal","limited","moderate","significant","advanced"],"description":"Overall capability level"},"intent":{"type":"string","enum":["accidental","opportunistic","targeted","persistent"],"description":"Intent level"},"resources":{"type":"string","enum":["minimal","limited","moderate","substantial","unlimited"],"description":"Resource availability"},"accessLevel":{"type":"string","enum":["none","external","internal","privileged","physical"],"description":"Level of access to target systems"},"skillSet":{"type":"array","items":{"type":"string"},"description":"Specific skills possessed"}}},"attackVector":{"type":"object","additionalProperties":false,"properties":{"type":{"type":"string","enum":["network","adjacent","local","physical"],"meta:enum":{"network":"Remotely exploitable via network","adjacent":"Exploitable from adjacent network","local":"Requires local access","physical":"Requires physical access"}},"complexity":{"type":"string","enum":["low","high"],"description":"Attack complexity"},"privileges":{"type":"string","enum":["none","low","high"],"description":"Privileges required"},"userInteraction":{"type":"string","enum":["none","required"],"description":"User interaction requirement"},"scope":{"type":"string","enum":["unchanged","changed"],"description":"Scope impact"}}},"attackPattern":{"type":"object","required":["bom-ref","name"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"capecId":{"type":"integer","description":"CAPEC (Common Attack Pattern Enumeration and Classification) ID"},"name":{"type":"string","description":"Name of the attack 
pattern"},"description":{"type":"string","description":"Description of the attack pattern"},"severity":{"$ref":"#/$defs/cyclonedx-risk-2.0/$defs/severity"},"likelihood":{"type":"string","enum":["low","medium","high"],"description":"Likelihood of this pattern being used"},"prerequisites":{"type":"array","items":{"type":"string"},"description":"Prerequisites for the attack"},"techniques":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-threat-2.0/$defs/technique"},"description":"Techniques used in the attack"},"mitigations":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"description":"References to mitigations"},"examples":{"type":"array","items":{"type":"string"},"description":"Real-world examples"}}},"attackPatternReference":{"type":"object","additionalProperties":false,"properties":{"patternRef":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","description":"Reference to attack pattern"},"capecId":{"type":"integer","description":"CAPEC ID if not referencing internal pattern"},"customization":{"type":"string","description":"How this pattern is customized for the specific scenario"}}},"technique":{"type":"object","additionalProperties":false,"properties":{"id":{"type":"string","description":"Technique ID (e.g., MITRE ATT&CK ID)"},"name":{"type":"string","description":"Name of the technique"},"tactic":{"type":"string","description":"Associated tactic"},"procedure":{"type":"string","description":"Specific procedure"},"tools":{"type":"array","items":{"type":"string"},"description":"Tools used with this technique"}}},"weakness":{"type":"object","required":["bom-ref"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"cweId":{"type":"integer","description":"CWE (Common Weakness Enumeration) ID"},"name":{"type":"string","description":"Name of the weakness"},"description":{"type":"string","description":"Description of the 
weakness"},"abstraction":{"type":"string","enum":["pillar","class","base","variant","compound"],"meta:enum":{"pillar":"Most abstract type of weakness","class":"Weakness described in generic terms","base":"Weakness described in abstract terms","variant":"Weakness specific to a resource/technology","compound":"Combination of two or more weaknesses"}},"ordinality":{"type":"string","enum":["primary","resultant","indirect"],"meta:enum":{"primary":"Weakness exists independent of other weaknesses","resultant":"Weakness is caused by another weakness","indirect":"Weakness is indirectly caused by another weakness"}},"affectedAssets":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"description":"Assets affected by this weakness"},"exploitationDifficulty":{"type":"string","enum":["trivial","easy","moderate","difficult","impractical"],"description":"Difficulty of exploiting this weakness"},"detectionMethods":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-threat-2.0/$defs/detectionMethod"},"description":"Methods for detecting this weakness"}}},"weaknessReference":{"type":"object","additionalProperties":false,"properties":{"weaknessRef":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","description":"Reference to weakness"},"cweId":{"type":"integer","description":"CWE ID if not referencing internal weakness"},"instance":{"type":"string","description":"Specific instance or manifestation of the weakness"}}},"exploitability":{"type":"object","additionalProperties":false,"properties":{"level":{"type":"string","enum":["theoretical","proof-of-concept","functional","weaponized"],"meta:enum":{"theoretical":"Theoretically possible but not demonstrated","proof-of-concept":"Proof of concept exists","functional":"Functional exploit exists","weaponized":"Weaponized exploit in the wild"}},"complexity":{"type":"string","enum":["trivial","low","medium","high","very-high"],"description":"Complexity to 
exploit"},"skillRequired":{"type":"string","enum":["none","basic","intermediate","advanced","expert"],"description":"Skill level required"},"toolsRequired":{"type":"array","items":{"type":"string"},"description":"Tools required for exploitation"},"timeRequired":{"type":"string","description":"Estimated time to develop exploit"},"reliability":{"type":"string","enum":["unreliable","occasional","reliable","highly-reliable"],"description":"Reliability of exploitation"},"automatable":{"type":"boolean","description":"Whether exploitation can be automated"}}},"indicators":{"type":"object","additionalProperties":false,"properties":{"compromise":{"type":"array","items":{"type":"string"},"description":"Indicators of compromise"},"attack":{"type":"array","items":{"type":"string"},"description":"Indicators of attack"},"behavioral":{"type":"array","items":{"type":"string"},"description":"Behavioral indicators"},"signatures":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-threat-2.0/$defs/signature"},"description":"Detection signatures"}}},"signature":{"type":"object","required":["type","value"],"additionalProperties":false,"properties":{"type":{"type":"string","enum":["yara","snort","regex","hash","behavior"],"description":"Type of signature"},"value":{"type":"string","description":"Signature value or pattern"},"description":{"type":"string","description":"Description of what the signature detects"},"confidence":{"type":"string","enum":["low","medium","high"],"description":"Confidence level of detection"}}},"ttp":{"type":"object","additionalProperties":false,"properties":{"tactic":{"type":"string","description":"High-level tactic"},"technique":{"$ref":"#/$defs/cyclonedx-threat-2.0/$defs/technique"},"procedure":{"type":"string","description":"Specific implementation"},"tools":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-threat-2.0/$defs/tool"},"description":"Tools used"},"infrastructure":{"type":"array","items":{"type":"string"},"description":"Infrastructure 
used"}}},"tool":{"type":"object","required":["name"],"additionalProperties":false,"properties":{"name":{"type":"string","description":"Tool name"},"type":{"type":"string","enum":["exploit","scanner","fuzzer","proxy","framework","custom"],"description":"Type of tool"},"version":{"type":"string","description":"Tool version"},"capabilities":{"type":"array","items":{"type":"string"},"description":"Tool capabilities"}}},"targeting":{"type":"object","additionalProperties":false,"properties":{"sectors":{"type":"array","items":{"type":"string"},"description":"Targeted sectors or industries"},"regions":{"type":"array","items":{"type":"string"},"description":"Targeted geographic regions"},"technologies":{"type":"array","items":{"type":"string"},"description":"Targeted technologies or platforms"},"dataTypes":{"type":"array","items":{"type":"string"},"description":"Types of data targeted"}}},"detectionMethod":{"type":"object","required":["method"],"additionalProperties":false,"properties":{"method":{"type":"string","enum":["static-analysis","dynamic-analysis","penetration-test","code-review","architecture-review","automated-scan"],"description":"Detection method type"},"description":{"type":"string","description":"Description of the detection method"},"effectiveness":{"type":"string","enum":["low","medium","high"],"description":"Effectiveness of the method"},"tools":{"type":"array","items":{"type":"string"},"description":"Tools that implement this method"}}},"securityPolicy":{"type":"object","required":["bom-ref","name","type"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"name":{"type":"string","description":"Policy name"},"type":{"type":"string","enum":["access-control","data-protection","network-security","application-security","operational-security","compliance"],"description":"Type of security policy"},"description":{"type":"string","description":"Policy 
description"},"requirements":{"type":"array","items":{"type":"string"},"description":"Policy requirements"},"enforcement":{"type":"string","enum":["mandatory","recommended","optional"],"description":"Enforcement level"},"appliesTo":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"description":"Assets this policy applies to"},"exceptions":{"type":"array","items":{"type":"string"},"description":"Policy exceptions"}}},"trustBoundary":{"type":"object","allOf":[{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/boundary"},{"properties":{"trustLevel":{"type":"string","enum":["untrusted","semi-trusted","trusted","highly-trusted"],"description":"Trust level differential"},"securityRequirements":{"$ref":"#/$defs/cyclonedx-threat-2.0/$defs/boundarySecurityRequirements"},"threatsAtBoundary":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"description":"Threats that could exploit this boundary"},"controlsAtBoundary":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"description":"Controls implemented at this boundary"}}}]},"boundarySecurityRequirements":{"type":"object","additionalProperties":false,"properties":{"authenticationStrength":{"type":"string","enum":["none","weak","moderate","strong","very-strong"],"description":"Required authentication strength"},"authorizationGranularity":{"type":"string","enum":["coarse","medium","fine","very-fine"],"description":"Authorization granularity required"},"integrityVerification":{"type":"boolean","description":"Whether integrity verification is required"},"confidentialityProtection":{"type":"boolean","description":"Whether confidentiality protection is required"},"auditingLevel":{"type":"string","enum":["none","basic","detailed","comprehensive"],"description":"Level of auditing required"},"dataValidationRules":{"type":"array","items":{"type":"string"},"description":"Data validation rules at 
boundary"}}}}},"cyclonedx-usecase-2.0":{"type":"null","title":"CycloneDX Use Case Model","properties":{"bom-ref":{"type":"string","title":"BOM Reference","description":"An optional identifier which can be used to reference the use case elsewhere in the BOM. Every bom-ref must be unique within the BOM."},"name":{"type":"string","title":"Name","description":"The name or title of the use case."},"description":{"type":"string","title":"Description","description":"A detailed description of the use case."},"actors":{"type":"array","title":"Actors","description":"The stakeholders or users who interact with the system in this use case.","items":{"type":"string"}},"preconditions":{"type":"array","title":"Preconditions","description":"Conditions that must be true before the use case can be executed.","items":{"type":"string"}},"postconditions":{"type":"array","title":"Postconditions","description":"Conditions that will be true after the use case has been successfully executed.","items":{"type":"string"}},"mainFlow":{"type":"array","title":"Main Flow","description":"The primary sequence of steps that describe the use case.","items":{"$ref":"#/$defs/cyclonedx-usecase-2.0/$defs/step"}},"alternativeFlows":{"type":"array","title":"Alternative Flows","description":"Alternative sequences of steps that may occur in the use case.","items":{"$ref":"#/$defs/cyclonedx-usecase-2.0/$defs/flow"}},"exceptions":{"type":"array","title":"Exceptions","description":"Error scenarios that may occur during the execution of the use case.","items":{"$ref":"#/$defs/cyclonedx-usecase-2.0/$defs/exception"}},"successCriteria":{"type":"array","title":"Success Criteria","description":"Criteria that determine whether the use case has been successfully executed.","items":{"type":"string"}},"notes":{"type":"array","title":"Notes","description":"Additional information or comments about the use case.","items":{"type":"string"}},"properties":{"type":"array","title":"Properties","description":"Provides the 
ability to document properties in a name-value store. This provides flexibility to include data not officially supported in the standard.","items":{"$ref":"#/$defs/cyclonedx-usecase-2.0/$defs/property"}}},"$defs":{"step":{"type":"object","title":"Step","description":"A single step in a use case flow.","additionalProperties":false,"properties":{"number":{"type":"integer","title":"Number","description":"The sequence number of the step."},"description":{"type":"string","title":"Description","description":"A description of the step."},"actor":{"type":"string","title":"Actor","description":"The actor who performs this step."}}},"flow":{"type":"object","title":"Flow","description":"A sequence of steps in a use case.","additionalProperties":false,"properties":{"name":{"type":"string","title":"Name","description":"The name of the flow."},"description":{"type":"string","title":"Description","description":"A description of the flow."},"condition":{"type":"string","title":"Condition","description":"The condition under which this alternative flow is executed."},"steps":{"type":"array","title":"Steps","description":"The sequence of steps in the flow.","items":{"$ref":"#/$defs/cyclonedx-usecase-2.0/$defs/step"}}}},"exception":{"type":"object","title":"Exception","description":"An error scenario in a use case.","additionalProperties":false,"properties":{"name":{"type":"string","title":"Name","description":"The name of the exception."},"description":{"type":"string","title":"Description","description":"A description of the exception."},"condition":{"type":"string","title":"Condition","description":"The condition under which this exception occurs."},"handling":{"type":"string","title":"Handling","description":"How the exception is handled."}}},"property":{"type":"object","title":"Property","description":"A name-value property.","additionalProperties":false,"required":["name","value"],"properties":{"name":{"type":"string","title":"Name","description":"The name of the 
property."},"value":{"type":"string","title":"Value","description":"The value of the property."}}}}},"cyclonedx-vulnerability-2.0":{"type":"null","title":"CycloneDX Vulnerability Model","$defs":{"vulnerabilities":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-vulnerability-2.0/$defs/vulnerability"},"uniqueItems":true,"title":"Vulnerabilities","description":"Vulnerabilities identified in components or services."},"vulnerability":{"type":"object","title":"Vulnerability","description":"Defines a weakness in a component or service that could be exploited or triggered by a threat source.","additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"An identifier which can be used to reference the vulnerability elsewhere in the BOM. Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links."},"id":{"type":"string","title":"ID","description":"The identifier that uniquely identifies the vulnerability.","examples":["CVE-2021-39182","GHSA-35m5-8cvj-8783","SNYK-PYTHON-ENROCRYPT-1912876"]},"source":{"$ref":"#/$defs/cyclonedx-vulnerability-2.0/$defs/vulnerabilitySource","description":"The source that published the vulnerability."},"references":{"type":"array","title":"References","description":"Zero or more pointers to vulnerabilities that are the equivalent of the vulnerability specified. Often times, the same vulnerability may exist in multiple sources of vulnerability intelligence, but have different identifiers. 
References provide a way to correlate vulnerabilities across multiple sources of vulnerability intelligence.","items":{"type":"object","required":["id","source"],"additionalProperties":false,"properties":{"id":{"type":"string","title":"ID","description":"An identifier that uniquely identifies the vulnerability.","examples":["CVE-2021-39182","GHSA-35m5-8cvj-8783","SNYK-PYTHON-ENROCRYPT-1912876"]},"source":{"$ref":"#/$defs/cyclonedx-vulnerability-2.0/$defs/vulnerabilitySource","description":"The source that published the vulnerability."}}}},"ratings":{"type":"array","title":"Ratings","description":"List of vulnerability ratings","items":{"$ref":"#/$defs/cyclonedx-vulnerability-2.0/$defs/rating"}},"cwes":{"type":"array","title":"CWEs","description":"List of Common Weaknesses Enumerations (CWEs) codes that describes this vulnerability.","examples":[399],"items":{"$ref":"#/$defs/cyclonedx-vulnerability-2.0/$defs/cwe"}},"description":{"type":"string","title":"Description","description":"A description of the vulnerability as provided by the source."},"detail":{"type":"string","title":"Details","description":"If available, an in-depth description of the vulnerability as provided by the source organization. Details often include information useful in understanding root cause."},"recommendation":{"type":"string","title":"Recommendation","description":"Recommendations of how the vulnerability can be remediated or mitigated."},"workaround":{"type":"string","title":"Workarounds","description":"A bypass, usually temporary, of the vulnerability that reduces its likelihood and/or impact. 
Workarounds often involve changes to configuration or deployments."},"proofOfConcept":{"type":"object","title":"Proof of Concept","description":"Evidence used to reproduce the vulnerability.","properties":{"reproductionSteps":{"type":"string","title":"Steps to Reproduce","description":"Precise steps to reproduce the vulnerability."},"environment":{"type":"string","title":"Environment","description":"A description of the environment in which reproduction was possible."},"supportingMaterial":{"type":"array","title":"Supporting Material","description":"Supporting material that helps in reproducing or understanding how reproduction is possible. This may include screenshots, payloads, and PoC exploit code.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/attachment"}}}},"advisories":{"type":"array","title":"Advisories","description":"Published advisories of the vulnerability if provided.","items":{"$ref":"#/$defs/cyclonedx-vulnerability-2.0/$defs/advisory"}},"created":{"type":"string","format":"date-time","title":"Created","description":"The date and time (timestamp) when the vulnerability record was created in the vulnerability database."},"published":{"type":"string","format":"date-time","title":"Published","description":"The date and time (timestamp) when the vulnerability record was first published."},"updated":{"type":"string","format":"date-time","title":"Updated","description":"The date and time (timestamp) when the vulnerability record was last updated."},"rejected":{"type":"string","format":"date-time","title":"Rejected","description":"The date and time (timestamp) when the vulnerability record was rejected (if applicable)."},"credits":{"type":"object","title":"Credits","description":"Individuals or organizations credited with the discovery of the vulnerability.","additionalProperties":false,"properties":{"organizations":{"type":"array","title":"Organizations","description":"The organizations credited with vulnerability 
discovery.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity"}},"individuals":{"type":"array","title":"Individuals","description":"The individuals, not associated with organizations, that are credited with vulnerability discovery.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalContact"}}}},"tools":{"type":"object","title":"Tools","description":"The tool(s) used to identify, confirm, or score the vulnerability.","additionalProperties":false,"properties":{"components":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-component-2.0/$defs/component"},"uniqueItems":true,"title":"Components","description":"A list of software and hardware components used as tools."},"services":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-service-2.0/$defs/service"},"uniqueItems":true,"title":"Services","description":"A list of services used as tools. This may include microservices, function-as-a-service, and other types of network or intra-process services."}}},"analysis":{"type":"object","title":"Impact Analysis","description":"An assessment of the impact and exploitability of the vulnerability.","additionalProperties":false,"properties":{"state":{"$ref":"#/$defs/cyclonedx-vulnerability-2.0/$defs/impactAnalysisState"},"justification":{"$ref":"#/$defs/cyclonedx-vulnerability-2.0/$defs/impactAnalysisJustification"},"response":{"type":"array","title":"Response","description":"A response to the vulnerability by the manufacturer, supplier, or project responsible for the affected component or service. More than one response is allowed. 
Responses are strongly encouraged for vulnerabilities where the analysis state is exploitable.","items":{"type":"string","enum":["can_not_fix","will_not_fix","update","rollback","workaround_available"],"meta:enum":{"can_not_fix":"Can not fix","will_not_fix":"Will not fix","update":"Update to a different revision or release","rollback":"Revert to a previous revision or release","workaround_available":"There is a workaround available"}}},"detail":{"type":"string","title":"Detail","description":"Detailed description of the impact including methods used during assessment. If a vulnerability is not exploitable, this field should include specific details on why the component or service is not impacted by this vulnerability."},"firstIssued":{"type":"string","format":"date-time","title":"First Issued","description":"The date and time (timestamp) when the analysis was first issued."},"lastUpdated":{"type":"string","format":"date-time","title":"Last Updated","description":"The date and time (timestamp) when the analysis was last updated."}}},"affects":{"type":"array","uniqueItems":true,"items":{"type":"object","required":["ref"],"additionalProperties":false,"properties":{"ref":{"anyOf":[{"title":"Ref","$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"},{"title":"BOM-Link Element","$ref":"#/$defs/cyclonedx-common-2.0/$defs/bomLinkElementType"}],"title":"Reference","description":"References a component or service by the objects bom-ref"},"versions":{"type":"array","title":"Versions","description":"Zero or more individual versions or range of versions.","items":{"type":"object","oneOf":[{"required":["version"]},{"required":["range"]}],"additionalProperties":false,"properties":{"version":{"title":"Version","description":"A single version of a component or service.","$ref":"#/$defs/cyclonedx-component-2.0/$defs/version"},"range":{"title":"Version Range","description":"A version range specified in Package URL Version Range syntax (vers) which is defined at 
https://github.com/package-url/vers-spec","$ref":"#/$defs/cyclonedx-component-2.0/$defs/versionRange"},"status":{"title":"Status","description":"The vulnerability status for the version or range of versions.","$ref":"#/$defs/cyclonedx-vulnerability-2.0/$defs/affectedStatus","default":"affected"}}}}}},"title":"Affects","description":"The components or services that are affected by the vulnerability."},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"advisory":{"type":"object","title":"Advisory","description":"Title and location where advisory information can be obtained. An advisory is a notification of a threat to a component, service, or system.","required":["url"],"additionalProperties":false,"properties":{"title":{"type":"string","title":"Title","description":"A name of the advisory."},"url":{"type":"string","title":"URL","format":"iri-reference","description":"Location where the advisory can be obtained."}}},"cwe":{"type":"integer","minimum":1,"title":"CWE","description":"Integer representation of a Common Weaknesses Enumerations (CWE). For example 399 (of https://cwe.mitre.org/data/definitions/399.html)"},"severity":{"type":"string","title":"Severity","description":"Textual representation of the severity of the vulnerability adopted by the analysis method. 
If the analysis method uses values other than what is provided, the user is expected to translate appropriately.","enum":["critical","high","medium","low","info","none","unknown"],"meta:enum":{"critical":"Critical severity","high":"High severity","medium":"Medium severity","low":"Low severity","info":"Informational warning.","none":"None","unknown":"The severity is not known"}},"scoreMethod":{"type":"string","title":"Method","description":"Specifies the severity or risk scoring methodology or standard used.","enum":["CVSSv2","CVSSv3","CVSSv31","CVSSv4","OWASP","SSVC","other"],"meta:enum":{"CVSSv2":"Common Vulnerability Scoring System v2.0","CVSSv3":"Common Vulnerability Scoring System v3.0","CVSSv31":"Common Vulnerability Scoring System v3.1","CVSSv4":"Common Vulnerability Scoring System v4.0","OWASP":"OWASP Risk Rating Methodology","SSVC":"Stakeholder Specific Vulnerability Categorization","other":"Another severity or risk scoring methodology"}},"impactAnalysisState":{"type":"string","title":"Impact Analysis State","description":"Declares the current state of an occurrence of a vulnerability, after automated or manual analysis.","enum":["resolved","resolved_with_pedigree","exploitable","in_triage","false_positive","not_affected"],"meta:enum":{"resolved":"The vulnerability has been remediated.","resolved_with_pedigree":"The vulnerability has been remediated and evidence of the changes are provided in the affected components pedigree containing verifiable commit history and/or diff(s).","exploitable":"The vulnerability may be directly or indirectly exploitable.","in_triage":"The vulnerability is being investigated.","false_positive":"The vulnerability is not specific to the component or service and was falsely identified or associated.","not_affected":"The component or service is not affected by the vulnerability. 
Justification should be specified for all not_affected cases."}},"impactAnalysisJustification":{"type":"string","title":"Impact Analysis Justification","description":"The rationale of why the impact analysis state was asserted.","enum":["code_not_present","code_not_reachable","requires_configuration","requires_dependency","requires_environment","protected_by_compiler","protected_at_runtime","protected_at_perimeter","protected_by_mitigating_control"],"meta:enum":{"code_not_present":"The code has been removed or tree-shaked.","code_not_reachable":"The vulnerable code is not invoked at runtime.","requires_configuration":"Exploitability requires a configurable option to be set/unset.","requires_dependency":"Exploitability requires a dependency that is not present.","requires_environment":"Exploitability requires a certain environment which is not present.","protected_by_compiler":"Exploitability requires a compiler flag to be set/unset.","protected_at_runtime":"Exploits are prevented at runtime.","protected_at_perimeter":"Attacks are blocked at physical, logical, or network perimeter.","protected_by_mitigating_control":"Preventative measures have been implemented that reduce the likelihood and/or impact of the vulnerability."}},"rating":{"type":"object","title":"Rating","description":"Defines the severity or risk ratings of a vulnerability.","additionalProperties":false,"properties":{"source":{"$ref":"#/$defs/cyclonedx-vulnerability-2.0/$defs/vulnerabilitySource","description":"The source that calculated the severity or risk rating of the vulnerability."},"score":{"type":"number","title":"Score","description":"The numerical score of the rating."},"severity":{"$ref":"#/$defs/cyclonedx-vulnerability-2.0/$defs/severity","description":"Textual representation of the severity that corresponds to the numerical score of the rating."},"method":{"$ref":"#/$defs/cyclonedx-vulnerability-2.0/$defs/scoreMethod"},"vector":{"type":"string","title":"Vector","description":"Textual 
representation of the metric values used to score the vulnerability"},"justification":{"type":"string","title":"Justification","description":"A reason for rating the vulnerability as it was"}}},"vulnerabilitySource":{"type":"object","title":"Source","description":"The source of vulnerability information. This is often the organization that published the vulnerability.","additionalProperties":false,"properties":{"url":{"type":"string","title":"URL","description":"The url of the vulnerability documentation as provided by the source.","examples":["https://nvd.nist.gov/vuln/detail/CVE-2021-39182"]},"name":{"type":"string","title":"Name","description":"The name of the source.","examples":["NVD","National Vulnerability Database","OSS Index","VulnDB","GitHub Advisories"]}}},"affectedStatus":{"description":"The vulnerability status of a given version or range of versions of a product. The statuses 'affected' and 'unaffected' indicate that the version is affected or unaffected by the vulnerability. The status 'unknown' indicates that it is unknown or unspecified whether the given version is affected. There can be many reasons for an 'unknown' status, including that an investigation has not been undertaken or that a vendor has not disclosed the status.","type":"string","enum":["affected","unaffected","unknown"],"meta:enum":{"affected":"The version is affected by the vulnerability.","unaffected":"The version is not affected by the vulnerability.","unknown":"It is unknown (or unspecified) whether the given version is affected."}}}},"cyclonedx-2.0":{"type":"object","title":"CycloneDX Transparency Expression Language","required":["specFormat","specVersion"],"additionalProperties":false,"properties":{"$schema":{"type":"string"},"specFormat":{"type":"string","title":"Specification Format","description":"Specifies the format. 
This value must be \"CycloneDX\".","enum":["CycloneDX"]},"specVersion":{"type":"string","title":"Specification Version","description":"The version of the CycloneDX specification the BOM conforms to.","examples":["2.0"]},"serialNumber":{"type":"string","title":"BOM Serial Number","description":"Every BOM generated SHOULD have a unique serial number, even if the contents of the BOM have not changed over time. If specified, the serial number must conform to [RFC 4122](https://www.ietf.org/rfc/rfc4122.html). Use of serial numbers is recommended.","examples":["urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79"],"pattern":"^urn:uuid:[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$"},"version":{"type":"integer","title":"BOM Version","description":"Whenever an existing BOM is modified, either manually or through automated processes, the version of the BOM SHOULD be incremented by 1. When a system is presented with multiple BOMs with identical serial numbers, the system SHOULD use the most recent version of the BOM. The default version is '1'.","minimum":1,"default":1},"metadata":{"$ref":"#/$defs/cyclonedx-metadata-2.0/$defs/metadata"},"components":{"$ref":"#/$defs/cyclonedx-component-2.0/$defs/components","description":"A collection of components. When a metadata component is present, this array represents the inventory of components associated with that subject, forming a bill of materials. 
When the metadata component is omitted, the array provides component data for interchange purposes without establishing a compositional relationship."},"services":{"$ref":"#/$defs/cyclonedx-service-2.0/$defs/services"},"dependencies":{"$ref":"#/$defs/cyclonedx-dependency-2.0/$defs/dependencies"},"compositions":{"$ref":"#/$defs/cyclonedx-composition-2.0/$defs/compositions"},"vulnerabilities":{"$ref":"#/$defs/cyclonedx-vulnerability-2.0/$defs/vulnerabilities"},"annotations":{"$ref":"#/$defs/cyclonedx-annotation-2.0/$defs/annotations"},"formulation":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/formulation"},"declarations":{"$ref":"#/$defs/cyclonedx-declaration-2.0/$defs/declarations"},"definitions":{"$ref":"#/$defs/cyclonedx-definition-2.0/$defs/definitions"},"citations":{"$ref":"#/$defs/cyclonedx-citation-2.0/$defs/citations"},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"},"externalReferences":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/externalReferences"},"signature":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/signature"}},"allOf":[{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/extensibleProperties"}]}}} \ No newline at end of file diff --git a/schema/2.0/cyclonedx-2.0-bundled.schema.json b/schema/2.0/cyclonedx-2.0-bundled.schema.json index e9f8174f..8c216fec 100644 --- a/schema/2.0/cyclonedx-2.0-bundled.schema.json +++ b/schema/2.0/cyclonedx-2.0-bundled.schema.json 
@@ -777,2207 +777,3578 @@ } } }, - "cyclonedx-citation-2.0": { + "cyclonedx-blueprint-2.0": { "type": "null", - "title": "CycloneDX Citation Model", - "$defs": { - "citations": { + "title": "CycloneDX Blueprint Model", + "required": [ + "modelTypes", + "methodologies" + ], + "additionalProperties": false, + "properties": { + "bom-ref": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType" + }, + "modelTypes": { "type": "array", + "minItems": 1, + "description": "The types of models being represented", "items": { - "$ref": "#/$defs/cyclonedx-citation-2.0/$defs/citation" + "$ref": "#/$defs/cyclonedx-blueprint-2.0/$defs/modelType" + } + }, + "methodologies": { + "type": "array", + "minItems": 1, + "description": "The modeling methodologies used", + "items": { + "$ref": "#/$defs/cyclonedx-blueprint-2.0/$defs/methodology" + } + }, + "perspectives": { + "type": "array", + "description": "Different viewpoints or perspectives used in the model analysis", + "items": { + "$ref": "#/$defs/cyclonedx-blueprint-2.0/$defs/perspective" + } + }, + "metadata": { + "$ref": "#/$defs/cyclonedx-blueprint-2.0/$defs/blueprintMetadata" + }, + "scope": { + "$ref": "#/$defs/cyclonedx-blueprint-2.0/$defs/scope" + }, + "assets": { + "type": "array", + "items": { + "$ref": "#/$defs/cyclonedx-blueprint-2.0/$defs/asset" }, - "uniqueItems": true, - "title": "Citations", - "description": "A collection of attributions indicating which entity supplied information for specific fields within the BOM." 
+ "description": "The assets (components, services, data, actors) included in the model" }, - "citation": { + "zones": { + "type": "array", + "items": { + "$ref": "#/$defs/cyclonedx-blueprint-2.0/$defs/zone" + }, + "description": "Logical, physical, or trust zones that group assets with similar characteristics" + }, + "boundaries": { + "type": "array", + "items": { + "$ref": "#/$defs/cyclonedx-blueprint-2.0/$defs/boundary" + }, + "description": "Boundaries between zones" + }, + "flows": { + "type": "array", + "items": { + "$ref": "#/$defs/cyclonedx-blueprint-2.0/$defs/flow" + }, + "description": "Data, control, or process flows between assets" + }, + "assumptions": { + "type": "array", + "items": { + "$ref": "#/$defs/cyclonedx-blueprint-2.0/$defs/assumption" + }, + "description": "Assumptions made during the modeling process" + }, + "visualizations": { + "type": "array", + "items": { + "$ref": "#/$defs/cyclonedx-blueprint-2.0/$defs/visualization" + }, + "description": "Visual representations of the model" + }, + "useCases": { + "type": "array", + "items": { + "type": "object", + "allOf": [ + { + "$ref": "#/$defs/cyclonedx-usecase-2.0" + }, + { + "properties": { + "assets": { + "type": "array", + "items": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType" + }, + "description": "References to assets involved in this use case" + }, + "flows": { + "type": "array", + "items": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType" + }, + "description": "References to flows that are part of this use case" + }, + "requirements": { + "type": "array", + "items": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType" + }, + "description": "References to requirements implemented by this use case" + } + } + } + ] + }, + "description": "Use cases analyzed as part of the model" + }, + "requirements": { + "type": "array", + "items": { + "$ref": "#/$defs/cyclonedx-requirement-2.0/$defs/requirement" + }, + "description": "Requirements derived from or related to the model" 
+ }, + "externalReferences": { + "type": "array", + "items": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/externalReference" + }, + "description": "External references related to the blueprint" + }, + "properties": { + "type": "array", + "items": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/property" + }, + "description": "Additional properties and extensions" + } + }, + "$defs": { + "modelType": { "type": "object", - "title": "Citation", - "description": "Details a specific attribution of data within the BOM to a contributing entity or process.", + "oneOf": [ + { + "required": [ + "type" + ], + "additionalProperties": false, + "properties": { + "type": { + "type": "string", + "enum": [ + "architecture", + "dataFlow", + "process", + "deployment", + "network", + "threat", + "risk", + "privacy", + "operational", + "conceptual", + "logical", + "physical", + "behavioral", + "structural" + ], + "meta:enum": { + "architecture": "System or software architecture model", + "dataFlow": "Data flow model showing how data moves through the system", + "process": "Business or system process model", + "deployment": "Deployment or infrastructure model", + "network": "Network topology or connectivity model", + "threat": "Security threat model", + "risk": "Risk assessment model", + "privacy": "Privacy impact assessment model", + "operational": "Operational model", + "conceptual": "High-level conceptual model", + "logical": "Logical system model", + "physical": "Physical infrastructure model", + "behavioral": "System behavior model", + "structural": "System structure model" + } + } + } + }, + { + "required": [ + "name" + ], + "additionalProperties": false, + "properties": { + "name": { + "type": "string", + "description": "Custom model type name" + }, + "description": { + "type": "string", + "description": "Description of the custom model type" + } + } + } + ] + }, + "methodology": { + "type": "object", + "oneOf": [ + { + "required": [ + "type" + ], + "additionalProperties": 
false, + "properties": { + "type": { + "type": "string", + "enum": [ + "C4", + "UML", + "TOGAF", + "Archimate", + "BPMN", + "DFD", + "ERD", + "4+1", + "Zachman", + "SABSA", + "DODAF", + "MODAF", + "NAF", + "Kruchten", + "IDEF", + "SysML", + "STRIDE", + "PASTA", + "LINDDUN", + "OCTAVE", + "ISO27005", + "NIST", + "FAIR" + ], + "meta:enum": { + "C4": "C4 Model for software architecture", + "UML": "Unified Modeling Language", + "TOGAF": "The Open Group Architecture Framework", + "Archimate": "Enterprise architecture modeling language", + "BPMN": "Business Process Model and Notation", + "DFD": "Data Flow Diagrams", + "ERD": "Entity Relationship Diagrams", + "4+1": "4+1 Architectural View Model", + "Zachman": "Zachman Framework", + "SABSA": "Sherwood Applied Business Security Architecture", + "DODAF": "Department of Defense Architecture Framework", + "MODAF": "Ministry of Defence Architecture Framework", + "NAF": "NATO Architecture Framework", + "Kruchten": "Kruchten's 4+1 View Model", + "IDEF": "Integration Definition Methods", + "SysML": "Systems Modeling Language", + "STRIDE": "Microsoft's threat modeling methodology", + "PASTA": "Process for Attack Simulation and Threat Analysis", + "LINDDUN": "Privacy threat modeling methodology", + "OCTAVE": "Operationally Critical Threat, Asset, and Vulnerability Evaluation", + "ISO27005": "ISO/IEC 27005 Information security risk management", + "NIST": "NIST Risk Management Framework", + "FAIR": "Factor Analysis of Information Risk" + } + }, + "version": { + "type": "string", + "description": "Version of the methodology" + } + } + }, + { + "required": [ + "name" + ], + "additionalProperties": false, + "properties": { + "name": { + "type": "string", + "description": "Custom methodology name" + }, + "version": { + "type": "string", + "description": "Version of the methodology" + }, + "description": { + "type": "string", + "description": "Description of the custom methodology" + }, + "externalReferences": { + "type": "array", + 
"items": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/externalReference" + } + } + } + } + ] + }, + "perspective": { + "type": "object", + "required": [ + "bom-ref", + "type", + "name" + ], "additionalProperties": false, "properties": { "bom-ref": { "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType", - "title": "BOM Reference" + "description": "Unique identifier for the perspective" }, - "pointers": { + "type": { + "type": "string", + "enum": [ + "business", + "technical", + "user", + "operational", + "development", + "architectural", + "functional", + "informational", + "contextual", + "conceptual", + "logical", + "physical", + "security", + "compliance", + "risk", + "stakeholder", + "custom" + ], + "meta:enum": { + "business": "Business stakeholder perspective", + "technical": "Technical implementation perspective", + "user": "End user or customer perspective", + "operational": "Operations and maintenance perspective", + "development": "Software development perspective", + "architectural": "System architecture perspective", + "functional": "Functional requirements perspective", + "informational": "Information and data perspective", + "contextual": "Business context perspective", + "conceptual": "High-level conceptual perspective", + "logical": "Logical design perspective", + "physical": "Physical implementation perspective", + "security": "Security perspective", + "compliance": "Regulatory compliance perspective", + "risk": "Risk management perspective", + "stakeholder": "General stakeholder perspective", + "custom": "Custom or other perspective" + } + }, + "name": { + "type": "string", + "description": "Name of the perspective" + }, + "description": { + "type": "string", + "description": "Detailed description of the perspective and its focus" + }, + "role": { + "type": "string", + "description": "The role or persona associated with this perspective" + }, + "objectives": { "type": "array", "items": { - "type": "string", - "title": "Field Reference", - 
"description": "A [JSON Pointer](https://datatracker.ietf.org/doc/html/rfc6901) identifying the BOM field to which the attribution applies." + "type": "string" }, - "minItems": 1, - "title": "Field References", - "description": "One or more [JSON Pointers](https://datatracker.ietf.org/doc/html/rfc6901) identifying the BOM fields to which the attribution applies.\nExactly one of the \"pointers\" or \"expressions\" elements must be present." + "description": "Primary objectives or goals from this perspective" }, - "expressions": { + "concerns": { "type": "array", "items": { - "type": "string", - "title": "Path Expression", - "description": "Specifies a [JSONPath](https://datatracker.ietf.org/doc/html/rfc9535) expression used to locate a value within a BOM." + "type": "string" }, - "minItems": 1, - "title": "Path Expressions", - "description": "One or more path expressions used to locate values within a BOM.\nExactly one of the \"pointers\" or \"expressions\" elements must be present." + "description": "Primary concerns from this perspective" + }, + "viewpoint": { + "type": "string", + "description": "The architectural viewpoint this perspective represents" }, + "scope": { + "type": "string", + "description": "The scope of this perspective" + }, + "properties": { + "type": "array", + "items": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/property" + } + } + } + }, + "blueprintMetadata": { + "type": "object", + "additionalProperties": false, + "properties": { "timestamp": { "type": "string", "format": "date-time", - "title": "Timestamp", - "description": "The date and time when the attribution was made or the information was supplied." 
+ "description": "When the blueprint was created or last updated" }, - "attributedTo": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType", - "title": "Attributed To", - "description": "The `bom-ref` of an object, such as a component, service, tool, organisational entity, or person that supplied the cited information.\nAt least one of the \"attributedTo\" or \"process\" elements must be present." + "authors": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/organizationalEntityOrContact", + "description": "The person(s) or organization(s) who created the blueprint" }, - "process": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType", - "title": "Process Reference", - "description": "The `bom-ref` to a process (such as a formula, workflow, task, or step) defined in the `formulation` section that executed or generated the attributed data.\nAt least one of the \"attributedTo\" or \"process\" elements must be present." + "reviewer": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/organizationalEntityOrContact", + "description": "The person(s) or organization(s) who reviewed the blueprint" }, - "note": { + "reviewDate": { "type": "string", - "title": "Note", - "description": "A description or comment about the context or quality of the data attribution." + "format": "date-time", + "description": "When the blueprint was reviewed" }, - "signature": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/signature", - "title": "Signature", - "description": "A digital signature verifying the authenticity or integrity of the attribution." 
- } - }, - "required": [ - "timestamp" - ], - "anyOf": [ - { - "required": [ - "attributedTo" - ] + "approver": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/organizationalEntityOrContact", + "description": "The person(s) or organization(s) who approved the blueprint" }, - { - "required": [ - "process" - ] - } - ], - "oneOf": [ - { - "required": [ - "pointers" - ] + "approvalDate": { + "type": "string", + "format": "date-time", + "description": "When the blueprint was approved" }, - { - "required": [ - "expressions" - ] + "ordinalVersion": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/ordinalVersion" + }, + "lifecycles": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/lifecycles" + }, + "validityPeriod": { + "$ref": "#/$defs/cyclonedx-blueprint-2.0/$defs/validityPeriod" } - ] - } - } - }, - "cyclonedx-common-2.0": { - "type": "null", - "title": "CycloneDX Common Model", - "$defs": { - "refType": { - "description": "Identifier for referable and therefore interlinkable elements.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links.", - "type": "string", - "minLength": 1, - "$comment": "TODO (breaking change): add a format constraint that prevents the value from staring with 'urn:cdx:'" - }, - "refLinkType": { - "description": "Descriptor for an element identified by the attribute 'bom-ref' in the same BOM document.\nIn contrast to `bomLinkElementType`.", - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType" - }, - "bomLinkDocumentType": { - "title": "BOM-Link Document", - "description": "Descriptor for another BOM document. See https://cyclonedx.org/capabilities/bomlink/", - "type": "string", - "format": "iri-reference", - "pattern": "^urn:cdx:[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}/[1-9][0-9]*$", - "$comment": "part of the pattern is based on `bom.serialNumber`'s pattern" - }, - "bomLinkElementType": { - "title": "BOM-Link Element", - "description": "Descriptor for an element in a BOM document. 
See https://cyclonedx.org/capabilities/bomlink/", - "type": "string", - "format": "iri-reference", - "pattern": "^urn:cdx:[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}/[1-9][0-9]*#.+$", - "$comment": "part of the pattern is based on `bom.serialNumber`'s pattern" + } }, - "bomLink": { - "title": "BOM-Link", - "anyOf": [ - { - "title": "BOM-Link Document", - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/bomLinkDocumentType" + "validityPeriod": { + "type": "object", + "additionalProperties": false, + "properties": { + "start": { + "type": "string", + "format": "date-time", + "description": "When the blueprint becomes valid" }, - { - "title": "BOM-Link Element", - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/bomLinkElementType" + "end": { + "type": "string", + "format": "date-time", + "description": "When the blueprint expires" + }, + "reviewFrequency": { + "type": "string", + "pattern": "^P(?!$)(\\d+Y)?(\\d+M)?(\\d+W)?(\\d+D)?$", + "description": "ISO 8601 duration for review frequency (e.g., P3M for quarterly)" } - ] + } }, - "hash": { + "scope": { "type": "object", - "title": "Hash", "required": [ - "alg", - "content" + "name" ], "additionalProperties": false, "properties": { - "alg": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/hashAlgorithm" + "bom-ref": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType" }, - "content": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/hashValue" + "name": { + "type": "string", + "description": "Name of the scope" + }, + "description": { + "type": "string", + "description": "Description of what is included and excluded from the model" + }, + "boundaries": { + "type": "array", + "items": { + "type": "string" + }, + "description": "Explicit boundaries of the model" + }, + "includedComponents": { + "type": "array", + "items": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType" + }, + "description": "References to components explicitly included" + }, + "excludedComponents": { + "type": "array", + "items": { + 
"$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType" + }, + "description": "References to components explicitly excluded" + }, + "properties": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/properties" } } }, - "hashAlgorithm": { - "type": "string", - "title": "Hash Algorithm", - "description": "The algorithm that generated the hash value.", - "enum": [ - "MD5", - "SHA-1", - "SHA-256", - "SHA-384", - "SHA-512", - "SHA3-256", - "SHA3-384", - "SHA3-512", - "BLAKE2b-256", - "BLAKE2b-384", - "BLAKE2b-512", - "BLAKE3", - "Streebog-256", - "Streebog-512" - ] - }, - "hashValue": { - "type": "string", - "title": "Hash Value", - "description": "The value of the hash.", - "examples": [ - "3942447fac867ae5cdb3229b658f4d48" - ], - "pattern": "^([a-fA-F0-9]{32}|[a-fA-F0-9]{40}|[a-fA-F0-9]{64}|[a-fA-F0-9]{96}|[a-fA-F0-9]{128})$" - }, - "mediaType": { - "type": "string", - "title": "Media Type", - "description": "The media type of the object. The media type can provide additional context about the kind of data being represented, such as an image, font, or executable.", - "examples": [ - "text/plain", - "application/json", - "image/png" - ], - "pattern": "^[-+a-z0-9.]+/[-+a-z0-9.]+$" - }, - "attachment": { + "asset": { "type": "object", - "title": "Attachment", - "description": "Specifies the metadata and content for an attachment.", "required": [ - "content" + "bom-ref", + "type", + "name" ], "additionalProperties": false, "properties": { - "mediaType": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/mediaType" + "bom-ref": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType", + "description": "Unique identifier for the asset" }, - "encoding": { + "componentRef": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType", + "description": "Reference to the component this asset represents" + }, + "serviceRef": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType", + "description": "Reference to the service this asset represents" + }, + "type": { "type": "string", - "title": 
"Encoding", - "description": "Specifies the optional encoding the text is represented in.", "enum": [ - "base64" + "component", + "service", + "dataStore", + "data", + "actor", + "process", + "infrastructure", + "device", + "network", + "container", + "function", + "api", + "queue", + "stream", + "system", + "subsystem", + "module", + "interface", + "endpoint", + "resource" ], "meta:enum": { - "base64": "Base64 is a binary-to-text encoding scheme that represents binary data in an ASCII string." + "component": "Software component or application", + "service": "Service or microservice", + "dataStore": "Database, file system, or data repository", + "data": "Data asset or dataset", + "actor": "User, system, or external entity", + "process": "Business or system process", + "infrastructure": "Infrastructure component", + "device": "Physical or IoT device", + "network": "Network segment or resource", + "container": "Container or orchestration unit", + "function": "Serverless function or lambda", + "api": "API endpoint or interface", + "queue": "Message queue or event bus", + "stream": "Data stream or event stream", + "system": "Complete system or application", + "subsystem": "Part of a larger system", + "module": "Software module or package", + "interface": "System interface or contract", + "endpoint": "Service endpoint or URL", + "resource": "Generic resource or artifact" } }, - "content": { + "name": { "type": "string", - "title": "Attachment Text", - "description": "The attachment data. Proactive controls such as input validation and sanitization should be employed to prevent misuse of attachment text." 
+ "description": "Name of the asset" + }, + "description": { + "type": "string", + "description": "Description of the asset's role and purpose" + }, + "zone": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType", + "description": "Reference to the zone containing this asset" + }, + "parent": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType", + "description": "Reference to parent asset if this is a sub-component" + }, + "classification": { + "$ref": "#/$defs/cyclonedx-blueprint-2.0/$defs/assetClassification" + }, + "attributes": { + "type": "array", + "items": { + "type": "string" + }, + "description": "Generic attributes or tags for the asset" + }, + "responsibilities": { + "type": "array", + "items": { + "type": "string" + }, + "description": "Responsibilities or functions of this asset" + }, + "interfaces": { + "type": "array", + "items": { + "$ref": "#/$defs/cyclonedx-blueprint-2.0/$defs/interface" + }, + "description": "Interfaces exposed by this asset" + }, + "dependencies": { + "type": "array", + "items": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType" + }, + "description": "References to assets this asset depends on" + }, + "useCases": { + "type": "array", + "items": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType" + }, + "description": "References to use cases that involve this asset" + }, + "authentication": { + "type": "array", + "items": { + "$ref": "#/$defs/cyclonedx-blueprint-2.0/$defs/authenticationType" + }, + "description": "Authentication methods supported/required" + }, + "authorization": { + "$ref": "#/$defs/cyclonedx-blueprint-2.0/$defs/authorizationType", + "description": "Authorization model used" + }, + "encryption": { + "$ref": "#/$defs/cyclonedx-blueprint-2.0/$defs/encryptionType" + }, + "ownership": { + "$ref": "#/$defs/cyclonedx-blueprint-2.0/$defs/ownership" + }, + "properties": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/properties" + }, + "externalReferences": { + "type": "array", + "items": { + "$ref": 
"#/$defs/cyclonedx-common-2.0/$defs/externalReference" + } } } }, - "base64": { - "type": "string", - "pattern": "^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$", - "description": "A Base64-encoded string." - }, - "externalReferences": { - "type": "array", - "items": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/externalReference" - }, - "title": "External References", - "description": "External references provide a way to document systems, sites, and information that may be relevant but are not included with the BOM. They may also establish specific relationships within or external to the BOM." - }, - "externalReference": { + "interface": { "type": "object", - "title": "External Reference", - "description": "External references provide a way to document systems, sites, and information that may be relevant but are not included with the BOM. They may also establish specific relationships within or external to the BOM.", "required": [ - "url", + "name", "type" ], "additionalProperties": false, "properties": { - "url": { - "anyOf": [ - { - "title": "URL", - "type": "string", - "format": "iri-reference" - }, - { - "title": "BOM-Link", - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/bomLink" - } - ], - "title": "URL", - "description": "The URI (URL or URN) to the external reference. External references are URIs and therefore can accept any URL scheme including https ([RFC-7230](https://www.ietf.org/rfc/rfc7230.txt)), mailto ([RFC-2368](https://www.ietf.org/rfc/rfc2368.txt)), tel ([RFC-3966](https://www.ietf.org/rfc/rfc3966.txt)), and dns ([RFC-4501](https://www.ietf.org/rfc/rfc4501.txt)). External references may also include formally registered URNs such as [CycloneDX BOM-Link](https://cyclonedx.org/capabilities/bomlink/) to reference CycloneDX BOMs or any object within a BOM. BOM-Link transforms applicable external references into relationships that can be expressed in a BOM or across BOMs." 
- }, - "comment": { + "name": { "type": "string", - "title": "Comment", - "description": "A comment describing the external reference" + "description": "Name of the interface" }, "type": { "type": "string", - "title": "Type", - "description": "Specifies the type of external reference.", "enum": [ - "vcs", - "issue-tracker", - "website", - "advisories", - "bom", - "mailing-list", - "social", - "chat", - "documentation", - "support", - "source-distribution", - "distribution", - "distribution-intake", - "license", - "build-meta", - "build-system", - "release-notes", - "security-contact", - "model-card", - "log", - "configuration", - "evidence", - "formulation", - "attestation", - "threat-model", - "adversary-model", - "risk-assessment", - "vulnerability-assertion", - "exploitability-statement", - "pentest-report", - "static-analysis-report", - "dynamic-analysis-report", - "runtime-analysis-report", - "component-analysis-report", - "maturity-report", - "certification-report", - "codified-infrastructure", - "quality-metrics", - "poam", - "electronic-signature", - "digital-signature", - "rfc-9116", - "patent", - "patent-family", - "patent-assertion", - "citation", - "other" + "rest", + "graphql", + "grpc", + "soap", + "messaging", + "file", + "database", + "cli", + "gui", + "api", + "event", + "stream" ], - "meta:enum": { - "vcs": "Version Control System", - "issue-tracker": "Issue or defect tracking system, or an Application Lifecycle Management (ALM) system", - "website": "Website", - "advisories": "Security advisories", - "bom": "Bill of Materials (SBOM, OBOM, HBOM, SaaSBOM, etc)", - "mailing-list": "Mailing list or discussion group", - "social": "Social media account", - "chat": "Real-time chat platform", - "documentation": "Documentation, guides, or how-to instructions", - "support": "Community or commercial support", - "source-distribution": "The location where the source code distributable can be obtained. This is often an archive format such as zip or tgz. 
The source-distribution type complements use of the version control (vcs) type.", - "distribution": "Direct or repository download location", - "distribution-intake": "The location where a component was published to. This is often the same as \"distribution\" but may also include specialized publishing processes that act as an intermediary.", - "license": "The reference to the license file. If a license URL has been defined in the license node, it should also be defined as an external reference for completeness.", - "build-meta": "Build-system specific meta file (i.e. pom.xml, package.json, .nuspec, etc)", - "build-system": "Reference to an automated build system", - "release-notes": "Reference to release notes", - "security-contact": "Specifies a way to contact the maintainer, supplier, or provider in the event of a security incident. Common URIs include links to a disclosure procedure, a mailto (RFC-2368) that specifies an email address, a tel (RFC-3966) that specifies a phone number, or dns (RFC-4501) that specifies the records containing DNS Security TXT.", - "model-card": "A model card describes the intended uses of a machine learning model, potential limitations, biases, ethical considerations, training parameters, datasets used to train the model, performance metrics, and other relevant data useful for ML transparency.", - "log": "A record of events that occurred in a computer system or application, such as problems, errors, or information on current operations.", - "configuration": "Parameters or settings that may be used by other components or services.", - "evidence": "Information used to substantiate a claim.", - "formulation": "Describes the formulation of any referencable object within the BOM, including components, services, metadata, declarations, or the BOM itself.", - "attestation": "Human or machine-readable statements containing facts, evidence, or testimony.", - "threat-model": "An enumeration of identified weaknesses, threats, and 
countermeasures, dataflow diagram (DFD), attack tree, and other supporting documentation in human-readable or machine-readable format.", - "adversary-model": "The defined assumptions, goals, and capabilities of an adversary.", - "risk-assessment": "Identifies and analyzes the potential of future events that may negatively impact individuals, assets, and/or the environment. Risk assessments may also include judgments on the tolerability of each risk.", - "vulnerability-assertion": "A Vulnerability Disclosure Report (VDR) which asserts the known and previously unknown vulnerabilities that affect a component, service, or product including the analysis and findings describing the impact (or lack of impact) that the reported vulnerability has on a component, service, or product.", - "exploitability-statement": "A Vulnerability Exploitability eXchange (VEX) which asserts the known vulnerabilities that do not affect a product, product family, or organization, and optionally the ones that do. The VEX should include the analysis and findings describing the impact (or lack of impact) that the reported vulnerability has on the product, product family, or organization.", - "pentest-report": "Results from an authorized simulated cyberattack on a component or service, otherwise known as a penetration test.", - "static-analysis-report": "SARIF or proprietary machine or human-readable report for which static analysis has identified code quality, security, and other potential issues with the source code.", - "dynamic-analysis-report": "Dynamic analysis report that has identified issues such as vulnerabilities and misconfigurations.", - "runtime-analysis-report": "Report generated by analyzing the call stack of a running application.", - "component-analysis-report": "Report generated by Software Composition Analysis (SCA), container analysis, or other forms of component analysis.", - "maturity-report": "Report containing a formal assessment of an organization, business unit, or team 
against a maturity model.", - "certification-report": "Industry, regulatory, or other certification from an accredited (if applicable) certification body.", - "codified-infrastructure": "Code or configuration that defines and provisions virtualized infrastructure, commonly referred to as Infrastructure as Code (IaC).", - "quality-metrics": "Report or system in which quality metrics can be obtained.", - "poam": "Plans of Action and Milestones (POA&M) complement an \"attestation\" external reference. POA&M is defined by NIST as a \"document that identifies tasks needing to be accomplished. It details resources required to accomplish the elements of the plan, any milestones in meeting the tasks and scheduled completion dates for the milestones\".", - "electronic-signature": "An e-signature is commonly a scanned representation of a written signature or a stylized script of the person's name.", - "digital-signature": "A signature that leverages cryptography, typically public/private key pairs, which provides strong authenticity verification.", - "rfc-9116": "Document that complies with [RFC 9116](https://www.ietf.org/rfc/rfc9116.html) (A File Format to Aid in Security Vulnerability Disclosure)", - "patent": "References information about patents which may be defined in human-readable documents or in machine-readable formats such as CycloneDX or ST.96. For detailed patent information or to reference the information provided directly by patent offices, it is recommended to leverage standards from the World Intellectual Property Organization (WIPO) such as [ST.96](https://www.wipo.int/standards/en/st96).", - "patent-family": "References information about a patent family which may be defined in human-readable documents or in machine-readable formats such as CycloneDX or ST.96. A patent family is a group of related patent applications or granted patents that cover the same or similar invention. 
For detailed patent family information or to reference the information provided directly by patent offices, it is recommended to leverage standards from the World Intellectual Property Organization (WIPO) such as [ST.96](https://www.wipo.int/standards/en/st96).", - "patent-assertion": "References assertions made regarding patents associated with a component or service. Assertions distinguish between ownership, licensing, and other relevant interactions with patents.", - "citation": "A reference to external citations applicable to the object identified by this BOM entry or the BOM itself. When used with a BOM-Link, this allows offloading citations into a separate CycloneDX BOM.", - "other": "Use this if no other types accurately describe the purpose of the external reference." + "description": "Type of interface" + }, + "description": { + "type": "string", + "description": "Description of the interface" + }, + "specification": { + "type": "string", + "description": "Link or reference to interface specification" + }, + "protocol": { + "type": "string", + "description": "Communication protocol used" + }, + "dataFormat": { + "type": "string", + "description": "Data format (e.g., JSON, XML, Protocol Buffers)" + }, + "authentication": { + "type": "array", + "items": { + "$ref": "#/$defs/cyclonedx-blueprint-2.0/$defs/authenticationType" } }, - "hashes": { + "operations": { "type": "array", "items": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/hash" + "type": "string" }, - "title": "Hashes", - "description": "The hashes of the external reference (if applicable)." 
- }, - "properties": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/properties" + "description": "Operations or methods exposed" } } }, - "postalAddress": { + "zone": { "type": "object", - "title": "Postal address", - "description": "An address used to identify a contactable location.", + "required": [ + "bom-ref", + "name", + "type" + ], "additionalProperties": false, "properties": { "bom-ref": { - "title": "BOM Reference", - "description": "An optional identifier which can be used to reference the address elsewhere in the BOM. Every bom-ref must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links.", "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType" }, - "country": { + "name": { "type": "string", - "title": "Country", - "description": "The country name or the two-letter ISO 3166-1 country code." + "description": "Name of the zone" }, - "region": { + "description": { "type": "string", - "title": "Region", - "description": "The region or state in the country.", - "examples": [ - "Texas" - ] + "description": "Description of the zone's characteristics" }, - "locality": { + "type": { "type": "string", - "title": "Locality", - "description": "The locality or city within the country.", - "examples": [ - "Austin" - ] + "enum": [ + "trust", + "network", + "physical", + "logical", + "deployment", + "organizational", + "functional", + "security" + ], + "meta:enum": { + "trust": "Security trust zone", + "network": "Network segmentation zone", + "physical": "Physical location or boundary", + "logical": "Logical grouping or boundary", + "deployment": "Deployment environment (e.g., dev, staging, prod)", + "organizational": "Organizational or administrative boundary", + "functional": "Functional grouping", + "security": "Security zone or perimeter" + } }, - "postOfficeBoxNumber": { - "type": "string", - "title": "Post Office Box Number", - "description": "The post office box number.", - "examples": [ - "901" - 
] + "parent": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType", + "description": "Reference to parent zone if this is a sub-zone" }, - "postalCode": { - "type": "string", - "title": "Postal Code", - "description": "The postal code.", - "examples": [ - "78758" - ] + "characteristics": { + "type": "array", + "items": { + "type": "string" + }, + "description": "Key characteristics of this zone" }, - "streetAddress": { - "type": "string", - "title": "Street Address", - "description": "The street address.", - "examples": [ - "100 Main Street" - ] + "constraints": { + "type": "array", + "items": { + "type": "string" + }, + "description": "Constraints or limitations of this zone" + }, + "properties": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/properties" } } }, - "organizationalEntity": { + "boundary": { "type": "object", - "title": "Organizational Entity", + "required": [ + "bom-ref", + "zones" + ], "additionalProperties": false, "properties": { "bom-ref": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType", - "title": "BOM Reference", - "description": "An optional identifier which can be used to reference the object elsewhere in the BOM. Every bom-ref must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links." + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType" }, "name": { "type": "string", - "title": "Organization Name", - "description": "The name of the organization", - "examples": [ - "Example Inc." 
- ] + "description": "Name of the boundary" }, - "address": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/postalAddress", - "title": "Organization Address", - "description": "The physical address (location) of the organization" + "type": { + "type": "string", + "enum": [ + "trust", + "network", + "process", + "data", + "physical", + "organizational", + "functional" + ], + "meta:enum": { + "trust": "Trust boundary between different security zones", + "network": "Network boundary or firewall", + "process": "Process or execution boundary", + "data": "Data classification boundary", + "physical": "Physical security boundary", + "organizational": "Organizational boundary", + "functional": "Functional boundary" + } }, - "url": { + "zones": { "type": "array", + "minItems": 2, "items": { - "type": "string", - "format": "iri-reference" + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType" }, - "title": "Organization URL(s)", - "description": "The URL of the organization. Multiple URLs are allowed.", - "examples": [ - "https://example.com" - ] + "description": "The zones this boundary connects or separates" }, - "contact": { - "type": "array", - "title": "Organizational Contact", - "description": "A contact at the organization. Multiple contacts are allowed.", - "items": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/organizationalContact" - } + "crossingRequirements": { + "$ref": "#/$defs/cyclonedx-blueprint-2.0/$defs/crossingRequirements" + }, + "properties": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/properties" } } }, - "organizationalContact": { + "crossingRequirements": { "type": "object", - "title": "Organizational Contact", "additionalProperties": false, "properties": { - "bom-ref": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType", - "title": "BOM Reference", - "description": "An optional identifier which can be used to reference the object elsewhere in the BOM. 
Every bom-ref must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links." + "authentication": { + "type": "array", + "items": { + "$ref": "#/$defs/cyclonedx-blueprint-2.0/$defs/authenticationType" + }, + "description": "Authentication required to cross this boundary" }, - "name": { - "type": "string", - "title": "Name", - "description": "The name of a contact", - "examples": [ - "Contact name" - ] + "authorization": { + "$ref": "#/$defs/cyclonedx-blueprint-2.0/$defs/authorizationType", + "description": "Authorization model at this boundary" }, - "email": { - "type": "string", - "format": "idn-email", - "title": "Email Address", - "description": "The email address of the contact.", - "examples": [ - "firstname.lastname@example.com" - ] + "dataValidation": { + "type": "boolean", + "description": "Whether data is validated when crossing this boundary" }, - "phone": { + "dataTransformation": { + "type": "boolean", + "description": "Whether data is transformed when crossing this boundary" + }, + "encryption": { + "$ref": "#/$defs/cyclonedx-blueprint-2.0/$defs/encryptionType", + "description": "Encryption requirements for crossing this boundary" + }, + "logging": { + "type": "boolean", + "description": "Whether crossings are logged" + }, + "monitoring": { + "type": "boolean", + "description": "Whether crossings are monitored" + }, + "rateLimit": { "type": "string", - "title": "Phone", - "description": "The phone number of the contact.", - "examples": [ - "800-555-1212" - ] + "description": "Rate limiting policy" + }, + "protocols": { + "type": "array", + "items": { + "type": "string" + }, + "description": "Allowed protocols for crossing" } } }, - "organizationalEntityOrContact": {}, - "properties": { - "type": "array", - "title": "Properties", - "description": "Provides the ability to document properties in a name-value store. 
This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. Unlike key-value stores, properties support duplicate names, each potentially having different values. Property names of interest to the general public are encouraged to be registered in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy). Formal registration is optional.", - "items": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/property" - } - }, - "property": { + "flow": { "type": "object", - "title": "Lightweight name-value pair", - "description": "Provides the ability to document properties in a name-value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. Unlike key-value stores, properties support duplicate names, each potentially having different values. Property names of interest to the general public are encouraged to be registered in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy). Formal registration is optional.", "required": [ - "name" + "bom-ref", + "name", + "source", + "destination", + "type" ], + "additionalProperties": false, "properties": { + "bom-ref": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType" + }, "name": { "type": "string", - "title": "Name", - "description": "The name of the property. Duplicate names are allowed, each potentially having a different value." + "description": "Name or description of the flow" }, - "value": { + "description": { "type": "string", - "title": "Value", - "description": "The value of the property." 
- } - }, - "additionalProperties": false - }, - "extensibleProperties": { - "type": "object", - "title": "Extensible Properties", - "patternProperties": { - "^ext:[a-zA-Z0-9.-]+\\.[a-zA-Z]{2,}:.+$": { - "description": "CycloneDX supports a structured and namespace-aware mechanism for extensibility through the use of extensible properties. This mechanism enables organizations, ecosystems, and tool vendors to safely introduce custom properties without conflicting with the core schema or other extensions.\n\nExtensible properties are defined as a JSON object whose keys must conform to a strict pattern that resembles a reverse domain name structure, prefixed with ext:. This pattern provides a namespacing convention that aligns with well-established practices in other structured formats (e.g., XML namespaces).", - "examples": [ - "ext::", - "ext:example.org:myExtension" + "description": "Detailed description of what flows and why" + }, + "type": { + "type": "string", + "enum": [ + "data", + "control", + "process", + "message", + "event", + "dependency", + "interaction" ], - "if": { - "type": [ - "object", - "array" - ] - }, - "then": { - "type": "object", - "required": [ - "$schema" - ], - "properties": { - "$schema": { - "type": "string", - "format": "uri" - } - } - }, - "else": { - "type": [ - "string", - "number", - "boolean", - "null" - ] + "meta:enum": { + "data": "Data or information flow", + "control": "Control or command flow", + "process": "Business process flow", + "message": "Message or communication flow", + "event": "Event or notification flow", + "dependency": "Dependency relationship", + "interaction": "User or system interaction" } - } - } - }, - "baseObject": { - "description": "Base object for all CycloneDX entities. 
Automatically includes support for extensible properties.", - "allOf": [ - { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/extensibleProperties" - } - ], - "properties": { - "properties": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/properties" }, - "externalReferences": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/externalReferences" - } - } - }, - "timestamp": { - "type": "string", - "format": "date-time", - "title": "Timestamp", - "pattern": "^\\d{4}-\\d{2}-\\d{2}T\\d{2}:\\d{2}:\\d{2}(\\.\\d+)?Z$", - "description": "An RFC 3339-compliant UTC timestamp using Zulu time (i.e., ending with 'Z'). The format must be 'YYYY-MM-DDTHH:MM:SSZ' or include optional fractional seconds, e.g., 'YYYY-MM-DDTHH:MM:SS.sssZ'. Offsets such as '+00:00' are not allowed." - }, - "lifecycle": { - "type": "object", - "title": "Lifecycle", - "description": "The product lifecycle(s) that this BOM represents.", - "oneOf": [ - { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/preDefinedLifecyclePhase" + "source": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType", + "description": "Reference to the source asset" }, - { - "title": "Custom Lifecycle Phase", - "required": [ - "name" - ], - "additionalProperties": false, - "properties": { - "name": { - "type": "string", - "title": "Name", - "description": "The name of the lifecycle phase" - }, - "description": { - "type": "string", - "title": "Description", - "description": "The description of the lifecycle phase" - } + "destination": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType", + "description": "Reference to the destination asset" + }, + "bidirectional": { + "type": "boolean", + "default": false, + "description": "Whether flow occurs in both directions" + }, + "synchronous": { + "type": "boolean", + "description": "Whether the flow is synchronous or asynchronous" + }, + "volume": { + "type": "string", + "description": "Expected volume or frequency of flow" + }, + "timing": { + "type": "string", + "description": "Timing 
characteristics (real-time, batch, scheduled)" + }, + "protocol": { + "type": "string", + "description": "Communication protocol used" + }, + "dataFormat": { + "type": "string", + "description": "Format of data in the flow" + }, + "classification": { + "$ref": "#/$defs/cyclonedx-blueprint-2.0/$defs/dataClassification" + }, + "authentication": { + "type": "array", + "items": { + "$ref": "#/$defs/cyclonedx-blueprint-2.0/$defs/authenticationType" } + }, + "encryption": { + "$ref": "#/$defs/cyclonedx-blueprint-2.0/$defs/encryptionType" + }, + "properties": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/properties" } - ] - }, - "lifecycles": { - "type": "array", - "title": "Lifecycles", - "description": "Lifecycles communicate the stage(s) in which data in the BOM was captured. Different types of data may be available at various phases of a lifecycle, such as the Software Development Lifecycle (SDLC), IT Asset Management (ITAM), and Software Asset Management (SAM). Thus, a BOM may include data specific to or only obtainable in a given lifecycle.", - "items": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/lifecycle" } }, - "preDefinedLifecyclePhase": { - "title": "Pre-Defined Phase", + "assumption": { + "type": "object", "required": [ - "phase" + "description" ], "additionalProperties": false, "properties": { - "phase": { + "bom-ref": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType" + }, + "description": { + "type": "string", + "description": "The assumption being made" + }, + "category": { "type": "string", - "title": "Phase", - "description": "A pre-defined phase in the product lifecycle.", "enum": [ - "design", - "pre-build", - "build", - "post-build", - "operations", - "discovery", - "decommission" + "technical", + "business", + "operational", + "security", + "compliance", + "performance", + "availability" ], - "meta:enum": { - "design": "BOM produced early in the development lifecycle containing an inventory of components and services that are proposed or 
planned to be used. The inventory may need to be procured, retrieved, or resourced prior to use.", - "pre-build": "BOM consisting of information obtained prior to a build process and may contain source files and development artifacts and manifests. The inventory may need to be resolved and retrieved prior to use.", - "build": "BOM consisting of information obtained during a build process where component inventory is available for use. The precise versions of resolved components are usually available at this time as well as the provenance of where the components were retrieved from.", - "post-build": "BOM consisting of information obtained after a build process has completed and the resulting components(s) are available for further analysis. Built components may exist as the result of a CI/CD process, may have been installed or deployed to a system or device, and may need to be retrieved or extracted from the system or device.", - "operations": "BOM produced that represents inventory that is running and operational. This may include staging or production environments and will generally encompass multiple SBOMs describing the applications and operating system, along with HBOMs describing the hardware that makes up the system. Operations Bill of Materials (OBOM) can provide full-stack inventory of runtime environments, configurations, and additional dependencies.", - "discovery": "BOM consisting of information observed through network discovery providing point-in-time enumeration of embedded, on-premise, and cloud-native services such as server applications, connected devices, microservices, and serverless functions.", - "decommission": "BOM containing inventory that will be, or has been retired from operations." - } - } - } - }, - "tags": { - "type": "array", - "items": { - "type": "string" - }, - "title": "Tags", - "description": "Textual strings that aid in discovery, search, and retrieval of the associated object. 
Tags often serve as a way to group or categorize similar or related objects by various attributes.", - "examples": [ - "json-parser", - "object-persistence", - "text-to-image", - "translation", - "object-detection" - ] - }, - "commit": { - "type": "object", - "title": "Commit", - "description": "Specifies an individual commit", - "additionalProperties": false, - "properties": { - "uid": { + "description": "Category of the assumption" + }, + "relatedAssets": { + "type": "array", + "items": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType" + }, + "description": "Assets this assumption relates to" + }, + "validity": { "type": "string", - "title": "UID", - "description": "A unique identifier of the commit. This may be version control specific. For example, Subversion uses revision numbers whereas git uses commit hashes." + "enum": [ + "unknown", + "verified", + "unverified", + "invalid" + ], + "default": "unknown", + "description": "Whether the assumption has been validated" }, - "url": { + "impact": { "type": "string", - "title": "URL", - "description": "The URL to the commit. 
This URL will typically point to a commit in a version control system.", - "format": "iri-reference" + "description": "Impact if this assumption proves false" }, - "author": { - "title": "Author", - "description": "The author who created the changes in the commit", - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/identifiableAction" + "owner": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/organizationalEntityOrContact", + "description": "Who owns or is responsible for this assumption" }, - "committer": { - "title": "Committer", - "description": "The person who committed or pushed the commit", - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/identifiableAction" + "validationMethod": { + "type": "string", + "description": "How this assumption can be validated" }, - "message": { + "validationDate": { "type": "string", - "title": "Message", - "description": "The text description of the contents of the commit" + "format": "date-time", + "description": "When the assumption was last validated" } } }, - "patch": { + "visualization": { "type": "object", - "title": "Patch", - "description": "Specifies an individual patch", "required": [ + "name", "type" ], "additionalProperties": false, "properties": { + "bom-ref": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType" + }, + "name": { + "type": "string", + "description": "Name or title of the visualization" + }, + "description": { + "type": "string", + "description": "Description of what the visualization shows" + }, "type": { "type": "string", "enum": [ - "unofficial", - "monkey", - "backport", - "cherry-pick" + "architecture", + "dataFlow", + "sequence", + "state", + "deployment", + "network", + "process", + "useCase", + "component", + "class", + "entity", + "activity", + "collaboration", + "context", + "container", + "code" ], "meta:enum": { - "unofficial": "A patch which is not developed by the creators or maintainers of the software being patched. 
Refer to [https://en.wikipedia.org/wiki/Unofficial_patch](https://en.wikipedia.org/wiki/Unofficial_patch).", - "monkey": "A patch which dynamically modifies runtime behavior. Refer to [https://en.wikipedia.org/wiki/Monkey_patch](https://en.wikipedia.org/wiki/Monkey_patch).", - "backport": "A patch which takes code from a newer version of the software and applies it to older versions of the same software. Refer to [https://en.wikipedia.org/wiki/Backporting](https://en.wikipedia.org/wiki/Backporting).", - "cherry-pick": "A patch created by selectively applying commits from other versions or branches of the same software." + "architecture": "System architecture diagram", + "dataFlow": "Data flow diagram (DFD)", + "sequence": "Sequence or interaction diagram", + "state": "State machine diagram", + "deployment": "Deployment or infrastructure diagram", + "network": "Network topology diagram", + "process": "Business process diagram", + "useCase": "Use case diagram", + "component": "Component diagram", + "class": "Class or object diagram", + "entity": "Entity relationship diagram", + "activity": "Activity or workflow diagram", + "collaboration": "Collaboration diagram", + "context": "Context diagram", + "container": "Container diagram (C4)", + "code": "Code structure diagram" + } + }, + "format": { + "type": "string", + "enum": [ + "mermaid", + "graphviz", + "plantuml", + "drawio", + "svg", + "png", + "jpeg", + "d3", + "cytoscape", + "visio", + "archimate" + ], + "meta:enum": { + "mermaid": "Mermaid diagram language", + "graphviz": "GraphViz DOT language", + "plantuml": "PlantUML diagram language", + "drawio": "Draw.io/diagrams.net format", + "svg": "Scalable Vector Graphics", + "png": "Portable Network Graphics", + "jpeg": "JPEG image format", + "d3": "D3.js visualization", + "cytoscape": "Cytoscape graph format", + "visio": "Microsoft Visio format", + "archimate": "ArchiMate model format" + } + }, + "content": { + "type": "string", + "description": "The diagram content 
(source code or base64 encoded image)" + }, + "url": { + "type": "string", + "format": "iri-reference", + "description": "URL to the diagram if stored externally" + }, + "level": { + "type": "string", + "enum": [ + "overview", + "high", + "medium", + "detailed" + ], + "description": "Level of detail in the visualization" + }, + "perspective": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType", + "description": "Reference to the perspective this visualization represents" + }, + "elements": { + "type": "array", + "items": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType" }, - "title": "Patch Type", - "description": "Specifies the purpose for the patch including the resolution of defects, security issues, or new behavior or functionality." + "description": "References to elements shown in this visualization" }, - "diff": { - "title": "Diff", - "description": "The patch file (or diff) that shows changes. Refer to [https://en.wikipedia.org/wiki/Diff](https://en.wikipedia.org/wiki/Diff)", - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/diff" + "interactive": { + "type": "boolean", + "description": "Whether the visualization is interactive" }, - "resolves": { + "layers": { "type": "array", "items": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/issue" + "type": "string" }, - "title": "Resolves", - "description": "A collection of issues the patch resolves" + "description": "Layers or views available in the visualization" + }, + "properties": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/properties" } } }, - "diff": { + "assetClassification": { "type": "object", - "title": "Diff", - "description": "The patch file (or diff) that shows changes. 
Refer to https://en.wikipedia.org/wiki/Diff", "additionalProperties": false, "properties": { - "text": { - "title": "Diff text", - "description": "Specifies the optional text of the diff", - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/attachment" + "criticality": { + "$ref": "#/$defs/cyclonedx-risk-2.0/$defs/criticality" }, - "url": { + "sensitivity": { + "$ref": "#/$defs/cyclonedx-data-2.0/$defs/dataSensitivity" + }, + "dataClassification": { + "$ref": "#/$defs/cyclonedx-blueprint-2.0/$defs/dataClassification" + }, + "tier": { "type": "string", - "title": "URL", - "description": "Specifies the URL to the diff", - "format": "iri-reference" + "enum": [ + "tier0", + "tier1", + "tier2", + "tier3", + "tier4" + ], + "meta:enum": { + "tier0": "Mission critical - highest priority", + "tier1": "Business critical - high priority", + "tier2": "Business important - medium priority", + "tier3": "Business supporting - low priority", + "tier4": "Non-critical - minimal priority" + } + }, + "categories": { + "type": "array", + "items": { + "type": "string" + }, + "description": "Business or technical categories" + }, + "tags": { + "type": "array", + "items": { + "type": "string" + }, + "description": "Tags for classification and search" } } }, - "issue": { + "dataClassification": { "type": "object", - "title": "Issue", - "description": "An individual issue that has been resolved.", - "required": [ - "type" - ], "additionalProperties": false, "properties": { - "type": { - "type": "string", - "enum": [ - "defect", - "enhancement", - "security" - ], - "meta:enum": { - "defect": "A fault, flaw, or bug in software.", - "enhancement": "A new feature or behavior in software.", - "security": "A special type of defect which impacts security." 
+ "sensitivity": { + "$ref": "#/$defs/cyclonedx-data-2.0/$defs/dataSensitivity" + }, + "dataTypes": { + "type": "array", + "items": { + "type": "string" }, - "title": "Issue Type", - "description": "Specifies the type of issue" + "description": "Specific types of data" }, - "id": { + "handling": { "type": "string", - "title": "Issue ID", - "description": "The identifier of the issue assigned by the source of the issue" + "description": "Data handling requirements" }, - "name": { + "retention": { "type": "string", - "title": "Issue Name", - "description": "The name of the issue" + "description": "Data retention requirements" }, - "description": { + "disposal": { "type": "string", - "title": "Issue Description", - "description": "A description of the issue" - }, - "source": { - "type": "object", - "title": "Source", - "description": "The source of the issue where it is documented", - "additionalProperties": false, - "properties": { - "name": { - "type": "string", - "title": "Name", - "description": "The name of the source.", - "examples": [ - "National Vulnerability Database", - "NVD", - "Apache" - ] - }, - "url": { - "type": "string", - "title": "URL", - "description": "The url of the issue documentation as provided by the source", - "format": "iri-reference" - } - } + "description": "Data disposal requirements" }, - "references": { + "regulations": { "type": "array", "items": { - "type": "string", - "format": "iri-reference" + "type": "string" }, - "title": "References", - "description": "A collection of URL's for reference. 
Multiple URLs are allowed.", - "examples": [ - "https://example.com" - ] + "description": "Applicable regulations" } } }, - "identifiableAction": { + "ownership": { "type": "object", - "title": "Identifiable Action", - "description": "Specifies an individual commit", "additionalProperties": false, "properties": { - "timestamp": { - "type": "string", - "format": "date-time", - "title": "Timestamp", - "description": "The timestamp in which the action occurred" + "owner": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/organizationalEntityOrContact", + "description": "Primary owner of the asset" }, - "name": { - "type": "string", - "title": "Name", - "description": "The name of the individual who performed the action" + "steward": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/organizationalEntityOrContact", + "description": "Steward responsible for the asset" }, - "email": { - "type": "string", - "format": "idn-email", - "title": "E-mail", - "description": "The email address of the individual who performed the action" + "custodian": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/organizationalEntityOrContact", + "description": "Custodian responsible for protecting the asset" + }, + "users": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/organizationalEntityOrContact", + "description": "Primary users of the asset" } } }, - "locale": { + "authenticationType": { "type": "string", - "pattern": "^([a-z]{2})(-[A-Z]{2})?$", - "title": "Locale", - "description": "Defines a syntax for representing two character language code (ISO-639) followed by an optional two character country code. The language code must be lower case. If the country code is specified, the country code must be upper case. The language code and country code must be separated by a minus sign. 
Examples: en, en-US, fr, fr-CA" + "enum": [ + "none", + "basic", + "bearer", + "digest", + "certificate", + "apiKey", + "oauth1", + "oauth2", + "openIdConnect", + "saml", + "kerberos", + "ntlm", + "jwt", + "custom" + ], + "description": "Authentication method", + "meta:enum": { + "none": "No authentication required", + "basic": "Basic authentication (username/password)", + "bearer": "Bearer token authentication", + "digest": "Digest authentication", + "certificate": "Certificate-based authentication", + "apiKey": "API key authentication", + "oauth1": "OAuth 1.0 authentication", + "oauth2": "OAuth 2.0 authentication", + "openIdConnect": "OpenID Connect authentication", + "saml": "SAML authentication", + "kerberos": "Kerberos authentication", + "ntlm": "NTLM authentication", + "jwt": "JSON Web Token authentication", + "custom": "Custom authentication method" + } }, - "signature": { - "$ref": "../jsf-0.82.schema.json#/definitions/signature", - "title": "Signature", - "description": "Enveloped signature in [JSON Signature Format (JSF)](https://cyberphone.github.io/doc/security/jsf.html)." 
+ "authorizationType": { + "type": "string", + "enum": [ + "none", + "acl", + "rbac", + "abac", + "mac", + "dac", + "pbac", + "cbac", + "custom" + ], + "description": "Authorization model", + "meta:enum": { + "none": "No authorization controls", + "acl": "Access Control Lists", + "rbac": "Role-Based Access Control", + "abac": "Attribute-Based Access Control", + "mac": "Mandatory Access Control", + "dac": "Discretionary Access Control", + "pbac": "Policy-Based Access Control", + "cbac": "Claims-Based Access Control", + "custom": "Custom authorization model" + } + }, + "encryptionType": { + "type": "object", + "additionalProperties": false, + "properties": { + "inTransit": { + "type": "boolean", + "description": "Whether data is encrypted in transit" + }, + "atRest": { + "type": "boolean", + "description": "Whether data is encrypted at rest" + }, + "inProcessing": { + "type": "boolean", + "description": "Whether data is encrypted during processing" + } + } } } }, - "cyclonedx-component-2.0": { + "cyclonedx-citation-2.0": { "type": "null", - "title": "CycloneDX Component Model", + "title": "CycloneDX Citation Model", "$defs": { - "components": { + "citations": { "type": "array", "items": { - "$ref": "#/$defs/cyclonedx-component-2.0/$defs/component" + "$ref": "#/$defs/cyclonedx-citation-2.0/$defs/citation" }, "uniqueItems": true, - "title": "Components" + "title": "Citations", + "description": "A collection of attributions indicating which entity supplied information for specific fields within the BOM." 
}, - "component": { + "citation": { "type": "object", - "title": "Component", - "required": [ - "type", - "name" - ], + "title": "Citation", + "description": "Details a specific attribution of data within the BOM to a contributing entity or process.", "additionalProperties": false, "properties": { - "type": { + "bom-ref": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType", + "title": "BOM Reference" + }, + "pointers": { + "type": "array", + "items": { + "type": "string", + "title": "Field Reference", + "description": "A [JSON Pointer](https://datatracker.ietf.org/doc/html/rfc6901) identifying the BOM field to which the attribution applies." + }, + "minItems": 1, + "title": "Field References", + "description": "One or more [JSON Pointers](https://datatracker.ietf.org/doc/html/rfc6901) identifying the BOM fields to which the attribution applies.\nExactly one of the \"pointers\" or \"expressions\" elements must be present." + }, + "expressions": { + "type": "array", + "items": { + "type": "string", + "title": "Path Expression", + "description": "Specifies a [JSONPath](https://datatracker.ietf.org/doc/html/rfc9535) expression used to locate a value within a BOM." + }, + "minItems": 1, + "title": "Path Expressions", + "description": "One or more path expressions used to locate values within a BOM.\nExactly one of the \"pointers\" or \"expressions\" elements must be present." + }, + "timestamp": { "type": "string", - "enum": [ - "application", - "framework", - "library", - "container", - "platform", - "operating-system", - "device", - "device-driver", - "firmware", - "file", - "machine-learning-model", - "data", - "cryptographic-asset" - ], - "meta:enum": { - "application": "A software application. Refer to [https://en.wikipedia.org/wiki/Application_software](https://en.wikipedia.org/wiki/Application_software) for information about applications.", - "framework": "A software framework. 
Refer to [https://en.wikipedia.org/wiki/Software_framework](https://en.wikipedia.org/wiki/Software_framework) for information on how frameworks vary slightly from libraries.", - "library": "A software library. Refer to [https://en.wikipedia.org/wiki/Library_(computing)](https://en.wikipedia.org/wiki/Library_(computing)) for information about libraries. All third-party and open source reusable components will likely be a library. If the library also has key features of a framework, then it should be classified as a framework. If not, or is unknown, then specifying library is recommended.", - "container": "A packaging and/or runtime format, not specific to any particular technology, which isolates software inside the container from software outside of a container through virtualization technology. Refer to [https://en.wikipedia.org/wiki/OS-level_virtualization](https://en.wikipedia.org/wiki/OS-level_virtualization).", - "platform": "A runtime environment that interprets or executes software. This may include runtimes such as those that execute bytecode, just-in-time compilers, interpreters, or low-code/no-code application platforms.", - "operating-system": "A software operating system without regard to deployment model (i.e. installed on physical hardware, virtual machine, image, etc) Refer to [https://en.wikipedia.org/wiki/Operating_system](https://en.wikipedia.org/wiki/Operating_system).", - "device": "A hardware device such as a processor or chip-set. A hardware device containing firmware SHOULD include a component for the physical hardware itself and another component of type 'firmware' or 'operating-system' (whichever is relevant), describing information about the software running on the device. See also the list of [known device properties](https://github.com/CycloneDX/cyclonedx-property-taxonomy/blob/main/cdx/device.md).", - "device-driver": "A special type of software that operates or controls a particular type of device. 
Refer to [https://en.wikipedia.org/wiki/Device_driver](https://en.wikipedia.org/wiki/Device_driver).", - "firmware": "A special type of software that provides low-level control over a device's hardware. Refer to [https://en.wikipedia.org/wiki/Firmware](https://en.wikipedia.org/wiki/Firmware).", - "file": "A computer file. Refer to [https://en.wikipedia.org/wiki/Computer_file](https://en.wikipedia.org/wiki/Computer_file) for information about files.", - "machine-learning-model": "A model based on training data that can make predictions or decisions without being explicitly programmed to do so.", - "data": "A collection of discrete values that convey information.", - "cryptographic-asset": "A cryptographic asset including algorithms, protocols, certificates, keys, tokens, and secrets." - }, - "title": "Component Type", - "description": "Specifies the type of component. For software components, classify as application if no more specific appropriate classification is available or cannot be determined for the component.", - "examples": [ - "library" - ] - }, - "mime-type": { - "type": "string", - "title": "Mime-Type", - "description": "The mime-type of the component. When used on file components, the mime-type can provide additional context about the kind of file being represented, such as an image, font, or executable. Some library or framework components may also have an associated mime-type.", - "examples": [ - "image/jpeg" - ], - "pattern": "^[-+a-z0-9.]+/[-+a-z0-9.]+$" - }, - "bom-ref": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType", - "title": "BOM Reference", - "description": "An identifier which can be used to reference the component elsewhere in the BOM. Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links." - }, - "supplier": { - "title": "Component Supplier", - "description": " The organization that supplied the component. 
The supplier may often be the manufacturer, but may also be a distributor or repackager.", - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity" + "format": "date-time", + "title": "Timestamp", + "description": "The date and time when the attribution was made or the information was supplied." }, - "manufacturer": { - "title": "Component Manufacturer", - "description": "The organization that created the component.\nManufacturer is common in components created through automated processes. Components created through manual means may have `@.authors` instead.", - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity" + "attributedTo": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType", + "title": "Attributed To", + "description": "The `bom-ref` of an object, such as a component, service, tool, organisational entity, or person that supplied the cited information.\nAt least one of the \"attributedTo\" or \"process\" elements must be present." }, - "authors": { - "type": "array", - "title": "Component Authors", - "description": "The person(s) who created the component.\nAuthors are common in components created through manual processes. Components created through automated means may have `@.manufacturer` instead.", - "items": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/organizationalContact" - } + "process": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType", + "title": "Process Reference", + "description": "The `bom-ref` to a process (such as a formula, workflow, task, or step) defined in the `formulation` section that executed or generated the attributed data.\nAt least one of the \"attributedTo\" or \"process\" elements must be present." 
}, - "publisher": { + "note": { "type": "string", - "title": "Component Publisher", - "description": "The person(s) or organization(s) that published the component", - "examples": [ - "Acme Inc" - ] + "title": "Note", + "description": "A description or comment about the context or quality of the data attribution." }, - "group": { - "type": "string", - "title": "Component Group", - "description": "The grouping name or identifier. This will often be a shortened, single name of the company or project that produced the component, or the source package or domain name. Whitespace and special characters should be avoided. Examples include: apache, org.apache.commons, and apache.org.", - "examples": [ - "com.acme" + "signature": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/signature", + "title": "Signature", + "description": "A digital signature verifying the authenticity or integrity of the attribution." + } + }, + "required": [ + "timestamp" + ], + "anyOf": [ + { + "required": [ + "attributedTo" ] }, - "name": { - "type": "string", - "title": "Component Name", - "description": "The name of the component. This will often be a shortened, single name of the component. Examples: commons-lang3 and jquery", - "examples": [ - "tomcat-catalina" + { + "required": [ + "process" + ] + } + ], + "oneOf": [ + { + "required": [ + "pointers" ] }, - "version": { - "$ref": "#/$defs/cyclonedx-component-2.0/$defs/version", - "title": "Component Version", - "description": "The component version. The version should ideally comply with semantic versioning but is not enforced.\nMust be used exclusively, either 'version' or 'versionRange', but not both." 
- }, - "versionRange": { - "$ref": "#/$defs/cyclonedx-component-2.0/$defs/versionRange", - "title": "Component Version Range", - "description": "For an external component, this specifies the accepted version range.\nThe value must adhere to the Package URL Version Range syntax (vers), as defined at A list of zero or more patches describing how the component deviates from an ancestor, descendant, or variant. Patches may be complementary to commits or may be used in place of commits.", - "items": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/patch" - } - }, - "notes": { - "type": "string", - "title": "Notes", - "description": "Notes, observations, and other non-structured commentary describing the components pedigree." - } - } - }, - "components": { - "type": "array", - "items": { - "$ref": "#/$defs/cyclonedx-component-2.0/$defs/component" - }, - "uniqueItems": true, - "title": "Components", - "description": "A list of software and hardware components included in the parent component. This is not a dependency tree. It provides a way to specify a hierarchical representation of component assemblies, similar to system → subsystem → parts assembly in physical supply chains." - }, - "evidence": { - "$ref": "#/$defs/cyclonedx-component-2.0/$defs/componentEvidence", - "title": "Evidence", - "description": "Provides the ability to document evidence collected through various forms of extraction or analysis." + "streetAddress": { + "type": "string", + "title": "Street Address", + "description": "The street address.", + "examples": [ + "100 Main Street" + ] + } + } + }, + "organizationalEntity": { + "type": "object", + "title": "Organizational Entity", + "additionalProperties": false, + "properties": { + "bom-ref": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType", + "title": "BOM Reference", + "description": "An optional identifier which can be used to reference the object elsewhere in the BOM. 
Every bom-ref must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links." }, - "releaseNotes": { - "$ref": "#/$defs/cyclonedx-release-notes-2.0/$defs/releaseNotes", - "title": "Release notes", - "description": "Specifies release notes." + "name": { + "type": "string", + "title": "Organization Name", + "description": "The name of the organization", + "examples": [ + "Example Inc." + ] }, - "modelCard": { - "$ref": "#/$defs/cyclonedx-ai-modelcard-2.0/$defs/modelCard", - "title": "AI/ML Model Card" + "address": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/postalAddress", + "title": "Organization Address", + "description": "The physical address (location) of the organization" }, - "data": { + "url": { "type": "array", "items": { - "$ref": "#/$defs/cyclonedx-component-2.0/$defs/componentData" + "type": "string", + "format": "iri-reference" }, - "title": "Data", - "description": "This object SHOULD be specified for any component of type `data` and must not be specified for other component types." - }, - "cryptoProperties": { - "$ref": "#/$defs/cyclonedx-cryptography-2.0/$defs/cryptoProperties", - "title": "Cryptographic Properties" - }, - "tags": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/tags", - "title": "Tags" - }, - "properties": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/properties" - }, - "externalReferences": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/externalReferences" + "title": "Organization URL(s)", + "description": "The URL of the organization. Multiple URLs are allowed.", + "examples": [ + "https://example.com" + ] }, - "signature": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/signature", - "title": "Signature", - "description": "Enveloped signature in [JSON Signature Format (JSF)](https://cyberphone.github.io/doc/security/jsf.html)." 
- } - }, - "allOf": [ - { - "description": "Requirement: ensure that `version` and `versionRange` are not present simultaneously.", - "not": { - "required": [ - "version", - "versionRange" - ] + "contact": { + "type": "array", + "title": "Organizational Contact", + "description": "A contact at the organization. Multiple contacts are allowed.", + "items": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/organizationalContact" } - }, - { - "description": "Requirement: 'versionRange' must not be present when 'isExternal' is `false`.", - "if": { - "properties": { - "isExternal": { - "const": false - } - } - }, - "then": { - "not": { - "required": [ - "versionRange" - ] - } - }, - "else": true - } - ] - }, - "version": { - "description": "A single disjunctive version identifier, for a component or service.", - "type": "string", - "maxLength": 1024, - "examples": [ - "9.0.14", - "v1.33.7", - "7.0.0-M1", - "2.0pre1", - "1.0.0-beta1", - "0.8.15" - ] - }, - "versionRange": { - "description": "A version range specified in Package-URL Version Range syntax (vers) which is defined at https://github.com/package-url/vers-spec", - "type": "string", - "minLength": 1, - "maxLength": 4096, - "examples": [ - "vers:cargo/9.0.14", - "vers:npm/1.2.3|>=2.0.0|<5.0.0", - "vers:pypi/0.0.0|0.0.1|0.0.2|0.0.3|1.0|2.0pre1", - "vers:tomee/>=1.0.0-beta1|<=1.7.5|>=7.0.0-M1|<=7.0.7|>=7.1.0|<=7.1.2|>=8.0.0-M1|<=8.0.1", - "vers:gem/>=2.2.0|!= 2.2.1|<2.3.0" - ] - }, - "copyrightText": { - "type": "string", - "title": "Component Copyright", - "description": "A copyright notice informing users of the underlying claims to copyright ownership in a published work.", - "examples": [ - "Acme Inc" - ] - }, - "copyright": { - "type": "array", - "items": { - "$ref": "#/$defs/cyclonedx-component-2.0/$defs/copyrightObject" - }, - "title": "Copyright", - "description": "Captures intellectual property assertions, providing evidence of possible ownership and legal protection." 
- }, - "copyrightObject": { - "type": "object", - "title": "Copyright", - "description": "A copyright notice informing users of the underlying claims to copyright ownership in a published work.", - "required": [ - "text" - ], - "additionalProperties": false, - "properties": { - "text": { - "type": "string", - "title": "Copyright Text", - "description": "The textual content of the copyright." } } }, - "swid": { + "organizationalContact": { "type": "object", - "title": "SWID Tag", - "description": "Specifies metadata and content for ISO-IEC 19770-2 Software Identification (SWID) Tags.", - "required": [ - "tagId", - "name" - ], + "title": "Organizational Contact", "additionalProperties": false, "properties": { - "tagId": { - "type": "string", - "title": "Tag ID", - "description": "Maps to the tagId of a SoftwareIdentity." + "bom-ref": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType", + "title": "BOM Reference", + "description": "An optional identifier which can be used to reference the object elsewhere in the BOM. Every bom-ref must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links." }, "name": { "type": "string", "title": "Name", - "description": "Maps to the name of a SoftwareIdentity." + "description": "The name of a contact", + "examples": [ + "Contact name" + ] }, - "version": { + "email": { "type": "string", - "title": "Version", - "default": "0.0", - "description": "Maps to the version of a SoftwareIdentity." - }, - "tagVersion": { - "type": "integer", - "title": "Tag Version", - "default": 0, - "description": "Maps to the tagVersion of a SoftwareIdentity." + "format": "idn-email", + "title": "Email Address", + "description": "The email address of the contact.", + "examples": [ + "firstname.lastname@example.com" + ] }, - "patch": { - "type": "boolean", - "title": "Patch", - "default": false, - "description": "Maps to the patch of a SoftwareIdentity." 
- }, - "text": { - "title": "Attachment text", - "description": "Specifies the metadata and content of the SWID tag.", - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/attachment" - }, - "url": { + "phone": { "type": "string", - "title": "URL", - "description": "The URL to the SWID file.", - "format": "iri-reference" + "title": "Phone", + "description": "The phone number of the contact.", + "examples": [ + "800-555-1212" + ] } } }, - "componentEvidence": { + "organizationalEntityOrContact": {}, + "properties": { + "type": "array", + "title": "Properties", + "description": "Provides the ability to document properties in a name-value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. Unlike key-value stores, properties support duplicate names, each potentially having different values. Property names of interest to the general public are encouraged to be registered in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy). Formal registration is optional.", + "items": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/property" + } + }, + "property": { "type": "object", - "title": "Evidence", - "description": "Provides the ability to document evidence collected through various forms of extraction or analysis.", - "additionalProperties": false, + "title": "Lightweight name-value pair", + "description": "Provides the ability to document properties in a name-value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. Unlike key-value stores, properties support duplicate names, each potentially having different values. Property names of interest to the general public are encouraged to be registered in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy). 
Formal registration is optional.", + "required": [ + "name" + ], "properties": { - "identity": { - "type": "array", - "title": "Identity Evidence", - "description": "Evidence that substantiates the identity of a component. The identity may be an object or an array of identity objects. Support for specifying identity as a single object was introduced in CycloneDX v1.5. Arrays were introduced in v1.6. It is recommended that all implementations use arrays, even if only one identity object is specified.", - "items": { - "$ref": "#/$defs/cyclonedx-component-2.0/$defs/componentIdentityEvidence" - } + "name": { + "type": "string", + "title": "Name", + "description": "The name of the property. Duplicate names are allowed, each potentially having a different value." }, - "occurrences": { - "type": "array", - "title": "Occurrences", - "description": "Evidence of individual instances of a component spread across multiple locations.", - "items": { + "value": { + "type": "string", + "title": "Value", + "description": "The value of the property." + } + }, + "additionalProperties": false + }, + "extensibleProperties": { + "type": "object", + "title": "Extensible Properties", + "patternProperties": { + "^ext:[a-zA-Z0-9.-]+\\.[a-zA-Z]{2,}:.+$": { + "description": "CycloneDX supports a structured and namespace-aware mechanism for extensibility through the use of extensible properties. This mechanism enables organizations, ecosystems, and tool vendors to safely introduce custom properties without conflicting with the core schema or other extensions.\n\nExtensible properties are defined as a JSON object whose keys must conform to a strict pattern that resembles a reverse domain name structure, prefixed with ext:. 
This pattern provides a namespacing convention that aligns with well-established practices in other structured formats (e.g., XML namespaces).", + "examples": [ + "ext::", + "ext:example.org:myExtension" + ], + "if": { + "type": [ + "object", + "array" + ] + }, + "then": { "type": "object", "required": [ - "location" + "$schema" ], - "additionalProperties": false, "properties": { - "bom-ref": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType", - "title": "BOM Reference", - "description": "An identifier which can be used to reference the occurrence elsewhere in the BOM. Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links." - }, - "location": { - "type": "string", - "title": "Location", - "description": "The location or path to where the component was found." - }, - "line": { - "type": "integer", - "minimum": 0, - "title": "Line Number", - "description": "The line number where the component was found." - }, - "offset": { - "type": "integer", - "minimum": 0, - "title": "Offset", - "description": "The offset where the component was found." - }, - "symbol": { - "type": "string", - "title": "Symbol", - "description": "The symbol name that was found associated with the component." - }, - "additionalContext": { + "$schema": { "type": "string", - "title": "Additional Context", - "description": "Any additional context of the detected component (e.g. a code snippet)." + "format": "uri" } } + }, + "else": { + "type": [ + "string", + "number", + "boolean", + "null" + ] } + } + } + }, + "baseObject": { + "description": "Base object for all CycloneDX entities. 
Automatically includes support for extensible properties.", + "allOf": [ + { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/extensibleProperties" + } + ], + "properties": { + "properties": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/properties" }, - "callstack": { - "type": "object", - "title": "Call Stack", - "description": "Evidence of the components use through the callstack.", + "externalReferences": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/externalReferences" + } + } + }, + "timestamp": { + "type": "string", + "format": "date-time", + "title": "Timestamp", + "pattern": "^\\d{4}-\\d{2}-\\d{2}T\\d{2}:\\d{2}:\\d{2}(\\.\\d+)?Z$", + "description": "An RFC 3339-compliant UTC timestamp using Zulu time (i.e., ending with 'Z'). The format must be 'YYYY-MM-DDTHH:MM:SSZ' or include optional fractional seconds, e.g., 'YYYY-MM-DDTHH:MM:SS.sssZ'. Offsets such as '+00:00' are not allowed." + }, + "ordinalVersion": { + "title": "Ordinal Version", + "description": "An ordinal version is a dot-delimited, purely numeric identifier where each segment represents an ordered level in the hierarchy. The segments have no prescribed meaning beyond numeric ordering, allowing straightforward comparison and sorting.", + "type": "string", + "pattern": "^\\d+(\\.\\d+)*$", + "examples": [ + "1", + "1.2", + "1.2.3", + "2025.09.02", + "10.4.7.3" + ] + }, + "lifecycle": { + "type": "object", + "title": "Lifecycle", + "description": "The product lifecycle(s) that this BOM represents.", + "oneOf": [ + { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/preDefinedLifecyclePhase" + }, + { + "title": "Custom Lifecycle Phase", + "required": [ + "name" + ], "additionalProperties": false, "properties": { - "frames": { - "type": "array", - "title": "Frames", - "description": "Within a call stack, a frame is a discrete unit that encapsulates an execution context, including local variables, parameters, and the return address. 
As function calls are made, frames are pushed onto the stack, forming an array-like structure that orchestrates the flow of program execution and manages the sequence of function invocations.", - "items": { - "type": "object", - "required": [ - "module" - ], - "additionalProperties": false, - "properties": { - "package": { - "title": "Package", - "description": "A package organizes modules into namespaces, providing a unique namespace for each type it contains.", - "type": "string" - }, - "module": { - "title": "Module", - "description": "A module or class that encloses functions/methods and other code.", - "type": "string" - }, - "function": { - "title": "Function", - "description": "A block of code designed to perform a particular task.", - "type": "string" - }, - "parameters": { - "title": "Parameters", - "description": "Arguments that are passed to the module or function.", - "type": "array", - "items": { - "type": "string" - } - }, - "line": { - "title": "Line", - "description": "The line number the code that is called resides on.", - "type": "integer" - }, - "column": { - "title": "Column", - "description": "The column the code that is called resides.", - "type": "integer" - }, - "fullFilename": { - "title": "Full Filename", - "description": "The full path and filename of the module.", - "type": "string" - } - } - } + "name": { + "type": "string", + "title": "Name", + "description": "The name of the lifecycle phase" + }, + "description": { + "type": "string", + "title": "Description", + "description": "The description of the lifecycle phase" } } - }, - "licenses": { - "$ref": "#/$defs/cyclonedx-license-2.0/$defs/licenseChoice", - "title": "License Evidence" - }, - "copyright": { - "$ref": "#/$defs/cyclonedx-component-2.0/$defs/copyright" } + ] + }, + "lifecycles": { + "type": "array", + "title": "Lifecycles", + "description": "Lifecycles communicate the stage(s) in which data in the BOM was captured. 
Different types of data may be available at various phases of a lifecycle, such as the Software Development Lifecycle (SDLC), IT Asset Management (ITAM), and Software Asset Management (SAM). Thus, a BOM may include data specific to or only obtainable in a given lifecycle.", + "items": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/lifecycle" } }, - "componentIdentityEvidence": { - "type": "object", - "title": "Identity Evidence", - "description": "Evidence that substantiates the identity of a component.", + "preDefinedLifecyclePhase": { + "title": "Pre-Defined Phase", "required": [ - "field" + "phase" ], "additionalProperties": false, "properties": { - "field": { + "phase": { "type": "string", + "title": "Phase", + "description": "A pre-defined phase in the product lifecycle.", "enum": [ - "group", - "name", - "version", - "purl", - "cpe", - "omniborId", - "swhid", - "swid", - "hash" + "design", + "pre-build", + "build", + "post-build", + "operations", + "discovery", + "decommission" ], - "title": "Field", - "description": "The identity field of the component which the evidence describes." + "meta:enum": { + "design": "BOM produced early in the development lifecycle containing an inventory of components and services that are proposed or planned to be used. The inventory may need to be procured, retrieved, or resourced prior to use.", + "pre-build": "BOM consisting of information obtained prior to a build process and may contain source files and development artifacts and manifests. The inventory may need to be resolved and retrieved prior to use.", + "build": "BOM consisting of information obtained during a build process where component inventory is available for use. 
The precise versions of resolved components are usually available at this time as well as the provenance of where the components were retrieved from.", + "post-build": "BOM consisting of information obtained after a build process has completed and the resulting components(s) are available for further analysis. Built components may exist as the result of a CI/CD process, may have been installed or deployed to a system or device, and may need to be retrieved or extracted from the system or device.", + "operations": "BOM produced that represents inventory that is running and operational. This may include staging or production environments and will generally encompass multiple SBOMs describing the applications and operating system, along with HBOMs describing the hardware that makes up the system. Operations Bill of Materials (OBOM) can provide full-stack inventory of runtime environments, configurations, and additional dependencies.", + "discovery": "BOM consisting of information observed through network discovery providing point-in-time enumeration of embedded, on-premise, and cloud-native services such as server applications, connected devices, microservices, and serverless functions.", + "decommission": "BOM containing inventory that will be, or has been retired from operations." + } + } + } + }, + "tags": { + "type": "array", + "items": { + "type": "string" + }, + "title": "Tags", + "description": "Textual strings that aid in discovery, search, and retrieval of the associated object. Tags often serve as a way to group or categorize similar or related objects by various attributes.", + "examples": [ + "json-parser", + "object-persistence", + "text-to-image", + "translation", + "object-detection" + ] + }, + "commit": { + "type": "object", + "title": "Commit", + "description": "Specifies an individual commit", + "additionalProperties": false, + "properties": { + "uid": { + "type": "string", + "title": "UID", + "description": "A unique identifier of the commit. 
This may be version control specific. For example, Subversion uses revision numbers whereas git uses commit hashes." }, - "confidence": { - "type": "number", - "minimum": 0, - "maximum": 1, - "title": "Confidence", - "description": "The overall confidence of the evidence from 0 - 1, where 1 is 100% confidence." + "url": { + "type": "string", + "title": "URL", + "description": "The URL to the commit. This URL will typically point to a commit in a version control system.", + "format": "iri-reference" }, - "concludedValue": { + "author": { + "title": "Author", + "description": "The author who created the changes in the commit", + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/identifiableAction" + }, + "committer": { + "title": "Committer", + "description": "The person who committed or pushed the commit", + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/identifiableAction" + }, + "message": { "type": "string", - "title": "Concluded Value", - "description": "The value of the field (cpe, purl, etc) that has been concluded based on the aggregate of all methods (if available)." + "title": "Message", + "description": "The text description of the contents of the commit" + } + } + }, + "patch": { + "type": "object", + "title": "Patch", + "description": "Specifies an individual patch", + "required": [ + "type" + ], + "additionalProperties": false, + "properties": { + "type": { + "type": "string", + "enum": [ + "unofficial", + "monkey", + "backport", + "cherry-pick" + ], + "meta:enum": { + "unofficial": "A patch which is not developed by the creators or maintainers of the software being patched. Refer to [https://en.wikipedia.org/wiki/Unofficial_patch](https://en.wikipedia.org/wiki/Unofficial_patch).", + "monkey": "A patch which dynamically modifies runtime behavior. 
Refer to [https://en.wikipedia.org/wiki/Monkey_patch](https://en.wikipedia.org/wiki/Monkey_patch).", + "backport": "A patch which takes code from a newer version of the software and applies it to older versions of the same software. Refer to [https://en.wikipedia.org/wiki/Backporting](https://en.wikipedia.org/wiki/Backporting).", + "cherry-pick": "A patch created by selectively applying commits from other versions or branches of the same software." + }, + "title": "Patch Type", + "description": "Specifies the purpose for the patch including the resolution of defects, security issues, or new behavior or functionality." }, - "methods": { - "type": "array", - "title": "Methods", - "description": "The methods used to extract and/or analyze the evidence.", - "items": { - "type": "object", - "required": [ - "technique", - "confidence" - ], - "additionalProperties": false, - "properties": { - "technique": { - "title": "Technique", - "description": "The technique used in this method of analysis.", - "type": "string", - "enum": [ - "source-code-analysis", - "binary-analysis", - "manifest-analysis", - "ast-fingerprint", - "hash-comparison", - "instrumentation", - "dynamic-analysis", - "filename", - "attestation", - "other" - ] - }, - "confidence": { - "type": "number", - "minimum": 0, - "maximum": 1, - "title": "Confidence", - "description": "The confidence of the evidence from 0 - 1, where 1 is 100% confidence. Confidence is specific to the technique used. Each technique of analysis can have independent confidence." - }, - "value": { - "type": "string", - "title": "Value", - "description": "The value or contents of the evidence." - } - } - } + "diff": { + "title": "Diff", + "description": "The patch file (or diff) that shows changes. 
Refer to [https://en.wikipedia.org/wiki/Diff](https://en.wikipedia.org/wiki/Diff)", + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/diff" }, - "tools": { + "resolves": { "type": "array", - "uniqueItems": true, "items": { - "anyOf": [ - { - "title": "Ref", - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType" - }, - { - "title": "BOM-Link Element", - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/bomLinkElementType" - } - ] + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/issue" }, - "title": "BOM References", - "description": "The object in the BOM identified by its bom-ref. This is often a component or service but may be any object type supporting bom-refs. Tools used for analysis should already be defined in the BOM, either in the metadata/tools, components, or formulation." + "title": "Resolves", + "description": "A collection of issues the patch resolves" } } }, - "componentData": { + "diff": { "type": "object", + "title": "Diff", + "description": "The patch file (or diff) that shows changes. Refer to https://en.wikipedia.org/wiki/Diff", "additionalProperties": false, + "properties": { + "text": { + "title": "Diff text", + "description": "Specifies the optional text of the diff", + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/attachment" + }, + "url": { + "type": "string", + "title": "URL", + "description": "Specifies the URL to the diff", + "format": "iri-reference" + } + } + }, + "issue": { + "type": "object", + "title": "Issue", + "description": "An individual issue that has been resolved.", "required": [ "type" ], + "additionalProperties": false, "properties": { - "bom-ref": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType", - "title": "BOM Reference", - "description": "An identifier which can be used to reference the dataset elsewhere in the BOM. Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links." 
- }, "type": { "type": "string", - "title": "Type of Data", - "description": "The general theme or subject matter of the data being specified.", "enum": [ - "source-code", - "configuration", - "dataset", - "definition", - "other" + "defect", + "enhancement", + "security" ], "meta:enum": { - "source-code": "Any type of code, code snippet, or data-as-code.", - "configuration": "Parameters or settings that may be used by other components.", - "dataset": "A collection of data.", - "definition": "Data that can be used to create new instances of what the definition defines.", - "other": "Any other type of data that does not fit into existing definitions." - } + "defect": "A fault, flaw, or bug in software.", + "enhancement": "A new feature or behavior in software.", + "security": "A special type of defect which impacts security." + }, + "title": "Issue Type", + "description": "Specifies the type of issue" + }, + "id": { + "type": "string", + "title": "Issue ID", + "description": "The identifier of the issue assigned by the source of the issue" }, "name": { - "title": "Dataset Name", - "description": "The name of the dataset.", - "type": "string" + "type": "string", + "title": "Issue Name", + "description": "The name of the issue" }, - "contents": { + "description": { + "type": "string", + "title": "Issue Description", + "description": "A description of the issue" + }, + "source": { "type": "object", - "title": "Data Contents", - "description": "The contents or references to the contents of the data being described.", + "title": "Source", + "description": "The source of the issue where it is documented", "additionalProperties": false, "properties": { - "attachment": { - "title": "Data Attachment", - "description": "A way to include textual or encoded data.", - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/attachment" - }, - "url": { + "name": { "type": "string", - "title": "Data URL", - "description": "The URL to where the data can be retrieved.", - "format": 
"iri-reference" + "title": "Name", + "description": "The name of the source.", + "examples": [ + "National Vulnerability Database", + "NVD", + "Apache" + ] }, - "properties": { - "type": "array", - "title": "Configuration Properties", - "description": "Provides the ability to document name-value parameters used for configuration.", - "items": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/property" - } + "url": { + "type": "string", + "title": "URL", + "description": "The url of the issue documentation as provided by the source", + "format": "iri-reference" } } }, - "classification": { - "$ref": "#/$defs/cyclonedx-data-2.0/$defs/dataClassification" - }, - "sensitiveData": { + "references": { "type": "array", - "title": "Sensitive Data", - "description": "A description of any sensitive data in a dataset.", "items": { - "type": "string" - } - }, - "graphics": { - "$ref": "#/$defs/cyclonedx-ai-modelcard-2.0/$defs/graphicsCollection" + "type": "string", + "format": "iri-reference" + }, + "title": "References", + "description": "A collection of URL's for reference. Multiple URLs are allowed.", + "examples": [ + "https://example.com" + ] + } + } + }, + "identifiableAction": { + "type": "object", + "title": "Identifiable Action", + "description": "Specifies an individual commit", + "additionalProperties": false, + "properties": { + "timestamp": { + "type": "string", + "format": "date-time", + "title": "Timestamp", + "description": "The timestamp in which the action occurred" }, - "description": { - "title": "Dataset Description", - "description": "A description of the dataset. 
Can describe size of dataset, whether it's used for source code, training, testing, or validation, etc.", - "type": "string" + "name": { + "type": "string", + "title": "Name", + "description": "The name of the individual who performed the action" }, - "governance": { - "title": "Data Governance", - "$ref": "#/$defs/cyclonedx-data-2.0/$defs/dataGovernance" + "email": { + "type": "string", + "format": "idn-email", + "title": "E-mail", + "description": "The email address of the individual who performed the action" } } + }, + "locale": { + "type": "string", + "pattern": "^([a-z]{2})(-[A-Z]{2})?$", + "title": "Locale", + "description": "Defines a syntax for representing two character language code (ISO-639) followed by an optional two character country code. The language code must be lower case. If the country code is specified, the country code must be upper case. The language code and country code must be separated by a minus sign. Examples: en, en-US, fr, fr-CA" + }, + "signature": { + "$ref": "../jsf-0.82.schema.json#/definitions/signature", + "title": "Signature", + "description": "Enveloped signature in [JSON Signature Format (JSF)](https://cyberphone.github.io/doc/security/jsf.html)." } } }, - "cyclonedx-composition-2.0": { + "cyclonedx-component-2.0": { "type": "null", - "title": "CycloneDX Composition Model", + "title": "CycloneDX Component Model", "$defs": { - "compositions": { + "components": { "type": "array", "items": { - "$ref": "#/$defs/cyclonedx-composition-2.0/$defs/composition" + "$ref": "#/$defs/cyclonedx-component-2.0/$defs/component" }, "uniqueItems": true, - "title": "Compositions", - "description": "Compositions describe constituent parts (including components, services, and dependency relationships) and their completeness. The completeness of vulnerabilities expressed in a BOM may also be described." 
+ "title": "Components" }, - "composition": { + "component": { "type": "object", - "title": "Compositions", + "title": "Component", "required": [ - "aggregate" + "type", + "name" ], "additionalProperties": false, "properties": { + "type": { + "type": "string", + "enum": [ + "application", + "framework", + "library", + "container", + "platform", + "operating-system", + "device", + "device-driver", + "firmware", + "file", + "machine-learning-model", + "data", + "cryptographic-asset" + ], + "meta:enum": { + "application": "A software application. Refer to [https://en.wikipedia.org/wiki/Application_software](https://en.wikipedia.org/wiki/Application_software) for information about applications.", + "framework": "A software framework. Refer to [https://en.wikipedia.org/wiki/Software_framework](https://en.wikipedia.org/wiki/Software_framework) for information on how frameworks vary slightly from libraries.", + "library": "A software library. Refer to [https://en.wikipedia.org/wiki/Library_(computing)](https://en.wikipedia.org/wiki/Library_(computing)) for information about libraries. All third-party and open source reusable components will likely be a library. If the library also has key features of a framework, then it should be classified as a framework. If not, or is unknown, then specifying library is recommended.", + "container": "A packaging and/or runtime format, not specific to any particular technology, which isolates software inside the container from software outside of a container through virtualization technology. Refer to [https://en.wikipedia.org/wiki/OS-level_virtualization](https://en.wikipedia.org/wiki/OS-level_virtualization).", + "platform": "A runtime environment that interprets or executes software. This may include runtimes such as those that execute bytecode, just-in-time compilers, interpreters, or low-code/no-code application platforms.", + "operating-system": "A software operating system without regard to deployment model (i.e. 
installed on physical hardware, virtual machine, image, etc) Refer to [https://en.wikipedia.org/wiki/Operating_system](https://en.wikipedia.org/wiki/Operating_system).", + "device": "A hardware device such as a processor or chip-set. A hardware device containing firmware SHOULD include a component for the physical hardware itself and another component of type 'firmware' or 'operating-system' (whichever is relevant), describing information about the software running on the device. See also the list of [known device properties](https://github.com/CycloneDX/cyclonedx-property-taxonomy/blob/main/cdx/device.md).", + "device-driver": "A special type of software that operates or controls a particular type of device. Refer to [https://en.wikipedia.org/wiki/Device_driver](https://en.wikipedia.org/wiki/Device_driver).", + "firmware": "A special type of software that provides low-level control over a device's hardware. Refer to [https://en.wikipedia.org/wiki/Firmware](https://en.wikipedia.org/wiki/Firmware).", + "file": "A computer file. Refer to [https://en.wikipedia.org/wiki/Computer_file](https://en.wikipedia.org/wiki/Computer_file) for information about files.", + "machine-learning-model": "A model based on training data that can make predictions or decisions without being explicitly programmed to do so.", + "data": "A collection of discrete values that convey information.", + "cryptographic-asset": "A cryptographic asset including algorithms, protocols, certificates, keys, tokens, and secrets." + }, + "title": "Component Type", + "description": "Specifies the type of component. For software components, classify as application if no more specific appropriate classification is available or cannot be determined for the component.", + "examples": [ + "library" + ] + }, + "mime-type": { + "type": "string", + "title": "Mime-Type", + "description": "The mime-type of the component. 
When used on file components, the mime-type can provide additional context about the kind of file being represented, such as an image, font, or executable. Some library or framework components may also have an associated mime-type.", + "examples": [ + "image/jpeg" + ], + "pattern": "^[-+a-z0-9.]+/[-+a-z0-9.]+$" + }, "bom-ref": { "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType", "title": "BOM Reference", - "description": "An identifier which can be used to reference the composition elsewhere in the BOM. Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links." + "description": "An identifier which can be used to reference the component elsewhere in the BOM. Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links." }, - "aggregate": { - "$ref": "#/$defs/cyclonedx-composition-2.0/$defs/aggregateType", - "title": "Aggregate", - "description": "Specifies an aggregate type that describes how complete a relationship is." + "supplier": { + "title": "Component Supplier", + "description": " The organization that supplied the component. The supplier may often be the manufacturer, but may also be a distributor or repackager.", + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity" }, - "assemblies": { - "type": "array", - "uniqueItems": true, - "items": { - "anyOf": [ - { - "title": "Ref", - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType" - }, - { - "title": "BOM-Link Element", - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/bomLinkElementType" - } - ] - }, - "title": "BOM references", - "description": "The bom-ref identifiers of the components or services being described. Assemblies refer to nested relationships whereby a constituent part may include other constituent parts. References do not cascade to child parts. References are explicit for the specified constituent part only." 
+ "manufacturer": { + "title": "Component Manufacturer", + "description": "The organization that created the component.\nManufacturer is common in components created through automated processes. Components created through manual means may have `@.authors` instead.", + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity" }, - "dependencies": { + "authors": { "type": "array", - "uniqueItems": true, + "title": "Component Authors", + "description": "The person(s) who created the component.\nAuthors are common in components created through manual processes. Components created through automated means may have `@.manufacturer` instead.", "items": { - "type": "string" + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/organizationalContact" + } + }, + "publisher": { + "type": "string", + "title": "Component Publisher", + "description": "The person(s) or organization(s) that published the component", + "examples": [ + "Acme Inc" + ] + }, + "group": { + "type": "string", + "title": "Component Group", + "description": "The grouping name or identifier. This will often be a shortened, single name of the company or project that produced the component, or the source package or domain name. Whitespace and special characters should be avoided. Examples include: apache, org.apache.commons, and apache.org.", + "examples": [ + "com.acme" + ] + }, + "name": { + "type": "string", + "title": "Component Name", + "description": "The name of the component. This will often be a shortened, single name of the component. Examples: commons-lang3 and jquery", + "examples": [ + "tomcat-catalina" + ] + }, + "version": { + "$ref": "#/$defs/cyclonedx-component-2.0/$defs/version", + "title": "Component Version", + "description": "The component version. The version should ideally comply with semantic versioning but is not enforced.\nMust be used exclusively, either 'version' or 'versionRange', but not both." 
+ }, + "versionRange": { + "$ref": "#/$defs/cyclonedx-component-2.0/$defs/versionRange", + "title": "Component Version Range", + "description": "For an external component, this specifies the accepted version range.\nThe value must adhere to the Package URL Version Range syntax (vers), as defined at A list of zero or more patches describing how the component deviates from an ancestor, descendant, or variant. Patches may be complementary to commits or may be used in place of commits.", "items": { - "type": "string", - "enum": [ - "none", - "fips140-1-l1", - "fips140-1-l2", - "fips140-1-l3", - "fips140-1-l4", - "fips140-2-l1", - "fips140-2-l2", - "fips140-2-l3", - "fips140-2-l4", - "fips140-3-l1", - "fips140-3-l2", - "fips140-3-l3", - "fips140-3-l4", - "cc-eal1", - "cc-eal1+", - "cc-eal2", - "cc-eal2+", - "cc-eal3", - "cc-eal3+", - "cc-eal4", - "cc-eal4+", - "cc-eal5", - "cc-eal5+", - "cc-eal6", - "cc-eal6+", - "cc-eal7", - "cc-eal7+", - "other", - "unknown" - ], - "meta:enum": { - "none": "No certification obtained", - "fips140-1-l1": "FIPS 140-1 Level 1", - "fips140-1-l2": "FIPS 140-1 Level 2", - "fips140-1-l3": "FIPS 140-1 Level 3", - "fips140-1-l4": "FIPS 140-1 Level 4", - "fips140-2-l1": "FIPS 140-2 Level 1", - "fips140-2-l2": "FIPS 140-2 Level 2", - "fips140-2-l3": "FIPS 140-2 Level 3", - "fips140-2-l4": "FIPS 140-2 Level 4", - "fips140-3-l1": "FIPS 140-3 Level 1", - "fips140-3-l2": "FIPS 140-3 Level 2", - "fips140-3-l3": "FIPS 140-3 Level 3", - "fips140-3-l4": "FIPS 140-3 Level 4", - "cc-eal1": "Common Criteria - Evaluation Assurance Level 1", - "cc-eal1+": "Common Criteria - Evaluation Assurance Level 1 (Augmented)", - "cc-eal2": "Common Criteria - Evaluation Assurance Level 2", - "cc-eal2+": "Common Criteria - Evaluation Assurance Level 2 (Augmented)", - "cc-eal3": "Common Criteria - Evaluation Assurance Level 3", - "cc-eal3+": "Common Criteria - Evaluation Assurance Level 3 (Augmented)", - "cc-eal4": "Common Criteria - Evaluation Assurance Level 4", - 
"cc-eal4+": "Common Criteria - Evaluation Assurance Level 4 (Augmented)", - "cc-eal5": "Common Criteria - Evaluation Assurance Level 5", - "cc-eal5+": "Common Criteria - Evaluation Assurance Level 5 (Augmented)", - "cc-eal6": "Common Criteria - Evaluation Assurance Level 6", - "cc-eal6+": "Common Criteria - Evaluation Assurance Level 6 (Augmented)", - "cc-eal7": "Common Criteria - Evaluation Assurance Level 7", - "cc-eal7+": "Common Criteria - Evaluation Assurance Level 7 (Augmented)", - "other": "Another certification", - "unknown": "The certification level is not known" - } - } - }, - "mode": { - "type": "string", - "title": "Mode", - "description": "The mode of operation in which the cryptographic algorithm (block cipher) is used.", - "enum": [ - "cbc", - "ecb", - "ccm", - "gcm", - "cfb", - "ofb", - "ctr", - "other", - "unknown" - ], - "meta:enum": { - "cbc": "Cipher block chaining", - "ecb": "Electronic codebook", - "ccm": "Counter with cipher block chaining message authentication code", - "gcm": "Galois/counter", - "cfb": "Cipher feedback", - "ofb": "Output feedback", - "ctr": "Counter", - "other": "Another mode of operation", - "unknown": "The mode of operation is not known" + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/patch" } }, - "padding": { + "notes": { "type": "string", - "title": "Padding", - "description": "The padding scheme that is used for the cryptographic algorithm.", - "enum": [ - "pkcs5", - "pkcs7", - "pkcs1v15", - "oaep", - "raw", - "other", - "unknown" - ], - "meta:enum": { - "pkcs5": "Public Key Cryptography Standard: Password-Based Cryptography", - "pkcs7": "Public Key Cryptography Standard: Cryptographic Message Syntax", - "pkcs1v15": "Public Key Cryptography Standard: RSA Cryptography v1.5", - "oaep": "Optimal asymmetric encryption padding", - "raw": "Raw", - "other": "Another padding scheme", - "unknown": "The padding scheme is not known" - } - }, - "cryptoFunctions": { - "type": "array", - "title": "Cryptographic functions", - 
"description": "The cryptographic functions implemented by the cryptographic algorithm.", - "items": { - "type": "string", - "enum": [ - "generate", - "keygen", - "encrypt", - "decrypt", - "digest", - "tag", - "keyderive", - "sign", - "verify", - "encapsulate", - "decapsulate", - "other", - "unknown" - ] - } - }, - "classicalSecurityLevel": { - "type": "integer", - "title": "classical security level", - "description": "The classical security level that a cryptographic algorithm provides (in bits).", - "minimum": 0 - }, - "nistQuantumSecurityLevel": { - "type": "integer", - "title": "NIST security strength category", - "description": "The NIST security strength category as defined in https://csrc.nist.gov/projects/post-quantum-cryptography/post-quantum-cryptography-standardization/evaluation-criteria/security-(evaluation-criteria). A value of 0 indicates that none of the categories are met.", - "minimum": 0, - "maximum": 6 + "title": "Notes", + "description": "Notes, observations, and other non-structured commentary describing the components pedigree." } } }, - "certificateProperties": { - "type": "object", - "title": "Certificate Properties", - "description": "Properties for cryptographic assets of asset type 'certificate'.", - "additionalProperties": false, - "properties": { - "serialNumber": { - "type": "string", - "title": "Serial Number", - "description": "The serial number is a unique identifier for the certificate issued by a CA." - }, - "subjectName": { - "type": "string", - "title": "Subject Name", - "description": "The subject name for the certificate." - }, - "issuerName": { - "type": "string", - "title": "Issuer Name", - "description": "The issuer name for the certificate." - }, - "notValidBefore": { - "type": "string", - "format": "date-time", - "title": "Not Valid Before", - "description": "The date and time according to ISO-8601 standard from which the certificate is valid." 
- }, - "notValidAfter": { - "type": "string", - "format": "date-time", - "title": "Not Valid After", - "description": "The date and time according to ISO-8601 standard from which the certificate is not valid anymore." - }, - "certificateFormat": { - "type": "string", - "title": "Certificate Format", - "description": "The format of the certificate.", - "examples": [ - "X.509", - "PEM", - "DER", - "CVC" - ] - }, - "certificateFileExtension": { - "type": "string", - "title": "Certificate File Extension", - "description": "The file extension of the certificate.", - "examples": [ - "crt", - "pem", - "cer", - "der", - "p12" - ] - }, - "fingerprint": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/hash", - "title": "Certificate Fingerprint", - "description": "The fingerprint is a cryptographic hash of the certificate excluding it's signature." - }, - "certificateState": { - "type": "array", - "title": "Certificate Lifecycle State", - "description": "The certificate lifecycle is a comprehensive process that manages digital certificates from their initial creation to eventual expiration or revocation. 
It typically involves several stages.", - "items": { - "type": "object", - "title": "State", - "description": "The state of the certificate.", - "oneOf": [ - { - "title": "Pre-Defined State", - "required": [ - "state" - ], - "additionalProperties": false, - "properties": { - "state": { - "type": "string", - "title": "State", - "description": "A pre-defined state in the certificate lifecycle.", - "enum": [ - "pre-activation", - "active", - "suspended", - "deactivated", - "revoked", - "destroyed" - ], - "meta:enum": { - "pre-activation": "The certificate has been issued by the issuing certificate authority (CA) but has not been authorized for use.", - "active": "The certificate may be used to cryptographically protect information, cryptographically process previously protected information, or both.", - "deactivated": "Certificates in the deactivated state shall not be used to apply cryptographic protection but, in some cases, may be used to process cryptographically protected information.", - "suspended": "The use of a certificate may be suspended for several possible reasons.", - "revoked": "A revoked certificate is a digital certificate that has been invalidated by the issuing certificate authority (CA) before its scheduled expiration date.", - "destroyed": "The certificate has been destroyed." - } - }, - "reason": { - "type": "string", - "title": "Reason", - "description": "A reason for the certificate being in this state." - } - } - }, + "components": { + "type": "array", + "items": { + "$ref": "#/$defs/cyclonedx-component-2.0/$defs/component" + }, + "uniqueItems": true, + "title": "Components", + "description": "A list of software and hardware components included in the parent component. This is not a dependency tree. It provides a way to specify a hierarchical representation of component assemblies, similar to system → subsystem → parts assembly in physical supply chains." 
+ }, + "evidence": { + "$ref": "#/$defs/cyclonedx-component-2.0/$defs/componentEvidence", + "title": "Evidence", + "description": "Provides the ability to document evidence collected through various forms of extraction or analysis." + }, + "releaseNotes": { + "$ref": "#/$defs/cyclonedx-release-notes-2.0/$defs/releaseNotes", + "title": "Release notes", + "description": "Specifies release notes." + }, + "modelCard": { + "$ref": "#/$defs/cyclonedx-ai-modelcard-2.0/$defs/modelCard", + "title": "AI/ML Model Card" + }, + "data": { + "type": "array", + "items": { + "$ref": "#/$defs/cyclonedx-component-2.0/$defs/componentData" + }, + "title": "Data", + "description": "This object SHOULD be specified for any component of type `data` and must not be specified for other component types." + }, + "cryptoProperties": { + "$ref": "#/$defs/cyclonedx-cryptography-2.0/$defs/cryptoProperties", + "title": "Cryptographic Properties" + }, + "tags": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/tags", + "title": "Tags" + }, + "properties": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/properties" + }, + "externalReferences": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/externalReferences" + }, + "signature": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/signature", + "title": "Signature", + "description": "Enveloped signature in [JSON Signature Format (JSF)](https://cyberphone.github.io/doc/security/jsf.html)." 
+ } + }, + "allOf": [ + { + "description": "Requirement: ensure that `version` and `versionRange` are not present simultaneously.", + "not": { + "required": [ + "version", + "versionRange" + ] + } + }, + { + "description": "Requirement: 'versionRange' must not be present when 'isExternal' is `false`.", + "if": { + "properties": { + "isExternal": { + "const": false + } + } + }, + "then": { + "not": { + "required": [ + "versionRange" + ] + } + }, + "else": true + } + ] + }, + "version": { + "description": "A single disjunctive version identifier, for a component or service.", + "type": "string", + "maxLength": 1024, + "examples": [ + "9.0.14", + "v1.33.7", + "7.0.0-M1", + "2.0pre1", + "1.0.0-beta1", + "0.8.15" + ] + }, + "versionRange": { + "description": "A version range specified in Package-URL Version Range syntax (vers) which is defined at https://github.com/package-url/vers-spec", + "type": "string", + "minLength": 1, + "maxLength": 4096, + "examples": [ + "vers:cargo/9.0.14", + "vers:npm/1.2.3|>=2.0.0|<5.0.0", + "vers:pypi/0.0.0|0.0.1|0.0.2|0.0.3|1.0|2.0pre1", + "vers:tomee/>=1.0.0-beta1|<=1.7.5|>=7.0.0-M1|<=7.0.7|>=7.1.0|<=7.1.2|>=8.0.0-M1|<=8.0.1", + "vers:gem/>=2.2.0|!= 2.2.1|<2.3.0" + ] + }, + "copyrightText": { + "type": "string", + "title": "Component Copyright", + "description": "A copyright notice informing users of the underlying claims to copyright ownership in a published work.", + "examples": [ + "Acme Inc" + ] + }, + "copyright": { + "type": "array", + "items": { + "$ref": "#/$defs/cyclonedx-component-2.0/$defs/copyrightObject" + }, + "title": "Copyright", + "description": "Captures intellectual property assertions, providing evidence of possible ownership and legal protection." 
+ }, + "copyrightObject": { + "type": "object", + "title": "Copyright", + "description": "A copyright notice informing users of the underlying claims to copyright ownership in a published work.", + "required": [ + "text" + ], + "additionalProperties": false, + "properties": { + "text": { + "type": "string", + "title": "Copyright Text", + "description": "The textual content of the copyright." + } + } + }, + "swid": { + "type": "object", + "title": "SWID Tag", + "description": "Specifies metadata and content for ISO-IEC 19770-2 Software Identification (SWID) Tags.", + "required": [ + "tagId", + "name" + ], + "additionalProperties": false, + "properties": { + "tagId": { + "type": "string", + "title": "Tag ID", + "description": "Maps to the tagId of a SoftwareIdentity." + }, + "name": { + "type": "string", + "title": "Name", + "description": "Maps to the name of a SoftwareIdentity." + }, + "version": { + "type": "string", + "title": "Version", + "default": "0.0", + "description": "Maps to the version of a SoftwareIdentity." + }, + "tagVersion": { + "type": "integer", + "title": "Tag Version", + "default": 0, + "description": "Maps to the tagVersion of a SoftwareIdentity." + }, + "patch": { + "type": "boolean", + "title": "Patch", + "default": false, + "description": "Maps to the patch of a SoftwareIdentity." 
+ }, + "text": { + "title": "Attachment text", + "description": "Specifies the metadata and content of the SWID tag.", + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/attachment" + }, + "url": { + "type": "string", + "title": "URL", + "description": "The URL to the SWID file.", + "format": "iri-reference" + } + } + }, + "componentEvidence": { + "type": "object", + "title": "Evidence", + "description": "Provides the ability to document evidence collected through various forms of extraction or analysis.", + "additionalProperties": false, + "properties": { + "identity": { + "type": "array", + "title": "Identity Evidence", + "description": "Evidence that substantiates the identity of a component. The identity may be an object or an array of identity objects. Support for specifying identity as a single object was introduced in CycloneDX v1.5. Arrays were introduced in v1.6. It is recommended that all implementations use arrays, even if only one identity object is specified.", + "items": { + "$ref": "#/$defs/cyclonedx-component-2.0/$defs/componentIdentityEvidence" + } + }, + "occurrences": { + "type": "array", + "title": "Occurrences", + "description": "Evidence of individual instances of a component spread across multiple locations.", + "items": { + "type": "object", + "required": [ + "location" + ], + "additionalProperties": false, + "properties": { + "bom-ref": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType", + "title": "BOM Reference", + "description": "An identifier which can be used to reference the occurrence elsewhere in the BOM. Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links." + }, + "location": { + "type": "string", + "title": "Location", + "description": "The location or path to where the component was found." + }, + "line": { + "type": "integer", + "minimum": 0, + "title": "Line Number", + "description": "The line number where the component was found." 
+ }, + "offset": { + "type": "integer", + "minimum": 0, + "title": "Offset", + "description": "The offset where the component was found." + }, + "symbol": { + "type": "string", + "title": "Symbol", + "description": "The symbol name that was found associated with the component." + }, + "additionalContext": { + "type": "string", + "title": "Additional Context", + "description": "Any additional context of the detected component (e.g. a code snippet)." + } + } + } + }, + "callstack": { + "type": "object", + "title": "Call Stack", + "description": "Evidence of the components use through the callstack.", + "additionalProperties": false, + "properties": { + "frames": { + "type": "array", + "title": "Frames", + "description": "Within a call stack, a frame is a discrete unit that encapsulates an execution context, including local variables, parameters, and the return address. As function calls are made, frames are pushed onto the stack, forming an array-like structure that orchestrates the flow of program execution and manages the sequence of function invocations.", + "items": { + "type": "object", + "required": [ + "module" + ], + "additionalProperties": false, + "properties": { + "package": { + "title": "Package", + "description": "A package organizes modules into namespaces, providing a unique namespace for each type it contains.", + "type": "string" + }, + "module": { + "title": "Module", + "description": "A module or class that encloses functions/methods and other code.", + "type": "string" + }, + "function": { + "title": "Function", + "description": "A block of code designed to perform a particular task.", + "type": "string" + }, + "parameters": { + "title": "Parameters", + "description": "Arguments that are passed to the module or function.", + "type": "array", + "items": { + "type": "string" + } + }, + "line": { + "title": "Line", + "description": "The line number the code that is called resides on.", + "type": "integer" + }, + "column": { + "title": "Column", + 
"description": "The column the code that is called resides.", + "type": "integer" + }, + "fullFilename": { + "title": "Full Filename", + "description": "The full path and filename of the module.", + "type": "string" + } + } + } + } + } + }, + "licenses": { + "$ref": "#/$defs/cyclonedx-license-2.0/$defs/licenseChoice", + "title": "License Evidence" + }, + "copyright": { + "$ref": "#/$defs/cyclonedx-component-2.0/$defs/copyright" + } + } + }, + "componentIdentityEvidence": { + "type": "object", + "title": "Identity Evidence", + "description": "Evidence that substantiates the identity of a component.", + "required": [ + "field" + ], + "additionalProperties": false, + "properties": { + "field": { + "type": "string", + "enum": [ + "group", + "name", + "version", + "purl", + "cpe", + "omniborId", + "swhid", + "swid", + "hash" + ], + "title": "Field", + "description": "The identity field of the component which the evidence describes." + }, + "confidence": { + "type": "number", + "minimum": 0, + "maximum": 1, + "title": "Confidence", + "description": "The overall confidence of the evidence from 0 - 1, where 1 is 100% confidence." + }, + "concludedValue": { + "type": "string", + "title": "Concluded Value", + "description": "The value of the field (cpe, purl, etc) that has been concluded based on the aggregate of all methods (if available)." 
+ }, + "methods": { + "type": "array", + "title": "Methods", + "description": "The methods used to extract and/or analyze the evidence.", + "items": { + "type": "object", + "required": [ + "technique", + "confidence" + ], + "additionalProperties": false, + "properties": { + "technique": { + "title": "Technique", + "description": "The technique used in this method of analysis.", + "type": "string", + "enum": [ + "source-code-analysis", + "binary-analysis", + "manifest-analysis", + "ast-fingerprint", + "hash-comparison", + "instrumentation", + "dynamic-analysis", + "filename", + "attestation", + "other" + ] + }, + "confidence": { + "type": "number", + "minimum": 0, + "maximum": 1, + "title": "Confidence", + "description": "The confidence of the evidence from 0 - 1, where 1 is 100% confidence. Confidence is specific to the technique used. Each technique of analysis can have independent confidence." + }, + "value": { + "type": "string", + "title": "Value", + "description": "The value or contents of the evidence." + } + } + } + }, + "tools": { + "type": "array", + "uniqueItems": true, + "items": { + "anyOf": [ + { + "title": "Ref", + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType" + }, + { + "title": "BOM-Link Element", + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/bomLinkElementType" + } + ] + }, + "title": "BOM References", + "description": "The object in the BOM identified by its bom-ref. This is often a component or service but may be any object type supporting bom-refs. Tools used for analysis should already be defined in the BOM, either in the metadata/tools, components, or formulation." + } + } + }, + "componentData": { + "type": "object", + "additionalProperties": false, + "required": [ + "type" + ], + "properties": { + "bom-ref": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType", + "title": "BOM Reference", + "description": "An identifier which can be used to reference the dataset elsewhere in the BOM. 
Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links." + }, + "type": { + "type": "string", + "title": "Type of Data", + "description": "The general theme or subject matter of the data being specified.", + "enum": [ + "source-code", + "configuration", + "dataset", + "definition", + "other" + ], + "meta:enum": { + "source-code": "Any type of code, code snippet, or data-as-code.", + "configuration": "Parameters or settings that may be used by other components.", + "dataset": "A collection of data.", + "definition": "Data that can be used to create new instances of what the definition defines.", + "other": "Any other type of data that does not fit into existing definitions." + } + }, + "name": { + "title": "Dataset Name", + "description": "The name of the dataset.", + "type": "string" + }, + "contents": { + "type": "object", + "title": "Data Contents", + "description": "The contents or references to the contents of the data being described.", + "additionalProperties": false, + "properties": { + "attachment": { + "title": "Data Attachment", + "description": "A way to include textual or encoded data.", + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/attachment" + }, + "url": { + "type": "string", + "title": "Data URL", + "description": "The URL to where the data can be retrieved.", + "format": "iri-reference" + }, + "properties": { + "type": "array", + "title": "Configuration Properties", + "description": "Provides the ability to document name-value parameters used for configuration.", + "items": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/property" + } + } + } + }, + "classification": { + "$ref": "#/$defs/cyclonedx-data-2.0/$defs/dataClassification" + }, + "sensitiveData": { + "type": "array", + "title": "Sensitive Data", + "description": "A description of any sensitive data in a dataset.", + "items": { + "type": "string" + } + }, + "graphics": { + "$ref": 
"#/$defs/cyclonedx-ai-modelcard-2.0/$defs/graphicsCollection" + }, + "description": { + "title": "Dataset Description", + "description": "A description of the dataset. Can describe size of dataset, whether it's used for source code, training, testing, or validation, etc.", + "type": "string" + }, + "governance": { + "title": "Data Governance", + "$ref": "#/$defs/cyclonedx-data-2.0/$defs/dataGovernance" + } + } + } + } + }, + "cyclonedx-composition-2.0": { + "type": "null", + "title": "CycloneDX Composition Model", + "$defs": { + "compositions": { + "type": "array", + "items": { + "$ref": "#/$defs/cyclonedx-composition-2.0/$defs/composition" + }, + "uniqueItems": true, + "title": "Compositions", + "description": "Compositions describe constituent parts (including components, services, and dependency relationships) and their completeness. The completeness of vulnerabilities expressed in a BOM may also be described." + }, + "composition": { + "type": "object", + "title": "Compositions", + "required": [ + "aggregate" + ], + "additionalProperties": false, + "properties": { + "bom-ref": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType", + "title": "BOM Reference", + "description": "An identifier which can be used to reference the composition elsewhere in the BOM. Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links." + }, + "aggregate": { + "$ref": "#/$defs/cyclonedx-composition-2.0/$defs/aggregateType", + "title": "Aggregate", + "description": "Specifies an aggregate type that describes how complete a relationship is." 
+ }, + "assemblies": { + "type": "array", + "uniqueItems": true, + "items": { + "anyOf": [ + { + "title": "Ref", + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType" + }, + { + "title": "BOM-Link Element", + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/bomLinkElementType" + } + ] + }, + "title": "BOM references", + "description": "The bom-ref identifiers of the components or services being described. Assemblies refer to nested relationships whereby a constituent part may include other constituent parts. References do not cascade to child parts. References are explicit for the specified constituent part only." + }, + "dependencies": { + "type": "array", + "uniqueItems": true, + "items": { + "type": "string" + }, + "title": "BOM references", + "description": "The bom-ref identifiers of the components or services being described. Dependencies refer to a relationship whereby an independent constituent part requires another independent constituent part. References do not cascade to transitive dependencies. References are explicit for the specified dependency only." + }, + "vulnerabilities": { + "type": "array", + "uniqueItems": true, + "items": { + "type": "string" + }, + "title": "BOM references", + "description": "The bom-ref identifiers of the vulnerabilities being described." + }, + "signature": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/signature", + "title": "Signature", + "description": "Enveloped signature in [JSON Signature Format (JSF)](https://cyberphone.github.io/doc/security/jsf.html)." + } + } + }, + "aggregateType": { + "type": "string", + "default": "not_specified", + "enum": [ + "complete", + "incomplete", + "incomplete_first_party_only", + "incomplete_first_party_proprietary_only", + "incomplete_first_party_opensource_only", + "incomplete_third_party_only", + "incomplete_third_party_proprietary_only", + "incomplete_third_party_opensource_only", + "unknown", + "not_specified" + ], + "meta:enum": { + "complete": "The relationship is complete. 
No further relationships including constituent components, services, or dependencies are known to exist.", + "incomplete": "The relationship is incomplete. Additional relationships exist and may include constituent components, services, or dependencies.", + "incomplete_first_party_only": "The relationship is incomplete. Only relationships for first-party components, services, or their dependencies are represented.", + "incomplete_first_party_proprietary_only": "The relationship is incomplete. Only relationships for first-party components, services, or their dependencies are represented, limited specifically to those that are proprietary.", + "incomplete_first_party_opensource_only": "The relationship is incomplete. Only relationships for first-party components, services, or their dependencies are represented, limited specifically to those that are opensource.", + "incomplete_third_party_only": "The relationship is incomplete. Only relationships for third-party components, services, or their dependencies are represented.", + "incomplete_third_party_proprietary_only": "The relationship is incomplete. Only relationships for third-party components, services, or their dependencies are represented, limited specifically to those that are proprietary.", + "incomplete_third_party_opensource_only": "The relationship is incomplete. Only relationships for third-party components, services, or their dependencies are represented, limited specifically to those that are opensource.", + "unknown": "The relationship may be complete or incomplete. This usually signifies a 'best-effort' to obtain constituent components, services, or dependencies but the completeness is inconclusive.", + "not_specified": "The relationship completeness is not specified." 
+ } + } + } + }, + "cyclonedx-cryptography-2.0": { + "type": "null", + "title": "CycloneDX Cryptography Model", + "$defs": { + "cryptoProperties": { + "type": "object", + "title": "Cryptographic Properties", + "description": "Cryptographic assets have properties that uniquely define them and that make them actionable for further reasoning. As an example, it makes a difference if one knows the algorithm family (e.g. AES) or the specific variant or instantiation (e.g. AES-128-GCM). This is because the security level and the algorithm primitive (authenticated encryption) are only defined by the definition of the algorithm variant. The presence of a weak cryptographic algorithm like SHA1 vs. HMAC-SHA1 also makes a difference.", + "additionalProperties": false, + "required": [ + "assetType" + ], + "properties": { + "assetType": { + "type": "string", + "title": "Asset Type", + "description": "Cryptographic assets occur in several forms. Algorithms and protocols are most commonly implemented in specialized cryptographic libraries. They may, however, also be 'hardcoded' in software components. Certificates and related cryptographic material like keys, tokens, secrets or passwords are other cryptographic assets to be modelled.", + "enum": [ + "algorithm", + "certificate", + "protocol", + "related-crypto-material" + ], + "meta:enum": { + "algorithm": "Mathematical function commonly used for data encryption, authentication, and digital signatures.", + "certificate": "An electronic document that is used to provide the identity or validate a public key.", + "protocol": "A set of rules and guidelines that govern the behavior and communication with each other.", + "related-crypto-material": "Other cryptographic assets related to algorithms, certificates, and protocols such as keys and tokens." 
+ } + }, + "algorithmProperties": { + "type": "object", + "title": "Algorithm Properties", + "description": "Additional properties specific to a cryptographic algorithm.", + "additionalProperties": false, + "properties": { + "primitive": { + "type": "string", + "title": "primitive", + "description": "Cryptographic building blocks used in higher-level cryptographic systems and protocols. Primitives represent different cryptographic routines: deterministic random bit generators (drbg, e.g. CTR_DRBG from NIST SP800-90A-r1), message authentication codes (mac, e.g. HMAC-SHA-256), blockciphers (e.g. AES), streamciphers (e.g. Salsa20), signatures (e.g. ECDSA), hash functions (e.g. SHA-256), public-key encryption schemes (pke, e.g. RSA), extended output functions (xof, e.g. SHAKE256), key derivation functions (e.g. pbkdf2), key agreement algorithms (e.g. ECDH), key encapsulation mechanisms (e.g. ML-KEM), authenticated encryption (ae, e.g. AES-GCM) and the combination of multiple algorithms (combiner, e.g. SP800-56Cr2).", + "enum": [ + "drbg", + "mac", + "block-cipher", + "stream-cipher", + "signature", + "hash", + "pke", + "xof", + "kdf", + "key-agree", + "kem", + "ae", + "combiner", + "key-wrap", + "other", + "unknown" + ], + "meta:enum": { + "drbg": "Deterministic Random Bit Generator (DRBG) is a type of pseudorandom number generator designed to produce a sequence of bits from an initial seed value. DRBGs are commonly used in cryptographic applications where reproducibility of random values is important.", + "mac": "In cryptography, a Message Authentication Code (MAC) is information used for authenticating and integrity-checking a message.", + "block-cipher": "A block cipher is a symmetric key algorithm that operates on fixed-size blocks of data. It encrypts or decrypts the data in block units, providing confidentiality. 
Block ciphers are widely used in various cryptographic modes and protocols for secure data transmission.", + "stream-cipher": "A stream cipher is a symmetric key cipher where plaintext digits are combined with a pseudorandom cipher digit stream (keystream).", + "signature": "In cryptography, a signature is a digital representation of a message or data that proves its origin, identity, and integrity. Digital signatures are generated using cryptographic algorithms and are widely used for authentication and verification in secure communication.", + "hash": "A hash function is a mathematical algorithm that takes an input (or 'message') and produces a fixed-size string of characters, which is typically a hash value. Hash functions are commonly used in various cryptographic applications, including data integrity verification and password hashing.", + "pke": "Public Key Encryption (PKE) is a type of encryption that uses a pair of public and private keys for secure communication. The public key is used for encryption, while the private key is used for decryption. PKE is a fundamental component of public-key cryptography.", + "xof": "An XOF is an extendable output function that can take arbitrary input and creates a stream of output, up to a limit determined by the size of the internal state of the hash function that underlies the XOF.", + "kdf": "A Key Derivation Function (KDF) derives key material from another source of entropy while preserving the entropy of the input.", + "key-agree": "In cryptography, a key-agreement is a protocol whereby two or more parties agree on a cryptographic key in such a way that both influence the outcome.", + "kem": "A Key Encapsulation Mechanism (KEM) algorithm is a mechanism for transporting random keying material to a recipient using the recipient's public key.", + "ae": "Authenticated Encryption (AE) is a cryptographic process that provides both confidentiality and data integrity. 
It ensures that the encrypted data has not been tampered with and comes from a legitimate source. AE is commonly used in secure communication protocols.", + "combiner": "A combiner aggregates many candidates for a cryptographic primitive and generates a new candidate for the same primitive.", + "key-wrap": "Key-wrap is a cryptographic technique used to securely encrypt and protect cryptographic keys using algorithms like AES.", + "other": "Another primitive type.", + "unknown": "The primitive is not known." + } + }, + "algorithmFamily": { + "$ref": "../cryptography-defs.schema.json#/definitions/algorithmFamiliesEnum", + "title": "Algorithm Family", + "description": "A valid algorithm family identifier. If specified, this value shall be one of the enumeration of valid algorithm Family identifiers defined in the `cryptography-defs.schema.json` subschema.", + "examples": [ + "3DES", + "Blowfish", + "ECDH" + ] + }, + "parameterSetIdentifier": { + "type": "string", + "title": "Parameter Set Identifier", + "description": "An identifier for the parameter set of the cryptographic algorithm. Examples: in AES128, '128' identifies the key length in bits, in SHA256, '256' identifies the digest length, '128' in SHAKE128 identifies its maximum security level in bits, and 'SHA2-128s' identifies a parameter set used in SLH-DSA (FIPS205)." + }, + "ellipticCurve": { + "$ref": "../cryptography-defs.schema.json#/definitions/ellipticCurvesEnum", + "title": "Elliptic Curve", + "description": "The specific underlying Elliptic Curve (EC) definition employed which is an indicator of the level of security strength, performance and complexity. If specified, this value shall be one of the enumeration of valid elliptic curves identifiers defined in the `cryptography-defs.schema.json` subschema." 
+ }, + "executionEnvironment": { + "type": "string", + "title": "Execution Environment", + "description": "The target and execution environment in which the algorithm is implemented in.", + "enum": [ + "software-plain-ram", + "software-encrypted-ram", + "software-tee", + "hardware", + "other", + "unknown" + ], + "meta:enum": { + "software-plain-ram": "A software implementation running in plain unencrypted RAM.", + "software-encrypted-ram": "A software implementation running in encrypted RAM.", + "software-tee": "A software implementation running in a trusted execution environment.", + "hardware": "A hardware implementation.", + "other": "Another implementation environment.", + "unknown": "The execution environment is not known." + } + }, + "implementationPlatform": { + "type": "string", + "title": "Implementation platform", + "description": "The target platform for which the algorithm is implemented. The implementation can be 'generic', running on any platform or for a specific platform.", + "enum": [ + "generic", + "x86_32", + "x86_64", + "armv7-a", + "armv7-m", + "armv8-a", + "armv8-m", + "armv9-a", + "armv9-m", + "s390x", + "ppc64", + "ppc64le", + "other", + "unknown" + ] + }, + "certificationLevel": { + "type": "array", + "title": "Certification Level", + "description": "The certification that the implementation of the cryptographic algorithm has received, if any. 
Certifications include revisions and levels of FIPS 140 or Common Criteria of different Extended Assurance Levels (CC-EAL).", + "items": { + "type": "string", + "enum": [ + "none", + "fips140-1-l1", + "fips140-1-l2", + "fips140-1-l3", + "fips140-1-l4", + "fips140-2-l1", + "fips140-2-l2", + "fips140-2-l3", + "fips140-2-l4", + "fips140-3-l1", + "fips140-3-l2", + "fips140-3-l3", + "fips140-3-l4", + "cc-eal1", + "cc-eal1+", + "cc-eal2", + "cc-eal2+", + "cc-eal3", + "cc-eal3+", + "cc-eal4", + "cc-eal4+", + "cc-eal5", + "cc-eal5+", + "cc-eal6", + "cc-eal6+", + "cc-eal7", + "cc-eal7+", + "other", + "unknown" + ], + "meta:enum": { + "none": "No certification obtained", + "fips140-1-l1": "FIPS 140-1 Level 1", + "fips140-1-l2": "FIPS 140-1 Level 2", + "fips140-1-l3": "FIPS 140-1 Level 3", + "fips140-1-l4": "FIPS 140-1 Level 4", + "fips140-2-l1": "FIPS 140-2 Level 1", + "fips140-2-l2": "FIPS 140-2 Level 2", + "fips140-2-l3": "FIPS 140-2 Level 3", + "fips140-2-l4": "FIPS 140-2 Level 4", + "fips140-3-l1": "FIPS 140-3 Level 1", + "fips140-3-l2": "FIPS 140-3 Level 2", + "fips140-3-l3": "FIPS 140-3 Level 3", + "fips140-3-l4": "FIPS 140-3 Level 4", + "cc-eal1": "Common Criteria - Evaluation Assurance Level 1", + "cc-eal1+": "Common Criteria - Evaluation Assurance Level 1 (Augmented)", + "cc-eal2": "Common Criteria - Evaluation Assurance Level 2", + "cc-eal2+": "Common Criteria - Evaluation Assurance Level 2 (Augmented)", + "cc-eal3": "Common Criteria - Evaluation Assurance Level 3", + "cc-eal3+": "Common Criteria - Evaluation Assurance Level 3 (Augmented)", + "cc-eal4": "Common Criteria - Evaluation Assurance Level 4", + "cc-eal4+": "Common Criteria - Evaluation Assurance Level 4 (Augmented)", + "cc-eal5": "Common Criteria - Evaluation Assurance Level 5", + "cc-eal5+": "Common Criteria - Evaluation Assurance Level 5 (Augmented)", + "cc-eal6": "Common Criteria - Evaluation Assurance Level 6", + "cc-eal6+": "Common Criteria - Evaluation Assurance Level 6 (Augmented)", + "cc-eal7": 
"Common Criteria - Evaluation Assurance Level 7", + "cc-eal7+": "Common Criteria - Evaluation Assurance Level 7 (Augmented)", + "other": "Another certification", + "unknown": "The certification level is not known" + } + } + }, + "mode": { + "type": "string", + "title": "Mode", + "description": "The mode of operation in which the cryptographic algorithm (block cipher) is used.", + "enum": [ + "cbc", + "ecb", + "ccm", + "gcm", + "cfb", + "ofb", + "ctr", + "other", + "unknown" + ], + "meta:enum": { + "cbc": "Cipher block chaining", + "ecb": "Electronic codebook", + "ccm": "Counter with cipher block chaining message authentication code", + "gcm": "Galois/counter", + "cfb": "Cipher feedback", + "ofb": "Output feedback", + "ctr": "Counter", + "other": "Another mode of operation", + "unknown": "The mode of operation is not known" + } + }, + "padding": { + "type": "string", + "title": "Padding", + "description": "The padding scheme that is used for the cryptographic algorithm.", + "enum": [ + "pkcs5", + "pkcs7", + "pkcs1v15", + "oaep", + "raw", + "other", + "unknown" + ], + "meta:enum": { + "pkcs5": "Public Key Cryptography Standard: Password-Based Cryptography", + "pkcs7": "Public Key Cryptography Standard: Cryptographic Message Syntax", + "pkcs1v15": "Public Key Cryptography Standard: RSA Cryptography v1.5", + "oaep": "Optimal asymmetric encryption padding", + "raw": "Raw", + "other": "Another padding scheme", + "unknown": "The padding scheme is not known" + } + }, + "cryptoFunctions": { + "type": "array", + "title": "Cryptographic functions", + "description": "The cryptographic functions implemented by the cryptographic algorithm.", + "items": { + "type": "string", + "enum": [ + "generate", + "keygen", + "encrypt", + "decrypt", + "digest", + "tag", + "keyderive", + "sign", + "verify", + "encapsulate", + "decapsulate", + "other", + "unknown" + ] + } + }, + "classicalSecurityLevel": { + "type": "integer", + "title": "classical security level", + "description": "The 
classical security level that a cryptographic algorithm provides (in bits).", + "minimum": 0 + }, + "nistQuantumSecurityLevel": { + "type": "integer", + "title": "NIST security strength category", + "description": "The NIST security strength category as defined in https://csrc.nist.gov/projects/post-quantum-cryptography/post-quantum-cryptography-standardization/evaluation-criteria/security-(evaluation-criteria). A value of 0 indicates that none of the categories are met.", + "minimum": 0, + "maximum": 6 + } + } + }, + "certificateProperties": { + "type": "object", + "title": "Certificate Properties", + "description": "Properties for cryptographic assets of asset type 'certificate'.", + "additionalProperties": false, + "properties": { + "serialNumber": { + "type": "string", + "title": "Serial Number", + "description": "The serial number is a unique identifier for the certificate issued by a CA." + }, + "subjectName": { + "type": "string", + "title": "Subject Name", + "description": "The subject name for the certificate." + }, + "issuerName": { + "type": "string", + "title": "Issuer Name", + "description": "The issuer name for the certificate." + }, + "notValidBefore": { + "type": "string", + "format": "date-time", + "title": "Not Valid Before", + "description": "The date and time according to ISO-8601 standard from which the certificate is valid." + }, + "notValidAfter": { + "type": "string", + "format": "date-time", + "title": "Not Valid After", + "description": "The date and time according to ISO-8601 standard from which the certificate is not valid anymore." 
+ }, + "certificateFormat": { + "type": "string", + "title": "Certificate Format", + "description": "The format of the certificate.", + "examples": [ + "X.509", + "PEM", + "DER", + "CVC" + ] + }, + "certificateFileExtension": { + "type": "string", + "title": "Certificate File Extension", + "description": "The file extension of the certificate.", + "examples": [ + "crt", + "pem", + "cer", + "der", + "p12" + ] + }, + "fingerprint": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/hash", + "title": "Certificate Fingerprint", + "description": "The fingerprint is a cryptographic hash of the certificate excluding it's signature." + }, + "certificateState": { + "type": "array", + "title": "Certificate Lifecycle State", + "description": "The certificate lifecycle is a comprehensive process that manages digital certificates from their initial creation to eventual expiration or revocation. It typically involves several stages.", + "items": { + "type": "object", + "title": "State", + "description": "The state of the certificate.", + "oneOf": [ + { + "title": "Pre-Defined State", + "required": [ + "state" + ], + "additionalProperties": false, + "properties": { + "state": { + "type": "string", + "title": "State", + "description": "A pre-defined state in the certificate lifecycle.", + "enum": [ + "pre-activation", + "active", + "suspended", + "deactivated", + "revoked", + "destroyed" + ], + "meta:enum": { + "pre-activation": "The certificate has been issued by the issuing certificate authority (CA) but has not been authorized for use.", + "active": "The certificate may be used to cryptographically protect information, cryptographically process previously protected information, or both.", + "deactivated": "Certificates in the deactivated state shall not be used to apply cryptographic protection but, in some cases, may be used to process cryptographically protected information.", + "suspended": "The use of a certificate may be suspended for several possible reasons.", + "revoked": 
"A revoked certificate is a digital certificate that has been invalidated by the issuing certificate authority (CA) before its scheduled expiration date.", + "destroyed": "The certificate has been destroyed." + } + }, + "reason": { + "type": "string", + "title": "Reason", + "description": "A reason for the certificate being in this state." + } + } + }, { "title": "Custom State", "required": [ 
@@ -3002,3397 +4373,5590 @@ } } } - ] + ] + } + }, + "creationDate": { + "type": "string", + "format": "date-time", + "title": "Creation Date", + "description": "The date and time (timestamp) when the certificate was created or pre-activated." + }, + "activationDate": { + "type": "string", + "format": "date-time", + "title": "Activation Date", + "description": "The date and time (timestamp) when the certificate was activated." + }, + "deactivationDate": { + "type": "string", + "format": "date-time", + "title": "Deactivation Date", + "description": "The date and time (timestamp) when the related certificate was deactivated." + }, + "revocationDate": { + "type": "string", + "format": "date-time", + "title": "Revocation Date", + "description": "The date and time (timestamp) when the certificate was revoked." + }, + "destructionDate": { + "type": "string", + "format": "date-time", + "title": "Destruction Date", + "description": "The date and time (timestamp) when the certificate was destroyed." + }, + "certificateExtensions": { + "type": "array", + "title": "Certificate Extensions", + "description": "A certificate extension is a field that provides additional information about the certificate or its use. 
Extensions are used to convey additional information beyond the standard fields.", + "items": { + "type": "object", + "title": "Extension", + "description": "", + "oneOf": [ + { + "title": "Common Extensions", + "required": [ + "commonExtensionName", + "commonExtensionValue" + ], + "additionalProperties": false, + "properties": { + "commonExtensionName": { + "type": "string", + "title": "name", + "description": "The name of the extension.", + "enum": [ + "basicConstraints", + "keyUsage", + "extendedKeyUsage", + "subjectAlternativeName", + "authorityKeyIdentifier", + "subjectKeyIdentifier", + "authorityInformationAccess", + "certificatePolicies", + "crlDistributionPoints", + "signedCertificateTimestamp" + ], + "meta:enum": { + "basicConstraints": "Specifies whether a certificate can be used as a CA certificate or not.", + "keyUsage": "Specifies the allowed uses of the public key in the certificate.", + "extendedKeyUsage": "Specifies additional purposes for which the public key can be used.", + "subjectAlternativeName": "Allows inclusion of additional names to identify the entity associated with the certificate.", + "authorityKeyIdentifier": "Identifies the public key of the CA that issued the certificate.", + "subjectKeyIdentifier": "Identifies the public key associated with the entity the certificate was issued to.", + "authorityInformationAccess": "Contains CA issuers and OCSP information.", + "certificatePolicies": "Defines the policies under which the certificate was issued and can be used.", + "crlDistributionPoints": "Contains one or more URLs where a Certificate Revocation List (CRL) can be obtained.", + "signedCertificateTimestamp": "Shows that the certificate has been publicly logged, which helps prevent the issuance of rogue certificates by a CA. Log ID, timestamp and signature as proof." + } + }, + "commonExtensionValue": { + "type": "string", + "title": "Value", + "description": "The value of the certificate extension." 
+ } + } + }, + { + "title": "Custom Extensions", + "description": "Custom extensions may convey application-specific or vendor-specific data not covered by standard extensions. The structure and semantics of custom extensions are typically defined outside of public standards. CycloneDX leverages properties to support this capability.", + "required": [ + "customExtensionName" + ], + "additionalProperties": false, + "properties": { + "customExtensionName": { + "type": "string", + "title": "Name", + "description": "The name for the custom certificate extension." + }, + "customExtensionValue": { + "type": "string", + "title": "Value", + "description": "The description of the custom certificate extension." + } + } + } + ] + } + }, + "relatedCryptographicAssets": { + "$ref": "#/$defs/cyclonedx-cryptography-2.0/$defs/relatedCryptographicAssets" + } + } + }, + "relatedCryptoMaterialProperties": { + "type": "object", + "title": "Related Cryptographic Material Properties", + "description": "Properties for cryptographic assets of asset type: `related-crypto-material`.", + "additionalProperties": false, + "properties": { + "type": { + "type": "string", + "title": "relatedCryptoMaterialType", + "description": "The type for the related cryptographic material.", + "enum": [ + "private-key", + "public-key", + "secret-key", + "key", + "ciphertext", + "signature", + "digest", + "initialization-vector", + "nonce", + "seed", + "salt", + "shared-secret", + "tag", + "additional-data", + "password", + "credential", + "token", + "other", + "unknown" + ], + "meta:enum": { + "private-key": "The confidential key of a key pair used in asymmetric cryptography.", + "public-key": "The non-confidential key of a key pair used in asymmetric cryptography.", + "secret-key": "A key used to encrypt and decrypt messages in symmetric cryptography.", + "key": "A piece of information, usually an octet string, which, when processed through a cryptographic algorithm, processes cryptographic data.", + 
"ciphertext": "The result of encryption performed on plaintext using an algorithm (or cipher).", + "signature": "A cryptographic value that is calculated from the data and a key known only by the signer.", + "digest": "The output of the hash function.", + "initialization-vector": "A fixed-size random or pseudo-random value used as an input parameter for cryptographic algorithms.", + "nonce": "A random or pseudo-random number that can only be used once in a cryptographic communication.", + "seed": "The input to a pseudo-random number generator. Different seeds generate different pseudo-random sequences.", + "salt": "A value used in a cryptographic process, usually to ensure that the results of computations for one instance cannot be reused by an attacker.", + "shared-secret": "A piece of data known only to the parties involved, in a secure communication.", + "tag": "A message authentication code (MAC), sometimes known as an authentication tag, is a short piece of information used for authenticating and integrity-checking a message.", + "additional-data": "An unspecified collection of data with relevance to cryptographic activity.", + "password": "A secret word, phrase, or sequence of characters used during authentication or authorization.", + "credential": "Establishes the identity of a party to communication, usually in the form of cryptographic keys or passwords.", + "token": "An object encapsulating a security identity.", + "other": "Another type of cryptographic asset.", + "unknown": "The type of cryptographic asset is not known." + } + }, + "id": { + "type": "string", + "title": "ID", + "description": "The unique identifier for the related cryptographic material." 
+ }, + "state": { + "type": "string", + "title": "State", + "description": "The key state as defined by NIST SP 800-57.", + "enum": [ + "pre-activation", + "active", + "suspended", + "deactivated", + "compromised", + "destroyed" + ] + }, + "creationDate": { + "type": "string", + "format": "date-time", + "title": "Creation Date", + "description": "The date and time (timestamp) when the related cryptographic material was created." + }, + "activationDate": { + "type": "string", + "format": "date-time", + "title": "Activation Date", + "description": "The date and time (timestamp) when the related cryptographic material was activated." + }, + "updateDate": { + "type": "string", + "format": "date-time", + "title": "Update Date", + "description": "The date and time (timestamp) when the related cryptographic material was updated." + }, + "expirationDate": { + "type": "string", + "format": "date-time", + "title": "Expiration Date", + "description": "The date and time (timestamp) when the related cryptographic material expires." + }, + "value": { + "type": "string", + "title": "Value", + "description": "The associated value of the cryptographic material." + }, + "size": { + "type": "integer", + "title": "Size", + "description": "The size of the cryptographic asset (in bits)." + }, + "format": { + "type": "string", + "title": "Format", + "description": "The format of the related cryptographic material (e.g. P8, PEM, DER)." + }, + "securedBy": { + "$ref": "#/$defs/cyclonedx-cryptography-2.0/$defs/securedBy", + "title": "Secured By", + "description": "The mechanism by which the cryptographic asset is secured by." + }, + "fingerprint": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/hash", + "title": "Fingerprint", + "description": "The fingerprint is a cryptographic hash of the asset." 
+ }, + "relatedCryptographicAssets": { + "$ref": "#/$defs/cyclonedx-cryptography-2.0/$defs/relatedCryptographicAssets" + } + } + }, + "protocolProperties": { + "type": "object", + "title": "Protocol Properties", + "description": "Properties specific to cryptographic assets of type: `protocol`.", + "additionalProperties": false, + "properties": { + "type": { + "type": "string", + "title": "Type", + "description": "The concrete protocol type.", + "enum": [ + "tls", + "ssh", + "ipsec", + "ike", + "sstp", + "wpa", + "dtls", + "quic", + "eap-aka", + "eap-aka-prime", + "prins", + "5g-aka", + "other", + "unknown" + ], + "meta:enum": { + "tls": "Transport Layer Security", + "ssh": "Secure Shell", + "ipsec": "Internet Protocol Security", + "ike": "Internet Key Exchange", + "sstp": "Secure Socket Tunneling Protocol", + "wpa": "Wi-Fi Protected Access", + "dtls": "Datagram Transport Layer Security", + "quic": "Quick UDP Internet Connections", + "eap-aka": "Extensible Authentication Protocol variant", + "eap-aka-prime": "Enhanced version of EAP-AKA", + "prins": "Protection of Inter-Network Signaling", + "5g-aka": "Authentication and Key Agreement for 5G", + "other": "Another protocol type", + "unknown": "The protocol type is not known" + } + }, + "version": { + "type": "string", + "title": "Protocol Version", + "description": "The version of the protocol.", + "examples": [ + "1.0", + "1.2", + "1.99" + ] + }, + "cipherSuites": { + "type": "array", + "title": "Cipher Suites", + "description": "A list of cipher suites related to the protocol.", + "items": { + "$ref": "#/$defs/cyclonedx-cryptography-2.0/$defs/cipherSuite", + "title": "Cipher Suite" + } + }, + "ikev2TransformTypes": { + "type": "object", + "title": "IKEv2 Transform Types", + "description": "The IKEv2 transform types supported (types 1-4), defined in [RFC 7296 section 3.3.2](https://www.ietf.org/rfc/rfc7296.html#section-3.3.2), and additional properties.", + "additionalProperties": false, + "properties": { + "encr": 
{ + "type": "array", + "title": "Encryption Algorithms (ENCR)", + "description": "Transform Type 1: encryption algorithms.", + "items": { + "$ref": "#/$defs/cyclonedx-cryptography-2.0/$defs/ikeV2Enc", + "title": "Encryption Algorithm (ENCR)" + } + }, + "prf": { + "type": "array", + "title": "Pseudorandom Functions (PRF)", + "description": "Transform Type 2: pseudorandom functions.", + "items": { + "$ref": "#/$defs/cyclonedx-cryptography-2.0/$defs/ikeV2Prf", + "title": "Pseudorandom Function (PRF)" + } + }, + "integ": { + "type": "array", + "title": "Integrity Algorithms (INTEG)", + "description": "Transform Type 3: integrity algorithms.", + "items": { + "$ref": "#/$defs/cyclonedx-cryptography-2.0/$defs/ikeV2Integ", + "title": "Integrity Algorithm (INTEG)" + } + }, + "ke": { + "type": "array", + "title": "Key Exchange Methods (KE)", + "description": "Transform Type 4: Key Exchange Method (KE) per [RFC 9370](https://www.ietf.org/rfc/rfc9370.html), formerly called Diffie-Hellman Group (D-H).", + "items": { + "$ref": "#/$defs/cyclonedx-cryptography-2.0/$defs/ikeV2Ke" + } + }, + "esn": { + "type": "boolean", + "title": "Extended Sequence Number (ESN)", + "description": "Specifies if an Extended Sequence Number (ESN) is used." + }, + "auth": { + "type": "array", + "title": "IKEv2 Authentication methods", + "description": "IKEv2 Authentication method per [RFC9593](https://www.ietf.org/rfc/rfc9593.html).", + "items": { + "$ref": "#/$defs/cyclonedx-cryptography-2.0/$defs/ikeV2Auth", + "title": "IKEv2 Authentication Method" + } + } + } + }, + "relatedCryptographicAssets": { + "$ref": "#/$defs/cyclonedx-cryptography-2.0/$defs/relatedCryptographicAssets" + } + } + }, + "oid": { + "type": "string", + "title": "OID", + "description": "The object identifier (OID) of the cryptographic asset." 
+ } + } + }, + "cipherSuite": { + "type": "object", + "title": "Cipher Suite", + "description": "Object representing a cipher suite.", + "additionalProperties": false, + "properties": { + "name": { + "type": "string", + "title": "Common Name", + "description": "A common name for the cipher suite.", + "examples": [ + "TLS_DHE_RSA_WITH_AES_128_CCM" + ] + }, + "algorithms": { + "type": "array", + "title": "Related Algorithms", + "description": "A list of algorithms related to the cipher suite.", + "items": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType", + "title": "Algorithm reference", + "description": "The bom-ref to algorithm cryptographic asset." + } + }, + "identifiers": { + "type": "array", + "title": "Cipher Suite Identifiers", + "description": "A list of common identifiers for the cipher suite.", + "items": { + "type": "string", + "title": "identifier", + "description": "Cipher suite identifier.", + "examples": [ + "0xC0", + "0x9E" + ] + } + }, + "tlsGroups": { + "type": "array", + "title": "TLS Groups", + "description": "A list of TLS named groups (formerly known as curves) for this cipher suite. These groups define the parameters for key exchange algorithms like ECDHE.", + "items": { + "type": "string", + "title": "Group Name", + "description": "The name of the TLS group.", + "examples": [ + "x25519", + "ffdhe2048" + ] + } + }, + "tlsSignatureSchemes": { + "type": "array", + "title": "TLS Signature Schemes", + "description": "A list of signature schemes supported for cipher suite. 
These schemes specify the algorithms used for digital signatures in TLS handshakes and certificate verification.", + "items": { + "type": "string", + "title": "Signature Scheme", + "description": "The name of the TLS signature scheme.", + "examples": [ + "ecdsa_secp256r1_sha256", + "rsa_pss_rsae_sha256", + "ed25519" + ] + } + } + } + }, + "ikeV2Enc": { + "type": "object", + "title": "Encryption Algorithm (ENCR)", + "description": "Object representing an encryption algorithm (ENCR).", + "additionalProperties": false, + "properties": { + "name": { + "type": "string", + "title": "Name", + "description": "A name for the encryption method.", + "examples": [ + "ENCR_AES_GCM_16" + ] + }, + "keyLength": { + "type": "integer", + "title": "Encryption algorithm key length", + "description": "The key length of the encryption algorithm." + }, + "algorithm": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType", + "title": "Algorithm reference", + "description": "The bom-ref to algorithm cryptographic asset." + } + } + }, + "ikeV2Prf": { + "type": "object", + "title": "Pseudorandom Function (PRF)", + "description": "Object representing a pseudorandom function (PRF).", + "additionalProperties": false, + "properties": { + "name": { + "type": "string", + "title": "Name", + "description": "A name for the pseudorandom function.", + "examples": [ + "PRF_HMAC_SHA2_256" + ] + }, + "algorithm": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType", + "title": "Algorithm reference", + "description": "The bom-ref to algorithm cryptographic asset." 
+ } + } + }, + "ikeV2Integ": { + "type": "object", + "title": "Integrity Algorithm (INTEG)", + "description": "Object representing an integrity algorithm (INTEG).", + "additionalProperties": false, + "properties": { + "name": { + "type": "string", + "title": "Name", + "description": "A name for the integrity algorithm.", + "examples": [ + "AUTH_HMAC_SHA2_256_128" + ] + }, + "algorithm": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType", + "title": "Algorithm reference", + "description": "The bom-ref to algorithm cryptographic asset." + } + } + }, + "ikeV2Ke": { + "type": "object", + "title": "Key Exchange Method (KE)", + "description": "Object representing a key exchange method (KE).", + "additionalProperties": false, + "properties": { + "group": { + "type": "integer", + "title": "Group Identifier", + "description": "A group identifier for the key exchange algorithm." + }, + "algorithm": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType", + "title": "Algorithm reference", + "description": "The bom-ref to algorithm cryptographic asset." + } + } + }, + "ikeV2Auth": { + "type": "object", + "title": "IKEv2 Authentication method", + "description": "Object representing a IKEv2 Authentication method.", + "additionalProperties": false, + "properties": { + "name": { + "type": "string", + "title": "Name", + "description": "A name for the authentication method." + }, + "algorithm": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType", + "title": "Algorithm reference", + "description": "The bom-ref to algorithm cryptographic asset." 
+ } + } + }, + "relatedCryptographicAssets": { + "type": "array", + "title": "Related Cryptographic Assets", + "description": "A list of cryptographic assets related to this component.", + "items": { + "$ref": "#/$defs/cyclonedx-cryptography-2.0/$defs/relatedCryptographicAsset" + } + }, + "relatedCryptographicAsset": { + "type": "object", + "title": "Related Cryptographic Asset", + "description": "A cryptographic assets related to this component.", + "additionalProperties": false, + "properties": { + "type": { + "type": "string", + "title": "Type", + "description": "Specifies the mechanism by which the cryptographic asset is secured by.", + "examples": [ + "publicKey", + "privateKey", + "algorithm" + ] + }, + "ref": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType", + "title": "Reference to cryptographic asset", + "description": "The bom-ref to cryptographic asset." + } + } + }, + "securedBy": { + "type": "object", + "title": "Secured By", + "description": "Specifies the mechanism by which the cryptographic asset is secured by.", + "additionalProperties": false, + "properties": { + "mechanism": { + "type": "string", + "title": "Mechanism", + "description": "Specifies the mechanism by which the cryptographic asset is secured by.", + "examples": [ + "HSM", + "TPM", + "SGX", + "Software", + "None" + ] + }, + "algorithmRef": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType", + "title": "Algorithm Reference", + "description": "The bom-ref to the algorithm." + } + } + } + } + }, + "cyclonedx-data-2.0": { + "type": "null", + "title": "CycloneDX Data Model", + "$defs": { + "dataClassification": { + "type": "string", + "title": "Data Classification", + "description": "Data classification tags data according to its type, sensitivity, and value if altered, stolen, or destroyed." 
+ }, + "dataSensitivity": { + "type": "string", + "enum": [ + "public", + "internal", + "confidential", + "restricted", + "secret" + ], + "description": "Data sensitivity classification", + "meta:enum": { + "public": "Public information that can be freely shared", + "internal": "Internal use only within the organization", + "confidential": "Confidential information requiring protection", + "restricted": "Highly restricted information with limited access", + "secret": "Secret information requiring special handling" + } + }, + "dataGovernance": { + "type": "object", + "title": "Data Governance", + "description": "Data governance captures information regarding data ownership, stewardship, and custodianship, providing insights into the individuals or entities responsible for managing, overseeing, and safeguarding the data throughout its lifecycle.", + "additionalProperties": false, + "properties": { + "custodians": { + "type": "array", + "title": "Data Custodians", + "description": "Data custodians are responsible for the safe custody, transport, and storage of data.", + "items": { + "$ref": "#/$defs/cyclonedx-data-2.0/$defs/dataGovernanceResponsibleParty" + } + }, + "stewards": { + "type": "array", + "title": "Data Stewards", + "description": "Data stewards are responsible for data content, context, and associated business rules.", + "items": { + "$ref": "#/$defs/cyclonedx-data-2.0/$defs/dataGovernanceResponsibleParty" + } + }, + "owners": { + "type": "array", + "title": "Data Owners", + "description": "Data owners are concerned with risk and appropriate access to data.", + "items": { + "$ref": "#/$defs/cyclonedx-data-2.0/$defs/dataGovernanceResponsibleParty" + } + } + } + }, + "dataGovernanceResponsibleParty": { + "type": "object", + "additionalProperties": false, + "properties": { + "organization": { + "title": "Organization", + "description": "The organization that is responsible for specific data governance role(s).", + "$ref": 
"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity" + }, + "contact": { + "title": "Individual", + "description": "The individual that is responsible for specific data governance role(s).", + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/organizationalContact" + } + }, + "oneOf": [ + { + "required": [ + "organization" + ] + }, + { + "required": [ + "contact" + ] + } + ] + }, + "dataFlowDirection": { + "type": "string", + "enum": [ + "inbound", + "outbound", + "bi-directional", + "unknown" + ], + "meta:enum": { + "inbound": "Data that enters a service.", + "outbound": "Data that exits a service.", + "bi-directional": "Data flows in and out of the service.", + "unknown": "The directional flow of data is not known." + }, + "title": "Data flow direction", + "description": "Specifies the flow direction of the data. Direction is relative to the service." + } + } + }, + "cyclonedx-declaration-2.0": { + "type": "null", + "title": "CycloneDX Declaration Model", + "$defs": { + "declarations": { + "type": "object", + "title": "Declarations", + "description": "The list of declarations which describe the conformance to standards. Each declaration may include attestations, claims, and evidence.", + "additionalProperties": false, + "properties": { + "assessors": { + "type": "array", + "title": "Assessors", + "description": "The list of assessors evaluating claims and determining conformance to requirements and confidence in that assessment.", + "items": { + "type": "object", + "title": "Assessor", + "description": "The assessor who evaluates claims and determines conformance to requirements and confidence in that assessment.", + "additionalProperties": false, + "properties": { + "bom-ref": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType", + "title": "BOM Reference", + "description": "An identifier which can be used to reference the object elsewhere in the BOM. Every `bom-ref` must be unique within the BOM." 
+ }, + "thirdParty": { + "type": "boolean", + "title": "Third Party", + "description": "The boolean indicating if the assessor is outside the organization generating claims. A value of false indicates a self assessor." + }, + "organization": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity", + "title": "Organization", + "description": "The entity issuing the assessment." + } + } + } + }, + "attestations": { + "type": "array", + "title": "Attestations", + "description": "The list of attestations asserted by an assessor that maps requirements to claims.", + "items": { + "type": "object", + "title": "Attestation", + "additionalProperties": false, + "properties": { + "summary": { + "type": "string", + "title": "Summary", + "description": "The short description explaining the main points of the attestation." + }, + "assessor": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType", + "title": "Assessor", + "description": "The `bom-ref` to the assessor asserting the attestation." + }, + "map": { + "type": "array", + "title": "Map", + "description": "The grouping of requirements to claims and the attestors declared conformance and confidence thereof.", + "items": { + "type": "object", + "title": "Map", + "additionalProperties": false, + "properties": { + "requirement": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType", + "title": "Requirement", + "description": "The `bom-ref` to the requirement being attested to." 
+ }, + "claims": { + "type": "array", + "title": "Claims", + "description": "The list of `bom-ref` to the claims being attested to.", + "items": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType" + } + }, + "counterClaims": { + "type": "array", + "title": "Counter Claims", + "description": "The list of `bom-ref` to the counter claims being attested to.", + "items": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType" + } + }, + "conformance": { + "type": "object", + "title": "Conformance", + "description": "The conformance of the claim meeting a requirement.", + "additionalProperties": false, + "properties": { + "score": { + "type": "number", + "minimum": 0, + "maximum": 1, + "title": "Score", + "description": "The conformance of the claim between and inclusive of 0 and 1, where 1 is 100% conformance." + }, + "rationale": { + "type": "string", + "title": "Rationale", + "description": "The rationale for the conformance score." + }, + "mitigationStrategies": { + "type": "array", + "title": "Mitigation Strategies", + "description": "The list of `bom-ref` to the evidence provided describing the mitigation strategies.", + "items": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType" + } + } + } + }, + "confidence": { + "type": "object", + "title": "Confidence", + "description": "The confidence of the claim meeting the requirement.", + "additionalProperties": false, + "properties": { + "score": { + "type": "number", + "minimum": 0, + "maximum": 1, + "title": "Score", + "description": "The confidence of the claim between and inclusive of 0 and 1, where 1 is 100% confidence." + }, + "rationale": { + "type": "string", + "title": "Rationale", + "description": "The rationale for the confidence score." + } + } + } + } + } + }, + "signature": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/signature", + "title": "Signature", + "description": "Enveloped signature in [JSON Signature Format (JSF)](https://cyberphone.github.io/doc/security/jsf.html)." 
+ } + } + } + }, + "claims": { + "type": "array", + "title": "Claims", + "description": "The list of claims.", + "items": { + "type": "object", + "title": "Claim", + "additionalProperties": false, + "properties": { + "bom-ref": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType", + "title": "BOM Reference", + "description": "An identifier which can be used to reference the object elsewhere in the BOM. Every `bom-ref` must be unique within the BOM." + }, + "target": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType", + "title": "Target", + "description": "The `bom-ref` to a target representing a specific system, application, API, module, team, person, process, business unit, company, etc... that this claim is being applied to." + }, + "predicate": { + "type": "string", + "title": "Predicate", + "description": "The specific statement or assertion about the target." + }, + "mitigationStrategies": { + "type": "array", + "title": "Mitigation Strategies", + "description": "The list of `bom-ref` to the evidence provided describing the mitigation strategies. Each mitigation strategy should include an explanation of how any weaknesses in the evidence will be mitigated.", + "items": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType" + } + }, + "reasoning": { + "type": "string", + "title": "Reasoning", + "description": "The written explanation of why the evidence provided substantiates the claim." 
+ }, + "evidence": { + "type": "array", + "title": "Evidence", + "description": "The list of `bom-ref` to evidence that supports this claim.", + "items": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType" + } + }, + "counterEvidence": { + "type": "array", + "title": "Counter Evidence", + "description": "The list of `bom-ref` to counterEvidence that supports this claim.", + "items": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType" + } + }, + "externalReferences": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/externalReferences" + }, + "signature": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/signature", + "title": "Signature", + "description": "Enveloped signature in [JSON Signature Format (JSF)](https://cyberphone.github.io/doc/security/jsf.html)." + } + } + } + }, + "evidence": { + "type": "array", + "title": "Evidence", + "description": "The list of evidence", + "items": { + "type": "object", + "title": "Evidence", + "additionalProperties": false, + "properties": { + "bom-ref": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType", + "title": "BOM Reference", + "description": "An identifier which can be used to reference the object elsewhere in the BOM. Every `bom-ref` must be unique within the BOM." + }, + "propertyName": { + "type": "string", + "title": "Property Name", + "description": "The reference to the property name as defined in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy/)." + }, + "description": { + "type": "string", + "title": "Description", + "description": "The written description of what this evidence is and how it was created." 
+ }, + "data": { + "type": "array", + "title": "Data", + "description": "The output or analysis that supports claims.", + "items": { + "type": "object", + "title": "Data", + "additionalProperties": false, + "properties": { + "name": { + "title": "Data Name", + "description": "The name of the data.", + "type": "string" + }, + "contents": { + "type": "object", + "title": "Data Contents", + "description": "The contents or references to the contents of the data being described.", + "additionalProperties": false, + "properties": { + "attachment": { + "title": "Data Attachment", + "description": "A way to include textual or encoded data.", + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/attachment" + }, + "url": { + "type": "string", + "title": "Data URL", + "description": "The URL to where the data can be retrieved.", + "format": "iri-reference" + } + } + }, + "classification": { + "$ref": "#/$defs/cyclonedx-data-2.0/$defs/dataClassification" + }, + "sensitiveData": { + "type": "array", + "title": "Sensitive Data", + "description": "A description of any sensitive data included.", + "items": { + "type": "string" + } + }, + "governance": { + "title": "Data Governance", + "$ref": "#/$defs/cyclonedx-data-2.0/$defs/dataGovernance" + } + } + } + }, + "created": { + "type": "string", + "format": "date-time", + "title": "Created", + "description": "The date and time (timestamp) when the evidence was created." + }, + "expires": { + "type": "string", + "format": "date-time", + "title": "Expires", + "description": "The date and time (timestamp) when the evidence is no longer valid." + }, + "author": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/organizationalContact", + "title": "Author", + "description": "The author of the evidence." + }, + "reviewer": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/organizationalContact", + "title": "Reviewer", + "description": "The reviewer of the evidence." 
+ }, + "signature": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/signature", + "title": "Signature", + "description": "Enveloped signature in [JSON Signature Format (JSF)](https://cyberphone.github.io/doc/security/jsf.html)." + } + } + } + }, + "targets": { + "type": "object", + "title": "Targets", + "description": "The list of targets which claims are made against.", + "additionalProperties": false, + "properties": { + "organizations": { + "type": "array", + "title": "Organizations", + "description": "The list of organizations which claims are made against.", + "items": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity" } }, - "creationDate": { - "type": "string", - "format": "date-time", - "title": "Creation Date", - "description": "The date and time (timestamp) when the certificate was created or pre-activated." - }, - "activationDate": { - "type": "string", - "format": "date-time", - "title": "Activation Date", - "description": "The date and time (timestamp) when the certificate was activated." - }, - "deactivationDate": { - "type": "string", - "format": "date-time", - "title": "Deactivation Date", - "description": "The date and time (timestamp) when the related certificate was deactivated." - }, - "revocationDate": { - "type": "string", - "format": "date-time", - "title": "Revocation Date", - "description": "The date and time (timestamp) when the certificate was revoked." 
+ "components": { + "type": "array", + "title": "Components", + "description": "The list of components which claims are made against.", + "items": { + "$ref": "#/$defs/cyclonedx-component-2.0/$defs/component" + } }, - "destructionDate": { + "services": { + "type": "array", + "title": "Services", + "description": "The list of services which claims are made against.", + "items": { + "$ref": "#/$defs/cyclonedx-service-2.0/$defs/service" + } + } + } + }, + "affirmation": { + "type": "object", + "title": "Affirmation", + "description": "A concise statement affirmed by an individual regarding all declarations, often used for third-party auditor acceptance or recipient acknowledgment. It includes a list of authorized signatories who assert the validity of the document on behalf of the organization.", + "additionalProperties": false, + "properties": { + "statement": { "type": "string", - "format": "date-time", - "title": "Destruction Date", - "description": "The date and time (timestamp) when the certificate was destroyed." + "title": "Statement", + "description": "The brief statement affirmed by an individual regarding all declarations.\n*- Notes This could be an affirmation of acceptance by a third-party auditor or receiving individual of a file.", + "examples": [ + "I certify, to the best of my knowledge, that all information is correct." + ] }, - "certificateExtensions": { + "signatories": { "type": "array", - "title": "Certificate Extensions", - "description": "A certificate extension is a field that provides additional information about the certificate or its use. 
Extensions are used to convey additional information beyond the standard fields.", + "title": "Signatories", + "description": "The list of signatories authorized on behalf of an organization to assert validity of this document.", "items": { "type": "object", - "title": "Extension", - "description": "", + "title": "Signatory", + "additionalProperties": false, "oneOf": [ { - "title": "Common Extensions", "required": [ - "commonExtensionName", - "commonExtensionValue" - ], - "additionalProperties": false, - "properties": { - "commonExtensionName": { - "type": "string", - "title": "name", - "description": "The name of the extension.", - "enum": [ - "basicConstraints", - "keyUsage", - "extendedKeyUsage", - "subjectAlternativeName", - "authorityKeyIdentifier", - "subjectKeyIdentifier", - "authorityInformationAccess", - "certificatePolicies", - "crlDistributionPoints", - "signedCertificateTimestamp" - ], - "meta:enum": { - "basicConstraints": "Specifies whether a certificate can be used as a CA certificate or not.", - "keyUsage": "Specifies the allowed uses of the public key in the certificate.", - "extendedKeyUsage": "Specifies additional purposes for which the public key can be used.", - "subjectAlternativeName": "Allows inclusion of additional names to identify the entity associated with the certificate.", - "authorityKeyIdentifier": "Identifies the public key of the CA that issued the certificate.", - "subjectKeyIdentifier": "Identifies the public key associated with the entity the certificate was issued to.", - "authorityInformationAccess": "Contains CA issuers and OCSP information.", - "certificatePolicies": "Defines the policies under which the certificate was issued and can be used.", - "crlDistributionPoints": "Contains one or more URLs where a Certificate Revocation List (CRL) can be obtained.", - "signedCertificateTimestamp": "Shows that the certificate has been publicly logged, which helps prevent the issuance of rogue certificates by a CA. 
Log ID, timestamp and signature as proof." - } - }, - "commonExtensionValue": { - "type": "string", - "title": "Value", - "description": "The value of the certificate extension." - } - } + "signature" + ] }, { - "title": "Custom Extensions", - "description": "Custom extensions may convey application-specific or vendor-specific data not covered by standard extensions. The structure and semantics of custom extensions are typically defined outside of public standards. CycloneDX leverages properties to support this capability.", "required": [ - "customExtensionName" - ], - "additionalProperties": false, - "properties": { - "customExtensionName": { - "type": "string", - "title": "Name", - "description": "The name for the custom certificate extension." - }, - "customExtensionValue": { - "type": "string", - "title": "Value", - "description": "The description of the custom certificate extension." - } - } + "externalReference", + "organization" + ] } - ] + ], + "properties": { + "name": { + "type": "string", + "title": "Name", + "description": "The signatory's name." + }, + "role": { + "type": "string", + "title": "Role", + "description": "The signatory's role within an organization." + }, + "signature": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/signature", + "title": "Signature", + "description": "Enveloped signature in [JSON Signature Format (JSF)](https://cyberphone.github.io/doc/security/jsf.html)." + }, + "organization": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity", + "title": "Organization", + "description": "The signatory's organization." 
+ }, + "externalReference": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/externalReference" + } + } } }, - "relatedCryptographicAssets": { - "$ref": "#/$defs/cyclonedx-cryptography-2.0/$defs/relatedCryptographicAssets" + "signature": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/signature", + "title": "Signature", + "description": "Enveloped signature in [JSON Signature Format (JSF)](https://cyberphone.github.io/doc/security/jsf.html)." } } }, - "relatedCryptoMaterialProperties": { - "type": "object", - "title": "Related Cryptographic Material Properties", - "description": "Properties for cryptographic assets of asset type: `related-crypto-material`.", - "additionalProperties": false, - "properties": { - "type": { - "type": "string", - "title": "relatedCryptoMaterialType", - "description": "The type for the related cryptographic material.", - "enum": [ - "private-key", - "public-key", - "secret-key", - "key", - "ciphertext", - "signature", - "digest", - "initialization-vector", - "nonce", - "seed", - "salt", - "shared-secret", - "tag", - "additional-data", - "password", - "credential", - "token", - "other", - "unknown" - ], - "meta:enum": { - "private-key": "The confidential key of a key pair used in asymmetric cryptography.", - "public-key": "The non-confidential key of a key pair used in asymmetric cryptography.", - "secret-key": "A key used to encrypt and decrypt messages in symmetric cryptography.", - "key": "A piece of information, usually an octet string, which, when processed through a cryptographic algorithm, processes cryptographic data.", - "ciphertext": "The result of encryption performed on plaintext using an algorithm (or cipher).", - "signature": "A cryptographic value that is calculated from the data and a key known only by the signer.", - "digest": "The output of the hash function.", - "initialization-vector": "A fixed-size random or pseudo-random value used as an input parameter for cryptographic algorithms.", - "nonce": "A random or 
pseudo-random number that can only be used once in a cryptographic communication.", - "seed": "The input to a pseudo-random number generator. Different seeds generate different pseudo-random sequences.", - "salt": "A value used in a cryptographic process, usually to ensure that the results of computations for one instance cannot be reused by an attacker.", - "shared-secret": "A piece of data known only to the parties involved, in a secure communication.", - "tag": "A message authentication code (MAC), sometimes known as an authentication tag, is a short piece of information used for authenticating and integrity-checking a message.", - "additional-data": "An unspecified collection of data with relevance to cryptographic activity.", - "password": "A secret word, phrase, or sequence of characters used during authentication or authorization.", - "credential": "Establishes the identity of a party to communication, usually in the form of cryptographic keys or passwords.", - "token": "An object encapsulating a security identity.", - "other": "Another type of cryptographic asset.", - "unknown": "The type of cryptographic asset is not known." - } - }, - "id": { - "type": "string", - "title": "ID", - "description": "The unique identifier for the related cryptographic material." - }, - "state": { - "type": "string", - "title": "State", - "description": "The key state as defined by NIST SP 800-57.", - "enum": [ - "pre-activation", - "active", - "suspended", - "deactivated", - "compromised", - "destroyed" - ] - }, - "creationDate": { - "type": "string", - "format": "date-time", - "title": "Creation Date", - "description": "The date and time (timestamp) when the related cryptographic material was created." - }, - "activationDate": { - "type": "string", - "format": "date-time", - "title": "Activation Date", - "description": "The date and time (timestamp) when the related cryptographic material was activated." 
- }, - "updateDate": { - "type": "string", - "format": "date-time", - "title": "Update Date", - "description": "The date and time (timestamp) when the related cryptographic material was updated." - }, - "expirationDate": { - "type": "string", - "format": "date-time", - "title": "Expiration Date", - "description": "The date and time (timestamp) when the related cryptographic material expires." - }, - "value": { - "type": "string", - "title": "Value", - "description": "The associated value of the cryptographic material." - }, - "size": { - "type": "integer", - "title": "Size", - "description": "The size of the cryptographic asset (in bits)." - }, - "format": { - "type": "string", - "title": "Format", - "description": "The format of the related cryptographic material (e.g. P8, PEM, DER)." - }, - "securedBy": { - "$ref": "#/$defs/cyclonedx-cryptography-2.0/$defs/securedBy", - "title": "Secured By", - "description": "The mechanism by which the cryptographic asset is secured by." - }, - "fingerprint": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/hash", - "title": "Fingerprint", - "description": "The fingerprint is a cryptographic hash of the asset." - }, - "relatedCryptographicAssets": { - "$ref": "#/$defs/cyclonedx-cryptography-2.0/$defs/relatedCryptographicAssets" - } + "signature": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/signature", + "title": "Signature", + "description": "Enveloped signature in [JSON Signature Format (JSF)](https://cyberphone.github.io/doc/security/jsf.html)." 
+ } + } + } + } + }, + "cyclonedx-definition-2.0": { + "type": "null", + "title": "CycloneDX Definition Model", + "$defs": { + "definitions": { + "type": "object", + "title": "Definitions", + "description": "A collection of reusable objects that are defined and may be used elsewhere in the BOM.", + "additionalProperties": false, + "properties": { + "standards": { + "$ref": "#/$defs/cyclonedx-standard-2.0/$defs/standards" + }, + "patents": { + "$ref": "#/$defs/cyclonedx-patent-2.0/$defs/patents" + } + } + } + } + }, + "cyclonedx-dependency-2.0": { + "type": "null", + "title": "CycloneDX Dependency Model", + "$defs": { + "dependencies": { + "type": "array", + "items": { + "$ref": "#/$defs/cyclonedx-dependency-2.0/$defs/dependency" + }, + "uniqueItems": true, + "title": "Dependencies", + "description": "Provides the ability to document dependency relationships including provided & implemented components." + }, + "dependency": { + "type": "object", + "title": "Dependency", + "description": "Defines the direct dependencies of a component, service, or the components provided/implemented by a given component. Components or services that do not have their own dependencies must be declared as empty elements within the graph. Components or services that are not represented in the dependency graph may have unknown dependencies. It is recommended that implementations assume this to be opaque and not an indicator of an object being dependency-free. 
It is recommended to leverage compositions to indicate unknown dependency graphs.", + "required": [ + "ref" + ], + "additionalProperties": false, + "properties": { + "ref": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType", + "title": "Reference", + "description": "References a component or service by its bom-ref attribute" + }, + "dependsOn": { + "type": "array", + "uniqueItems": true, + "items": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType" + }, + "title": "Depends On", + "description": "The bom-ref identifiers of the components or services that are dependencies of this dependency object." + }, + "provides": { + "type": "array", + "uniqueItems": true, + "items": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType" + }, + "title": "Provides", + "description": "The bom-ref identifiers of the components or services that define a given specification or standard, which are provided or implemented by this dependency object.\nFor example, a cryptographic library which implements a cryptographic algorithm. A component which implements another component does not imply that the implementation is in use." + } + } + } + } + }, + "cyclonedx-formulation-2.0": { + "type": "null", + "title": "CycloneDX Formulation Model", + "$defs": { + "formulation": { + "type": "array", + "items": { + "$ref": "#/$defs/cyclonedx-formulation-2.0/$defs/formula" + }, + "uniqueItems": true, + "title": "Formulation", + "description": "Describes the formulation of any referencable object within the BOM, including components, services, metadata, declarations, or the BOM itself. This may encompass how the object was created, assembled, deployed, tested, certified, or otherwise brought into its present form. Common examples include software build pipelines, deployment processes, AI/ML model training, cryptographic key generation or certification, and third-party audits. 
Processes are modeled using declared and observed formulas, composed of workflows, tasks, and individual steps." + }, + "formula": { + "title": "Formula", + "description": "Describes workflows and resources that captures rules and other aspects of how the associated BOM component or service was formed.", + "type": "object", + "additionalProperties": false, + "properties": { + "bom-ref": { + "title": "BOM Reference", + "description": "An identifier which can be used to reference the formula elsewhere in the BOM. Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links.", + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType" + }, + "components": { + "title": "Components", + "description": "Transient components that are used in tasks that constitute one or more of this formula's workflows", + "type": "array", + "items": { + "$ref": "#/$defs/cyclonedx-component-2.0/$defs/component" + }, + "uniqueItems": true + }, + "services": { + "title": "Services", + "description": "Transient services that are used in tasks that constitute one or more of this formula's workflows", + "type": "array", + "items": { + "$ref": "#/$defs/cyclonedx-service-2.0/$defs/service" + }, + "uniqueItems": true + }, + "workflows": { + "title": "Workflows", + "description": "List of workflows that can be declared to accomplish specific orchestrated goals and independently triggered.", + "$comment": "Different workflows can be designed to work together to perform end-to-end CI/CD builds and deployments.", + "type": "array", + "items": { + "$ref": "#/$defs/cyclonedx-formulation-2.0/$defs/workflow" + }, + "uniqueItems": true + }, + "properties": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/properties" + } + } + }, + "workflow": { + "title": "Workflow", + "description": "A specialized orchestration task.", + "$comment": "Workflow are as task themselves and can trigger other workflow tasks. 
These relationships can be modeled in the taskDependencies graph.", + "type": "object", + "required": [ + "bom-ref", + "uid", + "taskTypes" + ], + "additionalProperties": false, + "properties": { + "bom-ref": { + "title": "BOM Reference", + "description": "An identifier which can be used to reference the workflow elsewhere in the BOM. Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links.", + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType" + }, + "uid": { + "title": "Unique Identifier (UID)", + "description": "The unique identifier for the resource instance within its deployment context.", + "type": "string" + }, + "name": { + "title": "Name", + "description": "The name of the resource instance.", + "type": "string" + }, + "description": { + "title": "Description", + "description": "A description of the resource instance.", + "type": "string" + }, + "resourceReferences": { + "title": "Resource references", + "description": "References to component or service resources that are used to realize the resource instance.", + "type": "array", + "uniqueItems": true, + "items": { + "$ref": "#/$defs/cyclonedx-formulation-2.0/$defs/resourceReferenceChoice" + } + }, + "tasks": { + "title": "Tasks", + "description": "The tasks that comprise the workflow.", + "$comment": "Note that tasks can appear more than once as different instances (by name or UID).", + "type": "array", + "uniqueItems": true, + "items": { + "$ref": "#/$defs/cyclonedx-formulation-2.0/$defs/task" + } + }, + "taskDependencies": { + "title": "Task dependency graph", + "description": "The graph of dependencies between tasks within the workflow.", + "type": "array", + "uniqueItems": true, + "items": { + "$ref": "#/$defs/cyclonedx-dependency-2.0/$defs/dependency" + } + }, + "taskTypes": { + "title": "Task types", + "description": "Indicates the types of activities performed by the set of workflow tasks.", + "$comment": 
"Currently, these types reflect common CI/CD actions.", + "type": "array", + "items": { + "$ref": "#/$defs/cyclonedx-formulation-2.0/$defs/taskType" + } + }, + "trigger": { + "title": "Trigger", + "description": "The trigger that initiated the task.", + "$ref": "#/$defs/cyclonedx-formulation-2.0/$defs/trigger" + }, + "steps": { + "title": "Steps", + "description": "The sequence of steps for the task.", + "type": "array", + "items": { + "$ref": "#/$defs/cyclonedx-formulation-2.0/$defs/step" + }, + "uniqueItems": true + }, + "inputs": { + "title": "Inputs", + "description": "Represents resources and data brought into a task at runtime by executor or task commands", + "examples": [ + "a `configuration` file which was declared as a local `component` or `externalReference`" + ], + "type": "array", + "items": { + "$ref": "#/$defs/cyclonedx-formulation-2.0/$defs/inputType" + }, + "uniqueItems": true + }, + "outputs": { + "title": "Outputs", + "description": "Represents resources and data output from a task at runtime by executor or task commands", + "examples": [ + "a log file or metrics data produced by the task" + ], + "type": "array", + "items": { + "$ref": "#/$defs/cyclonedx-formulation-2.0/$defs/outputType" + }, + "uniqueItems": true + }, + "timeStart": { + "title": "Time start", + "description": "The date and time (timestamp) when the task started.", + "type": "string", + "format": "date-time" + }, + "timeEnd": { + "title": "Time end", + "description": "The date and time (timestamp) when the task ended.", + "type": "string", + "format": "date-time" + }, + "workspaces": { + "title": "Workspaces", + "description": "A set of named filesystem or data resource shareable by workflow tasks.", + "type": "array", + "uniqueItems": true, + "items": { + "$ref": "#/$defs/cyclonedx-formulation-2.0/$defs/workspace" } }, - "protocolProperties": { - "type": "object", - "title": "Protocol Properties", - "description": "Properties specific to cryptographic assets of type: 
`protocol`.", - "additionalProperties": false, - "properties": { - "type": { - "type": "string", - "title": "Type", - "description": "The concrete protocol type.", - "enum": [ - "tls", - "ssh", - "ipsec", - "ike", - "sstp", - "wpa", - "dtls", - "quic", - "eap-aka", - "eap-aka-prime", - "prins", - "5g-aka", - "other", - "unknown" - ], - "meta:enum": { - "tls": "Transport Layer Security", - "ssh": "Secure Shell", - "ipsec": "Internet Protocol Security", - "ike": "Internet Key Exchange", - "sstp": "Secure Socket Tunneling Protocol", - "wpa": "Wi-Fi Protected Access", - "dtls": "Datagram Transport Layer Security", - "quic": "Quick UDP Internet Connections", - "eap-aka": "Extensible Authentication Protocol variant", - "eap-aka-prime": "Enhanced version of EAP-AKA", - "prins": "Protection of Inter-Network Signaling", - "5g-aka": "Authentication and Key Agreement for 5G", - "other": "Another protocol type", - "unknown": "The protocol type is not known" - } - }, - "version": { - "type": "string", - "title": "Protocol Version", - "description": "The version of the protocol.", - "examples": [ - "1.0", - "1.2", - "1.99" - ] - }, - "cipherSuites": { - "type": "array", - "title": "Cipher Suites", - "description": "A list of cipher suites related to the protocol.", - "items": { - "$ref": "#/$defs/cyclonedx-cryptography-2.0/$defs/cipherSuite", - "title": "Cipher Suite" - } - }, - "ikev2TransformTypes": { - "type": "object", - "title": "IKEv2 Transform Types", - "description": "The IKEv2 transform types supported (types 1-4), defined in [RFC 7296 section 3.3.2](https://www.ietf.org/rfc/rfc7296.html#section-3.3.2), and additional properties.", - "additionalProperties": false, - "properties": { - "encr": { - "type": "array", - "title": "Encryption Algorithms (ENCR)", - "description": "Transform Type 1: encryption algorithms.", - "items": { - "$ref": "#/$defs/cyclonedx-cryptography-2.0/$defs/ikeV2Enc", - "title": "Encryption Algorithm (ENCR)" - } - }, - "prf": { - "type": "array", - 
"title": "Pseudorandom Functions (PRF)", - "description": "Transform Type 2: pseudorandom functions.", - "items": { - "$ref": "#/$defs/cyclonedx-cryptography-2.0/$defs/ikeV2Prf", - "title": "Pseudorandom Function (PRF)" - } - }, - "integ": { - "type": "array", - "title": "Integrity Algorithms (INTEG)", - "description": "Transform Type 3: integrity algorithms.", - "items": { - "$ref": "#/$defs/cyclonedx-cryptography-2.0/$defs/ikeV2Integ", - "title": "Integrity Algorithm (INTEG)" - } - }, - "ke": { - "type": "array", - "title": "Key Exchange Methods (KE)", - "description": "Transform Type 4: Key Exchange Method (KE) per [RFC 9370](https://www.ietf.org/rfc/rfc9370.html), formerly called Diffie-Hellman Group (D-H).", - "items": { - "$ref": "#/$defs/cyclonedx-cryptography-2.0/$defs/ikeV2Ke" - } - }, - "esn": { - "type": "boolean", - "title": "Extended Sequence Number (ESN)", - "description": "Specifies if an Extended Sequence Number (ESN) is used." - }, - "auth": { - "type": "array", - "title": "IKEv2 Authentication methods", - "description": "IKEv2 Authentication method per [RFC9593](https://www.ietf.org/rfc/rfc9593.html).", - "items": { - "$ref": "#/$defs/cyclonedx-cryptography-2.0/$defs/ikeV2Auth", - "title": "IKEv2 Authentication Method" - } - } - } - }, - "relatedCryptographicAssets": { - "$ref": "#/$defs/cyclonedx-cryptography-2.0/$defs/relatedCryptographicAssets" - } + "runtimeTopology": { + "title": "Runtime topology", + "description": "A graph of the component runtime topology for workflow's instance.", + "$comment": "A description of the runtime component and service topology. This can describe a partial or complete topology used to host and execute the task (e.g., hardware, operating systems, configurations, etc.),", + "type": "array", + "uniqueItems": true, + "items": { + "$ref": "#/$defs/cyclonedx-dependency-2.0/$defs/dependency" } }, - "oid": { - "type": "string", - "title": "OID", - "description": "The object identifier (OID) of the cryptographic asset." 
+ "properties": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/properties" } } }, - "cipherSuite": { + "task": { + "title": "Task", + "description": "Describes the inputs, sequence of steps and resources used to accomplish a task and its output.", + "$comment": "Tasks are building blocks for constructing assemble CI/CD workflows or pipelines.", "type": "object", - "title": "Cipher Suite", - "description": "Object representing a cipher suite.", + "required": [ + "bom-ref", + "uid", + "taskTypes" + ], "additionalProperties": false, "properties": { + "bom-ref": { + "title": "BOM Reference", + "description": "An identifier which can be used to reference the task elsewhere in the BOM. Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links.", + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType" + }, + "uid": { + "title": "Unique Identifier (UID)", + "description": "The unique identifier for the resource instance within its deployment context.", + "type": "string" + }, "name": { - "type": "string", - "title": "Common Name", - "description": "A common name for the cipher suite.", - "examples": [ - "TLS_DHE_RSA_WITH_AES_128_CCM" - ] + "title": "Name", + "description": "The name of the resource instance.", + "type": "string" }, - "algorithms": { + "description": { + "title": "Description", + "description": "A description of the resource instance.", + "type": "string" + }, + "resourceReferences": { + "title": "Resource references", + "description": "References to component or service resources that are used to realize the resource instance.", "type": "array", - "title": "Related Algorithms", - "description": "A list of algorithms related to the cipher suite.", + "uniqueItems": true, "items": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType", - "title": "Algorithm reference", - "description": "The bom-ref to algorithm cryptographic asset." 
+ "$ref": "#/$defs/cyclonedx-formulation-2.0/$defs/resourceReferenceChoice" } }, - "identifiers": { + "taskTypes": { + "title": "Task types", + "description": "Indicates the types of activities performed by the set of workflow tasks.", + "$comment": "Currently, these types reflect common CI/CD actions.", "type": "array", - "title": "Cipher Suite Identifiers", - "description": "A list of common identifiers for the cipher suite.", "items": { - "type": "string", - "title": "identifier", - "description": "Cipher suite identifier.", - "examples": [ - "0xC0", - "0x9E" - ] + "$ref": "#/$defs/cyclonedx-formulation-2.0/$defs/taskType" } }, - "tlsGroups": { + "trigger": { + "title": "Trigger", + "description": "The trigger that initiated the task.", + "$ref": "#/$defs/cyclonedx-formulation-2.0/$defs/trigger" + }, + "steps": { + "title": "Steps", + "description": "The sequence of steps for the task.", "type": "array", - "title": "TLS Groups", - "description": "A list of TLS named groups (formerly known as curves) for this cipher suite. These groups define the parameters for key exchange algorithms like ECDHE.", "items": { - "type": "string", - "title": "Group Name", - "description": "The name of the TLS group.", - "examples": [ - "x25519", - "ffdhe2048" - ] - } + "$ref": "#/$defs/cyclonedx-formulation-2.0/$defs/step" + }, + "uniqueItems": true }, - "tlsSignatureSchemes": { + "inputs": { + "title": "Inputs", + "description": "Represents resources and data brought into a task at runtime by executor or task commands", + "examples": [ + "a `configuration` file which was declared as a local `component` or `externalReference`" + ], "type": "array", - "title": "TLS Signature Schemes", - "description": "A list of signature schemes supported for cipher suite. 
These schemes specify the algorithms used for digital signatures in TLS handshakes and certificate verification.", "items": { - "type": "string", - "title": "Signature Scheme", - "description": "The name of the TLS signature scheme.", - "examples": [ - "ecdsa_secp256r1_sha256", - "rsa_pss_rsae_sha256", - "ed25519" - ] + "$ref": "#/$defs/cyclonedx-formulation-2.0/$defs/inputType" + }, + "uniqueItems": true + }, + "outputs": { + "title": "Outputs", + "description": "Represents resources and data output from a task at runtime by executor or task commands", + "examples": [ + "a log file or metrics data produced by the task" + ], + "type": "array", + "items": { + "$ref": "#/$defs/cyclonedx-formulation-2.0/$defs/outputType" + }, + "uniqueItems": true + }, + "timeStart": { + "title": "Time start", + "description": "The date and time (timestamp) when the task started.", + "type": "string", + "format": "date-time" + }, + "timeEnd": { + "title": "Time end", + "description": "The date and time (timestamp) when the task ended.", + "type": "string", + "format": "date-time" + }, + "workspaces": { + "title": "Workspaces", + "description": "A set of named filesystem or data resource shareable by workflow tasks.", + "type": "array", + "items": { + "$ref": "#/$defs/cyclonedx-formulation-2.0/$defs/workspace" + }, + "uniqueItems": true + }, + "runtimeTopology": { + "title": "Runtime topology", + "description": "A graph of the component runtime topology for task's instance.", + "$comment": "A description of the runtime component and service topology. 
This can describe a partial or complete topology used to host and execute the task (e.g., hardware, operating systems, configurations, etc.),", + "type": "array", + "items": { + "$ref": "#/$defs/cyclonedx-dependency-2.0/$defs/dependency" + }, + "uniqueItems": true + }, + "properties": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/properties" + } + } + }, + "step": { + "type": "object", + "description": "Executes specific commands or tools in order to accomplish its owning task as part of a sequence.", + "additionalProperties": false, + "properties": { + "name": { + "title": "Name", + "description": "A name for the step.", + "type": "string" + }, + "description": { + "title": "Description", + "description": "A description of the step.", + "type": "string" + }, + "commands": { + "title": "Commands", + "description": "Ordered list of commands or directives for the step", + "type": "array", + "items": { + "$ref": "#/$defs/cyclonedx-formulation-2.0/$defs/command" } + }, + "properties": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/properties" } } }, - "ikeV2Enc": { + "command": { "type": "object", - "title": "Encryption Algorithm (ENCR)", - "description": "Object representing an encryption algorithm (ENCR).", "additionalProperties": false, "properties": { + "executed": { + "title": "Executed", + "description": "A text representation of the executed command.", + "type": "string" + }, + "properties": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/properties" + } + } + }, + "workspace": { + "title": "Workspace", + "description": "A named filesystem or data resource shareable by workflow tasks.", + "type": "object", + "required": [ + "bom-ref", + "uid" + ], + "additionalProperties": false, + "properties": { + "bom-ref": { + "title": "BOM Reference", + "description": "An identifier which can be used to reference the workspace elsewhere in the BOM. 
Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links.", + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType" + }, + "uid": { + "title": "Unique Identifier (UID)", + "description": "The unique identifier for the resource instance within its deployment context.", + "type": "string" + }, "name": { - "type": "string", "title": "Name", - "description": "A name for the encryption method.", - "examples": [ - "ENCR_AES_GCM_16" + "description": "The name of the resource instance.", + "type": "string" + }, + "aliases": { + "title": "Aliases", + "description": "The names for the workspace as referenced by other workflow tasks. Effectively, a name mapping so other tasks can use their own local name in their steps.", + "type": "array", + "items": { + "type": "string" + } + }, + "description": { + "title": "Description", + "description": "A description of the resource instance.", + "type": "string" + }, + "resourceReferences": { + "title": "Resource references", + "description": "References to component or service resources that are used to realize the resource instance.", + "type": "array", + "uniqueItems": true, + "items": { + "$ref": "#/$defs/cyclonedx-formulation-2.0/$defs/resourceReferenceChoice" + } + }, + "accessMode": { + "title": "Access mode", + "description": "Describes the read-write access control for the workspace relative to the owning resource instance.", + "type": "string", + "enum": [ + "read-only", + "read-write", + "read-write-once", + "write-once", + "write-only" ] }, - "keyLength": { - "type": "integer", - "title": "Encryption algorithm key length", - "description": "The key length of the encryption algorithm." 
+ "mountPath": { + "title": "Mount path", + "description": "A path to a location on disk where the workspace will be available to the associated task's steps.", + "type": "string" }, - "algorithm": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType", - "title": "Algorithm reference", - "description": "The bom-ref to algorithm cryptographic asset." - } - } - }, - "ikeV2Prf": { - "type": "object", - "title": "Pseudorandom Function (PRF)", - "description": "Object representing a pseudorandom function (PRF).", - "additionalProperties": false, - "properties": { - "name": { - "type": "string", - "title": "Name", - "description": "A name for the pseudorandom function.", + "managedDataType": { + "title": "Managed data type", + "description": "The name of a domain-specific data type the workspace represents.", + "$comment": "This property is for CI/CD frameworks that are able to provide access to structured, managed data at a more granular level than a filesystem.", "examples": [ - "PRF_HMAC_SHA2_256" - ] + "ConfigMap", + "Secret" + ], + "type": "string" }, - "algorithm": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType", - "title": "Algorithm reference", - "description": "The bom-ref to algorithm cryptographic asset." 
+ "volumeRequest": { + "title": "Volume request", + "description": "Identifies the reference to the request for a specific volume type and parameters.", + "examples": [ + "a kubernetes Persistent Volume Claim (PVC) name" + ], + "type": "string" + }, + "volume": { + "title": "Volume", + "description": "Information about the actual volume instance allocated to the workspace.", + "$comment": "The actual volume allocated may be different than the request.", + "examples": [ + "see https://kubernetes.io/docs/concepts/storage/persistent-volumes/" + ], + "$ref": "#/$defs/cyclonedx-formulation-2.0/$defs/volume" + }, + "properties": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/properties" } } }, - "ikeV2Integ": { + "volume": { + "title": "Volume", + "description": "An identifiable, logical unit of data storage tied to a physical device.", "type": "object", - "title": "Integrity Algorithm (INTEG)", - "description": "Object representing an integrity algorithm (INTEG).", "additionalProperties": false, "properties": { + "uid": { + "title": "Unique Identifier (UID)", + "description": "The unique identifier for the volume instance within its deployment context.", + "type": "string" + }, "name": { - "type": "string", "title": "Name", - "description": "A name for the integrity algorithm.", + "description": "The name of the volume instance", + "type": "string" + }, + "mode": { + "title": "Mode", + "description": "The mode for the volume instance.", + "type": "string", + "enum": [ + "filesystem", + "block" + ], + "default": "filesystem" + }, + "path": { + "title": "Path", + "description": "The underlying path created from the actual volume.", + "type": "string" + }, + "sizeAllocated": { + "title": "Size allocated", + "description": "The allocated size of the volume accessible to the associated workspace. 
This should include the scalar size as well as IEC standard unit in either decimal or binary form.", "examples": [ - "AUTH_HMAC_SHA2_256_128" - ] + "10GB", + "2Ti", + "1Pi" + ], + "type": "string" }, - "algorithm": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType", - "title": "Algorithm reference", - "description": "The bom-ref to algorithm cryptographic asset." - } - } - }, - "ikeV2Ke": { - "type": "object", - "title": "Key Exchange Method (KE)", - "description": "Object representing a key exchange method (KE).", - "additionalProperties": false, - "properties": { - "group": { - "type": "integer", - "title": "Group Identifier", - "description": "A group identifier for the key exchange algorithm." + "persistent": { + "title": "Persistent", + "description": "Indicates if the volume persists beyond the life of the resource it is associated with.", + "type": "boolean" }, - "algorithm": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType", - "title": "Algorithm reference", - "description": "The bom-ref to algorithm cryptographic asset." + "remote": { + "title": "Remote", + "description": "Indicates if the volume is remotely (i.e., network) attached.", + "type": "boolean" + }, + "properties": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/properties" } } }, - "ikeV2Auth": { + "trigger": { + "title": "Trigger", + "description": "Represents a resource that can conditionally activate (or fire) tasks based upon associated events and their data.", "type": "object", - "title": "IKEv2 Authentication method", - "description": "Object representing a IKEv2 Authentication method.", "additionalProperties": false, + "required": [ + "type", + "bom-ref", + "uid" + ], "properties": { + "bom-ref": { + "title": "BOM Reference", + "description": "An identifier which can be used to reference the trigger elsewhere in the BOM. 
Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links.", + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType" + }, + "uid": { + "title": "Unique Identifier (UID)", + "description": "The unique identifier for the resource instance within its deployment context.", + "type": "string" + }, "name": { - "type": "string", "title": "Name", - "description": "A name for the authentication method." + "description": "The name of the resource instance.", + "type": "string" + }, + "description": { + "title": "Description", + "description": "A description of the resource instance.", + "type": "string" + }, + "resourceReferences": { + "title": "Resource references", + "description": "References to component or service resources that are used to realize the resource instance.", + "type": "array", + "uniqueItems": true, + "items": { + "$ref": "#/$defs/cyclonedx-formulation-2.0/$defs/resourceReferenceChoice" + } }, - "algorithm": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType", - "title": "Algorithm reference", - "description": "The bom-ref to algorithm cryptographic asset." 
- } - } - }, - "relatedCryptographicAssets": { - "type": "array", - "title": "Related Cryptographic Assets", - "description": "A list of cryptographic assets related to this component.", - "items": { - "$ref": "#/$defs/cyclonedx-cryptography-2.0/$defs/relatedCryptographicAsset" - } - }, - "relatedCryptographicAsset": { - "type": "object", - "title": "Related Cryptographic Asset", - "description": "A cryptographic assets related to this component.", - "additionalProperties": false, - "properties": { "type": { - "type": "string", "title": "Type", - "description": "Specifies the mechanism by which the cryptographic asset is secured by.", - "examples": [ - "publicKey", - "privateKey", - "algorithm" + "description": "The source type of event which caused the trigger to fire.", + "type": "string", + "enum": [ + "manual", + "api", + "webhook", + "scheduled" ] }, - "ref": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType", - "title": "Reference to cryptographic asset", - "description": "The bom-ref to cryptographic asset." 
+ "event": { + "title": "Event", + "description": "The event data that caused the associated trigger to activate.", + "$ref": "#/$defs/cyclonedx-formulation-2.0/$defs/event" + }, + "conditions": { + "type": "array", + "title": "Conditions", + "description": "A list of conditions used to determine if a trigger should be activated.", + "uniqueItems": true, + "items": { + "$ref": "#/$defs/cyclonedx-formulation-2.0/$defs/condition" + } + }, + "timeActivated": { + "title": "Time activated", + "description": "The date and time (timestamp) when the trigger was activated.", + "type": "string", + "format": "date-time" + }, + "inputs": { + "title": "Inputs", + "description": "Represents resources and data brought into a task at runtime by executor or task commands", + "examples": [ + "a `configuration` file which was declared as a local `component` or `externalReference`" + ], + "type": "array", + "items": { + "$ref": "#/$defs/cyclonedx-formulation-2.0/$defs/inputType" + }, + "uniqueItems": true + }, + "outputs": { + "title": "Outputs", + "description": "Represents resources and data output from a task at runtime by executor or task commands", + "examples": [ + "a log file or metrics data produced by the task" + ], + "type": "array", + "items": { + "$ref": "#/$defs/cyclonedx-formulation-2.0/$defs/outputType" + }, + "uniqueItems": true + }, + "properties": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/properties" } } }, - "securedBy": { + "event": { + "title": "Event", + "description": "Represents something that happened that may trigger a response.", "type": "object", - "title": "Secured By", - "description": "Specifies the mechanism by which the cryptographic asset is secured by.", "additionalProperties": false, "properties": { - "mechanism": { + "uid": { + "title": "Unique Identifier (UID)", + "description": "The unique identifier of the event.", + "type": "string" + }, + "description": { + "title": "Description", + "description": "A description of the event.", + "type": 
"string" + }, + "timeReceived": { + "title": "Time Received", + "description": "The date and time (timestamp) when the event was received.", "type": "string", - "title": "Mechanism", - "description": "Specifies the mechanism by which the cryptographic asset is secured by.", - "examples": [ - "HSM", - "TPM", - "SGX", - "Software", - "None" - ] + "format": "date-time" }, - "algorithmRef": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType", - "title": "Algorithm Reference", - "description": "The bom-ref to the algorithm." + "data": { + "title": "Data", + "description": "Encoding of the raw event data.", + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/attachment" + }, + "source": { + "title": "Source", + "description": "References the component or service that was the source of the event", + "$ref": "#/$defs/cyclonedx-formulation-2.0/$defs/resourceReferenceChoice" + }, + "target": { + "title": "Target", + "description": "References the component or service that was the target of the event", + "$ref": "#/$defs/cyclonedx-formulation-2.0/$defs/resourceReferenceChoice" + }, + "properties": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/properties" } } - } - } - }, - "cyclonedx-data-2.0": { - "type": "null", - "title": "CycloneDX Data Model", - "$defs": { - "dataClassification": { - "type": "string", - "title": "Data Classification", - "description": "Data classification tags data according to its type, sensitivity, and value if altered, stolen, or destroyed." 
}, - "dataGovernance": { + "inputType": { + "title": "Input type", + "description": "Type that represents various input data types and formats.", "type": "object", - "title": "Data Governance", - "description": "Data governance captures information regarding data ownership, stewardship, and custodianship, providing insights into the individuals or entities responsible for managing, overseeing, and safeguarding the data throughout its lifecycle.", + "oneOf": [ + { + "required": [ + "resource" + ] + }, + { + "required": [ + "parameters" + ] + }, + { + "required": [ + "environmentVars" + ] + }, + { + "required": [ + "data" + ] + } + ], "additionalProperties": false, "properties": { - "custodians": { - "type": "array", - "title": "Data Custodians", - "description": "Data custodians are responsible for the safe custody, transport, and storage of data.", - "items": { - "$ref": "#/$defs/cyclonedx-data-2.0/$defs/dataGovernanceResponsibleParty" - } + "source": { + "title": "Source", + "description": "A reference to the component or service that provided the input to the task (e.g., reference to a service with data flow value of `inbound`)", + "examples": [ + "source code repository", + "database" + ], + "$ref": "#/$defs/cyclonedx-formulation-2.0/$defs/resourceReferenceChoice" }, - "stewards": { + "target": { + "title": "Target", + "description": "A reference to the component or service that received or stored the input if not the task itself (e.g., a local, named storage workspace)", + "examples": [ + "workspace", + "directory" + ], + "$ref": "#/$defs/cyclonedx-formulation-2.0/$defs/resourceReferenceChoice" + }, + "resource": { + "title": "Resource", + "description": "A reference to an independent resource provided as an input to a task by the workflow runtime.", + "examples": [ + "a reference to a configuration file in a repository (i.e., a bom-ref)", + "a reference to a scanning service used in a task (i.e., a bom-ref)" + ], + "$ref": 
"#/$defs/cyclonedx-formulation-2.0/$defs/resourceReferenceChoice" + }, + "parameters": { + "title": "Parameters", + "description": "Inputs that have the form of parameters with names and values.", "type": "array", - "title": "Data Stewards", - "description": "Data stewards are responsible for data content, context, and associated business rules.", + "uniqueItems": true, "items": { - "$ref": "#/$defs/cyclonedx-data-2.0/$defs/dataGovernanceResponsibleParty" + "$ref": "#/$defs/cyclonedx-formulation-2.0/$defs/parameter" } }, - "owners": { + "environmentVars": { + "title": "Environment variables", + "description": "Inputs that have the form of parameters with names and values.", "type": "array", - "title": "Data Owners", - "description": "Data owners are concerned with risk and appropriate access to data.", + "uniqueItems": true, "items": { - "$ref": "#/$defs/cyclonedx-data-2.0/$defs/dataGovernanceResponsibleParty" + "oneOf": [ + { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/property" + }, + { + "type": "string", + "title": "String-Based Environment Variables", + "description": "In addition to the more common key–value pair format, some environment variables may consist of a single string without an explicit value assignment. These string-based environment variables typically act as flags or signals to software, indicating that a feature should be enabled, a mode should be activated, or a specific condition is present. Their presence alone conveys meaning." 
+ } + ] } + }, + "data": { + "title": "Data", + "description": "Inputs that have the form of data.", + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/attachment" + }, + "properties": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/properties" } } }, - "dataGovernanceResponsibleParty": { + "outputType": { "type": "object", + "oneOf": [ + { + "required": [ + "resource" + ] + }, + { + "required": [ + "environmentVars" + ] + }, + { + "required": [ + "data" + ] + } + ], "additionalProperties": false, "properties": { - "organization": { - "title": "Organization", - "description": "The organization that is responsible for specific data governance role(s).", - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity" + "type": { + "title": "Type", + "description": "Describes the type of data output.", + "type": "string", + "enum": [ + "artifact", + "attestation", + "log", + "evidence", + "metrics", + "other" + ] + }, + "source": { + "title": "Source", + "description": "Component or service that generated or provided the output from the task (e.g., a build tool)", + "$ref": "#/$defs/cyclonedx-formulation-2.0/$defs/resourceReferenceChoice" + }, + "target": { + "title": "Target", + "description": "Component or service that received the output from the task (e.g., reference to an artifactory service with data flow value of `outbound`)", + "examples": [ + "a log file described as an `externalReference` within its target domain." 
+ ], + "$ref": "#/$defs/cyclonedx-formulation-2.0/$defs/resourceReferenceChoice" + }, + "resource": { + "title": "Resource", + "description": "A reference to an independent resource generated as output by the task.", + "examples": [ + "configuration file", + "source code", + "scanning service" + ], + "$ref": "#/$defs/cyclonedx-formulation-2.0/$defs/resourceReferenceChoice" + }, + "data": { + "title": "Data", + "description": "Outputs that have the form of data.", + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/attachment" + }, + "environmentVars": { + "title": "Environment variables", + "description": "Outputs that have the form of environment variables.", + "type": "array", + "items": { + "oneOf": [ + { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/property" + }, + { + "type": "string", + "title": "String-Based Environment Variables", + "description": "In addition to the more common key–value pair format, some environment variables may consist of a single string without an explicit value assignment. These string-based environment variables typically act as flags or signals to software, indicating that a feature should be enabled, a mode should be activated, or a specific condition is present. Their presence alone conveys meaning." 
+ } + ] + }, + "uniqueItems": true + }, + "properties": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/properties" + } + } + }, + "resourceReferenceChoice": { + "title": "Resource reference choice", + "description": "A reference to a locally defined resource (e.g., a bom-ref) or an externally accessible resource.", + "$comment": "Enables reference to a resource that participates in a workflow; using either internal (bom-ref) or external (externalReference) types.", + "type": "object", + "additionalProperties": false, + "properties": { + "ref": { + "title": "BOM Reference", + "description": "References an object by its bom-ref attribute", + "anyOf": [ + { + "title": "Ref", + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType" + }, + { + "title": "BOM-Link Element", + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/bomLinkElementType" + } + ] }, - "contact": { - "title": "Individual", - "description": "The individual that is responsible for specific data governance role(s).", - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/organizationalContact" + "externalReference": { + "title": "External reference", + "description": "Reference to an externally accessible resource.", + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/externalReference" } }, "oneOf": [ { "required": [ - "organization" + "ref" ] }, { "required": [ - "contact" + "externalReference" ] } ] }, - "dataFlowDirection": { + "condition": { + "title": "Condition", + "description": "A condition that was used to determine a trigger should be activated.", + "type": "object", + "additionalProperties": false, + "properties": { + "description": { + "title": "Description", + "description": "Describes the set of conditions which cause the trigger to activate.", + "type": "string" + }, + "expression": { + "title": "Expression", + "description": "The logical expression that was evaluated that determined the trigger should be fired.", + "type": "string" + }, + "properties": { + "$ref": 
"#/$defs/cyclonedx-common-2.0/$defs/properties" + } + } + }, + "taskType": { "type": "string", "enum": [ - "inbound", - "outbound", - "bi-directional", - "unknown" + "copy", + "clone", + "lint", + "scan", + "merge", + "build", + "test", + "deliver", + "deploy", + "release", + "clean", + "other" ], "meta:enum": { - "inbound": "Data that enters a service.", - "outbound": "Data that exits a service.", - "bi-directional": "Data flows in and out of the service.", - "unknown": "The directional flow of data is not known." - }, - "title": "Data flow direction", - "description": "Specifies the flow direction of the data. Direction is relative to the service." - } - } - }, - "cyclonedx-declaration-2.0": { - "type": "null", - "title": "CycloneDX Declaration Model", - "$defs": { - "declarations": { + "copy": "A task that copies software or data used to accomplish other tasks in the workflow.", + "clone": "A task that clones a software repository into the workflow in order to retrieve its source code or data for use in a build step.", + "lint": "A task that checks source code for programmatic and stylistic errors.", + "scan": "A task that performs a scan against source code, or built or deployed components and services. 
Scans are typically run to gather or test for security vulnerabilities or policy compliance.", + "merge": "A task that merges changes or fixes into source code prior to a build step in the workflow.", + "build": "A task that builds the source code, dependencies and/or data into an artifact that can be deployed to and executed on target systems.", + "test": "A task that verifies the functionality of a component or service.", + "deliver": "A task that delivers a built artifact to one or more target repositories or storage systems.", + "deploy": "A task that deploys a built artifact for execution on one or more target systems.", + "release": "A task that releases a built, versioned artifact to a target repository or distribution system.", + "clean": "A task that cleans unnecessary tools, build artifacts and/or data from workflow storage.", + "other": "A workflow task that does not match current task type definitions." + } + }, + "parameter": { + "title": "Parameter", + "description": "A representation of a functional parameter.", "type": "object", - "title": "Declarations", - "description": "The list of declarations which describe the conformance to standards. Each declaration may include attestations, claims, and evidence.", "additionalProperties": false, "properties": { - "assessors": { - "type": "array", - "title": "Assessors", - "description": "The list of assessors evaluating claims and determining conformance to requirements and confidence in that assessment.", - "items": { - "type": "object", - "title": "Assessor", - "description": "The assessor who evaluates claims and determines conformance to requirements and confidence in that assessment.", - "additionalProperties": false, - "properties": { - "bom-ref": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType", - "title": "BOM Reference", - "description": "An identifier which can be used to reference the object elsewhere in the BOM. Every `bom-ref` must be unique within the BOM." 
- }, - "thirdParty": { - "type": "boolean", - "title": "Third Party", - "description": "The boolean indicating if the assessor is outside the organization generating claims. A value of false indicates a self assessor." - }, - "organization": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity", - "title": "Organization", - "description": "The entity issuing the assessment." - } - } - } + "name": { + "title": "Name", + "description": "The name of the parameter.", + "type": "string" }, - "attestations": { - "type": "array", - "title": "Attestations", - "description": "The list of attestations asserted by an assessor that maps requirements to claims.", - "items": { - "type": "object", - "title": "Attestation", - "additionalProperties": false, - "properties": { - "summary": { - "type": "string", - "title": "Summary", - "description": "The short description explaining the main points of the attestation." - }, - "assessor": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType", - "title": "Assessor", - "description": "The `bom-ref` to the assessor asserting the attestation." - }, - "map": { - "type": "array", - "title": "Map", - "description": "The grouping of requirements to claims and the attestors declared conformance and confidence thereof.", - "items": { - "type": "object", - "title": "Map", - "additionalProperties": false, - "properties": { - "requirement": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType", - "title": "Requirement", - "description": "The `bom-ref` to the requirement being attested to." 
- }, - "claims": { - "type": "array", - "title": "Claims", - "description": "The list of `bom-ref` to the claims being attested to.", - "items": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType" - } - }, - "counterClaims": { - "type": "array", - "title": "Counter Claims", - "description": "The list of `bom-ref` to the counter claims being attested to.", - "items": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType" - } - }, - "conformance": { - "type": "object", - "title": "Conformance", - "description": "The conformance of the claim meeting a requirement.", - "additionalProperties": false, - "properties": { - "score": { - "type": "number", - "minimum": 0, - "maximum": 1, - "title": "Score", - "description": "The conformance of the claim between and inclusive of 0 and 1, where 1 is 100% conformance." - }, - "rationale": { - "type": "string", - "title": "Rationale", - "description": "The rationale for the conformance score." - }, - "mitigationStrategies": { - "type": "array", - "title": "Mitigation Strategies", - "description": "The list of `bom-ref` to the evidence provided describing the mitigation strategies.", - "items": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType" - } - } - } - }, - "confidence": { - "type": "object", - "title": "Confidence", - "description": "The confidence of the claim meeting the requirement.", - "additionalProperties": false, - "properties": { - "score": { - "type": "number", - "minimum": 0, - "maximum": 1, - "title": "Score", - "description": "The confidence of the claim between and inclusive of 0 and 1, where 1 is 100% confidence." - }, - "rationale": { - "type": "string", - "title": "Rationale", - "description": "The rationale for the confidence score." - } - } - } - } - } - }, - "signature": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/signature", - "title": "Signature", - "description": "Enveloped signature in [JSON Signature Format (JSF)](https://cyberphone.github.io/doc/security/jsf.html)." 
- } - } - } + "value": { + "title": "Value", + "description": "The value of the parameter.", + "type": "string" }, - "claims": { - "type": "array", - "title": "Claims", - "description": "The list of claims.", - "items": { + "dataType": { + "title": "Data type", + "description": "The data type of the parameter.", + "type": "string" + } + } + } + } + }, + "cyclonedx-license-2.0": { + "type": "null", + "title": "CycloneDX License Model", + "$defs": { + "licenseChoice": { + "title": "License Choice", + "description": "A list of SPDX licenses and/or named licenses and/or SPDX License Expression.", + "type": "array", + "items": { + "oneOf": [ + { "type": "object", - "title": "Claim", + "title": "License", + "required": [ + "license" + ], "additionalProperties": false, "properties": { - "bom-ref": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType", - "title": "BOM Reference", - "description": "An identifier which can be used to reference the object elsewhere in the BOM. Every `bom-ref` must be unique within the BOM." - }, - "target": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType", - "title": "Target", - "description": "The `bom-ref` to a target representing a specific system, application, API, module, team, person, process, business unit, company, etc... that this claim is being applied to." - }, - "predicate": { - "type": "string", - "title": "Predicate", - "description": "The specific statement or assertion about the target." - }, - "mitigationStrategies": { - "type": "array", - "title": "Mitigation Strategies", - "description": "The list of `bom-ref` to the evidence provided describing the mitigation strategies. 
Each mitigation strategy should include an explanation of how any weaknesses in the evidence will be mitigated.", - "items": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType" - } - }, - "reasoning": { - "type": "string", - "title": "Reasoning", - "description": "The written explanation of why the evidence provided substantiates the claim." - }, - "evidence": { - "type": "array", - "title": "Evidence", - "description": "The list of `bom-ref` to evidence that supports this claim.", - "items": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType" - } - }, - "counterEvidence": { - "type": "array", - "title": "Counter Evidence", - "description": "The list of `bom-ref` to counterEvidence that supports this claim.", - "items": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType" - } - }, - "externalReferences": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/externalReferences" - }, - "signature": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/signature", - "title": "Signature", - "description": "Enveloped signature in [JSON Signature Format (JSF)](https://cyberphone.github.io/doc/security/jsf.html)." + "license": { + "$ref": "#/$defs/cyclonedx-license-2.0/$defs/license" } } - } - }, - "evidence": { - "type": "array", - "title": "Evidence", - "description": "The list of evidence", - "items": { + }, + { + "title": "License Expression", + "description": "Specifies the details and attributes related to a software license.\nIt must be a valid SPDX license expression, along with additional properties such as license acknowledgment.", "type": "object", - "title": "Evidence", "additionalProperties": false, + "required": [ + "expression" + ], "properties": { - "bom-ref": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType", - "title": "BOM Reference", - "description": "An identifier which can be used to reference the object elsewhere in the BOM. Every `bom-ref` must be unique within the BOM." 
- }, - "propertyName": { - "type": "string", - "title": "Property Name", - "description": "The reference to the property name as defined in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy/)." - }, - "description": { + "expression": { "type": "string", - "title": "Description", - "description": "The written description of what this evidence is and how it was created." + "title": "SPDX License Expression", + "description": "A valid SPDX license expression.\nRefer to https://spdx.org/specifications for syntax requirements.", + "examples": [ + "Apache-2.0 AND (MIT OR GPL-2.0-only)", + "GPL-3.0-only WITH Classpath-exception-2.0" + ] }, - "data": { + "expressionDetails": { + "title": "Expression Details", + "description": "Details for parts of the `expression`.", "type": "array", - "title": "Data", - "description": "The output or analysis that supports claims.", "items": { "type": "object", - "title": "Data", - "additionalProperties": false, + "description": "This document specifies the details and attributes related to a software license identifier. An SPDX expression may be a compound of license identifiers.\nThe `license_identifier` property serves as the key that identifies each record. 
Note that this key is not required to be unique, as the same license identifier could apply to multiple, different but similar license details, texts, etc.", + "required": [ + "licenseIdentifier" + ], "properties": { - "name": { - "title": "Data Name", - "description": "The name of the data.", - "type": "string" - }, - "contents": { - "type": "object", - "title": "Data Contents", - "description": "The contents or references to the contents of the data being described.", - "additionalProperties": false, - "properties": { - "attachment": { - "title": "Data Attachment", - "description": "A way to include textual or encoded data.", - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/attachment" - }, - "url": { - "type": "string", - "title": "Data URL", - "description": "The URL to where the data can be retrieved.", - "format": "iri-reference" - } - } + "licenseIdentifier": { + "title": "License Identifier", + "description": "The valid SPDX license identifier. Refer to https://spdx.org/specifications for syntax requirements.\nThis property serves as the primary key, which uniquely identifies each record.", + "type": "string", + "examples": [ + "Apache-2.0", + "GPL-3.0-only WITH Classpath-exception-2.0", + "LicenseRef-my-custom-license" + ] }, - "classification": { - "$ref": "#/$defs/cyclonedx-data-2.0/$defs/dataClassification" + "bom-ref": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType", + "title": "BOM Reference", + "description": "An identifier which can be used to reference the license elsewhere in the BOM. Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links." 
}, - "sensitiveData": { - "type": "array", - "title": "Sensitive Data", - "description": "A description of any sensitive data included.", - "items": { - "type": "string" - } + "text": { + "title": "License texts", + "description": "A way to include the textual content of the license.", + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/attachment" }, - "governance": { - "title": "Data Governance", - "$ref": "#/$defs/cyclonedx-data-2.0/$defs/dataGovernance" + "url": { + "type": "string", + "title": "License URL", + "description": "The URL to the license file. If specified, a 'license' externalReference should also be specified for completeness", + "examples": [ + "https://www.apache.org/licenses/LICENSE-2.0.txt" + ], + "format": "iri-reference" } - } + }, + "additionalProperties": false } }, - "created": { - "type": "string", - "format": "date-time", - "title": "Created", - "description": "The date and time (timestamp) when the evidence was created." - }, - "expires": { - "type": "string", - "format": "date-time", - "title": "Expires", - "description": "The date and time (timestamp) when the evidence is no longer valid." + "acknowledgement": { + "$ref": "#/$defs/cyclonedx-license-2.0/$defs/licenseAcknowledgementEnumeration" }, - "author": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/organizationalContact", - "title": "Author", - "description": "The author of the evidence." + "bom-ref": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType", + "title": "BOM Reference", + "description": "An identifier which can be used to reference the license elsewhere in the BOM. Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links." }, - "reviewer": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/organizationalContact", - "title": "Reviewer", - "description": "The reviewer of the evidence." 
+ "licensing": { + "$ref": "#/$defs/cyclonedx-license-2.0/$defs/licensing" }, - "signature": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/signature", - "title": "Signature", - "description": "Enveloped signature in [JSON Signature Format (JSF)](https://cyberphone.github.io/doc/security/jsf.html)." + "properties": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/properties" } } } + ] + } + }, + "license": { + "type": "object", + "title": "License", + "description": "Specifies the details and attributes related to a software license. It can either include a valid SPDX license identifier or a named license, along with additional properties such as license acknowledgment, comprehensive commercial licensing information, and the full text of the license.", + "oneOf": [ + { + "required": [ + "id" + ] + }, + { + "required": [ + "name" + ] + } + ], + "additionalProperties": false, + "properties": { + "bom-ref": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType", + "title": "BOM Reference", + "description": "An identifier which can be used to reference the license elsewhere in the BOM. Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links." + }, + "id": { + "$ref": "../spdx.schema.json", + "title": "License ID (SPDX)", + "description": "A valid SPDX license identifier. If specified, this value must be one of the enumeration of valid SPDX license identifiers defined in the spdx.schema.json (or spdx.xml) subschema which is synchronized with the official SPDX license list.", + "examples": [ + "Apache-2.0" + ] + }, + "name": { + "type": "string", + "title": "License Name", + "description": "The name of the license. 
This may include the name of a commercial or proprietary license or an open source license that may not be defined by SPDX.", + "examples": [ + "Acme Software License" + ] + }, + "acknowledgement": { + "$ref": "#/$defs/cyclonedx-license-2.0/$defs/licenseAcknowledgementEnumeration" + }, + "text": { + "title": "License text", + "description": "A way to include the textual content of a license.", + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/attachment" + }, + "url": { + "type": "string", + "title": "License URL", + "description": "The URL to the license file. If specified, a 'license' externalReference should also be specified for completeness", + "examples": [ + "https://www.apache.org/licenses/LICENSE-2.0.txt" + ], + "format": "iri-reference" + }, + "licensing": { + "$ref": "#/$defs/cyclonedx-license-2.0/$defs/licensing" + }, + "properties": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/properties" + } + } + }, + "licenseAcknowledgementEnumeration": { + "title": "License Acknowledgement", + "description": "Declared licenses and concluded licenses represent two different stages in the licensing process within software development. Declared licenses refer to the initial intention of the software authors regarding the licensing terms under which their code is released. On the other hand, concluded licenses are the result of a comprehensive analysis of the project's codebase to identify and confirm the actual licenses of the components used, which may differ from the initially declared licenses. While declared licenses provide an upfront indication of the licensing intentions, concluded licenses offer a more thorough understanding of the actual licensing within a project, facilitating proper compliance and risk management. Observed licenses are defined in `@.evidence.licenses`. 
Observed licenses form the evidence necessary to substantiate a concluded license.", + "type": "string", + "enum": [ + "declared", + "concluded" + ], + "meta:enum": { + "declared": "Declared licenses represent the initial intentions of authors regarding the licensing terms of their code.", + "concluded": "Concluded licenses are verified and confirmed." + } + }, + "licensing": { + "type": "object", + "title": "Licensing information", + "description": "Licensing details describing the licensor/licensee, license type, renewal and expiration dates, and other important metadata", + "additionalProperties": false, + "properties": { + "altIds": { + "type": "array", + "title": "Alternate License Identifiers", + "description": "License identifiers that may be used to manage licenses and their lifecycle", + "items": { + "type": "string" + } }, - "targets": { + "licensor": { + "title": "Licensor", + "description": "The individual or organization that grants a license to another individual or organization", "type": "object", - "title": "Targets", - "description": "The list of targets which claims are made against.", "additionalProperties": false, "properties": { - "organizations": { - "type": "array", - "title": "Organizations", - "description": "The list of organizations which claims are made against.", - "items": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity" - } + "organization": { + "title": "Licensor (Organization)", + "description": "The organization that granted the license", + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity" }, - "components": { - "type": "array", - "title": "Components", - "description": "The list of components which claims are made against.", - "items": { - "$ref": "#/$defs/cyclonedx-component-2.0/$defs/component" - } + "individual": { + "title": "Licensor (Individual)", + "description": "The individual, not associated with an organization, that granted the license", + "$ref": 
"#/$defs/cyclonedx-common-2.0/$defs/organizationalContact" + } + }, + "oneOf": [ + { + "required": [ + "organization" + ] }, - "services": { - "type": "array", - "title": "Services", - "description": "The list of services which claims are made against.", - "items": { - "$ref": "#/$defs/cyclonedx-service-2.0/$defs/service" - } + { + "required": [ + "individual" + ] } - } + ] }, - "affirmation": { + "licensee": { + "title": "Licensee", + "description": "The individual or organization for which a license was granted to", "type": "object", - "title": "Affirmation", - "description": "A concise statement affirmed by an individual regarding all declarations, often used for third-party auditor acceptance or recipient acknowledgment. It includes a list of authorized signatories who assert the validity of the document on behalf of the organization.", "additionalProperties": false, "properties": { - "statement": { - "type": "string", - "title": "Statement", - "description": "The brief statement affirmed by an individual regarding all declarations.\n*- Notes This could be an affirmation of acceptance by a third-party auditor or receiving individual of a file.", - "examples": [ - "I certify, to the best of my knowledge, that all information is correct." 
+ "organization": { + "title": "Licensee (Organization)", + "description": "The organization that was granted the license", + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity" + }, + "individual": { + "title": "Licensee (Individual)", + "description": "The individual, not associated with an organization, that was granted the license", + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/organizationalContact" + } + }, + "oneOf": [ + { + "required": [ + "organization" ] }, - "signatories": { - "type": "array", - "title": "Signatories", - "description": "The list of signatories authorized on behalf of an organization to assert validity of this document.", - "items": { - "type": "object", - "title": "Signatory", - "additionalProperties": false, - "oneOf": [ - { - "required": [ - "signature" - ] - }, - { - "required": [ - "externalReference", - "organization" - ] - } - ], - "properties": { - "name": { - "type": "string", - "title": "Name", - "description": "The signatory's name." - }, - "role": { - "type": "string", - "title": "Role", - "description": "The signatory's role within an organization." - }, - "signature": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/signature", - "title": "Signature", - "description": "Enveloped signature in [JSON Signature Format (JSF)](https://cyberphone.github.io/doc/security/jsf.html)." - }, - "organization": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity", - "title": "Organization", - "description": "The signatory's organization." 
- }, - "externalReference": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/externalReference" - } - } - } + { + "required": [ + "individual" + ] + } + ] + }, + "purchaser": { + "title": "Purchaser", + "description": "The individual or organization that purchased the license", + "type": "object", + "additionalProperties": false, + "properties": { + "organization": { + "title": "Purchaser (Organization)", + "description": "The organization that purchased the license", + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity" }, - "signature": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/signature", - "title": "Signature", - "description": "Enveloped signature in [JSON Signature Format (JSF)](https://cyberphone.github.io/doc/security/jsf.html)." + "individual": { + "title": "Purchaser (Individual)", + "description": "The individual, not associated with an organization, that purchased the license", + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/organizationalContact" + } + }, + "oneOf": [ + { + "required": [ + "organization" + ] + }, + { + "required": [ + "individual" + ] + } + ] + }, + "purchaseOrder": { + "type": "string", + "title": "Purchase Order", + "description": "The purchase order identifier the purchaser sent to a supplier or vendor to authorize a purchase" + }, + "licenseTypes": { + "type": "array", + "title": "License Type", + "description": "The type of license(s) that was granted to the licensee.", + "items": { + "type": "string", + "enum": [ + "academic", + "appliance", + "client-access", + "concurrent-user", + "core-points", + "custom-metric", + "device", + "evaluation", + "named-user", + "node-locked", + "oem", + "perpetual", + "processor-points", + "subscription", + "user", + "other" + ], + "meta:enum": { + "academic": "A license that grants use of software solely for the purpose of education or research.", + "appliance": "A license covering use of software embedded in a specific piece of hardware.", + "client-access": "A Client Access 
License (CAL) allows client computers to access services provided by server software.", + "concurrent-user": "A Concurrent User license (aka floating license) limits the number of licenses for a software application and licenses are shared among a larger number of users.", + "core-points": "A license where the core of a computer's processor is assigned a specific number of points.", + "custom-metric": "A license for which consumption is measured by non-standard metrics.", + "device": "A license that covers a defined number of installations on computers and other types of devices.", + "evaluation": "A license that grants permission to install and use software for trial purposes.", + "named-user": "A license that grants access to the software to one or more pre-defined users.", + "node-locked": "A license that grants access to the software on one or more pre-defined computers or devices.", + "oem": "An Original Equipment Manufacturer license that is delivered with hardware, cannot be transferred to other hardware, and is valid for the life of the hardware.", + "perpetual": "A license where the software is sold on a one-time basis and the licensee can use a copy of the software indefinitely.", + "processor-points": "A license where each installation consumes points per processor.", + "subscription": "A license where the licensee pays a fee to use the software or service.", + "user": "A license that grants access to the software or service by a specified number of users.", + "other": "Another license type." } } }, - "signature": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/signature", - "title": "Signature", - "description": "Enveloped signature in [JSON Signature Format (JSF)](https://cyberphone.github.io/doc/security/jsf.html)." + "lastRenewal": { + "type": "string", + "format": "date-time", + "title": "Last Renewal", + "description": "The timestamp indicating when the license was last renewed. For new purchases, this is often the purchase or acquisition date. 
For non-perpetual licenses or subscriptions, this is the timestamp of when the license was last renewed." + }, + "expiration": { + "type": "string", + "format": "date-time", + "title": "Expiration", + "description": "The timestamp indicating when the current license expires (if applicable)." } } } } }, - "cyclonedx-definition-2.0": { + "cyclonedx-metadata-2.0": { "type": "null", - "title": "CycloneDX Definition Model", + "title": "CycloneDX Metadata Model", "$defs": { - "definitions": { + "metadata": { "type": "object", - "title": "Definitions", - "description": "A collection of reusable objects that are defined and may be used elsewhere in the BOM.", + "title": "BOM Metadata", + "description": "Provides additional information about a BOM.", "additionalProperties": false, "properties": { - "standards": { - "$ref": "#/$defs/cyclonedx-standard-2.0/$defs/standards" + "timestamp": { + "type": "string", + "format": "date-time", + "title": "Timestamp", + "description": "The date and time (timestamp) when the BOM was created." }, - "patents": { - "$ref": "#/$defs/cyclonedx-patent-2.0/$defs/patents" + "lifecycles": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/lifecycles" + }, + "tools": { + "type": "object", + "title": "Tools", + "description": "The tool(s) used in the creation, enrichment, and validation of the BOM.", + "additionalProperties": false, + "properties": { + "components": { + "$ref": "#/$defs/cyclonedx-component-2.0/$defs/components", + "description": "A list of software and hardware components used as tools." + }, + "services": { + "$ref": "#/$defs/cyclonedx-service-2.0/$defs/services", + "description": "A list of services used as tools. This may include microservices, function-as-a-service, and other types of network or intra-process services." + } + } + }, + "manufacturer": { + "title": "BOM Manufacturer", + "description": "The organization that created the BOM.\nManufacturer is common in BOMs created through automated processes. 
BOMs created through manual means may have `@.authors` instead.", + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity" + }, + "authors": { + "type": "array", + "title": "BOM Authors", + "description": "The person(s) who created the BOM.\nAuthors are common in BOMs created through manual processes. BOMs created through automated means may have `@.manufacturer` instead.", + "items": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/organizationalContact" + } + }, + "component": { + "description": "The component that the BOM describes.", + "$ref": "#/$defs/cyclonedx-component-2.0/$defs/component" + }, + "supplier": { + "title": "Supplier", + "description": " The organization that supplied the component that the BOM describes. The supplier may often be the manufacturer, but may also be a distributor or repackager.", + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity" + }, + "licenses": { + "title": "BOM License(s)", + "description": "The license information for the BOM document.\nThis may be different from the license(s) of the component(s) that the BOM describes.", + "$ref": "#/$defs/cyclonedx-license-2.0/$defs/licenseChoice" + }, + "distributionConstraints": { + "$ref": "#/$defs/cyclonedx-metadata-2.0/$defs/distributionConstraints" + }, + "properties": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/properties" } } - } - } - }, - "cyclonedx-dependency-2.0": { - "type": "null", - "title": "CycloneDX Dependency Model", - "$defs": { - "dependencies": { - "type": "array", - "items": { - "$ref": "#/$defs/cyclonedx-dependency-2.0/$defs/dependency" - }, - "uniqueItems": true, - "title": "Dependencies", - "description": "Provides the ability to document dependency relationships including provided & implemented components." 
}, - "dependency": { + "distributionConstraints": { + "title": "Distribution Constraints", + "description": "Conditions and constraints governing the sharing and distribution of the data or components described by this BOM.", "type": "object", - "title": "Dependency", - "description": "Defines the direct dependencies of a component, service, or the components provided/implemented by a given component. Components or services that do not have their own dependencies must be declared as empty elements within the graph. Components or services that are not represented in the dependency graph may have unknown dependencies. It is recommended that implementations assume this to be opaque and not an indicator of an object being dependency-free. It is recommended to leverage compositions to indicate unknown dependency graphs.", - "required": [ - "ref" - ], - "additionalProperties": false, "properties": { - "ref": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType", - "title": "Reference", - "description": "References a component or service by its bom-ref attribute" - }, - "dependsOn": { - "type": "array", - "uniqueItems": true, - "items": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType" - }, - "title": "Depends On", - "description": "The bom-ref identifiers of the components or services that are dependencies of this dependency object." - }, - "provides": { - "type": "array", - "uniqueItems": true, - "items": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType" - }, - "title": "Provides", - "description": "The bom-ref identifiers of the components or services that define a given specification or standard, which are provided or implemented by this dependency object.\nFor example, a cryptographic library which implements a cryptographic algorithm. A component which implements another component does not imply that the implementation is in use." 
+ "tlp": { + "$ref": "#/$defs/cyclonedx-metadata-2.0/$defs/tlpClassification", + "description": "The Traffic Light Protocol (TLP) classification that controls the sharing and distribution of the data that the BOM describes." } } + }, + "tlpClassification": { + "title": "Traffic Light Protocol (TLP) Classification", + "description": "Traffic Light Protocol (TLP) is a classification system for identifying the potential risk associated with artefact, including whether it is subject to certain types of legal, financial, or technical threats. Refer to [https://www.first.org/tlp/](https://www.first.org/tlp/) for further information.\nThe default classification is \"CLEAR\"", + "type": "string", + "default": "CLEAR", + "enum": [ + "CLEAR", + "GREEN", + "AMBER", + "AMBER_AND_STRICT", + "RED" + ], + "meta:enum": { + "CLEAR": "The information is not subject to any restrictions as regards the sharing.", + "GREEN": "The information is subject to limited disclosure, and recipients can share it within their community but not via publicly accessible channels.", + "AMBER": "The information is subject to limited disclosure, and recipients can only share it on a need-to-know basis within their organization and with clients.", + "AMBER_AND_STRICT": "The information is subject to limited disclosure, and recipients can only share it on a need-to-know basis within their organization.", + "RED": "The information is subject to restricted distribution to individual recipients only and must not be shared." 
+ } } } }, - "cyclonedx-formulation-2.0": { + "cyclonedx-patent-2.0": { "type": "null", - "title": "CycloneDX Formulation Model", + "title": "CycloneDX Patent Model", "$defs": { - "formulation": { + "patents": { "type": "array", + "title": "Patents", + "description": "The list of either individual patents or patent families.", "items": { - "$ref": "#/$defs/cyclonedx-formulation-2.0/$defs/formula" - }, - "uniqueItems": true, - "title": "Formulation", - "description": "Describes the formulation of any referencable object within the BOM, including components, services, metadata, declarations, or the BOM itself. This may encompass how the object was created, assembled, deployed, tested, certified, or otherwise brought into its present form. Common examples include software build pipelines, deployment processes, AI/ML model training, cryptographic key generation or certification, and third-party audits. Processes are modeled using declared and observed formulas, composed of workflows, tasks, and individual steps." + "anyOf": [ + { + "$ref": "#/$defs/cyclonedx-patent-2.0/$defs/patent" + }, + { + "$ref": "#/$defs/cyclonedx-patent-2.0/$defs/patentFamily" + } + ] + } }, - "formula": { - "title": "Formula", - "description": "Describes workflows and resources that captures rules and other aspects of how the associated BOM component or service was formed.", + "patent": { "type": "object", + "title": "Patent", + "description": "A patent is a legal instrument, granted by an authority, that confers certain rights over an invention for a specified period, contingent on public disclosure and adherence to relevant legal requirements. 
The summary information in this object is aligned with [WIPO ST.96](https://www.wipo.int/standards/en/st96/) principles where applicable.", + "required": [ + "patentNumber", + "jurisdiction", + "patentLegalStatus" + ], "additionalProperties": false, "properties": { "bom-ref": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType", "title": "BOM Reference", - "description": "An identifier which can be used to reference the formula elsewhere in the BOM. Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links.", - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType" + "description": "An identifier which can be used to reference the object elsewhere in the BOM. Every `bom-ref` must be unique within the BOM." }, - "components": { - "title": "Components", - "description": "Transient components that are used in tasks that constitute one or more of this formula's workflows", - "type": "array", - "items": { - "$ref": "#/$defs/cyclonedx-component-2.0/$defs/component" - }, - "uniqueItems": true + "patentNumber": { + "type": "string", + "pattern": "^[A-Za-z0-9][A-Za-z0-9\\-/.()\\s]{0,28}[A-Za-z0-9]$", + "title": "Patent Number", + "description": "The unique number assigned to the granted patent by the issuing authority. Aligned with `PatentNumber` in WIPO ST.96. 
Refer to [PatentNumber in ST.96](https://www.wipo.int/standards/XMLSchema/ST96/V8_0/Patent/PatentNumber.xsd).", + "examples": [ + "US987654321", + "EP1234567B1" + ] }, - "services": { - "title": "Services", - "description": "Transient services that are used in tasks that constitute one or more of this formula's workflows", - "type": "array", - "items": { - "$ref": "#/$defs/cyclonedx-service-2.0/$defs/service" - }, - "uniqueItems": true + "applicationNumber": { + "$ref": "#/$defs/cyclonedx-patent-2.0/$defs/patentApplicationNumber" + }, + "jurisdiction": { + "$ref": "#/$defs/cyclonedx-patent-2.0/$defs/patentJurisdiction" + }, + "priorityApplication": { + "$ref": "#/$defs/cyclonedx-patent-2.0/$defs/priorityApplication" + }, + "publicationNumber": { + "type": "string", + "pattern": "^[A-Za-z0-9][A-Za-z0-9\\-/.()\\s]{0,28}[A-Za-z0-9]$", + "title": "Patent Publication Number", + "description": "This is the number assigned to a patent application once it is published. Patent applications are generally published 18 months after filing (unless an applicant requests non-publication). This number is distinct from the application number. \n\nPurpose: Identifies the publicly available version of the application. \n\nFormat: Varies by jurisdiction, often similar to application numbers but includes an additional suffix indicating publication. \n\nExample:\n - US: US20240000123A1 (indicates the first publication of application US20240000123) \n - Europe: EP23123456A1 (first publication of European application EP23123456). \n\nWIPO ST.96 v8.0: \n - Publication Number field: https://www.wipo.int/standards/XMLSchema/ST96/V8_0/Patent/PublicationNumber.xsd" + }, + "title": { + "type": "string", + "title": "Patent Title", + "description": "The title of the patent, summarising the invention it protects. Aligned with `InventionTitle` in WIPO ST.96. Refer to [InventionTitle in ST.96](https://www.wipo.int/standards/XMLSchema/ST96/V8_0/Patent/InventionTitle.xsd)." 
+ }, + "abstract": { + "type": "string", + "title": "Patent Abstract", + "description": "A brief summary of the invention described in the patent. Aligned with `Abstract` and `P` in WIPO ST.96. Refer to [Abstract in ST.96](https://www.wipo.int/standards/XMLSchema/ST96/V8_0/Patent/Abstract.xsd)." + }, + "filingDate": { + "type": "string", + "format": "date", + "title": "Filing Date", + "description": "The date the patent application was filed with the jurisdiction. Aligned with `FilingDate` in WIPO ST.96. Refer to [FilingDate in ST.96](https://www.wipo.int/standards/XMLSchema/ST96/V8_0/Patent/FilingDate.xsd)." + }, + "grantDate": { + "type": "string", + "format": "date", + "title": "Grant Date", + "description": "The date the patent was granted by the jurisdiction. Aligned with `GrantDate` in WIPO ST.96. Refer to [GrantDate in ST.96](https://www.wipo.int/standards/XMLSchema/ST96/V8_0/Patent/GrantDate.xsd)." + }, + "patentExpirationDate": { + "type": "string", + "format": "date", + "title": "Expiration Date", + "description": "The date the patent expires. Derived from grant or filing date according to jurisdiction-specific rules." }, - "workflows": { - "title": "Workflows", - "description": "List of workflows that can be declared to accomplish specific orchestrated goals and independently triggered.", - "$comment": "Different workflows can be designed to work together to perform end-to-end CI/CD builds and deployments.", + "patentLegalStatus": { + "type": "string", + "title": "Legal Status", + "description": "Indicates the current legal status of the patent or patent application, based on the WIPO ST.27 standard. This status reflects administrative, procedural, or legal events. 
Values include both active and inactive states and are useful for determining enforceability, procedural history, and maintenance status.", + "enum": [ + "pending", + "granted", + "revoked", + "expired", + "lapsed", + "withdrawn", + "abandoned", + "suspended", + "reinstated", + "opposed", + "terminated", + "invalidated", + "in-force" + ], + "meta:enum": { + "pending": "The patent application has been filed but not yet examined or granted.", + "granted": "The patent application has been examined and a patent has been issued.", + "revoked": "The patent has been declared invalid through a legal or administrative process.", + "expired": "The patent has reached the end of its enforceable term.", + "lapsed": "The patent is no longer in force due to non-payment of maintenance fees or other requirements.", + "withdrawn": "The patent application was voluntarily withdrawn by the applicant.", + "abandoned": "The patent application was abandoned, often due to lack of action or response.", + "suspended": "Processing of the patent application has been temporarily halted.", + "reinstated": "A previously abandoned or lapsed patent has been reinstated.", + "opposed": "The patent application or granted patent is under formal opposition proceedings.", + "terminated": "The patent or application has been officially terminated.", + "invalidated": "The patent has been invalidated, either in part or in full.", + "in-force": "The granted patent is active and enforceable." + } + }, + "patentAssignee": { "type": "array", + "title": "Patent Assignees", + "description": "A collection of organisations or individuals to whom the patent rights are assigned. 
This supports joint ownership and allows for flexible representation of both corporate entities and individual inventors.", "items": { - "$ref": "#/$defs/cyclonedx-formulation-2.0/$defs/workflow" - }, - "uniqueItems": true + "oneOf": [ + { + "title": "Person", + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/organizationalContact" + }, + { + "title": "Organizational Entity", + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity" + } + ] + } }, - "properties": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/properties" + "externalReferences": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/externalReferences" } } }, - "workflow": { - "title": "Workflow", - "description": "A specialized orchestration task.", - "$comment": "Workflow are as task themselves and can trigger other workflow tasks. These relationships can be modeled in the taskDependencies graph.", + "patentFamily": { "type": "object", + "title": "Patent Family", + "description": "A patent family is a group of related patent applications or granted patents that cover the same or similar invention. These patents are filed in multiple jurisdictions to protect the invention across different regions or countries. A patent family typically includes patents that share a common priority date, originating from the same initial application, and may vary slightly in scope or claims to comply with regional legal frameworks. Fields align with WIPO ST.96 standards where applicable.", "required": [ - "bom-ref", - "uid", - "taskTypes" + "familyId" ], "additionalProperties": false, "properties": { "bom-ref": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType", "title": "BOM Reference", - "description": "An identifier which can be used to reference the workflow elsewhere in the BOM. 
Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links.", - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType" - }, - "uid": { - "title": "Unique Identifier (UID)", - "description": "The unique identifier for the resource instance within its deployment context.", - "type": "string" - }, - "name": { - "title": "Name", - "description": "The name of the resource instance.", - "type": "string" - }, - "description": { - "title": "Description", - "description": "A description of the resource instance.", - "type": "string" - }, - "resourceReferences": { - "title": "Resource references", - "description": "References to component or service resources that are used to realize the resource instance.", - "type": "array", - "uniqueItems": true, - "items": { - "$ref": "#/$defs/cyclonedx-formulation-2.0/$defs/resourceReferenceChoice" - } + "description": "An identifier which can be used to reference the object elsewhere in the BOM. Every `bom-ref` must be unique within the BOM. \n\nFor a patent, it might be a good idea to use a patent number as the BOM reference ID." }, - "tasks": { - "title": "Tasks", - "description": "The tasks that comprise the workflow.", - "$comment": "Note that tasks can appear more than once as different instances (by name or UID).", - "type": "array", - "uniqueItems": true, - "items": { - "$ref": "#/$defs/cyclonedx-formulation-2.0/$defs/task" - } + "familyId": { + "type": "string", + "title": "Patent Family ID", + "description": "The unique identifier for the patent family, aligned with the `id` attribute in WIPO ST.96 v8.0's `PatentFamilyType`. Refer to [PatentFamilyType in ST.96](https://www.wipo.int/standards/XMLSchema/ST96/V8_0/Patent/PatentFamilyType.xsd)." 
}, - "taskDependencies": { - "title": "Task dependency graph", - "description": "The graph of dependencies between tasks within the workflow.", - "type": "array", - "uniqueItems": true, - "items": { - "$ref": "#/$defs/cyclonedx-dependency-2.0/$defs/dependency" - } + "priorityApplication": { + "$ref": "#/$defs/cyclonedx-patent-2.0/$defs/priorityApplication" }, - "taskTypes": { - "title": "Task types", - "description": "Indicates the types of activities performed by the set of workflow tasks.", - "$comment": "Currently, these types reflect common CI/CD actions.", + "members": { "type": "array", + "title": "Family Members", + "description": "A collection of patents or applications that belong to this family, each identified by a `bom-ref` pointing to a patent object defined elsewhere in the BOM.", "items": { - "$ref": "#/$defs/cyclonedx-formulation-2.0/$defs/taskType" + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType", + "title": "BOM Reference", + "description": "A `bom-ref` linking to a patent or application object within the BOM." } }, - "trigger": { - "title": "Trigger", - "description": "The trigger that initiated the task.", - "$ref": "#/$defs/cyclonedx-formulation-2.0/$defs/trigger" - }, - "steps": { - "title": "Steps", - "description": "The sequence of steps for the task.", - "type": "array", - "items": { - "$ref": "#/$defs/cyclonedx-formulation-2.0/$defs/step" + "externalReferences": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/externalReferences" + } + } + }, + "patentAssertions": { + "type": "array", + "title": "Patent Assertions", + "description": "A list of assertions made regarding patents associated with this component or service. 
Assertions distinguish between ownership, licensing, and other relevant interactions with patents.", + "items": { + "type": "object", + "title": "Patent Assertion", + "description": "An assertion linking a patent or patent family to this component or service.", + "required": [ + "assertionType", + "asserter" + ], + "additionalProperties": false, + "properties": { + "bom-ref": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType", + "title": "BOM Reference", + "description": "A reference to the patent or patent family object within the BOM. This must match the `bom-ref` of a `patent` or `patentFamily` object." }, - "uniqueItems": true - }, - "inputs": { - "title": "Inputs", - "description": "Represents resources and data brought into a task at runtime by executor or task commands", - "examples": [ - "a `configuration` file which was declared as a local `component` or `externalReference`" - ], - "type": "array", - "items": { - "$ref": "#/$defs/cyclonedx-formulation-2.0/$defs/inputType" + "assertionType": { + "type": "string", + "title": "Assertion Type", + "description": "The type of assertion being made about the patent or patent family. 
Examples include ownership, licensing, and standards inclusion.", + "enum": [ + "ownership", + "license", + "third-party-claim", + "standards-inclusion", + "prior-art", + "exclusive-rights", + "non-assertion", + "research-or-evaluation" + ], + "meta:enum": { + "ownership": "The manufacturer asserts ownership of the patent or patent family.", + "license": "The manufacturer asserts they have a license to use the patent or patent family.", + "third-party-claim": "A third party has asserted a claim or potential infringement against the manufacturer’s component or service.", + "standards-inclusion": "The patent is part of a standard essential patent (SEP) portfolio relevant to the component or service.", + "prior-art": "The manufacturer asserts the patent or patent family as prior art that invalidates another patent or claim.", + "exclusive-rights": "The manufacturer asserts exclusive rights granted through a licensing agreement.", + "non-assertion": "The manufacturer asserts they will not enforce the patent or patent family against certain uses or users.", + "research-or-evaluation": "The patent or patent family is being used under a research or evaluation license." 
+ } }, - "uniqueItems": true - }, - "outputs": { - "title": "Outputs", - "description": "Represents resources and data output from a task at runtime by executor or task commands", - "examples": [ - "a log file or metrics data produced by the task" - ], - "type": "array", - "items": { - "$ref": "#/$defs/cyclonedx-formulation-2.0/$defs/outputType" + "patentRefs": { + "type": "array", + "title": "Patent References", + "description": "A list of BOM references (`bom-ref`) linking to patents or patent families associated with this assertion.", + "items": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType" + } }, - "uniqueItems": true - }, - "timeStart": { - "title": "Time start", - "description": "The date and time (timestamp) when the task started.", - "type": "string", - "format": "date-time" - }, - "timeEnd": { - "title": "Time end", - "description": "The date and time (timestamp) when the task ended.", - "type": "string", - "format": "date-time" - }, - "workspaces": { - "title": "Workspaces", - "description": "A set of named filesystem or data resource shareable by workflow tasks.", - "type": "array", - "uniqueItems": true, - "items": { - "$ref": "#/$defs/cyclonedx-formulation-2.0/$defs/workspace" - } - }, - "runtimeTopology": { - "title": "Runtime topology", - "description": "A graph of the component runtime topology for workflow's instance.", - "$comment": "A description of the runtime component and service topology. 
This can describe a partial or complete topology used to host and execute the task (e.g., hardware, operating systems, configurations, etc.),", - "type": "array", - "uniqueItems": true, - "items": { - "$ref": "#/$defs/cyclonedx-dependency-2.0/$defs/dependency" + "asserter": { + "oneOf": [ + { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity", + "title": "Organizational Entity" + }, + { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/organizationalContact", + "title": "Person" + }, + { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType", + "title": "Reference", + "description": "A reference to a previously defined `organizationalContact` or `organizationalEntity` object in the BOM. The value must be a valid `bom-ref` pointing to one of these objects." + } + ] + }, + "notes": { + "type": "string", + "title": "Notes", + "description": "Additional notes or clarifications regarding the assertion, if necessary. For example, geographical restrictions, duration, or limitations of a license." } - }, - "properties": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/properties" } } }, - "task": { - "title": "Task", - "description": "Describes the inputs, sequence of steps and resources used to accomplish a task and its output.", - "$comment": "Tasks are building blocks for constructing assemble CI/CD workflows or pipelines.", + "patentApplicationNumber": { + "type": "string", + "pattern": "^[A-Za-z0-9][A-Za-z0-9\\-/.()\\s]{0,28}[A-Za-z0-9]$", + "title": "Patent Application Number", + "description": "The unique number assigned to a patent application when it is filed with a patent office. It is used to identify the specific application and track its progress through the examination process. Aligned with `ApplicationNumber` in ST.96. 
Refer to [ApplicationIdentificationType in ST.96](https://www.wipo.int/standards/XMLSchema/ST96/V8_0/Patent/ApplicationIdentificationType.xsd).", + "examples": [ + "US20240000123", + "EP23123456" + ] + }, + "patentJurisdiction": { + "type": "string", + "title": "Jurisdiction", + "description": "The jurisdiction or patent office where the priority application was filed, specified using WIPO ST.3 codes. Aligned with `IPOfficeCode` in ST.96. Refer to [IPOfficeCode in ST.96](https://www.wipo.int/standards/XMLSchema/ST96/V8_0/Common/IPOfficeCode.xsd).", + "pattern": "^[A-Z]{2}$", + "examples": [ + "US", + "EP", + "JP" + ] + }, + "patentFilingDate": { + "type": "string", + "format": "date", + "title": "Filing Date", + "description": "The date the priority application was filed, aligned with `FilingDate` in ST.96. Refer to [FilingDate in ST.96](https://www.wipo.int/standards/XMLSchema/ST96/V8_0/Patent/FilingDate.xsd)." + }, + "priorityApplication": { "type": "object", + "title": "Priority Application", + "description": "The priorityApplication contains the essential data necessary to identify and reference an earlier patent filing for priority rights. In line with WIPO ST.96 guidelines, it includes the jurisdiction (office code), application number, and filing date-the three key elements that uniquely specify the priority application in a global patent context.", "required": [ - "bom-ref", - "uid", - "taskTypes" + "applicationNumber", + "jurisdiction", + "filingDate" ], "additionalProperties": false, "properties": { - "bom-ref": { - "title": "BOM Reference", - "description": "An identifier which can be used to reference the task elsewhere in the BOM. 
Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links.", - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType" - }, - "uid": { - "title": "Unique Identifier (UID)", - "description": "The unique identifier for the resource instance within its deployment context.", - "type": "string" + "applicationNumber": { + "$ref": "#/$defs/cyclonedx-patent-2.0/$defs/patentApplicationNumber" }, - "name": { - "title": "Name", - "description": "The name of the resource instance.", - "type": "string" + "jurisdiction": { + "$ref": "#/$defs/cyclonedx-patent-2.0/$defs/patentJurisdiction" }, - "description": { - "title": "Description", - "description": "A description of the resource instance.", - "type": "string" + "filingDate": { + "$ref": "#/$defs/cyclonedx-patent-2.0/$defs/patentFilingDate" + } + } + } + } + }, + "cyclonedx-release-notes-2.0": { + "type": "null", + "title": "CycloneDX Release Notes Model", + "$defs": { + "releaseNotes": { + "type": "object", + "title": "Release notes", + "required": [ + "type" + ], + "additionalProperties": false, + "properties": { + "type": { + "$ref": "#/$defs/cyclonedx-release-notes-2.0/$defs/releaseType", + "title": "Type", + "description": "The software versioning type the release note describes." }, - "resourceReferences": { - "title": "Resource references", - "description": "References to component or service resources that are used to realize the resource instance.", - "type": "array", - "uniqueItems": true, - "items": { - "$ref": "#/$defs/cyclonedx-formulation-2.0/$defs/resourceReferenceChoice" - } + "title": { + "type": "string", + "title": "Title", + "description": "The title of the release." 
}, - "taskTypes": { - "title": "Task types", - "description": "Indicates the types of activities performed by the set of workflow tasks.", - "$comment": "Currently, these types reflect common CI/CD actions.", - "type": "array", - "items": { - "$ref": "#/$defs/cyclonedx-formulation-2.0/$defs/taskType" - } + "featuredImage": { + "type": "string", + "format": "iri-reference", + "title": "Featured image", + "description": "The URL to an image that may be prominently displayed with the release note." }, - "trigger": { - "title": "Trigger", - "description": "The trigger that initiated the task.", - "$ref": "#/$defs/cyclonedx-formulation-2.0/$defs/trigger" + "socialImage": { + "type": "string", + "format": "iri-reference", + "title": "Social image", + "description": "The URL to an image that may be used in messaging on social media platforms." }, - "steps": { - "title": "Steps", - "description": "The sequence of steps for the task.", - "type": "array", - "items": { - "$ref": "#/$defs/cyclonedx-formulation-2.0/$defs/step" - }, - "uniqueItems": true + "description": { + "type": "string", + "title": "Description", + "description": "A short description of the release." }, - "inputs": { - "title": "Inputs", - "description": "Represents resources and data brought into a task at runtime by executor or task commands", - "examples": [ - "a `configuration` file which was declared as a local `component` or `externalReference`" - ], - "type": "array", - "items": { - "$ref": "#/$defs/cyclonedx-formulation-2.0/$defs/inputType" - }, - "uniqueItems": true + "timestamp": { + "type": "string", + "format": "date-time", + "title": "Timestamp", + "description": "The date and time (timestamp) when the release note was created." 
}, - "outputs": { - "title": "Outputs", - "description": "Represents resources and data output from a task at runtime by executor or task commands", - "examples": [ - "a log file or metrics data produced by the task" - ], + "aliases": { "type": "array", "items": { - "$ref": "#/$defs/cyclonedx-formulation-2.0/$defs/outputType" + "type": "string" }, - "uniqueItems": true - }, - "timeStart": { - "title": "Time start", - "description": "The date and time (timestamp) when the task started.", - "type": "string", - "format": "date-time" + "title": "Aliases", + "description": "One or more alternate names the release may be referred to. This may include unofficial terms used by development and marketing teams (e.g. code names)." }, - "timeEnd": { - "title": "Time end", - "description": "The date and time (timestamp) when the task ended.", - "type": "string", - "format": "date-time" + "tags": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/tags", + "title": "Tags" }, - "workspaces": { - "title": "Workspaces", - "description": "A set of named filesystem or data resource shareable by workflow tasks.", + "resolves": { "type": "array", "items": { - "$ref": "#/$defs/cyclonedx-formulation-2.0/$defs/workspace" + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/issue" }, - "uniqueItems": true + "title": "Resolves", + "description": "A collection of issues that have been resolved." }, - "runtimeTopology": { - "title": "Runtime topology", - "description": "A graph of the component runtime topology for task's instance.", - "$comment": "A description of the runtime component and service topology. 
This can describe a partial or complete topology used to host and execute the task (e.g., hardware, operating systems, configurations, etc.),", + "notes": { "type": "array", "items": { - "$ref": "#/$defs/cyclonedx-dependency-2.0/$defs/dependency" + "$ref": "#/$defs/cyclonedx-release-notes-2.0/$defs/note" }, - "uniqueItems": true + "title": "Notes", + "description": "Zero or more release notes containing the locale and content. Multiple note objects may be specified to support release notes in a wide variety of languages." }, "properties": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/properties" - } - } - }, - "step": { - "type": "object", - "description": "Executes specific commands or tools in order to accomplish its owning task as part of a sequence.", - "additionalProperties": false, - "properties": { - "name": { - "title": "Name", - "description": "A name for the step.", - "type": "string" - }, - "description": { - "title": "Description", - "description": "A description of the step.", - "type": "string" - }, - "commands": { - "title": "Commands", - "description": "Ordered list of commands or directives for the step", "type": "array", + "title": "Properties", + "description": "Provides the ability to document properties in a name-value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. Unlike key-value stores, properties support duplicate names, each potentially having different values. Property names of interest to the general public are encouraged to be registered in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy). 
Formal registration is optional.", "items": { - "$ref": "#/$defs/cyclonedx-formulation-2.0/$defs/command" + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/property" } - }, - "properties": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/properties" } } }, - "command": { + "releaseType": { + "type": "string", + "examples": [ + "major", + "minor", + "patch", + "pre-release", + "internal" + ], + "description": "The software versioning type. It is recommended that the release type use one of 'major', 'minor', 'patch', 'pre-release', or 'internal'. Representing all possible software release types is not practical, so standardizing on the recommended values, whenever possible, is strongly encouraged.\n\n* __major__ = A major release may contain significant changes or may introduce breaking changes.\n* __minor__ = A minor release, also known as an update, may contain a smaller number of changes than major releases.\n* __patch__ = Patch releases are typically unplanned and may resolve defects or important security issues.\n* __pre-release__ = A pre-release may include alpha, beta, or release candidates and typically have limited support. They provide the ability to preview a release prior to its general availability.\n* __internal__ = Internal releases are not for public consumption and are intended to be used exclusively by the project or manufacturer that produced it." + }, + "note": { "type": "object", + "title": "Note", + "description": "A note containing the locale and content.", + "required": [ + "text" + ], "additionalProperties": false, "properties": { - "executed": { - "title": "Executed", - "description": "A text representation of the executed command.", - "type": "string" + "locale": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/locale", + "title": "Locale", + "description": "The ISO-639 (or higher) language code and optional ISO-3166 (or higher) country code. 
Examples include: \"en\", \"en-US\", \"fr\" and \"fr-CA\"" }, - "properties": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/properties" + "text": { + "title": "Release note content", + "description": "Specifies the full content of the release note.", + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/attachment" } } - }, - "workspace": { - "title": "Workspace", - "description": "A named filesystem or data resource shareable by workflow tasks.", + } + } + }, + "cyclonedx-requirement-2.0": { + "type": "null", + "title": "CycloneDX Engineering Requirement Model", + "$defs": { + "requirement": { "type": "object", - "required": [ - "bom-ref", - "uid" - ], + "title": "Requirement", + "description": "A requirement represents a specific need, constraint, or capability that must be met.", "additionalProperties": false, "properties": { "bom-ref": { - "title": "BOM Reference", - "description": "An identifier which can be used to reference the workspace elsewhere in the BOM. Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links.", "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType" }, - "uid": { - "title": "Unique Identifier (UID)", - "description": "The unique identifier for the resource instance within its deployment context.", - "type": "string" + "id": { + "type": "string", + "title": "Identifier", + "description": "A unique identifier for the requirement, often used in requirement management systems (e.g., REQ-001)." }, "name": { + "type": "string", "title": "Name", - "description": "The name of the resource instance.", - "type": "string" + "description": "A short name or title for the requirement." }, - "aliases": { - "title": "Aliases", - "description": "The names for the workspace as referenced by other workflow tasks. 
Effectively, a name mapping so other tasks can use their own local name in their steps.", + "description": { + "type": "string", + "title": "Description", + "description": "A detailed description of the requirement." + }, + "type": { + "type": "array", + "title": "Requirement Types", + "description": "The categories or classifications applicable to the requirement.", + "items": { + "$ref": "#/$defs/cyclonedx-requirement-2.0/$defs/requirementType" + }, + "uniqueItems": true + }, + "priority": { + "type": "string", + "title": "Priority", + "description": "The priority level of the requirement.", + "enum": [ + "critical", + "high", + "medium", + "low" + ] + }, + "status": { + "$ref": "#/$defs/cyclonedx-requirement-2.0/$defs/requirementStatus" + }, + "version": { + "type": "string", + "title": "Version", + "description": "The version of the requirement." + }, + "stakeholders": { "type": "array", + "title": "Stakeholders", + "description": "The individuals or groups who have an interest in the requirement.", "items": { "type": "string" } }, - "description": { - "title": "Description", - "description": "A description of the resource instance.", - "type": "string" + "acceptanceCriteria": { + "type": "array", + "title": "Acceptance Criteria", + "description": "Criteria that must be met for the requirement to be considered satisfied.", + "items": { + "$ref": "#/$defs/cyclonedx-requirement-2.0/$defs/acceptanceCriterion" + } }, - "resourceReferences": { - "title": "Resource references", - "description": "References to component or service resources that are used to realize the resource instance.", + "dependencies": { "type": "array", - "uniqueItems": true, + "title": "Dependencies", + "description": "Other requirements that this requirement depends on.", "items": { - "$ref": "#/$defs/cyclonedx-formulation-2.0/$defs/resourceReferenceChoice" + "$ref": "#/$defs/cyclonedx-requirement-2.0/$defs/dependency" } }, - "accessMode": { - "title": "Access mode", - "description": 
"Describes the read-write access control for the workspace relative to the owning resource instance.", + "parent": { "type": "string", - "enum": [ - "read-only", - "read-write", - "read-write-once", - "write-once", - "write-only" - ] + "title": "Parent BOM Reference", + "description": "The optional `bom-ref` to a parent requirement. This establishes a hierarchy of requirements." }, - "mountPath": { - "title": "Mount path", - "description": "A path to a location on disk where the workspace will be available to the associated task's steps.", - "type": "string" + "rationale": { + "type": "string", + "title": "Rationale", + "description": "The reasoning or justification for the requirement." }, - "managedDataType": { - "title": "Managed data type", - "description": "The name of a domain-specific data type the workspace represents.", - "$comment": "This property is for CI/CD frameworks that are able to provide access to structured, managed data at a more granular level than a filesystem.", - "examples": [ - "ConfigMap", - "Secret" - ], - "type": "string" + "fitCriterion": { + "type": "string", + "title": "Fit Criterion", + "description": "A measurable test that the solution must pass to be acceptable to the stakeholders." }, - "volumeRequest": { - "title": "Volume request", - "description": "Identifies the reference to the request for a specific volume type and parameters.", - "examples": [ - "a kubernetes Persistent Volume Claim (PVC) name" - ], - "type": "string" + "effort": { + "type": "string", + "title": "Effort Estimation", + "description": "An estimation of the effort required to implement the requirement." 
}, - "volume": { - "title": "Volume", - "description": "Information about the actual volume instance allocated to the workspace.", - "$comment": "The actual volume allocated may be different than the request.", - "examples": [ - "see https://kubernetes.io/docs/concepts/storage/persistent-volumes/" - ], - "$ref": "#/$defs/cyclonedx-formulation-2.0/$defs/volume" + "risk": { + "type": "string", + "title": "Risk", + "description": "The risk level associated with implementing or not implementing the requirement.", + "enum": [ + "critical", + "high", + "medium", + "low" + ] + }, + "attachments": { + "type": "array", + "title": "Attachments", + "description": "Files or documents attached to the requirement.", + "items": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/attachment" + } }, "properties": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/properties" + "type": "array", + "title": "Properties", + "description": "Provides the ability to document properties in a name-value store. This provides flexibility to include data not officially supported in the standard.", + "items": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/property" + } + }, + "externalReferences": { + "type": "array", + "title": "External References", + "description": "External references provide a way to document systems, sites, and information that may be relevant to the requirement.", + "items": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/externalReference" + } } } }, - "volume": { - "title": "Volume", - "description": "An identifiable, logical unit of data storage tied to a physical device.", + "requirementType": { + "type": "string", + "title": "Requirement Type", + "description": "The category or classification applicable to the requirement.", + "enum": [ + "accessibility", + "auditability", + "availability", + "business", + "compatibility", + "compliance", + "deployment", + "functional", + "interoperability", + "localization", + "maintainability", + "non-functional", + "other", + 
"performance", + "portability", + "privacy", + "regulatory", + "reliability", + "scalability", + "security", + "system", + "testability", + "usability", + "user" + ], + "meta:enum": { + "accessibility": "Requirements ensuring inclusive access for people with disabilities or impairments.", + "auditability": "Requirements defining the capability of a system to record activities for review and compliance purposes.", + "availability": "Requirements describing the uptime and operational availability of systems or services.", + "business": "Requirements derived from organizational goals, strategies, or business processes.", + "compatibility": "Requirements ensuring the software or system functions correctly with other systems or legacy components.", + "compliance": "Requirements ensuring adherence to internal policies, industry standards, or external agreements beyond regulatory mandates.", + "deployment": "Requirements related to deploying, configuring, and operating the system in production environments.", + "functional": "Requirements specifying the fundamental behaviors and capabilities of the system or application.", + "interoperability": "Requirements addressing the ability of the system to interact seamlessly with external systems or products.", + "localization": "Requirements specifying adaptations for specific languages, cultures, or regional needs.", + "maintainability": "Requirements aimed at ensuring the ease of performing maintenance, enhancements, or repairs.", + "non-functional": "Requirements that define constraints or qualities such as performance, usability, reliability, etc., rather than specific functionality.", + "other": "Requirements that do not clearly fit into other specified categories.", + "performance": "Requirements specifying response times, throughput, or other efficiency-related aspects.", + "portability": "Requirements enabling the system or components to be transferred easily across various environments or platforms.", + "privacy": 
"Requirements specifically addressing the handling and protection of personal and sensitive data.", + "regulatory": "Requirements necessary for legal compliance, dictated by laws, regulations, or standards.", + "reliability": "Requirements ensuring the system consistently performs under specified conditions and duration.", + "scalability": "Requirements focused on the ability of the system to grow and manage increased demand effectively.", + "security": "Requirements intended to protect systems, data, and users from malicious actions or threats.", + "system": "Technical requirements defining infrastructure, architecture, or underlying technologies.", + "testability": "Requirements ensuring the system can be effectively validated and tested.", + "usability": "Requirements addressing the ease of use, intuitiveness, and overall user experience.", + "user": "Requirements captured directly from user needs, tasks, and expectations." + } + }, + "requirementStatus": { + "type": "string", + "title": "Status", + "description": "The current status of the requirement in the development lifecycle.", + "enum": [ + "draft", + "proposed", + "approved", + "implemented", + "verified", + "deferred", + "rejected", + "replaced", + "obsolete" + ] + }, + "acceptanceCriterion": { "type": "object", + "title": "Acceptance Criterion", + "description": "A specific condition that must be met for the requirement to be considered satisfied.", "additionalProperties": false, "properties": { - "uid": { - "title": "Unique Identifier (UID)", - "description": "The unique identifier for the volume instance within its deployment context.", - "type": "string" + "id": { + "type": "string", + "title": "Identifier", + "description": "A unique identifier for the acceptance criterion." 
}, - "name": { - "title": "Name", - "description": "The name of the volume instance", - "type": "string" + "description": { + "type": "string", + "title": "Description", + "description": "A description of the acceptance criterion." }, - "mode": { - "title": "Mode", - "description": "The mode for the volume instance.", + "status": { "type": "string", + "title": "Status", + "description": "The current status of the acceptance criterion.", "enum": [ - "filesystem", - "block" - ], - "default": "filesystem" + "pending", + "passed", + "failed" + ] + } + } + }, + "dependency": { + "type": "object", + "title": "Dependency", + "description": "A dependency on another requirement.", + "additionalProperties": false, + "properties": { + "ref": { + "oneOf": [ + { + "title": "Ref", + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType" + }, + { + "title": "BOM-Link Element", + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/bomLinkElementType" + } + ] }, - "path": { - "title": "Path", - "description": "The underlying path created from the actual volume.", - "type": "string" + "type": { + "type": "string", + "title": "Dependency Type", + "description": "The type of dependency relationship.", + "enum": [ + "requires", + "conflicts-with", + "enhances", + "implements", + "other" + ] }, - "sizeAllocated": { - "title": "Size allocated", - "description": "The allocated size of the volume accessible to the associated workspace. This should include the scalar size as well as IEC standard unit in either decimal or binary form.", - "examples": [ - "10GB", - "2Ti", - "1Pi" + "description": { + "type": "string", + "title": "Description", + "description": "A description of the dependency relationship." 
+ } + } + } + } + }, + "cyclonedx-risk-2.0": { + "type": "null", + "title": "CycloneDX Risk Model", + "properties": { + "bom-ref": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType", + "description": "An optional identifier which can be used to reference the risk assessment elsewhere in the BOM" + }, + "domains": { + "type": "array", + "description": "Risk domains covered by this assessment", + "items": { + "$ref": "#/$defs/cyclonedx-risk-2.0/$defs/riskDomain" + } + }, + "scenarios": { + "type": "array", + "items": { + "$ref": "#/$defs/cyclonedx-risk-2.0/$defs/scenario" + }, + "description": "Risk scenarios identified" + }, + "mitigations": { + "type": "array", + "items": { + "$ref": "#/$defs/cyclonedx-risk-2.0/$defs/mitigation" + }, + "description": "Controls, countermeasures, or mitigations to address identified risks" + }, + "assessments": { + "type": "array", + "items": { + "$ref": "#/$defs/cyclonedx-risk-2.0/$defs/assessment" + }, + "description": "Risk assessments and evaluations" + }, + "properties": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/properties" + } + }, + "$defs": { + "riskDomain": { + "type": "object", + "required": [ + "type" + ], + "additionalProperties": false, + "properties": { + "type": { + "type": "string", + "enum": [ + "security", + "privacy", + "operational", + "financial", + "compliance", + "strategic", + "reputational", + "safety", + "environmental", + "supply_chain", + "technical", + "project" ], - "type": "string" - }, - "persistent": { - "title": "Persistent", - "description": "Indicates if the volume persists beyond the life of the resource it is associated with.", - "type": "boolean" + "meta:enum": { + "security": "Information security and cybersecurity risks", + "privacy": "Data protection and privacy risks", + "operational": "Business operations and continuity risks", + "financial": "Financial loss and economic impact risks", + "compliance": "Regulatory and legal compliance risks", + "strategic": "Strategic business 
and market risks", + "reputational": "Brand and reputation damage risks", + "safety": "Human safety and physical security risks", + "environmental": "Environmental impact and sustainability risks", + "supply_chain": "Supply chain and third-party risks", + "technical": "Technical and technology risks", + "project": "Project delivery and execution risks" + } }, - "remote": { - "title": "Remote", - "description": "Indicates if the volume is remotely (i.e., network) attached.", - "type": "boolean" + "priority": { + "$ref": "#/$defs/cyclonedx-risk-2.0/$defs/priority" }, - "properties": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/properties" + "description": { + "type": "string", + "description": "Additional context for this risk domain" } } }, - "trigger": { - "title": "Trigger", - "description": "Represents a resource that can conditionally activate (or fire) tasks based upon associated events and their data.", + "riskAttribute": { + "type": "string", + "description": "A classification of security and privacy attributes that represent potential impact areas when a risk is realized", + "enum": [ + "accountability", + "authentication", + "authorization", + "authenticity", + "availability", + "compliance", + "confidentiality", + "connectivity", + "control", + "data_subject_rights", + "integrity", + "minimisation", + "non-repudiation", + "possession", + "privacy", + "purpose_limitation", + "transparency", + "utility" + ], + "meta:enum": { + "accountability": "Assigning responsibility for actions and decisions to individuals or entities", + "authentication": "Verifying the identity of users, devices, or systems before granting access", + "authorization": "Granting permissions based on identity and roles to perform specific actions or access resources", + "authenticity": "Ensuring that data, communications, or entities are genuine and can be verified", + "availability": "Ensuring systems, data, and services are accessible and operational when needed", + "compliance": 
"Adherence to applicable laws, regulations, policies, and standards", + "confidentiality": "Preventing unauthorised access to or disclosure of information", + "connectivity": "Maintaining secure and reliable communication between systems or components", + "control": "Enabling individuals to manage how their personal data is used and shared", + "data_subject_rights": "Guaranteeing individuals' rights to access, correct, delete, or restrict their personal data", + "integrity": "Ensuring information is accurate, complete, and unaltered by unauthorised actors", + "minimisation": "Limiting data collection and retention to what is strictly necessary for the intended purpose", + "non-repudiation": "Providing proof of origin and delivery to prevent denial of actions or communications", + "possession": "Ensuring control or custody over data or assets, regardless of ownership", + "privacy": "Protecting individuals' personal information in accordance with legal and ethical standards", + "purpose_limitation": "Ensuring that personal data is only used for the purpose explicitly specified at collection", + "transparency": "Ensuring individuals are informed about data practices, including collection, use, and sharing", + "utility": "Ensuring data is usable and in a format suitable for the intended purpose" + } + }, + "scenario": { "type": "object", - "additionalProperties": false, "required": [ - "type", "bom-ref", - "uid" + "name", + "type" ], + "additionalProperties": false, "properties": { "bom-ref": { - "title": "BOM Reference", - "description": "An identifier which can be used to reference the trigger elsewhere in the BOM. 
Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links.", "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType" }, - "uid": { - "title": "Unique Identifier (UID)", - "description": "The unique identifier for the resource instance within its deployment context.", - "type": "string" - }, "name": { - "title": "Name", - "description": "The name of the resource instance.", - "type": "string" + "type": "string", + "description": "Name of the risk scenario" }, "description": { - "title": "Description", - "description": "A description of the resource instance.", - "type": "string" - }, - "resourceReferences": { - "title": "Resource references", - "description": "References to component or service resources that are used to realize the resource instance.", - "type": "array", - "uniqueItems": true, - "items": { - "$ref": "#/$defs/cyclonedx-formulation-2.0/$defs/resourceReferenceChoice" - } + "type": "string", + "description": "Detailed description of the scenario" }, "type": { - "title": "Type", - "description": "The source type of event which caused the trigger to fire.", "type": "string", "enum": [ - "manual", - "api", - "webhook", - "scheduled" - ] + "threat", + "vulnerability", + "weakness", + "risk", + "incident", + "opportunity", + "hazard" + ], + "meta:enum": { + "threat": "Security threat scenario", + "vulnerability": "Exploitable vulnerability", + "weakness": "System or design weakness", + "risk": "General risk scenario", + "incident": "Potential incident scenario", + "opportunity": "Positive risk (opportunity)", + "hazard": "Safety hazard scenario" + } }, - "event": { - "title": "Event", - "description": "The event data that caused the associated trigger to activate.", - "$ref": "#/$defs/cyclonedx-formulation-2.0/$defs/event" + "domain": { + "$ref": "#/$defs/cyclonedx-risk-2.0/$defs/riskDomain" }, - "conditions": { + "category": { + "type": "string", + "description": "Category or 
classification of the scenario" + }, + "likelihood": { + "$ref": "#/$defs/cyclonedx-risk-2.0/$defs/likelihood" + }, + "impact": { + "$ref": "#/$defs/cyclonedx-risk-2.0/$defs/impact" + }, + "riskScore": { + "$ref": "#/$defs/cyclonedx-risk-2.0/$defs/riskScore" + }, + "riskAttributes": { "type": "array", - "title": "Conditions", - "description": "A list of conditions used to determine if a trigger should be activated.", - "uniqueItems": true, "items": { - "$ref": "#/$defs/cyclonedx-formulation-2.0/$defs/condition" - } - }, - "timeActivated": { - "title": "Time activated", - "description": "The date and time (timestamp) when the trigger was activated.", - "type": "string", - "format": "date-time" + "$ref": "#/$defs/cyclonedx-risk-2.0/$defs/riskAttribute" + }, + "description": "Risk attributes affected by this scenario" }, - "inputs": { - "title": "Inputs", - "description": "Represents resources and data brought into a task at runtime by executor or task commands", - "examples": [ - "a `configuration` file which was declared as a local `component` or `externalReference`" - ], + "affectedAssets": { "type": "array", "items": { - "$ref": "#/$defs/cyclonedx-formulation-2.0/$defs/inputType" + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType" }, - "uniqueItems": true + "description": "References to affected assets" }, - "outputs": { - "title": "Outputs", - "description": "Represents resources and data output from a task at runtime by executor or task commands", - "examples": [ - "a log file or metrics data produced by the task" - ], + "mitigations": { "type": "array", "items": { - "$ref": "#/$defs/cyclonedx-formulation-2.0/$defs/outputType" + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType" }, - "uniqueItems": true + "description": "References to mitigations that address this scenario" + }, + "externalReferences": { + "type": "array", + "items": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/externalReference" + } }, "properties": { "$ref": 
"#/$defs/cyclonedx-common-2.0/$defs/properties" } } }, - "event": { - "title": "Event", - "description": "Represents something that happened that may trigger a response.", + "likelihood": { "type": "object", + "required": [ + "level" + ], "additionalProperties": false, "properties": { - "uid": { - "title": "Unique Identifier (UID)", - "description": "The unique identifier of the event.", - "type": "string" + "level": { + "type": "string", + "enum": [ + "veryLow", + "low", + "medium", + "high", + "veryHigh", + "certain" + ], + "description": "Likelihood level", + "meta:enum": { + "veryLow": "Very unlikely to occur (< 10%)", + "low": "Unlikely to occur (10-30%)", + "medium": "Possible to occur (30-60%)", + "high": "Likely to occur (60-90%)", + "veryHigh": "Very likely to occur (> 90%)", + "certain": "Will certainly occur (100%)" + } + }, + "score": { + "type": "number", + "minimum": 0, + "maximum": 10, + "description": "Numeric likelihood score" + }, + "probability": { + "type": "number", + "minimum": 0, + "maximum": 1, + "description": "Probability as a decimal (0-1)" + }, + "rationale": { + "type": "string", + "description": "Justification for the likelihood rating" + } + } + }, + "impact": { + "type": "object", + "required": [ + "level" + ], + "additionalProperties": false, + "properties": { + "level": { + "type": "string", + "enum": [ + "negligible", + "low", + "moderate", + "high", + "severe", + "catastrophic" + ], + "description": "Impact severity level", + "meta:enum": { + "negligible": "Minimal impact with no significant consequences", + "low": "Minor impact with limited consequences", + "moderate": "Moderate impact affecting some operations", + "high": "Significant impact with serious consequences", + "severe": "Severe impact with critical consequences", + "catastrophic": "Catastrophic impact with existential consequences" + } + }, + "score": { + "type": "number", + "minimum": 0, + "maximum": 10, + "description": "Numeric impact score" + }, + "categories": { 
+ "type": "array", + "items": { + "type": "string", + "enum": [ + "confidentiality", + "integrity", + "availability", + "financial", + "reputation", + "regulatory", + "safety", + "privacy", + "operational", + "strategic" + ], + "meta:enum": { + "confidentiality": "Impact on data confidentiality", + "integrity": "Impact on data or system integrity", + "availability": "Impact on service availability", + "financial": "Financial loss or impact", + "reputation": "Reputational damage", + "regulatory": "Regulatory compliance impact", + "safety": "Human safety impact", + "privacy": "Privacy violation impact", + "operational": "Operational disruption", + "strategic": "Strategic business impact" + } + }, + "description": "Categories of impact" + }, + "riskAttributes": { + "type": "array", + "items": { + "$ref": "#/$defs/cyclonedx-risk-2.0/$defs/riskAttribute" + }, + "description": "Risk attributes affected" + }, + "quantification": { + "$ref": "#/$defs/cyclonedx-risk-2.0/$defs/impactQuantification" }, "description": { - "title": "Description", - "description": "A description of the event.", - "type": "string" + "type": "string", + "description": "Description of the potential impact" + } + } + }, + "impactQuantification": { + "type": "object", + "additionalProperties": false, + "properties": { + "financialLoss": { + "type": "number", + "description": "Estimated financial loss in currency units" }, - "timeReceived": { - "title": "Time Received", - "description": "The date and time (timestamp) when the event was received.", + "currency": { "type": "string", - "format": "date-time" + "pattern": "^[A-Z]{3}$", + "description": "ISO 4217 currency code" }, - "data": { - "title": "Data", - "description": "Encoding of the raw event data.", - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/attachment" + "affectedUsers": { + "type": "integer", + "description": "Number of affected users" }, - "source": { - "title": "Source", - "description": "References the component or service that was the 
source of the event", - "$ref": "#/$defs/cyclonedx-formulation-2.0/$defs/resourceReferenceChoice" + "downtime": { + "type": "string", + "pattern": "^P(?!$)(\\d+Y)?(\\d+M)?(\\d+W)?(\\d+D)?(T(\\d+H)?(\\d+M)?(\\d+(\\.\\d+)?S)?)?$", + "description": "Expected downtime as ISO 8601 duration" }, - "target": { - "title": "Target", - "description": "References the component or service that was the target of the event", - "$ref": "#/$defs/cyclonedx-formulation-2.0/$defs/resourceReferenceChoice" + "dataRecords": { + "type": "integer", + "description": "Number of data records affected" }, - "properties": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/properties" + "recovery": { + "type": "string", + "pattern": "^P(?!$)(\\d+Y)?(\\d+M)?(\\d+W)?(\\d+D)?(T(\\d+H)?(\\d+M)?(\\d+(\\.\\d+)?S)?)?$", + "description": "Recovery time as ISO 8601 duration" } } }, - "inputType": { - "title": "Input type", - "description": "Type that represents various input data types and formats.", + "riskScore": { "type": "object", - "oneOf": [ - { - "required": [ - "resource" - ] + "required": [ + "level" + ], + "additionalProperties": false, + "properties": { + "level": { + "type": "string", + "enum": [ + "info", + "low", + "medium", + "high", + "critical" + ], + "description": "Overall risk level", + "meta:enum": { + "info": "Informational - no immediate action required", + "low": "Low risk - monitor and address in normal cycle", + "medium": "Medium risk - plan mitigation activities", + "high": "High risk - prioritize mitigation efforts", + "critical": "Critical risk - immediate action required" + } }, - { - "required": [ - "parameters" - ] + "score": { + "type": "number", + "minimum": 0, + "description": "Numeric risk score" }, - { - "required": [ - "environmentVars" - ] + "vector": { + "type": "string", + "description": "Risk scoring vector (e.g., L:H/I:M)" }, - { - "required": [ - "data" - ] + "methodology": { + "type": "string", + "description": "Risk scoring methodology used" } + } + }, + 
"mitigation": { + "type": "object", + "required": [ + "bom-ref", + "name", + "type" ], "additionalProperties": false, "properties": { - "source": { - "title": "Source", - "description": "A reference to the component or service that provided the input to the task (e.g., reference to a service with data flow value of `inbound`)", - "examples": [ - "source code repository", - "database" + "bom-ref": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType" + }, + "name": { + "type": "string", + "description": "Name of the mitigation" + }, + "description": { + "type": "string", + "description": "Description of what the mitigation does" + }, + "type": { + "type": "string", + "enum": [ + "avoid", + "reduce", + "transfer", + "accept", + "control", + "countermeasure", + "safeguard", + "practice", + "procedure" + ], + "meta:enum": { + "avoid": "Avoid the risk entirely", + "reduce": "Reduce likelihood or impact", + "transfer": "Transfer risk to another party", + "accept": "Accept the risk", + "control": "Preventive or detective control", + "countermeasure": "Reactive measure to counter risks", + "safeguard": "Protective measure", + "practice": "Risk management practice", + "procedure": "Documented procedure" + } + }, + "strategy": { + "type": "string", + "enum": [ + "prevent", + "detect", + "respond", + "recover" ], - "$ref": "#/$defs/cyclonedx-formulation-2.0/$defs/resourceReferenceChoice" + "meta:enum": { + "prevent": "Prevents the risk from occurring", + "detect": "Detects when the risk occurs", + "respond": "Responds to the risk when detected", + "recover": "Recovers from the impact" + } }, - "target": { - "title": "Target", - "description": "A reference to the component or service that received or stored the input if not the task itself (e.g., a local, named storage workspace)", - "examples": [ - "workspace", - "directory" + "status": { + "type": "string", + "enum": [ + "proposed", + "approved", + "planned", + "inProgress", + "implemented", + "verified" ], - "$ref": 
"#/$defs/cyclonedx-formulation-2.0/$defs/resourceReferenceChoice" + "meta:enum": { + "proposed": "Mitigation has been proposed", + "approved": "Mitigation has been approved", + "planned": "Implementation is planned", + "inProgress": "Implementation is in progress", + "implemented": "Mitigation has been implemented", + "verified": "Effectiveness has been verified" + } }, - "resource": { - "title": "Resource", - "description": "A reference to an independent resource provided as an input to a task by the workflow runtime.", - "examples": [ - "a reference to a configuration file in a repository (i.e., a bom-ref)", - "a reference to a scanning service used in a task (i.e., a bom-ref)" + "priority": { + "$ref": "#/$defs/cyclonedx-risk-2.0/$defs/priority" + }, + "effectiveness": { + "$ref": "#/$defs/cyclonedx-risk-2.0/$defs/effectiveness" + }, + "cost": { + "type": "string", + "enum": [ + "trivial", + "low", + "medium", + "high", + "extreme" ], - "$ref": "#/$defs/cyclonedx-formulation-2.0/$defs/resourceReferenceChoice" + "meta:enum": { + "trivial": "Minimal cost and effort", + "low": "Low cost and effort", + "medium": "Moderate cost and effort", + "high": "High cost and significant effort", + "extreme": "Extreme cost and major effort" + } }, - "parameters": { - "title": "Parameters", - "description": "Inputs that have the form of parameters with names and values.", + "addresses": { "type": "array", - "uniqueItems": true, "items": { - "$ref": "#/$defs/cyclonedx-formulation-2.0/$defs/parameter" - } + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType" + }, + "description": "References to scenarios this mitigation addresses" }, - "environmentVars": { - "title": "Environment variables", - "description": "Inputs that have the form of parameters with names and values.", + "implementedBy": { "type": "array", - "uniqueItems": true, "items": { - "oneOf": [ - { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/property" - }, - { - "type": "string", - "title": "String-Based Environment 
Variables", - "description": "In addition to the more common key–value pair format, some environment variables may consist of a single string without an explicit value assignment. These string-based environment variables typically act as flags or signals to software, indicating that a feature should be enabled, a mode should be activated, or a specific condition is present. Their presence alone conveys meaning." - } - ] - } + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType" + }, + "description": "References to assets that implement this mitigation" }, - "data": { - "title": "Data", - "description": "Inputs that have the form of data.", - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/attachment" + "externalReferences": { + "type": "array", + "items": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/externalReference" + } }, "properties": { "$ref": "#/$defs/cyclonedx-common-2.0/$defs/properties" } } }, - "outputType": { + "effectiveness": { "type": "object", - "oneOf": [ - { - "required": [ - "resource" - ] - }, - { - "required": [ - "environmentVars" - ] + "additionalProperties": false, + "properties": { + "percentage": { + "type": "number", + "minimum": 0, + "maximum": 100, + "description": "Effectiveness as percentage" }, - { - "required": [ - "data" - ] + "rating": { + "type": "string", + "enum": [ + "ineffective", + "marginal", + "adequate", + "good", + "excellent" + ], + "meta:enum": { + "ineffective": "Does not meaningfully reduce risk", + "marginal": "Slightly reduces risk", + "adequate": "Adequately reduces risk", + "good": "Significantly reduces risk", + "excellent": "Nearly eliminates risk" + } } + } + }, + "assessment": { + "type": "object", + "required": [ + "bom-ref", + "type", + "timestamp" ], "additionalProperties": false, "properties": { + "bom-ref": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType" + }, "type": { - "title": "Type", - "description": "Describes the type of data output.", "type": "string", "enum": [ - "artifact", - 
"attestation", - "log", - "evidence", - "metrics", - "other" - ] + "initial", + "periodic", + "continuous", + "triggered" + ], + "meta:enum": { + "initial": "Initial risk assessment", + "periodic": "Scheduled periodic assessment", + "continuous": "Continuous monitoring assessment", + "triggered": "Event-triggered assessment" + } }, - "source": { - "title": "Source", - "description": "Component or service that generated or provided the output from the task (e.g., a build tool)", - "$ref": "#/$defs/cyclonedx-formulation-2.0/$defs/resourceReferenceChoice" + "timestamp": { + "type": "string", + "format": "date-time", + "description": "When the assessment was performed" }, - "target": { - "title": "Target", - "description": "Component or service that received the output from the task (e.g., reference to an artifactory service with data flow value of `outbound`)", - "examples": [ - "a log file described as an `externalReference` within its target domain." - ], - "$ref": "#/$defs/cyclonedx-formulation-2.0/$defs/resourceReferenceChoice" + "assessor": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/organizationalEntityOrContact", + "description": "Who performed the assessment" }, - "resource": { - "title": "Resource", - "description": "A reference to an independent resource generated as output by the task.", - "examples": [ - "configuration file", - "source code", - "scanning service" - ], - "$ref": "#/$defs/cyclonedx-formulation-2.0/$defs/resourceReferenceChoice" + "summary": { + "type": "string", + "description": "Executive summary of the assessment" }, - "data": { - "title": "Data", - "description": "Outputs that have the form of data.", - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/attachment" + "findings": { + "type": "array", + "items": { + "$ref": "#/$defs/cyclonedx-risk-2.0/$defs/finding" + }, + "description": "Specific findings from the assessment" }, - "environmentVars": { - "title": "Environment variables", - "description": "Outputs that have the form of 
environment variables.", + "overallRisk": { + "$ref": "#/$defs/cyclonedx-risk-2.0/$defs/riskScore", + "description": "Overall risk score/level" + }, + "recommendations": { "type": "array", "items": { - "oneOf": [ - { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/property" - }, - { - "type": "string", - "title": "String-Based Environment Variables", - "description": "In addition to the more common key–value pair format, some environment variables may consist of a single string without an explicit value assignment. These string-based environment variables typically act as flags or signals to software, indicating that a feature should be enabled, a mode should be activated, or a specific condition is present. Their presence alone conveys meaning." - } - ] + "type": "string" }, - "uniqueItems": true + "description": "Recommendations from the assessment" + }, + "nextReview": { + "type": "string", + "format": "date-time", + "description": "When the next review should occur" }, "properties": { "$ref": "#/$defs/cyclonedx-common-2.0/$defs/properties" } } }, - "resourceReferenceChoice": { - "title": "Resource reference choice", - "description": "A reference to a locally defined resource (e.g., a bom-ref) or an externally accessible resource.", - "$comment": "Enables reference to a resource that participates in a workflow; using either internal (bom-ref) or external (externalReference) types.", + "finding": { "type": "object", + "required": [ + "title", + "severity" + ], "additionalProperties": false, "properties": { - "ref": { - "title": "BOM Reference", - "description": "References an object by its bom-ref attribute", - "anyOf": [ - { - "title": "Ref", - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType" - }, - { - "title": "BOM-Link Element", - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/bomLinkElementType" - } - ] + "bom-ref": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType" }, - "externalReference": { - "title": "External reference", - "description": 
"Reference to an externally accessible resource.", - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/externalReference" - } - }, - "oneOf": [ - { - "required": [ - "ref" - ] + "title": { + "type": "string", + "description": "Title of the finding" }, - { - "required": [ - "externalReference" - ] - } - ] - }, - "condition": { - "title": "Condition", - "description": "A condition that was used to determine a trigger should be activated.", - "type": "object", - "additionalProperties": false, - "properties": { "description": { - "title": "Description", - "description": "Describes the set of conditions which cause the trigger to activate.", - "type": "string" + "type": "string", + "description": "Detailed description of the finding" }, - "expression": { - "title": "Expression", - "description": "The logical expression that was evaluated that determined the trigger should be fired.", - "type": "string" + "severity": { + "$ref": "#/$defs/cyclonedx-risk-2.0/$defs/severity" }, - "properties": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/properties" + "relatedScenarios": { + "type": "array", + "items": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType" + }, + "description": "Scenarios related to this finding" + }, + "relatedAssets": { + "type": "array", + "items": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType" + }, + "description": "Assets affected by this finding" + }, + "remediation": { + "type": "string", + "description": "Recommended remediation" + }, + "status": { + "type": "string", + "enum": [ + "open", + "inProgress", + "resolved", + "accepted" + ], + "meta:enum": { + "open": "Finding is open and unaddressed", + "inProgress": "Remediation is in progress", + "resolved": "Finding has been resolved", + "accepted": "Risk has been accepted" + } } } }, - "taskType": { + "priority": { "type": "string", "enum": [ - "copy", - "clone", - "lint", - "scan", - "merge", - "build", - "test", - "deliver", - "deploy", - "release", - "clean", - "other" + "none", + "low", 
+ "medium", + "high", + "critical" + ], + "description": "Priority level", + "meta:enum": { + "none": "No priority assigned", + "low": "Low priority - address when convenient", + "medium": "Medium priority - address in normal cycle", + "high": "High priority - address soon", + "critical": "Critical priority - address immediately" + } + }, + "severity": { + "type": "string", + "enum": [ + "info", + "low", + "medium", + "high", + "critical" ], + "description": "Severity level", "meta:enum": { - "copy": "A task that copies software or data used to accomplish other tasks in the workflow.", - "clone": "A task that clones a software repository into the workflow in order to retrieve its source code or data for use in a build step.", - "lint": "A task that checks source code for programmatic and stylistic errors.", - "scan": "A task that performs a scan against source code, or built or deployed components and services. Scans are typically run to gather or test for security vulnerabilities or policy compliance.", - "merge": "A task that merges changes or fixes into source code prior to a build step in the workflow.", - "build": "A task that builds the source code, dependencies and/or data into an artifact that can be deployed to and executed on target systems.", - "test": "A task that verifies the functionality of a component or service.", - "deliver": "A task that delivers a built artifact to one or more target repositories or storage systems.", - "deploy": "A task that deploys a built artifact for execution on one or more target systems.", - "release": "A task that releases a built, versioned artifact to a target repository or distribution system.", - "clean": "A task that cleans unnecessary tools, build artifacts and/or data from workflow storage.", - "other": "A workflow task that does not match current task type definitions." 
+ "info": "Informational finding", + "low": "Low severity issue", + "medium": "Medium severity issue", + "high": "High severity issue", + "critical": "Critical severity issue" } }, - "parameter": { - "title": "Parameter", - "description": "A representation of a functional parameter.", - "type": "object", - "additionalProperties": false, - "properties": { - "name": { - "title": "Name", - "description": "The name of the parameter.", - "type": "string" - }, - "value": { - "title": "Value", - "description": "The value of the parameter.", - "type": "string" - }, - "dataType": { - "title": "Data type", - "description": "The data type of the parameter.", - "type": "string" - } + "criticality": { + "type": "string", + "enum": [ + "minimal", + "low", + "moderate", + "high", + "critical" + ], + "description": "Business criticality level", + "meta:enum": { + "minimal": "Minimal impact on business operations", + "low": "Low impact with minor inconvenience", + "moderate": "Moderate impact affecting some operations", + "high": "High impact affecting critical operations", + "critical": "Critical impact with severe business consequences" } } } }, - "cyclonedx-license-2.0": { + "cyclonedx-service-2.0": { "type": "null", - "title": "CycloneDX License Model", + "title": "CycloneDX Service Model", "$defs": { - "licenseChoice": { - "title": "License Choice", - "description": "A list of SPDX licenses and/or named licenses and/or SPDX License Expression.", + "services": { "type": "array", "items": { - "oneOf": [ - { - "type": "object", - "title": "License", - "required": [ - "license" - ], - "additionalProperties": false, - "properties": { - "license": { - "$ref": "#/$defs/cyclonedx-license-2.0/$defs/license" - } - } - }, - { - "title": "License Expression", - "description": "Specifies the details and attributes related to a software license.\nIt must be a valid SPDX license expression, along with additional properties such as license acknowledgment.", - "type": "object", - 
"additionalProperties": false, - "required": [ - "expression" - ], - "properties": { - "expression": { - "type": "string", - "title": "SPDX License Expression", - "description": "A valid SPDX license expression.\nRefer to https://spdx.org/specifications for syntax requirements.", - "examples": [ - "Apache-2.0 AND (MIT OR GPL-2.0-only)", - "GPL-3.0-only WITH Classpath-exception-2.0" - ] - }, - "expressionDetails": { - "title": "Expression Details", - "description": "Details for parts of the `expression`.", - "type": "array", - "items": { - "type": "object", - "description": "This document specifies the details and attributes related to a software license identifier. An SPDX expression may be a compound of license identifiers.\nThe `license_identifier` property serves as the key that identifies each record. Note that this key is not required to be unique, as the same license identifier could apply to multiple, different but similar license details, texts, etc.", - "required": [ - "licenseIdentifier" - ], - "properties": { - "licenseIdentifier": { - "title": "License Identifier", - "description": "The valid SPDX license identifier. Refer to https://spdx.org/specifications for syntax requirements.\nThis property serves as the primary key, which uniquely identifies each record.", - "type": "string", - "examples": [ - "Apache-2.0", - "GPL-3.0-only WITH Classpath-exception-2.0", - "LicenseRef-my-custom-license" - ] - }, - "bom-ref": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType", - "title": "BOM Reference", - "description": "An identifier which can be used to reference the license elsewhere in the BOM. Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links." 
- }, - "text": { - "title": "License texts", - "description": "A way to include the textual content of the license.", - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/attachment" - }, - "url": { - "type": "string", - "title": "License URL", - "description": "The URL to the license file. If specified, a 'license' externalReference should also be specified for completeness", - "examples": [ - "https://www.apache.org/licenses/LICENSE-2.0.txt" - ], - "format": "iri-reference" - } - }, - "additionalProperties": false - } - }, - "acknowledgement": { - "$ref": "#/$defs/cyclonedx-license-2.0/$defs/licenseAcknowledgementEnumeration" - }, - "bom-ref": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType", - "title": "BOM Reference", - "description": "An identifier which can be used to reference the license elsewhere in the BOM. Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links." - }, - "licensing": { - "$ref": "#/$defs/cyclonedx-license-2.0/$defs/licensing" - }, - "properties": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/properties" - } - } - } - ] - } + "$ref": "#/$defs/cyclonedx-service-2.0/$defs/service" + }, + "uniqueItems": true, + "title": "Services" }, - "license": { + "service": { "type": "object", - "title": "License", - "description": "Specifies the details and attributes related to a software license. 
It can either include a valid SPDX license identifier or a named license, along with additional properties such as license acknowledgment, comprehensive commercial licensing information, and the full text of the license.", - "oneOf": [ - { - "required": [ - "id" - ] - }, - { - "required": [ - "name" - ] - } + "title": "Service", + "required": [ + "name" ], "additionalProperties": false, "properties": { "bom-ref": { "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType", "title": "BOM Reference", - "description": "An identifier which can be used to reference the license elsewhere in the BOM. Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links." + "description": "An identifier which can be used to reference the service elsewhere in the BOM. Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links." }, - "id": { - "$ref": "../spdx.schema.json", - "title": "License ID (SPDX)", - "description": "A valid SPDX license identifier. If specified, this value must be one of the enumeration of valid SPDX license identifiers defined in the spdx.schema.json (or spdx.xml) subschema which is synchronized with the official SPDX license list.", + "provider": { + "title": "Provider", + "description": "The organization that provides the service.", + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity" + }, + "group": { + "type": "string", + "title": "Service Group", + "description": "The grouping name, namespace, or identifier. This will often be a shortened, single name of the company or project that produced the service or domain name. Whitespace and special characters should be avoided.", "examples": [ - "Apache-2.0" + "com.acme" ] }, "name": { "type": "string", - "title": "License Name", - "description": "The name of the license. 
This may include the name of a commercial or proprietary license or an open source license that may not be defined by SPDX.",
+ "title": "Service Name",
+ "description": "The name of the service. This will often be a shortened, single name of the service.",
 "examples": [
- "Acme Software License"
+ "ticker-service"
 ]
 },
- "acknowledgement": {
- "$ref": "#/$defs/cyclonedx-license-2.0/$defs/licenseAcknowledgementEnumeration"
- },
- "text": {
- "title": "License text",
- "description": "A way to include the textual content of a license.",
- "$ref": "#/$defs/cyclonedx-common-2.0/$defs/attachment"
+ "version": {
+ "$ref": "#/$defs/cyclonedx-component-2.0/$defs/version",
+ "title": "Service Version",
+ "description": "The service version."
 },
- "url": {
+ "description": {
 "type": "string",
- "title": "License URL",
- "description": "The URL to the license file. If specified, a 'license' externalReference should also be specified for completeness",
+ "title": "Service Description",
+ "description": "Specifies a description for the service"
+ },
+ "endpoints": {
+ "type": "array",
+ "items": {
+ "type": "string",
+ "format": "iri-reference"
+ },
+ "title": "Endpoints",
+ "description": "The endpoint URIs of the service. Multiple endpoints are allowed.",
 "examples": [
- "https://www.apache.org/licenses/LICENSE-2.0.txt"
- ],
- "format": "iri-reference"
+ "https://example.com/api/v1/ticker"
+ ]
+ },
+ "authenticated": {
+ "type": "boolean",
+ "title": "Authentication Required",
+ "description": "A boolean value indicating if the service requires authentication. A value of true indicates the service requires authentication prior to use. A value of false indicates the service does not require authentication."
+ },
+ "x-trust-boundary": {
+ "type": "boolean",
+ "title": "Crosses Trust Boundary",
+ "description": "A boolean value indicating if use of the service crosses a trust zone or boundary. A value of true indicates that by using the service, a trust boundary is crossed. 
A value of false indicates that by using the service, a trust boundary is not crossed."
+ },
+ "trustZone": {
+ "type": "string",
+ "title": "Trust Zone",
+ "description": "The name of the trust zone the service resides in."
+ },
+ "data": {
+ "type": "array",
+ "items": {
+ "$ref": "#/$defs/cyclonedx-service-2.0/$defs/serviceData"
+ },
+ "title": "Data",
+ "description": "Specifies information about the data including the directional flow of data and the data classification."
+ },
+ "licenses": {
+ "$ref": "#/$defs/cyclonedx-license-2.0/$defs/licenseChoice",
+ "title": "Service License(s)"
+ },
+ "patentAssertions": {
+ "$ref": "#/$defs/cyclonedx-patent-2.0/$defs/patentAssertions",
+ "title": "Service Patent(s)"
+ },
+ "externalReferences": {
+ "$ref": "#/$defs/cyclonedx-common-2.0/$defs/externalReferences"
 },
- "licensing": {
- "$ref": "#/$defs/cyclonedx-license-2.0/$defs/licensing"
+ "services": {
+ "type": "array",
+ "items": {
+ "$ref": "#/$defs/cyclonedx-service-2.0/$defs/service"
+ },
+ "uniqueItems": true,
+ "title": "Services",
+ "description": "A list of services included or deployed behind the parent service. This is not a dependency tree. It provides a way to specify a hierarchical representation of service assemblies."
+ },
+ "releaseNotes": {
+ "$ref": "#/$defs/cyclonedx-release-notes-2.0/$defs/releaseNotes",
+ "title": "Release notes",
+ "description": "Specifies release notes."
 },
 "properties": {
 "$ref": "#/$defs/cyclonedx-common-2.0/$defs/properties"
+ },
+ "tags": {
+ "$ref": "#/$defs/cyclonedx-common-2.0/$defs/tags",
+ "title": "Tags"
+ },
+ "signature": {
+ "$ref": "#/$defs/cyclonedx-common-2.0/$defs/signature",
+ "title": "Signature",
+ "description": "Enveloped signature in [JSON Signature Format (JSF)](https://cyberphone.github.io/doc/security/jsf.html)." 
}
 }
 },
- "licenseAcknowledgementEnumeration": {
- "title": "License Acknowledgement",
- "description": "Declared licenses and concluded licenses represent two different stages in the licensing process within software development. Declared licenses refer to the initial intention of the software authors regarding the licensing terms under which their code is released. On the other hand, concluded licenses are the result of a comprehensive analysis of the project's codebase to identify and confirm the actual licenses of the components used, which may differ from the initially declared licenses. While declared licenses provide an upfront indication of the licensing intentions, concluded licenses offer a more thorough understanding of the actual licensing within a project, facilitating proper compliance and risk management. Observed licenses are defined in `@.evidence.licenses`. Observed licenses form the evidence necessary to substantiate a concluded license.",
- "type": "string",
- "enum": [
- "declared",
- "concluded"
- ],
- "meta:enum": {
- "declared": "Declared licenses represent the initial intentions of authors regarding the licensing terms of their code.",
- "concluded": "Concluded licenses are verified and confirmed."
- }
- },
- "licensing": {
+ "serviceData": {
 "type": "object",
- "title": "Licensing information",
- "description": "Licensing details describing the licensor/licensee, license type, renewal and expiration dates, and other important metadata",
+ "title": "Hash Objects",
+ "required": [
+ "flow",
+ "classification"
+ ],
 "additionalProperties": false,
 "properties": {
- "altIds": {
- "type": "array",
- "title": "Alternate License Identifiers",
- "description": "License identifiers that may be used to manage licenses and their lifecycle",
- "items": {
- "type": "string"
- }
+ "flow": {
+ "$ref": "#/$defs/cyclonedx-data-2.0/$defs/dataFlowDirection",
+ "title": "Directional Flow",
+ "description": "Specifies the flow direction of the data. 
Direction is relative to the service. Inbound flow states that data enters the service. Outbound flow states that data leaves the service. Bi-directional states that data flows both ways and unknown states that the direction is not known."
 },
- "licensor": {
- "title": "Licensor",
- "description": "The individual or organization that grants a license to another individual or organization",
- "type": "object",
- "additionalProperties": false,
- "properties": {
- "organization": {
- "title": "Licensor (Organization)",
- "description": "The organization that granted the license",
- "$ref": "#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity"
- },
- "individual": {
- "title": "Licensor (Individual)",
- "description": "The individual, not associated with an organization, that granted the license",
- "$ref": "#/$defs/cyclonedx-common-2.0/$defs/organizationalContact"
- }
- },
- "oneOf": [
- {
- "required": [
- "organization"
- ]
- },
- {
- "required": [
- "individual"
- ]
- }
- ]
+ "classification": {
+ "$ref": "#/$defs/cyclonedx-data-2.0/$defs/dataClassification"
 },
- "licensee": {
- "title": "Licensee",
- "description": "The individual or organization for which a license was granted to",
- "type": "object",
- "additionalProperties": false,
- "properties": {
- "organization": {
- "title": "Licensee (Organization)",
- "description": "The organization that was granted the license",
- "$ref": "#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity"
- },
- "individual": {
- "title": "Licensee (Individual)",
- "description": "The individual, not associated with an organization, that was granted the license",
- "$ref": "#/$defs/cyclonedx-common-2.0/$defs/organizationalContact"
- }
- },
- "oneOf": [
- {
- "required": [
- "organization"
- ]
- },
- {
- "required": [
- "individual"
- ]
- }
+ "name": {
+ "type": "string",
+ "title": "Name",
+ "description": "Name for the defined data",
+ "examples": [
+ "Credit card reporting"
 ]
 },
- "purchaser": {
- "title": "Purchaser",
- 
"description": "The individual or organization that purchased the license",
- "type": "object",
- "additionalProperties": false,
- "properties": {
- "organization": {
- "title": "Purchaser (Organization)",
- "description": "The organization that purchased the license",
- "$ref": "#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity"
- },
- "individual": {
- "title": "Purchaser (Individual)",
- "description": "The individual, not associated with an organization, that purchased the license",
- "$ref": "#/$defs/cyclonedx-common-2.0/$defs/organizationalContact"
- }
- },
- "oneOf": [
- {
- "required": [
- "organization"
- ]
- },
- {
- "required": [
- "individual"
- ]
- }
+ "description": {
+ "type": "string",
+ "title": "Description",
+ "description": "Short description of the data content and usage",
+ "examples": [
+ "Credit card information being exchanged in between the web app and the database"
 ]
 },
- "purchaseOrder": {
- "type": "string",
- "title": "Purchase Order",
- "description": "The purchase order identifier the purchaser sent to a supplier or vendor to authorize a purchase"
+ "governance": {
+ "title": "Data Governance",
+ "$ref": "#/$defs/cyclonedx-data-2.0/$defs/dataGovernance"
 },
- "licenseTypes": {
+ "source": {
 "type": "array",
- "title": "License Type",
- "description": "The type of license(s) that was granted to the licensee.",
 "items": {
- "type": "string",
- "enum": [
- "academic",
- "appliance",
- "client-access",
- "concurrent-user",
- "core-points",
- "custom-metric",
- "device",
- "evaluation",
- "named-user",
- "node-locked",
- "oem",
- "perpetual",
- "processor-points",
- "subscription",
- "user",
- "other"
- ],
- "meta:enum": {
- "academic": "A license that grants use of software solely for the purpose of education or research.",
- "appliance": "A license covering use of software embedded in a specific piece of hardware.",
- "client-access": "A Client Access License (CAL) allows client computers to access services provided by server 
software.",
- "concurrent-user": "A Concurrent User license (aka floating license) limits the number of licenses for a software application and licenses are shared among a larger number of users.",
- "core-points": "A license where the core of a computer's processor is assigned a specific number of points.",
- "custom-metric": "A license for which consumption is measured by non-standard metrics.",
- "device": "A license that covers a defined number of installations on computers and other types of devices.",
- "evaluation": "A license that grants permission to install and use software for trial purposes.",
- "named-user": "A license that grants access to the software to one or more pre-defined users.",
- "node-locked": "A license that grants access to the software on one or more pre-defined computers or devices.",
- "oem": "An Original Equipment Manufacturer license that is delivered with hardware, cannot be transferred to other hardware, and is valid for the life of the hardware.",
- "perpetual": "A license where the software is sold on a one-time basis and the licensee can use a copy of the software indefinitely.",
- "processor-points": "A license where each installation consumes points per processor.",
- "subscription": "A license where the licensee pays a fee to use the software or service.",
- "user": "A license that grants access to the software or service by a specified number of users.",
- "other": "Another license type." 
- }
- }
+ "anyOf": [
+ {
+ "title": "URL",
+ "type": "string",
+ "format": "iri-reference"
+ },
+ {
+ "title": "BOM-Link Element",
+ "$ref": "#/$defs/cyclonedx-common-2.0/$defs/bomLinkElementType"
+ }
+ ]
+ },
+ "title": "Source",
+ "description": "The URI, URL, or BOM-Link of the components or services the data came in from"
+ },
+ "destination": {
+ "type": "array",
+ "items": {
+ "anyOf": [
+ {
+ "title": "URL",
+ "type": "string",
+ "format": "iri-reference"
+ },
+ {
+ "title": "BOM-Link Element",
+ "$ref": "#/$defs/cyclonedx-common-2.0/$defs/bomLinkElementType"
+ }
+ ]
+ },
+ "title": "Destination",
+ "description": "The URI, URL, or BOM-Link of the components or services the data is sent to"
+ }
+ }
+ }
+ }
+ },
+ "cyclonedx-standard-2.0": {
+ "type": "null",
+ "title": "CycloneDX Standard Model",
+ "$defs": {
+ "standards": {
+ "type": "array",
+ "title": "Standards",
+ "description": "The list of standards which may consist of regulations, industry or organizational-specific standards, maturity models, best practices, or any other requirements which can be evaluated against or attested to.",
+ "items": {
+ "$ref": "#/$defs/cyclonedx-standard-2.0/$defs/standard"
+ }
+ },
+ "standard": {
+ "type": "object",
+ "title": "Standard",
+ "description": "A standard may consist of regulations, industry or organizational-specific standards, maturity models, best practices, or any other requirements which can be evaluated against or attested to.",
+ "additionalProperties": false,
+ "properties": {
+ "bom-ref": {
+ "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType",
+ "title": "BOM Reference",
+ "description": "An identifier which can be used to reference the object elsewhere in the BOM. Every `bom-ref` must be unique within the BOM."
 },
- "lastRenewal": {
+ "name": {
 "type": "string",
- "format": "date-time",
- "title": "Last Renewal",
- "description": "The timestamp indicating when the license was last renewed. 
For new purchases, this is often the purchase or acquisition date. For non-perpetual licenses or subscriptions, this is the timestamp of when the license was last renewed."
+ "title": "Name",
+ "description": "The name of the standard. This will often be a shortened, single name of the standard."
 },
- "expiration": {
+ "version": {
 "type": "string",
- "format": "date-time",
- "title": "Expiration",
- "description": "The timestamp indicating when the current license expires (if applicable)."
+ "title": "Version",
+ "description": "The version of the standard."
+ },
+ "description": {
+ "type": "string",
+ "title": "Description",
+ "description": "The description of the standard."
+ },
+ "owner": {
+ "type": "string",
+ "title": "Owner",
+ "description": "The owner of the standard, often the entity responsible for its release."
+ },
+ "requirements": {
+ "$ref": "#/$defs/cyclonedx-standard-2.0/$defs/requirements"
+ },
+ "levels": {
+ "$ref": "#/$defs/cyclonedx-standard-2.0/$defs/levels"
+ },
+ "externalReferences": {
+ "$ref": "#/$defs/cyclonedx-common-2.0/$defs/externalReferences"
+ },
+ "signature": {
+ "$ref": "#/$defs/cyclonedx-common-2.0/$defs/signature",
+ "title": "Signature",
+ "description": "Enveloped signature in [JSON Signature Format (JSF)](https://cyberphone.github.io/doc/security/jsf.html)." 
}
 }
- }
- }
- },
- "cyclonedx-metadata-2.0": {
- "type": "null",
- "title": "CycloneDX Metadata Model",
- "$defs": {
- "metadata": {
+ },
+ "requirements": {
+ "type": "array",
+ "title": "Requirements",
+ "description": "The list of requirements comprising the standard.",
+ "items": {
+ "$ref": "#/$defs/cyclonedx-standard-2.0/$defs/requirement"
+ }
+ },
+ "requirement": {
 "type": "object",
- "title": "BOM Metadata",
- "description": "Provides additional information about a BOM.",
+ "title": "Requirement",
 "additionalProperties": false,
 "properties": {
- "timestamp": {
- "type": "string",
- "format": "date-time",
- "title": "Timestamp",
- "description": "The date and time (timestamp) when the BOM was created."
+ "bom-ref": {
+ "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType",
+ "title": "BOM Reference",
+ "description": "An identifier which can be used to reference the object elsewhere in the BOM. Every `bom-ref` must be unique within the BOM."
 },
- "lifecycles": {
- "$ref": "#/$defs/cyclonedx-common-2.0/$defs/lifecycles"
+ "identifier": {
+ "type": "string",
+ "title": "Identifier",
+ "description": "The unique identifier used in the standard to identify a specific requirement. This should match what is in the standard and should not be the requirements bom-ref."
 },
- "tools": {
- "type": "object",
- "title": "Tools",
- "description": "The tool(s) used in the creation, enrichment, and validation of the BOM.",
- "additionalProperties": false,
- "properties": {
- "components": {
- "$ref": "#/$defs/cyclonedx-component-2.0/$defs/components",
- "description": "A list of software and hardware components used as tools."
- },
- "services": {
- "$ref": "#/$defs/cyclonedx-service-2.0/$defs/services",
- "description": "A list of services used as tools. This may include microservices, function-as-a-service, and other types of network or intra-process services."
- }
- }
+ "title": {
+ "type": "string",
+ "title": "Title",
+ "description": "The title of the requirement." 
},
- "manufacturer": {
- "title": "BOM Manufacturer",
- "description": "The organization that created the BOM.\nManufacturer is common in BOMs created through automated processes. BOMs created through manual means may have `@.authors` instead.",
- "$ref": "#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity"
+ "text": {
+ "type": "string",
+ "title": "Text",
+ "description": "The textual content of the requirement."
 },
- "authors": {
+ "descriptions": {
 "type": "array",
- "title": "BOM Authors",
- "description": "The person(s) who created the BOM.\nAuthors are common in BOMs created through manual processes. BOMs created through automated means may have `@.manufacturer` instead.",
+ "title": "Descriptions",
+ "description": "The supplemental text that provides additional guidance or context to the requirement, but is not directly part of the requirement.",
 "items": {
- "$ref": "#/$defs/cyclonedx-common-2.0/$defs/organizationalContact"
+ "type": "string"
 }
 },
- "component": {
- "description": "The component that the BOM describes.",
- "$ref": "#/$defs/cyclonedx-component-2.0/$defs/component"
- },
- "supplier": {
- "title": "Supplier",
- "description": " The organization that supplied the component that the BOM describes. The supplier may often be the manufacturer, but may also be a distributor or repackager.",
- "$ref": "#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity"
- },
- "licenses": {
- "title": "BOM License(s)",
- "description": "The license information for the BOM document.\nThis may be different from the license(s) of the component(s) that the BOM describes.",
- "$ref": "#/$defs/cyclonedx-license-2.0/$defs/licenseChoice"
+ "openCre": {
+ "type": "array",
+ "title": "OWASP OpenCRE Identifier(s)",
+ "description": "The Common Requirements Enumeration (CRE) identifier(s). CRE is a structured and standardized framework for uniting security standards and guidelines. 
CRE links each section of a resource to a shared topic identifier (a Common Requirement). Through this shared topic link, all resources map to each other. Use of CRE promotes clear and unambiguous communication among stakeholders.",
+ "items": {
+ "type": "string",
+ "pattern": "^CRE:[0-9]+-[0-9]+$",
+ "examples": [
+ "CRE:764-507"
+ ]
+ }
 },
- "distributionConstraints": {
- "$ref": "#/$defs/cyclonedx-metadata-2.0/$defs/distributionConstraints"
+ "parent": {
+ "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType",
+ "title": "Parent BOM Reference",
+ "description": "The `bom-ref` to a parent requirement. This establishes a hierarchy of requirements. Top-level requirements must not define a parent. Only child requirements should define parents."
 },
 "properties": {
 "$ref": "#/$defs/cyclonedx-common-2.0/$defs/properties"
+ },
+ "externalReferences": {
+ "$ref": "#/$defs/cyclonedx-common-2.0/$defs/externalReferences"
 }
 }
 },
- "distributionConstraints": {
- "title": "Distribution Constraints",
- "description": "Conditions and constraints governing the sharing and distribution of the data or components described by this BOM.",
+ "levels": {
+ "type": "array",
+ "title": "Levels",
+ "description": "The list of levels associated with the standard. Some standards have different levels of compliance.",
+ "items": {
+ "$ref": "#/$defs/cyclonedx-standard-2.0/$defs/level"
+ }
+ },
+ "level": {
 "type": "object",
+ "title": "Level",
+ "additionalProperties": false,
 "properties": {
- "tlp": {
- "$ref": "#/$defs/cyclonedx-metadata-2.0/$defs/tlpClassification",
- "description": "The Traffic Light Protocol (TLP) classification that controls the sharing and distribution of the data that the BOM describes."
+ "bom-ref": {
+ "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType",
+ "title": "BOM Reference",
+ "description": "An identifier which can be used to reference the object elsewhere in the BOM. Every `bom-ref` must be unique within the BOM." 
+ },
+ "identifier": {
+ "type": "string",
+ "title": "Identifier",
+ "description": "The identifier used in the standard to identify a specific level."
+ },
+ "title": {
+ "type": "string",
+ "title": "Title",
+ "description": "The title of the level."
+ },
+ "description": {
+ "type": "string",
+ "title": "Description",
+ "description": "The description of the level."
+ },
+ "requirements": {
+ "type": "array",
+ "title": "Requirements",
+ "description": "The list of requirement `bom-ref`s that comprise the level.",
+ "items": {
+ "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType"
+ }
 }
 }
- },
- "tlpClassification": {
- "title": "Traffic Light Protocol (TLP) Classification",
- "description": "Traffic Light Protocol (TLP) is a classification system for identifying the potential risk associated with artefact, including whether it is subject to certain types of legal, financial, or technical threats. Refer to [https://www.first.org/tlp/](https://www.first.org/tlp/) for further information.\nThe default classification is \"CLEAR\"",
- "type": "string",
- "default": "CLEAR",
- "enum": [
- "CLEAR",
- "GREEN",
- "AMBER",
- "AMBER_AND_STRICT",
- "RED"
- ],
- "meta:enum": {
- "CLEAR": "The information is not subject to any restrictions as regards the sharing.",
- "GREEN": "The information is subject to limited disclosure, and recipients can share it within their community but not via publicly accessible channels.",
- "AMBER": "The information is subject to limited disclosure, and recipients can only share it on a need-to-know basis within their organization and with clients.",
- "AMBER_AND_STRICT": "The information is subject to limited disclosure, and recipients can only share it on a need-to-know basis within their organization.",
- "RED": "The information is subject to restricted distribution to individual recipients only and must not be shared." 
- }
 }
 }
 },
- "cyclonedx-patent-2.0": {
+ "cyclonedx-threat-2.0": {
 "type": "null",
- "title": "CycloneDX Patent Model",
+ "title": "CycloneDX Threat Model",
 "$defs": {
- "patents": {
- "type": "array",
- "title": "Patents",
- "description": "The list of either individual patents or patent families.",
- "items": {
- "anyOf": [
- {
- "$ref": "#/$defs/cyclonedx-patent-2.0/$defs/patent"
- },
- {
- "$ref": "#/$defs/cyclonedx-patent-2.0/$defs/patentFamily"
+ "threatScenario": {
+ "type": "object",
+ "allOf": [
+ {
+ "$ref": "#/$defs/cyclonedx-risk-2.0/$defs/scenario"
+ },
+ {
+ "properties": {
+ "threatCategory": {
+ "type": "string",
+ "description": "Threat category based on methodology (e.g., STRIDE category)"
+ },
+ "threatActor": {
+ "$ref": "#/$defs/cyclonedx-threat-2.0/$defs/threatActorProfile"
+ },
+ "attackVector": {
+ "$ref": "#/$defs/cyclonedx-threat-2.0/$defs/attackVector"
+ },
+ "attackPattern": {
+ "$ref": "#/$defs/cyclonedx-threat-2.0/$defs/attackPatternReference"
+ },
+ "weakness": {
+ "$ref": "#/$defs/cyclonedx-threat-2.0/$defs/weaknessReference"
+ },
+ "exploitability": {
+ "$ref": "#/$defs/cyclonedx-threat-2.0/$defs/exploitability"
+ },
+ "indicators": {
+ "$ref": "#/$defs/cyclonedx-threat-2.0/$defs/indicators"
+ },
+ "killChainPhase": {
+ "type": "string",
+ "enum": [
+ "reconnaissance",
+ "weaponization",
+ "delivery",
+ "exploitation",
+ "installation",
+ "command-and-control",
+ "actions-on-objectives"
+ ],
+ "meta:enum": {
+ "reconnaissance": "Gathering information about the target",
+ "weaponization": "Creating malicious payloads",
+ "delivery": "Transmitting weapon to target",
+ "exploitation": "Exploiting vulnerabilities",
+ "installation": "Installing malware or backdoors",
+ "command-and-control": "Establishing C2 channel",
+ "actions-on-objectives": "Achieving attack goals"
+ }
+ },
+ "technicalImpact": {
+ "type": "array",
+ "items": {
+ "type": "string",
+ "enum": [
+ "unauthorized-access",
+ "data-breach",
+ "data-corruption",
+ 
"service-disruption",
+ "privilege-escalation",
+ "code-execution",
+ "information-disclosure",
+ "denial-of-service"
+ ]
+ }
+ }
 }
- ]
- }
+ }
+ ]
 },
- "patent": {
+ "threatActor": {
 "type": "object",
- "title": "Patent",
- "description": "A patent is a legal instrument, granted by an authority, that confers certain rights over an invention for a specified period, contingent on public disclosure and adherence to relevant legal requirements. The summary information in this object is aligned with [WIPO ST.96](https://www.wipo.int/standards/en/st96/) principles where applicable.",
 "required": [
- "patentNumber",
- "jurisdiction",
- "patentLegalStatus"
+ "bom-ref",
+ "name",
+ "type"
 ],
 "additionalProperties": false,
 "properties": {
 "bom-ref": {
- "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType",
- "title": "BOM Reference",
- "description": "An identifier which can be used to reference the object elsewhere in the BOM. Every `bom-ref` must be unique within the BOM."
+ "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType"
 },
- "patentNumber": {
+ "name": {
 "type": "string",
- "pattern": "^[A-Za-z0-9][A-Za-z0-9\\-/.()\\s]{0,28}[A-Za-z0-9]$",
- "title": "Patent Number",
- "description": "The unique number assigned to the granted patent by the issuing authority. Aligned with `PatentNumber` in WIPO ST.96. 
Refer to [PatentNumber in ST.96](https://www.wipo.int/standards/XMLSchema/ST96/V8_0/Patent/PatentNumber.xsd).",
- "examples": [
- "US987654321",
- "EP1234567B1"
- ]
+ "description": "Name or identifier of the threat actor"
 },
- "applicationNumber": {
- "$ref": "#/$defs/cyclonedx-patent-2.0/$defs/patentApplicationNumber"
+ "description": {
+ "type": "string",
+ "description": "Description of the threat actor"
 },
- "jurisdiction": {
- "$ref": "#/$defs/cyclonedx-patent-2.0/$defs/patentJurisdiction"
+ "type": {
+ "type": "string",
+ "enum": [
+ "individual",
+ "group",
+ "organization",
+ "nation-state",
+ "unknown"
+ ],
+ "meta:enum": {
+ "individual": "Individual threat actor",
+ "group": "Organized group or collective",
+ "organization": "Corporate or criminal organization",
+ "nation-state": "Nation-state sponsored actor",
+ "unknown": "Unknown threat actor type"
+ }
 },
- "priorityApplication": {
- "$ref": "#/$defs/cyclonedx-patent-2.0/$defs/priorityApplication"
+ "aliases": {
+ "type": "array",
+ "items": {
+ "type": "string"
+ },
+ "description": "Known aliases or alternative names"
 },
- "publicationNumber": {
- "type": "string",
- "pattern": "^[A-Za-z0-9][A-Za-z0-9\\-/.()\\s]{0,28}[A-Za-z0-9]$",
- "title": "Patent Publication Number",
- "description": "This is the number assigned to a patent application once it is published. Patent applications are generally published 18 months after filing (unless an applicant requests non-publication). This number is distinct from the application number. \n\nPurpose: Identifies the publicly available version of the application. \n\nFormat: Varies by jurisdiction, often similar to application numbers but includes an additional suffix indicating publication. \n\nExample:\n - US: US20240000123A1 (indicates the first publication of application US20240000123) \n - Europe: EP23123456A1 (first publication of European application EP23123456). 
\n\nWIPO ST.96 v8.0: \n - Publication Number field: https://www.wipo.int/standards/XMLSchema/ST96/V8_0/Patent/PublicationNumber.xsd"
+ "profile": {
+ "$ref": "#/$defs/cyclonedx-threat-2.0/$defs/threatActorProfile"
 },
- "title": {
- "type": "string",
- "title": "Patent Title",
- "description": "The title of the patent, summarising the invention it protects. Aligned with `InventionTitle` in WIPO ST.96. Refer to [InventionTitle in ST.96](https://www.wipo.int/standards/XMLSchema/ST96/V8_0/Patent/InventionTitle.xsd)."
+ "observedTTPs": {
+ "type": "array",
+ "items": {
+ "$ref": "#/$defs/cyclonedx-threat-2.0/$defs/ttp"
+ },
+ "description": "Observed tactics, techniques, and procedures"
 },
- "abstract": {
+ "attributedAttacks": {
+ "type": "array",
+ "items": {
+ "type": "string"
+ },
+ "description": "Attacks attributed to this actor"
+ },
+ "targeting": {
+ "$ref": "#/$defs/cyclonedx-threat-2.0/$defs/targeting"
+ },
+ "externalReferences": {
+ "type": "array",
+ "items": {
+ "$ref": "#/$defs/cyclonedx-common-2.0/$defs/externalReference"
+ }
+ }
+ }
+ },
+ "threatActorProfile": {
+ "type": "object",
+ "additionalProperties": false,
+ "properties": {
+ "sophistication": {
 "type": "string",
- "title": "Patent Abstract",
- "description": "A brief summary of the invention described in the patent. Aligned with `Abstract` and `P` in WIPO ST.96. Refer to [Abstract in ST.96](https://www.wipo.int/standards/XMLSchema/ST96/V8_0/Patent/Abstract.xsd)." 
+ "enum": [
+ "none",
+ "minimal",
+ "intermediate",
+ "advanced",
+ "expert"
+ ],
+ "meta:enum": {
+ "none": "No technical sophistication",
+ "minimal": "Script kiddie level",
+ "intermediate": "Intermediate technical skills",
+ "advanced": "Advanced persistent threat",
+ "expert": "Nation-state level capabilities"
+ }
 },
- "filingDate": {
+ "motivation": {
+ "type": "array",
+ "items": {
+ "type": "string",
+ "enum": [
+ "financial",
+ "political",
+ "personal",
+ "ideological",
+ "espionage",
+ "destruction",
+ "disruption",
+ "reputation",
+ "curiosity",
+ "competitive",
+ "revenge",
+ "activism"
+ ]
+ },
+ "description": "Primary motivations"
+ },
+ "capability": {
 "type": "string",
- "format": "date",
- "title": "Filing Date",
- "description": "The date the patent application was filed with the jurisdiction. Aligned with `FilingDate` in WIPO ST.96. Refer to [FilingDate in ST.96](https://www.wipo.int/standards/XMLSchema/ST96/V8_0/Patent/FilingDate.xsd)."
+ "enum": [
+ "minimal",
+ "limited",
+ "moderate",
+ "significant",
+ "advanced"
+ ],
+ "description": "Overall capability level"
 },
- "grantDate": {
+ "intent": {
 "type": "string",
- "format": "date",
- "title": "Grant Date",
- "description": "The date the patent was granted by the jurisdiction. Aligned with `GrantDate` in WIPO ST.96. Refer to [GrantDate in ST.96](https://www.wipo.int/standards/XMLSchema/ST96/V8_0/Patent/GrantDate.xsd)."
+ "enum": [
+ "accidental",
+ "opportunistic",
+ "targeted",
+ "persistent"
+ ],
+ "description": "Intent level"
 },
- "patentExpirationDate": {
+ "resources": {
 "type": "string",
- "format": "date",
- "title": "Expiration Date",
- "description": "The date the patent expires. Derived from grant or filing date according to jurisdiction-specific rules." 
+ "enum": [
+ "minimal",
+ "limited",
+ "moderate",
+ "substantial",
+ "unlimited"
+ ],
+ "description": "Resource availability"
 },
- "patentLegalStatus": {
+ "accessLevel": {
 "type": "string",
- "title": "Legal Status",
- "description": "Indicates the current legal status of the patent or patent application, based on the WIPO ST.27 standard. This status reflects administrative, procedural, or legal events. Values include both active and inactive states and are useful for determining enforceability, procedural history, and maintenance status.",
 "enum": [
- "pending",
- "granted",
- "revoked",
- "expired",
- "lapsed",
- "withdrawn",
- "abandoned",
- "suspended",
- "reinstated",
- "opposed",
- "terminated",
- "invalidated",
- "in-force"
+ "none",
+ "external",
+ "internal",
+ "privileged",
+ "physical"
 ],
- "meta:enum": {
- "pending": "The patent application has been filed but not yet examined or granted.",
- "granted": "The patent application has been examined and a patent has been issued.",
- "revoked": "The patent has been declared invalid through a legal or administrative process.",
- "expired": "The patent has reached the end of its enforceable term.",
- "lapsed": "The patent is no longer in force due to non-payment of maintenance fees or other requirements.",
- "withdrawn": "The patent application was voluntarily withdrawn by the applicant.",
- "abandoned": "The patent application was abandoned, often due to lack of action or response.",
- "suspended": "Processing of the patent application has been temporarily halted.",
- "reinstated": "A previously abandoned or lapsed patent has been reinstated.",
- "opposed": "The patent application or granted patent is under formal opposition proceedings.",
- "terminated": "The patent or application has been officially terminated.",
- "invalidated": "The patent has been invalidated, either in part or in full.",
- "in-force": "The granted patent is active and enforceable." 
- } + "description": "Level of access to target systems" }, - "patentAssignee": { + "skillSet": { "type": "array", - "title": "Patent Assignees", - "description": "A collection of organisations or individuals to whom the patent rights are assigned. This supports joint ownership and allows for flexible representation of both corporate entities and individual inventors.", "items": { - "oneOf": [ - { - "title": "Person", - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/organizationalContact" - }, - { - "title": "Organizational Entity", - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity" - } - ] - } - }, - "externalReferences": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/externalReferences" + "type": "string" + }, + "description": "Specific skills possessed" } } }, - "patentFamily": { + "attackVector": { "type": "object", - "title": "Patent Family", - "description": "A patent family is a group of related patent applications or granted patents that cover the same or similar invention. These patents are filed in multiple jurisdictions to protect the invention across different regions or countries. A patent family typically includes patents that share a common priority date, originating from the same initial application, and may vary slightly in scope or claims to comply with regional legal frameworks. Fields align with WIPO ST.96 standards where applicable.", - "required": [ - "familyId" - ], "additionalProperties": false, "properties": { - "bom-ref": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType", - "title": "BOM Reference", - "description": "An identifier which can be used to reference the object elsewhere in the BOM. Every `bom-ref` must be unique within the BOM. \n\nFor a patent, it might be a good idea to use a patent number as the BOM reference ID." 
+ "type": { + "type": "string", + "enum": [ + "network", + "adjacent", + "local", + "physical" + ], + "meta:enum": { + "network": "Remotely exploitable via network", + "adjacent": "Exploitable from adjacent network", + "local": "Requires local access", + "physical": "Requires physical access" + } }, - "familyId": { + "complexity": { "type": "string", - "title": "Patent Family ID", - "description": "The unique identifier for the patent family, aligned with the `id` attribute in WIPO ST.96 v8.0's `PatentFamilyType`. Refer to [PatentFamilyType in ST.96](https://www.wipo.int/standards/XMLSchema/ST96/V8_0/Patent/PatentFamilyType.xsd)." + "enum": [ + "low", + "high" + ], + "description": "Attack complexity" }, - "priorityApplication": { - "$ref": "#/$defs/cyclonedx-patent-2.0/$defs/priorityApplication" + "privileges": { + "type": "string", + "enum": [ + "none", + "low", + "high" + ], + "description": "Privileges required" }, - "members": { - "type": "array", - "title": "Family Members", - "description": "A collection of patents or applications that belong to this family, each identified by a `bom-ref` pointing to a patent object defined elsewhere in the BOM.", - "items": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType", - "title": "BOM Reference", - "description": "A `bom-ref` linking to a patent or application object within the BOM." - } + "userInteraction": { + "type": "string", + "enum": [ + "none", + "required" + ], + "description": "User interaction requirement" }, - "externalReferences": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/externalReferences" + "scope": { + "type": "string", + "enum": [ + "unchanged", + "changed" + ], + "description": "Scope impact" } } }, - "patentAssertions": { - "type": "array", - "title": "Patent Assertions", - "description": "A list of assertions made regarding patents associated with this component or service. 
Assertions distinguish between ownership, licensing, and other relevant interactions with patents.", - "items": { - "type": "object", - "title": "Patent Assertion", - "description": "An assertion linking a patent or patent family to this component or service.", - "required": [ - "assertionType", - "asserter" - ], - "additionalProperties": false, - "properties": { - "bom-ref": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType", - "title": "BOM Reference", - "description": "A reference to the patent or patent family object within the BOM. This must match the `bom-ref` of a `patent` or `patentFamily` object." - }, - "assertionType": { - "type": "string", - "title": "Assertion Type", - "description": "The type of assertion being made about the patent or patent family. Examples include ownership, licensing, and standards inclusion.", - "enum": [ - "ownership", - "license", - "third-party-claim", - "standards-inclusion", - "prior-art", - "exclusive-rights", - "non-assertion", - "research-or-evaluation" - ], - "meta:enum": { - "ownership": "The manufacturer asserts ownership of the patent or patent family.", - "license": "The manufacturer asserts they have a license to use the patent or patent family.", - "third-party-claim": "A third party has asserted a claim or potential infringement against the manufacturer’s component or service.", - "standards-inclusion": "The patent is part of a standard essential patent (SEP) portfolio relevant to the component or service.", - "prior-art": "The manufacturer asserts the patent or patent family as prior art that invalidates another patent or claim.", - "exclusive-rights": "The manufacturer asserts exclusive rights granted through a licensing agreement.", - "non-assertion": "The manufacturer asserts they will not enforce the patent or patent family against certain uses or users.", - "research-or-evaluation": "The patent or patent family is being used under a research or evaluation license." 
- } + "attackPattern": { + "type": "object", + "required": [ + "bom-ref", + "name" + ], + "additionalProperties": false, + "properties": { + "bom-ref": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType" + }, + "capecId": { + "type": "integer", + "description": "CAPEC (Common Attack Pattern Enumeration and Classification) ID" + }, + "name": { + "type": "string", + "description": "Name of the attack pattern" + }, + "description": { + "type": "string", + "description": "Description of the attack pattern" + }, + "severity": { + "$ref": "#/$defs/cyclonedx-risk-2.0/$defs/severity" + }, + "likelihood": { + "type": "string", + "enum": [ + "low", + "medium", + "high" + ], + "description": "Likelihood of this pattern being used" + }, + "prerequisites": { + "type": "array", + "items": { + "type": "string" }, - "patentRefs": { - "type": "array", - "title": "Patent References", - "description": "A list of BOM references (`bom-ref`) linking to patents or patent families associated with this assertion.", - "items": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType" - } + "description": "Prerequisites for the attack" + }, + "techniques": { + "type": "array", + "items": { + "$ref": "#/$defs/cyclonedx-threat-2.0/$defs/technique" }, - "asserter": { - "oneOf": [ - { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity", - "title": "Organizational Entity" - }, - { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/organizationalContact", - "title": "Person" - }, - { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType", - "title": "Reference", - "description": "A reference to a previously defined `organizationalContact` or `organizationalEntity` object in the BOM. The value must be a valid `bom-ref` pointing to one of these objects." 
- } - ] + "description": "Techniques used in the attack" + }, + "mitigations": { + "type": "array", + "items": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType" }, - "notes": { - "type": "string", - "title": "Notes", - "description": "Additional notes or clarifications regarding the assertion, if necessary. For example, geographical restrictions, duration, or limitations of a license." - } + "description": "References to mitigations" + }, + "examples": { + "type": "array", + "items": { + "type": "string" + }, + "description": "Real-world examples" } } }, - "patentApplicationNumber": { - "type": "string", - "pattern": "^[A-Za-z0-9][A-Za-z0-9\\-/.()\\s]{0,28}[A-Za-z0-9]$", - "title": "Patent Application Number", - "description": "The unique number assigned to a patent application when it is filed with a patent office. It is used to identify the specific application and track its progress through the examination process. Aligned with `ApplicationNumber` in ST.96. Refer to [ApplicationIdentificationType in ST.96](https://www.wipo.int/standards/XMLSchema/ST96/V8_0/Patent/ApplicationIdentificationType.xsd).", - "examples": [ - "US20240000123", - "EP23123456" - ] - }, - "patentJurisdiction": { - "type": "string", - "title": "Jurisdiction", - "description": "The jurisdiction or patent office where the priority application was filed, specified using WIPO ST.3 codes. Aligned with `IPOfficeCode` in ST.96. 
Refer to [IPOfficeCode in ST.96](https://www.wipo.int/standards/XMLSchema/ST96/V8_0/Common/IPOfficeCode.xsd).", - "pattern": "^[A-Z]{2}$", - "examples": [ - "US", - "EP", - "JP" - ] + "attackPatternReference": { + "type": "object", + "additionalProperties": false, + "properties": { + "patternRef": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType", + "description": "Reference to attack pattern" + }, + "capecId": { + "type": "integer", + "description": "CAPEC ID if not referencing internal pattern" + }, + "customization": { + "type": "string", + "description": "How this pattern is customized for the specific scenario" + } + } }, - "patentFilingDate": { - "type": "string", - "format": "date", - "title": "Filing Date", - "description": "The date the priority application was filed, aligned with `FilingDate` in ST.96. Refer to [FilingDate in ST.96](https://www.wipo.int/standards/XMLSchema/ST96/V8_0/Patent/FilingDate.xsd)." + "technique": { + "type": "object", + "additionalProperties": false, + "properties": { + "id": { + "type": "string", + "description": "Technique ID (e.g., MITRE ATT&CK ID)" + }, + "name": { + "type": "string", + "description": "Name of the technique" + }, + "tactic": { + "type": "string", + "description": "Associated tactic" + }, + "procedure": { + "type": "string", + "description": "Specific procedure" + }, + "tools": { + "type": "array", + "items": { + "type": "string" + }, + "description": "Tools used with this technique" + } + } }, - "priorityApplication": { + "weakness": { "type": "object", - "title": "Priority Application", - "description": "The priorityApplication contains the essential data necessary to identify and reference an earlier patent filing for priority rights. 
In line with WIPO ST.96 guidelines, it includes the jurisdiction (office code), application number, and filing date-the three key elements that uniquely specify the priority application in a global patent context.", "required": [ - "applicationNumber", - "jurisdiction", - "filingDate" + "bom-ref" ], "additionalProperties": false, "properties": { - "applicationNumber": { - "$ref": "#/$defs/cyclonedx-patent-2.0/$defs/patentApplicationNumber" + "bom-ref": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType" }, - "jurisdiction": { - "$ref": "#/$defs/cyclonedx-patent-2.0/$defs/patentJurisdiction" + "cweId": { + "type": "integer", + "description": "CWE (Common Weakness Enumeration) ID" }, - "filingDate": { - "$ref": "#/$defs/cyclonedx-patent-2.0/$defs/patentFilingDate" + "name": { + "type": "string", + "description": "Name of the weakness" + }, + "description": { + "type": "string", + "description": "Description of the weakness" + }, + "abstraction": { + "type": "string", + "enum": [ + "pillar", + "class", + "base", + "variant", + "compound" + ], + "meta:enum": { + "pillar": "Most abstract type of weakness", + "class": "Weakness described in generic terms", + "base": "Weakness described in abstract terms", + "variant": "Weakness specific to a resource/technology", + "compound": "Combination of two or more weaknesses" + } + }, + "ordinality": { + "type": "string", + "enum": [ + "primary", + "resultant", + "indirect" + ], + "meta:enum": { + "primary": "Weakness exists independent of other weaknesses", + "resultant": "Weakness is caused by another weakness", + "indirect": "Weakness is indirectly caused by another weakness" + } + }, + "affectedAssets": { + "type": "array", + "items": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType" + }, + "description": "Assets affected by this weakness" + }, + "exploitationDifficulty": { + "type": "string", + "enum": [ + "trivial", + "easy", + "moderate", + "difficult", + "impractical" + ], + "description": "Difficulty of 
exploiting this weakness" + }, + "detectionMethods": { + "type": "array", + "items": { + "$ref": "#/$defs/cyclonedx-threat-2.0/$defs/detectionMethod" + }, + "description": "Methods for detecting this weakness" } } - } - } - }, - "cyclonedx-release-notes-2.0": { - "type": "null", - "title": "CycloneDX Release Notes Model", - "$defs": { - "releaseNotes": { + }, + "weaknessReference": { "type": "object", - "title": "Release notes", - "required": [ - "type" - ], "additionalProperties": false, "properties": { - "type": { - "$ref": "#/$defs/cyclonedx-release-notes-2.0/$defs/releaseType", - "title": "Type", - "description": "The software versioning type the release note describes." + "weaknessRef": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType", + "description": "Reference to weakness" }, - "title": { + "cweId": { + "type": "integer", + "description": "CWE ID if not referencing internal weakness" + }, + "instance": { "type": "string", - "title": "Title", - "description": "The title of the release." + "description": "Specific instance or manifestation of the weakness" + } + } + }, + "exploitability": { + "type": "object", + "additionalProperties": false, + "properties": { + "level": { + "type": "string", + "enum": [ + "theoretical", + "proof-of-concept", + "functional", + "weaponized" + ], + "meta:enum": { + "theoretical": "Theoretically possible but not demonstrated", + "proof-of-concept": "Proof of concept exists", + "functional": "Functional exploit exists", + "weaponized": "Weaponized exploit in the wild" + } }, - "featuredImage": { + "complexity": { "type": "string", - "format": "iri-reference", - "title": "Featured image", - "description": "The URL to an image that may be prominently displayed with the release note." 
+ "enum": [ + "trivial", + "low", + "medium", + "high", + "very-high" + ], + "description": "Complexity to exploit" }, - "socialImage": { + "skillRequired": { "type": "string", - "format": "iri-reference", - "title": "Social image", - "description": "The URL to an image that may be used in messaging on social media platforms." + "enum": [ + "none", + "basic", + "intermediate", + "advanced", + "expert" + ], + "description": "Skill level required" }, - "description": { + "toolsRequired": { + "type": "array", + "items": { + "type": "string" + }, + "description": "Tools required for exploitation" + }, + "timeRequired": { "type": "string", - "title": "Description", - "description": "A short description of the release." + "description": "Estimated time to develop exploit" }, - "timestamp": { + "reliability": { "type": "string", - "format": "date-time", - "title": "Timestamp", - "description": "The date and time (timestamp) when the release note was created." + "enum": [ + "unreliable", + "occasional", + "reliable", + "highly-reliable" + ], + "description": "Reliability of exploitation" }, - "aliases": { + "automatable": { + "type": "boolean", + "description": "Whether exploitation can be automated" + } + } + }, + "indicators": { + "type": "object", + "additionalProperties": false, + "properties": { + "compromise": { "type": "array", "items": { "type": "string" }, - "title": "Aliases", - "description": "One or more alternate names the release may be referred to. This may include unofficial terms used by development and marketing teams (e.g. code names)." 
+ "description": "Indicators of compromise" }, - "tags": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/tags", - "title": "Tags" + "attack": { + "type": "array", + "items": { + "type": "string" + }, + "description": "Indicators of attack" }, - "resolves": { + "behavioral": { "type": "array", "items": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/issue" + "type": "string" }, - "title": "Resolves", - "description": "A collection of issues that have been resolved." + "description": "Behavioral indicators" }, - "notes": { + "signatures": { "type": "array", "items": { - "$ref": "#/$defs/cyclonedx-release-notes-2.0/$defs/note" + "$ref": "#/$defs/cyclonedx-threat-2.0/$defs/signature" }, - "title": "Notes", - "description": "Zero or more release notes containing the locale and content. Multiple note objects may be specified to support release notes in a wide variety of languages." + "description": "Detection signatures" + } + } + }, + "signature": { + "type": "object", + "required": [ + "type", + "value" + ], + "additionalProperties": false, + "properties": { + "type": { + "type": "string", + "enum": [ + "yara", + "snort", + "regex", + "hash", + "behavior" + ], + "description": "Type of signature" + }, + "value": { + "type": "string", + "description": "Signature value or pattern" + }, + "description": { + "type": "string", + "description": "Description of what the signature detects" }, - "properties": { - "type": "array", - "title": "Properties", - "description": "Provides the ability to document properties in a name-value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. Unlike key-value stores, properties support duplicate names, each potentially having different values. Property names of interest to the general public are encouraged to be registered in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy). 
Formal registration is optional.", - "items": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/property" - } + "confidence": { + "type": "string", + "enum": [ + "low", + "medium", + "high" + ], + "description": "Confidence level of detection" } } }, - "releaseType": { - "type": "string", - "examples": [ - "major", - "minor", - "patch", - "pre-release", - "internal" - ], - "description": "The software versioning type. It is recommended that the release type use one of 'major', 'minor', 'patch', 'pre-release', or 'internal'. Representing all possible software release types is not practical, so standardizing on the recommended values, whenever possible, is strongly encouraged.\n\n* __major__ = A major release may contain significant changes or may introduce breaking changes.\n* __minor__ = A minor release, also known as an update, may contain a smaller number of changes than major releases.\n* __patch__ = Patch releases are typically unplanned and may resolve defects or important security issues.\n* __pre-release__ = A pre-release may include alpha, beta, or release candidates and typically have limited support. They provide the ability to preview a release prior to its general availability.\n* __internal__ = Internal releases are not for public consumption and are intended to be used exclusively by the project or manufacturer that produced it." - }, - "note": { + "ttp": { "type": "object", - "title": "Note", - "description": "A note containing the locale and content.", - "required": [ - "text" - ], "additionalProperties": false, "properties": { - "locale": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/locale", - "title": "Locale", - "description": "The ISO-639 (or higher) language code and optional ISO-3166 (or higher) country code. 
Examples include: \"en\", \"en-US\", \"fr\" and \"fr-CA\"" + "tactic": { + "type": "string", + "description": "High-level tactic" }, - "text": { - "title": "Release note content", - "description": "Specifies the full content of the release note.", - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/attachment" + "technique": { + "$ref": "#/$defs/cyclonedx-threat-2.0/$defs/technique" + }, + "procedure": { + "type": "string", + "description": "Specific implementation" + }, + "tools": { + "type": "array", + "items": { + "$ref": "#/$defs/cyclonedx-threat-2.0/$defs/tool" + }, + "description": "Tools used" + }, + "infrastructure": { + "type": "array", + "items": { + "type": "string" + }, + "description": "Infrastructure used" } } - } - } - }, - "cyclonedx-service-2.0": { - "type": "null", - "title": "CycloneDX Service Model", - "$defs": { - "services": { - "type": "array", - "items": { - "$ref": "#/$defs/cyclonedx-service-2.0/$defs/service" - }, - "uniqueItems": true, - "title": "Services" }, - "service": { + "tool": { "type": "object", - "title": "Service", "required": [ "name" ], "additionalProperties": false, "properties": { - "bom-ref": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType", - "title": "BOM Reference", - "description": "An identifier which can be used to reference the service elsewhere in the BOM. Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links." - }, - "provider": { - "title": "Provider", - "description": "The organization that provides the service.", - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity" - }, - "group": { + "name": { "type": "string", - "title": "Service Group", - "description": "The grouping name, namespace, or identifier. This will often be a shortened, single name of the company or project that produced the service or domain name. 
Whitespace and special characters should be avoided.", - "examples": [ - "com.acme" - ] + "description": "Tool name" }, - "name": { + "type": { "type": "string", - "title": "Service Name", - "description": "The name of the service. This will often be a shortened, single name of the service.", - "examples": [ - "ticker-service" - ] + "enum": [ + "exploit", + "scanner", + "fuzzer", + "proxy", + "framework", + "custom" + ], + "description": "Type of tool" }, "version": { - "$ref": "#/$defs/cyclonedx-component-2.0/$defs/version", - "title": "Service Version", - "description": "The service version." - }, - "description": { "type": "string", - "title": "Service Description", - "description": "Specifies a description for the service" + "description": "Tool version" }, - "endpoints": { + "capabilities": { "type": "array", "items": { - "type": "string", - "format": "iri-reference" + "type": "string" }, - "title": "Endpoints", - "description": "The endpoint URIs of the service. Multiple endpoints are allowed.", - "examples": [ - "https://example.com/api/v1/ticker" - ] - }, - "authenticated": { - "type": "boolean", - "title": "Authentication Required", - "description": "A boolean value indicating if the service requires authentication. A value of true indicates the service requires authentication prior to use. A value of false indicates the service does not require authentication." - }, - "x-trust-boundary": { - "type": "boolean", - "title": "Crosses Trust Boundary", - "description": "A boolean value indicating if use of the service crosses a trust zone or boundary. A value of true indicates that by using the service, a trust boundary is crossed. A value of false indicates that by using the service, a trust boundary is not crossed." - }, - "trustZone": { - "type": "string", - "title": "Trust Zone", - "description": "The name of the trust zone the service resides in." 
- }, - "data": { + "description": "Tool capabilities" + } + } + }, + "targeting": { + "type": "object", + "additionalProperties": false, + "properties": { + "sectors": { "type": "array", "items": { - "$ref": "#/$defs/cyclonedx-service-2.0/$defs/serviceData" + "type": "string" }, - "title": "Data", - "description": "Specifies information about the data including the directional flow of data and the data classification." - }, - "licenses": { - "$ref": "#/$defs/cyclonedx-license-2.0/$defs/licenseChoice", - "title": "Service License(s)" - }, - "patentAssertions": { - "$ref": "#/$defs/cyclonedx-patent-2.0/$defs/patentAssertions", - "title": "Service Patent(s)" - }, - "externalReferences": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/externalReferences" + "description": "Targeted sectors or industries" }, - "services": { + "regions": { "type": "array", "items": { - "$ref": "#/$defs/cyclonedx-service-2.0/$defs/service" + "type": "string" }, - "uniqueItems": true, - "title": "Services", - "description": "A list of services included or deployed behind the parent service. This is not a dependency tree. It provides a way to specify a hierarchical representation of service assemblies." - }, - "releaseNotes": { - "$ref": "#/$defs/cyclonedx-release-notes-2.0/$defs/releaseNotes", - "title": "Release notes", - "description": "Specifies release notes." - }, - "properties": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/properties" + "description": "Targeted geographic regions" }, - "tags": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/tags", - "title": "Tags" + "technologies": { + "type": "array", + "items": { + "type": "string" + }, + "description": "Targeted technologies or platforms" }, - "signature": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/signature", - "title": "Signature", - "description": "Enveloped signature in [JSON Signature Format (JSF)](https://cyberphone.github.io/doc/security/jsf.html)." 
+ "dataTypes": { + "type": "array", + "items": { + "type": "string" + }, + "description": "Types of data targeted" } } }, - "serviceData": { + "detectionMethod": { "type": "object", - "title": "Hash Objects", "required": [ - "flow", - "classification" + "method" ], "additionalProperties": false, "properties": { - "flow": { - "$ref": "#/$defs/cyclonedx-data-2.0/$defs/dataFlowDirection", - "title": "Directional Flow", - "description": "Specifies the flow direction of the data. Direction is relative to the service. Inbound flow states that data enters the service. Outbound flow states that data leaves the service. Bi-directional states that data flows both ways and unknown states that the direction is not known." - }, - "classification": { - "$ref": "#/$defs/cyclonedx-data-2.0/$defs/dataClassification" - }, - "name": { + "method": { "type": "string", - "title": "Name", - "description": "Name for the defined data", - "examples": [ - "Credit card reporting" - ] + "enum": [ + "static-analysis", + "dynamic-analysis", + "penetration-test", + "code-review", + "architecture-review", + "automated-scan" + ], + "description": "Detection method type" }, "description": { "type": "string", - "title": "Description", - "description": "Short description of the data content and usage", - "examples": [ - "Credit card information being exchanged in between the web app and the database" - ] - }, - "governance": { - "title": "Data Governance", - "$ref": "#/$defs/cyclonedx-data-2.0/$defs/dataGovernance" + "description": "Description of the detection method" }, - "source": { - "type": "array", - "items": { - "anyOf": [ - { - "title": "URL", - "type": "string", - "format": "iri-reference" - }, - { - "title": "BOM-Link Element", - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/bomLinkElementType" - } - ] - }, - "title": "Source", - "description": "The URI, URL, or BOM-Link of the components or services the data came in from" + "effectiveness": { + "type": "string", + "enum": [ + "low", + 
"medium", + "high" + ], + "description": "Effectiveness of the method" }, - "destination": { + "tools": { "type": "array", "items": { - "anyOf": [ - { - "title": "URL", - "type": "string", - "format": "iri-reference" - }, - { - "title": "BOM-Link Element", - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/bomLinkElementType" - } - ] + "type": "string" }, - "title": "Destination", - "description": "The URI, URL, or BOM-Link of the components or services the data is sent to" - } - } - } - } - }, - "cyclonedx-standard-2.0": { - "type": "null", - "title": "CycloneDX Standard Model", - "$defs": { - "standards": { - "type": "array", - "title": "Standards", - "description": "The list of standards which may consist of regulations, industry or organizational-specific standards, maturity models, best practices, or any other requirements which can be evaluated against or attested to.", - "items": { - "$ref": "#/$defs/cyclonedx-standard-2.0/$defs/standard" + "description": "Tools that implement this method" + } } }, - "standard": { + "securityPolicy": { "type": "object", - "title": "Standard", - "description": "A standard may consist of regulations, industry or organizational-specific standards, maturity models, best practices, or any other requirements which can be evaluated against or attested to.", + "required": [ + "bom-ref", + "name", + "type" + ], "additionalProperties": false, "properties": { "bom-ref": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType", - "title": "BOM Reference", - "description": "An identifier which can be used to reference the object elsewhere in the BOM. Every `bom-ref` must be unique within the BOM." + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType" }, "name": { "type": "string", - "title": "Name", - "description": "The name of the standard. This will often be a shortened, single name of the standard." 
+ "description": "Policy name" }, - "version": { + "type": { "type": "string", - "title": "Version", - "description": "The version of the standard." + "enum": [ + "access-control", + "data-protection", + "network-security", + "application-security", + "operational-security", + "compliance" + ], + "description": "Type of security policy" }, "description": { "type": "string", - "title": "Description", - "description": "The description of the standard." - }, - "owner": { - "type": "string", - "title": "Owner", - "description": "The owner of the standard, often the entity responsible for its release." + "description": "Policy description" }, "requirements": { - "$ref": "#/$defs/cyclonedx-standard-2.0/$defs/requirements" + "type": "array", + "items": { + "type": "string" + }, + "description": "Policy requirements" }, - "levels": { - "$ref": "#/$defs/cyclonedx-standard-2.0/$defs/levels" + "enforcement": { + "type": "string", + "enum": [ + "mandatory", + "recommended", + "optional" + ], + "description": "Enforcement level" }, - "externalReferences": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/externalReferences" + "appliesTo": { + "type": "array", + "items": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType" + }, + "description": "Assets this policy applies to" }, - "signature": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/signature", - "title": "Signature", - "description": "Enveloped signature in [JSON Signature Format (JSF)](https://cyberphone.github.io/doc/security/jsf.html)." 
+ "exceptions": { + "type": "array", + "items": { + "type": "string" + }, + "description": "Policy exceptions" } } }, - "requirements": { - "type": "array", - "title": "Requirements", - "description": "The list of requirements comprising the standard.", - "items": { - "$ref": "#/$defs/cyclonedx-standard-2.0/$defs/requirement" - } + "trustBoundary": { + "type": "object", + "allOf": [ + { + "$ref": "#/$defs/cyclonedx-blueprint-2.0/$defs/boundary" + }, + { + "properties": { + "trustLevel": { + "type": "string", + "enum": [ + "untrusted", + "semi-trusted", + "trusted", + "highly-trusted" + ], + "description": "Trust level differential" + }, + "securityRequirements": { + "$ref": "#/$defs/cyclonedx-threat-2.0/$defs/boundarySecurityRequirements" + }, + "threatsAtBoundary": { + "type": "array", + "items": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType" + }, + "description": "Threats that could exploit this boundary" + }, + "controlsAtBoundary": { + "type": "array", + "items": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType" + }, + "description": "Controls implemented at this boundary" + } + } + } + ] }, - "requirement": { + "boundarySecurityRequirements": { "type": "object", - "title": "Requirement", "additionalProperties": false, "properties": { - "bom-ref": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType", - "title": "BOM Reference", - "description": "An identifier which can be used to reference the object elsewhere in the BOM. Every `bom-ref` must be unique within the BOM." - }, - "identifier": { + "authenticationStrength": { "type": "string", - "title": "Identifier", - "description": "The unique identifier used in the standard to identify a specific requirement. This should match what is in the standard and should not be the requirements bom-ref." 
+ "enum": [ + "none", + "weak", + "moderate", + "strong", + "very-strong" + ], + "description": "Required authentication strength" }, - "title": { + "authorizationGranularity": { "type": "string", - "title": "Title", - "description": "The title of the requirement." + "enum": [ + "coarse", + "medium", + "fine", + "very-fine" + ], + "description": "Authorization granularity required" }, - "text": { + "integrityVerification": { + "type": "boolean", + "description": "Whether integrity verification is required" + }, + "confidentialityProtection": { + "type": "boolean", + "description": "Whether confidentiality protection is required" + }, + "auditingLevel": { "type": "string", - "title": "Text", - "description": "The textual content of the requirement." + "enum": [ + "none", + "basic", + "detailed", + "comprehensive" + ], + "description": "Level of auditing required" }, - "descriptions": { + "dataValidationRules": { "type": "array", - "title": "Descriptions", - "description": "The supplemental text that provides additional guidance or context to the requirement, but is not directly part of the requirement.", "items": { "type": "string" - } - }, - "openCre": { - "type": "array", - "title": "OWASP OpenCRE Identifier(s)", - "description": "The Common Requirements Enumeration (CRE) identifier(s). CRE is a structured and standardized framework for uniting security standards and guidelines. CRE links each section of a resource to a shared topic identifier (a Common Requirement). Through this shared topic link, all resources map to each other. Use of CRE promotes clear and unambiguous communication among stakeholders.", - "items": { - "type": "string", - "pattern": "^CRE:[0-9]+-[0-9]+$", - "examples": [ - "CRE:764-507" - ] - } - }, - "parent": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType", - "title": "Parent BOM Reference", - "description": "The `bom-ref` to a parent requirement. This establishes a hierarchy of requirements. 
Top-level requirements must not define a parent. Only child requirements should define parents." - }, - "properties": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/properties" - }, - "externalReferences": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/externalReferences" + }, + "description": "Data validation rules at boundary" } } + } + } + }, + "cyclonedx-usecase-2.0": { + "type": "null", + "title": "CycloneDX Use Case Model", + "properties": { + "bom-ref": { + "type": "string", + "title": "BOM Reference", + "description": "An optional identifier which can be used to reference the use case elsewhere in the BOM. Every bom-ref must be unique within the BOM." }, - "levels": { + "name": { + "type": "string", + "title": "Name", + "description": "The name or title of the use case." + }, + "description": { + "type": "string", + "title": "Description", + "description": "A detailed description of the use case." + }, + "actors": { "type": "array", - "title": "Levels", - "description": "The list of levels associated with the standard. 
Some standards have different levels of compliance.", + "title": "Actors", + "description": "The stakeholders or users who interact with the system in this use case.", "items": { - "$ref": "#/$defs/cyclonedx-standard-2.0/$defs/level" + "type": "string" } }, - "level": { + "preconditions": { + "type": "array", + "title": "Preconditions", + "description": "Conditions that must be true before the use case can be executed.", + "items": { + "type": "string" + } + }, + "postconditions": { + "type": "array", + "title": "Postconditions", + "description": "Conditions that will be true after the use case has been successfully executed.", + "items": { + "type": "string" + } + }, + "mainFlow": { + "type": "array", + "title": "Main Flow", + "description": "The primary sequence of steps that describe the use case.", + "items": { + "$ref": "#/$defs/cyclonedx-usecase-2.0/$defs/step" + } + }, + "alternativeFlows": { + "type": "array", + "title": "Alternative Flows", + "description": "Alternative sequences of steps that may occur in the use case.", + "items": { + "$ref": "#/$defs/cyclonedx-usecase-2.0/$defs/flow" + } + }, + "exceptions": { + "type": "array", + "title": "Exceptions", + "description": "Error scenarios that may occur during the execution of the use case.", + "items": { + "$ref": "#/$defs/cyclonedx-usecase-2.0/$defs/exception" + } + }, + "successCriteria": { + "type": "array", + "title": "Success Criteria", + "description": "Criteria that determine whether the use case has been successfully executed.", + "items": { + "type": "string" + } + }, + "notes": { + "type": "array", + "title": "Notes", + "description": "Additional information or comments about the use case.", + "items": { + "type": "string" + } + }, + "properties": { + "type": "array", + "title": "Properties", + "description": "Provides the ability to document properties in a name-value store. 
This provides flexibility to include data not officially supported in the standard.", + "items": { + "$ref": "#/$defs/cyclonedx-usecase-2.0/$defs/property" + } + } + }, + "$defs": { + "step": { "type": "object", - "title": "Level", + "title": "Step", + "description": "A single step in a use case flow.", "additionalProperties": false, "properties": { - "bom-ref": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType", - "title": "BOM Reference", - "description": "An identifier which can be used to reference the object elsewhere in the BOM. Every `bom-ref` must be unique within the BOM." + "number": { + "type": "integer", + "title": "Number", + "description": "The sequence number of the step." }, - "identifier": { + "description": { "type": "string", - "title": "Identifier", - "description": "The identifier used in the standard to identify a specific level." + "title": "Description", + "description": "A description of the step." }, - "title": { + "actor": { "type": "string", - "title": "Title", - "description": "The title of the level." + "title": "Actor", + "description": "The actor who performs this step." + } + } + }, + "flow": { + "type": "object", + "title": "Flow", + "description": "A sequence of steps in a use case.", + "additionalProperties": false, + "properties": { + "name": { + "type": "string", + "title": "Name", + "description": "The name of the flow." }, "description": { "type": "string", "title": "Description", - "description": "The description of the level." + "description": "A description of the flow." }, - "requirements": { + "condition": { + "type": "string", + "title": "Condition", + "description": "The condition under which this alternative flow is executed." 
+ }, + "steps": { "type": "array", - "title": "Requirements", - "description": "The list of requirement `bom-ref`s that comprise the level.", + "title": "Steps", + "description": "The sequence of steps in the flow.", "items": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType" + "$ref": "#/$defs/cyclonedx-usecase-2.0/$defs/step" } } } + }, + "exception": { + "type": "object", + "title": "Exception", + "description": "An error scenario in a use case.", + "additionalProperties": false, + "properties": { + "name": { + "type": "string", + "title": "Name", + "description": "The name of the exception." + }, + "description": { + "type": "string", + "title": "Description", + "description": "A description of the exception." + }, + "condition": { + "type": "string", + "title": "Condition", + "description": "The condition under which this exception occurs." + }, + "handling": { + "type": "string", + "title": "Handling", + "description": "How the exception is handled." + } + } + }, + "property": { + "type": "object", + "title": "Property", + "description": "A name-value property.", + "additionalProperties": false, + "required": [ + "name", + "value" + ], + "properties": { + "name": { + "type": "string", + "title": "Name", + "description": "The name of the property." + }, + "value": { + "type": "string", + "title": "Value", + "description": "The value of the property." + } + } } } },
diff --git a/schema/2.0/model/cyclonedx-behavior-2.0.schema.json b/schema/2.0/model/cyclonedx-behavior-2.0.schema.json
new file mode 100644
index 00000000..58f0914e
--- /dev/null
+++ b/schema/2.0/model/cyclonedx-behavior-2.0.schema.json
@@ -0,0 +1,1688 @@
+{
+ "$schema": "https://json-schema.org/draft/2020-12/schema",
+ "$id": "https://cyclonedx.org/schema/2.0/model/cyclonedx-behavior-2.0.schema.json",
+ "type": "null",
+ "title": "CycloneDX Behavior Model",
+ "$comment" : "OWASP CycloneDX is an Ecma International standard (ECMA-424) developed in collaboration between the OWASP Foundation and Ecma Technical Committee 54 (TC54). The standard is published under a royalty-free patent policy. This JSON schema is the reference implementation and is licensed under the Apache License 2.0.",
+ "properties": {
+ "behaviors": {
+ "$ref": "#/$defs/behaviors"
+ }
+ },
+ "$defs": {
+ "trigger": {
+ "type": "string",
+ "title": "Trigger",
+ "description": "The condition or event that initiates a behavior.",
+ "enum": [
+ "startup",
+ "shutdown",
+ "scheduled",
+ "event-driven",
+ "user-initiated",
+ "api-call",
+ "signal",
+ "condition-based",
+ "continuous",
+ "on-demand",
+ "unknown"
+ ],
+ "meta:enum": {
+ "startup": "Triggered during system or component initialisation.",
+ "shutdown": "Triggered during system or component termination.",
+ "scheduled": "Triggered at predetermined times or intervals.",
+ "event-driven": "Triggered in response to a specific event.",
+ "user-initiated": "Triggered by explicit user action.",
+ "api-call": "Triggered by an API invocation.",
+ "signal": "Triggered by a system or inter-process signal.",
+ "condition-based": "Triggered when specific conditions are met.",
+ "continuous": "Runs continuously during normal operation.",
+ "on-demand": "Triggered on demand as needed.",
+ "unknown": "The trigger mechanism is not known."
+ }
+ },
+ "ordering": {
+ "type": "string",
+ "title": "Ordering",
+ "description": "Execution semantics for steps within a flow.",
+ "default": "sequential",
+ "enum": [
+ "sequential",
+ "unordered",
+ "parallel",
+ "conditional"
+ ],
+ "meta:enum": {
+ "sequential": "Steps execute in ordinal order. Each completes before the next begins.",
+ "unordered": "All steps execute, but order is not guaranteed.",
+ "parallel": "Steps may execute concurrently.",
+ "conditional": "Step execution is determined by runtime conditions."
+ }
+ },
+ "acknowledgment": {
+ "type": "array",
+ "title": "Acknowledgment",
+ "description": "Indicates how the behavior or flow was identified. Multiple values indicate the behavior was both declared and observed.",
+ "uniqueItems": true,
+ "items": {
+ "type": "string",
+ "enum": [
+ "declared",
+ "observed"
+ ],
+ "meta:enum": {
+ "declared": "The behavior was explicitly declared, designed, or expected. Typically used for threat modelling, security requirements, and architectural documentation.",
+ "observed": "The behavior was observed, detected, or measured during analysis or runtime. Typically used for anomaly detection, incident response, and behavioural analysis."
+ }
+ }
+ },
+ "behaviors": {
+ "type": "object",
+ "title": "Behaviors",
+ "description": "Behaviors performed by objects within the BOM.",
+ "additionalProperties": false,
+ "properties": {
+ "instances": {
+ "type": "array",
+ "title": "Instances",
+ "description": "Individual behavior instances.",
+ "uniqueItems": true,
+ "items": {
+ "$ref": "#/$defs/behaviorInstance"
+ }
+ },
+ "flows": {
+ "type": "array",
+ "title": "Flows",
+ "description": "Behavior flows that organise behaviors into operational patterns.",
+ "uniqueItems": true,
+ "items": {
+ "$ref": "#/$defs/behaviorFlow"
+ }
+ }
+ }
+ },
+ "behaviorInstance": {
+ "type": "object",
+ "title": "Behavior Instance",
+ "description": "A behavior performed by one or more objects within the BOM.",
+ "additionalProperties": false,
+ "required": ["bom-ref", "behavior"],
+ "properties": {
+ "bom-ref": {
+ "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType"
+ },
+ "behavior": {
+ "$ref": "cyclonedx-behavior-2.0.schema.json#/$defs/behavior",
+ "title": "Behavior",
+ "description": "The behavior from the taxonomy."
+ },
+ "acknowledgment": {
+ "$ref": "#/$defs/acknowledgment"
+ },
+ "trigger": {
+ "$ref": "#/$defs/trigger"
+ },
+ "actors": {
+ "type": "array",
+ "title": "Actors",
+ "description": "References to objects that perform this behavior.",
+ "uniqueItems": true,
+ "items": {
+ "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType"
+ }
+ },
+ "targets": {
+ "type": "array",
+ "title": "Targets",
+ "description": "References to objects affected by this behavior.",
+ "uniqueItems": true,
+ "items": {
+ "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType"
+ }
+ }
+ }
+ },
+ "behaviorFlow": {
+ "type": "object",
+ "title": "Behavior Flow",
+ "description": "An organised collection of behaviors forming a coherent process.",
+ "additionalProperties": false,
+ "required": ["bom-ref", "steps"],
+ "properties": {
+ "bom-ref": {
+ "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType"
+ },
+ "acknowledgment": {
+ "$ref": "#/$defs/acknowledgment"
+ },
+ "ordering": {
+ "$ref": "#/$defs/ordering"
+ },
+ "trigger": {
+ "$ref": "#/$defs/trigger"
+ },
+ "steps": {
+ "type": "array",
+ "title": "Steps",
+ "description": "The steps that comprise this flow.",
+ "minItems": 1,
+ "items": {
+ "$ref": "#/$defs/flowStep"
+ }
+ }
+ },
+ "allOf": [
+ {
+ "if": {
+ "anyOf": [
+ { "properties": { "ordering": { "const": "sequential" } }, "required": ["ordering"] },
+ { "not": { "required": ["ordering"] } }
+ ]
+ },
+ "then": {
+ "properties": {
+ "steps": {
+ "items": {
+ "required": ["ordinal"]
+ }
+ }
+ }
+ }
+ }
+ ]
+ },
+ "flowStep": {
+ "type": "object",
+ "title": "Flow Step",
+ "description": "A single step within a behavior flow.",
+ "additionalProperties": false,
+ "properties": {
+ "ordinal": {
+ "type": "integer",
+ "title": "Ordinal",
+ "description": "Position within the flow. Required when ordering is 'sequential' or omitted.",
+ "minimum": 1
+ },
+ "behavior": {
+ "$ref": "cyclonedx-behavior-2.0.schema.json#/$defs/behavior",
+ "title": "Behavior",
+ "description": "The behavior performed in this step. Mutually exclusive with 'ref' and 'flow'."
+ },
+ "trigger": {
+ "$ref": "#/$defs/trigger"
+ },
+ "ref": {
+ "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType",
+ "title": "Behavior Reference",
+ "description": "Reference to a behavior instance. Mutually exclusive with 'behavior' and 'flow'."
+ },
+ "flow": {
+ "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType",
+ "title": "Flow Reference",
+ "description": "Reference to a nested flow. Mutually exclusive with 'behavior' and 'ref'."
+ },
+ "actors": {
+ "type": "array",
+ "title": "Actors",
+ "description": "References to objects that perform this step.",
+ "uniqueItems": true,
+ "items": {
+ "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType"
+ }
+ },
+ "targets": {
+ "type": "array",
+ "title": "Targets",
+ "description": "References to objects affected by this step.",
+ "uniqueItems": true,
+ "items": {
+ "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType"
+ }
+ }
+ },
+ "oneOf": [
+ { "required": ["behavior"] },
+ { "required": ["ref"] },
+ { "required": ["flow"] }
+ ]
+ },
+ "behavior": {
+ "type": "string",
+ "title": "Behavior",
+ "description": "Specifies an action performed by an entity that may have security, privacy, safety, or operational implications. Values may represent a domain, a category within a domain, or a specific behavior within a category.",
+ "enum": [
+ "ai",
+ "ai:agent",
+ "ai:agent:actsOnBehalfOfUser",
+ "ai:agent:coordinatesAgents",
+ "ai:agent:delegatesTask",
+ "ai:agent:executesAction",
+ "ai:agent:invokesTool",
+ "ai:agent:observesResult",
+ "ai:agent:plansAction",
+ "ai:agent:receivesHumanDelegation",
+ "ai:agent:reflectsOnResult",
+ "ai:agent:reportsDelegatedAction",
+ "ai:agent:requestsUserApproval",
+ "ai:agent:returnsDelegation",
+ "ai:agent:revisesPlan",
+ "ai:explainability",
+ "ai:explainability:attributesFeatures",
+ "ai:explainability:documentsModel",
+ "ai:explainability:explainsDecision",
+ "ai:explainability:tracesPrediction",
+ "ai:explainability:visualizesModel",
+ "ai:fairness",
+ "ai:fairness:auditsModelFairness",
+ "ai:fairness:calculatesFairnessMetric",
+ "ai:fairness:detectsBias",
+ "ai:fairness:handlesProtectedAttribute",
+ "ai:fairness:mitigatesBias",
+ "ai:generative",
+ "ai:generative:citesSource",
+ "ai:generative:filtersOutput",
+ "ai:generative:generatesAudio",
+ "ai:generative:generatesCode",
+ "ai:generative:generatesEmbedding",
+ "ai:generative:generatesImage",
+ "ai:generative:generatesText",
+ "ai:generative:mitigatesHallucination",
+ "ai:generative:processesPrompt",
+ "ai:generative:streamsResponse",
+ "ai:inference",
+ "ai:inference:appliesThreshold",
+ "ai:inference:batchesInference",
+ "ai:inference:cachesPrediction",
+ "ai:inference:ensemblesModels",
+ "ai:inference:generatesPrediction",
+ "ai:inference:infersInRealTime",
+ "ai:inference:ranksResults",
+ "ai:inference:scoresConfidence",
+ "ai:management",
+ "ai:management:comparesModels",
+ "ai:management:deploysModel",
+ "ai:management:loadsModel",
+ "ai:management:monitorsModel",
+ "ai:management:retiresModel",
+ "ai:management:rollsBackModel",
+ "ai:management:unloadsModel",
+ "ai:management:versionsModel",
+ "ai:quality",
+ "ai:quality:detectsConceptDrift",
+ "ai:quality:detectsDataDrift",
+ "ai:quality:detectsOutlier",
+ "ai:quality:engineersFeatures",
+ "ai:quality:selectsFeatures",
+ "ai:quality:validatesInputData",
+ "ai:robustness",
+ "ai:robustness:defendsAgainstAdversarial",
+ "ai:robustness:detectsAdversarialInput",
+ "ai:robustness:detectsOutOfDistribution",
+ "ai:robustness:estimatesUncertainty",
+ "ai:robustness:validatesRobustness",
+ "ai:training",
+ "ai:training:appliesTransferLearning",
+ "ai:training:checkpointsModel",
+ "ai:training:fineTunesModel",
+ "ai:training:ingestsTrainingData",
+ "ai:training:preprocessesTrainingData",
+ "ai:training:trainsFederatedly",
+ "ai:training:trainsModel",
+ "ai:training:tunesHyperparameters",
+ "ai:training:validatesModel",
+ "ai:training:validatesTrainingData",
+ "application",
+ "application:codeExecution",
+ "application:codeExecution:compilesCode",
+ "application:codeExecution:evaluatesExpression",
+ "application:codeExecution:executesNativeCommand",
+ "application:codeExecution:executesScript",
+ "application:codeExecution:interpretsCode",
+ "application:codeExecution:invokesViaReflection",
+ "application:codeExecution:loadsCodeDynamically",
+ "application:configuration",
+ "application:configuration:detectsEnvironment",
+ "application:configuration:evaluatesFeatureFlag",
+ "application:configuration:loadsConfiguration",
+ "application:configuration:reloadsConfiguration",
+ "application:controlFlow",
+ "application:controlFlow:awaitsAsyncResult",
+ "application:controlFlow:catchesException",
+ "application:controlFlow:emitsEvent",
+ "application:controlFlow:handlesEvent",
+ "application:controlFlow:invokesCallback",
+ "application:controlFlow:invokesHandler",
+ "application:controlFlow:invokesMiddleware",
+ "application:controlFlow:schedulesAsyncOperation",
+ "application:controlFlow:throwsException",
+ "application:dependencyManagement",
+ "application:dependencyManagement:closesCircuitBreaker",
+ "application:dependencyManagement:fallsBack",
+ "application:dependencyManagement:injectsDependency",
+ "application:dependencyManagement:opensCircuitBreaker",
+ "application:dependencyManagement:resolvesDependency",
+ "application:externalIntegration",
+ "application:externalIntegration:callsExternalService",
+ "application:externalIntegration:consumesEvent",
+ "application:externalIntegration:publishesEvent",
+ "application:externalIntegration:receivesWebhook",
+ "application:observability",
+ "application:observability:emitsTelemetry",
+ "application:observability:logsOperation",
+ "application:observability:recordsMetric",
+ "application:observability:reportsHealth",
+ "application:observability:tracesRequest",
+ "application:requestHandling",
+ "application:requestHandling:authenticatesRequest",
+ "application:requestHandling:authorizesRequest",
+ "application:requestHandling:bindsParameters",
+ "application:requestHandling:parsesRequest",
+ "application:requestHandling:receivesHttpRequest",
+ "application:requestHandling:rejectsRequest",
+ "application:requestHandling:routesRequest",
+ "application:requestHandling:validatesRequest",
+ "application:responseGeneration",
+ "application:responseGeneration:generatesResponse",
+ "application:responseGeneration:readsCookie",
+ "application:responseGeneration:redirectsRequest",
+ "application:responseGeneration:returnsError",
+ "application:responseGeneration:returnsSuccess",
+ "application:responseGeneration:sendsHttpResponse",
+ "application:responseGeneration:setsCookie",
+ "application:responseGeneration:setsHeader",
+ "application:stateManagement",
+ "application:stateManagement:acquiresLock",
+ "application:stateManagement:beginsTransaction",
+ "application:stateManagement:commitsTransaction",
+ "application:stateManagement:createsSessionState",
+ "application:stateManagement:destroysSessionState",
+ "application:stateManagement:readsSessionState",
+ "application:stateManagement:releasesLock",
+ "application:stateManagement:rollsBackTransaction",
+ "application:stateManagement:synchronizesState",
+ "application:stateManagement:updatesSessionState",
+ "data",
+ "data:encoding",
+ "data:encoding:appliesXor",
+ "data:encoding:decodesBaseSixtyFour",
+ "data:encoding:decodesUrl",
+ "data:encoding:encodesBaseSixtyFour",
+ "data:encoding:encodesUrl",
+ "data:ingestion",
+ "data:ingestion:pollsSource",
+ "data:ingestion:readsFile",
+ "data:ingestion:readsStream",
+ "data:ingestion:receivesInput",
+ "data:ingestion:receivesMessage",
+ "data:ingestion:receivesRequest",
+ "data:ingestion:subscribesToFeed",
+ "data:output",
+ "data:output:formatsResponse",
+ "data:output:producesOutput",
+ "data:output:publishesMessage",
+ "data:output:rendersTemplate",
+ "data:output:sendsResponse",
+ "data:output:serializesObject",
+ "data:output:streamsOutput",
+ "data:output:writesFile",
+ "data:parsing",
+ "data:parsing:decodesData",
+ "data:parsing:deserializesObject",
+ "data:parsing:extractsFields",
+ "data:parsing:parsesData",
+ "data:parsing:parsesHtml",
+ "data:parsing:parsesJson",
+ "data:parsing:parsesXml",
+ "data:query",
+ "data:query:executesLdapQuery",
+ "data:query:executesNoSqlQuery",
+ "data:query:executesSearch",
+ "data:query:executesSql",
+ "data:query:executesXPath",
+ "data:query:queriesData",
+ "data:storage",
+ "data:storage:cachesData",
+ "data:storage:deletesData",
+ "data:storage:flushesCache",
+ "data:storage:invalidatesCache",
+ "data:storage:retrievesData",
+ "data:storage:storesData",
+ "data:storage:updatesData",
+ "data:transformation",
+ "data:transformation:aggregatesData",
+ "data:transformation:compressesData",
+ "data:transformation:decompressesData",
+ "data:transformation:encodesData",
+ "data:transformation:enrichesData",
+ "data:transformation:filtersData",
+ "data:transformation:joinsData",
+ "data:transformation:mapsData",
+ "data:transformation:normalizesData",
+ "data:transformation:sortsData",
+ "data:transformation:transformsData",
+ "evasion",
+ "evasion:analysisResistance",
+ "evasion:analysisResistance:detectsAnalysisTool",
+ "evasion:analysisResistance:detectsDebugger",
+ "evasion:analysisResistance:detectsEmulator",
+ "evasion:analysisResistance:detectsSandbox",
+ "evasion:analysisResistance:detectsVirtualMachine",
+ "evasion:analysisResistance:evadesDebugger",
+ "evasion:analysisResistance:evadesEmulator",
+ "evasion:analysisResistance:evadesSandbox",
+ "evasion:analysisResistance:evadesVirtualMachine",
+ "evasion:analysisResistance:usesTimingEvasion",
+ "evasion:antiSecurity",
+ "evasion:antiSecurity:detectsAntivirus",
+ "evasion:antiSecurity:disablesSecuritySoftware",
+ "evasion:antiSecurity:evadesAntivirus",
+ "evasion:antiSecurity:terminatesSecurityProcess",
+ "evasion:indirection",
+ "evasion:indirection:resolvesApiDynamically",
+ "evasion:indirection:usesIndirectCalls",
+ "evasion:indirection:usesProxyExecution",
+ "evasion:obfuscation",
+ "evasion:obfuscation:obfuscatesCode",
+ "evasion:obfuscation:obfuscatesControlFlow",
+ "evasion:obfuscation:obfuscatesData",
+ "evasion:obfuscation:obfuscatesStrings",
+ "evasion:obfuscation:packsCode",
+ "evasion:obfuscation:unpacksAtRuntime",
+ "file",
+ "file:directory",
+ "file:directory:changesDirectory",
+ "file:directory:createsDirectory",
+ "file:directory:deletesDirectory",
+ "file:directory:listsDirectory",
+ "file:directory:traversesDirectory",
+ "file:disk",
+ "file:disk:decryptsVolume",
+ "file:disk:encryptsVolume",
+ "file:disk:formatsVolume",
+ "file:disk:mountsVolume",
+ "file:disk:unmountsVolume",
+ "file:disk:wipesDisk",
+ "file:operations",
+ "file:operations:appendsToFile",
+ "file:operations:checksFileExistence",
+ "file:operations:closesFile",
+ "file:operations:copiesFile",
+ "file:operations:createsFile",
+ "file:operations:deletesFile",
+ "file:operations:getsFileAttributes",
+ "file:operations:movesFile",
+ "file:operations:opensFile",
+ "file:operations:readsFile",
+ "file:operations:renamesFile",
+ "file:operations:setsFileAttributes",
+ "file:operations:setsFilePermissions",
+ "file:operations:writesFile",
+ "gui",
+ "gui:display",
+ "gui:display:displaysData",
+ "gui:display:monitorsDisplay",
+ "gui:display:updatesDisplay",
+ "gui:session",
+ "gui:session:displaysLogin",
+ "gui:session:interactsWithSession",
+ "gui:session:switchesSession",
+ "gui:window",
+ "gui:window:capturesWindow",
+ "gui:window:createsWindow",
+ "gui:window:destroysWindow",
+ "gui:window:enumeratesWindows",
+ "gui:window:interactsWithTaskbar",
+ "gui:window:modifiesWindow",
+ "hardware",
+ "hardware:actuator",
+ "hardware:actuator:calibratesActuator",
+ "hardware:actuator:controlsBattery",
+ "hardware:actuator:controlsHeating",
+ "hardware:actuator:controlsLed",
+ "hardware:actuator:controlsMotor",
+ "hardware:actuator:controlsPower",
+ "hardware:actuator:controlsPump",
+ "hardware:actuator:controlsTemperature",
+ "hardware:boot",
+ "hardware:boot:entersRecoveryMode",
+ "hardware:boot:executesSecureBoot",
+ "hardware:boot:locksBootConfiguration",
+ "hardware:boot:modifiesBootConfiguration",
+ "hardware:boot:readsBootConfiguration",
+ "hardware:boot:recordsBootMeasurement",
+ "hardware:boot:verifiesBootLoader",
+ "hardware:firmware",
+ "hardware:firmware:monitorsFirmwareIntegrity",
+ "hardware:firmware:preventsFirmwareRollback",
+ "hardware:firmware:readsFirmwareVersion",
+ "hardware:firmware:updatesFirmware",
+ "hardware:firmware:verifiesFirmwareSignature",
+ "hardware:memory",
+ "hardware:memory:encryptsMemory",
+ "hardware:memory:isolatesMemory",
+ "hardware:memory:protectsStack",
+ "hardware:memory:randomizesAddressSpace",
+ "hardware:memory:readsProtectedMemory",
+ "hardware:memory:writesProtectedMemory",
+ "hardware:peripheral",
+ "hardware:peripheral:accessesCamera",
+ "hardware:peripheral:accessesDisplay",
+ "hardware:peripheral:accessesGpio",
+ "hardware:peripheral:accessesJtag",
+ "hardware:peripheral:accessesKeyboard",
+ "hardware:peripheral:accessesStorageDevice",
+ "hardware:peripheral:accessesUsbDevice",
+ "hardware:peripheral:configuresDma",
+ "hardware:peripheral:protectsDma",
+ "hardware:physicalSecurity",
+ "hardware:physicalSecurity:detectsPhysicalTamper",
+ "hardware:physicalSecurity:disablesDebugInterface",
+ "hardware:physicalSecurity:enablesDebugInterface",
+ "hardware:physicalSecurity:monitorsEnclosure",
+ "hardware:physicalSecurity:respondsToTamper",
+ "hardware:physicalSecurity:zeroizesKeys",
+ "hardware:security",
+ "hardware:security:anchorsInHardwareRoot",
+ "hardware:security:executesInTee",
+ "hardware:security:generatesPufResponse",
+ "hardware:security:usesHsm",
+ "hardware:security:usesSecureElement",
+ "hardware:sensor",
+ "hardware:sensor:calibratesSensor",
+ "hardware:sensor:readsBatteryStatus",
+ "hardware:sensor:readsBloodOxygen",
+ "hardware:sensor:readsBloodPressure",
+ "hardware:sensor:readsCoTwoLevel",
+ "hardware:sensor:readsEcg",
+ "hardware:sensor:readsPowerStatus",
+ "hardware:sensor:readsTemperature",
+ "hardware:sideChannelDefense",
+ "hardware:sideChannelDefense:controlsEmEmissions",
+ "hardware:sideChannelDefense:resistsFaultInjection",
+ "hardware:sideChannelDefense:resistsPowerAnalysis",
+ "hardware:sideChannelDefense:resistsTimingAnalysis",
+ "network",
+ "network:connection",
+ "network:connection:acceptsConnection",
+ "network:connection:detectsConnectionLoss",
+ "network:connection:establishesConnection",
+ "network:connection:reconnects",
+ "network:connection:reusesConnection",
+ "network:connection:sendsHeartbeat",
+ "network:connection:terminatesConnection",
+ "network:discovery",
+ "network:discovery:advertisesService",
+ "network:discovery:discoversService",
+ "network:discovery:enumeratesInterfaces",
+ "network:discovery:probesPort",
+ "network:discovery:queriesDns",
+ "network:discovery:resolvesName",
+ "network:discovery:scansNetwork",
+ "network:protocol",
+ "network:protocol:downgradesProtocol",
+ "network:protocol:framesMessage",
+ "network:protocol:negotiatesProtocol",
+ "network:protocol:parsesMessage",
+ "network:protocol:retransmitsMessage",
+ "network:protocol:upgradesProtocol",
+ "network:protocol:validatesMessage",
+ "network:remoteInteraction",
+ "network:remoteInteraction:accessesRemoteDesktop",
+ "network:remoteInteraction:accessesRemoteShell",
+ "network:remoteInteraction:executesRemoteCommand",
+ "network:remoteInteraction:invokesRemoteProcedure",
+ "network:remoteInteraction:sendsEmail",
+ "network:remoteInteraction:sendsSms",
+ "network:remoteInteraction:transfersFile",
+ "network:routing",
+ "network:routing:configuresProxy",
+ "network:routing:forwardsPacket",
+ "network:routing:redirectsTraffic",
+ "network:routing:routesTraffic",
+ "network:routing:tunnelsTraffic",
+ "network:trafficControl",
+ "network:trafficControl:balancesLoad",
+ "network:trafficControl:filtersTraffic",
+ "network:trafficControl:inspectsTraffic",
+ "network:trafficControl:interceptsTraffic",
+ "network:trafficControl:limitsRate",
+ "network:trafficControl:modifiesTraffic",
+ "network:trafficControl:shapesTraffic",
+ "network:transmission",
+ "network:transmission:broadcastsData",
+ "network:transmission:multicastsData",
+ "network:transmission:receivesData",
+ "network:transmission:sendsData",
+ "network:transmission:streamsData",
+ "privacy",
+ "privacy:collection",
+ "privacy:collection:capturesAudio",
+ "privacy:collection:capturesKeystrokes",
+ "privacy:collection:capturesScreen",
+ "privacy:collection:capturesVideo",
+ "privacy:collection:collectsBehavioralData",
+ "privacy:collection:collectsBiometricData",
+ "privacy:collection:collectsCommunicationContent",
+ "privacy:collection:collectsDeviceInformation",
+ "privacy:collection:collectsFinancialData",
+ "privacy:collection:collectsHealthData",
+ "privacy:collection:collectsInBackground",
+ "privacy:collection:collectsLocationData",
+ "privacy:collection:collectsPersonalData",
+ "privacy:collection:collectsSilently",
+ "privacy:collection:readsBrowserHistory",
+ "privacy:collection:readsClipboard",
+ "privacy:deletion",
+ "privacy:deletion:clearsCache",
+ "privacy:deletion:deletesPersonalData",
+ "privacy:deletion:erasesSecurely",
+ "privacy:deletion:purgesFromBackup",
+ "privacy:deletion:redactsData",
+ "privacy:inference",
+ "privacy:inference:correlatesData",
+ "privacy:inference:createsProfile",
+ "privacy:inference:fingerprintsDevice",
+ "privacy:inference:infersPersonalInformation",
+ "privacy:inference:linksIdentities",
+ "privacy:inference:tracksUser",
+ "privacy:minimization",
+ "privacy:minimization:aggregatesData",
+ "privacy:minimization:anonymizesData",
+ "privacy:minimization:filtersData",
+ "privacy:minimization:generalizesData",
+ "privacy:minimization:limitsCollection",
+ "privacy:minimization:limitsProcessing",
+ "privacy:minimization:pseudonymizesData",
+ "privacy:privacyEnhancement",
+ "privacy:privacyEnhancement:addsDifferentialPrivacy",
+ "privacy:privacyEnhancement:computesMultiparty",
+ "privacy:privacyEnhancement:processesHomomorphically",
+ "privacy:privacyEnhancement:processesLocally",
+ "privacy:retention",
+ "privacy:retention:archivesData",
+ "privacy:retention:backsUpData",
+ "privacy:retention:enforcesRetentionPeriod",
+ "privacy:retention:retainsBeyondPurpose",
+ "privacy:retention:retainsInCache",
+ "privacy:retention:retainsInLog",
+ "privacy:retention:storesPersonalData",
+ "privacy:sharing",
+ "privacy:sharing:disclosesToThirdParty",
+ "privacy:sharing:exportsData",
+ "privacy:sharing:publishesData",
+ "privacy:sharing:sellsData",
+ "privacy:sharing:sharesWithAffiliate",
+ "privacy:sharing:transfersCrossBorder",
+ "privacy:subjectRights",
+ "privacy:subjectRights:correctsData",
+ "privacy:subjectRights:exportsDataPortably",
+ "privacy:subjectRights:honorsErasureRequest",
+ "privacy:subjectRights:honorsObjection",
+ "privacy:subjectRights:providesDataAccess",
+ "privacy:subjectRights:restrictsProcessing",
+ "privacy:transparency",
+ "privacy:transparency:disclosesProcessing",
+ "privacy:transparency:displaysPrivacyNotice",
+ "privacy:transparency:explainsAutomatedDecision",
+ "privacy:transparency:recordsConsent",
+ "privacy:transparency:requestsConsent",
+ "privacy:transparency:withdrawsConsent",
+ "safety",
+ "safety:autonomousBehavior",
+ "safety:autonomousBehavior:acceptsOverride",
+ "safety:autonomousBehavior:enforcesHumanInLoop",
+ "safety:autonomousBehavior:explainsDecision",
+ "safety:autonomousBehavior:requestsGuidance",
+ "safety:autonomousBehavior:respectsDecisionBoundary",
+ "safety:contentSafety",
+ "safety:contentSafety:detectsHarmfulContent",
+ "safety:contentSafety:detectsMisinformation",
+ "safety:contentSafety:enforcesAgeRestriction",
+ "safety:contentSafety:filtersContent",
+ "safety:contentSafety:labelsContent",
+ "safety:harmPrevention",
+ "safety:harmPrevention:preventsEnvironmentalHarm",
+ "safety:harmPrevention:preventsPropertyDamage",
+ "safety:harmPrevention:preventsUserHarm",
+ "safety:harmPrevention:protectsBystanders",
+ "safety:hazardManagement",
+ "safety:hazardManagement:assessesRisk",
+ "safety:hazardManagement:identifiesHazard",
+ "safety:hazardManagement:mitigatesHazard",
+ "safety:hazardManagement:reportsHazard",
+ "safety:humanInteraction",
+ "safety:humanInteraction:adaptsForAccessibility",
+ "safety:humanInteraction:managesCognitiveLoad",
+ "safety:humanInteraction:requestsConfirmation",
+ "safety:humanInteraction:warnsOperator",
+ "safety:operationalSafety",
+ "safety:operationalSafety:acceptsManualOverride",
+ "safety:operationalSafety:enforcesInterlock",
+ "safety:operationalSafety:enforcesOperatingLimits",
+ "safety:operationalSafety:executesEmergencyStop",
+ "safety:operationalSafety:monitorsWatchdog",
+ "safety:operationalSafety:validatesSafetyCondition",
+ "security",
+ "security:auditing",
+ "security:auditing:logsEvent",
+ "security:auditing:logsSecurityEvent",
+ "security:auditing:protectsAuditLog",
+ "security:auditing:purgesLog",
+ "security:auditing:rotatesLog",
+ "security:auditing:signsLogEntry",
+ "security:auditing:timestampsEvent",
+ "security:auditing:transmitsLog",
+ "security:authentication",
+ "security:authentication:authenticatesDevice",
+ "security:authentication:authenticatesService",
+ "security:authentication:authenticatesUser",
+ "security:authentication:bypassesAuthentication",
+ "security:authentication:capturesBiometric",
+ "security:authentication:delegatesAuthentication",
+ "security:authentication:failsAuthentication",
+ "security:authentication:locksAccount",
+ "security:authentication:performsMultiFactorAuthentication",
+ "security:authentication:promptsForCredentials",
+ "security:authentication:unlocksAccount",
+ "security:authentication:validatesBiometric",
+ "security:authentication:validatesCredentials",
+ "security:authorization",
+ "security:authorization:checksPermission",
+ "security:authorization:delegatesAuthority",
+ "security:authorization:deniesAccess",
+ "security:authorization:enforcesRole",
+ "security:authorization:escalatesPrivilege",
+ "security:authorization:evaluatesAttributes",
+ "security:authorization:evaluatesPolicy",
+ "security:authorization:grantsAccess",
+ "security:authorization:grantsImpersonation",
+ "security:authorization:impersonatesUser",
+ "security:authorization:requestsImpersonation",
+ "security:authorization:revokesAccess",
+ "security:authorization:revokesImpersonation",
+ "security:cryptography",
+ "security:cryptography:checksRevocation",
+ "security:cryptography:decryptsData",
+ "security:cryptography:destroysKey",
+ "security:cryptography:encryptsData",
+ "security:cryptography:exchangesKey",
+ "security:cryptography:generatesKey",
+ "security:cryptography:generatesRandomValue",
+ "security:cryptography:hashesData",
+ "security:cryptography:issuesCertificate",
+ "security:cryptography:retrievesKey",
+ "security:cryptography:revokesCertificate",
+ "security:cryptography:rotatesKey",
+ "security:cryptography:signsData",
+ "security:cryptography:storesKey",
+
"security:cryptography:validatesCertificate", + "security:cryptography:verifiesHash", + "security:cryptography:verifiesSignature", + "security:errorHandling", + "security:errorHandling:catchesException", + "security:errorHandling:disclosesErrorDetails", + "security:errorHandling:failsClosed", + "security:errorHandling:failsOpen", + "security:errorHandling:generatesError", + "security:errorHandling:logsError", + "security:errorHandling:propagatesError", + "security:errorHandling:returnsGenericError", + "security:errorHandling:suppressesError", + "security:inputHandling", + "security:inputHandling:escapesInput", + "security:inputHandling:normalizesInput", + "security:inputHandling:rejectsInvalidInput", + "security:inputHandling:sanitizesInput", + "security:inputHandling:truncatesInput", + "security:inputHandling:validatesFormat", + "security:inputHandling:validatesRange", + "security:inputHandling:validatesSchema", + "security:integrity", + "security:integrity:attestsIntegrity", + "security:integrity:detectsTampering", + "security:integrity:respondsToTampering", + "security:integrity:validatesComponent", + "security:integrity:verifiesIntegrity", + "security:integrity:verifiesProvenance", + "security:outputHandling", + "security:outputHandling:encodesOutput", + "security:outputHandling:enforcesContentPolicy", + "security:outputHandling:escapesOutput", + "security:outputHandling:filtersOutput", + "security:outputHandling:masksOutput", + "security:outputHandling:setsSecurityHeader", + "security:session", + "security:session:createsSession", + "security:session:detectsSessionHijacking", + "security:session:invalidatesSession", + "security:session:refreshesSession", + "security:session:regeneratesSessionId", + "security:session:terminatesSession", + "security:session:validatesSession", + "security:threatResponse", + "security:threatResponse:blocksRequest", + "security:threatResponse:blocksSource", + "security:threatResponse:collectsForensicData", + 
"security:threatResponse:detectsAnomaly", + "security:threatResponse:detectsIntrusion", + "security:threatResponse:initiatesIncidentResponse", + "security:threatResponse:quarantinesElement", + "security:threatResponse:raisesAlert", + "system", + "system:configuration", + "system:configuration:deletesRegistryKey", + "system:configuration:modifiesGroupPolicy", + "system:configuration:readsConfigurationFile", + "system:configuration:readsEnvironmentVariable", + "system:configuration:readsGroupPolicy", + "system:configuration:readsRegistry", + "system:configuration:setsEnvironmentVariable", + "system:configuration:writesConfigurationFile", + "system:configuration:writesRegistry", + "system:informationGathering", + "system:informationGathering:detectsOsVersion", + "system:informationGathering:gathersSystemInformation", + "system:informationGathering:queriesHardwareInformation", + "system:informationGathering:retrievesHostname", + "system:kernelInteraction", + "system:kernelInteraction:hooksKernelFunction", + "system:kernelInteraction:installsDriver", + "system:kernelInteraction:readsKernelMemory", + "system:kernelInteraction:writesKernelMemory", + "system:lifecycle", + "system:lifecycle:appliesUpdate", + "system:lifecycle:decommissions", + "system:lifecycle:initializes", + "system:lifecycle:performsSelfTest", + "system:lifecycle:provisions", + "system:lifecycle:rollsBack", + "system:lifecycle:shutsDown", + "system:operationalState", + "system:operationalState:entersFailSafeState", + "system:operationalState:entersFailSecureState", + "system:operationalState:operatesInDegradedMode", + "system:operationalState:operatesNormally", + "system:operationalState:performsEmergencyShutdown", + "system:persistence", + "system:persistence:createsScheduledTask", + "system:persistence:installsAsService", + "system:persistence:loadsAsKernelModule", + "system:persistence:registersForStartup", + "system:persistence:removesPersistence", + "system:processControl", + 
"system:processControl:createsProcess", + "system:processControl:dumpsProcessMemory", + "system:processControl:enumeratesProcesses", + "system:processControl:hooksFunction", + "system:processControl:injectsCodeIntoProcess", + "system:processControl:modifiesProcess", + "system:processControl:resumesProcess", + "system:processControl:suspendsProcess", + "system:processControl:terminatesProcess", + "system:resilience", + "system:resilience:activatesRedundancy", + "system:resilience:degradesGracefully", + "system:resilience:detectsFault", + "system:resilience:recoversFromFailure", + "system:resilience:toleratesFault", + "system:resourceManagement", + "system:resourceManagement:allocatesMemory", + "system:resourceManagement:deallocatesMemory", + "system:resourceManagement:handlesResourceExhaustion", + "system:resourceManagement:managesPowerState", + "system:resourceManagement:readsFromStorage", + "system:resourceManagement:resumesThread", + "system:resourceManagement:spawnsThread", + "system:resourceManagement:suspendsThread", + "system:resourceManagement:terminatesThread", + "system:resourceManagement:writesToStorage", + "system:serviceControl", + "system:serviceControl:createsService", + "system:serviceControl:deletesService", + "system:serviceControl:enumeratesServices", + "system:serviceControl:modifiesService", + "system:serviceControl:startsService", + "system:serviceControl:stopsService", + "system:synchronization", + "system:synchronization:acquiresMutex", + "system:synchronization:releasesMutex", + "system:synchronization:signalsEvent", + "system:synchronization:signalsSemaphore", + "system:synchronization:waitsOnEvent", + "system:synchronization:waitsOnSemaphore", + "system:timing", + "system:timing:delaysExecution", + "system:timing:enforcesDeadline", + "system:timing:executesScheduledTask", + "system:timing:resetsWatchdog", + "system:timing:synchronizesClock", + "system:timing:triggersTimeout", + "system:timing:waits", + "system:userManagement", + 
"system:userManagement:createsUserAccount", + "system:userManagement:deletesUserAccount", + "system:userManagement:elevatesPrivileges", + "system:userManagement:enumeratesUsers", + "system:userManagement:impersonatesUser", + "system:userManagement:modifiesUserAccount" + ], + "meta:enum": { + "ai": "Behaviours relating to artificial intelligence and machine learning operations.", + "ai:agent": "Behaviours that enable autonomous agents to plan and execute tasks.", + "ai:agent:actsOnBehalfOfUser": "The entity performs actions within a delegated user context.", + "ai:agent:coordinatesAgents": "The entity orchestrates multiple agents.", + "ai:agent:delegatesTask": "The entity assigns work to another agent.", + "ai:agent:executesAction": "The entity performs planned step.", + "ai:agent:invokesTool": "The entity calls external capability.", + "ai:agent:observesResult": "The entity captures action outcome.", + "ai:agent:plansAction": "The entity determines steps to achieve goal.", + "ai:agent:receivesHumanDelegation": "The entity accepts authority delegated by a human user.", + "ai:agent:reflectsOnResult": "The entity evaluates action effectiveness.", + "ai:agent:reportsDelegatedAction": "The entity notifies the delegating user of actions taken.", + "ai:agent:requestsUserApproval": "The entity seeks explicit user authorisation before acting.", + "ai:agent:returnsDelegation": "The entity relinquishes delegated authority.", + "ai:agent:revisesPlan": "The entity modifies approach based on results.", + "ai:explainability": "Behaviours that provide interpretable explanations for model decisions.", + "ai:explainability:attributesFeatures": "The entity identifies influential inputs.", + "ai:explainability:documentsModel": "The entity records model design and behaviour.", + "ai:explainability:explainsDecision": "The entity provides human-readable rationale.", + "ai:explainability:tracesPrediction": "The entity records basis for output.", + "ai:explainability:visualizesModel": "The 
entity renders model behaviour graphically.", + "ai:fairness": "Behaviours that detect and mitigate bias in machine learning models.", + "ai:fairness:auditsModelFairness": "The entity evaluates model for bias.", + "ai:fairness:calculatesFairnessMetric": "The entity measures outcome equality.", + "ai:fairness:detectsBias": "The entity identifies unfair model behaviour.", + "ai:fairness:handlesProtectedAttribute": "The entity manages sensitive attributes.", + "ai:fairness:mitigatesBias": "The entity reduces unfair treatment.", + "ai:generative": "Behaviours that produce content using generative models.", + "ai:generative:citesSource": "The entity attributes generated content.", + "ai:generative:filtersOutput": "The entity screens generated content.", + "ai:generative:generatesAudio": "The entity produces sound content.", + "ai:generative:generatesCode": "The entity produces executable code.", + "ai:generative:generatesEmbedding": "The entity produces vector representation.", + "ai:generative:generatesImage": "The entity produces visual content.", + "ai:generative:generatesText": "The entity produces natural language.", + "ai:generative:mitigatesHallucination": "The entity reduces false content generation.", + "ai:generative:processesPrompt": "The entity interprets user instruction.", + "ai:generative:streamsResponse": "The entity delivers output incrementally.", + "ai:inference": "Behaviours that generate predictions using trained models.", + "ai:inference:appliesThreshold": "The entity uses decision boundary.", + "ai:inference:batchesInference": "The entity processes multiple inputs together.", + "ai:inference:cachesPrediction": "The entity stores prediction for reuse.", + "ai:inference:ensemblesModels": "The entity combines multiple model outputs.", + "ai:inference:generatesPrediction": "The entity produces model output.", + "ai:inference:infersInRealTime": "The entity generates prediction with low latency.", + "ai:inference:ranksResults": "The entity orders 
predictions by relevance.", + "ai:inference:scoresConfidence": "The entity assigns certainty to prediction.", + "ai:management": "Behaviours that deploy and manage machine learning models throughout their lifecycle.", + "ai:management:comparesModels": "The entity evaluates relative model performance.", + "ai:management:deploysModel": "The entity places model into service.", + "ai:management:loadsModel": "The entity retrieves model for use.", + "ai:management:monitorsModel": "The entity observes model performance.", + "ai:management:retiresModel": "The entity removes model from service.", + "ai:management:rollsBackModel": "The entity reverts to previous version.", + "ai:management:unloadsModel": "The entity removes model from memory.", + "ai:management:versionsModel": "The entity tracks model versions.", + "ai:quality": "Behaviours that monitor and maintain model and data quality.", + "ai:quality:detectsConceptDrift": "The entity identifies input-output relationship change.", + "ai:quality:detectsDataDrift": "The entity identifies input distribution change.", + "ai:quality:detectsOutlier": "The entity identifies anomalous input.", + "ai:quality:engineersFeatures": "The entity transforms raw data for model.", + "ai:quality:selectsFeatures": "The entity chooses relevant input features.", + "ai:quality:validatesInputData": "The entity checks inference input quality.", + "ai:robustness": "Behaviours that defend against adversarial attacks and handle uncertain inputs.", + "ai:robustness:defendsAgainstAdversarial": "The entity resists adversarial manipulation.", + "ai:robustness:detectsAdversarialInput": "The entity identifies crafted malicious input.", + "ai:robustness:detectsOutOfDistribution": "The entity identifies unfamiliar input.", + "ai:robustness:estimatesUncertainty": "The entity quantifies prediction confidence.", + "ai:robustness:validatesRobustness": "The entity tests model resilience.", + "ai:training": "Behaviours that prepare data and train machine 
learning models.", + "ai:training:appliesTransferLearning": "The entity adapts pre-trained model.", + "ai:training:checkpointsModel": "The entity saves model state during training.", + "ai:training:fineTunesModel": "The entity refines model for specific task.", + "ai:training:ingestsTrainingData": "The entity acquires data for training.", + "ai:training:preprocessesTrainingData": "The entity prepares data for training.", + "ai:training:trainsFederatedly": "The entity trains on distributed data.", + "ai:training:trainsModel": "The entity adjusts model parameters.", + "ai:training:tunesHyperparameters": "The entity optimises configuration parameters.", + "ai:training:validatesModel": "The entity evaluates model during training.", + "ai:training:validatesTrainingData": "The entity checks training data quality.", + "application": "Behaviours relating to application-level request processing and business logic.", + "application:codeExecution": "Behaviours that dynamically load and execute code at runtime.", + "application:codeExecution:compilesCode": "The entity transforms source to executable form.", + "application:codeExecution:evaluatesExpression": "The entity interprets and executes an expression.", + "application:codeExecution:executesNativeCommand": "The entity runs an operating system command.", + "application:codeExecution:executesScript": "The entity runs script code.", + "application:codeExecution:interpretsCode": "The entity executes code without compilation.", + "application:codeExecution:invokesViaReflection": "The entity calls method through reflection.", + "application:codeExecution:loadsCodeDynamically": "The entity loads executable code at runtime.", + "application:configuration": "Behaviours that load and manage application configuration settings.", + "application:configuration:detectsEnvironment": "The entity determines deployment context.", + "application:configuration:evaluatesFeatureFlag": "The entity checks feature toggle state.", + 
"application:configuration:loadsConfiguration": "The entity reads configuration settings.", + "application:configuration:reloadsConfiguration": "The entity refreshes configuration dynamically.", + "application:controlFlow": "Behaviours that manage the execution sequence and event handling within an application.", + "application:controlFlow:awaitsAsyncResult": "The entity waits for asynchronous completion.", + "application:controlFlow:catchesException": "The entity handles an error condition.", + "application:controlFlow:emitsEvent": "The entity triggers an event.", + "application:controlFlow:handlesEvent": "The entity responds to an event.", + "application:controlFlow:invokesCallback": "The entity executes a callback function.", + "application:controlFlow:invokesHandler": "The entity calls a request handler.", + "application:controlFlow:invokesMiddleware": "The entity executes middleware component.", + "application:controlFlow:schedulesAsyncOperation": "The entity queues work for later execution.", + "application:controlFlow:throwsException": "The entity raises an error condition.", + "application:dependencyManagement": "Behaviours that resolve and manage dependencies on other components.", + "application:dependencyManagement:closesCircuitBreaker": "The entity resumes calls to recovered dependency.", + "application:dependencyManagement:fallsBack": "The entity uses alternative when primary fails.", + "application:dependencyManagement:injectsDependency": "The entity provides component to dependent.", + "application:dependencyManagement:opensCircuitBreaker": "The entity stops calls to failing dependency.", + "application:dependencyManagement:resolvesDependency": "The entity locates required component.", + "application:externalIntegration": "Behaviours that communicate with external services and systems.", + "application:externalIntegration:callsExternalService": "The entity invokes an external API.", + "application:externalIntegration:consumesEvent": "The entity 
receives event from external system.", + "application:externalIntegration:publishesEvent": "The entity sends event to external system.", + "application:externalIntegration:receivesWebhook": "The entity accepts callback from external service.", + "application:observability": "Behaviours that emit telemetry for monitoring and debugging purposes.", + "application:observability:emitsTelemetry": "The entity transmits operational data.", + "application:observability:logsOperation": "The entity records an operational event.", + "application:observability:recordsMetric": "The entity captures a quantitative measurement.", + "application:observability:reportsHealth": "The entity communicates operational status.", + "application:observability:tracesRequest": "The entity tracks request across services.", + "application:requestHandling": "Behaviours that receive and process incoming requests.", + "application:requestHandling:authenticatesRequest": "The entity verifies requestor identity.", + "application:requestHandling:authorizesRequest": "The entity verifies requestor permissions.", + "application:requestHandling:bindsParameters": "The entity maps request data to parameters.", + "application:requestHandling:parsesRequest": "The entity interprets incoming request.", + "application:requestHandling:receivesHttpRequest": "The entity accepts an HTTP request.", + "application:requestHandling:rejectsRequest": "The entity refuses to process request.", + "application:requestHandling:routesRequest": "The entity directs request to appropriate handler.", + "application:requestHandling:validatesRequest": "The entity verifies request validity.", + "application:responseGeneration": "Behaviours that construct and transmit responses to requests.", + "application:responseGeneration:generatesResponse": "The entity creates a response.", + "application:responseGeneration:readsCookie": "The entity retrieves cookie value.", + "application:responseGeneration:redirectsRequest": "The entity sends 
client to different location.", + "application:responseGeneration:returnsError": "The entity indicates failure.", + "application:responseGeneration:returnsSuccess": "The entity indicates successful completion.", + "application:responseGeneration:sendsHttpResponse": "The entity transmits an HTTP response.", + "application:responseGeneration:setsCookie": "The entity creates or modifies a cookie.", + "application:responseGeneration:setsHeader": "The entity adds HTTP header to response.", + "application:stateManagement": "Behaviours that maintain and synchronise application state across requests.", + "application:stateManagement:acquiresLock": "The entity obtains exclusive access to resource.", + "application:stateManagement:beginsTransaction": "The entity starts an atomic operation group.", + "application:stateManagement:commitsTransaction": "The entity finalises transaction changes.", + "application:stateManagement:createsSessionState": "The entity initialises session data.", + "application:stateManagement:destroysSessionState": "The entity removes session data.", + "application:stateManagement:readsSessionState": "The entity retrieves session data.", + "application:stateManagement:releasesLock": "The entity relinquishes exclusive access.", + "application:stateManagement:rollsBackTransaction": "The entity undoes transaction changes.", + "application:stateManagement:synchronizesState": "The entity maintains consistency across replicas.", + "application:stateManagement:updatesSessionState": "The entity modifies session data.", + "data": "Behaviours relating to the ingestion and transformation of structured and unstructured data.", + "data:encoding": "Behaviours that apply specific encoding schemes to data.", + "data:encoding:appliesXor": "The entity transforms data using XOR operation.", + "data:encoding:decodesBaseSixtyFour": "The entity converts Base64 to original form.", + "data:encoding:decodesUrl": "The entity converts URL-encoded data.", + 
"data:encoding:encodesBaseSixtyFour": "The entity converts data to Base64.", + "data:encoding:encodesUrl": "The entity converts data for URL inclusion.", + "data:ingestion": "Behaviours that acquire data from external sources.", + "data:ingestion:pollsSource": "The entity periodically checks for new data.", + "data:ingestion:readsFile": "The entity retrieves data from a file.", + "data:ingestion:readsStream": "The entity consumes data from a continuous source.", + "data:ingestion:receivesInput": "The entity accepts data from an external source.", + "data:ingestion:receivesMessage": "The entity accepts a message from a queue.", + "data:ingestion:receivesRequest": "The entity accepts an incoming request.", + "data:ingestion:subscribesToFeed": "The entity registers to receive updates.", + "data:output": "Behaviours that produce and transmit data to external consumers.", + "data:output:formatsResponse": "The entity structures data for delivery.", + "data:output:producesOutput": "The entity generates data for consumption.", + "data:output:publishesMessage": "The entity sends a message to a queue.", + "data:output:rendersTemplate": "The entity generates output from a template.", + "data:output:sendsResponse": "The entity transmits a reply.", + "data:output:serializesObject": "The entity converts object to transmittable form.", + "data:output:streamsOutput": "The entity continuously produces data.", + "data:output:writesFile": "The entity saves data to a file.", + "data:parsing": "Behaviours that interpret and extract information from structured data formats.", + "data:parsing:decodesData": "The entity converts encoded data to original form.", + "data:parsing:deserializesObject": "The entity reconstructs object from serialised form.", + "data:parsing:extractsFields": "The entity isolates specific data elements.", + "data:parsing:parsesData": "The entity interprets structured data.", + "data:parsing:parsesHtml": "The entity interprets HTML content.", + 
"data:parsing:parsesJson": "The entity interprets JSON-formatted data.", + "data:parsing:parsesXml": "The entity interprets XML-formatted data.", + "data:query": "Behaviours that retrieve data based on specified criteria.", + "data:query:executesLdapQuery": "The entity queries an LDAP directory.", + "data:query:executesNoSqlQuery": "The entity queries a NoSQL database.", + "data:query:executesSearch": "The entity performs full-text or indexed search.", + "data:query:executesSql": "The entity runs a SQL statement.", + "data:query:executesXPath": "The entity evaluates an XPath expression.", + "data:query:queriesData": "The entity retrieves data matching criteria.", + "data:storage": "Behaviours that persist and retrieve data from storage systems.", + "data:storage:cachesData": "The entity stores data for quick retrieval.", + "data:storage:deletesData": "The entity removes stored data.", + "data:storage:flushesCache": "The entity writes cached data to persistent storage.", + "data:storage:invalidatesCache": "The entity marks cached data as stale.", + "data:storage:retrievesData": "The entity fetches stored data.", + "data:storage:storesData": "The entity saves data persistently.", + "data:storage:updatesData": "The entity modifies stored data.", + "data:transformation": "Behaviours that convert data from one form or structure to another.", + "data:transformation:aggregatesData": "The entity combines multiple values.", + "data:transformation:compressesData": "The entity reduces data size.", + "data:transformation:decompressesData": "The entity restores compressed data.", + "data:transformation:encodesData": "The entity converts data to encoded form.", + "data:transformation:enrichesData": "The entity adds information from external sources.", + "data:transformation:filtersData": "The entity removes unwanted elements.", + "data:transformation:joinsData": "The entity combines data from multiple sources.", + "data:transformation:mapsData": "The entity converts between data 
structures.", + "data:transformation:normalizesData": "The entity converts to standard form.", + "data:transformation:sortsData": "The entity orders data elements.", + "data:transformation:transformsData": "The entity converts data from one form to another.", + "evasion": "Behaviours relating to techniques that avoid detection and analysis.", + "evasion:analysisResistance": "Behaviours that detect and evade analysis environments.", + "evasion:analysisResistance:detectsAnalysisTool": "The entity identifies analysis software.", + "evasion:analysisResistance:detectsDebugger": "The entity identifies debugger presence.", + "evasion:analysisResistance:detectsEmulator": "The entity identifies emulation environment.", + "evasion:analysisResistance:detectsSandbox": "The entity identifies sandbox environment.", + "evasion:analysisResistance:detectsVirtualMachine": "The entity identifies VM environment.", + "evasion:analysisResistance:evadesDebugger": "The entity modifies behaviour under debugging.", + "evasion:analysisResistance:evadesEmulator": "The entity modifies behaviour under emulation.", + "evasion:analysisResistance:evadesSandbox": "The entity modifies behaviour in sandbox.", + "evasion:analysisResistance:evadesVirtualMachine": "The entity modifies behaviour in VM.", + "evasion:analysisResistance:usesTimingEvasion": "The entity uses delays to evade analysis.", + "evasion:antiSecurity": "Behaviours that detect and disable security software.", + "evasion:antiSecurity:detectsAntivirus": "The entity identifies AV software.", + "evasion:antiSecurity:disablesSecuritySoftware": "The entity deactivates security tools.", + "evasion:antiSecurity:evadesAntivirus": "The entity avoids AV detection.", + "evasion:antiSecurity:terminatesSecurityProcess": "The entity kills security software processes.", + "evasion:indirection": "Behaviours that use indirect methods to execute code.", + "evasion:indirection:resolvesApiDynamically": "The entity finds API addresses at runtime.", + 
"evasion:indirection:usesIndirectCalls": "The entity invokes functions indirectly.", + "evasion:indirection:usesProxyExecution": "The entity executes through intermediary.", + "evasion:obfuscation": "Behaviours that obscure code and data to hinder analysis.", + "evasion:obfuscation:obfuscatesCode": "The entity makes code difficult to analyse.", + "evasion:obfuscation:obfuscatesControlFlow": "The entity obscures execution paths.", + "evasion:obfuscation:obfuscatesData": "The entity hides data structures.", + "evasion:obfuscation:obfuscatesStrings": "The entity hides string contents.", + "evasion:obfuscation:packsCode": "The entity compresses or encrypts executable.", + "evasion:obfuscation:unpacksAtRuntime": "The entity decompresses code during execution.", + "file": "Behaviours relating to file system operations and disk management.", + "file:directory": "Behaviours that create and navigate directory structures.", + "file:directory:changesDirectory": "The entity sets current working directory.", + "file:directory:createsDirectory": "The entity creates a new directory.", + "file:directory:deletesDirectory": "The entity removes a directory.", + "file:directory:listsDirectory": "The entity enumerates directory contents.", + "file:directory:traversesDirectory": "The entity recursively explores directories.", + "file:disk": "Behaviours that manage storage volumes and disk-level operations.", + "file:disk:decryptsVolume": "The entity decrypts a storage volume.", + "file:disk:encryptsVolume": "The entity encrypts a storage volume.", + "file:disk:formatsVolume": "The entity prepares storage for use.", + "file:disk:mountsVolume": "The entity attaches a storage volume.", + "file:disk:unmountsVolume": "The entity detaches a storage volume.", + "file:disk:wipesDisk": "The entity securely erases disk contents.", + "file:operations": "Behaviours that create and manipulate files.", + "file:operations:appendsToFile": "The entity adds data to end of file.", + 
"file:operations:checksFileExistence": "The entity verifies whether a file exists.",
+ "file:operations:closesFile": "The entity releases file access.",
+ "file:operations:copiesFile": "The entity duplicates a file.",
+ "file:operations:createsFile": "The entity creates a new file.",
+ "file:operations:deletesFile": "The entity removes a file.",
+ "file:operations:getsFileAttributes": "The entity retrieves file metadata.",
+ "file:operations:movesFile": "The entity relocates a file.",
+ "file:operations:opensFile": "The entity prepares a file for access.",
+ "file:operations:readsFile": "The entity retrieves file contents.",
+ "file:operations:renamesFile": "The entity changes a file name.",
+ "file:operations:setsFileAttributes": "The entity modifies file metadata.",
+ "file:operations:setsFilePermissions": "The entity modifies file access permissions.",
+ "file:operations:writesFile": "The entity modifies file contents.",
+ "gui": "Behaviours relating to graphical user interface interactions.",
+ "gui:display": "Behaviours that render and monitor visual output.",
+ "gui:display:displaysData": "The entity renders information visually.",
+ "gui:display:monitorsDisplay": "The entity observes displayed content.",
+ "gui:display:updatesDisplay": "The entity refreshes visual presentation.",
+ "gui:session": "Behaviours that interact with user login sessions.",
+ "gui:session:displaysLogin": "The entity presents login interface.",
+ "gui:session:interactsWithSession": "The entity operates within user session.",
+ "gui:session:switchesSession": "The entity changes active user session.",
+ "gui:window": "Behaviours that create and manipulate graphical windows.",
+ "gui:window:capturesWindow": "The entity captures window contents.",
+ "gui:window:createsWindow": "The entity creates a graphical window.",
+ "gui:window:destroysWindow": "The entity closes a window.",
+ "gui:window:enumeratesWindows": "The entity lists open windows.",
+ "gui:window:interactsWithTaskbar": "The entity modifies taskbar elements.",
+ "gui:window:modifiesWindow": "The entity changes window properties.",
+ "hardware": "Behaviours relating to hardware components and physical device interactions.",
+ "hardware:actuator": "Behaviours that control physical actuators and output devices.",
+ "hardware:actuator:calibratesActuator": "The entity adjusts actuator accuracy.",
+ "hardware:actuator:controlsBattery": "The entity manages battery charging.",
+ "hardware:actuator:controlsHeating": "The entity manages heating element.",
+ "hardware:actuator:controlsLed": "The entity manages LED indicator.",
+ "hardware:actuator:controlsMotor": "The entity manages motor operation.",
+ "hardware:actuator:controlsPower": "The entity manages power distribution.",
+ "hardware:actuator:controlsPump": "The entity manages fluid pump.",
+ "hardware:actuator:controlsTemperature": "The entity regulates temperature.",
+ "hardware:boot": "Behaviours that verify and configure system startup processes.",
+ "hardware:boot:entersRecoveryMode": "The entity boots via alternative path.",
+ "hardware:boot:executesSecureBoot": "The entity verifies code integrity at startup.",
+ "hardware:boot:locksBootConfiguration": "The entity prevents boot setting changes.",
+ "hardware:boot:modifiesBootConfiguration": "The entity changes boot settings.",
+ "hardware:boot:readsBootConfiguration": "The entity retrieves boot settings.",
+ "hardware:boot:recordsBootMeasurement": "The entity logs boot component hashes.",
+ "hardware:boot:verifiesBootLoader": "The entity validates boot loader authenticity.",
+ "hardware:firmware": "Behaviours that manage and verify firmware integrity.",
+ "hardware:firmware:monitorsFirmwareIntegrity": "The entity checks for firmware tampering.",
+ "hardware:firmware:preventsFirmwareRollback": "The entity blocks reversion to old firmware.",
+ "hardware:firmware:readsFirmwareVersion": "The entity retrieves firmware version.",
+ "hardware:firmware:updatesFirmware": "The entity applies firmware changes.",
+ "hardware:firmware:verifiesFirmwareSignature": "The entity validates firmware authenticity.",
+ "hardware:memory": "Behaviours that protect and isolate memory regions.",
+ "hardware:memory:encryptsMemory": "The entity protects memory contents.",
+ "hardware:memory:isolatesMemory": "The entity separates memory regions.",
+ "hardware:memory:protectsStack": "The entity defends against stack attacks.",
+ "hardware:memory:randomizesAddressSpace": "The entity applies ASLR.",
+ "hardware:memory:readsProtectedMemory": "The entity accesses protected memory region.",
+ "hardware:memory:writesProtectedMemory": "The entity modifies protected memory region.",
+ "hardware:peripheral": "Behaviours that interact with peripheral devices and interfaces.",
+ "hardware:peripheral:accessesCamera": "The entity interacts with camera hardware.",
+ "hardware:peripheral:accessesDisplay": "The entity interacts with display hardware.",
+ "hardware:peripheral:accessesGpio": "The entity reads or writes GPIO pins.",
+ "hardware:peripheral:accessesJtag": "The entity uses JTAG debug interface.",
+ "hardware:peripheral:accessesKeyboard": "The entity interacts with keyboard hardware.",
+ "hardware:peripheral:accessesStorageDevice": "The entity interacts with storage hardware.",
+ "hardware:peripheral:accessesUsbDevice": "The entity interacts with USB peripheral.",
+ "hardware:peripheral:configuresDma": "The entity sets up direct memory access.",
+ "hardware:peripheral:protectsDma": "The entity prevents unauthorised DMA.",
+ "hardware:physicalSecurity": "Behaviours that detect and respond to physical tampering.",
+ "hardware:physicalSecurity:detectsPhysicalTamper": "The entity identifies physical interference.",
+ "hardware:physicalSecurity:disablesDebugInterface": "The entity prevents debug access.",
+ "hardware:physicalSecurity:enablesDebugInterface": "The entity permits debug access.",
+ "hardware:physicalSecurity:monitorsEnclosure": "The entity detects housing penetration.",
+ "hardware:physicalSecurity:respondsToTamper": "The entity reacts to physical attack.",
+ "hardware:physicalSecurity:zeroizesKeys": "The entity destroys keys on tamper detection.",
+ "hardware:security": "Behaviours that utilise hardware security features and trusted execution environments.",
+ "hardware:security:anchorsInHardwareRoot": "The entity uses tamper-resistant hardware for trust.",
+ "hardware:security:executesInTee": "The entity runs in trusted execution environment.",
+ "hardware:security:generatesPufResponse": "The entity uses physical unclonable function.",
+ "hardware:security:usesHsm": "The entity employs hardware security module.",
+ "hardware:security:usesSecureElement": "The entity employs dedicated security hardware.",
+ "hardware:sensor": "Behaviours that read measurements from hardware sensors.",
+ "hardware:sensor:calibratesSensor": "The entity adjusts sensor accuracy.",
+ "hardware:sensor:readsBatteryStatus": "The entity obtains battery state.",
+ "hardware:sensor:readsBloodOxygen": "The entity obtains SpO2 measurement.",
+ "hardware:sensor:readsBloodPressure": "The entity obtains blood pressure measurement.",
+ "hardware:sensor:readsCoTwoLevel": "The entity obtains CO2 measurement.",
+ "hardware:sensor:readsEcg": "The entity obtains electrocardiogram data.",
+ "hardware:sensor:readsPowerStatus": "The entity obtains power state.",
+ "hardware:sensor:readsTemperature": "The entity obtains temperature measurement.",
+ "hardware:sideChannelDefense": "Behaviours that protect against side-channel attacks.",
+ "hardware:sideChannelDefense:controlsEmEmissions": "The entity limits electromagnetic leakage.",
+ "hardware:sideChannelDefense:resistsFaultInjection": "The entity protects against induced faults.",
+ "hardware:sideChannelDefense:resistsPowerAnalysis": "The entity protects against power-based attacks.",
+ "hardware:sideChannelDefense:resistsTimingAnalysis": "The entity protects against timing-based attacks.",
+ "network": "Behaviours relating to network communication and data transmission between systems.",
+ "network:connection": "Behaviours that establish and manage network connections.",
+ "network:connection:acceptsConnection": "The entity receives an incoming connection.",
+ "network:connection:detectsConnectionLoss": "The entity identifies a dropped connection.",
+ "network:connection:establishesConnection": "The entity initiates a network connection.",
+ "network:connection:reconnects": "The entity re-establishes a dropped connection.",
+ "network:connection:reusesConnection": "The entity uses a pooled connection.",
+ "network:connection:sendsHeartbeat": "The entity transmits a keep-alive signal.",
+ "network:connection:terminatesConnection": "The entity closes a network connection.",
+ "network:discovery": "Behaviours that locate and advertise network services and resources.",
+ "network:discovery:advertisesService": "The entity announces its availability.",
+ "network:discovery:discoversService": "The entity locates an available service.",
+ "network:discovery:enumeratesInterfaces": "The entity lists network interfaces.",
+ "network:discovery:probesPort": "The entity checks if a port is open.",
+ "network:discovery:queriesDns": "The entity requests DNS resolution.",
+ "network:discovery:resolvesName": "The entity translates a name to an address.",
+ "network:discovery:scansNetwork": "The entity probes for active hosts or services.",
+ "network:protocol": "Behaviours that negotiate and implement communication protocols.",
+ "network:protocol:downgradesProtocol": "The entity falls back to a less secure protocol version.",
+ "network:protocol:framesMessage": "The entity structures data for transmission.",
+ "network:protocol:negotiatesProtocol": "The entity agrees on communication protocol with peer.",
+ "network:protocol:parsesMessage": "The entity interprets received network data.",
+ "network:protocol:retransmitsMessage": "The entity resends data after transmission failure.",
+ "network:protocol:upgradesProtocol": "The entity transitions to a more secure protocol version.",
+ "network:protocol:validatesMessage": "The entity verifies message format and integrity.",
+ "network:remoteInteraction": "Behaviours that execute operations on remote systems.",
+ "network:remoteInteraction:accessesRemoteDesktop": "The entity controls a remote graphical interface.",
+ "network:remoteInteraction:accessesRemoteShell": "The entity interacts with a remote command line.",
+ "network:remoteInteraction:executesRemoteCommand": "The entity runs a command on a remote system.",
+ "network:remoteInteraction:invokesRemoteProcedure": "The entity calls a function on a remote system.",
+ "network:remoteInteraction:sendsEmail": "The entity transmits an email message.",
+ "network:remoteInteraction:sendsSms": "The entity transmits a text message.",
+ "network:remoteInteraction:transfersFile": "The entity sends or receives a file remotely.",
+ "network:routing": "Behaviours that direct network traffic to its destination.",
+ "network:routing:configuresProxy": "The entity sets up traffic to route through a proxy.",
+ "network:routing:forwardsPacket": "The entity passes a packet toward its destination.",
+ "network:routing:redirectsTraffic": "The entity diverts traffic to a different destination.",
+ "network:routing:routesTraffic": "The entity directs network traffic to destinations.",
+ "network:routing:tunnelsTraffic": "The entity encapsulates traffic within another protocol.",
+ "network:trafficControl": "Behaviours that manage and manipulate network traffic flow.",
+ "network:trafficControl:balancesLoad": "The entity distributes requests across destinations.",
+ "network:trafficControl:filtersTraffic": "The entity blocks or allows traffic based on rules.",
+ "network:trafficControl:inspectsTraffic": "The entity examines traffic contents.",
+ "network:trafficControl:interceptsTraffic": "The entity captures traffic in transit.",
+ "network:trafficControl:limitsRate": "The entity restricts traffic volume.",
+ "network:trafficControl:modifiesTraffic": "The entity alters traffic in transit.",
+ "network:trafficControl:shapesTraffic": "The entity manages traffic timing and priority.",
+ "network:transmission": "Behaviours that send and receive data over network connections.",
+ "network:transmission:broadcastsData": "The entity sends data to multiple recipients.",
+ "network:transmission:multicastsData": "The entity sends data to a group of recipients.",
+ "network:transmission:receivesData": "The entity accepts data from the network.",
+ "network:transmission:sendsData": "The entity transmits data over the network.",
+ "network:transmission:streamsData": "The entity continuously transmits or receives data.",
+ "privacy": "Behaviours relating to the collection and processing of personal and sensitive data.",
+ "privacy:collection": "Behaviours that gather personal or sensitive information from individuals or systems.",
+ "privacy:collection:capturesAudio": "The entity records sound via microphone.",
+ "privacy:collection:capturesKeystrokes": "The entity records keyboard input.",
+ "privacy:collection:capturesScreen": "The entity records display contents.",
+ "privacy:collection:capturesVideo": "The entity records images via camera.",
+ "privacy:collection:collectsBehavioralData": "The entity records user actions and patterns.",
+ "privacy:collection:collectsBiometricData": "The entity captures biometric information.",
+ "privacy:collection:collectsCommunicationContent": "The entity captures message or call contents.",
+ "privacy:collection:collectsDeviceInformation": "The entity gathers device identifiers or characteristics.",
+ "privacy:collection:collectsFinancialData": "The entity gathers payment or financial information.",
+ "privacy:collection:collectsHealthData": "The entity gathers protected health information.",
+ "privacy:collection:collectsInBackground": "The entity gathers data without active user engagement.",
+ "privacy:collection:collectsLocationData": "The entity gathers geographical position information.",
+ "privacy:collection:collectsPersonalData": "The entity gathers personally identifiable information.",
+ "privacy:collection:collectsSilently": "The entity gathers data without user awareness.",
+ "privacy:collection:readsBrowserHistory": "The entity accesses web browsing history.",
+ "privacy:collection:readsClipboard": "The entity accesses clipboard contents.",
+ "privacy:deletion": "Behaviours that remove or destroy personal data.",
+ "privacy:deletion:clearsCache": "The entity removes data from temporary storage.",
+ "privacy:deletion:deletesPersonalData": "The entity removes personal data.",
+ "privacy:deletion:erasesSecurely": "The entity irreversibly destroys data.",
+ "privacy:deletion:purgesFromBackup": "The entity removes data from backup systems.",
+ "privacy:deletion:redactsData": "The entity removes specific content from records.",
+ "privacy:inference": "Behaviours that derive personal information through analysis and correlation of data.",
+ "privacy:inference:correlatesData": "The entity combines data from multiple sources.",
+ "privacy:inference:createsProfile": "The entity builds a profile from collected data.",
+ "privacy:inference:fingerprintsDevice": "The entity identifies device via characteristics.",
+ "privacy:inference:infersPersonalInformation": "The entity derives personal data from other data.",
+ "privacy:inference:linksIdentities": "The entity associates data across contexts.",
+ "privacy:inference:tracksUser": "The entity follows user activity across sessions.",
+ "privacy:minimization": "Behaviours that reduce the amount or sensitivity of personal data processed.",
+ "privacy:minimization:aggregatesData": "The entity combines records into summaries.",
+ "privacy:minimization:anonymizesData": "The entity removes identifying information.",
+ "privacy:minimization:filtersData": "The entity removes unnecessary data elements.",
+ "privacy:minimization:generalizesData": "The entity reduces data precision.",
+ "privacy:minimization:limitsCollection": "The entity gathers only necessary data.",
+ "privacy:minimization:limitsProcessing": "The entity restricts data use to stated purposes.",
+ "privacy:minimization:pseudonymizesData": "The entity replaces identifiers with pseudonyms.",
+ "privacy:privacyEnhancement": "Behaviours that employ technical measures to protect privacy during processing.",
+ "privacy:privacyEnhancement:addsDifferentialPrivacy": "The entity injects noise to protect individuals.",
+ "privacy:privacyEnhancement:computesMultiparty": "The entity performs joint computation privately.",
+ "privacy:privacyEnhancement:processesHomomorphically": "The entity computes on encrypted data.",
+ "privacy:privacyEnhancement:processesLocally": "The entity handles data on-device.",
+ "privacy:retention": "Behaviours that store personal data over time.",
+ "privacy:retention:archivesData": "The entity moves data to long-term storage.",
+ "privacy:retention:backsUpData": "The entity creates copies for recovery.",
+ "privacy:retention:enforcesRetentionPeriod": "The entity deletes data after specified time.",
+ "privacy:retention:retainsBeyondPurpose": "The entity keeps data longer than necessary.",
+ "privacy:retention:retainsInCache": "The entity keeps data in temporary storage.",
+ "privacy:retention:retainsInLog": "The entity keeps data in log files.",
+ "privacy:retention:storesPersonalData": "The entity saves personal data persistently.",
+ "privacy:sharing": "Behaviours that disclose personal data to third parties or across boundaries.",
+ "privacy:sharing:disclosesToThirdParty": "The entity transmits personal data externally.",
+ "privacy:sharing:exportsData": "The entity outputs data in portable format.",
+ "privacy:sharing:publishesData": "The entity makes data publicly available.",
+ "privacy:sharing:sellsData": "The entity provides data in exchange for value.",
+ "privacy:sharing:sharesWithAffiliate": "The entity provides data to related entities.",
+ "privacy:sharing:transfersCrossBorder": "The entity sends data across jurisdictions.",
+ "privacy:subjectRights": "Behaviours that fulfil data subject rights under privacy regulations.",
+ "privacy:subjectRights:correctsData": "The entity modifies inaccurate personal data.",
+ "privacy:subjectRights:exportsDataPortably": "The entity provides data in portable format.",
+ "privacy:subjectRights:honorsErasureRequest": "The entity deletes data upon request.",
+ "privacy:subjectRights:honorsObjection": "The entity ceases processing upon objection.",
+ "privacy:subjectRights:providesDataAccess": "The entity gives individuals their data.",
+ "privacy:subjectRights:restrictsProcessing": "The entity limits data use upon request.",
+ "privacy:transparency": "Behaviours that inform individuals about data processing activities.",
+ "privacy:transparency:disclosesProcessing": "The entity reveals data processing activities.",
+ "privacy:transparency:displaysPrivacyNotice": "The entity presents privacy information.",
+ "privacy:transparency:explainsAutomatedDecision": "The entity describes automated decision logic.",
+ "privacy:transparency:recordsConsent": "The entity stores consent decisions.",
+ "privacy:transparency:requestsConsent": "The entity asks for processing permission.",
+ "privacy:transparency:withdrawsConsent": "The entity processes consent revocation.",
+ "safety": "Behaviours relating to the prevention of harm to users and the environment.",
+ "safety:autonomousBehavior": "Behaviours that govern decision-making boundaries and human oversight of autonomous systems.",
+ "safety:autonomousBehavior:acceptsOverride": "The entity yields to human command.",
+ "safety:autonomousBehavior:enforcesHumanInLoop": "The entity requires human involvement.",
+ "safety:autonomousBehavior:explainsDecision": "The entity provides rationale for its action.",
+ "safety:autonomousBehavior:requestsGuidance": "The entity asks for human direction.",
+ "safety:autonomousBehavior:respectsDecisionBoundary": "The entity stays within authorised decision scope.",
+ "safety:contentSafety": "Behaviours that detect and filter harmful or inappropriate content.",
+ "safety:contentSafety:detectsHarmfulContent": "The entity identifies potentially harmful content.",
+ "safety:contentSafety:detectsMisinformation": "The entity identifies false or misleading content.",
+ "safety:contentSafety:enforcesAgeRestriction": "The entity limits access by user age.",
+ "safety:contentSafety:filtersContent": "The entity blocks or restricts content.",
+ "safety:contentSafety:labelsContent": "The entity marks content with warnings or ratings.",
+ "safety:harmPrevention": "Behaviours that actively protect users and bystanders from physical or psychological harm.",
+ "safety:harmPrevention:preventsEnvironmentalHarm": "The entity acts to protect the environment.",
+ "safety:harmPrevention:preventsPropertyDamage": "The entity acts to protect physical property.",
+ "safety:harmPrevention:preventsUserHarm": "The entity acts to protect users from injury.",
+ "safety:harmPrevention:protectsBystanders": "The entity considers safety of non-users.",
+ "safety:hazardManagement": "Behaviours that identify and mitigate potentially dangerous conditions.",
+ "safety:hazardManagement:assessesRisk": "The entity evaluates severity and likelihood of harm.",
+ "safety:hazardManagement:identifiesHazard": "The entity detects a potentially harmful condition.",
+ "safety:hazardManagement:mitigatesHazard": "The entity reduces hazard severity or likelihood.",
+ "safety:hazardManagement:reportsHazard": "The entity communicates a hazardous condition.",
+ "safety:humanInteraction": "Behaviours that manage communication and interaction with human operators.",
+ "safety:humanInteraction:adaptsForAccessibility": "The entity adjusts for users with disabilities.",
+ "safety:humanInteraction:managesCognitiveLoad": "The entity limits information to prevent overwhelm.",
+ "safety:humanInteraction:requestsConfirmation": "The entity requires human approval for action.",
+ "safety:humanInteraction:warnsOperator": "The entity alerts human to abnormal condition.",
+ "safety:operationalSafety": "Behaviours that enforce safe operating limits and conditions.",
+ "safety:operationalSafety:acceptsManualOverride": "The entity yields control to human operator.",
+ "safety:operationalSafety:enforcesInterlock": "The entity prevents unsafe operation combinations.",
+ "safety:operationalSafety:enforcesOperatingLimits": "The entity prevents operation outside safe bounds.",
+ "safety:operationalSafety:executesEmergencyStop": "The entity immediately halts dangerous operation.",
+ "safety:operationalSafety:monitorsWatchdog": "The entity checks for uncontrolled operation.",
+ "safety:operationalSafety:validatesSafetyCondition": "The entity confirms safe operating state.",
+ "security": "Behaviours relating to the protection of systems and data from unauthorised access and threats.",
+ "security:auditing": "Behaviours that record security-relevant events for accountability and forensic analysis.",
+ "security:auditing:logsEvent": "The entity records an occurrence.",
+ "security:auditing:logsSecurityEvent": "The entity records a security-relevant occurrence.",
+ "security:auditing:protectsAuditLog": "The entity prevents tampering with log records.",
+ "security:auditing:purgesLog": "The entity deletes old log records.",
+ "security:auditing:rotatesLog": "The entity archives and starts new log files.",
+ "security:auditing:signsLogEntry": "The entity cryptographically signs audit records.",
+ "security:auditing:timestampsEvent": "The entity records when an event occurred.",
+ "security:auditing:transmitsLog": "The entity sends log data to a remote destination.",
+ "security:authentication": "Behaviours that verify the identity of users and entities.",
+ "security:authentication:authenticatesDevice": "The entity confirms device identity.",
+ "security:authentication:authenticatesService": "The entity confirms service identity.",
+ "security:authentication:authenticatesUser": "The entity confirms user identity.",
+ "security:authentication:bypassesAuthentication": "The entity permits access without authentication.",
+ "security:authentication:capturesBiometric": "The entity collects biometric data for authentication.",
+ "security:authentication:delegatesAuthentication": "The entity relies on external identity provider.",
+ "security:authentication:failsAuthentication": "The entity rejects invalid credentials.",
+ "security:authentication:locksAccount": "The entity prevents further authentication attempts.",
+ "security:authentication:performsMultiFactorAuthentication": "The entity requires multiple authentication factors.",
+ "security:authentication:promptsForCredentials": "The entity requests authentication information.",
+ "security:authentication:unlocksAccount": "The entity restores authentication capability.",
+ "security:authentication:validatesBiometric": "The entity verifies biometric data.",
+ "security:authentication:validatesCredentials": "The entity verifies supplied credentials.",
+ "security:authorization": "Behaviours that determine and enforce access permissions.",
+ "security:authorization:checksPermission": "The entity verifies access rights.",
+ "security:authorization:delegatesAuthority": "The entity transfers access rights to another.",
+ "security:authorization:deniesAccess": "The entity refuses a requested action.",
+ "security:authorization:enforcesRole": "The entity restricts actions based on assigned role.",
+ "security:authorization:escalatesPrivilege": "The entity gains elevated permissions.",
+ "security:authorization:evaluatesAttributes": "The entity uses attributes for access decisions.",
+ "security:authorization:evaluatesPolicy": "The entity applies rules to make access decisions.",
+ "security:authorization:grantsAccess": "The entity permits a requested action.",
+ "security:authorization:grantsImpersonation": "The entity permits another to act within its security context.",
+ "security:authorization:impersonatesUser": "The entity performs actions within another user's security context.",
+ "security:authorization:requestsImpersonation": "The entity initiates a request to act as another user.",
+ "security:authorization:revokesAccess": "The entity withdraws previously granted permissions.",
+ "security:authorization:revokesImpersonation": "The entity terminates another's permission to act on its behalf.",
+ "security:cryptography": "Behaviours that employ cryptographic operations to protect data confidentiality and integrity.",
+ "security:cryptography:checksRevocation": "The entity queries certificate revocation status.",
+ "security:cryptography:decryptsData": "The entity restores encrypted data to readable form.",
+ "security:cryptography:destroysKey": "The entity securely erases a key.",
+ "security:cryptography:encryptsData": "The entity transforms data to prevent unauthorised reading.",
+ "security:cryptography:exchangesKey": "The entity shares a key with another party.",
+ "security:cryptography:generatesKey": "The entity creates a cryptographic key.",
+ "security:cryptography:generatesRandomValue": "The entity produces a cryptographically secure random value.",
+ "security:cryptography:hashesData": "The entity generates a cryptographic hash.",
+ "security:cryptography:issuesCertificate": "The entity creates and signs a digital certificate.",
+ "security:cryptography:retrievesKey": "The entity obtains a stored key.",
+ "security:cryptography:revokesCertificate": "The entity invalidates a certificate.",
+ "security:cryptography:rotatesKey": "The entity replaces a key with a new one.",
+ "security:cryptography:signsData": "The entity creates a digital signature.",
+ "security:cryptography:storesKey": "The entity saves a key securely.",
+ "security:cryptography:validatesCertificate": "The entity verifies certificate authenticity.",
+ "security:cryptography:verifiesHash": "The entity validates data against a hash.",
+ "security:cryptography:verifiesSignature": "The entity validates a digital signature.",
+ "security:errorHandling": "Behaviours that manage error conditions to prevent information disclosure.",
+ "security:errorHandling:catchesException": "The entity intercepts an error condition.",
+ "security:errorHandling:disclosesErrorDetails": "The entity reveals internal information in error messages.",
+ "security:errorHandling:failsClosed": "The entity denies access when controls fail.",
+ "security:errorHandling:failsOpen": "The entity permits access when controls fail.",
+ "security:errorHandling:generatesError": "The entity produces an error condition.",
+ "security:errorHandling:logsError": "The entity records an error condition.",
+ "security:errorHandling:propagatesError": "The entity passes an error to caller.",
+ "security:errorHandling:returnsGenericError": "The entity provides minimal error information.",
+ "security:errorHandling:suppressesError": "The entity hides an error condition.",
+ "security:inputHandling": "Behaviours that validate and sanitise input data to prevent injection attacks.",
+ "security:inputHandling:escapesInput": "The entity encodes special characters in input.",
+ "security:inputHandling:normalizesInput": "The entity converts input to standard form.",
+ "security:inputHandling:rejectsInvalidInput": "The entity refuses malformed or dangerous input.",
+ "security:inputHandling:sanitizesInput": "The entity removes potentially harmful content from input.",
+ "security:inputHandling:truncatesInput": "The entity shortens input to acceptable length.",
+ "security:inputHandling:validatesFormat": "The entity verifies input conforms to expected format.",
+ "security:inputHandling:validatesRange": "The entity ensures values fall within acceptable bounds.",
+ "security:inputHandling:validatesSchema": "The entity checks input against a defined schema.",
+ "security:integrity": "Behaviours that verify and protect the integrity of data and code.",
+ "security:integrity:attestsIntegrity": "The entity provides evidence of its own integrity.",
+ "security:integrity:detectsTampering": "The entity identifies modification attempts.",
+ "security:integrity:respondsToTampering": "The entity reacts to detected tampering.",
+ "security:integrity:validatesComponent": "The entity verifies authenticity of a dependency.",
+ "security:integrity:verifiesIntegrity": "The entity confirms data or code has not been altered.",
+ "security:integrity:verifiesProvenance": "The entity confirms origin and history.",
+ "security:outputHandling": "Behaviours that encode and filter output data to prevent information leakage.",
+ "security:outputHandling:encodesOutput": "The entity transforms output to prevent injection.",
+ "security:outputHandling:enforcesContentPolicy": "The entity restricts content sources.",
+ "security:outputHandling:escapesOutput": "The entity encodes special characters in output.",
+ "security:outputHandling:filtersOutput": "The entity removes sensitive content from output.",
+ "security:outputHandling:masksOutput": "The entity obscures sensitive data in output.",
+ "security:outputHandling:setsSecurityHeader": "The entity adds security-related HTTP headers.",
+ "security:session": "Behaviours that manage authenticated user sessions.",
+ "security:session:createsSession": "The entity establishes an authenticated session.",
+ "security:session:detectsSessionHijacking": "The entity identifies unauthorised session use.",
+ "security:session:invalidatesSession": "The entity revokes session validity.",
+ "security:session:refreshesSession": "The entity extends session lifetime.",
+ "security:session:regeneratesSessionId": "The entity creates a new session identifier.",
+ "security:session:terminatesSession": "The entity ends an authenticated session.",
+ "security:session:validatesSession": "The entity verifies session validity.",
+ "security:threatResponse": "Behaviours that detect and respond to security threats and incidents.",
+ "security:threatResponse:blocksRequest": "The entity refuses a suspicious request.",
+ "security:threatResponse:blocksSource": "The entity prevents further requests from a source.",
+ "security:threatResponse:collectsForensicData": "The entity gathers evidence for investigation.",
+ "security:threatResponse:detectsAnomaly": "The entity recognises deviation from normal patterns.",
+ "security:threatResponse:detectsIntrusion": "The entity identifies a potential security breach.",
+ "security:threatResponse:initiatesIncidentResponse": "The entity triggers security response procedures.",
+ "security:threatResponse:quarantinesElement": "The entity isolates a suspicious item.",
+ "security:threatResponse:raisesAlert": "The entity notifies of a security event.",
+ "system": "Behaviours relating to operating system interactions and the management of computational resources.",
+ "system:configuration": "Behaviours that read and modify system configuration settings.",
+ "system:configuration:deletesRegistryKey": "The entity removes entries from the registry.",
+ "system:configuration:modifiesGroupPolicy": "The entity changes group policy settings.",
+ "system:configuration:readsConfigurationFile": "The entity loads settings from a configuration file.",
+ "system:configuration:readsEnvironmentVariable": "The entity retrieves an environment variable value.",
+ "system:configuration:readsGroupPolicy": "The entity retrieves group policy settings.",
+ "system:configuration:readsRegistry": "The entity retrieves values from the system registry.",
+ "system:configuration:setsEnvironmentVariable": "The entity modifies an environment variable.",
+ "system:configuration:writesConfigurationFile": "The entity saves settings to a configuration file.",
+ "system:configuration:writesRegistry": "The entity stores values in the system registry.",
+ "system:informationGathering": "Behaviours that collect information about the host system and its configuration.",
+ "system:informationGathering:detectsOsVersion": "The entity determines the operating system version.",
+ "system:informationGathering:gathersSystemInformation": "The entity collects system configuration details.",
+ "system:informationGathering:queriesHardwareInformation": "The entity retrieves hardware specifications.",
+ "system:informationGathering:retrievesHostname": "The entity obtains the system hostname.",
+ "system:kernelInteraction": "Behaviours that interact directly with the operating system kernel.",
+ "system:kernelInteraction:hooksKernelFunction": "The entity intercepts kernel-level calls.",
+ "system:kernelInteraction:installsDriver": "The entity loads a kernel-mode driver.",
+ "system:kernelInteraction:readsKernelMemory": "The entity accesses kernel memory space.",
+ "system:kernelInteraction:writesKernelMemory": "The entity modifies kernel memory space.",
+ "system:lifecycle": "Behaviours associated with an entity's initialisation, operation, maintenance, and retirement.",
+ "system:lifecycle:appliesUpdate": "The entity installs software or firmware updates.",
+ "system:lifecycle:decommissions": "The entity securely retires from service.",
+ "system:lifecycle:initializes": "The entity performs start-up routines and loads configuration.",
+ "system:lifecycle:performsSelfTest": "The entity verifies its own operational readiness.",
+ "system:lifecycle:provisions": "The entity configures itself for deployment.",
+ "system:lifecycle:rollsBack": "The entity reverts to a previous known-good state.",
+ "system:lifecycle:shutsDown": "The entity executes orderly cessation of operations.",
+ "system:operationalState": "Behaviours that govern an entity's functional status and mode of operation.",
+ "system:operationalState:entersFailSafeState": "The entity transitions to a known safe state upon detecting a fault.",
+ "system:operationalState:entersFailSecureState": "The entity denies access or ceases sensitive operations upon detecting a security fault.",
+ "system:operationalState:operatesInDegradedMode": "The entity continues operation with reduced functionality.",
+ "system:operationalState:operatesNormally": "The entity performs its intended functions within designed parameters.",
+ "system:operationalState:performsEmergencyShutdown": "The entity immediately halts to prevent harm or damage.",
+ "system:persistence": "Behaviours that establish mechanisms for an entity to survive system restarts.",
+ "system:persistence:createsScheduledTask": "The entity schedules itself for recurring execution.",
+ "system:persistence:installsAsService": "The entity registers itself as a system service.",
+ "system:persistence:loadsAsKernelModule": "The entity loads itself into the kernel.",
+ "system:persistence:registersForStartup": "The entity configures itself to execute at system boot.",
+ "system:persistence:removesPersistence": "The entity removes its persistence mechanism.",
+ "system:processControl": "Behaviours that create and manipulate operating system processes.",
+ "system:processControl:createsProcess": "The entity starts a new process.",
+ "system:processControl:dumpsProcessMemory": "The entity extracts memory contents from a process.",
+ "system:processControl:enumeratesProcesses": "The entity lists running processes.",
+ "system:processControl:hooksFunction": "The entity intercepts and redirects function calls.",
+ "system:processControl:injectsCodeIntoProcess": "The entity inserts executable code into another process.",
+ "system:processControl:modifiesProcess": "The entity changes attributes of a running process.",
+ "system:processControl:resumesProcess": "The entity continues paused process execution.",
+ "system:processControl:suspendsProcess": "The entity pauses process execution.",
+ "system:processControl:terminatesProcess": "The entity ends a running process.",
+ "system:resilience": "Behaviours that enable an entity to detect faults and maintain operation despite adverse conditions.",
+ "system:resilience:activatesRedundancy": "The entity activates backup systems or alternative processing paths.",
+ "system:resilience:degradesGracefully": "The entity progressively reduces functionality rather than failing abruptly.",
+ "system:resilience:detectsFault": "The entity identifies an internal fault or anomalous condition.",
+ "system:resilience:recoversFromFailure": "The entity restores normal operation following a failure.",
+ "system:resilience:toleratesFault": "The entity continues operation despite the presence of a fault.",
+ "system:resourceManagement": "Behaviours that allocate and deallocate computational resources such as memory and threads.",
+ "system:resourceManagement:allocatesMemory": "The entity reserves memory for use.",
+ "system:resourceManagement:deallocatesMemory": "The entity releases previously allocated memory.",
+ "system:resourceManagement:handlesResourceExhaustion": "The entity responds to depleted resources.",
+ "system:resourceManagement:managesPowerState": "The entity transitions between power consumption states.",
+ "system:resourceManagement:readsFromStorage": "The entity retrieves data from persistent storage.",
+ "system:resourceManagement:resumesThread": "The entity continues paused thread execution.",
+ "system:resourceManagement:spawnsThread": "The entity creates a new execution thread.",
+ "system:resourceManagement:suspendsThread": "The entity pauses thread execution.",
+ "system:resourceManagement:terminatesThread": "The entity ends an execution thread.",
+ "system:resourceManagement:writesToStorage": "The entity saves data to persistent storage.",
+ "system:serviceControl": "Behaviours that manage system services and daemons.",
+ "system:serviceControl:createsService": "The entity installs a system service 
or daemon.", + "system:serviceControl:deletesService": "The entity removes a system service.", + "system:serviceControl:enumeratesServices": "The entity lists installed services.", + "system:serviceControl:modifiesService": "The entity changes service configuration.", + "system:serviceControl:startsService": "The entity initiates service execution.", + "system:serviceControl:stopsService": "The entity halts service execution.", + "system:synchronization": "Behaviours that coordinate access to shared resources across concurrent execution contexts.", + "system:synchronization:acquiresMutex": "The entity obtains exclusive access via mutex.", + "system:synchronization:releasesMutex": "The entity relinquishes mutex ownership.", + "system:synchronization:signalsEvent": "The entity triggers a synchronisation event.", + "system:synchronization:signalsSemaphore": "The entity releases a semaphore.", + "system:synchronization:waitsOnEvent": "The entity blocks until an event is signalled.", + "system:synchronization:waitsOnSemaphore": "The entity blocks until semaphore is available.", + "system:timing": "Behaviours that govern temporal aspects of execution including scheduling and synchronisation.", + "system:timing:delaysExecution": "The entity postpones an operation.", + "system:timing:enforcesDeadline": "The entity ensures completion within a timing constraint.", + "system:timing:executesScheduledTask": "The entity performs a task at a predetermined time.", + "system:timing:resetsWatchdog": "The entity signals continued operation to a watchdog monitor.", + "system:timing:synchronizesClock": "The entity aligns its internal clock with an external source.", + "system:timing:triggersTimeout": "The entity acts upon detecting an unresponsive condition.", + "system:timing:waits": "The entity pauses execution for a specified duration.", + "system:userManagement": "Behaviours that create and manipulate user accounts and privileges.", + "system:userManagement:createsUserAccount": 
"The entity adds a new user account.",
+ "system:userManagement:deletesUserAccount": "The entity removes a user account.",
+ "system:userManagement:elevatesPrivileges": "The entity gains higher access permissions.",
+ "system:userManagement:enumeratesUsers": "The entity lists user accounts.",
+ "system:userManagement:impersonatesUser": "The entity assumes another user's identity.",
+ "system:userManagement:modifiesUserAccount": "The entity changes user account properties."
+ }
+ }
+ }
+}
diff --git a/schema/2.0/model/cyclonedx-blueprint-2.0.schema.json b/schema/2.0/model/cyclonedx-blueprint-2.0.schema.json
new file mode 100644
index 00000000..30a68310
--- /dev/null
+++ b/schema/2.0/model/cyclonedx-blueprint-2.0.schema.json
@@ -0,0 +1,1574 @@
+{
+ "$schema": "https://json-schema.org/draft/2020-12/schema",
+ "$id": "https://cyclonedx.org/schema/2.0/model/cyclonedx-blueprint-2.0.schema.json",
+ "type": "null",
+ "title": "CycloneDX Blueprint Model",
+ "$comment" : "OWASP CycloneDX is an Ecma International standard (ECMA-424) developed in collaboration between the OWASP Foundation and Ecma Technical Committee 54 (TC54). The standard is published under a royalty-free patent policy. This JSON schema is the reference implementation and is licensed under the Apache License 2.0.",
+ "required": ["modelTypes", "methodologies"],
+ "additionalProperties": false,
+ "properties": {
+ "bom-ref": {
+ "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType"
+ },
+ "modelTypes": {
+ "type": "array",
+ "minItems": 1,
+ "description": "The types of models being represented",
+ "items": {
+ "$ref": "#/$defs/modelType"
+ }
+ },
+ "methodologies": {
+ "type": "array",
+ "minItems": 1,
+ "description": "The modeling methodologies used",
+ "items": {
+ "$ref": "#/$defs/methodology"
+ }
+ },
+ "perspectives": {
+ "type": "array",
+ "description": "Different viewpoints or perspectives used in the model analysis",
+ "items": {
+ "$ref": "#/$defs/perspective"
+ }
+ },
+ "metadata": {
+ "$ref": "#/$defs/blueprintMetadata"
+ },
+ "scope": {
+ "$ref": "#/$defs/scope"
+ },
+ "assets": {
+ "type": "array",
+ "items": {
+ "$ref": "#/$defs/asset"
+ },
+ "description": "The assets (components, services, data, actors) included in the model"
+ },
+ "dataStores": {
+ "type": "array",
+ "items": {
+ "$ref": "#/$defs/dataStore"
+ },
+ "description": "Structured description of data stores used in the model"
+ },
+ "dataSets": {
+ "type": "array",
+ "items": {
+ "$ref": "#/$defs/dataSet"
+ },
+ "description": "Datasets handled by the system, including placements and sensitivity"
+ },
+ "zones": {
+ "type": "array",
+ "items": {
+ "$ref": "#/$defs/zone"
+ },
+ "description": "Logical, physical, or trust zones that group assets 
with similar characteristics" + }, + "boundaries": { + "type": "array", + "items": { + "$ref": "#/$defs/boundary" + }, + "description": "Boundaries between zones" + }, + "flows": { + "type": "array", + "items": { + "$ref": "#/$defs/flow" + }, + "description": "Data, control, or process flows between assets" + }, + "actors": { + "type": "array", + "items": { + "$ref": "#/$defs/actor" + }, + "description": "Human or system actors involved in the model, distinct from assets" + }, + "assumptions": { + "type": "array", + "items": { + "$ref": "#/$defs/assumption" + }, + "description": "Assumptions made during the modeling process" + }, + "actor": { + "type": "object", + "required": ["bom-ref", "name", "type"], + "additionalProperties": false, + "properties": { + "bom-ref": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType", + "description": "Unique identifier for the actor" + }, + "name": { + "type": "string", + "description": "Name or title of the actor" + }, + "description": { + "type": "string", + "description": "Narrative describing the actor's role and context" + }, + "type": { + "type": "string", + "enum": ["user", "engineer", "administrator", "operator", "system", "external"], + "description": "Classification of the actor", + "meta:enum": { + "user": "End user of a client application or service", + "engineer": "Developer or platform/DevOps engineer", + "administrator": "Administrative or privileged operator", + "operator": "Operational staff running the system", + "system": "Automated system actor or service account", + "external": "Third-party or external entity" + } + }, + "permissions": { + "type": "string", + "description": "Key permissions, capabilities, or duties the actor holds" + }, + "trustZone": { + "$ref": "#/$defs/trustZoneRef", + "description": "Reference to the trust zone where the actor resides" + }, + "properties": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/properties" + } + } + }, + "visualizations": { + "type": "array", + 
"items": { + "$ref": "#/$defs/visualization" + }, + "description": "Visual representations of the model" + }, + "useCases": { + "type": "array", + "items": { + "type": "object", + "allOf": [ + { + "$ref": "cyclonedx-usecase-2.0.schema.json" + }, + { + "properties": { + "assets": { + "type": "array", + "items": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType" + }, + "description": "References to assets involved in this use case" + }, + "flows": { + "type": "array", + "items": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType" + }, + "description": "References to flows that are part of this use case" + }, + "requirements": { + "type": "array", + "items": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType" + }, + "description": "References to requirements implemented by this use case" + } + } + } + ] + }, + "description": "Use cases analyzed as part of the model" + }, + "requirements": { + "type": "array", + "items": { + "$ref": "cyclonedx-requirement-2.0.schema.json#/$defs/requirement" + }, + "description": "Requirements derived from or related to the model" + }, + "externalReferences": { + "type": "array", + "items": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/externalReference" + }, + "description": "External references related to the blueprint" + }, + "properties": { + "type": "array", + "items": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/property" + }, + "description": "Additional properties and extensions" + } + }, + "$defs": { + "modelType": { + "type": "object", + "oneOf": [ + { + "required": ["type"], + "additionalProperties": false, + "properties": { + "type": { + "type": "string", + "enum": [ + "architecture", + "dataFlow", + "process", + "deployment", + "network", + "threat", + "risk", + "privacy", + "operational", + "conceptual", + "logical", + "physical", + "behavioral", + "structural" + ], + "meta:enum": { + "architecture": "System or software architecture model", + "dataFlow": "Data flow model 
showing how data moves through the system", + "process": "Business or system process model", + "deployment": "Deployment or infrastructure model", + "network": "Network topology or connectivity model", + "threat": "Security threat model", + "risk": "Risk assessment model", + "privacy": "Privacy impact assessment model", + "operational": "Operational model", + "conceptual": "High-level conceptual model", + "logical": "Logical system model", + "physical": "Physical infrastructure model", + "behavioral": "System behavior model", + "structural": "System structure model" + } + } + } + }, + { + "required": ["name"], + "additionalProperties": false, + "properties": { + "name": { + "type": "string", + "description": "Custom model type name" + }, + "description": { + "type": "string", + "description": "Description of the custom model type" + } + } + } + ] + }, + "methodology": { + "type": "object", + "oneOf": [ + { + "required": ["type"], + "additionalProperties": false, + "properties": { + "type": { + "type": "string", + "enum": [ + "C4", + "UML", + "TOGAF", + "Archimate", + "BPMN", + "DFD", + "ERD", + "4+1", + "Zachman", + "SABSA", + "DODAF", + "MODAF", + "NAF", + "Kruchten", + "IDEF", + "SysML", + "STRIDE", + "PASTA", + "LINDDUN", + "OCTAVE", + "ISO27005", + "NIST", + "FAIR" + ], + "meta:enum": { + "C4": "C4 Model for software architecture", + "UML": "Unified Modeling Language", + "TOGAF": "The Open Group Architecture Framework", + "Archimate": "Enterprise architecture modeling language", + "BPMN": "Business Process Model and Notation", + "DFD": "Data Flow Diagrams", + "ERD": "Entity Relationship Diagrams", + "4+1": "4+1 Architectural View Model", + "Zachman": "Zachman Framework", + "SABSA": "Sherwood Applied Business Security Architecture", + "DODAF": "Department of Defense Architecture Framework", + "MODAF": "Ministry of Defence Architecture Framework", + "NAF": "NATO Architecture Framework", + "Kruchten": "Kruchten's 4+1 View Model", + "IDEF": "Integration Definition 
Methods", + "SysML": "Systems Modeling Language", + "STRIDE": "Microsoft's threat modeling methodology", + "PASTA": "Process for Attack Simulation and Threat Analysis", + "LINDDUN": "Privacy threat modeling methodology", + "OCTAVE": "Operationally Critical Threat, Asset, and Vulnerability Evaluation", + "ISO27005": "ISO/IEC 27005 Information security risk management", + "NIST": "NIST Risk Management Framework", + "FAIR": "Factor Analysis of Information Risk" + } + }, + "version": { + "type": "string", + "description": "Version of the methodology" + } + } + }, + { + "required": ["name"], + "additionalProperties": false, + "properties": { + "name": { + "type": "string", + "description": "Custom methodology name" + }, + "version": { + "type": "string", + "description": "Version of the methodology" + }, + "description": { + "type": "string", + "description": "Description of the custom methodology" + }, + "externalReferences": { + "type": "array", + "items": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/externalReference" + } + } + } + } + ] + }, + "perspective": { + "type": "object", + "required": ["bom-ref", "type", "name"], + "additionalProperties": false, + "properties": { + "bom-ref": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType", + "description": "Unique identifier for the perspective" + }, + "type": { + "type": "string", + "enum": [ + "business", + "technical", + "user", + "operational", + "development", + "architectural", + "functional", + "informational", + "contextual", + "conceptual", + "logical", + "physical", + "security", + "compliance", + "risk", + "stakeholder", + "design-review", + "custom" + ], + "meta:enum": { + "business": "Business stakeholder perspective", + "technical": "Technical implementation perspective", + "user": "End user or customer perspective", + "operational": "Operations and maintenance perspective", + "development": "Software development perspective", + "architectural": "System architecture perspective", + 
"functional": "Functional requirements perspective", + "informational": "Information and data perspective", + "contextual": "Business context perspective", + "conceptual": "High-level conceptual perspective", + "logical": "Logical design perspective", + "physical": "Physical implementation perspective", + "security": "Security perspective", + "compliance": "Regulatory compliance perspective", + "risk": "Risk management perspective", + "stakeholder": "General stakeholder perspective", + "custom": "Custom or other perspective" + } + }, + "name": { + "type": "string", + "description": "Name of the perspective" + }, + "description": { + "type": "string", + "description": "Detailed description of the perspective and its focus" + }, + "role": { + "type": "string", + "description": "The role or persona associated with this perspective" + }, + "objectives": { + "type": "array", + "items": { + "type": "string" + }, + "description": "Primary objectives or goals from this perspective" + }, + "concerns": { + "type": "array", + "items": { + "type": "string" + }, + "description": "Primary concerns from this perspective" + }, + "viewpoint": { + "type": "string", + "description": "The architectural viewpoint this perspective represents" + }, + "scope": { + "type": "string", + "description": "The scope of this perspective" + }, + "properties": { + "type": "array", + "items": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/property" + } + } + } + }, + "blueprintMetadata": { + "type": "object", + "additionalProperties": false, + "properties": { + "timestamp": { + "type": "string", + "format": "date-time", + "description": "When the blueprint was created or last updated" + }, + "authors": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/organizationalEntityOrContact", + "description": "The person(s) or organization(s) who created the blueprint" + }, + "reviewer": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/organizationalEntityOrContact", + "description": "The 
person(s) or organization(s) who reviewed the blueprint" + }, + "reviewDate": { + "type": "string", + "format": "date-time", + "description": "When the blueprint was reviewed" + }, + "approver": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/organizationalEntityOrContact", + "description": "The person(s) or organization(s) who approved the blueprint" + }, + "approvalDate": { + "type": "string", + "format": "date-time", + "description": "When the blueprint was approved" + }, + "ordinalVersion": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/ordinalVersion" + }, + "lifecycles": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/lifecycles" + }, + "validityPeriod": { + "$ref": "#/$defs/validityPeriod" + } + } + }, + "validityPeriod": { + "type": "object", + "additionalProperties": false, + "properties": { + "start": { + "type": "string", + "format": "date-time", + "description": "When the blueprint becomes valid" + }, + "end": { + "type": "string", + "format": "date-time", + "description": "When the blueprint expires" + }, + "reviewFrequency": { + "type": "string", + "pattern": "^P(?!$)(\\d+Y)?(\\d+M)?(\\d+W)?(\\d+D)?$", + "description": "ISO 8601 duration for review frequency (e.g., P3M for quarterly)" + } + } + }, + "scope": { + "type": "object", + "required": ["name"], + "additionalProperties": false, + "properties": { + "bom-ref": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType" + }, + "name": { + "type": "string", + "description": "Name of the scope" + }, + "description": { + "type": "string", + "description": "Description of what is included and excluded from the model" + }, + "boundaries": { + "type": "array", + "items": { + "type": "string" + }, + "description": "Explicit boundaries of the model" + }, + "includedComponents": { + "type": "array", + "items": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType" + }, + "description": "References to components explicitly included" + }, + "excludedComponents": { + "type": "array", 
+ "items": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType" + }, + "description": "References to components explicitly excluded" + }, + "properties": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/properties" + } + } + }, + "asset": { + "type": "object", + "required": ["bom-ref", "type", "name"], + "additionalProperties": false, + "properties": { + "bom-ref": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType", + "description": "Unique identifier for the asset" + }, + "componentRef": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType", + "description": "Reference to the component this asset represents" + }, + "serviceRef": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType", + "description": "Reference to the service this asset represents" + }, + "type": { + "type": "string", + "enum": [ + "component", + "service", + "dataStore", + "data", + "actor", + "process", + "infrastructure", + "device", + "network", + "container", + "function", + "api", + "queue", + "stream", + "system", + "subsystem", + "module", + "interface", + "endpoint", + "resource" + ], + "meta:enum": { + "component": "Software component or application", + "service": "Service or microservice", + "dataStore": "Database, file system, or data repository", + "data": "Dataset", + "actor": "User, system, or external entity", + "process": "Business or system process", + "infrastructure": "Infrastructure component", + "device": "Physical or IoT device", + "network": "Network segment or resource", + "container": "Container or orchestration unit", + "function": "Serverless function or lambda", + "api": "API endpoint or interface", + "queue": "Message queue or event bus", + "stream": "Data stream or event stream", + "system": "Complete system or application", + "subsystem": "Part of a larger system", + "module": "Software module or package", + "interface": "System interface or contract", + "endpoint": "Service endpoint or URL", + "resource": "Generic resource or 
artifact" + } + }, + "name": { + "type": "string", + "description": "Name of the asset" + }, + "description": { + "type": "string", + "description": "Description of the asset's role and purpose" + }, + "zone": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType", + "description": "Reference to the zone containing this asset" + }, + "parent": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType", + "description": "Reference to parent asset if this is a sub-component" + }, + "classification": { + "$ref": "#/$defs/assetClassification" + }, + "attributes": { + "type": "array", + "items": { + "type": "string" + }, + "description": "Generic attributes or tags for the asset" + }, + "responsibilities": { + "type": "array", + "items": { + "type": "string" + }, + "description": "Responsibilities or functions of this asset" + }, + "interfaces": { + "type": "array", + "items": { + "$ref": "#/$defs/interface" + }, + "description": "Interfaces exposed by this asset" + }, + "dependencies": { + "type": "array", + "items": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType" + }, + "description": "References to assets this asset depends on" + }, + "useCases": { + "type": "array", + "items": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType" + }, + "description": "References to use cases that involve this asset" + }, + "authentication": { + "type": "array", + "items": { + "$ref": "#/$defs/authenticationType" + }, + "description": "Authentication methods supported/required" + }, + "authorization": { + "$ref": "#/$defs/accessControlType", + "description": "Access control model used" + }, + "encryption": { + "$ref": "#/$defs/encryptionType" + }, + "ownership": { + "$ref": "#/$defs/ownership" + }, + "properties": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/properties" + }, + "externalReferences": { + "type": "array", + "items": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/externalReference" + } + } + } + }, + "dataStore": { + "type": 
"object", + "required": ["bom-ref", "name", "type"], + "additionalProperties": false, + "properties": { + "bom-ref": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType" + }, + "name": { + "type": "string", + "description": "Name of the data store" + }, + "description": { + "type": "string", + "description": "Purpose and contents of the store" + }, + "type": { + "type": "string", + "enum": [ + "sql", + "keyValue", + "document", + "object", + "graph", + "timeSeries", + "file", + "blob", + "cache", + "custom" + ], + "meta:enum": { + "sql": "Relational database", + "keyValue": "Key-value store", + "document": "Document database (e.g., MongoDB)", + "object": "Object storage", + "graph": "Graph database", + "timeSeries": "Time-series database", + "file": "File system or NAS", + "blob": "Binary/blob storage", + "cache": "Caching tier", + "custom": "Other or mixed storage technology" + } + }, + "vendor": { + "type": "string" + }, + "product": { + "type": "string" + }, + "version": { + "type": "string" + }, + "environment": { + "type": "string", + "description": "Deployment environment (prod, test, etc.)" + }, + "trustZone": { + "$ref": "#/$defs/trustZoneRef" + }, + "location": { + "type": "string", + "description": "Physical or logical hosting location" + }, + "technologies": { + "type": "array", + "items": { + "type": "string" + }, + "description": "Supporting technologies or services" + }, + "dataSets": { + "type": "array", + "items": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType" + }, + "description": "References to data sets stored here" + }, + "accessControl": { + "$ref": "#/$defs/accessControlType" + }, + "encryption": { + "$ref": "#/$defs/encryptionType" + }, + "properties": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/properties" + } + } + }, + "dataSet": { + "type": "object", + "required": ["bom-ref", "name", "description"], + "additionalProperties": false, + "properties": { + "bom-ref": { + "$ref": 
"cyclonedx-common-2.0.schema.json#/$defs/refType" + }, + "name": { + "type": "string", + "description": "Name of the dataset" + }, + "description": { + "type": "string", + "description": "What information is contained and why it exists" + }, + "classification": { + "$ref": "#/$defs/dataClassification" + }, + "dataTypes": { + "type": "array", + "items": { + "$ref": "#/$defs/dataObjectType" + }, + "description": "Categories of data stored (PII, PHI, etc.)" + }, + "recordCount": { + "type": "integer", + "description": "Approximate number of records" + }, + "owners": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/organizationalEntityOrContact" + }, + "regulations": { + "type": "array", + "items": { + "type": "string" + }, + "description": "Applicable regulations or contracts" + }, + "accessControl": { + "$ref": "#/$defs/accessControlType" + }, + "placements": { + "type": "array", + "items": { + "type": "object", + "required": ["dataStore"], + "additionalProperties": false, + "properties": { + "dataStore": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType", + "description": "Reference to the store holding this dataset" + }, + "encrypted": { + "type": "boolean", + "description": "Whether the dataset is encrypted at this location" + }, + "retention": { + "type": "string", + "description": "Retention policy for this placement" + }, + "replicated": { + "type": "boolean", + "description": "Indicates if this placement is a replica" + } + } + }, + "description": "Where the dataset resides" + }, + "properties": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/properties" + } + } + }, + "interface": { + "type": "object", + "required": ["name", "type"], + "additionalProperties": false, + "properties": { + "name": { + "type": "string", + "description": "Name of the interface" + }, + "type": { + "type": "string", + "enum": ["rest", "graphql", "grpc", "soap", "messaging", "file", "database", "cli", "gui", "api", "event", "stream"], + "description": "Type of 
interface" + }, + "description": { + "type": "string", + "description": "Description of the interface" + }, + "specification": { + "type": "string", + "description": "Link or reference to interface specification" + }, + "protocol": { + "type": "string", + "description": "Communication protocol used" + }, + "dataFormat": { + "type": "string", + "description": "Data format (e.g., JSON, XML, Protocol Buffers)" + }, + "authentication": { + "type": "array", + "items": { + "$ref": "#/$defs/authenticationType" + } + }, + "operations": { + "type": "array", + "items": { + "type": "string" + }, + "description": "Operations or methods exposed" + } + } + }, + "zone": { + "type": "object", + "required": ["bom-ref", "name", "type"], + "additionalProperties": false, + "properties": { + "bom-ref": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType" + }, + "name": { + "type": "string", + "description": "Name of the zone" + }, + "description": { + "type": "string", + "description": "Description of the zone's characteristics" + }, + "type": { + "type": "string", + "enum": ["trust", "network", "physical", "logical", "deployment", "organizational", "functional", "security"], + "meta:enum": { + "trust": "Security trust zone", + "network": "Network segmentation zone", + "physical": "Physical location or boundary", + "logical": "Logical grouping or boundary", + "deployment": "Deployment environment (e.g., dev, staging, prod)", + "organizational": "Organizational or administrative boundary", + "functional": "Functional grouping", + "security": "Security zone or perimeter" + } + }, + "parent": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType", + "description": "Reference to parent zone if this is a sub-zone" + }, + "characteristics": { + "type": "array", + "items": { + "type": "string" + }, + "description": "Key characteristics of this zone" + }, + "constraints": { + "type": "array", + "items": { + "type": "string" + }, + "description": "Constraints or limitations of 
this zone" + }, + "properties": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/properties" + } + } + }, + "boundary": { + "type": "object", + "required": ["bom-ref", "zones"], + "additionalProperties": false, + "properties": { + "bom-ref": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType" + }, + "name": { + "type": "string", + "description": "Name of the boundary" + }, + "type": { + "type": "string", + "enum": ["trust", "network", "process", "data", "physical", "organizational", "functional"], + "meta:enum": { + "trust": "Trust boundary between different security zones", + "network": "Network boundary or firewall", + "process": "Process or execution boundary", + "data": "Data classification boundary", + "physical": "Physical security boundary", + "organizational": "Organizational boundary", + "functional": "Functional boundary" + } + }, + "zones": { + "type": "array", + "minItems": 2, + "items": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType" + }, + "description": "The zones this boundary connects or separates" + }, + "crossingRequirements": { + "$ref": "#/$defs/crossingRequirements" + }, + "properties": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/properties" + } + } + }, + "crossingRequirements": { + "type": "object", + "additionalProperties": false, + "properties": { + "authentication": { + "type": "array", + "items": { + "$ref": "#/$defs/authenticationType" + }, + "description": "Authentication required to cross this boundary" + }, + "authorization": { + "$ref": "#/$defs/accessControlType", + "description": "Access control model at this boundary" + }, + "dataValidation": { + "type": "boolean", + "description": "Whether data is validated when crossing this boundary" + }, + "dataTransformation": { + "type": "boolean", + "description": "Whether data is transformed when crossing this boundary" + }, + "encryption": { + "$ref": "#/$defs/encryptionType", + "description": "Encryption requirements for crossing this boundary" + }, 
+ "logging": {
+ "type": "boolean",
+ "description": "Whether crossings are logged"
+ },
+ "monitoring": {
+ "type": "boolean",
+ "description": "Whether crossings are monitored"
+ },
+ "rateLimit": {
+ "type": "string",
+ "description": "Rate limiting policy"
+ },
+ "protocols": {
+ "type": "array",
+ "items": {
+ "type": "string"
+ },
+ "description": "Allowed protocols for crossing"
+ }
+ }
+ },
+ "flow": {
+ "type": "object",
+ "required": ["bom-ref", "name", "source", "destination", "type"],
+ "additionalProperties": false,
+ "properties": {
+ "bom-ref": {
+ "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType"
+ },
+ "name": {
+ "type": "string",
+ "description": "Name or description of the flow"
+ },
+ "description": {
+ "type": "string",
+ "description": "Detailed description of what flows and why"
+ },
+ "type": {
+ "type": "string",
+ "enum": ["data", "control", "process", "message", "event", "dependency", "interaction"],
+ "meta:enum": {
+ "data": "Data or information flow",
+ "control": "Control or command flow",
+ "process": "Business process flow",
+ "message": "Message or communication flow",
+ "event": "Event or notification flow",
+ "dependency": "Dependency relationship",
+ "interaction": "User or system interaction"
+ }
+ },
+ "source": {
+ "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType",
+ "description": "Reference to the source asset"
+ },
+ "destination": {
+ "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType",
+ "description": "Reference to the destination asset"
+ },
+ "bidirectional": {
+ "type": "boolean",
+ "default": false,
+ "description": "Whether flow occurs in both directions"
+ },
+ "synchronous": {
+ "type": "boolean",
+ "description": "Whether the flow is synchronous or asynchronous"
+ },
+ "volume": {
+ "type": "string",
+ "description": "Expected volume or frequency of flow"
+ },
+ "timing": {
+ "type": "string",
+ "description": "Timing characteristics (real-time, batch, scheduled)"
+ },
+ "protocol": {
+ 
"type": "string",
+ "description": "Communication protocol used"
+ },
+ "dataFormat": {
+ "type": "string",
+ "description": "Format of data in the flow"
+ },
+ "classification": {
+ "$ref": "#/$defs/dataClassification"
+ },
+ "dataObjects": {
+ "type": "array",
+ "items": {
+ "$ref": "#/$defs/dataObject"
+ },
+ "description": "The data object(s) transported in this flow"
+ },
+ "authentication": {
+ "type": "array",
+ "items": {
+ "$ref": "#/$defs/authenticationType"
+ }
+ },
+ "encryption": {
+ "$ref": "#/$defs/encryptionType"
+ },
+ "sequence": {
+ "type": "integer",
+ "minimum": 0,
+ "description": "Ordering hint so flows can be assembled into sequence diagrams"
+ },
+ "properties": {
+ "$ref": "cyclonedx-common-2.0.schema.json#/$defs/properties"
+ }
+ }
+ },
+ "assumption": {
+ "type": "object",
+ "required": ["description"],
+ "additionalProperties": false,
+ "properties": {
+ "bom-ref": {
+ "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType"
+ },
+ "description": {
+ "type": "string",
+ "description": "The assumption being made"
+ },
+ "topic": {
+ "type": "string",
+ "enum": ["technical", "business", "operational", "security", "compliance", "performance", "availability"],
+ "description": "Topic of the assumption"
+ },
+ "relatedAssets": {
+ "type": "array",
+ "items": {
+ "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType"
+ },
+ "description": "Assets this assumption relates to"
+ },
+ "validity": {
+ "type": "string",
+ "enum": ["unknown", "verified", "unverified", "invalid"],
+ "default": "unknown",
+ "description": "Whether the assumption has been validated"
+ },
+ "impact": {
+ "type": "string",
+ "description": "Impact if this assumption proves false"
+ },
+ "owner": {
+ "$ref": "cyclonedx-common-2.0.schema.json#/$defs/organizationalEntityOrContact",
+ "description": "Who owns or is responsible for this assumption"
+ },
+ "validationMethod": {
+ "type": "string",
+ "description": "How this assumption can be validated"
+ },
+ 
"validationDate": {
+ "type": "string",
+ "format": "date-time",
+ "description": "When the assumption was last validated"
+ }
+ }
+ },
+ "visualization": {
+ "type": "object",
+ "required": ["name", "type"],
+ "additionalProperties": false,
+ "properties": {
+ "bom-ref": {
+ "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType"
+ },
+ "name": {
+ "type": "string",
+ "description": "Name or title of the visualization"
+ },
+ "description": {
+ "type": "string",
+ "description": "Description of what the visualization shows"
+ },
+ "type": {
+ "type": "string",
+ "enum": [
+ "architecture",
+ "dataFlow",
+ "sequence",
+ "state",
+ "deployment",
+ "network",
+ "process",
+ "useCase",
+ "component",
+ "class",
+ "entity",
+ "activity",
+ "collaboration",
+ "context",
+ "container",
+ "code"
+ ],
+ "meta:enum": {
+ "architecture": "System architecture diagram",
+ "dataFlow": "Data flow diagram (DFD)",
+ "sequence": "Sequence or interaction diagram",
+ "state": "State machine diagram",
+ "deployment": "Deployment or infrastructure diagram",
+ "network": "Network topology diagram",
+ "process": "Business process diagram",
+ "useCase": "Use case diagram",
+ "component": "Component diagram",
+ "class": "Class or object diagram",
+ "entity": "Entity relationship diagram",
+ "activity": "Activity or workflow diagram",
+ "collaboration": "Collaboration diagram",
+ "context": "Context diagram",
+ "container": "Container diagram (C4)",
+ "code": "Code structure diagram"
+ }
+ },
+ "format": {
+ "type": "string",
+ "enum": ["mermaid", "graphviz", "plantuml", "drawio", "svg", "png", "jpeg", "d3", "cytoscape", "visio", "archimate"],
+ "meta:enum": {
+ "mermaid": "Mermaid diagram language",
+ "graphviz": "GraphViz DOT language",
+ "plantuml": "PlantUML diagram language",
+ "drawio": "Draw.io/diagrams.net format",
+ "svg": "Scalable Vector Graphics",
+ "png": "Portable Network Graphics",
+ "jpeg": "JPEG image format",
+ "d3": "D3.js visualization",
+ "cytoscape": "Cytoscape graph 
format",
+ "visio": "Microsoft Visio format",
+ "archimate": "ArchiMate model format"
+ }
+ },
+ "content": {
+ "type": "string",
+ "description": "The diagram content (source code or base64 encoded image)"
+ },
+ "url": {
+ "type": "string",
+ "format": "iri-reference",
+ "description": "URL to the diagram if stored externally"
+ },
+ "level": {
+ "type": "string",
+ "enum": ["overview", "high", "medium", "detailed"],
+ "description": "Level of detail in the visualization"
+ },
+ "perspective": {
+ "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType",
+ "description": "Reference to the perspective this visualization represents"
+ },
+ "elements": {
+ "type": "array",
+ "items": {
+ "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType"
+ },
+ "description": "References to elements shown in this visualization"
+ },
+ "interactive": {
+ "type": "boolean",
+ "description": "Whether the visualization is interactive"
+ },
+ "layers": {
+ "type": "array",
+ "items": {
+ "type": "string"
+ },
+ "description": "Layers or views available in the visualization"
+ },
+ "properties": {
+ "$ref": "cyclonedx-common-2.0.schema.json#/$defs/properties"
+ }
+ }
+ },
+ "assetClassification": {
+ "type": "object",
+ "additionalProperties": false,
+ "properties": {
+ "criticality": {
+ "$ref": "cyclonedx-risk-2.0.schema.json#/$defs/criticality"
+ },
+ "sensitivity": {
+ "$ref": "cyclonedx-data-2.0.schema.json#/$defs/dataSensitivity"
+ },
+ "dataClassification": {
+ "$ref": "#/$defs/dataClassification"
+ },
+ "tier": {
+ "type": "string",
+ "enum": ["tier0", "tier1", "tier2", "tier3", "tier4"],
+ "meta:enum": {
+ "tier0": "Mission critical - highest priority",
+ "tier1": "Business critical - high priority",
+ "tier2": "Business important - medium priority",
+ "tier3": "Business supporting - low priority",
+ "tier4": "Non-critical - minimal priority"
+ }
+ },
+ "categories": {
+ "type": "array",
+ "items": {
+ "type": "string"
+ },
+ "description": "Business or technical 
categories"
+ },
+ "tags": {
+ "type": "array",
+ "items": {
+ "type": "string"
+ },
+ "description": "Tags for classification and search"
+ }
+ }
+ },
+ "dataClassification": {
+ "type": "object",
+ "additionalProperties": false,
+ "properties": {
+ "level": {
+ "type": "string",
+ "enum": [
+ "public",
+ "internal",
+ "confidential",
+ "restricted"
+ ],
+ "description": "Data sensitivity classification",
+ "meta:enum": {
+ "public": "Public information that can be freely shared",
+ "internal": "Internal use only within the organization",
+ "confidential": "Confidential information requiring protection",
+ "restricted": "Highly restricted information with limited access and special protection measures"
+ }
+ },
+ "sensitivity": {
+ "$ref": "cyclonedx-data-2.0.schema.json#/$defs/dataSensitivity"
+ },
+ "dataTypes": {
+ "type": "array",
+ "items": {
+ "type": "string"
+ },
+ "description": "Specific types of data"
+ },
+ "handling": {
+ "type": "string",
+ "description": "Data handling requirements"
+ },
+ "retention": {
+ "type": "string",
+ "description": "Data retention requirements"
+ },
+ "disposal": {
+ "type": "string",
+ "description": "Data disposal requirements"
+ },
+ "regulations": {
+ "type": "array",
+ "items": {
+ "type": "string"
+ },
+ "description": "Applicable regulations"
+ }
+ }
+ },
+ "dataObject": {
+ "type": "object",
+ "required": ["name"],
+ "additionalProperties": false,
+ "properties": {
+ "bom-ref": {
+ "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType",
+ "description": "Unique identifier for this data object"
+ },
+ "name": {
+ "type": "string",
+ "description": "Name of the transported data object"
+ },
+ "description": {
+ "type": "string",
+ "description": "Additional details about the data contents"
+ },
+ "classification": {
+ "$ref": "#/$defs/dataClassification",
+ "description": "Inline classification details for this data object"
+ },
+ "classificationRef": {
+ "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType",
+ 
"description": "Reference to a shared classification definition elsewhere in the model"
+ },
+ "type": {
+ "$ref": "#/$defs/dataObjectType",
+ "description": "Type of data (PII, PHI, PCI, etc.)"
+ },
+ "schema": {
+ "type": "string",
+ "description": "Reference to a schema contract or document describing the data structure"
+ },
+ "format": {
+ "type": "string",
+ "description": "Serialization or encoding format (JSON, HL7, CSV, etc.)"
+ },
+ "attributes": {
+ "type": "array",
+ "items": {
+ "type": "string"
+ },
+ "description": "Key attributes or fields transported"
+ },
+ "properties": {
+ "$ref": "cyclonedx-common-2.0.schema.json#/$defs/properties"
+ }
+ }
+ },
+ "dataObjectType": {
+ "type": "string",
+ "enum": [
+ "pii",
+ "phi",
+ "pci",
+ "financial",
+ "intellectualProperty",
+ "telemetry",
+ "logs",
+ "credentials",
+ "safety",
+ "operational",
+ "custom"
+ ],
+ "description": "Common data object classifications",
+ "meta:enum": {
+ "pii": "Personally identifiable information",
+ "phi": "Protected health information",
+ "pci": "Payment card industry data",
+ "financial": "Financial statements or transaction data",
+ "intellectualProperty": "Intellectual property or trade secrets",
+ "telemetry": "System or product telemetry data",
+ "logs": "Operational or security log data",
+ "credentials": "Secrets, tokens, or credentials",
+ "safety": "Safety critical data or signals",
+ "operational": "Operational or process data",
+ "custom": "Other data types not covered by the enumerated values"
+ }
+ },
+ "ownership": {
+ "type": "object",
+ "additionalProperties": false,
+ "properties": {
+ "owner": {
+ "$ref": "cyclonedx-common-2.0.schema.json#/$defs/organizationalEntityOrContact",
+ "description": "Primary owner of the asset"
+ },
+ "steward": {
+ "$ref": "cyclonedx-common-2.0.schema.json#/$defs/organizationalEntityOrContact",
+ "description": "Steward responsible for the asset"
+ },
+ "custodian": {
+ "$ref": 
"cyclonedx-common-2.0.schema.json#/$defs/organizationalEntityOrContact",
+ "description": "Custodian responsible for protecting the asset"
+ },
+ "users": {
+ "$ref": "cyclonedx-common-2.0.schema.json#/$defs/organizationalEntityOrContact",
+ "description": "Primary users of the asset"
+ }
+ }
+ },
+ "authenticationType": {
+ "type": "string",
+ "enum": [
+ "none",
+ "basic",
+ "bearer",
+ "digest",
+ "certificate",
+ "apiKey",
+ "oauth1",
+ "oauth2",
+ "openIdConnect",
+ "saml",
+ "kerberos",
+ "ntlm",
+ "jwt",
+ "custom"
+ ],
+ "description": "Authentication method",
+ "meta:enum": {
+ "none": "No authentication required",
+ "basic": "Basic authentication (username/password)",
+ "bearer": "Bearer token authentication",
+ "digest": "Digest authentication",
+ "certificate": "Certificate-based authentication",
+ "apiKey": "API key authentication",
+ "oauth1": "OAuth 1.0 authentication",
+ "oauth2": "OAuth 2.0 authentication",
+ "openIdConnect": "OpenID Connect authentication",
+ "saml": "SAML authentication",
+ "kerberos": "Kerberos authentication",
+ "ntlm": "NTLM authentication",
+ "jwt": "JSON Web Token authentication",
+ "custom": "Custom authentication method"
+ }
+ },
+ "authorizationType": {
+ "type": "string",
+ "enum": ["none", "acl", "rbac", "abac", "mac", "dac", "pbac", "cbac", "custom"],
+ "description": "Authorization model",
+ "meta:enum": {
+ "none": "No authorization controls",
+ "acl": "Access Control Lists",
+ "rbac": "Role-Based Access Control",
+ "abac": "Attribute-Based Access Control",
+ "mac": "Mandatory Access Control",
+ "dac": "Discretionary Access Control",
+ "pbac": "Policy-Based Access Control",
+ "cbac": "Claims-Based Access Control",
+ "custom": "Custom authorization model"
+ }
+ },
+ "encryptionType": {
+ "type": "object",
+ "additionalProperties": false,
+ "properties": {
+ "inTransit": {
+ "type": "boolean",
+ "description": "Whether data is encrypted in transit"
+ },
+ "atRest": {
+ "type": "boolean",
+ "description": "Whether data 
is encrypted at rest"
+ },
+ "inProcessing": {
+ "type": "boolean",
+ "description": "Whether data is encrypted during processing"
+ }
+ }
+ },
+ "trustZoneRef": {
+ "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType",
+ "description": "Reference to a zone entry whose type is 'trust'"
+ }
+ }
+}
diff --git a/schema/2.0/model/cyclonedx-common-2.0.schema.json b/schema/2.0/model/cyclonedx-common-2.0.schema.json
index b93946c4..137b629a 100644
--- a/schema/2.0/model/cyclonedx-common-2.0.schema.json
+++ b/schema/2.0/model/cyclonedx-common-2.0.schema.json
@@ -487,6 +487,19 @@
 "pattern": "^\\d{4}-\\d{2}-\\d{2}T\\d{2}:\\d{2}:\\d{2}(\\.\\d+)?Z$",
 "description": "An RFC 3339-compliant UTC timestamp using Zulu time (i.e., ending with 'Z'). The format must be 'YYYY-MM-DDTHH:MM:SSZ' or include optional fractional seconds, e.g., 'YYYY-MM-DDTHH:MM:SS.sssZ'. Offsets such as '+00:00' are not allowed."
 },
+ "ordinalVersion": {
+ "title": "Ordinal Version",
+ "description": "An ordinal version is a dot-delimited, purely numeric identifier where each segment represents an ordered level in the hierarchy. The segments have no prescribed meaning beyond numeric ordering, allowing straightforward comparison and sorting.",
+ "type": "string",
+ "pattern": "^\\d+(\\.\\d+)*$",
+ "examples": [
+ "1",
+ "1.2",
+ "1.2.3",
+ "2025.09.02",
+ "10.4.7.3"
+ ]
+ },
 "lifecycle": {
 "type": "object",
 "title": "Lifecycle",
diff --git a/schema/2.0/model/cyclonedx-data-2.0.schema.json b/schema/2.0/model/cyclonedx-data-2.0.schema.json
index 598f9098..665ed5ed 100644
--- a/schema/2.0/model/cyclonedx-data-2.0.schema.json
+++ b/schema/2.0/model/cyclonedx-data-2.0.schema.json
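Review bot: The `ordinalVersion` pattern `^\\d+(\\.\\d+)*$` accepts leading zeros inside a segment, and the example `2025.09.02` depends on that, yet the description promises "straightforward comparison and sorting" without saying whether `1.09` and `1.9` are the same version or different ones; a consumer comparing segments as integers and one comparing them as strings will disagree. Since the zero-padded example is presumably intended (calendar-style versions), I would keep the pattern and make the rule explicit in the description, e.g. append `Segments are compared as unsigned integers; leading zeros are permitted but not significant, so "1.09" and "1.9" denote the same version.` The pattern also places no bound on segment length, so a sentence stating that consumers should not assume segments fit a fixed-width integer, or a `maxLength`, would close the remaining ambiguity.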
@@ -10,6 +10,18 @@
 "title": "Data Classification",
 "description": "Data classification tags data according to its type, sensitivity, and value if altered, stolen, or destroyed."
 },
+ "dataSensitivity": {
+ "type": "string",
+ "enum": ["public", "internal", "confidential", "restricted", "secret"],
+ "description": "Data sensitivity classification",
+ "meta:enum": {
+ "public": "Public information that can be freely shared",
+ "internal": "Internal use only within the organization",
+ "confidential": "Confidential information requiring protection",
+ "restricted": "Highly restricted information with limited access",
+ "secret": "Secret information requiring special handling"
+ }
+ },
 "dataGovernance": {
 "type": "object",
 "title": "Data Governance",
diff --git a/schema/2.0/model/cyclonedx-requirement-2.0.schema.json b/schema/2.0/model/cyclonedx-requirement-2.0.schema.json
new file mode 100644
index 00000000..bee371df
--- /dev/null
+++ b/schema/2.0/model/cyclonedx-requirement-2.0.schema.json
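Review bot: The new `dataSensitivity` enum (public/internal/confidential/restricted/secret) overlaps with, but does not match, the `dataClassification.level` enum the architecture schema adds in the same commit (public/internal/confidential/restricted, with an identical description "Data sensitivity classification" and near-identical meta:enum text), and that object carries both `level` and a `sensitivity` ref to this definition side by side; two five-vs-four-value scales with the same words invite drift and leave a reader unable to tell which one governs handling decisions. I would either make `level` a `$ref` to this definition, or give each a description that states the distinction, e.g. `"description": "Data sensitivity scale used for governance and handling decisions; the architecture model's dataClassification.level is a coarser view and must map onto these values"`. Separately, in the architecture schema earlier in this commit, `crossingRequirements.authorization` references `#/$defs/accessControlType` while the definition visible in that file is named `authorizationType`; unless `accessControlType` is defined in a part of that file not shown here, that `$ref` does not resolve and every boundary with an `authorization` field would fail validation.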
@@ -0,0 +1,280 @@
+{
+ "$schema": "https://json-schema.org/draft/2020-12/schema",
+ "$id": "https://cyclonedx.org/schema/2.0/model/cyclonedx-requirement-2.0.schema.json",
+ "type": "null",
+ "title": "CycloneDX Engineering Requirement Model",
+ "$comment" : "OWASP CycloneDX is an Ecma International standard (ECMA-424) developed in collaboration between the OWASP Foundation and Ecma Technical Committee 54 (TC54). The standard is published under a royalty-free patent policy. This JSON schema is the reference implementation and is licensed under the Apache License 2.0.",
+ "$defs": {
+ "requirement": {
+ "type": "object",
+ "title": "Requirement",
+ "description": "A requirement represents a specific need, constraint, or capability that must be met.",
+ "additionalProperties": false,
+ "properties": {
+ "bom-ref": {
+ "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType"
+ },
+ "id": {
+ "type": "string",
+ "title": "Identifier",
+ "description": "A unique identifier for the requirement, often used in requirement management systems (e.g., REQ-001)."
+ },
+ "name": {
+ "type": "string",
+ "title": "Name",
+ "description": "A short name or title for the requirement."
+ },
+ "description": {
+ "type": "string",
+ "title": "Description",
+ "description": "A detailed description of the requirement."
+ },
+ "type": {
+ "type": "array",
+ "title": "Requirement Types",
+ "description": "The categories or classifications applicable to the requirement.",
+ "items": {
+ "$ref": "#/$defs/requirementType"
+ },
+ "uniqueItems": true
+ },
+ "priority": {
+ "type": "string",
+ "title": "Priority",
+ "description": "The priority level of the requirement.",
+ "enum": [
+ "critical",
+ "high",
+ "medium",
+ "low"
+ ]
+ },
+ "status": {
+ "$ref": "#/$defs/requirementStatus"
+ },
+ "version": {
+ "type": "string",
+ "title": "Version",
+ "description": "The version of the requirement."
+ },
+ "stakeholders": {
+ "type": "array",
+ "title": "Stakeholders",
+ "description": "The individuals or groups who have an interest in the requirement.",
+ "items": {
+ "type": "string"
+ }
+ },
+ "acceptanceCriteria": {
+ "type": "array",
+ "title": "Acceptance Criteria",
+ "description": "Criteria that must be met for the requirement to be considered satisfied.",
+ "items": {
+ "$ref": "#/$defs/acceptanceCriterion"
+ }
+ },
+ "dependencies": {
+ "type": "array",
+ "title": "Dependencies",
+ "description": "Other requirements that this requirement depends on.",
+ "items": {
+ "$ref": "#/$defs/dependency"
+ }
+ },
+ "parent": {
+ "type": "string",
+ "title": "Parent BOM Reference",
+ "description": "The optional `bom-ref` to a parent requirement. This establishes a hierarchy of requirements."
+ },
+ "rationale": {
+ "type": "string",
+ "title": "Rationale",
+ "description": "The reasoning or justification for the requirement."
+ },
+ "fitCriterion": {
+ "type": "string",
+ "title": "Fit Criterion",
+ "description": "A measurable test that the solution must pass to be acceptable to the stakeholders."
+ },
+ "effort": {
+ "type": "string",
+ "title": "Effort Estimation",
+ "description": "An estimation of the effort required to implement the requirement."
+ },
+ "risk": {
+ "type": "string",
+ "title": "Risk",
+ "description": "The risk level associated with implementing or not implementing the requirement.",
+ "enum": [
+ "critical",
+ "high",
+ "medium",
+ "low"
+ ]
+ },
+ "attachments": {
+ "type": "array",
+ "title": "Attachments",
+ "description": "Files or documents attached to the requirement.",
+ "items": {
+ "$ref": "cyclonedx-common-2.0.schema.json#/$defs/attachment"
+ }
+ },
+ "properties": {
+ "type": "array",
+ "title": "Properties",
+ "description": "Provides the ability to document properties in a name-value store. 
This provides flexibility to include data not officially supported in the standard.",
+ "items": {
+ "$ref": "cyclonedx-common-2.0.schema.json#/$defs/property"
+ }
+ },
+ "externalReferences": {
+ "type": "array",
+ "title": "External References",
+ "description": "External references provide a way to document systems, sites, and information that may be relevant to the requirement.",
+ "items": {
+ "$ref": "cyclonedx-common-2.0.schema.json#/$defs/externalReference"
+ }
+ }
+ }
+ },
+ "requirementType": {
+ "type": "string",
+ "title": "Requirement Type",
+ "description": "The category or classification applicable to the requirement.",
+ "enum": [
+ "accessibility",
+ "auditability",
+ "availability",
+ "business",
+ "compatibility",
+ "compliance",
+ "deployment",
+ "functional",
+ "interoperability",
+ "localization",
+ "maintainability",
+ "non-functional",
+ "other",
+ "performance",
+ "portability",
+ "privacy",
+ "regulatory",
+ "reliability",
+ "scalability",
+ "security",
+ "system",
+ "testability",
+ "usability",
+ "user"
+ ],
+ "meta:enum": {
+ "accessibility": "Requirements ensuring inclusive access for people with disabilities or impairments.",
+ "auditability": "Requirements defining the capability of a system to record activities for review and compliance purposes.",
+ "availability": "Requirements describing the uptime and operational availability of systems or services.",
+ "business": "Requirements derived from organizational goals, strategies, or business processes.",
+ "compatibility": "Requirements ensuring the software or system functions correctly with other systems or legacy components.",
+ "compliance": "Requirements ensuring adherence to internal policies, industry standards, or external agreements beyond regulatory mandates.",
+ "deployment": "Requirements related to deploying, configuring, and operating the system in production environments.",
+ "functional": "Requirements specifying the fundamental behaviors and capabilities of the 
system or application.",
+ "interoperability": "Requirements addressing the ability of the system to interact seamlessly with external systems or products.",
+ "localization": "Requirements specifying adaptations for specific languages, cultures, or regional needs.",
+ "maintainability": "Requirements aimed at ensuring the ease of performing maintenance, enhancements, or repairs.",
+ "non-functional": "Requirements that define constraints or qualities such as performance, usability, reliability, etc., rather than specific functionality.",
+ "other": "Requirements that do not clearly fit into other specified categories.",
+ "performance": "Requirements specifying response times, throughput, or other efficiency-related aspects.",
+ "portability": "Requirements enabling the system or components to be transferred easily across various environments or platforms.",
+ "privacy": "Requirements specifically addressing the handling and protection of personal and sensitive data.",
+ "regulatory": "Requirements necessary for legal compliance, dictated by laws, regulations, or standards.",
+ "reliability": "Requirements ensuring the system consistently performs under specified conditions and duration.",
+ "scalability": "Requirements focused on the ability of the system to grow and manage increased demand effectively.",
+ "security": "Requirements intended to protect systems, data, and users from malicious actions or threats.",
+ "system": "Technical requirements defining infrastructure, architecture, or underlying technologies.",
+ "testability": "Requirements ensuring the system can be effectively validated and tested.",
+ "usability": "Requirements addressing the ease of use, intuitiveness, and overall user experience.",
+ "user": "Requirements captured directly from user needs, tasks, and expectations."
+ }
+ },
+ "requirementStatus": {
+ "type": "string",
+ "title": "Status",
+ "description": "The current status of the requirement in the development lifecycle.",
+ "enum": [
+ "draft",
+ "proposed",
+ "approved",
+ "implemented",
+ "verified",
+ "deferred",
+ "rejected",
+ "replaced",
+ "obsolete"
+ ]
+ },
+ "acceptanceCriterion": {
+ "type": "object",
+ "title": "Acceptance Criterion",
+ "description": "A specific condition that must be met for the requirement to be considered satisfied.",
+ "additionalProperties": false,
+ "properties": {
+ "id": {
+ "type": "string",
+ "title": "Identifier",
+ "description": "A unique identifier for the acceptance criterion."
+ },
+ "description": {
+ "type": "string",
+ "title": "Description",
+ "description": "A description of the acceptance criterion."
+ },
+ "status": {
+ "type": "string",
+ "title": "Status",
+ "description": "The current status of the acceptance criterion.",
+ "enum": [
+ "pending",
+ "passed",
+ "failed"
+ ]
+ }
+ }
+ },
+ "dependency": {
+ "type": "object",
+ "title": "Dependency",
+ "description": "A dependency on another requirement.",
+ "additionalProperties": false,
+ "properties": {
+ "ref": {
+ "oneOf": [
+ {
+ "title": "Ref",
+ "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refLinkType"
+ },
+ {
+ "title": "BOM-Link Element",
+ "$ref": "cyclonedx-common-2.0.schema.json#/$defs/bomLinkElementType"
+ }
+ ]
+ },
+ "type": {
+ "type": "string",
+ "title": "Dependency Type",
+ "description": "The type of dependency relationship.",
+ "enum": [
+ "requires",
+ "conflicts-with",
+ "enhances",
+ "implements",
+ "other"
+ ]
+ },
+ "description": {
+ "type": "string",
+ "title": "Description",
+ "description": "A description of the dependency relationship."
+ }
+ }
+ }
+ }
+}
diff --git a/schema/2.0/model/cyclonedx-risk-2.0.schema.json b/schema/2.0/model/cyclonedx-risk-2.0.schema.json
new file mode 100644
index 00000000..a2bd70b0
--- /dev/null
+++ b/schema/2.0/model/cyclonedx-risk-2.0.schema.json
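Review bot: `requirement.parent` is declared as a bare `"type": "string"` even though its title and description say it is a `bom-ref`, while `bom-ref` two dozen lines above is validated through `cyclonedx-common-2.0.schema.json#/$defs/refType`; a parent link that escapes the refType rules can point at anything and cannot be checked for resolvability the way every other reference in this commit can. Replace the type line with `"$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType",` and keep the title and description. In the same file, the `dependency` object has no `required` list, so `{}` is a valid dependency with no `ref`; `"required": ["ref"]` would match the intent stated in its description. Two smaller consistency points: `requirement.version` is a free-form string although this commit introduces `ordinalVersion` in the common schema (if ordering of requirement versions is intended, `$ref` it; if not, a word in the description saying the value is opaque would settle it), and `requirement.properties` inlines an array of `#/$defs/property` where the other schemas in this commit reference `#/$defs/properties` directly.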
@@ -0,0 +1,820 @@ +{ + "$schema": "https://json-schema.org/draft/2020-12/schema", + "$id": "https://cyclonedx.org/schema/2.0/model/cyclonedx-risk-2.0.schema.json", + "type": "null", + "title": "CycloneDX Risk Model", + "$comment" : "OWASP CycloneDX is an Ecma International standard (ECMA-424) developed in collaboration between the OWASP Foundation and Ecma Technical Committee 54 (TC54). The standard is published under a royalty-free patent policy. This JSON schema is the reference implementation and is licensed under the Apache License 2.0.", + "properties": { + "bom-ref": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType", + "description": "An optional identifier which can be used to reference the risk assessment elsewhere in the BOM" + }, + "domains": { + "type": "array", + "description": "Risk domains covered by this assessment", + "items": { + "$ref": "#/$defs/riskDomain" + } + }, + "scenarios": { + "type": "array", + "items": { + "$ref": "#/$defs/scenario" + }, + "description": "Risk scenarios identified" + }, + "risks": { + "type": "array", + "items": { + "$ref": "#/$defs/risk" + }, + "description": "Documented risks derived from scenarios" + }, + "mitigations": { + "type": "array", + "items": { + "$ref": "#/$defs/mitigation" + }, + "description": "Controls, countermeasures, or mitigations to address identified risks" + }, + "assessments": { + "type": "array", + "items": { + "$ref": "#/$defs/assessment" + }, + "description": "Risk assessments and evaluations" + }, + "properties": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/properties" + } + }, + "$defs": { + "riskDomain": { + "type": "object", + "required": ["type"], + "additionalProperties": false, + "properties": { + "type": { + "type": "string", + "enum": [ + "security", + "privacy", + "operational", + "financial", + "compliance", + "strategic", + "reputational", + "safety", + "environmental", + "supply_chain", + "technical", + "project" + ], + "meta:enum": { + "security": "Information 
security and cybersecurity risks", + "privacy": "Data protection and privacy risks", + "operational": "Business operations and continuity risks", + "financial": "Financial loss and economic impact risks", + "compliance": "Regulatory and legal compliance risks", + "strategic": "Strategic business and market risks", + "reputational": "Brand and reputation damage risks", + "safety": "Human safety and physical security risks", + "environmental": "Environmental impact and sustainability risks", + "supply_chain": "Supply chain and third-party risks", + "technical": "Technical and technology risks", + "project": "Project delivery and execution risks" + } + }, + "priority": { + "$ref": "#/$defs/priority" + }, + "description": { + "type": "string", + "description": "Additional context for this risk domain" + } + } + }, + "riskAttribute": { + "type": "string", + "description": "A classification of security and privacy attributes that represent potential impact areas when a risk is realized", + "enum": [ + "accountability", + "authentication", + "authorization", + "authenticity", + "availability", + "compliance", + "confidentiality", + "connectivity", + "control", + "data_subject_rights", + "integrity", + "minimisation", + "non-repudiation", + "possession", + "privacy", + "purpose_limitation", + "transparency", + "utility" + ], + "meta:enum": { + "accountability": "Assigning responsibility for actions and decisions to individuals or entities", + "authentication": "Verifying the identity of users, devices, or systems before granting access", + "authorization": "Granting permissions based on identity and roles to perform specific actions or access resources", + "authenticity": "Ensuring that data, communications, or entities are genuine and can be verified", + "availability": "Ensuring systems, data, and services are accessible and operational when needed", + "compliance": "Adherence to applicable laws, regulations, policies, and standards", + "confidentiality": "Preventing 
unauthorised access to or disclosure of information", + "connectivity": "Maintaining secure and reliable communication between systems or components", + "control": "Enabling individuals to manage how their personal data is used and shared", + "data_subject_rights": "Guaranteeing individuals' rights to access, correct, delete, or restrict their personal data", + "integrity": "Ensuring information is accurate, complete, and unaltered by unauthorised actors", + "minimisation": "Limiting data collection and retention to what is strictly necessary for the intended purpose", + "non-repudiation": "Providing proof of origin and delivery to prevent denial of actions or communications", + "possession": "Ensuring control or custody over data or assets, regardless of ownership", + "privacy": "Protecting individuals' personal information in accordance with legal and ethical standards", + "purpose_limitation": "Ensuring that personal data is only used for the purpose explicitly specified at collection", + "transparency": "Ensuring individuals are informed about data practices, including collection, use, and sharing", + "utility": "Ensuring data is usable and in a format suitable for the intended purpose" + } + }, + "scenario": { + "type": "object", + "required": ["bom-ref", "name", "type"], + "additionalProperties": false, + "properties": { + "bom-ref": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType" + }, + "name": { + "type": "string", + "description": "Name of the risk scenario" + }, + "description": { + "type": "string", + "description": "Detailed description of the scenario" + }, + "type": { + "type": "string", + "enum": ["threat", "vulnerability", "weakness", "risk", "incident", "opportunity", "hazard"], + "meta:enum": { + "threat": "Threat scenario", + "vulnerability": "Exploitable vulnerability", + "weakness": "System or design weakness", + "risk": "General risk scenario", + "incident": "Potential incident scenario", + "opportunity": "Positive risk 
(opportunity)", + "hazard": "Safety hazard scenario" + } + }, + "domain": { + "$ref": "#/$defs/riskDomain" + }, + "likelihood": { + "$ref": "#/$defs/likelihood" + }, + "impact": { + "$ref": "#/$defs/impact" + }, + "riskScore": { + "$ref": "#/$defs/riskScore" + }, + "riskAttributes": { + "type": "array", + "items": { + "$ref": "#/$defs/riskAttribute" + }, + "description": "Risk attributes affected by this scenario" + }, + "affectedAssets": { + "type": "array", + "items": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType" + }, + "description": "References to affected assets" + }, + "mitigations": { + "type": "array", + "items": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType" + }, + "description": "References to mitigations that address this scenario" + }, + "externalReferences": { + "type": "array", + "items": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/externalReference" + } + }, + "compliance": { + "type": "array", + "items": { + "type": "object", + "required": ["framework", "controlId"], + "additionalProperties": false, + "properties": { + "framework": { + "type": "string", + "description": "Name of the compliance program or framework" + }, + "controlId": { + "type": "string", + "description": "Identifier of the control within the framework" + }, + "reference": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/externalReference", + "description": "Link or citation to the requirement or control documentation" + }, + "description": { + "type": "string", + "description": "Optional notes describing the mapping" + } + } + }, + "description": "Compliance frameworks and control references this mitigation supports" + }, + "properties": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/properties" + } + } + }, + "risk": { + "type": "object", + "required": ["bom-ref", "name", "statement"], + "additionalProperties": false, + "properties": { + "bom-ref": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType" + }, + "name": { + 
"type": "string", + "description": "Name or identifier for the risk" + }, + "statement": { + "type": "string", + "description": "Structured risk statement describing source, event, and impact" + }, + "description": { + "type": "string", + "description": "Additional narrative about the risk" + }, + "domains": { + "type": "array", + "items": { + "$ref": "#/$defs/riskDomain" + }, + "description": "Risk domains impacted" + }, + "scenarios": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType" + }, + "description": "References to scenarios this risk addresses" + }, + "likelihood": { + "$ref": "#/$defs/likelihood" + }, + "impact": { + "$ref": "#/$defs/impact" + }, + "riskScore": { + "$ref": "#/$defs/riskScore" + }, + "riskAttributes": { + "type": "array", + "items": { + "$ref": "#/$defs/riskAttribute" + } + }, + "responses": { + "type": "array", + "items": { + "$ref": "#/$defs/riskResponse" + }, + "description": "Risk responses or mitigation plans applied to this risk" + }, + "relatedThreats": { + "type": "array", + "items": { + "$ref": "cyclonedx-threat-2.0.schema.json#/$defs/threatScenario" + }, + "description": "Related threat scenarios informing this risk" + }, + "status": { + "type": "string", + "enum": ["identified", "assessed", "mitigated", "accepted", "transferred", "retired"], + "meta:enum": { + "identified": "Risk has been identified but not yet evaluated", + "assessed": "Risk has been assessed and prioritized", + "mitigated": "Mitigations are in place reducing this risk", + "accepted": "Risk has been formally accepted", + "transferred": "Risk has been transferred to another party", + "retired": "Risk no longer applies" + } + }, + "owner": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/organizationalEntityOrContact", + "description": "Owner or accountable party for this risk" + }, + "properties": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/properties" + } + } + }, + "likelihood": { + 
"type": "object", + "required": ["level"], + "additionalProperties": false, + "properties": { + "level": { + "type": "string", + "enum": ["veryLow", "low", "medium", "high", "veryHigh", "certain"], + "description": "Likelihood level", + "meta:enum": { + "rare": "Very unlikely to occur (< 10%)", + "unlikely": "Unlikely to occur (10-30%)", + "possible": "Possible to occur (30-60%)", + "likely": "Likely to occur (60-90%)", + "almostCertain": "Very likely to occur (> 90%)" + } + }, + "score": { + "type": "number", + "minimum": 0, + "maximum": 5, + "description": "Numeric likelihood score" + }, + "probability": { + "type": "number", + "minimum": 0, + "maximum": 1, + "description": "Probability as a decimal (0-1)" + }, + "factors": { + "type": "array", + "items": { + "$ref": "#/$defs/likelihoodFactor" + }, + "description": "Factors considered when determining the likelihood level" + }, + "rationale": { + "type": "string", + "description": "Justification for the likelihood rating" + } + } + }, + "impact": { + "type": "object", + "required": ["level"], + "additionalProperties": false, + "properties": { + "level": { + "type": "string", + "enum": ["negligible", "low", "moderate", "major", "catastrophic"], + "description": "Impact severity level", + "meta:enum": { + "negligible": "Minimal impact with no significant consequences", + "low": "Minor impact with limited consequences", + "moderate": "Moderate impact affecting some operations", + "major": "Significant impact with serious consequences", + "catastrophic": "Catastrophic impact with existential consequences" + } + }, + "score": { + "type": "number", + "minimum": 0, + "maximum": 10, + "description": "Numeric impact score" + }, + "categories": { + "type": "array", + "items": { + "type": "string", + "enum": [ + "confidentiality", + "integrity", + "availability", + "financial", + "reputation", + "regulatory", + "safety", + "privacy", + "operational", + "strategic" + ], + "meta:enum": { + "confidentiality": "Impact on data 
confidentiality", + "integrity": "Impact on data or system integrity", + "availability": "Impact on service availability", + "financial": "Financial loss or impact", + "reputation": "Reputational damage", + "regulatory": "Regulatory compliance impact", + "safety": "Human safety impact", + "privacy": "Privacy violation impact", + "operational": "Operational disruption", + "strategic": "Strategic business impact" + } + }, + "description": "Categories of impact" + }, + "riskAttributes": { + "type": "array", + "items": { + "$ref": "#/$defs/riskAttribute" + }, + "description": "Risk attributes affected" + }, + "quantification": { + "$ref": "#/$defs/impactQuantification" + }, + "description": { + "type": "string", + "description": "Description of the potential impact" + } + } + }, + "impactQuantification": { + "type": "object", + "additionalProperties": false, + "properties": { + "financialLoss": { + "type": "number", + "description": "Estimated financial loss in currency units" + }, + "currency": { + "type": "string", + "pattern": "^[A-Z]{3}$", + "description": "ISO 4217 currency code" + }, + "affectedUsers": { + "type": "integer", + "description": "Number of affected users" + }, + "downtime": { + "type": "string", + "pattern": "^P(?!$)(\\d+Y)?(\\d+M)?(\\d+W)?(\\d+D)?(T(\\d+H)?(\\d+M)?(\\d+(\\.\\d+)?S)?)?$", + "description": "Expected downtime as ISO 8601 duration" + }, + "dataRecords": { + "type": "integer", + "description": "Number of data records affected" + }, + "recovery": { + "type": "string", + "pattern": "^P(?!$)(\\d+Y)?(\\d+M)?(\\d+W)?(\\d+D)?(T(\\d+H)?(\\d+M)?(\\d+(\\.\\d+)?S)?)?$", + "description": "Recovery time as ISO 8601 duration" + } + } + }, + "riskScore": { + "type": "object", + "required": ["level"], + "additionalProperties": false, + "properties": { + "level": { + "type": "string", + "enum": ["info", "low", "medium", "high", "critical"], + "description": "Overall risk level", + "meta:enum": { + "info": "Informational - no immediate action required", 
+ "low": "Low risk - monitor and address in normal cycle", + "medium": "Medium risk - plan mitigation activities", + "high": "High risk - prioritize mitigation efforts", + "critical": "Critical risk - immediate action required" + } + }, + "score": { + "type": "number", + "minimum": 1, + "description": "Numeric risk score" + }, + "vector": { + "type": "string", + "description": "Risk scoring vector (e.g., L:H/I:M)" + }, + "methodology": { + "type": "string", + "description": "Risk scoring methodology used" + } + } + }, + "riskResponse": { + "type": "object", + "required": ["bom-ref", "mitigations", "mitigationPlan"], + "additionalProperties": false, + "properties": { + "bom-ref": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType" + }, + "mitigations": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#/$defs/mitigation" + }, + "description": "Mitigations applied to this risk response" + }, + "mitigationPlan": { + "$ref": "#/$defs/mitigationPlan" + } + } + }, + "mitigation": { + "type": "object", + "required": ["bom-ref", "reference"], + "additionalProperties": false, + "properties": { + "bom-ref": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType", + "description": "Unique identifier for this mitigation entry so it can be referenced by a plan" + }, + "reference": { + "description": "Reference to a mitigation/control implementing the response.", + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType" + }, + "strategy": { + "type": "string", + "enum": ["prevent", "detect", "respond", "recover"], + "meta:enum": { + "prevent": "Prevents the risk from occurring", + "detect": "Detects when the risk occurs", + "respond": "Responds to the risk when detected", + "recover": "Recovers from the impact" + } + }, + "type": { + "type": "string", + "enum": [ + "control", + "countermeasure", + "procedure", + "removal" + ], + "meta:enum": { + "control": "Protective, preventive or detective control", + "countermeasure": "Reactive measure to 
counter risks", + "procedure": "Documented procedure", + "removal": "Removing a risky component or asset" + } + }, + "status": { + "type": "string", + "enum": ["proposed", "approved", "planned", "inProgress", "implemented", "verified"], + "meta:enum": { + "proposed": "Mitigation has been proposed", + "approved": "Mitigation has been approved", + "planned": "Implementation is planned", + "inProgress": "Implementation is in progress", + "implemented": "Mitigation has been implemented", + "verified": "Effectiveness has been verified" + } + }, + "priority": { + "$ref": "#/$defs/priority" + }, + "effectiveness": { + "$ref": "#/$defs/effectiveness" + }, + "cost": { + "type": "string", + "enum": ["trivial", "low", "medium", "high", "extreme"], + "meta:enum": { + "trivial": "Minimal cost and effort", + "low": "Low cost and effort", + "medium": "Moderate cost and effort", + "high": "High cost and significant effort", + "extreme": "Extreme cost and major effort" + } + }, + "addresses": { + "type": "array", + "items": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType" + }, + "description": "References to scenarios this plan addresses" + }, + "implementedBy": { + "type": "array", + "items": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType" + }, + "description": "References to assets that implement this plan" + }, + "externalReferences": { + "type": "array", + "items": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/externalReference" + } + }, + "properties": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/properties" + } + } + }, + "mitigationPlan": { + "type": "object", + "required": ["name", "type", "status", "mitigations"], + "additionalProperties": false, + "properties": { + "name": { + "type": "string", + "description": "Name of the mitigation plan" + }, + "description": { + "type": "string", + "description": "Description of what the plan covers" + }, + "type": { + "type": "string", + "enum": [ + "avoid", + "reduce", + "transfer", + 
"accept", + "control", + "countermeasure", + "safeguard", + "practice", + "procedure" + ], + "meta:enum": { + "avoid": "Avoid the risk entirely", + "reduce": "Reduce likelihood or impact", + "transfer": "Transfer risk to another party", + "accept": "Accept the risk", + "control": "Protective, preventive or detective control", + "countermeasure": "Reactive measure to counter risks", + "safeguard": "Safeguards mitigating adverse events", + "practice": "Operational or governance practice", + "procedure": "Documented procedure" + } + }, + "status": { + "type": "string", + "enum": ["proposed", "approved", "planned", "inProgress", "implemented", "verified"], + "meta:enum": { + "proposed": "Mitigation has been proposed", + "approved": "Mitigation has been approved", + "planned": "Implementation is planned", + "inProgress": "Implementation is in progress", + "implemented": "Mitigation has been implemented", + "verified": "Effectiveness has been verified" + } + }, + "externalReferences": { + "type": "array", + "items": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/externalReference" + } + }, + "properties": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/properties" + }, + "mitigations": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType" + }, + "description": "List of mitigation bom-refs chosen for this plan" + } + } + }, + "effectiveness": { + "type": "object", + "additionalProperties": false, + "properties": { + "percentage": { + "type": "number", + "minimum": 0, + "maximum": 1, + "description": "Effectiveness as decimal" + }, + "rating": { + "type": "string", + "enum": ["ineffective", "marginal", "adequate", "good", "excellent"], + "meta:enum": { + "ineffective": "Does not meaningfully reduce risk", + "marginal": "Slightly reduces risk", + "adequate": "Adequately reduces risk", + "good": "Significantly reduces risk", + "excellent": "Nearly eliminates risk" + } + } + } + }, + "assessment": { + "type": 
"object", + "required": ["bom-ref", "type", "timestamp"], + "additionalProperties": false, + "properties": { + "bom-ref": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType" + }, + "type": { + "type": "string", + "enum": ["initial", "periodic", "continuous", "triggered"], + "meta:enum": { + "initial": "Initial risk assessment", + "periodic": "Scheduled periodic assessment", + "continuous": "Continuous monitoring assessment", + "triggered": "Event-triggered assessment" + } + }, + "timestamp": { + "type": "string", + "format": "date-time", + "description": "When the assessment was performed" + }, + "assessor": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/organizationalEntityOrContact", + "description": "Who performed the assessment" + }, + "summary": { + "type": "string", + "description": "Executive summary of the assessment" + }, + "risks": { + "type": "array", + "items": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType" + }, + "description": "References to risk entries evaluated in this assessment" + }, + "overallRisk": { + "type": "object", + "required": ["method", "score"], + "additionalProperties": false, + "properties": { + "method": { + "type": "string", + "enum": ["sum", "average", "custom"], + "description": "Aggregation method used to derive the overall risk" + }, + "score": { + "$ref": "#/$defs/riskScore" + }, + "description": { + "type": "string", + "description": "Optional explanation for custom aggregation approaches" + } + }, + "description": "Aggregated risk result for this assessment" + }, + "recommendations": { + "type": "array", + "items": { + "type": "string" + }, + "description": "Recommendations from the assessment" + }, + "nextReview": { + "type": "string", + "format": "date-time", + "description": "When the next review should occur" + }, + "properties": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/properties" + } + } + }, + "priority": { + "type": "string", + "enum": ["none", "low", "medium", "high", 
"critical"],
+ "description": "Priority level",
+ "meta:enum": {
+ "none": "No priority assigned",
+ "low": "Low priority - address when convenient",
+ "medium": "Medium priority - address in normal cycle",
+ "high": "High priority - address soon",
+ "critical": "Critical priority - address immediately"
+ }
+ },
+ "severity": {
+ "type": "string",
+ "enum": ["info", "low", "medium", "high", "critical"],
+ "description": "Severity level",
+ "meta:enum": {
+ "info": "Informational finding",
+ "low": "Low severity issue",
+ "medium": "Medium severity issue",
+ "high": "High severity issue",
+ "critical": "Critical severity issue"
+ }
+ },
+ "criticality": {
+ "type": "string",
+ "enum": ["minimal", "low", "moderate", "high", "critical"],
+ "description": "Business criticality level",
+ "meta:enum": {
+ "minimal": "Minimal impact on business operations",
+ "low": "Low impact with minor inconvenience",
+ "moderate": "Moderate impact affecting some operations",
+ "high": "High impact affecting critical operations",
+ "critical": "Critical impact with severe business consequences"
+ }
+ }
+ }
+}
diff --git a/schema/2.0/model/cyclonedx-threat-2.0.schema.json b/schema/2.0/model/cyclonedx-threat-2.0.schema.json
new file mode 100644
index 00000000..4bf44932
--- /dev/null
+++ b/schema/2.0/model/cyclonedx-threat-2.0.schema.json
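Review bot: In `likelihood.level` of the new risk schema the `enum` accepts `veryLow`, `low`, `medium`, `high`, `veryHigh`, `certain`, but the adjacent `meta:enum` documents `rare`, `unlikely`, `possible`, `likely`, `almostCertain`, so the five descriptions with their probability bands never apply to a value a validator accepts and the six accepted values carry no description at all; the block below aligns `meta:enum` to the enum (the `certain` text is a suggested wording), and if the `meta:enum` vocabulary is the intended one then the `enum` is what should change instead. The same hunk has copy-paste wording in descriptions: `scenario.compliance` reads "this mitigation supports" and `mitigation.addresses` / `mitigation.implementedBy` say "this plan", so `"description": "Compliance frameworks and control references this scenario maps to"` and `"description": "References to scenarios this mitigation addresses"` would read correctly. Enum spelling is mixed within one schema — `riskAttribute` has `non-repudiation` beside `data_subject_rights` and `purpose_limitation`, and `riskDomain.type` uses `supply_chain` while the threat schema's values are kebab-case — which is worth settling before 2.0 freezes the vocabulary. Lastly, `riskScore.score` has `minimum: 1` with no `maximum`, unlike the bounded `likelihood.score` (0-5) and `impact.score` (0-10); if the range is methodology-dependent, a description saying so would avoid consumers assuming a shared scale.
```json
"level": {
  "type": "string",
  "enum": ["veryLow", "low", "medium", "high", "veryHigh", "certain"],
  "description": "Likelihood level",
  "meta:enum": {
    "veryLow": "Very unlikely to occur (< 10%)",
    "low": "Unlikely to occur (10-30%)",
    "medium": "Possible to occur (30-60%)",
    "high": "Likely to occur (60-90%)",
    "veryHigh": "Very likely to occur (> 90%)",
    "certain": "Certain to occur (100%)"
  }
},
```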
@@ -0,0 +1,804 @@ +{ + "$schema": "https://json-schema.org/draft/2020-12/schema", + "$id": "https://cyclonedx.org/schema/2.0/model/cyclonedx-threat-2.0.schema.json", + "type": "null", + "title": "CycloneDX Threat Model", + "$comment" : "OWASP CycloneDX is an Ecma International standard (ECMA-424) developed in collaboration between the OWASP Foundation and Ecma Technical Committee 54 (TC54). The standard is published under a royalty-free patent policy. This JSON schema is the reference implementation and is licensed under the Apache License 2.0.", + "$defs": { + "threatScenario": { + "type": "object", + "allOf": [ + { + "$ref": "cyclonedx-risk-2.0.schema.json#/$defs/scenario" + }, + { + "properties": { + "threatCategory": { + "type": "string", + "description": "Threat category based on methodology (e.g., STRIDE category)" + }, + "threatActor": { + "$ref": "#/$defs/threatActorProfile" + }, + "attackVector": { + "$ref": "#/$defs/attackVector" + }, + "attackPattern": { + "$ref": "#/$defs/attackPatternReference" + }, + "abuseCases": { + "type": "array", + "items": { + "$ref": "#/$defs/abuseCase" + }, + "description": "Abuse or misuse cases that illustrate how this threat can be exercised" + }, + "weakness": { + "$ref": "#/$defs/weaknessReference" + }, + "exploitability": { + "$ref": "#/$defs/exploitability" + }, + "indicators": { + "$ref": "#/$defs/indicators" + }, + "killChainPhase": { + "type": "string", + "enum": [ + "reconnaissance", + "weaponization", + "delivery", + "exploitation", + "installation", + "command-and-control", + "actions-on-objectives" + ], + "meta:enum": { + "reconnaissance": "Gathering information about the target", + "weaponization": "Creating malicious payloads", + "delivery": "Transmitting weapon to target", + "exploitation": "Exploiting vulnerabilities", + "installation": "Installing malware or backdoors", + "command-and-control": "Establishing C2 channel", + "actions-on-objectives": "Achieving attack goals" + } + }, + "technicalImpact": { + 
"type": "array", + "items": { + "type": "string", + "enum": [ + "unauthorized-access", + "data-breach", + "data-corruption", + "service-disruption", + "privilege-escalation", + "code-execution", + "information-disclosure", + "denial-of-service" + ] + } + } + } + } + ] + }, + "threatActor": { + "type": "object", + "required": ["bom-ref", "name", "type"], + "additionalProperties": false, + "properties": { + "bom-ref": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType" + }, + "name": { + "type": "string", + "description": "Name or identifier of the threat actor" + }, + "description": { + "type": "string", + "description": "Description of the threat actor" + }, + "type": { + "type": "string", + "enum": ["individual", "group", "organization", "nation-state", "unknown"], + "meta:enum": { + "individual": "Individual threat actor", + "group": "Organized group or collective", + "organization": "Corporate or criminal organization", + "nation-state": "Nation-state sponsored actor", + "unknown": "Unknown threat actor type" + } + }, + "aliases": { + "type": "array", + "items": { + "type": "string" + }, + "description": "Known aliases or alternative names" + }, + "profile": { + "$ref": "#/$defs/threatActorProfile" + }, + "observedTTPs": { + "type": "array", + "items": { + "$ref": "#/$defs/ttp" + }, + "description": "Observed tactics, techniques, and procedures" + }, + "attributedAttacks": { + "type": "array", + "items": { + "type": "string" + }, + "description": "Attacks attributed to this actor" + }, + "targeting": { + "$ref": "#/$defs/targeting" + }, + "externalReferences": { + "type": "array", + "items": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/externalReference" + } + } + } + }, + "threatActorProfile": { + "type": "object", + "additionalProperties": false, + "properties": { + "sophistication": { + "type": "string", + "enum": ["none", "minimal", "intermediate", "advanced", "expert"], + "meta:enum": { + "none": "No technical sophistication", + "minimal": 
"Script kiddie level", + "intermediate": "Intermediate technical skills", + "advanced": "Advanced persistent threat", + "expert": "Nation-state level capabilities" + } + }, + "motivation": { + "type": "array", + "items": { + "type": "string", + "enum": [ + "financial", + "political", + "personal", + "ideological", + "espionage", + "destruction", + "disruption", + "reputation", + "curiosity", + "competitive", + "revenge", + "activism" + ] + }, + "description": "Primary motivations" + }, + "intent": { + "type": "string", + "enum": ["accidental", "opportunistic", "targeted", "persistent"], + "description": "Intent level" + }, + "resources": { + "type": "string", + "enum": ["minimal", "limited", "moderate", "substantial", "unlimited"], + "description": "Resource availability" + }, + "accessLevel": { + "type": "string", + "enum": ["none", "external", "internal", "privileged", "physical"], + "description": "Level of access to target systems" + }, + "skillSet": { + "type": "array", + "items": { + "type": "string" + }, + "description": "Specific skills possessed" + } + } + }, + "attackVector": { + "type": "object", + "additionalProperties": false, + "properties": { + "type": { + "type": "string", + "enum": ["network", "adjacent", "local", "physical"], + "meta:enum": { + "network": "Remotely exploitable via network", + "adjacent": "Exploitable from adjacent network", + "local": "Requires local access", + "physical": "Requires physical access" + } + }, + "complexity": { + "type": "string", + "enum": [ + "low", + "high" + ], + "description": "Attack complexity" + }, + "privileges": { + "type": "string", + "enum": ["none", "low", "high"], + "description": "Privileges required" + }, + "userInteraction": { + "type": "string", + "enum": ["none", "required"], + "description": "User interaction requirement" + }, + "scope": { + "type": "string", + "enum": ["unchanged", "changed"], + "description": "Scope impact" + } + } + }, + "abuseCase": { + "type": "object", + "required": 
["bom-ref", "name"], + "additionalProperties": false, + "properties": { + "bom-ref": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType" + }, + "name": { + "type": "string", + "description": "Name of the abuse case" + }, + "description": { + "type": "string", + "description": "Narrative describing how the system can be misused or abused" + }, + "abuser": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType", + "description": "Reference (bom-ref) to a threat actor involved in the abuse case" + }, + "targets": { + "type": "array", + "items": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType" + }, + "description": "References (bom-refs) to assets or flows targeted in this abuse case" + }, + "steps": { + "type": "array", + "items": { + "type": "string" + }, + "description": "Ordered steps the abuser follows" + } + } + }, + "attackPattern": { + "type": "object", + "required": ["bom-ref", "name"], + "additionalProperties": false, + "properties": { + "bom-ref": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType" + }, + "capecId": { + "type": "integer", + "description": "CAPEC (Common Attack Pattern Enumeration and Classification) ID" + }, + "name": { + "type": "string", + "description": "Name of the attack pattern" + }, + "description": { + "type": "string", + "description": "Description of the attack pattern" + }, + "prerequisites": { + "type": "array", + "items": { + "type": "string" + }, + "description": "Prerequisites for the attack" + }, + "techniques": { + "type": "array", + "items": { + "$ref": "#/$defs/technique" + }, + "description": "Techniques used in the attack" + }, + "mitigations": { + "type": "array", + "items": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType" + }, + "description": "References to mitigations" + }, + "examples": { + "type": "array", + "items": { + "type": "string" + }, + "description": "Real-world examples" + } + } + }, + "attackPatternReference": { + "type": "object", + 
"additionalProperties": false, + "properties": { + "patternRef": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType", + "description": "Reference to attack pattern" + }, + "capecId": { + "type": "integer", + "description": "CAPEC ID if not referencing internal pattern" + }, + "customization": { + "type": "string", + "description": "How this pattern is customized for the specific scenario" + } + } + }, + "technique": { + "type": "object", + "additionalProperties": false, + "properties": { + "id": { + "type": "string", + "description": "Technique ID (e.g., MITRE ATT&CK ID)" + }, + "name": { + "type": "string", + "description": "Name of the technique" + }, + "tactic": { + "type": "string", + "description": "Associated tactic" + }, + "procedure": { + "type": "string", + "description": "Specific procedure" + }, + "tools": { + "type": "array", + "items": { + "type": "string" + }, + "description": "Tools used with this technique" + } + } + }, + "weakness": { + "type": "object", + "required": ["bom-ref"], + "additionalProperties": false, + "properties": { + "bom-ref": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType" + }, + "cweId": { + "type": "integer", + "description": "CWE (Common Weakness Enumeration) ID" + }, + "name": { + "type": "string", + "description": "Name of the weakness" + }, + "description": { + "type": "string", + "description": "Description of the weakness" + }, + "abstraction": { + "type": "string", + "enum": ["pillar", "class", "base", "variant", "compound"], + "meta:enum": { + "pillar": "Most abstract type of weakness", + "class": "Weakness described in generic terms", + "base": "Weakness described in abstract terms", + "variant": "Weakness specific to a resource/technology", + "compound": "Combination of two or more weaknesses" + } + }, + "ordinality": { + "type": "string", + "enum": ["primary", "resultant", "indirect"], + "meta:enum": { + "primary": "Weakness exists independent of other weaknesses", + "resultant": "Weakness is 
caused by another weakness", + "indirect": "Weakness is indirectly caused by another weakness" + } + }, + "affectedAssets": { + "type": "array", + "items": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType" + }, + "description": "Assets affected by this weakness" + }, + "exploitationDifficulty": { + "type": "string", + "enum": ["trivial", "easy", "moderate", "difficult", "impractical"], + "description": "Difficulty of exploiting this weakness" + }, + "detectionMethods": { + "type": "array", + "items": { + "$ref": "#/$defs/detectionMethod" + }, + "description": "Methods for detecting this weakness" + } + } + }, + "weaknessReference": { + "type": "object", + "additionalProperties": false, + "properties": { + "weaknessRef": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType", + "description": "Reference to weakness" + }, + "cweId": { + "type": "integer", + "description": "CWE ID if not referencing internal weakness" + }, + "instance": { + "type": "string", + "description": "Specific instance or manifestation of the weakness" + } + } + }, + "exploitability": { + "type": "object", + "additionalProperties": false, + "properties": { + "level": { + "type": "string", + "enum": ["theoretical", "proof-of-concept", "functional", "weaponized"], + "meta:enum": { + "theoretical": "Theoretically possible but not demonstrated", + "proof-of-concept": "Proof of concept exists", + "functional": "Functional exploit exists", + "weaponized": "Weaponized exploit in the wild" + } + }, + "complexity": { + "type": "string", + "enum": ["trivial", "low", "medium", "high", "very-high"], + "description": "Complexity to exploit" + }, + "skillRequired": { + "type": "string", + "enum": ["none", "basic", "intermediate", "advanced", "expert"], + "description": "Skill level required" + }, + "toolsRequired": { + "type": "array", + "items": { + "type": "string" + }, + "description": "Tools required for exploitation" + }, + "timeRequired": { + "type": "string", + "description": 
"Estimated time to develop exploit" + }, + "reliability": { + "type": "string", + "enum": ["unreliable", "occasional", "reliable", "highly-reliable"], + "description": "Reliability of exploitation" + }, + "automatable": { + "type": "boolean", + "description": "Whether exploitation can be automated" + } + } + }, + "indicators": { + "type": "object", + "additionalProperties": false, + "properties": { + "compromise": { + "type": "array", + "items": { + "type": "string" + }, + "description": "Indicators of compromise" + }, + "attack": { + "type": "array", + "items": { + "type": "string" + }, + "description": "Indicators of attack" + }, + "behavioral": { + "type": "array", + "items": { + "type": "string" + }, + "description": "Behavioral indicators" + }, + "signatures": { + "type": "array", + "items": { + "$ref": "#/$defs/signature" + }, + "description": "Detection signatures" + } + } + }, + "signature": { + "type": "object", + "required": ["type", "value"], + "additionalProperties": false, + "properties": { + "type": { + "type": "string", + "enum": ["yara", "snort", "regex", "hash", "behavior"], + "description": "Type of signature" + }, + "value": { + "type": "string", + "description": "Signature value or pattern" + }, + "description": { + "type": "string", + "description": "Description of what the signature detects" + }, + "confidence": { + "type": "string", + "enum": ["low", "medium", "high"], + "description": "Confidence level of detection" + } + } + }, + "ttp": { + "type": "object", + "additionalProperties": false, + "properties": { + "tactic": { + "type": "string", + "description": "High-level tactic" + }, + "technique": { + "$ref": "#/$defs/technique" + }, + "procedure": { + "type": "string", + "description": "Specific implementation" + }, + "tools": { + "type": "array", + "items": { + "$ref": "#/$defs/tool" + }, + "description": "Tools used" + }, + "infrastructure": { + "type": "array", + "items": { + "type": "string" + }, + "description": "Infrastructure used" 
+ } + } + }, + "tool": { + "type": "object", + "required": ["name"], + "additionalProperties": false, + "properties": { + "name": { + "type": "string", + "description": "Tool name" + }, + "type": { + "type": "string", + "enum": ["exploit", "scanner", "fuzzer", "proxy", "framework", "custom"], + "description": "Type of tool" + }, + "version": { + "type": "string", + "description": "Tool version" + }, + "capabilities": { + "type": "array", + "items": { + "type": "string" + }, + "description": "Tool capabilities" + } + } + }, + "targeting": { + "type": "object", + "additionalProperties": false, + "properties": { + "sectors": { + "type": "array", + "items": { + "type": "string" + }, + "description": "Targeted sectors or industries" + }, + "regions": { + "type": "array", + "items": { + "type": "string" + }, + "description": "Targeted geographic regions" + }, + "technologies": { + "type": "array", + "items": { + "type": "string" + }, + "description": "Targeted technologies or platforms" + }, + "dataTypes": { + "type": "array", + "items": { + "type": "string" + }, + "description": "Types of data targeted" + } + } + }, + "detectionMethod": { + "type": "object", + "required": ["method"], + "additionalProperties": false, + "properties": { + "method": { + "type": "string", + "enum": ["static-analysis", "dynamic-analysis", "penetration-test", "code-review", "architecture-review", "automated-scan"], + "description": "Detection method type" + }, + "description": { + "type": "string", + "description": "Description of the detection method" + }, + "effectiveness": { + "type": "string", + "enum": ["low", "medium", "high"], + "description": "Effectiveness of the method" + }, + "tools": { + "type": "array", + "items": { + "type": "string" + }, + "description": "Tools that implement this method" + } + } + }, + "securityPolicy": { + "type": "object", + "required": ["bom-ref", "name", "type"], + "additionalProperties": false, + "properties": { + "bom-ref": { + "$ref": 
"cyclonedx-common-2.0.schema.json#/$defs/refType" + }, + "name": { + "type": "string", + "description": "Policy name" + }, + "type": { + "type": "string", + "enum": ["access-control", "data-protection", "network-security", "application-security", "operational-security", "compliance"], + "description": "Type of security policy" + }, + "description": { + "type": "string", + "description": "Policy description" + }, + "requirements": { + "type": "array", + "items": { + "type": "string" + }, + "description": "Policy requirements" + }, + "enforcement": { + "type": "string", + "enum": ["mandatory", "recommended", "optional"], + "description": "Enforcement level" + }, + "appliesTo": { + "type": "array", + "items": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType" + }, + "description": "Assets this policy applies to" + }, + "exceptions": { + "type": "array", + "items": { + "type": "string" + }, + "description": "Policy exceptions" + } + } + }, + "trustBoundary": { + "type": "object", + "allOf": [ + { + "$ref": "cyclonedx-blueprint-2.0.schema.json#/$defs/boundary" + }, + { + "properties": { + "trustLevel": { + "type": "string", + "enum": ["untrusted", "semi-trusted", "trusted", "highly-trusted"], + "description": "Trust level differential" + }, + "securityRequirements": { + "$ref": "#/$defs/boundarySecurityRequirements" + }, + "threatsAtBoundary": { + "type": "array", + "items": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType" + }, + "description": "Threats that could exploit this boundary" + }, + "controlsAtBoundary": { + "type": "array", + "items": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType" + }, + "description": "Controls implemented at this boundary" + } + } + } + ] + }, + "boundarySecurityRequirements": { + "type": "object", + "additionalProperties": false, + "properties": { + "authenticationStrength": { + "type": "string", + "enum": ["none", "weak", "moderate", "strong", "very-strong"], + "description": "Required 
authentication strength" + }, + "authorizationGranularity": { + "type": "string", + "enum": ["coarse", "medium", "fine", "very-fine"], + "description": "Authorization granularity required" + }, + "integrityVerification": { + "type": "boolean", + "description": "Whether integrity verification is required" + }, + "confidentialityProtection": { + "type": "boolean", + "description": "Whether confidentiality protection is required" + }, + "auditingLevel": { + "type": "string", + "enum": ["none", "basic", "detailed", "comprehensive"], + "description": "Level of auditing required" + }, + "dataValidationRules": { + "type": "array", + "items": { + "type": "string" + }, + "description": "Data validation rules at boundary" + } + } + } + } +} diff --git a/schema/2.0/model/cyclonedx-usecase-2.0.schema.json b/schema/2.0/model/cyclonedx-usecase-2.0.schema.json new file mode 100644 index 00000000..4f08e132 --- /dev/null +++ b/schema/2.0/model/cyclonedx-usecase-2.0.schema.json 
@@ -0,0 +1,202 @@
+{
+ "$schema": "https://json-schema.org/draft/2020-12/schema",
+ "$id": "https://cyclonedx.org/schema/2.0/model/cyclonedx-usecase-2.0.schema.json",
+ "type": "null",
+ "title": "CycloneDX Use Case Model",
+ "$comment" : "OWASP CycloneDX is an Ecma International standard (ECMA-424) developed in collaboration between the OWASP Foundation and Ecma Technical Committee 54 (TC54). The standard is published under a royalty-free patent policy. This JSON schema is the reference implementation and is licensed under the Apache License 2.0.",
+ "properties": {
+ "bom-ref": {
+ "type": "string",
+ "title": "BOM Reference",
+ "description": "An optional identifier which can be used to reference the use case elsewhere in the BOM. Every bom-ref must be unique within the BOM."
+ },
+ "name": {
+ "type": "string",
+ "title": "Name",
+ "description": "The name or title of the use case."
+ },
+ "description": {
+ "type": "string",
+ "title": "Description",
+ "description": "A detailed description of the use case."
+ },
+ "actors": {
+ "type": "array",
+ "title": "Actors",
+ "description": "The stakeholders or users who interact with the system in this use case.",
+ "items": {
+ "type": "string"
+ }
+ },
+ "preconditions": {
+ "type": "array",
+ "title": "Preconditions",
+ "description": "Conditions that must be true before the use case can be executed.",
+ "items": {
+ "type": "string"
+ }
+ },
+ "postconditions": {
+ "type": "array",
+ "title": "Postconditions",
+ "description": "Conditions that will be true after the use case has been successfully executed.",
+ "items": {
+ "type": "string"
+ }
+ },
+ "mainFlow": {
+ "type": "array",
+ "title": "Main Flow",
+ "description": "The primary sequence of steps that describe the use case.",
+ "items": {
+ "$ref": "#/$defs/step"
+ }
+ },
+ "alternativeFlows": {
+ "type": "array",
+ "title": "Alternative Flows",
+ "description": "Alternative sequences of steps that may occur in the use case.",
+ "items": {
+ "$ref": "#/$defs/flow"
+ }
+ },
+ "exceptions": {
+ "type": "array",
+ "title": "Exceptions",
+ "description": "Error scenarios that may occur during the execution of the use case.",
+ "items": {
+ "$ref": "#/$defs/exception"
+ }
+ },
+ "successCriteria": {
+ "type": "array",
+ "title": "Success Criteria",
+ "description": "Criteria that determine whether the use case has been successfully executed.",
+ "items": {
+ "type": "string"
+ }
+ },
+ "notes": {
+ "type": "array",
+ "title": "Notes",
+ "description": "Additional information or comments about the use case.",
+ "items": {
+ "type": "string"
+ }
+ },
+ "properties": {
+ "type": "array",
+ "title": "Properties",
+ "description": "Provides the ability to document properties in a name-value store. This provides flexibility to include data not officially supported in the standard.",
+ "items": {
+ "$ref": "#/$defs/property"
+ }
+ }
+ },
+ "$defs": {
+ "step": {
+ "type": "object",
+ "title": "Step",
+ "description": "A single step in a use case flow.",
+ "additionalProperties": false,
+ "properties": {
+ "number": {
+ "type": "integer",
+ "title": "Number",
+ "description": "The sequence number of the step."
+ },
+ "description": {
+ "type": "string",
+ "title": "Description",
+ "description": "A description of the step."
+ },
+ "actor": {
+ "type": "string",
+ "title": "Actor",
+ "description": "The actor who performs this step."
+ }
+ }
+ },
+ "flow": {
+ "type": "object",
+ "title": "Flow",
+ "description": "A sequence of steps in a use case.",
+ "additionalProperties": false,
+ "properties": {
+ "name": {
+ "type": "string",
+ "title": "Name",
+ "description": "The name of the flow."
+ },
+ "description": {
+ "type": "string",
+ "title": "Description",
+ "description": "A description of the flow."
+ },
+ "condition": {
+ "type": "string",
+ "title": "Condition",
+ "description": "The condition under which this alternative flow is executed."
+ },
+ "steps": {
+ "type": "array",
+ "title": "Steps",
+ "description": "The sequence of steps in the flow.",
+ "items": {
+ "$ref": "#/$defs/step"
+ }
+ }
+ }
+ },
+ "exception": {
+ "type": "object",
+ "title": "Exception",
+ "description": "An error scenario in a use case.",
+ "additionalProperties": false,
+ "properties": {
+ "name": {
+ "type": "string",
+ "title": "Name",
+ "description": "The name of the exception."
+ },
+ "description": {
+ "type": "string",
+ "title": "Description",
+ "description": "A description of the exception."
+ },
+ "condition": {
+ "type": "string",
+ "title": "Condition",
+ "description": "The condition under which this exception occurs."
+ },
+ "handling": {
+ "type": "string",
+ "title": "Handling",
+ "description": "How the exception is handled."
+ }
+ }
+ },
+ "property": {
+ "type": "object",
+ "title": "Property",
+ "description": "A name-value property.",
+ "additionalProperties": false,
+ "required": [
+ "name",
+ "value"
+ ],
+ "properties": {
+ "name": {
+ "type": "string",
+ "title": "Name",
+ "description": "The name of the property."
+ },
+ "value": {
+ "type": "string",
+ "title": "Value",
+ "description": "The value of the property."
+ }
+ }
+ }
+ }
+}
diff --git a/tools/src/test/resources/2.0/prototypes/hashicorp-vault-threat-model/cyclonedx-2.0-prototype.json b/tools/src/test/resources/2.0/prototypes/hashicorp-vault-threat-model/cyclonedx-2.0-prototype.json
new file mode 100644
index 00000000..e36ec28a
--- /dev/null
+++ b/tools/src/test/resources/2.0/prototypes/hashicorp-vault-threat-model/cyclonedx-2.0-prototype.json
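Review bot: The root schema declares `"type": "null"` (fourth added line of the hunk), which makes any object instance — the only kind the `properties` block beneath it can describe — fail validation, so the whole use-case model is unusable as written; every `$defs` entry in this same file uses `"type": "object"`, and the root should too: `"type": "object",`. While there, the root is the only object schema in the file without `"additionalProperties": false`, so a typo-keyed use case validates silently, and it declares no `required`, so a use case with no `name` passes as well; presumably at least `name` is mandatory — confirm against the other model schemas before adding `"required": ["name"]`.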
@@ -0,0 +1,71 @@
+{
+ "specFormat": "CycloneDX",
+ "specVersion": "2.0",
+ "blueprints": [
+ {
+ "bom-ref": "blueprint-1",
+ "blueprintMetadata":{
+ "timestamp": "2025-09-12T15:42:30Z",
+ "authors": [],
+ "reviewers": [],
+ "reviewDate": "2025-09-03",
+ "approvers": [],
+ "approvalDate": "2025-09-12",
+ "ordinalVersion": "1.0",
+ "lifecycles": [
+ {
+ "phase": "operations"
+ }
+ ],
+ "validityPeriod": {
+ "start": "",
+ "end": "",
+ "reviewFrequency": "P3M"
+ }
+ },
+ "modelTypes": [
+ "threat",
+ "dataFlow",
+ "logical"
+ ],
+ "methodologies": [
+ "STRIDE",
+ "LINDDUN"
+ ],
+ "perspectives": [
+ {
+ "bom-ref": "perspective-1",
+ "type": "security",
+ "name": "",
+ "role": "Security Architect",
+ "objectives": [],
+ "concerns": [],
+ "viewpoint": ""
+ ],
+ "scope": {
+ "bom-ref": "scope-1",
+ "name": "HashiCorp Vault",
+ "description": "HashiCorp Vault is a secrets management system that provides secure storage, access control, dynamic credentials, cryptographic operations (Transit), and secret leasing/renewal. A typical deployment consists of Vault clients (applications, CI/CD, operators) communicating over TLS with one or more Vault server nodes. Vault enforces authentication (e.g., AppRole, AWS/GCP/IAM, OIDC/JWT, Kubernetes), issues scoped tokens bound to policies, and gates all operations through its HTTP API. The server maintains an encrypted storage barrier and persists data in a backend - the integrated Storage/Raft deployment is the one in scope. Clusters are commonly configured in HA mode with an active leader and standby nodes. Core security properties include encryption at rest within the barrier, mutual TLS on all control/data paths, least-privilege policies, response wrapping, and short-lived dynamic secrets. Operational workflows cover initialization and sealing (Shamir key shares), unsealing, rotation of root keys and encryption keys, audit device configuration (e.g., file/socket/syslog), mount-by-mount secrets engine hardening, and strict network segmentation—especially between clients, Vault nodes, and the storage backend. Misconfigurations to consider include over-permissive policies, exposed Raft/Consul ports, weak auth method constraints, disabled audit logging, and long-lived tokens. This threat model involves an AWS deployment with k8s and a load balancer",
+ "$comment": "Business criticality, data sensitivity, and tier are defined on the individual assets. Exposure is not defined yet.",
+ "boundaries": [],
+ "includedComponents": [],
+ "excludedComponents": []
+
+ },
+ "visualizations": [
+
+ ],
+ "externalReferences": [
+ {
+ "type": "documentation",
+ "url": "https://developer.hashicorp.com/vault/docs"
+ },
+ {
+ "type": "vcs",
+ "url": "https://github.com/hashicorp/vault"
+ }
+ ]
+ }
+ }
+ ]
+ }
\ No newline at end of file
diff --git a/tools/src/test/resources/2.0/prototypes/hashicorp-vault-threat-model/hashicorp-vault-threat-model.json b/tools/src/test/resources/2.0/prototypes/hashicorp-vault-threat-model/hashicorp-vault-threat-model.json
new file mode 100644
index 00000000..d549195a
--- /dev/null
+++ b/tools/src/test/resources/2.0/prototypes/hashicorp-vault-threat-model/hashicorp-vault-threat-model.json
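Review bot: This prototype is not valid JSON: the `perspectives` entry opens with `{ "bom-ref": "perspective-1", …` but is closed by `],` directly after `"viewpoint": ""` with no `}`, and the trailing `} } ] }` only balances the brace count by accident, so a strict parser rejects the document before any schema validation runs and, as a resource under `tools/src/test/resources`, it will presumably fail the suite rather than exercise it. Add `}` after `"viewpoint": ""` and drop one of the closing braces at the end of the file. Separately, `validityPeriod.start`, `validityPeriod.end`, `perspectives[0].name` and `viewpoint` are empty strings; if the blueprint schema constrains those with a date format or `minLength` (not visible here) they will also fail, so either fill them in or omit the keys.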
@@ -0,0 +1,1258 @@ +{ + "$schema": "https://github.com/OWASP/www-project-threat-model-library/blob/v1.0.1/threat-model.schema.json", + "version": "1.0", + "scope": { + "title": "HashiCorp Vault", + "description": "HashiCorp Vault is a secrets management system that provides secure storage, access control, dynamic credentials, cryptographic operations (Transit), and secret leasing/renewal. A typical deployment consists of Vault clients (applications, CI/CD, operators) communicating over TLS with one or more Vault server nodes. Vault enforces authentication (e.g., AppRole, AWS/GCP/IAM, OIDC/JWT, Kubernetes), issues scoped tokens bound to policies, and gates all operations through its HTTP API. The server maintains an encrypted storage barrier and persists data in a backend - the integrated Storage/Raft deployment is the one in scope. Clusters are commonly configured in HA mode with an active leader and standby nodes. Core security properties include encryption at rest within the barrier, mutual TLS on all control/data paths, least-privilege policies, response wrapping, and short-lived dynamic secrets. Operational workflows cover initialization and sealing (Shamir key shares), unsealing, rotation of root keys and encryption keys, audit device configuration (e.g., file/socket/syslog), mount-by-mount secrets engine hardening, and strict network segmentation—especially between clients, Vault nodes, and the storage backend. Misconfigurations to consider include over-permissive policies, exposed Raft/Consul ports, weak auth method constraints, disabled audit logging, and long-lived tokens. 
This threat model involves an AWS deployment with k8s and a load balancer", + "business_criticality": "high", + "data_sensitivity": [ + "biz", + "cred", + "pii" + ], + "exposure": "internal", + "tier": "mission_critical" + }, + "description": "Enterprise secrets management and cryptographic services for applications and operators.", + "frozen": false, + "release_docs_link": "https://developer.hashicorp.com/vault/docs", + "reviewed_at": "2025-09-03", + "repo_link": "https://github.com/hashicorp/vault", + "diagrams": [ + { + "title": "AWS Deployment with K8s and a load balancer","type": "mermaid", + "source": "flowchart LR; AU[\"App User\"]; DEV[\"Developer\"]; PE[\"Platform Engineer\"]; APP1[\"Client Application (App 1)\"]; CLI[\"Vault CLI / API Client\"]; subgraph VPC[\"Internal AWS VPC\"]; direction LR; VPN[\"VPN Gateway (AWS SSO)\"]; LB[\"AWS Load Balancer\"]; subgraph EKS[\"EKS Cluster\"]; direction TB; APISERVER[\"Kubernetes API Server\"]; subgraph NS[\"K8s Namespace: vault\"]; direction LR; SVC[\"K8s Service: vault-internal\"]; SVC_EP[\"Service Endpoint\"]; subgraph VAULT[\"Vault HA Deployment (StatefulSet)\"]; direction LR; V1[\"Vault Pod 1 (Active)\"]; V2[\"Vault Pod 2 (Standby)\"]; V3[\"Vault Pod 3 (Standby)\"]; API[\"Vault API (:8200)\"]; AUTH[\"Vault Auth Methods\"]; SE[\"Vault Secret Engines\"]; AUDDEV[\"Vault Audit Devices\"]; subgraph RAFT[\"Integrated Storage (Raft :8201 mTLS)\"]; R1[\"Raft Peer (Pod 1)\"]; R2[\"Raft Peer (Pod 2)\"]; R3[\"Raft Peer (Pod 3)\"]; end; end; end; end; KMS[\"Vault Auto-Unseal (Cloud KMS)\"]; end; AU -->|Login/API| APP1; APP1 -- \"TLS :8200\" --> LB; DEV -->|\"VPN + AWS SSO\"| VPN; PE -->|\"VPN + AWS SSO\"| VPN; DEV -->|\"Uses Vault CLI\"| CLI; PE -->|\"Uses Vault CLI\"| CLI; CLI -->|\"Tunnel via VPN\"| VPN; VPN -->|\"Forward to VPC\"| LB; CLI -- \"TLS :8200 (via VPN)\" --> LB; VPN -. 
\"kubectl (AWS SSO)\" .-> APISERVER; LB -->|\"TLS :8200\"| SVC_EP; SVC_EP --> V1; SVC_EP --> V2; SVC_EP --> V3; V1 --- API; V2 --- API; V3 --- API; API --> AUTH; API --> SE; API --> AUDDEV; V1 --- R1; V2 --- R2; V3 --- R3; R1 <-->|\"Raft :8201 mTLS\"| R2; R1 <-->|\"Raft :8201 mTLS\"| R3; R2 <-->|\"Raft :8201 mTLS\"| R3; VAULT -. \"Auto-Unseal\" .-> KMS;" + } + ], + "trust_zones": [ + { + "symbolic_name": "public", + "title": "Public Internet Zone", + "description": "External clients and actors including applications, CI/CD pipelines, and operators that connect to Vault over TLS (8200)." + }, + { + "symbolic_name": "aws-vpc", + "title": "Internal AWS VPC", + "description": "Private AWS VPC hosting the EKS cluster and load balancer. Provides network isolation and segmentation for Vault components." + }, + { + "symbolic_name": "eks-cluster", + "title": "EKS Cluster Zone", + "description": "Amazon EKS cluster providing the orchestration environment for Vault pods and services." + }, + { + "symbolic_name": "k8s-namespace-vault", + "title": "Vault Kubernetes Namespace", + "description": "Dedicated Kubernetes namespace (`vault`) that contains the Vault StatefulSet, Service, and Raft integrated storage peers." 
+ } + ], + "trust_boundaries": [ + { + "trust_zone_a": "public-internet", + "trust_zone_b": "aws-vpc", + "access_control_methods": [ + "acl", + "rbac" + ], + "authentication_methods": [ + "public_key", + "token", + "sso" + + ] + }, + { + "trust_zone_a": "aws-vpc", + "trust_zone_b": "eks-cluster", + "access_control_methods": [ + "rbac", + "acl" + ], + "authentication_methods": [ + "public_key" + ] + }, + { + "trust_zone_a": "eks-cluster", + "trust_zone_b": "k8s-namespace-vault", + "access_control_methods": [ + "rbac", + "acl", + "mac" + ], + "authentication_methods": [ + "token" + ] + } + ], + "actors": [ + { + "symbolic_name": "platform-engineer", + "title": "Platform Engineer", + "description": "Responsible for deploying, operating, and maintaining the Vault cluster. Manages HA configuration, upgrades, storage backends, and operational tasks like initialization, unseal, and monitoring.", + "type": "engineer", + "permissions": "Deploy and upgrade Vault; configure Raft or Consul storage; perform initialization and unseal operations; enable/disable auth and secrets engines; monitor health and performance.", + "trust_zone": "aws-vpc" + }, + { + "symbolic_name": "developer", + "title": "Application Developer", + "description": "A developer who builds and maintains applications that consume secrets from Vault. In this scenario, developers also have access to the Kubernetes cluster where Vault is deployed, as well as Vault audit logs. 
This gives them significant power to access, modify, and observe secret-related operations.", + "type": "engineer", + "permissions": "Push and retrieve secrets; configure application roles for development; read Vault audit logs; access the Kubernetes cluster including the Vault namespace, which may allow tampering with Vault pods, services, or Raft storage.", + "trust_zone": "aws-vpc" + }, + + { + "symbolic_name": "app-user", + "title": "End User of Client Application", + "description": "An end user (internal employee or external customer) who interacts with an application that relies on Vault for secrets management or cryptographic operations.", + "type": "user", + "permissions": "Indirect access to Vault-protected resources through the client application; cannot interact with Vault directly.", + "trust_zone": "public" + } + ], + "components": [ + { + "symbolic_name": "client-app-1", + "title": "Client Application (App 1)", + "description": "External application that end users interact with. 
Relies on Vault for secrets or cryptographic operations.", + "trust_zone": "public-internet" + }, + { + "symbolic_name": "vpn-gateway", + "title": "VPN Gateway", + "description": "Provides secure entry for engineers and developers into the AWS VPC hosting Vault.", + "trust_zone": "aws-vpc" + }, + { + "symbolic_name": "aws-lb", + "title": "AWS Load Balancer", + "description": "DMZ load balancer that forwards client requests over TLS to the Vault Kubernetes Service endpoint.", + "trust_zone": "aws-vpc", + "repo_link": "https://github.com/hashicorp/vault" + }, + { + "symbolic_name": "eks-cluster", + "title": "Amazon EKS Cluster", + "description": "Managed Kubernetes control plane and worker nodes that run the Vault namespace.", + "trust_zone": "eks-cluster" + }, + { + "symbolic_name": "k8s-service-vault-internal", + "title": "Kubernetes Service: vault-internal", + "description": "Cluster-internal service endpoint that routes traffic from the AWS Load Balancer to Vault pods.", + "trust_zone": "k8s-namespace-vault" + }, + { + "symbolic_name": "vault-ha-statefulset", + "title": "Vault HA Deployment (StatefulSet)", + "description": "Vault pods (1 active leader, 2 standbys) running in high availability mode and exposing the Vault API.", + "trust_zone": "k8s-namespace-vault" + }, + { + "symbolic_name": "vault-auth-methods", + "title": "Vault Authentication Methods", + "description": "Pluggable authentication backends (e.g., AppRole, Kubernetes, AWS IAM, OIDC) that validate identities and issue scoped Vault tokens.", + "trust_zone": "k8s-namespace-vault", + "repo_link": "https://github.com/hashicorp/vault" + }, + { + "symbolic_name": "vault-secret-engines", + "title": "Vault Secret Engines", + "description": "Pluggable backends for secrets management and cryptographic operations, including KV, PKI, Transit, Database, and dynamic secrets engines.", + "trust_zone": "k8s-namespace-vault", + "repo_link": "https://github.com/hashicorp/vault" + }, + { + "symbolic_name": 
"vault-audit-devices", + "title": "Vault Audit Devices", + "description": "Configured audit sinks (file, syslog, socket, etc.) that record all requests and responses for security and compliance monitoring.", + "trust_zone": "k8s-namespace-vault", + "repo_link": "https://github.com/hashicorp/vault" + }, + { + "symbolic_name": "vault-cli", + "title": "Vault CLI / API Client", + "description": "The Vault command-line interface and HTTP API used by engineers and automation tools to interact with Vault.", + "trust_zone": "public-internet-client-zone", + "repo_link": "https://github.com/hashicorp/vault" + }, + { + "symbolic_name": "vault-auto-unseal", + "title": "Vault Auto-Unseal (Cloud KMS Integration)", + "description": "Integration with external Key Management Services (AWS KMS, GCP KMS, Azure Key Vault) to automate the unseal process.", + "trust_zone": "aws-vpc", + "repo_link": "https://github.com/hashicorp/vault" + }, + { + "symbolic_name": "vault-api", + "title": "Vault API", + "description": "The HTTP API exposed by Vault pods on port 8200. Provides entry points to authentication methods, secret engines, and application endpoints.", + "trust_zone": "k8s-namespace-vault", + "repo_link": "https://github.com/hashicorp/vault" + } + ], + "data_stores": [ + { + "symbolic_name": "vault-raft-storage", + "title": "Vault Integrated Storage (Raft)", + "description": "Embedded Raft storage peers that persist encrypted Vault data. 
Provides replication and consensus across Vault pods.", + "type": "key_value", + "vendor": "HashiCorp", + "product": "Vault Raft Storage", + "trust_zone": "k8s-namespace-vault" + }, + { + "symbolic_name": "vault-audit-logs", + "title": "Vault Audit Logs", + "description": "Audit device output streams (file, syslog, socket) that contain records of every Vault request and response for compliance and monitoring.", + "type": "object", + "vendor": "HashiCorp", + "product": "Vault Audit Devices", + "trust_zone": "k8s-namespace-vault" + }, + { + "symbolic_name": "cloud-kms", + "title": "Cloud KMS for Auto-Unseal", + "description": "External Key Management Service used by Vault for auto-unseal operations and master key encryption.", + "type": "key_value", + "vendor": "AWS", + "product": "AWS KMS", + "trust_zone": "aws-vpc" + } + ], + "data_sets": [ + { + "symbolic_name": "vault-secrets", + "title": "Vault Stored Secrets", + "description": "Static and dynamic secrets stored and managed within Vault, including credentials, API keys, and tokens. 
Encrypted at rest within the Raft storage backend.", + "placements": [ + { + "data_store": "vault-raft-storage", + "encrypted": true + } + ], + "record_count": 5000, + "data_sensitivity": [ + "cred", + "pii", + "biz" + ], + "access_control_methods": [ + "rbac", + "acl" + ] + }, + { + "symbolic_name": "vault-audit-records", + "title": "Vault Audit Log Records", + "description": "Detailed records of Vault API requests and responses, containing metadata on who accessed what, when, and how.", + "placements": [ + { + "data_store": "vault-audit-logs", + "encrypted": false + } + ], + "record_count": 1000000, + "data_sensitivity": [ + "biz", + "pii" + ], + "access_control_methods": [ + "rbac", + "acl" + ] + }, + { + "symbolic_name": "vault-unseal-keys", + "title": "Vault Master Key and Unseal Keys", + "description": "Key shares or cloud KMS-encrypted master keys used for unsealing Vault and securing the root of trust.", + "placements": [ + { + "data_store": "cloud-kms", + "encrypted": true + } + ], + "record_count": 5, + "data_sensitivity": [ + "cred" + ], + "access_control_methods": [ + "acl", + "rbac" + ] + } + ], + "data_flows": [ + { + "symbolic_name": "developer-to-cli", + "title": "Developer to Vault CLI", + "description": "Developer issues commands to the local Vault CLI binary, which acts as the client interface to Vault.", + "source": { + "type": "actor", + "object": "developer" + }, + "destination": { + "type": "component", + "object": "vault-cli" + }, + "has_sensitive_data": false, + "encrypted": false + }, + { + "symbolic_name": "platform-engineer-to-cli", + "title": "Platform Engineer to Vault CLI", + "description": "Platform Engineer issues commands to the local Vault CLI binary for managing Vault operations and configurations.", + "source": { + "type": "actor", + "object": "platform-engineer" + }, + "destination": { + "type": "component", + "object": "vault-cli" + }, + "has_sensitive_data": false, + "encrypted": false + }, + { + "symbolic_name": 
"app-user-to-client-app", + "title": "App User to Client Application", + "description": "An end user interacts with the client-facing application, which relies on Vault for secrets or cryptographic operations.", + "source": { + "type": "actor", + "object": "app-user" + }, + "destination": { + "type": "component", + "object": "client-app-1" + }, + "has_sensitive_data": true, + "encrypted": true + }, + { + "symbolic_name": "client-app-to-aws-lb", + "title": "Client Application to AWS Load Balancer", + "description": "Client Application (App 1) sends requests to Vault via the AWS Load Balancer over TLS 8200.", + "source": { + "type": "component", + "object": "client-app-1" + }, + "destination": { + "type": "component", + "object": "aws-lb" + }, + "has_sensitive_data": true, + "encrypted": true + }, + { + "symbolic_name": "cli-to-vpn", + "title": "Vault CLI to VPN Gateway", + "description": "Vault CLI tunnels traffic through the VPN Gateway, which enforces AWS SSO before allowing access into the VPC.", + "source": { + "type": "component", + "object": "vault-cli" + }, + "destination": { + "type": "component", + "object": "vpn-gateway" + }, + "has_sensitive_data": true, + "encrypted": true + }, + { + "symbolic_name": "vpn-to-aws-lb", + "title": "VPN Gateway to AWS Load Balancer", + "description": "VPN Gateway forwards authenticated engineer traffic (AWS SSO) into the VPC, delivering Vault CLI/API requests to the AWS Load Balancer over TLS 8200.", + "source": { + "type": "component", + "object": "vpn-gateway" + }, + "destination": { + "type": "component", + "object": "aws-lb" + }, + "has_sensitive_data": true, + "encrypted": true + }, + { + "symbolic_name": "aws-lb-to-eks", + "title": "AWS Load Balancer to EKS Cluster", + "description": "The Load Balancer forwards TLS :8200 traffic into the EKS cluster.", + "source": { + "type": "component", + "object": "aws-lb" + }, + "destination": { + "type": "component", + "object": "eks-cluster" + }, + "has_sensitive_data": true, + 
"encrypted": true + }, + { + "symbolic_name": "k8s-service-to-vault-ha", + "title": "Kubernetes Service to Vault HA StatefulSet", + "description": "The Service load balances requests to Vault pods.", + "source": { + "type": "component", + "object": "k8s-service-vault-internal" + }, + "destination": { + "type": "component", + "object": "vault-ha-statefulset" + }, + "has_sensitive_data": true, + "encrypted": true + }, + { + "symbolic_name": "eks-cluster-to-k8s-service", + "title": "EKS Cluster to Kubernetes Service (vault-internal)", + "description": "EKS networking routes traffic internally to the cluster Service endpoint for Vault.", + "source": { + "type": "component", + "object": "eks-cluster" + }, + "destination": { + "type": "component", + "object": "k8s-service-vault-internal" + }, + "has_sensitive_data": true, + "encrypted": true + }, + { + "symbolic_name": "vault-ha-to-vault-api", + "title": "Vault Pod to Vault API", + "description": "Requests arriving at a Vault pod are handled by the Vault API listener on :8200.", + "source": { + "type": "component", + "object": "vault-ha-statefulset" + }, + "destination": { + "type": "component", + "object": "vault-api" + }, + "has_sensitive_data": true, + "encrypted": true + }, + { + "symbolic_name": "vault-api-to-auth", + "title": "Vault API to Auth Methods", + "description": "Login requests (/auth/*) dispatched to configured authentication backends.", + "source": { + "type": "component", + "object": "vault-api" + }, + "destination": { + "type": "component", + "object": "vault-auth-methods" + }, + "has_sensitive_data": true, + "encrypted": true + }, + { + "symbolic_name": "vault-api-to-secrets", + "title": "Vault API to Secret Engines", + "description": "Secret read/write and cryptographic operations routed to secrets engines.", + "source": { + "type": "component", + "object": "vault-api" + }, + "destination": { + "type": "component", + "object": "vault-secret-engines" + }, + "has_sensitive_data": true, + "encrypted": 
true + }, + { + "symbolic_name": "vault-api-to-audit", + "title": "Vault API to Audit Devices", + "description": "Vault writes request/response metadata to audit devices (file/syslog/socket).", + "source": { + "type": "component", + "object": "vault-api" + }, + "destination": { + "type": "component", + "object": "vault-audit-devices" + }, + "has_sensitive_data": true, + "encrypted": true + }, + { + "symbolic_name": "vault-core-to-raft", + "title": "Vault Core to Raft Storage", + "description": "Vault Core persists encrypted state via the storage barrier into Integrated Storage (Raft).", + "source": { + "type": "component", + "object": "vault-ha-statefulset" + }, + "destination": { + "type": "data_store", + "object": "vault-raft-storage" + }, + "has_sensitive_data": true, + "encrypted": true + }, + { + "symbolic_name": "vault-ha-to-auto-unseal", + "title": "Vault to Auto-Unseal Integration", + "description": "Vault contacts the Cloud KMS integration to decrypt master key material during startup/unseal.", + "source": { + "type": "component", + "object": "vault-ha-statefulset" + }, + "destination": { + "type": "component", + "object": "vault-auto-unseal" + }, + "has_sensitive_data": true, + "encrypted": true + }, + { + "symbolic_name": "audit-devices-to-audit-logs", + "title": "Vault Audit Devices to Audit Logs", + "description": "Audit devices append structured records to the audit log store.", + "source": { + "type": "component", + "object": "vault-audit-devices" + }, + "destination": { + "type": "data_store", + "object": "vault-audit-logs" + }, + "has_sensitive_data": true, + "encrypted": true + }, + { + "symbolic_name": "auto-unseal-to-cloud-kms", + "title": "Auto-Unseal to Cloud KMS", + "description": "Auto-unseal integration calls Cloud KMS to decrypt the master key material.", + "source": { + "type": "component", + "object": "vault-auto-unseal" + }, + "destination": { + "type": "data_store", + "object": "cloud-kms" + }, + "has_sensitive_data": true, + 
"encrypted": true + }, + { + "symbolic_name": "developer-to-vpn", + "title": "Developer to VPN (AWS SSO)", + "description": "Developer authenticates to the VPN using AWS SSO before accessing internal cluster resources.", + "source": { + "type": "actor", + "object": "developer" + }, + "destination": { + "type": "component", + "object": "vpn-gateway" + }, + "has_sensitive_data": false, + "encrypted": true + }, + { + "symbolic_name": "platform-engineer-to-vpn", + "title": "Platform Engineer to VPN (AWS SSO)", + "description": "Platform Engineer authenticates to the VPN using AWS SSO before accessing internal cluster resources.", + "source": { + "type": "actor", + "object": "platform-engineer" + }, + "destination": { + "type": "component", + "object": "vpn-gateway" + }, + "has_sensitive_data": false, + "encrypted": true + }, + { + "symbolic_name": "vault-audit-devices-to-audit-logs", + "title": "Vault Audit Devices to Audit Logs", + "description": "Vault pods (audit devices) write structured audit records to the audit log store (file/syslog/socket).", + "source": { + "type": "component", + "object": "vault-audit-devices" + }, + "destination": { + "type": "data_store", + "object": "vault-audit-logs" + }, + "has_sensitive_data": true, + "encrypted": true + }, + { + "symbolic_name": "insider-read-audit-logs-developer", + "title": "Developer reads Vault Audit Logs", + "description": "Developer reads audit records directly from the audit log store via kubectl exec/logs or mounted volumes inside the Vault pod.", + "source": { + "type": "data_store", + "object": "vault-audit-logs" + }, + "destination": { + "type": "actor", + "object": "developer" + }, + "has_sensitive_data": true, + "encrypted": true + }, + { + "symbolic_name": "insider-read-audit-logs-platform-engineer", + "title": "Platform Engineer reads Vault Audit Logs", + "description": "Platform Engineer reads audit records directly from the audit log store via kubectl exec/logs or mounted volumes inside the Vault 
pod.", + "source": { + "type": "data_store", + "object": "vault-audit-logs" + }, + "destination": { + "type": "actor", + "object": "platform-engineer" + }, + "has_sensitive_data": true, + "encrypted": true + }, + { + "symbolic_name": "insider-read-raft-storage", + "title": "Developer reads Raft Storage", + "description": "Developer with kubectl exec access copies or reads Raft storage files from the Vault pod filesystem. Data remains barrier-encrypted at rest, but access enables exfiltration or tampering.", + "source": { + "type": "data_store", + "object": "vault-raft-storage" + }, + "destination": { + "type": "actor", + "object": "developer" + }, + "has_sensitive_data": true, + "encrypted": true + }, + { + "symbolic_name": "insider-read-raft-storage-platform-engineer", + "title": "Platform Engineer reads Raft Storage", + "description": "Platform Engineer with kubectl exec access copies or reads Raft storage files from the Vault pod filesystem. Data remains barrier-encrypted at rest, but access enables exfiltration or tampering.", + "source": { + "type": "data_store", + "object": "vault-raft-storage" + }, + "destination": { + "type": "actor", + "object": "platform-engineer" + }, + "has_sensitive_data": true, + "encrypted": true + } + ], + "assumptions": [ + { + "description": "All communication between clients, load balancers, Kubernetes services, and Vault pods occurs over TLS (8200).", + "validity": "confirmed" + }, + { + "description": "Vault Raft storage is encrypted at rest by the Vault barrier, and requires master key material (from KMS or Shamir unseal) for decryption.", + "validity": "confirmed" + }, + { + "description": "Vault pods run inside a dedicated Kubernetes namespace with RBAC, NetworkPolicies, and IAM roles scoped to the namespace.", + "validity": "confirmed" + }, + { + "description": "VPN gateway enforces AWS SSO authentication for Developers and Platform Engineers before they can access the AWS VPC and EKS cluster.", + "validity": "confirmed" + 
}, + { + "description": "Cloud KMS (AWS KMS) keys used for auto-unseal are properly scoped and only accessible by Vault service accounts.", + "validity": "confirmed" + }, + { + "description": "Audit devices are configured and cannot be disabled without privileged administrator actions.", + "validity": "confirmed" + }, + { + "description": "Developers and Platform Engineers with kubectl access could bypass the Vault API to access logs and storage directly, introducing insider risk.", + "validity": "confirmed" + }, + { + "description": "Raft replication between Vault pods uses mutual TLS on port 8201 with certificate pinning/verification.", + "validity": "confirmed" + }, + { + "description": "VPN Gateway enforces AWS SSO (MFA) for Developers and Platform Engineers before access to the VPC and EKS control plane.", + "validity": "confirmed" + }, + { + "description": "EKS API access requires VPN + SSO and is logged; direct Internet access to the cluster or nodes is blocked.", + "validity": "confirmed" + } + ], + "threat_personas": [ + { + "symbolic_name": "darius", + "title": "Darius the Compromised / Malicious Developer", + "description": "An insider developer whose account or workstation is compromised (or who has turned malicious). Has kubectl access to the EKS cluster and can read Vault audit logs and pod files. Could exfiltrate secrets, tamper with Raft storage, or disable/modify logging.", + "is_person": true, + "skill_level": "engineer", + "access_level": "admin", + "malicious_intent": true, + "applicability_to_org": "high" + }, + { + "symbolic_name": "sofia", + "title": "Sofia the Rogue Platform Engineer", + "description": "An insider with elevated privileges over Vault’s deployment, networking, and storage backends. 
Capable of modifying StatefulSets, Service configurations, or intercepting API traffic.", + "is_person": true, + "skill_level": "expert_engineer", + "access_level": "admin", + "malicious_intent": true, + "applicability_to_org": "low" + }, + { + "symbolic_name": "li-wei", + "title": "Li Wei the External Attacker", + "description": "An attacker on the public Internet attempting to exploit misconfigurations, weak authentication methods, or exposed APIs to gain unauthorized access to Vault.", + "is_person": true, + "skill_level": "script_kid", + "access_level": "user", + "malicious_intent": true, + "applicability_to_org": "maximal" + }, + { + "symbolic_name": "giovanni", + "title": "Giovanni the Curious Administrator", + "description": "A well-meaning but overcurious administrator who inspects Vault audit logs or Raft storage beyond their intended duties, creating insider risk without direct malicious intent.", + "is_person": true, + "skill_level": "insider", + "access_level": "admin", + "malicious_intent": false, + "applicability_to_org": "maximal" + }, + { + "symbolic_name": "alejandra", + "title": "Alejandra the OC-Sponsored Operator", + "description": "An operator working on behalf of organized crime (ransomware/credential resale). 
Skilled at exploiting exposed services, social engineering, and purchasing insider access; targets Vault to harvest credentials and secrets for monetization.", + "is_person": true, + "skill_level": "oc_sponsored", + "access_level": "user", + "malicious_intent": true, + "applicability_to_org": "high" + } + ], + "threats": [ + { + "symbolic_name": "insider-exfiltrate-secrets-via-kubectl", + "title": "Insider exfiltrates secrets and configuration via kubectl (pod exec / file copy)", + "description": "A developer or platform engineer with kubectl access execs into Vault pods or mounts pod volumes to read Raft storage files and configuration, allowing exfiltration of encrypted state and metadata which can be used for offline attacks or tampering.", + "threat_persona": "darius", + "event": "unauthorized data exfiltration / tampering", + "sources": [ + "adversary" + ], + "attack_mechanisms": [ + { + "capec_id": 122, + "capec_title": "Privilege Abuse" + } + ], + "weaknesses": [ + { + "cwe_id": 284, + "cwe_title": "Improper Access Control" + }, + { + "cwe_id": 200, + "cwe_title": "Exposure of Sensitive Information to an Unauthorized Actor" + }, + { + "cwe_id": 522, + "cwe_title": "Insufficiently Protected Credentials" + } + ] + }, + { + "symbolic_name": "insider-read-tamper-audit-logs", + "title": "Insider reads or tampers with audit logs", + "description": "An actor with cluster access directly reads Vault audit files or streams pod logs (kubectl logs). 
They can exfiltrate sensitive audit trails, or delete/modify logs to remove traces of malicious activity.", + "threat_persona": "darius", + "event": "information disclosure / evidence tampering", + "sources": [ + "adversary" + ], + "attack_mechanisms": [ + { + "capec_id": 122, + "capec_title": "Privilege Abuse" + } + ], + "weaknesses": [ + { + "cwe_id": 200, + "cwe_title": "Exposure of Sensitive Information to an Unauthorized Actor" + } + ] + }, + { + "symbolic_name": "rogue-platform-tamper-ha-config", + "title": "Rogue platform engineer tampers with Vault deployment to cause DoS or capture secrets", + "description": "A platform engineer modifies StatefulSet, Service, or network rules (or injects sidecars) to disrupt Vault availability (DoS), redirect traffic to a malicious endpoint, or capture secrets in transit.", + "threat_persona": "sofia", + "event": "denial of service / credential capture / traffic interception", + "sources": [ + "adversary" + ], + "attack_mechanisms": [ + { + "capec_id": 210, + "capec_title": "Abuse Existing Functionality" + } + ], + "weaknesses": [ + { + "cwe_id": 732, + "cwe_title": "Incorrect Permission Assignment for Critical Resource" + }, + { + "cwe_id": 269, + "cwe_title": "Improper Privilege Management" + } + ] + }, + { + "symbolic_name": "compromised-workload-abuse-auth", + "title": "Compromised workload abuses auth (Kubernetes/AppRole/IAM) to exfiltrate secrets and access various services with these secrets", + "description": "A compromised application or CI job uses stolen credentials, stolen service account tokens, or abused auth bindings to obtain Vault tokens, then reads secrets or requests dynamic credentials beyond its intended scope.", + "threat_persona": "li-wei", + "event": "unauthorized secret access", + "sources": [ + "adversary" + ], + "attack_mechanisms": [ + { + "capec_id": 555, + "capec_title": "Remote Services with Stolen Credentials" + } + ], + "weaknesses": [ + { + "cwe_id": 287, + "cwe_title": "Improper 
Authentication" + }, + { + "cwe_id": 285, + "cwe_title": "Improper Authorization" + }, + { + "cwe_id": 522, + "cwe_title": "Insufficiently Protected Credentials" + } + ] + }, + { + "symbolic_name": "exposed-raft-port-remote-attack", + "title": "Exposed Raft/consensus ports allow remote access to storage", + "description": "If Raft ports (8201) or the pod network are exposed outside the cluster/VPC, an attacker could discover services, attempt to join/replicate, extract data, or cause cluster instability.", + "threat_persona": "li-wei", + "event": "confidentiality breach / data exfiltration / cluster compromise", + "sources": [ + "adversary" + ], + "attack_mechanisms": [ + { + "capec_id": 310, + "capec_title": "Scanning for Vulnerable Software" + } + ], + "weaknesses": [ + { + "cwe_id": 200, + "cwe_title": "Exposure of Sensitive Information to an Unauthorized Actor" + } + ] + }, + { + "symbolic_name": "lb-tls-mitm-or-termination-misconfig", + "title": "TLS termination/misconfiguration at Load Balancer leads to MITM or credential leak", + "description": "If the AWS Load Balancer is misconfigured (terminates TLS without re-encrypting, or uses an untrusted certificate), an attacker or compromised LB control plane could intercept or tamper with Vault API traffic.", + "threat_persona": "alejandra", + "event": "man-in-the-middle / data interception", + "sources": [ + "adversary" + ], + "attack_mechanisms": [ + { + "capec_id": 117, + "capec_title": "Interception" + } + ], + "weaknesses": [ + { + "cwe_id": 295, + "cwe_title": "Improper Certificate Validation" + } + ] + }, + { + "symbolic_name": "vault-availability-failure", + "title": "Loss of availability of secret material due to failure", + "description": "Failures in cluster nodes, Raft replication, or storage can cause Vault to become unavailable, preventing applications from retrieving secrets or performing cryptographic operations.", + "threat_persona": "sofia", + "event": "denial of service / loss of availability", 
+ "sources": [ + "failure" + ], + "attack_mechanisms": [ + { + "capec_id": 125, + "capec_title": "Flooding" + } + ], + "weaknesses": [ + { + "cwe_id": 400, + "cwe_title": "Uncontrolled Resource Consumption" + }, + { + "cwe_id": 664, + "cwe_title": "Improper Control of a Resource Through its Lifetime" + } + ] + }, + { + "symbolic_name": "misconfigured-policies-excess-privilege", + "title": "Over-permissive Vault policies allow lateral movement or secret theft", + "description": "Misconfigured Vault policies or overly-broad role bindings grant principals capabilities they don't need (e.g., wildcard admin policies), enabling actors to list/read secrets or create tokens for escalation.", + "threat_persona": "giovanni", + "event": "unauthorized access / privilege escalation", + "sources": [ + "human_error" + ], + "attack_mechanisms": [ + { + "capec_id": 212, + "capec_title": "Abuse existing Functionality" + } + ], + "weaknesses": [ + { + "cwe_id": 285, + "cwe_title": "Improper Authorization" + } + ] + } + ], + "controls": [ + { + "symbolic_name": "restrict-k8s-rbac", + "title": "Restrict Kubernetes RBAC for developers and engineers", + "description": "Limit Kubernetes RoleBindings/ClusterRoleBindings so that developers and engineers cannot exec into Vault pods, read pod volumes, or access Raft storage directly. 
Only platform engineers should have restricted administrative access under break-glass conditions.", + "threats": [ + "insider-exfiltrate-secrets-via-kubectl", + "insider-read-tamper-audit-logs", + "rogue-platform-tamper-ha-config" + ], + "trust_boundary": { + "trust_zone_a": "eks-cluster", + "trust_zone_b": "k8s-namespace-vault" + }, + "status": "suggested", + "priority": "high" + }, + { + "symbolic_name": "pod-security-policies", + "title": "Apply Pod Security Standards / OPA Gatekeeper", + "description": "Use Kubernetes Pod Security Standards (restricted profile) or OPA/Gatekeeper policies to prevent privileged containers and block direct volume mounts that would expose Raft data to kubectl exec or copy commands.", + "threats": [ + "insider-exfiltrate-secrets-via-kubectl" + ], + "status": "suggested", + "priority": "high" + }, + { + "symbolic_name": "audit-kubectl-commands", + "title": "Audit kubectl exec and cp usage", + "description": "Enable Kubernetes audit logging to track all kubectl exec and copy commands. Send logs to a SIEM for real-time detection of suspicious access attempts.", + "threats": [ + "insider-exfiltrate-secrets-via-kubectl", + "insider-read-tamper-audit-logs" + + ], + "status": "suggested", + "priority": "medium" + }, + { + "symbolic_name": "vault-multiple-audit-devices", + "title": "Configure multiple Vault audit devices", + "description": "Enable at least two Vault audit devices (e.g., file and syslog). 
Even if one sink is tampered with or deleted, other sinks continue to capture activity.", + "threats": [ + "insider-read-tamper-audit-logs", + "compromised-workload-abuse-auth" + ], + "status": "suggested", + "priority": "high" + }, + { + "symbolic_name": "immutable-storage-for-audit", + "title": "Store Vault audit logs in immutable storage", + "description": "Use append-only storage (e.g., WORM S3 buckets or immutable syslog servers) for Vault audit logs so they cannot be deleted or modified retroactively.", + "threats": [ + "insider-read-tamper-audit-logs", + "compromised-workload-abuse-auth" + ], + "status": "suggested", + "priority": "high" + }, + { + "symbolic_name": "deployment-change-control", + "title": "Require change control for Vault deployment manifests", + "description": "Enforce code review and approval workflows (e.g., GitOps, Infrastructure as Code pipelines) for changes to Vault StatefulSets, Services, and ConfigMaps. Prevent direct kubectl edits in production.", + "threats": [ + "rogue-platform-tamper-ha-config" + ], + "status": "suggested", + "priority": "high" + }, + { + "symbolic_name": "k8s-admission-controls", + "title": "Apply Kubernetes admission controls for Vault workloads", + "description": "Use admission controllers (OPA Gatekeeper, Kyverno) to enforce security policies on Vault pods (no sidecars, no privilege escalation, no host networking) and reject unauthorized changes.", + "threats": [ + "rogue-platform-tamper-ha-config" + ], + "status": "suggested", + "priority": "medium" + }, + { + "symbolic_name": "monitor-k8s-config-changes", + "title": "Monitor and alert on Kubernetes configuration changes", + "description": "Enable auditing of Kubernetes API server for changes to StatefulSets, Services, and ConfigMaps in the Vault namespace. 
Send to SIEM for alerting on unexpected changes.", + "threats": [ + "rogue-platform-tamper-ha-config" + ], + "trust_boundary": { + "trust_zone_a": "eks-cluster", + "trust_zone_b": "k8s-namespace-vault" + }, + "status": "suggested", + "priority": "medium" + }, + { + "symbolic_name": "constrain-auth-methods", + "title": "Constrain Vault authentication methods", + "description": "Configure Vault auth methods (AppRole, Kubernetes, IAM) with least privilege. Require role bindings to be tightly scoped (limited CIDRs, bounded service accounts, short-lived tokens).", + "threats": [ + "compromised-workload-abuse-auth" + ], + "status": "suggested", + "priority": "high" + }, + { + "symbolic_name": "short-lived-tokens", + "title": "Use short-lived Vault tokens and dynamic secrets", + "description": "Configure Vault roles and policies to issue ephemeral tokens and dynamic credentials that automatically expire, limiting impact of stolen tokens.", + "threats": [ + "compromised-workload-abuse-auth" + ], + "trust_boundary": { + "trust_zone_a": "k8s-namespace-vault", + "trust_zone_b": "k8s-namespace-vault" + }, + "status": "suggested", + "priority": "high" + }, + { + "symbolic_name": "bind-secrets-to-identity", + "title": "Bind secrets tightly to workload identity", + "description": "Restrict Vault roles to specific Kubernetes service accounts, IAM roles, or AppRoles. Enforce identity binding so compromised workloads cannot escalate or impersonate others.", + "threats": [ + "compromised-workload-abuse-auth" + ], + "status": "suggested", + "priority": "medium" + }, + { + "symbolic_name": "restrict-raft-network-access", + "title": "Restrict Raft port access to Vault cluster nodes only", + "description": "Use Kubernetes NetworkPolicies and AWS Security Groups to restrict port 8201 so only Vault pods can communicate with each other. 
Block all external or client access to Raft traffic.", + "threats": [ + "exposed-raft-port-remote-attack" + ], + "status": "active", + "priority": "critical" + }, + { + "symbolic_name": "raft-mtls-cert-validation", + "title": "Enforce mutual TLS for Raft replication", + "description": "Require Vault nodes to authenticate Raft peers with mTLS certificates. Configure strict certificate validation and rotation to prevent unauthorized Raft peers from joining the cluster.", + "threats": [ + "exposed-raft-port-remote-attack" + ], + "status": "suggested", + "priority": "high" + }, + { + "symbolic_name": "monitor-raft-consensus-health", + "title": "Monitor Raft consensus health", + "description": "Enable monitoring and alerting on Raft replication status, quorum health, and node membership changes. Detect anomalies that may indicate tampering or external Raft join attempts.", + "threats": [ + "exposed-raft-port-remote-attack", + "vault-availability-failure" + ], + "status": "suggested", + "priority": "medium" + }, + { + "symbolic_name": "end-to-end-strong-tls", + "title": "Enforce end-to-end TLS from clients to Vault pods. Enforce TLS versions (1.2+), secure cipher suites, and valid CA-signed certificates. Disable weak ciphers and enforce certificate pinning where possible.", + "description": "Configure the AWS Load Balancer for TCP passthrough (no TLS termination), or ensure re-encryption is used with trusted server certificates so traffic is encrypted all the way to Vault pods.", + "threats": [ + "lb-tls-mitm-or-termination-misconfig" + ], + "status": "active", + "priority": "critical" + }, + { + "symbolic_name": "monitor-lb-config", + "title": "Monitor and alert on Load Balancer TLS configuration changes", + "description": "Continuously check AWS Load Balancer TLS configuration (e.g., via AWS Config or Security Hub). 
Alert if TLS termination is enabled unexpectedly or insecure parameters are set.", + "threats": [ + "lb-tls-mitm-or-termination-misconfig" + ], + "status": "suggested", + "priority": "medium" + }, + { + "symbolic_name": "multi-az-deployment", + "title": "Deploy Vault cluster across multiple Availability Zones", + "description": "Distribute Vault pods and Raft peers across multiple AWS Availability Zones to ensure quorum and service availability during AZ-level outages.", + "threats": [ + "vault-availability-failure" + ], + "status": "suggested", + "priority": "medium" + }, + { + "symbolic_name": "raft-backup-snapshots", + "title": "Enable automated Raft snapshots and backup", + "description": "Configure regular Raft snapshots and store them securely outside the Vault cluster (e.g., S3 with encryption) to recover state in case of catastrophic failure.", + "threats": [ + "vault-availability-failure" + ], + "status": "suggested", + "priority": "critical" + }, + { + "symbolic_name": "auto-unseal-ha", + "title": "Use redundant Cloud KMS for auto-unseal", + "description": "Configure Vault auto-unseal with multiple KMS providers (or highly available KMS setup) to avoid dependency on a single point of failure.", + "threats": [ + "vault-availability-failure" + ], + "status": "suggested", + "priority": "medium" + }, + { + "symbolic_name": "health-checks-and-restarts", + "title": "Enable health checks and automated restarts for Vault pods", + "description": "Configure Kubernetes liveness/readiness probes for Vault pods and enable automated restart policies to recover from node/pod failures quickly.", + "threats": [ + "vault-availability-failure" + ], + "status": "active", + "priority": "high" + }, + { + "symbolic_name": "policy-review-process", + "title": "Implement Vault policy review and approval workflow", + "description": "Establish a mandatory peer-review or automated validation process for Vault policies before deployment. 
Reject policies that include wildcards or grant admin-level capabilities unnecessarily.", + "threats": [ + "misconfigured-policies-excess-privilege" + ], + "status": "suggested", + "priority": "medium" + }, + { + "symbolic_name": "least-privilege-defaults", + "title": "Adopt least-privilege defaults for Vault roles", + "description": "Use policy templates and default role definitions that start with no privileges. Require explicit justification and approval for each added capability.", + "threats": [ + "misconfigured-policies-excess-privilege" + ], + "trust_boundary": { + "trust_zone_a": "k8s-namespace-vault", + "trust_zone_b": "k8s-namespace-vault" + }, + "status": "suggested", + "priority": "high" + }, + { + "symbolic_name": "policy-linter", + "title": "Automated linting of Vault policies", + "description": "Introduce static analysis (policy linter) to detect dangerous constructs in Vault policies (e.g., wildcards, overly broad paths, admin capabilities) before deployment.", + "threats": [ + "misconfigured-policies-excess-privilege" + ], + "status": "suggested", + "priority": "low" + } + ], + "risks": [ + { + "symbolic_name": "insider-abuse-of-kubernetes-access", + "title": "Insider abuse of Kubernetes access to exfiltrate or tamper with secrets", + "description": "Developers or platform engineers with kubectl access may exec into Vault pods, read Raft storage files, or tamper with Vault audit logs, leading to loss of confidentiality and accountability.", + "threats": [ + "insider-exfiltrate-secrets-via-kubectl", + "insider-read-tamper-audit-logs", + "rogue-platform-tamper-ha-config" + ], + "likelihood": "possible", + "impact": "severe", + "impact_description": "Could result in full compromise of Vault data, bypassing of audit logs, and erosion of operational trust.", + "score": 15, + "level": "high" + }, + { + "symbolic_name": "workload-auth-abuse", + "title": "Compromised workloads abusing Vault authentication", + "description": "A compromised workload 
(application, CI/CD job) can abuse Kubernetes, AppRole, or IAM auth to escalate privileges and extract secrets beyond intended scope.",
+ "threats": [
+ "compromised-workload-abuse-auth",
+ "misconfigured-policies-excess-privilege"
+ ],
+ "likelihood": "unlikely",
+ "impact": "severe",
+ "impact_description": "Widespread credential exposure or lateral movement into other systems and services.",
+ "score": 10,
+ "level": "medium"
+ },
+ {
+ "symbolic_name": "network-exposure-and-mitm",
+ "title": "Network exposure or misconfiguration leading to interception or Raft compromise",
+ "description": "If Raft ports (8201) are exposed or TLS is misconfigured at the load balancer, attackers could eavesdrop, tamper with traffic, or attempt to join the Raft cluster.",
+ "threats": [
+ "exposed-raft-port-remote-attack",
+ "lb-tls-mitm-or-termination-misconfig"
+ ],
+ "likelihood": "rare",
+ "impact": "severe",
+ "impact_description": "Interception of secrets or compromise of Vault cluster integrity.",
+ "score": 5,
+ "level": "medium"
+ },
+ {
+ "symbolic_name": "vault-availability-risk",
+ "title": "Loss of Vault availability",
+ "description": "Failures in Raft consensus, node crashes, or dependency outages (e.g., KMS auto-unseal) could make Vault unavailable, preventing applications from retrieving secrets.",
+ "threats": [
+ "vault-availability-failure"
+ ],
+ "likelihood": "unlikely",
+ "impact": "major",
+ "impact_description": "Applications relying on Vault could experience outages and service disruption.",
+ "score": 10,
+ "level": "high"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/tools/src/test/resources/2.0/valid-threatmodel-simple-2.0.json b/tools/src/test/resources/2.0/valid-threatmodel-simple-2.0.json
new file mode 100644
index 00000000..88724de3
--- /dev/null
+++ b/tools/src/test/resources/2.0/valid-threatmodel-simple-2.0.json
@@ -0,0 +1,25 @@
+{
+ "specFormat": "CycloneDX",
+ "specVersion": "2.0",
+ "metadata": {
+
+ },
+ "threatModel": {
+ // References the threat model schema
+ "modelTypes": [{"type": "threat"}],
+ "methodologies": [{"type": "STRIDE"}],
+ "domains": [{"type": "security"}],
+
+ // Blueprint elements
+ "assets": [...],
+ "zones": [...],
+ "boundaries": [...],
+ "flows": [...],
+
+ // Threat-specific elements
+ "scenarios": [...],
+ "threatActors": [...],
+ "mitigations": [...],
+ "assessments": [...]
+ }
+}
\ No newline at end of file
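Review bot: This fixture cannot be parsed as JSON even though its name and location (`tools/src/test/resources/2.0/valid-threatmodel-simple-2.0.json`) present it as a document the schema test should accept — the `// References the threat model schema` comments and the `[...]` placeholders in `assets`, `zones`, `boundaries`, `flows`, `scenarios`, `threatActors`, `mitigations` and `assessments` are rejected by any RFC 8259 parser. A validator test that loads it therefore fails before schema validation runs, or, if parse errors are caught and ignored, passes while exercising nothing of the threat-model schema; for the reference validator that downstream tooling will trust, that is a silent loss of coverage. I would drop the comments, replace each placeholder with an empty array (`"assets": [],`) or one minimal concrete element, and collapse the empty object to `"metadata": {},`. The camelCase keys here (`threatModel`, `modelTypes`, `threatActors`, `mitigations`, `assessments`) also diverge from the snake_case vocabulary the example document earlier in this diff uses (`threat_personas`, `data_flows`, `controls`, `risks`, `symbolic_name`), so one of the two presumably does not match what the 2.0 schema actually defines; confirm which before this fixture is treated as the "valid" reference. The file also ends without a trailing newline.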